topic Re: How to assign a Category and Priority for Splunk Enterprise Security using ldapsearch? in Splunk Enterprise Security

How to assign a Category and Priority for Splunk Enterprise Security using ldapsearch?

kiran331 — Fri, 17 Feb 2017 22:04:18 GMT

I'm trying to create a Identity Lookup for Splunk Enterprise Security. I have a users from Group and OU's which has to be critical, I'm using the below search, OU case is working but no the group one, is there anything I'm missing?

| ldapsearch domain="XXXXX" search="(&(objectClass=user)(!(objectClass=computer)))" attrs="sAMAccountName,displayName,givenName,sn,mail,telephoneNumber,manager,department,whenCreated,accountExpires, userAccountControl, distinguishedName,userPrincipalName,employeeID"
|search userAccountControl="NORMAL_ACCOUNT"
|eval suffix=""
| eval priority=case(       like(distinguishedName,"%OU=AdminAccounts,DC=XXXXXXX,DC=com"), "critical",
                            like(distinguishedName,"%OU=DomainAdmins,OU=AdminAccounts,DC=XXXXXX,DC=com"), "critical", 
                            like(sAMAccountName,"%CN=Enterprise Admins ,CN=Users,DC=XXXXXX,DC=com"), "critical",

                            1==1,"medium" )

 | eval category=case(      like(distinguishedName,"%OU=DomainAdmins,OU=AdminAccounts,DC=XXXXXX,DC=com"), "Domain Admins" ,
                            like(distinguishedName,"%OU=AdminAccounts,DC=XXXXXX,DC=com"), "Admin Accounts",
                            like(sAMAccountName,"%CN=Enterprise Admins ,CN=Users,DC=XXXXXX,DC=com"), "Enterprise Admins",
                             1==1,"normal" )
|eval endDate=""
|eval watchlist="false"
|table sAMAccountName ,personalTitle,displayName,givenName,sn,suffix,mail,telephoneNumber,mobile,manager,priority,department,category,watchlist,startDate,endDate
|rename sAMAccountName as identity,personalTitle as prefix, displayName as nick, givenName as first, sn as last, mail as email, telephoneNumber as phone, mobile as phone2, manager as managedBy, department as bunit

Enterprise ADmins is not working here?

Re: How to assign a Category and Priority for Splunk Enterprise Security using ldapsearch?

Richfez — Mon, 20 Feb 2017 01:26:23 GMT

(EDIT: Found another issue)

You have a space in your search that shouldn't be there, and I don't think samaccountname is going to work.

like(sAMAccountName,"%CN=Enterprise Admins ,CN=Users,DC=XXXXXX,DC=com"), "critical",

Should instead be

like(distinguishedName,"%CN=Enterprise Admins,CN=Users,DC=XXXXXX,DC=com"), "critical",

You probably could use sAMAccountName, but if you do so you need to match on just Enterprise Admins. (At which point you shouldn't need a like.)

Let us know if this works! Happy Splunking!

-Rich

Re: How to assign a Category and Priority for Splunk Enterprise Security using ldapsearch?

Richfez — Mon, 20 Feb 2017 01:36:17 GMT

ADSI Edit can help you here. Run "ADSI Edit", drill down to the section where the right CN is (Enterprise Admins in this case), right-click on it and pick "properties" , then scroll down in there to find the various fields you need. If you click the "view" button when you have the right value selected, you can copy and paste it out of there.