topic Querying AD accounts and email addresses in Splunk Search

Querying AD accounts and email addresses

Sotu — Fri, 03 May 2024 23:48:04 GMT

I am able to pull my AD users account information successfully except for their email addresses. What am I doing wrong? Apologize since I am still learning.

| inputlookup AD_Obj_User WHERE domain="mydomain" | fields domain, sAMAccountName, userAccountControl, uac_details,domain, distinguishedName, mail, whenChanged,whenCreated | table domain, sAMAccountName, userAccountControl, uac_details,domain, distinguishedName, mail, whenChanged,whenCreated | eval uac_details=replace(mvjoin(uac_details,":"),"([\r\n]+)",":") | makemv delim=":" uac_details | search [| makeresults | eval uac_details=replace("#empty#,#empty#,#empty#,#empty#,#empty#,#empty#,#empty#,#empty#,#empty#,#empty#,#empty#,#empty#,#empty#,#empty#","#empty#","") | makemv delim="," uac_details | eval mfilt_uac=mvfilter(match(uac_details,"^\w+")) | eval search=if(isnull(mfilt_uac),"","uac_details=\"".mvjoin(mfilt_uac,"\" AND uac_details=\"")."\"") | table search] | sort 0 sAMAccountName | rename sAMAccountName AS "user", uac_details AS userAccountControl_Details

Re: Querying AD accounts and email addresses

deepakc — Sat, 04 May 2024 14:02:35 GMT

It could be a permissions issue you need read the email address attribute ((&(objectClass=user)(objectCategory=person)(mail=*))) check the user permissions that is being used to pull the LDAP data, see your AD admin. Or run something like the below to check under that user account.

dsquery user -samid username | dsget user -email

If not, find out how it’s being populated, normally its done via the ldap search command see references below.

Check the ldap search that creates the lookup and you should have the data there, this may have been created already as a secluded search.

Reference:

Ldap Search using the command

https://docs.splunk.com/Documentation/SA-LdapSearch/3.0.8/User/Theldapsearchcommand

Ldap Add-on
https://docs.splunk.com/Documentation/SA-LdapSearch/3.0.8/User/AbouttheSplunkSupportingAdd-onforActiveDirectory

Re: Querying AD accounts and email addresses

yuanliu — Sat, 04 May 2024 18:04:17 GMT

The First Law of asking an answerable question states:

Present your dataset (anonymize as needed), illustrate desired output from illustrated dataset, explain the logic between illustrated dataset and desired output. (Without SPL.)

If attempted SPL does not give desired output, also illustrate actual output (anonymize as needed), then explain its difference from desired results if it is not painfully clear.

I am able to pull my AD users account information successfully except for their email addresses.

Can you explain from which source are you pulling AD info? Your SPL only uses a lookup file. Do you mean

lookup table AD_Obj_User contains email addresses but the illustrated SPL does not output them, or
your effort to populate AD_Obj_User fails to obtain email addresses from a legitimate AD source (as @deepakc speculated)?

If former, what is the purpose of the SPL? What is the content of AD_Obj_User? What is the desired output and the logic between the content and desired output?

If latter, what is the purpose of showing SPL?