All Apps and Add-ons

Active Directory Returning duplicated events?

MK-DRT
Loves-to-Learn Lots

So we're having this issue where all of our active directory events are coming back as having multiple duplicates of the same event. We had an issue with the Service accounts splunk used but all the domains we want to query can be queried now. Confirmed via ldaptestconnection.

But this is specifically happening with searches relating to ldapfilter, below is the search we use,

Note : the ldap_doamins.csv contains all the domains we have and what splunk so search.

| inputlookup ldap_domains.csv WHERE enabled=1
| fields - enabled
| ldapfilter search="(&(memberOf:1.2.840.113556.1.4.1941:=CN=Backup Operators,CN=Builtin,$baseDN$))" domain=$domain$ attrs="name,sAMAccountName,objectCategory,objectClass,objectSID"
| tojson
| eval _raw = replace(_raw,"^{","{\"query_type\":\"activedirectory:admin_groups\",\"taskid\":\"".now()."\",\"admin_group_dn\":\"CN=Backup Operators,CN=Builtin,".baseDN."\",")
| eval _raw = replace(_raw,"\:\[\]",":\"\"")
| foreach *
[
| eval _raw=replace(_raw,"<<FIELD>>", lower("<<FIELD>>"))
]
| fields _raw
| collect `activedirectory_index` output_format=hec

Labels (1)
0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...