
Active Directory Returning duplicated events?

MK-DRT

So we're having this issue where all of our Active Directory events are coming back with multiple duplicates of the same event. We had an issue with the service accounts Splunk used, but all the domains we want to query can be queried now. Confirmed via ldaptestconnection.

But this is specifically happening with searches relating to ldapfilter; below is the search we use.

Note: ldap_domains.csv contains all the domains we have and which of them Splunk should search.

| inputlookup ldap_domains.csv WHERE enabled=1
| fields - enabled
``` one ldapfilter call per enabled lookup row; $domain$ and $baseDN$ are substituted from that row, and the 1.2.840.113556.1.4.1941 matching rule (LDAP_MATCHING_RULE_IN_CHAIN) returns nested members as well ```
| ldapfilter search="(&(memberOf:1.2.840.113556.1.4.1941:=CN=Backup Operators,CN=Builtin,$baseDN$))" domain=$domain$ attrs="name,sAMAccountName,objectCategory,objectClass,objectSID"
``` serialise each result to JSON, then prepend the query type, a per-run taskid (now() is the search start time) and the group DN ```
| tojson
| eval _raw = replace(_raw,"^{","{\"query_type\":\"activedirectory:admin_groups\",\"taskid\":\"".now()."\",\"admin_group_dn\":\"CN=Backup Operators,CN=Builtin,".baseDN."\",")
``` empty multi-value attributes become "" instead of [] ```
| eval _raw = replace(_raw,"\:\[\]",":\"\"")
``` lower-case every field name inside _raw ```
| foreach *
    [
    | eval _raw=replace(_raw,"<<FIELD>>", lower("<<FIELD>>"))
    ]
| fields _raw
| collect `activedirectory_index` output_format=hec

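As an added example that is not part of the original post or of the Splunk LDAP app, the script below triages the duplicated events the search above produces. It parses the JSON lines that `collect output_format=hec` stores (field names lower-cased, with `query_type`, `taskid` and `admin_group_dn` prepended) and splits duplicates into two buckets: repeats that share one `taskid` were produced inside a single run of the search (for example the same domain row listed twice in ldap_domains.csv), while repeats with different `taskid` values came from the search running more than once over the same data. The domain, group DN, account names and SIDs are constructed sample data.

```python
"""Triage duplicated Active Directory admin-group events.

Added example, not code from the original post or from the Splunk LDAP app.
Reads JSON lines in the shape the posted search writes to the summary index
and classifies duplicates by whether they share a taskid (same run) or carry
different taskids (repeated runs). All sample data is constructed.
"""
import json
from collections import defaultdict

# Constructed sample: group DN and domain as the posted search would embed them.
GROUP_DN = "CN=Backup Operators,CN=Builtin,DC=corp,DC=example"


def _event(taskid, name, sam, sid):
    """Build one collected event line with the lower-cased field names the
    search's foreach produces and the three fields it prepends."""
    return json.dumps({
        "query_type": "activedirectory:admin_groups",
        "taskid": taskid,
        "admin_group_dn": GROUP_DN,
        "name": name,
        "samaccountname": sam,
        "objectcategory": "CN=Person,CN=Schema,CN=Configuration,DC=corp,DC=example",
        "objectclass": ["top", "person", "organizationalPerson", "user"],
        "objectsid": sid,
        "domain": "corp.example",
        "basedn": "DC=corp,DC=example",
    })


# Constructed sample: jdoe appears twice inside run 1700000000, alice once in
# each of two runs, svc_backup exactly once (the clean case).
SAMPLE_EVENTS = "\n".join([
    _event("1700000000", "Backup Service", "svc_backup", "S-1-5-21-1111-2222-3333-1105"),
    _event("1700000000", "Jane Doe", "jdoe", "S-1-5-21-1111-2222-3333-1106"),
    _event("1700000000", "Jane Doe", "jdoe", "S-1-5-21-1111-2222-3333-1106"),
    _event("1700000000", "Alice Ops", "alice", "S-1-5-21-1111-2222-3333-1107"),
    _event("1700003600", "Alice Ops", "alice", "S-1-5-21-1111-2222-3333-1107"),
])


def parse_events(text):
    """Parse one JSON object per non-blank line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def group_members(events):
    """Group events by (admin_group_dn, objectsid). The SID is the stable
    identity of a principal (names can change or collide); the group DN keeps
    a principal's memberships in different domains apart."""
    groups = defaultdict(list)
    for ev in events:
        groups[(ev["admin_group_dn"], ev["objectsid"])].append(ev)
    return groups


def classify_duplicates(events):
    """Return {'same_run': {key: max copies in one run},
               'repeated_run': {key: sorted list of taskids}} for every
    (group DN, SID) that occurs more than once."""
    result = {"same_run": {}, "repeated_run": {}}
    for key, evs in group_members(events).items():
        if len(evs) < 2:
            continue
        per_task = defaultdict(int)
        for ev in evs:
            per_task[ev["taskid"]] += 1
        if any(n > 1 for n in per_task.values()):
            result["same_run"][key] = max(per_task.values())
        if len(per_task) > 1:
            result["repeated_run"][key] = sorted(per_task)
    return result


def dedupe(events):
    """Keep the first event seen per (group DN, SID), preserving order."""
    seen = set()
    kept = []
    for ev in events:
        key = (ev["admin_group_dn"], ev["objectsid"])
        if key not in seen:
            seen.add(key)
            kept.append(ev)
    return kept


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    verdict = classify_duplicates(evs)
    for (dn, sid), copies in verdict["same_run"].items():
        print(f"within one run: {sid} in {dn} appears {copies} times")
    for (dn, sid), tasks in verdict["repeated_run"].items():
        print(f"across runs: {sid} in {dn} collected by taskids {tasks}")
    print(f"{len(evs)} events, {len(dedupe(evs))} distinct memberships")
```

To run this against real data, export the collected events with a search such as `index=<your index> query_type=activedirectory:admin_groups | fields _raw` and feed the raw lines to `parse_events`. Hits in `same_run` point at the lookup or the ldapfilter stage of the search itself; hits only in `repeated_run` point at the schedule or the search's time window rather than the LDAP query.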