All Apps and Add-ons

Active Directory Returning duplicated events?

MK-DRT
Loves-to-Learn Lots

So we're having this issue where all of our active directory events are coming back as having multiple duplicates of the same event. We had an issue with the Service accounts splunk used but all the domains we want to query can be queried now. Confirmed via ldaptestconnection.

But this is specifically happening with searches relating to ldapfilter, below is the search we use,

Note : the ldap_doamins.csv contains all the domains we have and what splunk so search.

| inputlookup ldap_domains.csv WHERE enabled=1
| fields - enabled
| ldapfilter search="(&(memberOf:1.2.840.113556.1.4.1941:=CN=Backup Operators,CN=Builtin,$baseDN$))" domain=$domain$ attrs="name,sAMAccountName,objectCategory,objectClass,objectSID"
| tojson
| eval _raw = replace(_raw,"^{","{\"query_type\":\"activedirectory:admin_groups\",\"taskid\":\"".now()."\",\"admin_group_dn\":\"CN=Backup Operators,CN=Builtin,".baseDN."\",")
| eval _raw = replace(_raw,"\:\[\]",":\"\"")
| foreach *
[
| eval _raw=replace(_raw,"<<FIELD>>", lower("<<FIELD>>"))
]
| fields _raw
| collect `activedirectory_index` output_format=hec

Labels (1)
0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...