All Apps and Add-ons

Combine ldapsearch with simple search

Dalador
Path Finder

Hi! 
I'm trying to combine ldapsearch with a simple search 
Here is my query: 
|ldapsearch domain="domain_name" search="(objectSid=$added_by$)" attrs=cn |table added_by
[|search index=windows_audit EventCode=4732 | eval added_by=mvindex(Security_ID,0) | eval Sid=mvindex(Security_ID,1)]
The idea is to find CN by Sid using ldapsearch function. 
But I got an error  Error in 'table' command: Invalid argument: 'Account_Domain=domain_name'

Query like:

|ldapsearch domain="domain_name" search="(objectSid="some_sid")" attrs=cn |table cn 

Is working perfect on my splunk.

 

What am I doing wrong? 

Labels (3)
0 Karma

marceloalejandr
Path Finder

Please disregard my previous message.  I was able to find the information on ldapsearch command at https://docs.splunk.com/Documentation/SA-LdapSearch/3.0.3/User/Theldapsearchcommand

However I am curious if anyone has worked with ADFineGrainedPasswordPolicy and have been able to return users that are in this Policy using ldapsearch.    Thanks in advance.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Putting square brackets around part of query is like putting parentheses around part of a math equation - it makes that part go first with the result replacing what was inside.  That's why the table command is reporting an invalid argument.  You'll have to rearrange the query a little to get the desired result.

|ldapsearch domain="domain_name" search="(objectSid=[|search index=windows_audit EventCode=4732 | eval added_by=mvindex(Security_ID,0) | eval Sid=mvindex(Security_ID,1) | return $added_by])" attrs=cn 
|table added_by
---
If this reply helps you, an upvote would be appreciated.

Dalador
Path Finder

This returns  External search command 'ldapsearch' returned error code 1. Script output = "error_message=malformed filter

Annotation 2021-05-12 162111.png

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Run the subsearch by itself to see what it returns.  Then add eval or other statements as necessary to make the returned value conform to what your LDAP provider expects.

---
If this reply helps you, an upvote would be appreciated.

Dalador
Path Finder

Annotation 2021-05-12 165951.png

 

Thanks! 
I think soon I get the solution. Now I need to get rid off Sid="...", right? 

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Yes, and you can do that using return $Sid, as in my original answer.

---
If this reply helps you, an upvote would be appreciated.

Dalador
Path Finder

I don't know why but query 
index=windows_audit EventCode=4732 | eval added_by=mvindex(Security_ID,0) | eval Sid=mvindex(Security_ID,1) | return $Sid return only 1 result,  and then i use your original answer i got 

Unrecognized ldapsearch command option: Sid="\"S-1-5-21-1778430667-2033019328-1848965733-3395\""

Is there possible to use  |ldapsearch domain="my_domain" search="(&(objectSid="[|search index=windows_audit EventCode=4732 | eval added_by=mvindex(Security_ID,0) | eval Sid=mvindex(Security_ID,1) | return Sid]"))" attrs=cn
|table cn, Sid 
For several results in sub-search? 

Thank you! 
0 Karma

richgalloway
SplunkTrust
SplunkTrust

The return command returns a single result by default.  You can add a number to say how many results to return, however, doing so may not give the desired results.  For example,

| return 1000 $Sid

will return a string like this

((Sid="\"S-1-5-21-1778430667-2033019328-1848965733-3395\"") OR ( Sid="\"S-1-5-21-1778430667-2033019328-1848965733-3396\"") OR ...)

which I believe is not the correct syntax for LDAP.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Dalador
Path Finder

I decided to rewrite my query 
now i'm doing: 
| ldapsearch domain=my_domain search="(&(objectClass=user)(!(objectClass=computer)))" attrs="objectSid,sAMAccountName" | outputlookup Ldap.csv
and then do my main search 
Do you now how can I run this by a cron?Shoud i use alert function to schedule this search?  

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Make it a scheduled report rather than an alert.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

marceloalejandr
Path Finder

Is there a document or reference of all the available and supported ldapsearch commands?   

Thanks in advance. 

Tags (1)
0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!