
How do I look up members in an AD group and display which users have not generated a "Success/Fail" VPN event from Cisco ISE ?

jkujawa
Explorer

I am lost on this one. I want to look up members in an AD group and output users who have not generated a success or failure action from Cisco ISE within xx days. Here are two searches I built. Not sure if they can be combined for what I am trying to accomplish.

Queries Active Directory and displays users in the group.

| ldapsearch domain=MYDOMAIN search="(&(objectClass=user)(memberOf=CN=MyGroup,OU=Groups,DC=Mydomain,DC=com))" | table sAMAccountName | rename sAMAccountName as Username | sort Username

Queries Cisco ISE and displays employees who used the VPN.

sourcetype="cisco:ise:syslog" NetworkDeviceName="MYVPN" (action=failure OR action=success) PIX7x_Tunnel_Group_Name=MYVPNGroup

Thanks!

0 Karma

maciep
Champion

If there is a user field in the cisco ise data that would match the user coming from ldap, then I think one way could be to append these searches together with a common field name and use some stats to filter down to the users you want to see.

Not tested at all, but maybe something like this

sourcetype="cisco:ise:syslog" NetworkDeviceName="MYVPN" (action=failure OR action=success) PIX7x_Tunnel_Group_Name=MYVPNGroup
    | rename user_field as Username
    | eval type = "ise"
    | append [
        | ldapsearch domain=MYDOMAIN search="(&(objectClass=user)(memberOf=CN=MyGroup,OU=Groups,DC=Mydomain,DC=com))"
        | rename sAMAccountName as Username
        | eval type = "ldap" ]
    | stats dc(type) as count values(type) as types by Username
    | where count=1 AND types="ldap"
0 Karma

jkujawa
Explorer

The relevant Cisco ISE fields are:

  • user
  • AD_User_Resolved_DNs
  • User_Name
  • UserName

The one that matched the LDAP query best is "AD_User_Resolved_DNs" as it matches the case format (upper or lower).

So far, I've tried the search string you provided and it is not pulling in the correct data. I see the usernames, but it includes people who logged in to the VPN within the specified time frame from the time picker.

sourcetype="cisco:ise:syslog" NetworkDeviceName="MYVPN" (action=failure OR action=success) PIX7x_Tunnel_Group_Name=MYVPNGroup
    | rename AD_User_Resolved_DNs as Username
    | eval type = "ise"
    | append [
        | ldapsearch domain=MYDOMAIN search="(&(objectClass=user)(memberOf=CN=MyGroup,OU=Groups,DC=Mydomain,DC=com))"
        | rename sAMAccountName as Username
        | eval type = "ldap" ]
    | stats dc(type) as count values(type) as types by Username
    | where count=1 AND types="ldap"
0 Karma

maciep
Champion

Are the usernames exactly the same? No domains or anything to strip out?

If you remove the where command at the end and maybe sort by username, do you see any you would consider duplicates? Or in general, do you see the data you'd expect: a username, a count, and a field for types, probably containing one or two entries?

0 Karma
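As an added, self-contained example (not code from either poster): the same append/stats/where pattern maciep proposes, run over constructed sample data instead of the live ISE and ldapsearch results, with the username normalisation maciep asks about in the last reply. Both sides are built with makeresults; the three ISE-side values (alice, MYDOMAIN\bob, Carol@mydomain.com) and the four AD group members (alice, bob, carol, dave) are made up for the demonstration. The three eval lines after the append strip a DOMAIN\ prefix, strip an @domain suffix, and lower-case the result so that the two sides compare equal; the expected single row is Username=dave, the only group member with no ISE event.

```spl
| makeresults
| eval Username=split("alice;MYDOMAIN\\bob;Carol@mydomain.com", ";")
| mvexpand Username
| eval type="ise"
| append [
    | makeresults
    | eval Username=split("alice;bob;carol;dave", ";")
    | mvexpand Username
    | eval type="ldap" ]
| eval Username=mvindex(split(Username, "\\"), -1)
| eval Username=mvindex(split(Username, "@"), 0)
| eval Username=lower(Username)
| stats dc(type) as count values(type) as types by Username
| where count=1 AND types="ldap"
```

To use it for real, replace the first makeresults/eval/mvexpand block with the cisco:ise:syslog search (renaming whichever ISE username field is chosen to Username) and the subsearch body with the ldapsearch command; keep the three normalisation lines. Two checks worth making before trusting an empty or suspiciously long result: first, run the search without the final where and sort by Username, as maciep suggests, and look for the same person appearing twice under slightly different spellings, which points at a prefix, suffix or case difference the normalisation does not yet cover. Second, if the ISE field used really carries a distinguished name (the field name AD_User_Resolved_DNs suggests it does; this is an assumption about that environment), it can never equal sAMAccountName, and the join key should instead be the DN, with ldapsearch returning distinguishedName rather than sAMAccountName. Also note that the ldapsearch runs inside a subsearch and is therefore subject to the default subsearch limits (10,000 results, 60 seconds), so a very large group can be silently truncated and its missing members would then wrongly appear as active.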