Re: MS Windows AD Objects App Custom Fields

JHannan · ‎11-10-2022

Is there a method to add custom AD Attributes from the AD Objects to the AD Object KV Stores in the MS AD Objects App or are we better off using a separate search to set these objects in a "Supplemental" AD Objects KV Store? Currently, the app maps most of the defaults AD Objects, but there are some that are not mapped that we'd like to add to the KV Store for use with other apps.

jcooperFossil · ‎11-11-2024

Coming in years after this question was asked, because I've been trying to do the same and I finally figured it out today!

The TA is currently on version 4.1.1

To get additional fields to appear in AD_Obj_User you need to do the following:
Edit the macro `ms_obj_admon_base_out_user` and include the fields you want in the SPL for "fields" and "table"
Do the same for the macro `ms_obj_user_base_migrate` just in case.

The part I was missing for years up until now was you have to edit the KV Store to specify what fields are allowed to be stored.
Edit the Lookup (KV Store) AD_Obj_User (Collection name is AD_Obj_User_LDAP_list_kv) and add the desired fields.

Rebuild your lookup and you're good to go!

MS Windows AD Objects App Custom Fields

configuration

development

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Continue Your Federation Journey: Join Session 3 of the Bootcamp Series

Announcing Modern Navigation: A New Era of Splunk User Experience

Casting Call: Compete in Cyber Games

Join the Conversation