
MS Windows AD Objects change objectClass

kmuellercm
Explorer

I have a unique situation where some of my users have a slightly different objectClass than usual, and I'm trying to find a way to mask that so the default searches in the MS AD Objects app work properly.

Basically the users are being parsed as objectClass="top|otherClass|person|organizationalPerson|user"

I want to selectively remove otherClass using a transform or props stanza, but I'm unable to do so. I've tried the following on the indexer in the Windows TA application:
transforms.conf:
[msad_fix_objectClass]
SOURCE_KEY = _raw
REGEX = (?ms).objectClass=(top|)(?:otherClass|)(person|organizationalPerson|user).
FORMAT = objectClass::"$1$2"

props.conf:
[ActiveDirectory]
TRANSFORMS-objectClass = msad_fix_objectClass

But it's not working properly. Anyone have ideas?


kmuellercm
Explorer

Oh I answered my own question....

I was going about it incorrectly, I needed to use SEDCMD rather than a transform. SEDCMD is also way easier and more straightforward but took a bit to get the syntax correct.

The pipes in the input were throwing me off; I needed to escape them with a backslash.

replace top|otherClass|
with just top|
in all locations in the event (g)

s/top\|otherClass\|/top\|/g

Be sure you understand that this applies to _raw, so make sure your match is specific and only ever matches that string. This is why I made sure to include the top| parameter. Hopefully these don't move around arbitrarily 🙂

props.conf (on the indexer and search head--honestly not sure which worked)

[ActiveDirectory]
SEDCMD-fixObjectClass = s/top\|otherClass\|/top\|/g
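The escaping point and the "this applies to _raw" caveat from the answer above, as an added Python example (not code from the post or from Splunk). It assumes SEDCMD regexes behave like Python's re module, so a bare | is alternation and \| is a literal pipe; the sample events are constructed, and only a plain s/regex/replacement/g without backreferences is modelled.

```python
import re

# Constructed sample events (not from the post). The first carries the extra
# class, the second is a normal user, the third has the same string in a
# second field to show that SEDCMD rewrites the whole _raw event, not one field.
SAMPLE_EVENTS = [
    'objectClass="top|otherClass|person|organizationalPerson|user" sAMAccountName="alice"',
    'objectClass="top|person|organizationalPerson|user" sAMAccountName="bob"',
    'objectClass="top|otherClass|person|organizationalPerson|user" memberOf="top|otherClass|grp"',
]

ESCAPED_SEDCMD = r"s/top\|otherClass\|/top\|/g"   # the working form from the answer
UNESCAPED_SEDCMD = r"s/top|otherClass|/top|/g"    # the same rule with bare pipes


def apply_sedcmd(raw: str, sedcmd: str) -> str:
    """Apply one 's/regex/replacement/[g]' SEDCMD to a raw event string.

    Assumption: the regex is evaluated by Python's re module, so '\\|' is a
    literal pipe and a bare '|' is alternation. The replacement is inserted
    verbatim after un-escaping '\\|'; backreferences are not supported here.
    """
    m = re.fullmatch(r"s/(.*?)/(.*?)/(g?)", sedcmd)
    if not m:
        raise ValueError(f"unsupported SEDCMD syntax: {sedcmd}")
    pattern, replacement, global_flag = m.groups()
    literal = replacement.replace(r"\|", "|")
    return re.sub(pattern, lambda _m: literal, raw, count=0 if global_flag else 1)


def object_class(raw: str):
    """Extract the objectClass value the way the app's search would see it."""
    m = re.search(r'objectClass="([^"]*)"', raw)
    return m.group(1) if m else None


def rewrite_all(sedcmd: str = ESCAPED_SEDCMD):
    """Run one SEDCMD over every sample event and return the rewritten _raw."""
    return [apply_sedcmd(event, sedcmd) for event in SAMPLE_EVENTS]


if __name__ == "__main__":
    for before, after in zip(SAMPLE_EVENTS, rewrite_all()):
        print(object_class(before), "->", object_class(after))
    # With bare pipes the regex also matches the empty string, so "top|" gets
    # sprinkled between characters instead of removing otherClass.
    print(rewrite_all(UNESCAPED_SEDCMD)[0][:40])
```

The third event shows why the match must be specific: the memberOf value is rewritten too, because SEDCMD never knows which field it is inside.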