Splunk Support for Active Directory: How to get User details from Active Directory with a user name?

kiran331
Builder

Hi

In a search result, I have a user name. How can I use LDAP commands to get the user attributes like display name, CN, email? Splunk Supporting Add-on for Active Directory is already installed.

0 Karma

javiergn
Super Champion

You can use ldapfilter for that, for example:

your base search here
| ldapfilter search="(&(objectclass=user)(!(objectClass=computer))(samAccountName=$samAccountName$))" attrs="sAMAccountName, personalTitle, displayName, givenName, sn, mail, telephoneNumber, mobile, manager, department, whenCreated, userAccountControl" 
  • The above assumes there's a field named samAccountName with the usernames you are planning to search for. In a similar way you can include any variable like this: $FIELDNAME$.

  • You can add as many attributes as you want but do not use * as it'll take forever. Better to be specific on what you want.

  • Note that if you don't have a default domain you are going to have to specify it with "domain=YOURDOMAIN"

Hope that helps.

Regards,
J

0 Karma

kiran331
Builder

Thanks for the Answer!

When I use the ldapfilter command, I'm getting the error "External search command 'ldapfilter' returned error code 1. Script output = " ERROR socket connection error: [Errno 111] Connection refused " ". When I use the ldapsearch command in another search, it's working. Can you let me know if you have any idea about this issue?

0 Karma

javiergn
Super Champion

I haven't seen that issue before.

  • Which version of the ldap app are you running?
  • Also, have you tried simplifying the search just in case what I wrote above doesn't fully work in your environment?
  • Are you able to provide a sample of the query you are trying to run and the expected output?
0 Karma

kiran331
Builder

Splunk Supporting Add-on for Active Directory - 2.1.2 and Splunk Enterprise version - 6.4.2

I tried to simplify the search; it's the same thing.

I'm trying to create an alert when a user is enabled.

Search I'm using:

eventtype=wineventlog_security EventCode=4722 user!=*$|eval time=strftime(_time, "%Y-%d-%m %H:%M") |  ldapfilter search="(&(objectclass=user)(!(objectClass=computer))(samAccountName=$user$))" attrs="sAMAccountName, displayName,sn,mail,manager" 

When I use ldapfilter, the output produces no results.

0 Karma
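An added offline illustration (not from the thread or the add-on itself) of what the ldapfilter search in javiergn's answer and the EventCode=4722 alert search above do: it fills the $user$ token into the same filter template, drops machine accounts (names ending in $, as user!=*$ does), and evaluates the filter against a constructed in-memory stand-in for Active Directory. The DIRECTORY entries, the event lines and the ldap_escape helper are constructed assumptions, not the add-on's own code.

```python
import re
from typing import Optional

# Constructed stand-in for the AD objects the ldapfilter query would hit.
DIRECTORY = [
    {"objectClass": ["top", "person", "user"], "sAMAccountName": "jdoe",
     "displayName": "Jane Doe", "sn": "Doe", "mail": "jdoe@example.test",
     "manager": "CN=Bob Boss,OU=Users,DC=example,DC=test"},
    {"objectClass": ["top", "person", "user", "computer"],
     "sAMAccountName": "WKS01$", "displayName": "WKS01"},
]

# Same attrs list as the alert search in the thread.
ATTRS = ["sAMAccountName", "displayName", "sn", "mail", "manager"]

def ldap_escape(value: str) -> str:
    """Escape filter metacharacters (RFC 4515) before inserting a field value."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29").replace("\0", "\\00"))

def build_filter(user: str) -> str:
    """The thread's filter template with the $user$ token filled in."""
    return ("(&(objectclass=user)(!(objectClass=computer))"
            f"(samAccountName={ldap_escape(user)}))")

def lookup(user: str) -> Optional[dict]:
    """Evaluate that filter against the stand-in directory (AD matches case-insensitively)."""
    for obj in DIRECTORY:
        classes = {c.lower() for c in obj["objectClass"]}
        if ("user" in classes and "computer" not in classes
                and obj["sAMAccountName"].lower() == user.lower()):
            return {a: obj.get(a) for a in ATTRS}
    return None

def enrich(events):
    """Mimic `EventCode=4722 user!=*$ | ldapfilter ...` over constructed event lines."""
    out = []
    for ev in events:
        m = re.search(r"EventCode=(\d+).*?\buser=(\S+)", ev)
        if not m or m.group(1) != "4722" or m.group(2).endswith("$"):
            continue  # not an account-enabled event, or a machine account
        out.append({"user": m.group(2), **(lookup(m.group(2)) or {})})
    return out

if __name__ == "__main__":
    sample = ["EventCode=4722 user=jdoe", "EventCode=4722 user=WKS01$",
              "EventCode=4720 user=jdoe"]  # constructed
    print(enrich(sample))
```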

kiran331
Builder

I tried using the domain name too.

0 Karma

javiergn
Super Champion

Hi, your search works fine for me.
Have you tried debugging this by listing a few users first with:

eventtype=wineventlog_security EventCode=4722 user!=*$ | head 10 | table user

And then using ldapsearch in a new search instead of ldapfilter to ensure your ldap queries are working fine?

| ldapsearch search="(&(objectclass=user)(!(objectClass=computer))(samAccountName=manuallySpecifyAUserFromYourList))" attrs="sAMAccountName, displayName,sn,mail,manager"

Have you also tried searching directly in your index and sourcetype instead of using eventtype?

0 Karma

kiran331
Builder

Yes, I tried |ldapsearch with user details and it's working and with index name it's working.

But when I use ldapfilter, it's showing an error:

External search command 'ldapfilter' returned error code 1. Script output = " ERROR socket connection error: [Errno 111] Connection refused "
0 Karma

javiergn
Super Champion

Hmm. Not sure.
If I were you I would try to upgrade from 2.1.2 to 2.1.3 and see if that helps.

The error you are listing is almost always Python related, and Splunk 6.4 comes with a lot of changes in the Python world, so maybe you need to run the latest app to be 100% sure it is compatible with 6.4.

0 Karma