Security

test AD environment

stefani
Explorer

I have the following environment: 1 HF -> 1 indexer -> 1 SH, code 9.1

How do I onboard the AD controller data into my HF? I am using the Add-on for Active Directory. Any ldap commands? Any recommendations? Is this the right tool?

stefani
Explorer

One more thing, how do I get this query:

| ldapsearch search="(objectClass=group)" attrs="*"
| collect index=<ldapsearch>

in my SH?

I am following the tutorial?

The following steps are the same for saving new alerts or editing existing alerts.

  1. From the Add Actions menu, select Log event.
  2. Add the following event information to configure the alert action. Use plain text or tokens for search, job, or server metadata.
    • Event text
    • Source and sourcetype
    • Host
    • Destination index for the log event. The main index is the default destination. You can specify a different existing index.
       
How do I configure the event text to get the data in the SH? All I get is some event like:

5/3/24
10:00:01.000 AM
| ldapsearch search="(objectClass=group)" attrs="*" | collect index=<ldapsearch>

kprior201
Path Finder

I'm not sure I fully understand what's going on here. When you run the

|ldapsearch search="(objectClass=group)" attrs="*"
| collect index=<ldapsearch>

command on your forwarder, do you get results or an error message? If you get results, then you should be able to simply search against the index on your search head. If you don't get results, then there's something else going on: is the app configured correctly? is the query correct?

stefani
Explorer

If I run the command on my HF it is fine, it works. I configured the AD plugin to send events to the indexer. But if I run it on my SH it doesn't work. I guess the send event function is not configured properly, by that I mean this tutorial:

The following steps are the same for saving new alerts or editing existing alerts.

  1. From the Add Actions menu, select Log event.
  2. Add the following event information to configure the alert action. Use plain text or tokens for search, job, or server metadata.
    • Event text
    • Source and sourcetype
    • Host
    • Destination index for the log event. The main index is the default destination. You can specify a different existing index.

kprior201
Path Finder

It's possible that your SH isn't set up to reach your LDAP systems and that's why it's not returning results, but it's hard to say without more information. I'd recommend checking the logs for the add-on and seeing if you can find any errors or anything in there. You'll find these in $SPLUNK_HOME/var/log/splunk/SA-ldapsearch.log (Ref: https://docs.splunk.com/Documentation/SA-LdapSearch/3.0.8/User/UseSA-ldapsearchtotroubleshootproblem...)

kprior201
Path Finder

Hello!

1. You're on the right track. https://splunkbase.splunk.com/app/1151 is what you need to be using. The documentation for this add-on has information about how the ldapsearch part works. You can run ldapsearch commands via the command line of wherever this is configured. If you're wanting to import certain ldap data, you'll need to create scheduled searches (on the HFW) to pull that data into Splunk. Read through https://docs.splunk.com/Documentation/SA-LdapSearch/3.0.8/User/AbouttheSplunkSupportingAdd-onforActi... to get a good background on how to do that.

2. Yes, this is possible. The easiest way to do this is probably just to separate the data into different indexes using the collect command. Whatever data you want user1 to have, run a query for that data and collect to a certain index. Whatever data you want user2 to have, run a separate query to collect to a different index. There are other ways to do this as well, but that's the simplest I could think of.
