- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Security
- :
- using SA-ldapsearch to search for related accounts
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
using SA-ldapsearch to search for related accounts
I want to set up an alert if an account is disabled in active directory, a related account exists, and is left enabled. The relationship between the accounts is defined, for example, related accounts have the same sAMAccountName but with a number appended to the end to make them unique.
For example:
I have an account in active directory that was disabled: sAMAccountName=Sara. I want to verify the account is still disabled, and if so, automatically check active directory to see if Sara1 or Sara(whatever) exists, and if it is still enabled.
I need to verify because this search will not be running in real-time, so it is possible an account was disabled and re-enabled, and I do not want this to generate results.
I have SA-ldapsearch installed, and I can get various parts of this to work, but not all in the same search.
• I can perform the basic search to return results of all accounts that were disabled.
• I can use ldapfilter to check attributes and verify the account is still disabled.
• I have used ldapsearch separately to return attributes of existing accounts, and can use the wildcard to find all the accounts I want.
How do I put this all together? How do I take the results of the first half of my search, and feed them into an ldapsearch command adding a wildcard? When I try this I run into the problem that ldapsearch must be the first command of a search.
I have thought about splitting this into two searches and using a lookup file to store the results, but that seems like an awfully complex way to do this. And I am not even sure it would work.
What other options do I have?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your best bet for this is to create a lookup with the associated accounts in it. Create a table with the account name and the associated account. You should have a CSV file that looks like this:
src_nt_domain,src_user,assoc_user
XXX,Sara,Sara1
XXX,Sara,Sara2
XXX,Tom,Tom87
Whatever is appropriate to your environment. You can do this with an ldapsearch:
|ldapsearch domain=XXX search="(&(objectClass=user)(!(objectclass=computer)))" attrs="sAMAccountName" | rename sAMAccountName as assoc_user | eval isAssoc=if(match(assoc_user,"\d+$"),1,0) | where isAssoc=1 | rex field=assoc_user "^(?<src_user>.*?)\d+$" | eval src_nt_domain=XXX | table src_nt_domain,src_user,assoc_user | outputlookup associated_users.csv
Now, with that lookup, you can do what you want:
sourcetype=WinEventLog:Security (EventCode=629 OR EventCode=4725) | lookup associated_users src_nt_domain,src_user OUTPUT assoc_user | ldapfilter domain=$src_nt_domain$ search="(sAMAccountName=$assoc_user$)" attrs="userAccountControl" | where userAccountControl!="*DISABLE*" | stats values(assoc_user) by src_nt_domain,src_user
What you will get is a table with the domain and username of the newly-disabled user and the list of associated accounts that have not been disabled yet.
(Note: search commands have not been verified independently, since I don't have your environment)
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
