Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

using SA-ldapsearch to search for related accounts

JWBailey
Communicator
‎01-14-2014 11:07 AM

I want to set up an alert if an account is disabled in active directory, a related account exists, and is left enabled. The relationship between the accounts is defined, for example, related accounts have the same sAMAccountName but with a number appended to the end to make them unique.

For example:

I have an account in active directory that was disabled: sAMAccountName=Sara. I want to verify the account is still disabled, and if so, automatically check active directory to see if Sara1 or Sara(whatever) exists, and if it is still enabled.

I need to verify because this search will not be running in real-time, so it is possible an account was disabled and re-enabled, and I do not want this to generate results.

I have SA-ldapsearch installed, and I can get various parts of this to work, but not all in the same search.

• I can perform the basic search to return results of all accounts that were disabled.

• I can use ldapfilter to check attributes and verify the account is still disabled.

• I have used ldapsearch separately to return attributes of existing accounts, and can use the wildcard to find all the accounts I want.

How do I put this all together? How do I take the results of the first half of my search, and feed them into an ldapsearch command adding a wildcard? When I try this I run into the problem that ldapsearch must be the first command of a search.

I have thought about splitting this into two searches and using a lookup file to store the results, but that seems like an awfully complex way to do this. And I am not even sure it would work.

What other options do I have?

Reply

ahall_splunk
Splunk Employee
Splunk Employee
‎02-10-2014 09:17 AM

Your best bet for this is to create a lookup with the associated accounts in it. Create a table with the account name and the associated account. You should have a CSV file that looks like this:

src_nt_domain,src_user,assoc_user
XXX,Sara,Sara1
XXX,Sara,Sara2
XXX,Tom,Tom87

Whatever is appropriate to your environment. You can do this with an ldapsearch:

|ldapsearch domain=XXX search="(&(objectClass=user)(!(objectclass=computer)))" attrs="sAMAccountName" | rename sAMAccountName as assoc_user | eval isAssoc=if(match(assoc_user,"\d+$"),1,0) | where isAssoc=1 | rex field=assoc_user "^(?<src_user>.*?)\d+$" | eval src_nt_domain=XXX | table src_nt_domain,src_user,assoc_user | outputlookup associated_users.csv

Now, with that lookup, you can do what you want:

sourcetype=WinEventLog:Security (EventCode=629 OR EventCode=4725) | lookup associated_users src_nt_domain,src_user OUTPUT assoc_user | ldapfilter domain=$src_nt_domain$ search="(sAMAccountName=$assoc_user$)" attrs="userAccountControl" | where userAccountControl!="*DISABLE*" | stats values(assoc_user) by src_nt_domain,src_user

What you will get is a table with the domain and username of the newly-disabled user and the list of associated accounts that have not been disabled yet.

(Note: search commands have not been verified independently, since I don't have your environment)

Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...