Splunk Enterprise Security

How to assign a Category and Priority for Splunk Enterprise Security using ldapsearch?

kiran331
Builder

Hi

I'm trying to create an Identity Lookup for Splunk Enterprise Security. I have users from a Group and from OUs which have to be critical. I'm using the search below; the OU case is working but not the group one. Is there anything I'm missing?

| ldapsearch domain="XXXXX" search="(&(objectClass=user)(!(objectClass=computer)))" attrs="sAMAccountName,displayName,givenName,sn,mail,telephoneNumber,manager,department,whenCreated,accountExpires,userAccountControl,distinguishedName,userPrincipalName,employeeID"
| search userAccountControl="NORMAL_ACCOUNT"
| eval suffix=""
| eval priority=case(like(distinguishedName,"%OU=AdminAccounts,DC=XXXXXXX,DC=com"), "critical",
                     like(distinguishedName,"%OU=DomainAdmins,OU=AdminAccounts,DC=XXXXXX,DC=com"), "critical",
                     like(sAMAccountName,"%CN=Enterprise Admins ,CN=Users,DC=XXXXXX,DC=com"), "critical",
                     1==1,"medium")
| eval category=case(like(distinguishedName,"%OU=DomainAdmins,OU=AdminAccounts,DC=XXXXXX,DC=com"), "Domain Admins",
                     like(distinguishedName,"%OU=AdminAccounts,DC=XXXXXX,DC=com"), "Admin Accounts",
                     like(sAMAccountName,"%CN=Enterprise Admins ,CN=Users,DC=XXXXXX,DC=com"), "Enterprise Admins",
                     1==1,"normal")
| eval endDate=""
| eval watchlist="false"
| table sAMAccountName,personalTitle,displayName,givenName,sn,suffix,mail,telephoneNumber,mobile,manager,priority,department,category,watchlist,startDate,endDate
| rename sAMAccountName as identity, personalTitle as prefix, displayName as nick, givenName as first, sn as last, mail as email, telephoneNumber as phone, mobile as phone2, manager as managedBy, department as bunit

Enterprise Admins is not working here?

0 Karma
1 Solution

Richfez
SplunkTrust

(EDIT: Found another issue)

You have a space in your search that shouldn't be there, and I don't think samaccountname is going to work.

like(sAMAccountName,"%CN=Enterprise Admins ,CN=Users,DC=XXXXXX,DC=com"), "critical",

Should instead be

like(distinguishedName,"%CN=Enterprise Admins,CN=Users,DC=XXXXXX,DC=com"), "critical",

You probably could use sAMAccountName, but if you do so you need to match on just Enterprise Admins. (At which point you shouldn't need a like.)

Let us know if this works! Happy Splunking!

-Rich

0 Karma
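An added example, not code from the original post or from Splunk: the question's case() logic reproduced in Python over constructed AD entries, so the two kinds of test sit side by side. A suffix test on distinguishedName (the OU branches) tells you where a user object sits in the directory tree; membership of a security group such as Enterprise Admins is not visible anywhere in the user's distinguishedName, it is carried in the user's memberOf attribute, so that attribute has to be requested from ldapsearch and tested on its own. The example also goes beyond the single case() in the question: every matching rule contributes, the highest priority wins and all categories are kept, pipe-delimited as the ES identity lookup allows. Domain components, OU names, group DNs and account names are constructed placeholders.

```python
"""Classify AD user entries for a Splunk ES identity lookup (added example).

Two independent tests, mirroring the question's case() branches:
- placement in an OU  -> suffix test on distinguishedName
- security-group membership (Enterprise Admins, Domain Admins) -> test on memberOf
Domain components, OU names and accounts below are constructed placeholders.
"""
from dataclasses import dataclass, field

DOMAIN_DN = "DC=example,DC=com"  # constructed; stands in for DC=XXXXXX,DC=com

# Most-specific rule first, as in the SPL case(). (dn, priority, category)
OU_RULES = [
    (f"OU=DomainAdmins,OU=AdminAccounts,{DOMAIN_DN}", "critical", "Domain Admins"),
    (f"OU=AdminAccounts,{DOMAIN_DN}", "critical", "Admin Accounts"),
]
GROUP_RULES = [
    (f"CN=Enterprise Admins,CN=Users,{DOMAIN_DN}", "critical", "Enterprise Admins"),
    (f"CN=Domain Admins,CN=Users,{DOMAIN_DN}", "critical", "Domain Admins"),
]
# ES identity priority values, lowest to highest.
PRIORITY_RANK = {"unknown": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class AdUser:
    sAMAccountName: str
    distinguishedName: str
    memberOf: list[str] = field(default_factory=list)  # direct group DNs only


def _norm(dn: str) -> str:
    """Case-fold and strip blanks around RDN separators, so the stray space in
    'CN=Enterprise Admins ,CN=Users' no longer breaks a comparison. AD DNs are
    case-insensitive. (Escaped commas inside an RDN are not handled here.)"""
    return ",".join(part.strip() for part in dn.split(",")).casefold()


def in_ou(user: AdUser, ou_dn: str) -> bool:
    """Suffix test on the user's own DN, the equivalent of like(dn, '%OU=...')."""
    return _norm(user.distinguishedName).endswith("," + _norm(ou_dn))


def in_group(user: AdUser, group_dn: str) -> bool:
    """True if group_dn is one of the user's direct memberOf values."""
    target = _norm(group_dn)
    return any(_norm(g) == target for g in user.memberOf)


def dn_contains_group(user: AdUser, group_dn: str) -> bool:
    """The question's approach: look for the group DN inside the user's DN.
    Kept only to show it never matches a user object, whatever the spelling."""
    return _norm(group_dn) in _norm(user.distinguishedName)


def classify(user: AdUser) -> dict:
    """Return identity, priority and category for one user.
    Every matching rule contributes: highest priority wins, all categories are
    kept, joined with '|' as the ES identity lookup expects."""
    priority = "medium"
    categories: list[str] = []
    matches = [(p, c) for ou_dn, p, c in OU_RULES if in_ou(user, ou_dn)]
    matches += [(p, c) for grp_dn, p, c in GROUP_RULES if in_group(user, grp_dn)]
    for p, c in matches:
        if PRIORITY_RANK[p] > PRIORITY_RANK[priority]:
            priority = p
        if c not in categories:
            categories.append(c)
    return {
        "identity": user.sAMAccountName,
        "priority": priority,
        "category": "|".join(categories) if categories else "normal",
    }


# Constructed sample entries, not real directory data.
SAMPLE_USERS = [
    AdUser("jdoe", f"CN=John Doe,CN=Users,{DOMAIN_DN}"),
    AdUser("adm-jdoe", f"CN=adm-jdoe,OU=DomainAdmins,OU=AdminAccounts,{DOMAIN_DN}",
           [f"CN=Domain Admins,CN=Users,{DOMAIN_DN}"]),
    AdUser("svc-backup", f"CN=svc-backup,OU=AdminAccounts,{DOMAIN_DN}"),
    # Enterprise Admin whose account lives in plain CN=Users: only memberOf
    # reveals it. The stray space before the comma mimics the question.
    AdUser("ea-kim", f"CN=ea-kim,CN=Users,{DOMAIN_DN}",
           [f"CN=Enterprise Admins ,CN=Users,{DOMAIN_DN}"]),
]


def rows_by_identity(users=SAMPLE_USERS) -> dict:
    """Lookup rows keyed by identity, as they would be written to the CSV."""
    return {row["identity"]: row for row in (classify(u) for u in users)}


if __name__ == "__main__":
    for row in rows_by_identity().values():
        print(row)
```

In SPL the same split means adding memberOf to the ldapsearch attrs and testing that multivalue field, for instance with isnotnull(mvfind(memberOf, "^CN=Enterprise Admins,")), instead of a like() on distinguishedName or sAMAccountName. Two caveats a practitioner will hit: memberOf lists direct membership only, so users who are Enterprise Admins through a nested group need the group's member list expanded separately, and the domain's primary group (normally Domain Users) is recorded in primaryGroupID rather than memberOf.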

Richfez
SplunkTrust

ADSI Edit can help you here. Run "ADSI Edit", drill down to the section where the right CN is (Enterprise Admins in this case), right-click on it and pick "Properties", then scroll down in there to find the various fields you need. If you click the "View" button when you have the right value selected, you can copy and paste it out of there.

0 Karma