Hi
I'm trying to create an Identity Lookup for Splunk Enterprise Security. I have users from groups and OUs which have to be critical. I'm using the search below; the OU case is working but not the group one. Is there anything I'm missing?
| ldapsearch domain="XXXXX" search="(&(objectClass=user)(!(objectClass=computer)))" attrs="sAMAccountName,displayName,givenName,sn,mail,telephoneNumber,manager,department,whenCreated,accountExpires, userAccountControl, distinguishedName,userPrincipalName,employeeID"
|search userAccountControl="NORMAL_ACCOUNT"
|eval suffix=""
| eval priority=case( like(distinguishedName,"%OU=AdminAccounts,DC=XXXXXXX,DC=com"), "critical",
like(distinguishedName,"%OU=DomainAdmins,OU=AdminAccounts,DC=XXXXXX,DC=com"), "critical",
like(sAMAccountName,"%CN=Enterprise Admins ,CN=Users,DC=XXXXXX,DC=com"), "critical",
1==1,"medium" )
| eval category=case( like(distinguishedName,"%OU=DomainAdmins,OU=AdminAccounts,DC=XXXXXX,DC=com"), "Domain Admins" ,
like(distinguishedName,"%OU=AdminAccounts,DC=XXXXXX,DC=com"), "Admin Accounts",
like(sAMAccountName,"%CN=Enterprise Admins ,CN=Users,DC=XXXXXX,DC=com"), "Enterprise Admins",
1==1,"normal" )
|eval endDate=""
|eval watchlist="false"
|table sAMAccountName ,personalTitle,displayName,givenName,sn,suffix,mail,telephoneNumber,mobile,manager,priority,department,category,watchlist,startDate,endDate
|rename sAMAccountName as identity,personalTitle as prefix, displayName as nick, givenName as first, sn as last, mail as email, telephoneNumber as phone, mobile as phone2, manager as managedBy, department as bunit
Enterprise Admins is not working here?

(EDIT: Found another issue)
You have a space in your search that shouldn't be there, and I don't think samaccountname is going to work.
like(sAMAccountName,"%CN=Enterprise Admins ,CN=Users,DC=XXXXXX,DC=com"), "critical",
Should instead be
like(distinguishedName,"%CN=Enterprise Admins,CN=Users,DC=XXXXXX,DC=com"), "critical",
You probably could use sAMAccountName, but if you do so you need to match on just "Enterprise Admins". (At which point you shouldn't need a like.)
Let us know if this works! Happy Splunking!
-Rich
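To make the fix above concrete, here is an added example (not code from the thread or from Splunk) that emulates the SPL like() wildcard and the case() chain from the original search against a few constructed AD user entries. It shows that the pattern with the stray space before the comma never matches the Enterprise Admins DN, while the corrected pattern does. The sample entries, the DC=XXXXXX placeholders, the memberOf values and the like() emulation are all assumptions; in Active Directory a user's group DNs are stored in the user's memberOf attribute, so the example checks the group pattern against those values as well as the user's own distinguishedName.

```python
import re

# Constructed sample AD user entries (assumption, not data from the thread).
# The DC=XXXXXX placeholders mirror the ones used in the original search.
SAMPLE_USERS = [
    {"sAMAccountName": "jdoe",
     "distinguishedName": "CN=John Doe,OU=DomainAdmins,OU=AdminAccounts,DC=XXXXXX,DC=com",
     "memberOf": ["CN=Domain Admins,CN=Users,DC=XXXXXX,DC=com"]},
    {"sAMAccountName": "asmith",
     "distinguishedName": "CN=Ann Smith,OU=AdminAccounts,DC=XXXXXX,DC=com",
     "memberOf": []},
    {"sAMAccountName": "ea-svc",
     "distinguishedName": "CN=EA Service,CN=Users,DC=XXXXXX,DC=com",
     "memberOf": ["CN=Enterprise Admins,CN=Users,DC=XXXXXX,DC=com"]},
    {"sAMAccountName": "bob",
     "distinguishedName": "CN=Bob,OU=Staff,DC=XXXXXX,DC=com",
     "memberOf": ["CN=Domain Users,CN=Users,DC=XXXXXX,DC=com"]},
]

# OU rules from the thread, applied to distinguishedName, most specific first:
# (like() pattern, priority, category)
DN_RULES = [
    ("%OU=DomainAdmins,OU=AdminAccounts,DC=XXXXXX,DC=com", "critical", "Domain Admins"),
    ("%OU=AdminAccounts,DC=XXXXXX,DC=com", "critical", "Admin Accounts"),
]

# The group pattern as posted (stray space before the comma) and as corrected.
BUGGY_GROUP_PATTERN = "%CN=Enterprise Admins ,CN=Users,DC=XXXXXX,DC=com"
FIXED_GROUP_PATTERN = "%CN=Enterprise Admins,CN=Users,DC=XXXXXX,DC=com"


def spl_like(value, pattern):
    """Emulate SPL like(): '%' matches any run of characters, '_' exactly one,
    everything else literally, anchored to the whole string. Case-sensitive
    matching is an assumption of this emulation."""
    regex = "".join(
        ".*" if ch == "%" else "." if ch == "_" else re.escape(ch)
        for ch in pattern
    )
    return re.fullmatch(regex, value) is not None


def classify(user, group_pattern):
    """Reproduce the case() chain: the first matching branch wins and the
    1==1 branch supplies the defaults ("medium", "normal")."""
    dn = user["distinguishedName"]
    for pattern, priority, category in DN_RULES:
        if spl_like(dn, pattern):
            return priority, category
    # Group DNs are recorded in the user's memberOf attribute, so the group
    # rule is checked there as well as against the user's own DN.
    candidates = [dn] + user.get("memberOf", [])
    if any(spl_like(c, group_pattern) for c in candidates):
        return "critical", "Enterprise Admins"
    return "medium", "normal"


def build_lookup(users, group_pattern):
    """Return {identity: (priority, category)}, the columns the identity
    lookup needs per sAMAccountName."""
    return {u["sAMAccountName"]: classify(u, group_pattern) for u in users}


if __name__ == "__main__":
    for label, pattern in (("buggy", BUGGY_GROUP_PATTERN), ("fixed", FIXED_GROUP_PATTERN)):
        print(label)
        for identity, (priority, category) in build_lookup(SAMPLE_USERS, pattern).items():
            print(f"  {identity:8s} priority={priority:8s} category={category}")
```

Running it shows the ea-svc entry falling through to medium/normal with the buggy pattern and landing on critical/Enterprise Admins with the corrected one, while the two OU-based rules are unaffected.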

ADSI Edit can help you here. Run "ADSI Edit", drill down to the section where the right CN is (Enterprise Admins in this case), right-click on it and pick "properties", then scroll down in there to find the various fields you need. If you click the "view" button when you have the right value selected, you can copy and paste it out of there.
