Splunk Enterprise Security

How to assign a Category and Priority for Splunk Enterprise Security using ldapsearch?

kiran331
Builder

Hi

I'm trying to create an Identity Lookup for Splunk Enterprise Security. I have users from a Group and from OUs which have to be critical. I'm using the search below; the OU case is working but not the group one. Is there anything I'm missing?

| ldapsearch domain="XXXXX" search="(&(objectClass=user)(!(objectClass=computer)))" attrs="sAMAccountName,displayName,givenName,sn,mail,telephoneNumber,manager,department,whenCreated,accountExpires, userAccountControl, distinguishedName,userPrincipalName,employeeID"
| search userAccountControl="NORMAL_ACCOUNT"
| eval suffix=""
| eval priority=case(like(distinguishedName,"%OU=AdminAccounts,DC=XXXXXXX,DC=com"), "critical",
                     like(distinguishedName,"%OU=DomainAdmins,OU=AdminAccounts,DC=XXXXXX,DC=com"), "critical",
                     like(sAMAccountName,"%CN=Enterprise Admins ,CN=Users,DC=XXXXXX,DC=com"), "critical",
                     1==1, "medium")
| eval category=case(like(distinguishedName,"%OU=DomainAdmins,OU=AdminAccounts,DC=XXXXXX,DC=com"), "Domain Admins",
                     like(distinguishedName,"%OU=AdminAccounts,DC=XXXXXX,DC=com"), "Admin Accounts",
                     like(sAMAccountName,"%CN=Enterprise Admins ,CN=Users,DC=XXXXXX,DC=com"), "Enterprise Admins",
                     1==1, "normal")
| eval endDate=""
| eval watchlist="false"
| table sAMAccountName,personalTitle,displayName,givenName,sn,suffix,mail,telephoneNumber,mobile,manager,priority,department,category,watchlist,startDate,endDate
| rename sAMAccountName as identity, personalTitle as prefix, displayName as nick, givenName as first, sn as last, mail as email, telephoneNumber as phone, mobile as phone2, manager as managedBy, department as bunit

Enterprise Admins is not working here?

0 Karma
1 Solution

Richfez
SplunkTrust

(EDIT: Found another issue)

You have a space in your search that shouldn't be there, and I don't think samaccountname is going to work.

like(sAMAccountName,"%CN=Enterprise Admins ,CN=Users,DC=XXXXXX,DC=com"), "critical",

Should instead be

like(distinguishedName,"%CN=Enterprise Admins,CN=Users,DC=XXXXXX,DC=com"), "critical",

You probably could use sAMAccountName, but if you do so you need to match on just Enterprise Admins. (At which point you shouldn't need a like.)

Let us know if this works! Happy Splunking!

-Rich


0 Karma
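To make the matching behaviour concrete, here is an added Python example (not from the thread or from Splunk) that emulates SPL like() over constructed LDAP entries and builds the priority/category columns the identity lookup needs. It goes beyond the thread in one respect, which is an assumption on my part: group membership is read from the user's memberOf attribute (which would need to be added to the ldapsearch attrs list), since a user's own distinguishedName never contains a group's DN; DC=example,DC=com stands in for the redacted domain.

```python
import re

# Constructed stand-in for the thread's redacted "DC=XXXXXX,DC=com" suffix.
DOMAIN = "DC=example,DC=com"
ENTERPRISE_ADMINS_DN = f"CN=Enterprise Admins,CN=Users,{DOMAIN}"

def spl_like(value: str, pattern: str) -> bool:
    """Emulate SPL like(): '%' matches any run of characters, '_' exactly one.
    Matching is case-sensitive and must consume the whole value."""
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None

def classify(entry: dict) -> tuple:
    """Return (priority, category) for one LDAP user entry.
    OU placement is read from distinguishedName, as in the thread's case().
    Group membership is read from memberOf (assumption: requested in attrs),
    because a user's own DN never contains a group's DN."""
    dn = entry.get("distinguishedName", "")
    groups = entry.get("memberOf", [])
    if spl_like(dn, f"%OU=DomainAdmins,OU=AdminAccounts,{DOMAIN}"):
        return "critical", "Domain Admins"
    if spl_like(dn, f"%OU=AdminAccounts,{DOMAIN}"):
        return "critical", "Admin Accounts"
    if ENTERPRISE_ADMINS_DN in groups:  # exact DN comparison, no wildcard needed
        return "critical", "Enterprise Admins"
    return "medium", "normal"

def identity_row(entry: dict) -> dict:
    """Shape one entry into the ES identity-lookup columns the thread renames to."""
    priority, category = classify(entry)
    return {"identity": entry.get("sAMAccountName", ""), "first": entry.get("givenName", ""),
            "last": entry.get("sn", ""), "email": entry.get("mail", ""),
            "bunit": entry.get("department", ""), "priority": priority,
            "category": category, "watchlist": "false"}

# Constructed sample entries (not real directory data).
SAMPLE_ENTRIES = [
    {"sAMAccountName": "jdoe", "distinguishedName": f"CN=John Doe,OU=Staff,{DOMAIN}", "memberOf": []},
    {"sAMAccountName": "adm-asmith", "memberOf": [f"CN=Domain Admins,CN=Users,{DOMAIN}"],
     "distinguishedName": f"CN=adm-asmith,OU=DomainAdmins,OU=AdminAccounts,{DOMAIN}"},
    {"sAMAccountName": "adm-blee", "distinguishedName": f"CN=adm-blee,OU=AdminAccounts,{DOMAIN}", "memberOf": []},
    {"sAMAccountName": "ea-cwong", "distinguishedName": f"CN=ea-cwong,OU=Staff,{DOMAIN}",
     "memberOf": [ENTERPRISE_ADMINS_DN]},
]

if __name__ == "__main__":
    for e in SAMPLE_ENTRIES:
        print(identity_row(e))
    # The stray space from the original pattern matches nothing, even against the group DN itself.
    print(spl_like(ENTERPRISE_ADMINS_DN, f"%CN=Enterprise Admins ,CN=Users,{DOMAIN}"))  # False
```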

Richfez
SplunkTrust

ADSI Edit can help you here. Run "ADSI Edit", drill down to the section where the right CN is (Enterprise Admins in this case), right-click on it and pick "properties", then scroll down in there to find the various fields you need. If you click the "view" button when you have the right value selected, you can copy and paste it out of there.

0 Karma