Splunk Enterprise Security

LDAP query for identities for Enterprise Security

TheSplunkDude
Explorer

I’m trying to populate my users with the following query.
One of the issues I have is certain users don’t have the manager field filled in in AD, so I get a null value. For the manager’s that are populating the managedBy field I get the relative distinguished names (RDN) connected by commas, so I use the following | rex field=managedBy "^CN=(?\w*)," to get the sAMAccountName value.
Once I have this value I would like to a |ldapfilter on this field to return a readable first name, last name value.
The issue I have, when I try to run the |ldapfilter command it only returns the enriched data where there was a manager field value. if my total user count is 30,000 it only returns 5,000 users that have a manager value field.
I think I need to use a |eval statement before running the | ldapfilter command on the managedBy field but I’m not sure how to craft that. Essentially, I would like a search to return all 30,000 users and if a managerBy field has a value run the ldapfilter and give me a readable field.

|ldapsearch search="(&(objectclass=user)(!(objectClass=computer)))" attrs="userAccountControl,sAMAccountName,personalTitle,displayName,givenName,sn,mail,telephoneNumber,mobile,manager,department,whenCreated,accountExpires"
|makemv userAccountControl
|search userAccountControl="NORMAL_ACCOUNT"
|eval suffix=""
|eval priority="medium"
|eval category="normal"
|eval watchlist="false"
|eval endDate=""
|table sAMAccountName,personalTitle,displayName,givenName,sn,suffix,mail,telephoneNumber,mobile,manager,priority,department,category,watchlist,whenCreated,endDate
|rename sAMAccountName as identity, personalTitle as prefix, displayName as nick, givenName as first, sn as last, mail as email, telephoneNumber as phone, mobile as phone2, manager as managedBy, department as bunit, whenCreated as startDate
| rex field=managedBy "^CN=(?\w*),"
| ldapfilter search="(sAMAccountNAme=$Manager$)" attrs="displayName"
| rename displayName as managedBy

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!