Splunk Search

Active Directory Group Memberships

Inthegetto
Observer

I am new to Splunk and trying to determine how to set up an alert when a user in Active Directory is in two different AD groups. For example, if a user is in group A and group B, alert. Anyone have some direction on how to achieve this?


tscroggins
Builder

@Inthegetto 

Splunk Supporting Add-on for Active Directory includes the ldapsearch command. When properly configured for your AD domain(s), you can search for users in both groups with an appropriate LDAP filter:

| ldapsearch search="(&(objectCategory=person)(sAMAccountName=*)(memberOf:1.2.840.113556.1.4.1941:=cn=GroupA,ou=Groups,DC=example,DC=com)(memberOf:1.2.840.113556.1.4.1941:=cn=GroupB,ou=Groups,DC=example,DC=com))"

Running as a scheduled search, you can trigger an alert when the result count is greater than 0.

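To see what the filter in the answer above actually selects, here is an added example (not the poster's code and not part of SA-ldapsearch) that models the matching rule 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) over a small constructed directory, and builds the same escaped filter string for the two group DNs from the answer. The group "Nested", the user entries and the simplified objectCategory values are assumptions made up for the example; in real AD the filter is evaluated by the domain controller, not by client code.

```python
from collections import deque

# LDAP_MATCHING_RULE_IN_CHAIN, the extensible-match rule used in the answer's filter.
IN_CHAIN = "1.2.840.113556.1.4.1941"

GROUP_A = "cn=GroupA,ou=Groups,DC=example,DC=com"
GROUP_B = "cn=GroupB,ou=Groups,DC=example,DC=com"
GROUP_NESTED = "cn=Nested,ou=Groups,DC=example,DC=com"  # assumed group, nested into GroupB

# Constructed sample directory (not real AD data): DN -> attributes.
# objectCategory is simplified to a short name for the model.
DIRECTORY = {
    GROUP_A: {"objectCategory": "group", "memberOf": []},
    GROUP_B: {"objectCategory": "group", "memberOf": []},
    GROUP_NESTED: {"objectCategory": "group", "memberOf": [GROUP_B]},
    # direct member of both groups -> matches
    "cn=alice,ou=Users,DC=example,DC=com": {
        "objectCategory": "person", "sAMAccountName": "alice",
        "memberOf": [GROUP_A, GROUP_B]},
    # only GroupA -> does not match
    "cn=bob,ou=Users,DC=example,DC=com": {
        "objectCategory": "person", "sAMAccountName": "bob",
        "memberOf": [GROUP_A]},
    # GroupA directly, GroupB only through Nested -> matches because the rule walks the chain
    "cn=carol,ou=Users,DC=example,DC=com": {
        "objectCategory": "person", "sAMAccountName": "carol",
        "memberOf": [GROUP_A, GROUP_NESTED]},
    # contact object: objectCategory=person but no sAMAccountName -> excluded by (sAMAccountName=*)
    "cn=vendor contact,ou=Contacts,DC=example,DC=com": {
        "objectCategory": "person",
        "memberOf": [GROUP_A, GROUP_B]},
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_filter(group_dns) -> str:
    """Build the answer's filter: person objects with a sAMAccountName that sit,
    directly or through nested groups, in every listed group."""
    clauses = "".join(
        f"(memberOf:{IN_CHAIN}:={escape_filter_value(dn)})" for dn in group_dns)
    return f"(&(objectCategory=person)(sAMAccountName=*){clauses})"


def transitive_groups(dn: str, directory) -> set:
    """All groups reachable through memberOf, as lowercased DNs (DNs compare case-insensitively)."""
    seen = set()
    queue = deque(directory.get(dn, {}).get("memberOf", []))
    while queue:
        group = queue.popleft().lower()
        if group in seen:
            continue
        seen.add(group)
        entry = next((v for k, v in directory.items() if k.lower() == group), {})
        queue.extend(entry.get("memberOf", []))
    return seen


def matching_accounts(directory, group_dns) -> list:
    """sAMAccountNames the answer's filter would return, sorted."""
    wanted = {g.lower() for g in group_dns}
    hits = []
    for dn, attrs in directory.items():
        if attrs.get("objectCategory") != "person" or not attrs.get("sAMAccountName"):
            continue
        if wanted <= transitive_groups(dn, directory):
            hits.append(attrs["sAMAccountName"])
    return sorted(hits)


def should_alert(directory, group_dns) -> bool:
    """The scheduled-search trigger from the answer: fire when the result count is greater than 0."""
    return len(matching_accounts(directory, group_dns)) > 0


if __name__ == "__main__":
    print(build_filter([GROUP_A, GROUP_B]))
    print(matching_accounts(DIRECTORY, [GROUP_A, GROUP_B]))  # ['alice', 'carol']
    print(should_alert(DIRECTORY, [GROUP_A, GROUP_B]))
```

Two things the model makes visible: the in-chain rule catches membership inherited through nested groups (carol), which a plain `memberOf=` clause would miss, and `(sAMAccountName=*)` drops contact objects that share `objectCategory=person`. One caveat to keep in mind when tuning the alert: a user's primary group (primaryGroupID, usually Domain Users) is not listed in memberOf, so a filter on that group alone will not fire through this rule.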