Splunk Search

How to use ldap filter to find duplicate values?

Niro
Explorer

Hello,

I'm trying to set up an alert when someone creates or modifies an Active Directory account with a uidNumber that already exists in another account.

I already have a search that finds changes to accounts (below). I want to modify this search so that if the Property that changed is "uidNumber" then search ldap to see if it already exists on another account, and send an alert that contains both new and existing accounts names, uidnumber, and admin that made the change.

This is the current search I have to find all changes

As a separate, sort-of-related question: any idea why, when I remove "obj_dn" from the table command, I get no results at all? I'm using ldapfilter here to get the cn of an object using the obj_dn field, but I didn't think I needed it anymore after that.

index=wineventlog EventCode=5136 sourcetype=WinEventLog
| sort -_time
| ldapfilter domain=*** search="(DistinguishedName=$obj_dn$)" attrs="cn"
| rename cn as affected_user, LDAP_Display_Name as Property, dir_svcs_action as action
| table _time, Account_Name, Property, Value, action, affected_user, obj_dn

0 Karma

Niro
Explorer

I made SOME progress on this by using map. This returns the duplicate value; however, I also want to get the "Account_Name" field of the original search. Any way to do that?

index="wineventlog" EventCode=5136 LDAP_Display_Name=uidNumber
| rename Value as uidNumber
| fields user, uidNumber, Account_Name
| map search="| ldapsearch domain=*** search=\"(uidNumber=$uidNumber$)\" attrs=\"*\""
| stats values(uidNumber) as uidNumber, values(dn) as dn, values(cn) as cn
0 Karma

yuanliu
SplunkTrust

I have a suspicion that Account_Name and uidNumber are equally populated, and that your intention is to get one row per uidNumber, not a multivalued uidNumber. If this is correct, just put Account_Name and uidNumber in groupby.

index="wineventlog" EventCode=5136 LDAP_Display_Name=uidNumber
| rename Value as uidNumber
| fields user, uidNumber, Account_Name
| map search="| ldapsearch domain=*** search=\"(uidNumber=$uidNumber$)\" attrs=\"*\""
| stats values(dn) as dn, values(cn) as cn by Account_Name uidNumber

If Account_Name may be null with a valid uidNumber, you can use values to preserve null values, like

index="wineventlog" EventCode=5136 LDAP_Display_Name=uidNumber
| rename Value as uidNumber
| fields user, uidNumber, Account_Name
| map search="| ldapsearch domain=*** search=\"(uidNumber=$uidNumber$)\" attrs=\"*\""
| stats values(Account_Name) as Account_Name values(dn) as dn, values(cn) as cn by uidNumber

0 Karma
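A variant of the map-based search from the two posts above that keeps the admin who made the change and the changed object next to the LDAP match, and excludes the changed account from its own duplicate check. This is an added illustration, not code from either poster. It assumes the same Splunk Supporting Add-on for AD commands (ldapsearch, ldapfilter) and the same 5136 field names (Account_Name, obj_dn, LDAP_Display_Name, Value) used in the thread; the `***` domain placeholder is left as the thread wrote it, and the output field names (changed_by, changed_dn, new_account, existing_account, existing_dn, change_time) are arbitrary names chosen for the example. The point it shows is that the subsearch run by map only sees token values, so any outer field that has to survive is re-created inside the subsearch with eval from its `$token$`:

```spl
index=wineventlog sourcetype=WinEventLog EventCode=5136 LDAP_Display_Name=uidNumber
| rename Value as uidNumber, Account_Name as changed_by
| eval change_time=_time
| where match(uidNumber, "^\d+$")
| fields change_time, changed_by, obj_dn, uidNumber
| map maxsearches=100 search="| ldapsearch domain=*** search=\"(uidNumber=$uidNumber$)\" attrs=\"cn,uidNumber\" | eval changed_by=\"$changed_by$\", changed_dn=\"$obj_dn$\", change_time=$change_time$"
| where lower(dn)!=lower(changed_dn)
| rename cn as existing_account, dn as existing_dn
| ldapfilter domain=*** search="(distinguishedName=$changed_dn$)" attrs="cn"
| rename cn as new_account
| eval change_time=strftime(change_time, "%Y-%m-%d %H:%M:%S")
| table change_time, changed_by, new_account, changed_dn, existing_account, existing_dn, uidNumber
```

Any row this returns is an alert: an account (new_account / changed_dn) was given a uidNumber that another object (existing_account / existing_dn) already holds, and changed_by is the admin from the 5136 event. The `where match(uidNumber, "^\d+$")` guard is there because the attribute value is substituted straight into an LDAP filter; a non-numeric value written into uidNumber would otherwise be injected into the filter syntax, and obj_dn values containing parentheses or backslashes would need RFC 4515 escaping for the same reason. maxsearches is raised from map's default of 10 so a busy interval does not silently drop events from the check; for a large directory, a scheduled `| ldapsearch ... | outputlookup` snapshot of cn, distinguishedName and uidNumber plus a `lookup` in the 5136 search avoids one LDAP query per event altogether.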