Hello,
I'm trying to set up an alert when someone creates or modifies an Active Directory account with a uidNumber that already exists in another account.
I already have a search that finds changes to accounts (below). I want to modify this search so that if the Property that changed is "uidNumber" it then searches LDAP to see if that value already exists on another account, and sends an alert that contains both the new and existing account names, the uidNumber, and the admin that made the change.
This is the current search I have to find all changes:
As a separate sort of related question - any idea why when I remove "obj_dn" from the table command I get no results at all? I'm using ldapfilter here to get the cn of an object using the obj_dn field, but I didn't think I needed it anymore after that
index=wineventlog EventCode=5136 sourcetype=WinEventLog | sort -_time | ldapfilter domain=*** search="(DistinguishedName=$obj_dn$)" attrs="cn" | rename cn as affected_user, LDAP_Display_Name as Property, dir_svcs_action as action | table _time, Account_Name, Property, Value, action, affected_user, obj_dn
I made SOME progress on this by using map. This returns the duplicate value, however I also want to get the "Account_Name" field of the original search - any way to do that?
index="wineventlog" EventCode=5136 LDAP_Display_Name=uidNumber
| rename Value as uidNumber
| fields user, uidNumber, Account_Name
| map search="| ldapsearch domain=*** search=\"(uidNumber=$uidNumber$)\" attrs=\"*\""
| stats values(uidNumber) as uidNumber, values(dn) as dn, values(cn) as cn
I have a suspicion that Account_Name and uidNumber are equally populated, and that your intention is to get one row per uidNumber, not a multivalued uidNumber. If this is correct, just put Account_Name and uidNumber in groupby.
index="wineventlog" EventCode=5136 LDAP_Display_Name=uidNumber
| rename Value as uidNumber
| fields user, uidNumber, Account_Name
| map search="| ldapsearch domain=*** search=\"(uidNumber=$uidNumber$)\" attrs=\"*\""
| stats values(dn) as dn, values(cn) as cn by Account_Name uidNumber
If Account_Name may be null with a valid uidNumber, you can use values to preserve null values, like
index="wineventlog" EventCode=5136 LDAP_Display_Name=uidNumber
| rename Value as uidNumber
| fields user, uidNumber, Account_Name
| map search="| ldapsearch domain=*** search=\"(uidNumber=$uidNumber$)\" attrs=\"*\""
| stats values(Account_Name) as Account_Name values(dn) as dn, values(cn) as cn by uidNumber
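The correlation the thread builds in SPL, written out as an added Python example (not code from either poster) so the logic can be checked offline: it walks constructed Event ID 5136 records, looks up each new uidNumber in a constructed stand-in for the directory, and excludes the object being modified from the match, since the ldapsearch on uidNumber will always return that account too. Field names (Account_Name, LDAP_Display_Name, Value, obj_dn, dn, cn) follow the thread; the sample data is constructed.

```python
# Added example, not from the original thread: duplicate-uidNumber alert logic
# over constructed 5136 events and a constructed directory (no Splunk/LDAP needed).

# Constructed sample of Event ID 5136 records, fields as Splunk extracts them.
EVENTS = [
    {"_time": "2024-01-10T10:00:00", "Account_Name": "admin1",
     "LDAP_Display_Name": "uidNumber", "Value": "5001",
     "obj_dn": "CN=jdoe,OU=Users,DC=example,DC=com"},
    {"_time": "2024-01-10T10:05:00", "Account_Name": "admin2",
     "LDAP_Display_Name": "uidNumber", "Value": "5002",
     "obj_dn": "CN=asmith,OU=Users,DC=example,DC=com"},
    {"_time": "2024-01-10T10:06:00", "Account_Name": "admin2",
     "LDAP_Display_Name": "description", "Value": "5001",   # not a uidNumber change
     "obj_dn": "CN=asmith,OU=Users,DC=example,DC=com"},
]

# Constructed stand-in for what ldapsearch/ldapfilter would return from AD.
DIRECTORY = [
    {"dn": "CN=jdoe,OU=Users,DC=example,DC=com", "cn": "jdoe", "uidNumber": "5001"},
    {"dn": "CN=bjones,OU=Users,DC=example,DC=com", "cn": "bjones", "uidNumber": "5001"},
    {"dn": "CN=asmith,OU=Users,DC=example,DC=com", "cn": "asmith", "uidNumber": "5002"},
]


def ldapsearch_uid(directory, uid):
    """Stand-in for: ldapsearch search="(uidNumber=$uidNumber$)" attrs="*"."""
    return [e for e in directory if e["uidNumber"] == uid]


def cn_for_dn(directory, dn):
    """Stand-in for: ldapfilter search="(DistinguishedName=$obj_dn$)" attrs="cn"."""
    return next((e["cn"] for e in directory if e["dn"] == dn), None)


def find_uid_collisions(events, directory):
    """One alert row per uidNumber change whose value exists on another account."""
    alerts = []
    for ev in events:
        if ev["LDAP_Display_Name"] != "uidNumber":
            continue
        uid = ev["Value"]
        # Drop the modified object itself; only other accounts count as duplicates.
        others = [e for e in ldapsearch_uid(directory, uid) if e["dn"] != ev["obj_dn"]]
        if not others:
            continue
        alerts.append({
            "_time": ev["_time"],
            "admin": ev["Account_Name"],            # who made the change
            "uidNumber": uid,
            "changed_account": cn_for_dn(directory, ev["obj_dn"]),
            "existing_accounts": sorted(e["cn"] for e in others),
        })
    return alerts
```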