Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Querying auth failures using ldapsearch and inputlookup

lbnsam
New Member
‎11-15-2019 06:49 AM

Hello there,

There are a couple of queries that I use to search for authentication failures on members of high-privileged groups. After testing, I noticed that the query is hit-and-miss. Specifically, if I reduce the number of groups in the search, it is more accurate. The structure of the query is as follows:

source="wineventlog:security"  EventCode=4625 AND (dest_nt_domain="Domain_Name") [| ldapsearch domain=Domain_Name search="(objectClass=group)"
| search cn="Domain Admins" OR cn="Administrators" OR cn="Print Operators" 
| ldapgroup
| rename member_name AS Account_Name | table Account_Name | format ]
| stats count by user

Note: The number of groups is around 200 or so.

My approach has been to place all of the groups in a csv file to be used as a LUT. However, I am having trouble combining the inputlookup command and the ldapsearch command. They are both required to be the first command in a search.

Any ideas are appreciated.

0 Karma
Reply

to4kawa
Ultra Champion
‎11-15-2019 06:18 PM 
 source="wineventlog:security"  EventCode=4625 AND dest_nt_domain="Domain_Name"
| stats count by user
| ldapsearch domain=Domain_Name search="(sAMAccountName=$user$)" attrs="sAMAccountName, cn"
| table sAMAccountName, cn, count
| search cn="Domain Admins" OR cn="Administrators" OR cn="Print Operators"

Hi,I'm sorry if the object class name is different

0 Karma
Reply

lbnsam
New Member
‎11-18-2019 05:54 AM

Thanks for the response, that certainly seems better than what I was doing.

However, I need to compare the cn with approximately 200 group names. Would the best way be to check using a lookup table? If so, I'm not sure where to import it in the query.

Basically, it would need to replace the last line:

| search cn="Domain Admins" OR cn="Administrators" OR cn="Print Operators"

0 Karma
Reply

to4kawa
Ultra Champion
‎11-18-2019 08:53 AM 
source="wineventlog:security"  EventCode=4625 AND dest_nt_domain="Domain_Name"
| stats count by user
| ldapsearch domain=Domain_Name search="(&(sAMAccountName=$user$)(|(cn="Domain Admins")(cn="Administrators")(cn="Print Operators"))) attrs="sAMAccountName, cn"
| table sAMAccountName, cn, count

I have never tried it, so I am not confident.
If it's not good, try to remove the quot;

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...