AD does have a "magic string" (1.2.840.113556.1.4.1941) you can add to get this. Using your example, the SPL would look like so:
index="my_index"
[| ldapsearch domain="mydomain" search="(&(objectCategory=Person)(sAMAccountName=*)(memberOf:1.2.840.113556.1.4.1941:=cn=MY Group Name,ou=delegated,ou=groups,dc=amr,dc=corp,dc=mydomain,dc=com))" attrs="sAMAccountName"
| table sAMAccountName
| rename sAMAccountName as User]
...rest of search
This also works in reverse. Say you want to get all groups, including the nested groups, for a user, like so:
| ldapsearch search="(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=cn=username,dc=amr,dc=corp,dc=mydomain,dc=com))" attrs="cn"
That will give you all groups a user belongs to, but it is a bit tougher to single out just the nested groups:
| ldapsearch search="(&(objectClass=user)(!(objectClass=computer))(cn=username))" attrs="cn,memberOf"
| append
[| ldapsearch search="(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=cn=username,dc=amr,dc=corp,dc=mydomain,dc=com))" attrs="cn"
| rename dn AS memberOfNested
| table memberOfNested
| eval cn = "username"
]
| filldown memberOf
| eval nested = if(match(memberOf,memberOfNested),null(),memberOfNested)
| fields - memberOfNested
| stats values(*) AS * BY cn
The AD documentation can be seen here: https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx
Pay careful attention to Note 10:
The string 1.2.840.113556.1.4.1941 specifies LDAP_MATCHING_RULE_IN_CHAIN. This applies only to DN attributes. This is an extended match operator that walks the chain of ancestry in objects all the way to the root until it finds a match. This reveals group nesting. It is available only on domain controllers with Windows Server 2003 SP2 or Windows Server 2008 (or above).
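An added example, not part of the original answer: a Python sketch that builds the two in-chain filters shown above with RFC 4515 escaping of the DN (so a group name containing parentheses or an asterisk cannot change the filter), and models the chain walk to separate direct from nested-only groups. This goes slightly beyond the post by adding the escaping step. The helper names and the dc=example,dc=com directory data are constructed for illustration.

```python
# Added example: helper names and directory data are constructed for illustration.
IN_CHAIN = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN, from the post

def escape_filter_value(value):
    """Escape RFC 4515 special characters so a DN cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def members_of_group_filter(group_dn):
    """Filter for all users in a group, including via nested groups."""
    return ("(&(objectCategory=Person)(sAMAccountName=*)(memberOf:%s:=%s))"
            % (IN_CHAIN, escape_filter_value(group_dn)))

def groups_of_user_filter(user_dn):
    """Filter for all groups a user belongs to, directly or through nesting."""
    return ("(&(objectClass=group)(member:%s:=%s))"
            % (IN_CHAIN, escape_filter_value(user_dn)))

def split_memberships(dn, member_of):
    """Return (direct, nested_only) groups; mirrors memberOf vs. the in-chain result.

    member_of maps a DN to the set of groups it is a direct member of.
    The seen set stops the walk on circular nesting, which AD permits.
    """
    direct = set(member_of.get(dn, ()))
    seen, stack = set(), list(direct)
    while stack:
        group = stack.pop()
        if group not in seen:
            seen.add(group)
            stack.extend(member_of.get(group, ()))
    return direct, seen - direct

# Constructed sample directory (not from the post); note the Helpdesk cycle.
BASE = "dc=example,dc=com"
MEMBER_OF = {
    "cn=jdoe," + BASE: {"cn=Helpdesk," + BASE},
    "cn=Helpdesk," + BASE: {"cn=Server Admins," + BASE},
    "cn=Server Admins," + BASE: {"cn=Tier0 (legacy)," + BASE, "cn=Helpdesk," + BASE},
}

if __name__ == "__main__":
    direct, nested = split_memberships("cn=jdoe," + BASE, MEMBER_OF)
    print("direct:", sorted(direct))
    print("nested only:", sorted(nested))
    print(members_of_group_filter("cn=Tier0 (legacy)," + BASE))
```

The nested-only set is what the final SPL search above tries to isolate: groups reachable only through another group, which is where unexpected effective privilege tends to hide.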