1. Example search for collecting identity data from Active Directory:

    |ldapsearch domain=<domain_name> search="(&(objectclass=user)(!(objectClass=computer)))" attrs="userAccountControl,sAMAccountName,personalTitle,displayName,givenName,sn,mail,telephoneNumber,mobile,manager,department,whenCreated,accountExpires"
    |makemv userAccountControl
    |search userAccountControl="NORMAL_ACCOUNT"
    |eval suffix=""
    |eval priority="medium"
    |eval category="normal"
    |eval watchlist="false"
    |eval endDate=""
    |table sAMAccountName,personalTitle,displayName,givenName,sn,suffix,mail,telephoneNumber,mobile,manager,priority,department,category,watchlist,whenCreated,endDate
    |rename sAMAccountName as identity, personalTitle as prefix, displayName as nick, givenName as first, sn as last, mail as email, telephoneNumber as phone, mobile as phone2, manager as managedBy, department as bunit, whenCreated as startDate
    |collect index=<index-name>

   This example search assigns static values for suffix, endDate, category, watchlist, and priority. Use it as a guide to construct and test a working search, then replace the static values with information from your AD environment.

2. Example search for collecting asset data from Active Directory:

    |ldapsearch domain=<domain_name> search="(&(objectClass=computer))"
    |eval city=""
    |eval country=""
    |eval priority="medium"
    |eval category="normal"
    |eval dns=dNSHostName
    |eval owner=managedBy
    |rex field=sAMAccountName mode=sed "s/\$//g"
    |eval nt_host=sAMAccountName
    |makemv delim="," dn
    |rex field=dn "(OU|CN)\=(?<bunit>.+)"
    |table ip,mac,nt_host,dns,owner,priority,lat,long,city,country,bunit,category,pci_domain,is_expected,should_timesync,should_update,requires_av
    |collect index=<index-name>

3. On the HF, make sure outputs.conf forwards the data to Splunk Cloud.

4. On the SH, run a scheduled search to create the lookups.
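Added example (Python, written for this page; it is not code from the post above, from Splunk, or from the SA-ldapsearch app). It reproduces offline what searches 1 and 2 do to raw AD objects: decode userAccountControl, keep only NORMAL_ACCOUNT users, apply the rename and static-value steps to produce identity lookup rows, and build asset rows with the trailing "$" stripped from the computer's sAMAccountName. It goes one step beyond search 1: by default it also drops accounts whose ACCOUNTDISABLE bit is set, which the search's filter on NORMAL_ACCOUNT alone lets through. Assumptions: the sample AD objects are constructed; userAccountControl may arrive as the raw LDAP integer or as the decoded flag-name text that the makemv step splits; the bit values in UAC_FLAGS are the documented AD ones; and "bunit" for assets is taken as the nearest OU in the DN, which is one reading of the rex in search 2, not something the post states.

```python
import csv
import io
import re

# userAccountControl bit flags (subset; the values are the documented AD ones)
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}

# AD attribute -> identity lookup field, mirroring the rename step in search 1
IDENTITY_RENAME = {
    "sAMAccountName": "identity", "personalTitle": "prefix", "displayName": "nick",
    "givenName": "first", "sn": "last", "mail": "email", "telephoneNumber": "phone",
    "mobile": "phone2", "manager": "managedBy", "department": "bunit",
    "whenCreated": "startDate",
}
IDENTITY_STATIC = {"suffix": "", "priority": "medium", "category": "normal",
                   "watchlist": "false", "endDate": ""}
IDENTITY_COLUMNS = ["identity", "prefix", "nick", "first", "last", "suffix", "email",
                    "phone", "phone2", "managedBy", "priority", "bunit", "category",
                    "watchlist", "startDate", "endDate"]
ASSET_COLUMNS = ["ip", "mac", "nt_host", "dns", "owner", "priority", "lat", "long",
                 "city", "country", "bunit", "category", "pci_domain", "is_expected",
                 "should_timesync", "should_update", "requires_av"]


def decode_uac(value):
    """Names of the flags set in userAccountControl. Accepts the raw LDAP
    integer or the decoded, whitespace/comma-separated flag text that the
    makemv step in search 1 splits into a multivalue field (assumption)."""
    if isinstance(value, int):
        return {name for bit, name in UAC_FLAGS.items() if value & bit}
    return set(re.split(r"[\s,]+", str(value).strip()))


def identity_row(obj, include_disabled=False):
    """One identity lookup row for a user object, or None if it is filtered.
    Search 1 keeps every object carrying NORMAL_ACCOUNT; by default this
    additionally drops objects whose ACCOUNTDISABLE bit is set."""
    flags = decode_uac(obj.get("userAccountControl", 0))
    if "NORMAL_ACCOUNT" not in flags:
        return None
    if "ACCOUNTDISABLE" in flags and not include_disabled:
        return None
    renamed = {new: obj.get(old, "") for old, new in IDENTITY_RENAME.items()}
    renamed.update(IDENTITY_STATIC)
    return {col: renamed.get(col, "") for col in IDENTITY_COLUMNS}


def asset_row(obj):
    """One asset lookup row for a computer object, mirroring search 2."""
    ous = [part.split("=", 1)[1] for part in obj.get("dn", "").split(",")
           if part.strip().upper().startswith("OU=")]
    row = {col: "" for col in ASSET_COLUMNS}
    row.update({
        "nt_host": obj.get("sAMAccountName", "").replace("$", ""),  # sed s/\$//g
        "dns": obj.get("dNSHostName", ""),
        "owner": obj.get("managedBy", ""),
        "priority": "medium", "category": "normal",
        "bunit": ous[0] if ous else "",  # nearest OU in the DN (assumption)
    })
    return row


def to_csv(rows, columns):
    """Render rows as the CSV text a lookup file would hold."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample AD objects (not real directory data)
SAMPLE_USERS = [
    {"sAMAccountName": "jdoe", "userAccountControl": 0x10200, "displayName": "Jane Doe",
     "givenName": "Jane", "sn": "Doe", "mail": "jdoe@example.com", "department": "Finance",
     "manager": "CN=Bob Boss,OU=Finance,DC=example,DC=com", "whenCreated": "20210304100000.0Z"},
    {"sAMAccountName": "oldguy", "userAccountControl": 0x0202, "sn": "Old"},  # disabled
    {"sAMAccountName": "svc_backup", "userAccountControl": "NORMAL_ACCOUNT\nDONT_EXPIRE_PASSWORD"},
]
SAMPLE_COMPUTERS = [
    {"sAMAccountName": "HOST1$", "dNSHostName": "host1.example.com", "userAccountControl": 0x1000,
     "dn": "CN=HOST1,OU=Workstations,OU=Corp,DC=example,DC=com",
     "managedBy": "CN=Jane Doe,OU=Finance,DC=example,DC=com"},
]


def build_lookups(users=SAMPLE_USERS, computers=SAMPLE_COMPUTERS):
    """Return (identity_rows, asset_rows) for the given objects."""
    identities = [r for r in (identity_row(u) for u in users) if r is not None]
    assets = [asset_row(c) for c in computers]
    return identities, assets


if __name__ == "__main__":
    ids, assets = build_lookups()
    print(to_csv(ids, IDENTITY_COLUMNS))
    print(to_csv(assets, ASSET_COLUMNS))
```

Running it prints the two CSV lookups. The "oldguy" account is dropped because it is disabled, while the search in step 1 would keep it; if you want the search to behave the same way, that is the filter to add after the makemv step.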