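| ldapsearch domain="default" search="(&(samAccountType=000000000) (|(sAMAccountName=*)))" attrs="sAMAccountName, distinguishedName, userAccountControl, whenCreated, personalTitle, displayName, givenName, sn, mail, telephoneNumber, mobile, manager, department, co, l, st, accountExpires, memberOf"
```Builds Splunk ES identity-lookup rows from AD user objects. NOTE(review): the samAccountType value in the filter looks like a placeholder - confirm it selects the intended object class. userAccountControl is fetched but never used below.```
```memberOf holds direct group membership only; nested membership and the primary group do not appear here - confirm that is acceptable for the admin-group check further down.```
| rex field=memberOf "CN=(?<memberOf_parsed>[^,]+)"
| eval memberOf=lower(replace(mvjoin(memberOf_parsed, "|"), " ", "_"))
```Up to five OU components of the DN (leaf-most first) are joined into the category string.```
| rex max_match=5 field=distinguishedName "OU=(?<dn_parsed>[^,]+)"
| eval category=lower(replace(mvjoin(dn_parsed, "|"), " ", "_"))
```coalesce() keeps each match() operand a real string when a user has no OU or no group membership, so the boolean in case() is well-defined instead of null. match() is an unanchored regex: "administrators" also hits any group name that merely contains that word - anchor it if that over-classifies.```
| eval priority=case(
    match(coalesce(category, ""), "domain_admin|disabled|hold|executive") OR match(coalesce(memberOf, ""), "domain_admins|enterprise_admins|schema_admins|administrators"), "critical",
    match(coalesce(category, ""), "contractor|service_account|external"), "high",
    match(coalesce(category, ""), "employees|training|user_accounts|users|administration"), "medium",
    1==1, "unknown")
| eval watchlist=case(match(coalesce(category, ""), "disabled|hold"), "true", 1==1, "false")
```Date parsing assumes whenCreated arrives as raw generalizedTime (YYYYMMDDHHMM...) and accountExpires as ISO 8601 - TODO confirm against actual ldapsearch output; a strptime that does not match leaves the field empty.```
| eval startDate=strftime(strptime(whenCreated,"%Y%m%d%H%M"), "%m/%d/%Y %H:%M")
| eval endDate=strftime(strptime(accountExpires,"%Y-%m-%dT%H:%M:%S%Z"), "%m/%d/%Y %H:%M")
| eval work_city=mvjoin(mvappend(l, st), ", ")
```manager is carried over as the raw DN - presumably managedBy should reference an identity; verify against the lookup consumer.```
| rename sAMAccountName AS identity, personalTitle AS prefix, displayName AS nick, givenName AS first, sn AS last, mail AS email, telephoneNumber AS phone, mobile AS phone2, manager AS managedBy, department AS bunit, co AS work_country
| fillnull value="unknown" category, priority, bunit
```The identity lookup expects every column in its header; fields that are never set on any row are not emitted by a later table command, so create them as empty strings here.```
| eval suffix="", work_lat="", work_long=""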
| table identity,prefix,nick,first,last,suffix,email,phone,phone2,managedBy,priority,bunit,category,watchlist,startDate,endDate,work_city,work_country,work_lat,work_long | outputcsv xyz.csv This is the search that is being used to generate a CSV file, and yes, it's the same add-on as you mentioned. I believe you're right that they're writing to a directory (on the same host as the HF) and ingesting it using an inputs.conf file, because in Splunk Cloud we cannot monitor directories directly from the cloud instance. Correct me if I'm wrong? Thanks.