How to add a custom attribute to the users lookup ...

lzaexpert · ‎05-23-2018

Hi there!

I was wondering how to add a custom attribute to the users lookup creation and update processes. Lets say that I have a myCustomAttribute for Users Objects that I would like to have within the 'AD Users LDAP list.csv' file.
I spent some hours trying to reverse all the macros involved but in the end I prefer asking 😉

Many Thanks

jcooperFossil · ‎11-11-2024

Coming in years after this question was asked, because I've been trying to do the same and I finally figured it out today!

The TA is currently on version 4.1.1

To get additional fields to appear in AD_Obj_User you need to do the following:
Edit the macro `ms_obj_admon_base_out_user` and include the fields you want in the SPL for "fields" and "table"
Do the same for the macro `ms_obj_user_base_migrate` just in case.

The part I was missing for years up until now was you have to edit the KV Store to specify what fields are allowed to be stored.
Edit the Lookup (KV Store) AD_Obj_User (Collection name is AD_Obj_User_LDAP_list_kv) and add the desired fields.

Rebuild your lookup and you're good to go!

salbro · ‎07-12-2019

Looking to also do this. Did you ever get the custom attribute added?

How to add a custom attribute to the users lookup in MS Windows AD Objects?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?