Labeling based on AD OU

pacificcreek
Engager

Very new to Splunk and looking for a way to label users who come back in a Splunk search based on where they sit in an AD Domain. Our AD is shared between several business units, and escalating issues would be much easier if we could identify those users with an ID for each business unit. I am able to pull the users from queries but am not sure where to start with a query based on OU properties. Any Splunkers out there that can give me a hand?


Richfez
SplunkTrust

Hi, pacificcreek!

There are a couple of options here. I'll provide two of them.

For my own use, we use the various portions in the dn (e.g. the "OU structure") as categories for our computer accounts. The way our AD is laid out this makes sense - workstations, desktops, servers - and it usually has the gross physical location (e.g. city) in it. I've tried to trim unnecessary stuff from the below to make it as succinct an example as possible.

| ldapsearch domain=MyDomain search="(&(objectClass=computer))" attrs="cn,description,distinguishedName,dnsHostName,managedBy,operatingSystem,operatingSystemVersion,sAMAccountName,whenCreated" 
| eval dns=dnsHostName 
| rex field=managedBy "^CN\=(?<managedBy>[^,]+)" 
| eval owner= coalesce(managedBy,description, "Unknown") 
| rex field=sAMAccountName mode=sed "s/\$//g" 
| eval nt_host=sAMAccountName 
| makemv delim="," dn 
| rex field=dn "(OU|CN)\=(?<category>.+)" 
| eval category=mvjoin(lower('category'), "|") 
| eval deviceos = operatingSystem . " " . operatingSystemVersion 
| table *

The first couple of lines do the ldapsearch (attrs is very important for efficiency, but you can leave that off in testing if you want to see all fields - just know your search will take 10x as long!).

There then follows a group of evals and rexes to clean up some fields.

The important bit for this is around line 7 - makemv on the dn, splitting on commas. On the next line we trim out "OU=" or "CN=" from the results, then finally in line 9 join them back together as pipe delimited. As an example, one such returned category is LaptopName|crandon|laptops|MyCompany. Splunk can search on those fine, but your needs for that may differ, so adjustments may be required. (See below.)

Another eval to create a deviceos out of the two other fields, then just pipe it all to a table for your viewing pleasure.

You could just as easily end it with ... | outputlookup mycompany_asset.csv, which is what I do (and which I then use as a lookup in lots of places).

An Adjustment:
You could keep the categories not pipe delimited by just removing the line | eval category=mvjoin(lower('category'), "|"), in which case instead of LaptopName|crandon|laptops|MyCompany it would be a list:

LaptopName
crandon
laptops
MyCompany

Like that.

I know that's computers, but I think this is the technique you may end up with - modifying it to do "users" should be trivial.

In fact, here's a sample of something to do with users. If you want to keep a little more control and have the OU structure indicate but not dictate the exact contents of some variable, you can use a case statement and build your own matching what you want.

| ldapsearch search="(&(objectClass=user)(!(objectClass=computer)))" attrs="distinguishedName,userAccountControl,sAMAccountName,personalTitle,displayName,givenName,sn,mail,telephoneNumber,mobile,manager,department,whenCreated,accountExpires"
| search userAccountControl="NORMAL_ACCOUNT"
| dedup sAMAccountName
| eval suffix=""
| eval priority=case(
    like(distinguishedName,"%OU=Expired,DC=MyDomain,DC=local"), "critical",
    like(distinguishedName,"%OU=Vendors,OU=MyDomain,DC=MyDomain,DC=local"), "critical",
    like(distinguishedName,"%OU=Support,DC=MyDomain,DC=local"), "high",
    like(distinguishedName,"%OU=SYSTEMS,DC=MyDomain,DC=local"), "medium",
    like(distinguishedName,"%OU=Users,OU=MyDomain,DC=MyDomain,DC=local"), "low",
    1==1, "medium")
| eval category=case(
    like(distinguishedName,"%OU=Expired,DC=MyDomain,DC=local"), "expired",
    like(distinguishedName,"%OU=Vendors,OU=MyDomain,DC=MyDomain,DC=local"), "vendors",
    like(distinguishedName,"%OU=Vendors,OU=LEGAL,DC=MyDomain,DC=local"), "vendors",
    1==1, "normal")
| eval watchlist="false"
| eval endDate=if(accountExpires="(never)","",accountExpires)
| rex field=manager "CN=(?<managedBy>[^,]*)"
| table sAMAccountName, personalTitle, displayName, givenName, sn, suffix, mail, telephoneNumber, mobile,
  managedBy, priority, department, category, watchlist, whenCreated, endDate

That builds two fields - priority, which is one of critical, high, medium or low based on the OU they live in, and category, which is one of expired, vendor or normal. Turns out, in the latter, I think I could simplify the two "vendors" lines into just one: like(distinguishedName,"%Vendors%"), "vendors", but that's just a tweak.

I hope these two give you some ideas on ways to accomplish what you need.

(As a note, both of those searches are simplifications of the ones we use to build lookups which we use for Splunk Enterprise Security.)

Happy Splunking!
-Rich

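Both searches above label an account by splitting its DN on commas and matching OU suffixes. As an added Python example (not from the post and not Splunk code), here is the same labelling logic with one caveat the SPL makemv delim="," misses: DN values can contain escaped commas (RFC 4514, e.g. "CN=Smith\, John"), so the splitter honours the backslash escape. The OU names and sample DNs are constructed from the thread's MyDomain placeholders.

```python
import re

# Constructed sample DNs; the OU names mirror the ones used in the thread.
SAMPLE_DNS = [
    "CN=LaptopName,OU=crandon,OU=laptops,OU=MyCompany,DC=MyDomain,DC=local",
    "CN=Smith\\, John,OU=Vendors,OU=MyDomain,DC=MyDomain,DC=local",
    "CN=bob,OU=Users,OU=MyDomain,DC=MyDomain,DC=local",
]

def split_dn(dn):
    """Split on unescaped commas only; RFC 4514 escapes separators as '\\,'."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur).strip())
    return parts

def dn_categories(dn):
    """Like the makemv/rex/mvjoin chain: OU and CN values, lower-cased, '|'-joined."""
    cats = [m.group(2).lower() for rdn in split_dn(dn)
            if (m := re.match(r"(?i)^(OU|CN)=(.+)$", rdn))]
    return "|".join(cats)

# Ordered suffix rules, most specific first, as in the answer's case() statement.
PRIORITY_RULES = [
    ("OU=Expired,DC=MyDomain,DC=local", "critical"),
    ("OU=Vendors,OU=MyDomain,DC=MyDomain,DC=local", "critical"),
    ("OU=Support,DC=MyDomain,DC=local", "high"),
    ("OU=SYSTEMS,DC=MyDomain,DC=local", "medium"),
    ("OU=Users,OU=MyDomain,DC=MyDomain,DC=local", "low"),
]

def dn_priority(dn, rules=PRIORITY_RULES, default="medium"):
    """First matching suffix wins; DNs compare case-insensitively in AD."""
    lowered = dn.lower()
    for suffix, prio in rules:
        if lowered.endswith(suffix.lower()):
            return prio
    return default

def label_all(dns=SAMPLE_DNS):
    return [(dn_categories(dn), dn_priority(dn)) for dn in dns]
```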