Splunk Search

How to generate a list of users and Active Directory groups?

mlevsh
Builder

Can someone advice on the Splunk search to generate the list of users and associated Active Directory (AD) groups? We are using SAML authentication based on AD groups.

Thank you!

0 Karma

brreeves_splunk
Splunk Employee
Splunk Employee

Do you want this to be based on the SAML response? or their full list of AD Groups in Active Directory?

0 Karma

woodcock
Esteemed Legend

You need this app to mine assets from AD

https://splunkbase.splunk.com/app/3059/

adonio
Ultra Champion

maybe something like this for starters:

 index=<yourIndex> sourcetype=<youtSourcetype> CN=Schema objectCategory=* 
    | dedup distinguishedName 
    | stats list(cn) by DC OU 

start with verbose search so you can see all the fields you would like to report on
also, it is not clear from the question if you are looking for users who use splunk or to all users in your company connected to AD?
I would assume you are looking for users who are in splunk since you mentioned SAML. If that is the case, probably use @cusello answer above and join results from ad search (here) by the field user
hope it helps

0 Karma

jpolcari
Communicator

I've had pretty good luck using this Splunk app: https://splunkbase.splunk.com/app/3177/

Allows you to build lookup tables for users, groups, OUs, etc.

gcusello
SplunkTrust
SplunkTrust

Hi mlevsh
try something like this:

| rest /services/authentication/users

Bye.
Giuseppe

mlevsh
Builder

@cusello Hi Giuseppe, this endpoint shows type of authentication, not the actual AD group

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...