
using inputlookup or ldapsearch to filter results with App for Windows Infrastructure

DeanDeleon0
Path Finder

Hello!

I am fairly new at using Splunk. I am trying to create a search that will let me monitor msad-successful-user-logons for admin/service accounts. I'm using the query from the "Administrator Logons" panel on the "Administrator Audit" dashboard from the App: Splunk App for Windows Infrastructure as a reference. As this doesn't seem to list AD accounts with admin privileges (it seems to log all logons from any user), I want to use our specific Admin/service account OUs instead of specifying specific users.

So poking around I've found two ways to search for those OUs:

using inputlookup (DistinguishedName is a full DN, so the OU names need wildcards around them to match):

| inputlookup ad-user-lookup where (DistinguishedName="*_Service Accounts*" OR DistinguishedName="*_Admin Accounts*")

using ldapsearch (haven't figured out how to combine the two into one search as with inputlookup):

| ldapsearch domain=my.domain basedn="OU=_Admin Accounts,DC=domain,DC=ca" scope="sub" search="(objectClass=user)"
| ldapsearch domain=my.domain basedn="OU=_Service Accounts,DC=domain,DC=ca" scope="sub" search="(objectClass=user)"

I'm trying to combine it with the following search, but without having to specify user="Admin*" or other user names instead:

eventtype=msad-successful-user-logons dest_nt_domain="" (user="Admin" OR user="admin*")
| rename src as src_ip
| `ip-to-host`
| `fix-localhost`
| lookup SiteInfo host
| dedup consecutive=t Site, src_host, src_ip
| eval Account_Name=mvindex(Account_Name, -1)
| table _time, Account_Name, src_host, src_ip
| rename src_host as Workstation, src_ip as "IP Address", Account_Name as "AD Account"

I've seen examples similar to this, where the inputlookup is enclosed in square brackets in the search, so I've tried the following:

eventtype=msad-successful-user-logons [| inputlookup ad-user-lookup where (DistinguishedName="*_Service Accounts*" OR DistinguishedName="*_Admin Accounts*")]
| rename src as src_ip
| `ip-to-host`
| `fix-localhost`
| lookup SiteInfo host
| dedup consecutive=t Site, src_host, src_ip
| eval Account_Name=mvindex(Account_Name, -1)
| table _time, Account_Name, src_host, src_ip
| rename src_host as Workstation, src_ip as "IP Address", Account_Name as "AD Account"

but my searches yield no results. Any help would be appreciated.

0 Karma
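The subsearch in the question returns DistinguishedName values, and no logon event carries a DistinguishedName field, so the filter that Splunk generates from it matches nothing. The search below is an example added here, not code from the thread or from the Splunk App for Windows Infrastructure. It makes the subsearch return the SamAccountName column from ad-user-lookup, renamed to the event field `user` that the original query already filters on, so that `format` turns the rows into a `(user="a" OR user="b" ...)` clause. It assumes the lookup has the SamAccountName and DistinguishedName columns used in the thread, that the OUs appear as direct `OU=` components in the DN, and that `user` holds the account name in these events.

```spl
eventtype=msad-successful-user-logons
    [| inputlookup ad-user-lookup
         where (DistinguishedName="*,OU=_Admin Accounts,*" OR DistinguishedName="*,OU=_Service Accounts,*")
     | fields SamAccountName
     | rename SamAccountName as user
     | format ]
| rename src as src_ip
| `ip-to-host`
| `fix-localhost`
| lookup SiteInfo host
| dedup consecutive=t Site, src_host, src_ip
| eval Account_Name=mvindex(Account_Name, -1)
| table _time, Account_Name, src_host, src_ip
| rename src_host as Workstation, src_ip as "IP Address", Account_Name as "AD Account"
```

Because the filter is applied at the base search, only admin and service account logons go through the DNS and site lookups, which keeps the search fast. The trade-off is the subsearch result limit (10,000 rows and 60 seconds by default); if the two OUs hold more accounts than that, the `lookup`-then-filter approach from the accepted solution is the better fit.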
1 Solution

DeanDeleon0
Path Finder

Looks like I managed to figure out the way to go about this and get the intended results. However it appears to be taking quite a long time to search.

Updated:

eventtype=msad-successful-user-logons
| rename src as src_ip
| `ip-to-host`
| `fix-localhost`
| lookup SiteInfo host
| dedup consecutive=t Site, src_host, src_ip
| eval Account_Name=mvindex(Account_Name, -1)
| table _time, Account_Name, src_host, src_ip
| rename src_host as Workstation, src_ip as "IP Address", Account_Name as "AD Account", DistinguishedName as Groups
| lookup ad-user-lookup SamAccountName as "AD Account" OUTPUT DistinguishedName
| regex DistinguishedName="_Admin Accounts"


0 Karma
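`regex DistinguishedName="_Admin Accounts"` matches that text anywhere in the DN, so an account whose CN contains it, or one sitting in a differently named OU such as "_Admin Accounts Archive", would also pass. The search below is an example added here, not the thread's or the app's own code. It anchors the test on the `,OU=...,` component of the DN, runs the lookup and the OU filter before the DNS and site lookups so those only run for the accounts of interest, and pulls the account's immediate OU into the table. It assumes the same ad-user-lookup columns as the thread and DNs of the form `CN=<name>,OU=<ou>,...`; a CN containing an escaped comma would leave the extracted OU field empty.

```spl
eventtype=msad-successful-user-logons
| eval Account_Name=mvindex(Account_Name, -1)
| lookup ad-user-lookup SamAccountName as Account_Name OUTPUT DistinguishedName
| where match(DistinguishedName, "(?i),OU=_(Admin|Service) Accounts,")
| rex field=DistinguishedName "^CN=[^,]+,OU=(?<OU>[^,]+),"
| rename src as src_ip
| `ip-to-host`
| `fix-localhost`
| lookup SiteInfo host
| dedup consecutive=t Site, src_host, src_ip
| table _time, Account_Name, OU, src_host, src_ip
| rename src_host as Workstation, src_ip as "IP Address", Account_Name as "AD Account"
```

Accounts with no row in the lookup get no DistinguishedName and are dropped by the `where`; if unmatched logons should be reviewed rather than discarded, add `OR isnull(DistinguishedName)` to the condition and inspect them separately.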

DeanDeleon0
Path Finder

Eventually figured out the answer.

0 Karma

aaraneta_splunk
Splunk Employee

@DeanDeleon0 - Was one of your comments you left above the answer to your question? If yes, which one? I can convert it to a comment and accept it for you. If not, can you please provide the solution? Thank you.

0 Karma

DeanDeleon0
Path Finder

The last comment, prior to this one.

0 Karma

DeanDeleon0
Path Finder

OK, so I've apparently been using the incorrect lookup and needed to use just |lookup. This is now yielding results... but how can I now filter so it only shows me users from the OUs I want from inside the DistinguishedName field?

query:

eventtype=msad-successful-user-logons
| rename src as src_ip
| `ip-to-host`
| `fix-localhost`
| lookup SiteInfo host
| dedup consecutive=t Site, src_host, src_ip
| eval Account_Name=mvindex(Account_Name, -1)
| table _time, Account_Name, src_host, src_ip, CN
| rename src_host as Workstation, src_ip as "IP Address", Account_Name as "AD Account", DistinguishedName as Groups
| lookup ad-user-lookup SamAccountName as "AD Account" OUTPUT DistinguishedName

0 Karma