Hello there,
There are a couple of queries that I use to search for authentication failures on members of high-privileged groups. After testing, I noticed that the query is hit-and-miss. Specifically, if I reduce the number of groups in the search, it is more accurate. The structure of the query is as follows:
source="wineventlog:security" EventCode=4625 AND (dest_nt_domain="Domain_Name") [| ldapsearch domain=Domain_Name search="(objectClass=group)"
| search cn="Domain Admins" OR cn="Administrators" OR cn="Print Operators"
| ldapgroup
| rename member_name AS Account_Name | table Account_Name | format ]
| stats count by user
Note: The number of groups is around 200 or so.
My approach has been to place all of the groups in a csv file to be used as a LUT. However, I am having trouble combining the inputlookup command and the ldapsearch command. They are both required to be the first command in a search.
Any ideas are appreciated.
source="wineventlog:security" EventCode=4625 AND dest_nt_domain="Domain_Name"
| stats count by user
| ldapfilter domain=Domain_Name search="(sAMAccountName=$user$)" attrs="sAMAccountName, cn"
| table sAMAccountName, cn, count
| search cn="Domain Admins" OR cn="Administrators" OR cn="Print Operators"
Hi, I'm sorry if the object class name is different.
Thanks for the response, that certainly seems better than what I was doing.
However, I need to compare the cn with approximately 200 group names. Would the best way be to check using a lookup table? If so, I'm not sure where to import it in the query.
Basically, it would need to replace the last line:
| search cn="Domain Admins" OR cn="Administrators" OR cn="Print Operators"
source="wineventlog:security" EventCode=4625 AND dest_nt_domain="Domain_Name"
| stats count by user
| ldapfilter domain=Domain_Name search="(&(sAMAccountName=$user$)(|(cn=Domain Admins)(cn=Administrators)(cn=Print Operators)))" attrs="sAMAccountName, cn"
| table sAMAccountName, cn, count
I have never tried it, so I am not confident.
If it's not good, try to remove the double quotes.
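As an added example (not code posted in this thread), one way to compare against the roughly 200 groups with a CSV lookup instead of a long OR list: count the 4625 failures per user first, pull each user's memberOf DNs with ldapfilter, extract the group CN from each DN, and keep only rows whose CN appears in the lookup. It assumes SA-ldapsearch is installed, a lookup file named privileged_groups.csv with a single column group_cn has been uploaded, and the memberOf attribute is readable by the bind account; the file and field names are assumptions.

```spl
source="wineventlog:security" EventCode=4625 dest_nt_domain="Domain_Name"
| stats count AS failures by user
| ldapfilter domain=Domain_Name search="(sAMAccountName=$user$)" attrs="memberOf"
| mvexpand memberOf
| rex field=memberOf "^CN=(?<group_cn>[^,]+)"
| lookup privileged_groups.csv group_cn OUTPUT group_cn AS privileged_match
| where isnotnull(privileged_match)
| stats values(group_cn) AS privileged_groups max(failures) AS failures by user
| sort - failures
```

memberOf only lists direct memberships, so a user who reaches a privileged group through a nested group is not flagged here; resolving nesting needs ldapgroup or a recursive filter. CSV lookups match case-sensitively by default, so the CNs in the file must match the directory's spelling exactly.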