Splunk Search

Querying auth failures using ldapsearch and inputlookup

lbnsam
New Member

Hello there,

There are a couple of queries that I use to search for authentication failures on members of high-privileged groups. After testing, I noticed that the query is hit-and-miss. Specifically, if I reduce the number of groups in the search, it is more accurate. The structure of the query is as follows:

source="wineventlog:security"  EventCode=4625 AND (dest_nt_domain="Domain_Name") [| ldapsearch domain=Domain_Name search="(objectClass=group)"
| search cn="Domain Admins" OR cn="Administrators" OR cn="Print Operators" 
| ldapgroup
| rename member_name AS Account_Name | table Account_Name | format ]
| stats count by user

Note: The number of groups is around 200 or so.

My approach has been to place all of the groups in a csv file to be used as a LUT. However, I am having trouble combining the inputlookup command and the ldapsearch command. They are both required to be the first command in a search.

Any ideas are appreciated.

0 Karma

to4kawa
Ultra Champion
 source="wineventlog:security"  EventCode=4625 AND dest_nt_domain="Domain_Name"
| stats count by user
| ldapsearch domain=Domain_Name search="(sAMAccountName=$user$)" attrs="sAMAccountName, cn"
| table sAMAccountName, cn, count
| search cn="Domain Admins" OR cn="Administrators" OR cn="Print Operators" 

Hi,I'm sorry if the object class name is different

0 Karma

lbnsam
New Member

Thanks for the response, that certainly seems better than what I was doing.

However, I need to compare the cn with approximately 200 group names. Would the best way be to check using a lookup table? If so, I'm not sure where to import it in the query.

Basically, it would need to replace the last line:

| search cn="Domain Admins" OR cn="Administrators" OR cn="Print Operators"

0 Karma

to4kawa
Ultra Champion
source="wineventlog:security"  EventCode=4625 AND dest_nt_domain="Domain_Name"
| stats count by user
| ldapsearch domain=Domain_Name search="(&(sAMAccountName=$user$)(|(cn="Domain Admins")(cn="Administrators")(cn="Print Operators"))) attrs="sAMAccountName, cn"
| table sAMAccountName, cn, count

I have never tried it, so I am not confident.
If it's not good, try to remove the quot;

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...