Publisher: Splunk
Connector Version: 2.3.2
Product Vendor: Splunk
Product Name: Active Directory LDAP
Product Version Supported (regex): ".*"
Minimum Product Version: 6.3.0
App specifically designed for interacting with Microsoft Active Directory's LDAP Implementation
- This LDAP application utilizes the LDAP3 library for Python. This was chosen, in part, due to the pythonic design of the library and the quality of the documentation. Both SSL and TLS are supported.
- Please make sure to view additional documentation for this app on our GitHub Open Source Repo!
LDAP Ports Requirements (Based on Standard Guidelines of IANA ORG )
- LDAP(service) TCP(transport protocol) - 389
- LDAP(service) UDP(transport protocol) - 389
- LDAP(service) TCP(transport protocol) over TLS/SSL (was sldap) - 636
- LDAP(service) UDP(transport protocol) over TLS/SSL (was sldap) - 636
The asset for this app requires an account with which to Bind and perform actions. If you are only ever going to perform information gathering tasks (e.g. getting account attributes) then a standard user account would be fine. However, if you plan on doing things like Unlocking, Resetting Passwords, Moving objects, etc. - then you will need an account with permissions to actually perform these actions. It is best practice to NOT use a "Domain Administrator" (or higher) account. Instead, delegate the appropriate least-privilege access to a service account with a very strong password. Lastly, it is strongly recommended to use SSL and disallow insecure (plain text and unsigned binds) if at all possible.
-
Need to install the certificate on the server
- Upload the SSL certificate on the server
- Go to /opt/phantom/bin and execute the import_cert.py script using command:
phenv python3 import_cert.py -i "path_of_certificate_on_server"
-
Go to etc/hosts using the root user. Assign the domain to IP to use the SSL certificate
Note: For reference: Splunk Docs
This action provides the user the ability to run generic queries with the LDAP syntax. The action takes a filter (in LDAP syntax), an optional search base to search within, and specific attributes that you would like to return.
-
Common AD LDAP Run Query Examples
-
Get Users belonging to a specific OU, Container, or Group
- filter = (samaccountname=*)
- attributes = samaccountname;mail
- search_base = distinguishedNameOfOU/Container/Group
-
List Group Names that a User belongs to
- filter = (&(member=distinguishedNameOfUserHERE)(objectClass=group))
- attributes = name
-
Return results if mail attribute is present OR sAMAccountName matches '*admin*'
- filter = (|(mail=*)(samaccountname=*admin*))
- attributes = samaccountname;mail;userprincipalname;distinguishedname
-
If you would like to learn more about LDAP Filter Syntax, check out this Microsoft Wiki
-
This table lists the configuration variables required to operate AD LDAP. These variables are specified when configuring a Active Directory LDAP asset in Splunk SOAR.
VARIABLE | REQUIRED | TYPE | DESCRIPTION |
---|---|---|---|
server | required | string | The Active Directory Server hostname, IP, or VIP for binding |
username | required | string | The username with which to bind to LDAP |
password | required | password | The password for the binding user |
force_ssl | optional | boolean | Force the use of SSL protocol. Note that some actions are not possible without secure binding! |
validate_ssl_cert | optional | boolean | Select if you want to validate the LDAP SSL certificate |
ssl_port | required | numeric | The port to bind for SSL (default 636) |
test connectivity - Validate the asset configuration for connectivity using supplied configuration
add group members - Adds one or more Active Directory objects to one or more groups
remove group members - Removes one or more Active Directory objects from one or more groups
unlock account - Unlocks a locked Active Directory account
disable account - Disables an Active Directory account
enable account - Enables a disabled Active Directory account
reset password - Resets the password of a user, requiring the user to change password at next login
set password - Set a user's password
move object - Moves an entry in Active Directory
run query - Query Active Directory LDAP
get attributes - Get attributes of various principals
set attribute - Add, delete, or replace an attribute of a user
rename object - Rename the object
Validate the asset configuration for connectivity using supplied configuration
Type: test
Read only: True
No parameters are required for this action
No Output
Adds one or more Active Directory objects to one or more groups
Type: generic
Read only: False
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
use_samaccountname | optional | Specify members AND groups as sAMAccountName(s) instead of distinguishedName(s) (note: member AND groups will use sAMAccountName if selected) | boolean | |
members | required | Semi-colon (';') separated list of users. If 'use samaccountname' is false, then these must be distinguishedName(s) | string | |
groups | required | Semi-colon (';') separated list of groups to which the members will be added. If 'use samaccountname' is false, then these must be distinguishedName(s) | string |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.groups | string | Domain Guests | |
action_result.parameter.members | string | svc-test | |
action_result.parameter.use_samaccountname | boolean | True False | |
action_result.data.*.function | string | added | |
action_result.data.*.group | string | cn=domain guests,cn=users,dc=test,dc=lab | |
action_result.data.*.member | string | cn=svc-test,ou=test,dc=test,dc=lab | |
action_result.summary | string | ||
action_result.summary.found_user_records | numeric | 1 | |
action_result.summary.requested_user_records | numeric | 1 | |
action_result.message | string | added member(s) to group(s) | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Removes one or more Active Directory objects from one or more groups
Type: generic
Read only: False
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
use_samaccountname | optional | Specify members AND groups as sAMAccountName(s) instead of distinguishedName(s) | boolean | |
members | required | Semi-colon (';') separated list of users. If 'use samaccountname' is false, then these must be distinguishedName(s) | string | |
groups | required | Semi-colon (';') separated list of groups from which the members will be removed. If 'use samaccountname' is false, then these must be distinguishedName(s) | string |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.groups | string | Domain Guests | |
action_result.parameter.members | string | svc-test | |
action_result.parameter.use_samaccountname | boolean | True False | |
action_result.data.*.function | string | removed | |
action_result.data.*.group | string | cn=domain guests,cn=users,dc=test,dc=lab | |
action_result.data.*.member | string | cn=svc-test,ou=test,dc=test,dc=lab | |
action_result.summary | string | ||
action_result.summary.found_user_records | numeric | 1 | |
action_result.summary.requested_user_records | numeric | 1 | |
action_result.message | string | removed member(s) from group(s) | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Unlocks a locked Active Directory account
Type: generic
Read only: False
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
use_samaccountname | optional | Use sAMAccountName for user instead of distinguishedName(s) | boolean | |
user | required | Specify the user to unlock. If 'use samaccountname' is false, then this must be the user's distinguishedName | string | user name |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.use_samaccountname | boolean | True False | |
action_result.parameter.user | string | user name |
CN=DEFAULTACCOUNT,CN=USERS,DC=TEST,DC=LAB |
action_result.data.*.samaccountname | string | ||
action_result.data.*.unlocked | boolean | True | |
action_result.data.*.user_dn | string | cn=defaultaccount,cn=users,dc=test,dc=lab | |
action_result.summary | string | ||
action_result.summary.unlocked | numeric | True | |
action_result.message | string | Unlocked: True | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Disables an Active Directory account
Type: generic
Read only: False
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
use_samaccountname | optional | Specify sAMAccountName instead of distinguishedName | boolean | |
user | required | Specify the user to disable. If 'use samaccountname' is false, then this must be the user's distinguishedName | string | user name |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.use_samaccountname | boolean | True False | |
action_result.parameter.user | string | user name |
CN=DEFAULTACCOUNT,CN=USERS,DC=TEST,DC=LAB |
action_result.data.*.starting_status | string | enabled | |
action_result.data.*.user_dn | string | cn=defaultaccount,cn=users,dc=test,dc=lab | |
action_result.summary.account_status | string | disabled | |
action_result.message | string | Account status: disabled | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Enables a disabled Active Directory account
Type: generic
Read only: False
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
use_samaccountname | optional | Specify sAMAccountName instead of distinguishedName | boolean | |
user | required | Specify the user to enable. If 'use samaccountname' is false, then this must be the user's distinguishedName | string | user name |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.use_samaccountname | boolean | True False | |
action_result.parameter.user | string | user name |
CN=DEFAULTACCOUNT,CN=USERS,DC=TEST,DC=LAB |
action_result.data.*.starting_status | string | disabled | |
action_result.data.*.user_dn | string | cn=defaultaccount,cn=users,dc=test,dc=lab | |
action_result.summary.account_status | string | enabled | |
action_result.message | string | Account status: enabled | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Resets the password of a user, requiring the user to change password at next login
Type: generic
Read only: False
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
use_samaccountname | optional | Use sAMAccountName instead of distinguishedName | boolean | |
user | required | User whose attributes are to be modified | string | user name |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.use_samaccountname | boolean | True False | |
action_result.parameter.user | string | user name |
SVC-TEST |
action_result.data.*.reset | numeric | True | |
action_result.data.*.samaccountname | string | SVC-TEST | |
action_result.data.*.user_dn | string | CN=SVC-TEST,OU=TEST,DC=TEST,DC=LAB | |
action_result.summary.reset | numeric | True | |
action_result.message | string | Reset: True | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Set a user's password
Type: generic
Read only: False
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
use_samaccountname | optional | Specify sAMAccountName instead of distinguishedName | boolean | |
user | required | Specify the user whose password will be set. If 'use samaccountname' is false, then this must be the user's distinguishedName | string | user name |
password | required | New password | string | |
confirm_password | required | Re-type the password | string |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.confirm_password | string | Thisisanewpw!123 | |
action_result.parameter.password | string | Thisisanewpw!123 | |
action_result.parameter.use_samaccountname | boolean | True False | |
action_result.parameter.user | string | user name |
CN=DEFAULTACCOUNT,CN=USERS,DC=TEST,DC=LAB |
action_result.data.*.samaccountname | string | ||
action_result.data.*.set | boolean | True | |
action_result.data.*.user_dn | string | cn=defaultaccount,cn=users,dc=test,dc=lab | |
action_result.summary | string | ||
action_result.summary.set | numeric | True | |
action_result.message | string | Set: True | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Moves an entry in Active Directory
Type: generic
Read only: False
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
object | required | Specify the distinguishedName to move | string | |
destination_ou | required | The distinguishedName of the OU the specified object will move to | string |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.destination_ou | string | OU=TEST,DC=TEST,DC=LAB | |
action_result.parameter.object | string | CN=SVC-TEST,OU=TEST,DC=TEST,DC=LAB | |
action_result.data.*.destination_container | string | OU=TEST,DC=TEST,DC=LAB | |
action_result.data.*.source_object | string | CN=SVC-TEST,OU=TEST,DC=TEST,DC=LAB | |
action_result.summary.moved | string | True | |
action_result.message | string | Moved: True | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Query Active Directory LDAP
Type: investigate
Read only: True
This action flexibly supports querying Active Directory using LDAP syntax.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
filter | required | The LDAP filter (must be in LDAP Syntax) | string | |
search_base | optional | The search base to use in its distinguishedName format. If not specified, the 'defaultNamingContext' will be used | string | |
attributes | required | Semi-colon separated list of attributes to collect (e.g. sAMAccountName;mail) | string |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.attributes | string | sAMAccountName | |
action_result.parameter.filter | string | (sAMAccountName=*) | |
action_result.parameter.search_base | string | ou=test,dc=test,dc=lab | |
action_result.data.*.entries.*.attributes | string | ||
action_result.data.*.entries.*.attributes.samaccountname | string | SVC-TEST | |
action_result.data.*.entries.*.dn | string | CN=SVC-TEST,OU=TEST,DC=TEST,DC=LAB | |
action_result.summary.total_objects | numeric | 1 | |
action_result.message | string | Total objects: 1 | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Get attributes of various principals
Type: investigate
Read only: True
This action takes any number of principals (sAMAccountName, distinguishedName, or userprincipalname) and returns requested attributes. Separate with semi-colon (';').
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
principals | required | The semi-colon separated principals. These can be sAMAccountName, userprincipalname, or distinguishedName | string | |
attributes | required | Semi-colon separated list of attributes to collect | string |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.attributes | string | ObjectGUID | |
action_result.parameter.principals | string | SVC-TEST;defaultaccount | |
action_result.data.*.entries.*.attributes | string | ||
action_result.data.*.entries.*.attributes.objectGUID | string | {a6c536dd-2487-41dd-8524-0037342505da} | |
action_result.data.*.entries.*.dn | string | CN=SVC-TEST,OU=test,DC=TEST,DC=LAB | |
action_result.summary | string | ||
action_result.summary.total_objects | numeric | 2 | |
action_result.message | string | Total objects: 2 | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Add, delete, or replace an attribute of a user
Type: generic
Read only: False
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
use_samaccountname | optional | Use sAMAccountName instead of distinguishedName | boolean | |
user | required | User whose attributes are to be modified | string | user name |
attribute | required | The attribute to modify (add/delete/replace) | string | |
value | optional | Attribute value | string | |
action | required | Semi-colon separated list of attributes to collect | string |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.action | string | REPLACE | |
action_result.parameter.attribute | string | ||
action_result.parameter.use_samaccountname | boolean | True False | |
action_result.parameter.user | string | user name |
Cn=SVC-TEST,OU=TEST,DC=TEST,DC=LAB |
action_result.parameter.value | string | [email protected] | |
action_result.data.*.message | string | Success | |
action_result.summary.summary | string | Successfully Set Attributes | |
action_result.message | string | Summary: Successfully Set Attributes | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Rename the object
Type: generic
Read only: False
When 'use_samaccountname' is false, the 'object' parameter should include the distinguishedName. Otherwise, use the sAMAccountName. For the 'new_name' parameter, append the new name to the attribute name. For example, to rename a user, use 'cn=New_user_name'; for an OU, use 'ou=New_OU_name'.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
object | required | The object to be renamed | string | user name |
use_samaccountname | optional | Use sAMAccountName instead of distinguishedName | boolean | |
new_name | required | New name for the object | string | user name |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.parameter.object | string | user name |
cn=test user,ou=test,dc=test,dc=test,dc=com |
action_result.parameter.use_samaccountname | boolean | True False | |
action_result.parameter.new_name | string | user name |
cn=new name |
action_result.status | string | success failed | |
action_result.data.*.message | string | Success | |
action_result.summary.summary | string | Successfully Renamed Object | |
action_result.message | string | Summary: Successfully Renamed Object | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |