Here are a few sample AD queries:
Disabled User accounts
All users belonging to a particular named group (in this case SIEM)
All members of the Domain Admin Group
Worked perfectly, thank you!
A follow up question:
I also need to populate a Watchlist with the sAMAccountName of the members of an OU. When I execute the following string, I do NOT receive an error. Rather, the query comes back blank, even though there are indeed user accounts located in the specified OU.
Please help me identify the error in my query below so I can correct it?
Here is an example of an enrichment query I have to create a list of users who belong to a specific OU, in this case a group called compliance.
The lookup attribute is set to sAMAccountName as well. The end of your query with the sAMAccountName=* is repetitive, as when we generate the query, the lookup attribute gets appended to the query.
Try your query as follows and it should work for you:
You may also need to change the OU= to CN=. While it is technically an OU, it may be represented as a Common Name in your AD schema.
This feature does not work when trying to pull members of a given OU. I tried it last year, could not get it to work, opened a support ticket, they could not get it to work, escalated to Tier 3, they could not get it to work. They told me to open a PER, not the answer I was looking for.
I am still working on getting the query to work, but I did get the "received malformed data" error to go away. Change the authentication to be email@example.com vs just the AD user. Once I did that it seemed to be accepted by AD, just that my query syntax is still wrong.
To clarify your need for searching within OUs, the ESM will query from the root of the LDAP tree. In order to query an OU, we need the ability to change the base DN in the ESM. This will allow you to query for objects within a specific OU.
Filtering for an OU is not possible using the query syntax given above.
Just thought I'd add that in case you wanted to add it to the PER. It's similar to what someone asked about here (Microsoft link -- ldap_query all users in one OU).
feeeds, when querying LDAP, the LDAP server expects the DN syntax, otherwise the user@domain works too. I would suggest simplifying your query. Here is a list of common queries that might help with understanding the syntax:
If you run a tcpdump on the ESM, you should see what the error is as well.
Just a side note - pulling the members of a Group is possible, however pulling the users that reside in a given OU is not supported by Microsoft.
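The thread's three sample queries (disabled accounts, members of a named group, members of Domain Admins) and its central point about OUs can be tried without a domain controller. The following is an added example, not McAfee ESM code and not anything posted in the thread: a small evaluator for the subset of LDAP filter syntax that Active Directory queries use, run against a constructed in-memory directory for a hypothetical domain example.com. It shows why a filter such as `(ou=Compliance)` comes back empty from the root (an OU is part of an object's DN, not an attribute on the user object), and why changing the base DN to the OU itself is what actually scopes the search. The `esm_filter` helper models the earlier reply's description that ESM appends the lookup attribute to the filter you type; the exact form it uses is an assumption.

```python
"""Offline model of Active Directory LDAP filters and base-DN scoping.

Added example for this thread, not McAfee ESM or Microsoft code. Evaluates a
subset of RFC 4515 filter syntax (&, |, !, equality, '*' wildcards and the two
AD bitwise matching-rule OIDs) against a constructed in-memory directory.
"""
import re

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"  # real AD OID
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"   # real AD OID
UF_ACCOUNTDISABLE = 2          # userAccountControl bit: account disabled
UF_DONT_EXPIRE_PASSWD = 65536  # userAccountControl bit: password never expires

# Constructed sample directory for a hypothetical domain (not real data).
DIRECTORY = [
    {"dn": "CN=Alice,OU=Compliance,DC=example,DC=com", "objectClass": ["top", "person", "user"],
     "sAMAccountName": "alice", "userAccountControl": 512,
     "memberOf": ["CN=SIEM,OU=Groups,DC=example,DC=com"]},
    {"dn": "CN=Bob,OU=Compliance,DC=example,DC=com", "objectClass": ["top", "person", "user"],
     "sAMAccountName": "bob", "userAccountControl": 512 | UF_ACCOUNTDISABLE, "memberOf": []},
    {"dn": "CN=Carol,OU=IT,DC=example,DC=com", "objectClass": ["top", "person", "user"],
     "sAMAccountName": "carol", "userAccountControl": 512,
     "memberOf": ["CN=Domain Admins,CN=Users,DC=example,DC=com",
                  "CN=SIEM,OU=Groups,DC=example,DC=com"]},
    {"dn": "CN=svc-backup,CN=Users,DC=example,DC=com", "objectClass": ["top", "person", "user"],
     "sAMAccountName": "svc-backup", "userAccountControl": 512 | UF_DONT_EXPIRE_PASSWD,
     "memberOf": []},
]


def parse(text, i=0):
    """Parse one parenthesised filter starting at text[i]; return (node, next_index)."""
    if text[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if text[i] in "&|":
        op, i, children = text[i], i + 1, []
        while text[i] == "(":
            child, i = parse(text, i)
            children.append(child)
        if text[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, children), i + 1
    if text[i] == "!":
        child, i = parse(text, i + 1)
        if text[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return ("!", [child]), i + 1
    end = text.index(")", i)
    attr, _, value = text[i:end].partition("=")   # first '=' splits attr from value
    return ("=", attr, value), end + 1


def _attribute(entry, name):
    """Case-insensitive attribute lookup; always returns a list of values."""
    for key, values in entry.items():
        if key.lower() == name.lower():
            return values if isinstance(values, list) else [values]
    return []


def matches(node, entry):
    """Evaluate a parsed filter node against one directory entry."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    rule = None
    if attr.endswith(":"):                       # "attr:OID:=value" extensible match
        attr, rule = attr[:-1].split(":", 1)
    values = _attribute(entry, attr)
    if rule == LDAP_MATCHING_RULE_BIT_AND:
        return any(int(v) & int(value) == int(value) for v in values)
    if rule == LDAP_MATCHING_RULE_BIT_OR:
        return any(int(v) & int(value) != 0 for v in values)
    if rule is not None:
        raise ValueError(f"unsupported matching rule {rule}")
    if value == "*":                             # presence test
        return bool(values)
    pattern = ".*".join(re.escape(part) for part in value.split("*"))
    return any(re.fullmatch(pattern, str(v), re.IGNORECASE) for v in values)


def search(base_dn, filter_text, scope="subtree"):
    """Return sAMAccountNames of entries under base_dn that satisfy the filter."""
    node, _ = parse(filter_text)
    base = base_dn.lower()
    hits = []
    for entry in DIRECTORY:
        dn = entry["dn"].lower()
        if scope == "subtree":
            in_scope = dn == base or dn.endswith("," + base)
        else:                                    # "onelevel": immediate children only
            in_scope = dn.split(",", 1)[1] == base
        if in_scope and matches(node, entry):
            hits.append(entry["sAMAccountName"])
    return hits


def esm_filter(user_filter, lookup_attribute="sAMAccountName"):
    """Assumed model of ESM appending the lookup attribute to the user's filter."""
    return f"(&{user_filter}({lookup_attribute}=*))"


DISABLED_USERS = f"(&(objectClass=user)(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={UF_ACCOUNTDISABLE}))"


def members_of(group_dn):
    """memberOf needs the group's full DN and only reflects direct membership."""
    return f"(&(objectClass=user)(memberOf={group_dn}))"


DOMAIN_ADMINS = members_of("CN=Domain Admins,CN=Users,DC=example,DC=com")

if __name__ == "__main__":
    root = "DC=example,DC=com"
    print("disabled:", search(root, esm_filter(DISABLED_USERS)))
    print("SIEM members:", search(root, members_of("CN=SIEM,OU=Groups,DC=example,DC=com")))
    print("Domain Admins:", search(root, DOMAIN_ADMINS))
    print("ou=Compliance from root (empty):", search(root, "(&(objectClass=user)(ou=Compliance))"))
    print("base DN set to the OU:", search("OU=Compliance,DC=example,DC=com", "(objectClass=user)"))
```

The last two calls are the thread's situation in miniature: the same user objects are invisible to a filter on `ou` from the root, and visible as soon as the base DN is the OU, which is exactly the ESM capability the later replies say is missing.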