1 Reply Latest reply on Jun 10, 2014 10:43 AM by davids15

    Dynamic watchlist using LDAP query help needed - set AD location to search

    cllapole

      This should be simple, but I cannot figure it out, and maybe it isn't even really possible in any straight-forward manner.  I am trying to create a Dynamic Watchlist of all computer accounts in the default AD Computers conatiner.  I use the Lookup Attribute of sAMAccountName (which works fine for computer name in other instances).  If I use the query (&(objectCategory=computer)(name=*)) I get back all computer accounts in AD.  I want to somehow limit this to only the computer accounts in the default AD Computers conatiner.  If anyone can help it will be greatly appreciated.

       

      For a further explanation of what I am ultimately trying to do (and maybe I shouldn't even bother with my watchlist), when computers are added to the domain they drop into the default Computers container in AD.  We have some internal issues that have caused computer accounts to not be moved out of that container (which is a manual process currently) and into the correct location we have determined they should be.  All of the Group Policies we have setup (and other security protections) are not happening because of the accounts are in the wrong place.  Initially, I am being asked to create a report generated by the SIEM of all computer accounts in the SIEM along with the user account of the person who added that computer account.  I was thinking of doing a watchlist and then associating each entry with the last occurence of the Computer Account Created event (SIG 43-211006450).  I thought if I could start with a computer account, I could somehow correalate the last event and add those fields to a daily report.  I was also thinking that if I had the list, and I was able to use the Object Created date, I could also then manipulate any computer accounts that are xx hours old (e.g. tag them in ePolicy differently or take other similar actions).  Am I making this more difficult than necessary?  Is there a smarter way to get this report created daily? 

       

      Thanks,

      Chris

      (SIEM version 9.3.2)