AD LDAP

Publisher: Splunk
Connector Version: 2.0.7
Product Vendor: Splunk
Product Name: Active Directory LDAP
Product Version Supported (regex): ".*"
Minimum Product Version: 4.9.39220

App specifically designed for interacting with Microsoft Active Directory's LDAP Implementation

App Information

  • This LDAP application utilizes the LDAP3 library for Python. This was chosen, in part, due to the pythonic design of the library and the quality of the documentation. Both SSL and TLS are supported.
  • Please make sure to view additional documentation for this app on our GitHub Open Source Repo!

LDAP Port Requirements (based on the standard guidelines of IANA)

  • LDAP (service), TCP (transport protocol): 389
  • LDAP (service), UDP (transport protocol): 389
  • LDAP (service), TCP (transport protocol) over TLS/SSL (was sldap): 636
  • LDAP (service), UDP (transport protocol) over TLS/SSL (was sldap): 636

Asset Configuration

The asset for this app requires an account with which to bind and perform actions. If you are only ever going to perform information-gathering tasks (e.g. getting account attributes), then a standard user account is sufficient. However, if you plan on doing things like unlocking accounts, resetting passwords, or moving objects, you will need an account with the permissions to actually perform these actions. It is best practice NOT to use a "Domain Administrator" (or higher) account. Instead, delegate the appropriate least-privilege access to a dedicated service account with a very strong password. Lastly, it is strongly recommended to use SSL and to disallow insecure binds (plain-text and unsigned) wherever possible.

Run Query Action

This action provides the user the ability to run generic queries with the LDAP syntax. The action takes a filter (in LDAP syntax), an optional search base to search within, and specific attributes that you would like to return.

  • Common AD LDAP Run Query Examples

    • Get Users belonging to a specific OU, Container, or Group

      • filter = (samaccountname=*)
      • attributes = samaccountname;mail
      • search_base = distinguishedNameOfOU/Container/Group
    • List Group Names that a User belongs to

      • filter = (&(member=distinguishedNameOfUserHERE)(objectClass=group))
      • attributes = name
    • Return results if mail attribute is present OR sAMAccountName matches '*admin*'

      • filter = (|(mail=*)(samaccountname=*admin*))
      • attributes = samaccountname;mail;userprincipalname;distinguishedname
    • If you would like to learn more about LDAP Filter Syntax, check out this Microsoft Wiki
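As an added example (not code from the Splunk app), the following Python shows how the filters listed above are assembled in practice, with values such as a user's distinguishedName escaped per RFC 4515 so that a principal containing `*`, `(` or `)` cannot change the structure of the filter, and with the app's semi-colon list convention applied to the attributes, members and groups parameters. Function names are mine; the ldap3 library the app is built on provides the same escaping as `ldap3.utils.conv.escape_filter_chars`.

```python
import re
from typing import Dict, List

# RFC 4515 escapes for characters that are special inside an LDAP filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it cannot change the structure of the surrounding filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def parse_attribute_list(items: str) -> List[str]:
    """Split the app's semi-colon separated lists (attributes, members, groups), dropping blanks."""
    return [i.strip() for i in items.split(";") if i.strip()]


def groups_of_user_filter(user_dn: str) -> str:
    """'List Group Names that a User belongs to', with the DN escaped before insertion."""
    return f"(&(member={escape_filter_value(user_dn)})(objectClass=group))"


def samaccountname_lookup_filter(members: str) -> str:
    """Filter that resolves a ';' list of sAMAccountNames (use_samaccountname=true) to entries."""
    names = parse_attribute_list(members)
    if not names:
        raise ValueError("no members given")
    clauses = "".join(f"(sAMAccountName={escape_filter_value(n)})" for n in names)
    return clauses if len(names) == 1 else f"(|{clauses})"


def build_run_query(ldap_filter: str, attributes: str, search_base: str = "") -> Dict[str, object]:
    """Assemble 'run query' parameters, rejecting filters that are not one balanced LDAP expression."""
    if not re.fullmatch(r"\(.*\)", ldap_filter) or ldap_filter.count("(") != ldap_filter.count(")"):
        raise ValueError("filter must be a parenthesised LDAP filter")
    attrs = parse_attribute_list(attributes)
    if not attrs:
        raise ValueError("at least one attribute is required")
    # An empty search_base means the server's defaultNamingContext, as the app documents.
    return {"filter": ldap_filter, "attributes": attrs, "search_base": search_base or "defaultNamingContext"}


if __name__ == "__main__":
    # Constructed sample input: a DN containing parentheses, which would otherwise break the filter.
    print(groups_of_user_filter("CN=Smith (Admin),OU=Users,DC=example,DC=com"))
    print(samaccountname_lookup_filter("alice;bob;j*"))
    print(build_run_query("(|(mail=*)(samaccountname=*admin*))", "samaccountname;mail"))
```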

Configuration Variables

The configuration variables below are required for this connector to operate. These variables are specified when configuring an Active Directory LDAP asset in SOAR.

| VARIABLE | REQUIRED | TYPE | DESCRIPTION |
| --- | --- | --- | --- |
| server | required | string | The Active Directory server hostname, IP, or VIP for binding |
| username | required | string | The username with which to bind to LDAP |
| password | required | password | The password for the binding user |
| force_ssl | required | boolean | Force the use of SSL. Note that some actions are not possible without a secure binding! |
| validate_ssl_cert | required | boolean | Select if you want to validate the LDAP SSL certificate |
| ssl_port | required | numeric | The port to bind to for SSL (default 636) |

Supported Actions

test connectivity - Validate the asset configuration for connectivity using supplied configuration
add group members - Adds one or more Active Directory objects to one or more groups
remove group members - Removes one or more Active Directory objects from one or more groups
unlock account - Unlocks a locked Active Directory account
disable account - Disables an Active Directory account
enable account - Enables a disabled Active Directory account
reset password - Resets the password of a user, requiring the user to change password at next login
set password - Set a user's password
move object - Moves an entry in Active Directory
run query - Query Active Directory LDAP
get attributes - Get attributes of various principals
set attribute - Add, delete, or replace an attribute of a user

action: 'test connectivity'

Validate the asset configuration for connectivity using supplied configuration

Type: test
Read only: True

Action Parameters

No parameters are required for this action

Action Output

No Output

action: 'add group members'

Adds one or more Active Directory objects to one or more groups

Type: generic
Read only: False

Action Parameters

| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
| --- | --- | --- | --- | --- |
| use_samaccountname | optional | Specify members AND groups as sAMAccountName(s) instead of distinguishedName(s) (note: members AND groups will use sAMAccountName if selected) | boolean | |
| members | required | Semi-colon (';') separated list of users. If 'use samaccountname' is false, then these must be distinguishedName(s) | string | |
| groups | required | Semi-colon (';') separated list of groups to which the members will be added. If 'use samaccountname' is false, then these must be distinguishedName(s) | string | |

Action Output

| DATA PATH | TYPE | CONTAINS |
| --- | --- | --- |
| `action_result.data.*.member` | string | |
| `action_result.data.*.function` | string | |
| `action_result.data.*.group` | string | |
| `action_result.summary` | string | |
| `action_result.status` | string | |
| `action_result.message` | string | |
| `action_result.parameter.use_samaccountname` | string | |
| `action_result.parameter.members` | string | |
| `action_result.parameter.groups` | string | |
| `action_result.summary.found_user_records` | numeric | |
| `action_result.summary.requested_user_records` | numeric | |
| `summary.total_objects` | numeric | |
| `summary.total_objects_successful` | numeric | |

action: 'remove group members'

Removes one or more Active Directory objects from one or more groups

Type: generic
Read only: False

Action Parameters

| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
| --- | --- | --- | --- | --- |
| use_samaccountname | optional | Specify members AND groups as sAMAccountName(s) instead of distinguishedName(s) | boolean | |
| members | required | Semi-colon (';') separated list of users. If 'use samaccountname' is false, then these must be distinguishedName(s) | string | |
| groups | required | Semi-colon (';') separated list of groups from which the members will be removed. If 'use samaccountname' is false, then these must be distinguishedName(s) | string | |

Action Output

| DATA PATH | TYPE | CONTAINS |
| --- | --- | --- |
| `action_result.data.*.member` | string | |
| `action_result.data.*.function` | string | |
| `action_result.data.*.group` | string | |
| `action_result.summary` | string | |
| `action_result.status` | string | |
| `action_result.message` | string | |
| `action_result.parameter.use_samaccountname` | string | |
| `action_result.parameter.members` | string | |
| `action_result.parameter.groups` | string | |
| `action_result.summary.found_user_records` | numeric | |
| `action_result.summary.requested_user_records` | numeric | |
| `summary.total_objects` | numeric | |
| `summary.total_objects_successful` | numeric | |

action: 'unlock account'

Unlocks a locked Active Directory account

Type: generic
Read only: False

Action Parameters

| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
| --- | --- | --- | --- | --- |
| use_samaccountname | optional | Use sAMAccountName for the user instead of distinguishedName | boolean | |
| user | required | Specify the user to unlock. If 'use samaccountname' is false, then this must be the user's distinguishedName | string | user name |

Action Output

| DATA PATH | TYPE | CONTAINS |
| --- | --- | --- |
| `action_result.data.*.user_dn` | string | |
| `action_result.data.*.samaccountname` | string | |
| `action_result.data.*.unlocked` | boolean | |
| `action_result.message` | string | |
| `action_result.status` | string | |
| `action_result.parameter.use_samaccountname` | boolean | |
| `action_result.summary` | string | |
| `action_result.parameter.user` | string | user name |
| `action_result.summary.unlocked` | numeric | |
| `summary.total_objects` | numeric | |
| `summary.total_objects_successful` | numeric | |

action: 'disable account'

Disables an Active Directory account

Type: generic
Read only: False

Action Parameters

| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
| --- | --- | --- | --- | --- |
| use_samaccountname | optional | Specify sAMAccountName instead of distinguishedName | boolean | |
| user | required | Specify the user to disable. If 'use samaccountname' is false, then this must be the user's distinguishedName | string | user name |

Action Output

| DATA PATH | TYPE | CONTAINS |
| --- | --- | --- |
| `action_result.parameter.user` | string | user name |
| `action_result.data.*.starting_status` | string | |
| `action_result.summary.account_status` | string | |
| `action_result.status` | string | |
| `action_result.parameter.use_samaccountname` | boolean | |
| `action_result.message` | string | |
| `action_result.data.*.user_dn` | string | |
| `summary.total_objects` | numeric | |
| `summary.total_objects_successful` | numeric | |

action: 'enable account'

Enables a disabled Active Directory account

Type: generic
Read only: False

Action Parameters

| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
| --- | --- | --- | --- | --- |
| use_samaccountname | optional | Specify sAMAccountName instead of distinguishedName | boolean | |
| user | required | Specify the user to enable. If 'use samaccountname' is false, then this must be the user's distinguishedName | string | user name |

Action Output

| DATA PATH | TYPE | CONTAINS |
| --- | --- | --- |
| `action_result.parameter.user` | string | user name |
| `action_result.data.*.starting_status` | string | |
| `action_result.summary.account_status` | string | |
| `action_result.status` | string | |
| `action_result.parameter.use_samaccountname` | boolean | |
| `action_result.message` | string | |
| `action_result.data.*.user_dn` | string | |
| `summary.total_objects` | numeric | |
| `summary.total_objects_successful` | numeric | |

action: 'reset password'

Resets the password of a user, requiring the user to change password at next login

Type: generic
Read only: False

Action Parameters

| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
| --- | --- | --- | --- | --- |
| use_samaccountname | optional | Use sAMAccountName instead of distinguishedName | boolean | |
| user | required | User whose attributes are to be modified | string | user name |

Action Output

| DATA PATH | TYPE | CONTAINS |
| --- | --- | --- |
| `action_result.data.*.reset` | numeric | |
| `action_result.data.*.user_dn` | string | |
| `action_result.data.*.samaccountname` | string | |
| `action_result.status` | string | |
| `action_result.message` | string | |
| `action_result.summary.reset` | numeric | |
| `action_result.parameter.user` | string | user name |
| `action_result.parameter.use_samaccountname` | numeric | |
| `summary.total_objects` | numeric | |
| `summary.total_objects_successful` | numeric | |

action: 'set password'

Set a user's password

Type: generic
Read only: False

Action Parameters

| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
| --- | --- | --- | --- | --- |
| use_samaccountname | optional | Specify sAMAccountName instead of distinguishedName | boolean | |
| user | required | Specify the user whose password will be set. If 'use samaccountname' is false, then this must be the user's distinguishedName | string | user name |
| password | required | New password | string | |
| confirm_password | required | Re-type the password | string | |

Action Output

| DATA PATH | TYPE | CONTAINS |
| --- | --- | --- |
| `action_result.parameter.user` | string | user name |
| `action_result.data.*.set` | boolean | |
| `action_result.data.*.user_dn` | string | |
| `action_result.data.*.samaccountname` | string | |
| `action_result.parameter.password` | string | |
| `action_result.parameter.confirm_password` | string | |
| `action_result.status` | string | |
| `action_result.parameter.use_samaccountname` | boolean | |
| `action_result.summary` | string | |
| `action_result.message` | string | |
| `action_result.summary.set` | numeric | |
| `summary.total_objects` | numeric | |
| `summary.total_objects_successful` | numeric | |

action: 'move object'

Moves an entry in Active Directory

Type: generic
Read only: False

Action Parameters

| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
| --- | --- | --- | --- | --- |
| object | required | Specify the distinguishedName to move | string | |
| destination_ou | required | The distinguishedName of the OU the specified object will move to | string | |

Action Output

| DATA PATH | TYPE | CONTAINS |
| --- | --- | --- |
| `action_result.parameter.object` | string | |
| `action_result.parameter.destination_ou` | string | |
| `action_result.summary.moved` | string | |
| `action_result.data.*.source_object` | string | |
| `action_result.data.*.destination_container` | string | |
| `action_result.status` | string | |
| `action_result.message` | string | |
| `summary.total_objects` | numeric | |
| `summary.total_objects_successful` | numeric | |

action: 'run query'

Query Active Directory LDAP

Type: investigate
Read only: True

This action flexibly supports querying Active Directory using LDAP syntax.

Action Parameters

| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
| --- | --- | --- | --- | --- |
| filter | required | The LDAP filter (must be in LDAP syntax) | string | |
| search_base | optional | The search base to use, in its distinguishedName format. If not specified, the 'defaultNamingContext' will be used | string | |
| attributes | required | Semi-colon separated list of attributes to collect (e.g. sAMAccountName;mail) | string | |

Action Output

| DATA PATH | TYPE | CONTAINS |
| --- | --- | --- |
| `action_result.data.*.entries.*.attributes` | string | |
| `action_result.parameter.filter` | string | |
| `action_result.parameter.search_base` | string | |
| `action_result.parameter.attributes` | string | |
| `action_result.status` | string | |
| `action_result.message` | string | |
| `action_result.summary.total_objects` | numeric | |
| `action_result.data.*.entries.*.dn` | string | |
| `action_result.data.*.entries.*.attributes.samaccountname` | string | |
| `summary.total_objects` | numeric | |
| `summary.total_objects_successful` | numeric | |

action: 'get attributes'

Get attributes of various principals

Type: investigate
Read only: True

This action takes any number of principals (sAMAccountName, distinguishedName, or userPrincipalName) and returns the requested attributes. Separate multiple principals with a semi-colon (';').

Action Parameters

| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
| --- | --- | --- | --- | --- |
| principals | required | The semi-colon separated principals. These can be sAMAccountName, userPrincipalName, or distinguishedName | string | |
| attributes | required | Semi-colon separated list of attributes to collect | string | |

Action Output

| DATA PATH | TYPE | CONTAINS |
| --- | --- | --- |
| `action_result.parameter.principals` | string | |
| `action_result.parameter.attributes` | string | |
| `action_result.status` | string | |
| `action_result.message` | string | |
| `summary.total_objects` | numeric | |
| `action_result.summary` | string | |
| `action_result.data.*.entries.*.attributes` | string | |
| `action_result.data.*.entries.*.dn` | string | |
| `action_result.data.*.entries.*.attributes.objectGUID` | string | |
| `action_result.summary.total_objects` | numeric | |
| `summary.total_objects_successful` | numeric | |

action: 'set attribute'

Add, delete, or replace an attribute of a user

Type: generic
Read only: False

Action Parameters

| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
| --- | --- | --- | --- | --- |
| use_samaccountname | optional | Use sAMAccountName instead of distinguishedName | boolean | |
| user | required | User whose attributes are to be modified | string | user name |
| attribute | required | The attribute to modify (add/delete/replace) | string | |
| value | optional | Attribute value | string | |
| action | required | The operation to perform on the attribute (add, delete, or replace) | string | |

Action Output

| DATA PATH | TYPE | CONTAINS |
| --- | --- | --- |
| `action_result.data.*.message` | string | |
| `action_result.status` | string | |
| `action_result.message` | string | |
| `action_result.summary.summary` | string | |
| `action_result.parameter.user` | string | user name |
| `action_result.parameter.value` | string | |
| `action_result.parameter.action` | string | |
| `action_result.parameter.attribute` | string | |
| `action_result.parameter.use_samaccountname` | numeric | |
| `summary.total_objects` | numeric | |
| `summary.total_objects_successful` | numeric | |