Looking for a way to query LDAP using a custom action similar to Splunk SOAR's LDAP query but do not see a current integration action that supports this. Is this functionality supported? If so, what would be the best way to create this query if our AD integration is properly configured?
Hi,
Between the two different integrations from SecOps and Splunk - what are the differences in the results of the queries? What do you get from Splunk that you need here?
I believe this would be some Python code and a little bit of tinkering with the pieces you want or a feature request to get into the product/integration.
They have a supported action: run query: Query Active Directory LDAP in their LDAP integration. https://splunkbase.splunk.com/app/5755. That query does not appear to be currently supported by SecOps.
If you can tell us what the LDAP query is exactly we may be able to modify the existing code within the SOAR IDE and use that to pull the data.
There is a component that is currently configured within the integration called "search active directory" that runs some kind of LDAP query - so it's certainly something that can be done - it just needs some custom configuration.
I have done this, if I understand what you are trying to do.
I copied the Search Active Directory and then modified it for the query that I wanted to run. I also set it to handle multiple entities. And I am sure there is a cleaner way to do it, but it's what I could do.
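
One way to build the LDAP filter for a custom action that handles multiple entities, as the last reply describes. This is an added example, not code from the thread or from either product; the function names, the attribute allow-list and the sample identifiers are assumptions. Entity identifiers come from alert data, so each value is escaped per RFC 4515 before it is placed in the filter.

```python
# Added example: build one LDAP search filter for several entity identifiers.
# Names, allow-lists and sample data are assumptions, not product code.

# RFC 4515 section 3: characters that must be escaped inside a filter value.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Assumption: attributes and object classes the custom action may search on.
ALLOWED_ATTRIBUTES = {"sAMAccountName", "userPrincipalName", "mail", "dNSHostName"}
ALLOWED_CLASSES = {"user", "computer", "group"}


def escape_filter_value(value):
    """Escape a value so the server treats it as a literal, not filter syntax."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_entity_filter(entities, attribute="sAMAccountName", object_class="user"):
    """Return an OR filter that matches any of the given entity identifiers."""
    # Attribute and class names are never taken from alert data unchecked.
    if attribute not in ALLOWED_ATTRIBUTES:
        raise ValueError(f"attribute not allowed: {attribute!r}")
    if object_class not in ALLOWED_CLASSES:
        raise ValueError(f"object class not allowed: {object_class!r}")
    # Drop empty identifiers and de-duplicate while keeping first-seen order.
    unique = list(dict.fromkeys(e.strip() for e in entities if e and e.strip()))
    if not unique:
        raise ValueError("no entity identifiers supplied")
    clauses = "".join(f"({attribute}={escape_filter_value(e)})" for e in unique)
    return f"(&(objectClass={object_class})(|{clauses}))"


# Constructed sample identifiers; the last one contains filter metacharacters.
SAMPLE_ENTITIES = ["jdoe", "asmith", "jdoe", "svc(backup)*"]

if __name__ == "__main__":
    print(build_entity_filter(SAMPLE_ENTITIES))
```

The resulting string is what would be passed as the search filter to whichever LDAP client the copied action already uses.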