Pulling Active Directory attributes using a domain connector

Document created by jbur on Aug 27, 2009. Last modified by CBCJWINN on Aug 28, 2009.
Version 2

This was originally posted by CBCJWINN on the old forum, but was not migrated over! (from 08-18-2009)
https://forum.arcsight.com/showthread.php?t=1669

 

Hi,

 

I am using the Windows unified connector, but it gives me only Event Viewer details in the events. I want to pull Active Directory attributes for the user ID in the event.

 

Can this connector pull Active Directory details for the user ID in events?

 

Thanks
-Sameer

 

--------------------------------------------------------------------

 

The Windows unified connector will be limited to event log events (security, system, application), so you're limited to the information that those events provide. If you want to collect information from Active Directory you will need to go about doing so using something other than the unified connector.

 

The method I decided to use was as follows:

 

- Installed folder follower flex connector
- Created sdkrfilereader properties file for parsing (attached as text file)
- Created VBScript to connect to LDAP to query accounts (attached as text file with info obfuscated)
- Created scheduled task to execute VBScript daily

 

Now, with the AD accounts being sent to the manager, I had to set up some content in the manager to save this information (package attached):

 

- Created "Windows Account" active list (expiration set to 1 day)
- Created rule to move accounts to active list

 

Once you have these preliminary steps set up and working, you can reference the active list data using the "GetActiveListValue" variable in your rules, reports, etc.

 

 

--------------------------------------------------------------------

 

 

You will need to make quite a few changes to get this working in your environment.  These include:

 

     In the VBS:

     - Setting the correct folder destinations

     - Entering the User ID (LDAP CN) and password to connect to AD (I created a service account with Domain User rights)

     - Pointing to the correct LDAP instance

  

     In General:

     - Changing the properties, VBS and active list to capture attributes beyond those already listed such as groups

 

 

Obviously, this is intended to run in the Windows environment.  If you have questions or comments please post here and I'll address them as I'm able.
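
The export step described above (a scheduled script that queries LDAP and drops a file for the folder follower connector), as an added PowerShell example. It is not the attached VBScript or any ArcSight-supplied code. The drop folder, file naming, column set and the assumption that the connector only matches *.csv are all hypothetical. It binds as the account the scheduled task runs under, so no password is stored in the script.

```powershell
# Added example: export AD user attributes to a CSV for a folder follower connector.
# Assumptions: drop folder path, file names, column set, connector matches only *.csv.
$DropFolder = 'C:\ArcSight\ad-export'   # hypothetical folder the connector watches
$Attributes = 'sAMAccountName','displayName','mail','department','userAccountControl','whenChanged'

# Bind with the identity of the scheduled task (a low-privilege service account).
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter   = '(&(objectCategory=person)(objectClass=user))'
$searcher.PageSize = 1000               # enable paging so large domains are not truncated
foreach ($a in $Attributes) { [void]$searcher.PropertiesToLoad.Add($a) }

function Get-First($result, $name) {
    # Result property names are lower-cased; a missing attribute yields an empty string.
    $values = $result.Properties[$name.ToLower()]
    if ($null -ne $values -and $values.Count -gt 0) { return [string]$values[0] }
    return ''
}

$results = $searcher.FindAll()
try {
    $rows = foreach ($r in $results) {
        $uac = 0
        [void][int]::TryParse((Get-First $r 'userAccountControl'), [ref]$uac)
        [pscustomobject]@{
            Account     = Get-First $r 'sAMAccountName'
            DisplayName = Get-First $r 'displayName'
            Mail        = Get-First $r 'mail'
            Department  = Get-First $r 'department'
            Disabled    = [bool]($uac -band 2)   # ACCOUNTDISABLE bit
            WhenChanged = Get-First $r 'whenChanged'
        }
    }
} finally {
    $results.Dispose()                  # the result collection holds unmanaged resources
}

# Write under a temporary name, then rename, so a partial file is never parsed.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$tmp   = Join-Path $DropFolder "ad-accounts-$stamp.tmp"
$rows | Export-Csv -Path $tmp -NoTypeInformation -Encoding UTF8
Rename-Item -Path $tmp -NewName "ad-accounts-$stamp.csv"
```

The parser properties file on the connector side has to match whatever columns and delimiter the export produces, and the drop folder should be writable only by the service account and readable by the connector.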
