Graylog2 / graylog2-server

Free and open log management
https://www.graylog.org

Active Directory Data Adapter for Looking Up AD Account Attribute Values #9322

Open jandrusk opened 3 years ago

jandrusk commented 3 years ago

What?

I would like to be able to create a data adapter in Graylog that would give me the ability to do lookups on a user object in our Active Directory and return a list of key-value pairs of AD attributes associated with the object. For example, if in Graylog we have a field called 'Username' that contains the SAMAccount value of an account in AD, we would like to be able to query the adapter to populate new fields with values associated with that object, such as first and last name, e-mail address, department, etc. I would imagine we would define an AD LDAP server with a port field, along with a field for an account that minimally has read permissions to our Active Directory.

Why?

Our AD SamAccount naming convention by itself does not tell you who the user of the account actually is. Being able to query that information with AD and define new Graylog fields with those values would provide greater context around who the actual user is for a given message/event. I think this would aid us in tracking down various event types and would remove the need to do manual lookups to determine that info.

Your Environment

H2Cyber commented 3 years ago

Would be interesting to have this.

The typical use case that we have (which could benefit from such an adapter) is management asking for user access KPIs that are broken down by different business units. We do have the access logs in GL which contain user access events, but the business unit information for each username is something that we have to pull from AD.

Et7f3 commented 3 months ago

I have the same request for OpenLDAP. They can both use the LDAP protocol. GL already uses it for authentication, so it could reuse this logic for the data adapter.
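
The lookup requested in this issue would place a value taken from a log message into an LDAP search filter, so the value has to be escaped and the returned attributes restricted. The sketch below is an added example, not Graylog code and not part of any comment in this thread; the function names, the `ad_` field names, the length cap and the stub directory are assumptions made for illustration.

```python
from typing import Callable, Dict, List

# RFC 4515 escapes for characters that have meaning inside a search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
MAX_LEN = 64  # arbitrary cap chosen for this example
# Hypothetical allow-list: AD attribute -> field name added to the message.
ALLOWED_ATTRS = {"givenName": "ad_first_name", "sn": "ad_last_name",
                 "mail": "ad_email", "department": "ad_department"}
Entry = Dict[str, List[str]]
SearchFn = Callable[[str, List[str]], List[Entry]]


def escape_filter_value(value: str) -> str:
    """Escape a log-derived value so the directory matches it literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username: str) -> str:
    """Filter for a single user object, keyed on sAMAccountName."""
    if not username or len(username) > MAX_LEN:
        raise ValueError("username empty or too long")
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(sAMAccountName={escape_filter_value(username)}))")


def to_fields(entry: Entry) -> Dict[str, str]:
    """Keep only allow-listed attributes; join multi-valued ones."""
    return {field: ", ".join(entry[attr])
            for attr, field in ALLOWED_ATTRS.items() if entry.get(attr)}


def lookup(username: str, search: SearchFn) -> Dict[str, str]:
    """Return enrichment fields, or {} when the match is missing or ambiguous."""
    entries = search(build_user_filter(username), list(ALLOWED_ATTRS))
    return to_fields(entries[0]) if len(entries) == 1 else {}


def fake_search(ldap_filter: str, attrs: List[str]) -> List[Entry]:
    """Constructed stand-in for a real LDAP search; the data is made up."""
    directory = {"jd4821": {"givenName": ["Jane"], "sn": ["Doe"],
                            "mail": ["jane.doe@example.com"],
                            "department": ["Finance"], "memberOf": ["CN=x"]}}
    if "(sAMAccountName=*)" in ldap_filter:  # an unescaped wildcard matches all
        return list(directory.values()) * 2
    for name, entry in directory.items():
        if f"(sAMAccountName={name})" in ldap_filter:
            return [{a: entry[a] for a in attrs if a in entry}]
    return []
```

In a real adapter the `search` callable would wrap the LDAP client bound with the read-only account mentioned in the request.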