Hello,
I'm looking for a Splunk query to capture AD groups that are not integrated with SAML in Splunk Cloud.
I got my query right:
| rest splunk_server=local /services/authorization/roles
| fields imported_roles,imported_srchIndexesAllowed,imported_srchIndexesDefault,srchIndexesAllowed,srchIndexesDefault,title
| rename title as roles
| table roles
| join type=left roles
    [| rest splunk_server=local /services/admin/SAML-groups
    | fields roles,title
    | rename title as ADGroup
    | mvexpand roles ]
| search roles!="can_delete"
| where isnull(ADGroup)