Solved: Splunk Query to find the AD groups not configured ... - Splunk Community

Splunk Search

Hello,

I'm looking for a splunk query to capture AD groups that are not integrated with SAML in Splunk Cloud

1 Solution

Solution

I got my query right

| rest splunk_server=local /services/authorization/roles
| fields imported_roles,imported_srchIndexesAllowed,imported_srchIndexesDefault,srchIndexesAllowed,srchIndexesDefault,title
| rename title as roles
| table roles
| join type=left roles
[| rest splunk_server=local /services/admin/SAML-groups
| fields roles,title
| rename title as ADGroup
| mvexpand roles ]
| search roles!="can_delete"
| where isnull(ADGroup)

View solution in original post

Solution

I got my query right

| rest splunk_server=local /services/authorization/roles
| fields imported_roles,imported_srchIndexesAllowed,imported_srchIndexesDefault,srchIndexesAllowed,srchIndexesDefault,title
| rename title as roles
| table roles
| join type=left roles
[| rest splunk_server=local /services/admin/SAML-groups
| fields roles,title
| rename title as ADGroup
| mvexpand roles ]
| search roles!="can_delete"
| where isnull(ADGroup)

Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...