Your best way to query an AD User?

I am now doing this query: (mail={email})

since it is reliable.

I am doing something like [alert].[actors].[1].[id], right, to get the email.
Then I am putting that in an artifact and calling it in the LDAP query.
(mail=artifact string for email)
but it comes back with an error now that the character ' ' is not allowed. What!

A manual test does not have this issue, so the alert tied to it must be putting in a whitespace causing the LDAP query to fail.

full error:
ldap3.core.exceptions.LDAPInvalidDnError: character ' ' not allowed in attribute type

P.S. I will try putting [alert].[actors].[1].[id] in there to see if that works instead.

I am trying out Python scripts to replace " " with "". Thoughts!?

It depends on the alert source:

For Teams I use regex so I know there aren't any whitespaces.
Then I look for the user with
(|(sAMAccountName={{["UserName"].[content]}})(mail={{["UserName"].[content]}})(userPrincipalName={{["UserName"].[content]}}))

For anything Azure, I use the Azure Admin to look up the user by ID, then use the UPN against on-prem AD to get the rest of their info.
(userPrincipalName={{["Azure User"].[user_information].[userPrincipalName]}})

If you are looking to remove whitespaces, I'd recommend the "Advanced Regex" plugin with the "Search and Replace" action, with the regex as \s and "New String" left empty. This will save you from having to maintain a Python script manually.

The JQ plugin has options to clean up whitespace too, like `--compact-output`.

jq 1.5 Manual (stedolan.github.io)

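An added example, not part of either post above, in Python: it shows the two steps a practitioner would want before an alert field (the `[alert].[actors].[1].[id]` value from the question, or the `["UserName"].[content]` value from the reply) is dropped into an LDAP filter. First every whitespace character is removed, the same `\s` search-and-replace the reply recommends; then the value is escaped per RFC 4515 so that filter metacharacters (`*`, `(`, `)`, `\`, NUL) cannot rewrite the `(|(sAMAccountName=...)(mail=...)(userPrincipalName=...))` filter. The sample identifiers are constructed, the function names are hypothetical, and no LDAP server is contacted.

```python
import re

# RFC 4515 escape sequences for characters that are special inside an LDAP
# search filter value. Mapping per character avoids double-escaping the
# backslash that the other replacements introduce.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Same shape as the filter used in the reply above.
_USER_FILTER = "(|(sAMAccountName={0})(mail={0})(userPrincipalName={0}))"


def clean_identifier(raw: str) -> str:
    """Remove every whitespace character (tabs, CR/LF, non-breaking spaces included).

    This is the Python equivalent of the "\\s" -> "" search-and-replace that the
    reply suggests doing with the Advanced Regex plugin.
    """
    return re.sub(r"\s", "", raw)


def escape_filter_value(value: str) -> str:
    """Escape a value so it can only ever be compared, never reinterpreted as filter syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(identifier: str) -> str:
    """Strip whitespace, escape, and wrap the value in the three-way OR filter.

    Raises ValueError if nothing is left after cleaning, so an empty alert field
    does not silently turn into a filter that matches every object.
    """
    value = escape_filter_value(clean_identifier(identifier))
    if not value:
        raise ValueError("identifier is empty after whitespace removal")
    return _USER_FILTER.format(value)


# Constructed sample alert values (hypothetical, not taken from any real alert):
# a normal address with a trailing CRLF, one padded with a non-breaking space,
# and a value shaped like an LDAP filter injection attempt.
SAMPLE_ACTOR_IDS = [
    "jdoe@example.com\r\n",
    "\u00a0jdoe@example.com ",
    "*)(objectClass=*",
]


def filters_for(identifiers):
    """Return the filter built for each sample identifier, in order."""
    return [build_user_filter(i) for i in identifiers]


if __name__ == "__main__":
    for raw, flt in zip(SAMPLE_ACTOR_IDS, filters_for(SAMPLE_ACTOR_IDS)):
        print(repr(raw), "->", flt)
```

The first two samples produce the same filter once whitespace is gone, which is the outcome the reply's regex step aims for; the third comes out as `\2a\29\28objectClass=\2a`, a literal string that matches nothing, instead of a filter that matches every object. Escaping is done after whitespace removal so the `\5c` sequences introduced by escaping are never touched by the regex.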