
LdapQuery#

README

Description#

The LDAP Query analyzer asks an LDAP server for information about the organisation's users, starting from an observable of type mail or username.

How it works#

The analyzer is launched from an observable. The data (value) of that observable is used to query the LDAP server.
Optionally, from LdapQuery 3.0, you can:
- define whitelists to prevent undesirable requests to the LDAP server, for instance by allowing only a specific username format,
- define which attributes you want to import as Observables,
- define which attributes you want to import as Tags,
- define which attributes you want to import as Custom Fields.

Reports' summary#

Every time the analyzer runs, it attaches a report summary to its observable. The summary uses a colour code to identify the result at a glance: blue, yellow or red.

Request success#

Successful requests are displayed in blue (LDAP:Query=John DOE).
It means that the request was sent to the LDAP server and a user was found. Clicking on the report shows the relevant information, rendered by adapting the provided long template.

Request filtered#

Filtered requests are displayed in yellow (LDAP:Query=filtered).
It means that the observable data was filtered, so no request was sent to the LDAP server. Clicking on the report displays the whitelisted RegEx of allowed email domain names / username formats, which helps you understand why the data was filtered and decide whether to update your whitelist(s).

Request no result#

Requests returning no result are displayed in red (LDAP:Query=no_result).
It means that the request was sent to the LDAP server but no matching user was found, either because the given data is inaccurate or because no such user exists.

Whitelists#

By default, no whitelist is set, meaning that no filter is applied.

Whitelist for type mail#

For observables of type mail, the whitelist is based on the email's domain name. The code simply splits the email address at the @ character and checks whether the domain name is in the whitelist.

If the domain name is not in the whitelist, the request is filtered. Clicking on the report summary displays the whitelist, so you can check what is whitelisted and populate it accordingly.

Whitelist for type username#

For observables of type username, the whitelist is based on regular expression matching. The code simply checks whether the username matches any of the regular expressions in the whitelist.

If no regular expression matches the username, the request is filtered. Clicking on the report summary displays the whitelisted regular expressions, which helps you understand the result and populate the whitelist.
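The two whitelist checks and the report summary they feed, written out as an added Python example (not the analyzer's own code); the configuration dict and the sample values are constructed, and the colour mapping follows the summary descriptions above:

```python
import re
from typing import Iterable, List, Optional, Tuple

# Constructed configuration mirroring the mail_search_filter / uid_search_filter parameters.
CONFIG = {
    "mail_search_filter": ["domain.org"],   # allowed e-mail domains
    "uid_search_filter": [r"^[0-9]{8}$"],   # allowed username formats (8 digits)
}

def mail_allowed(address: str, domains: Iterable[str]) -> bool:
    """Whitelist for type mail: split at '@' and compare the domain part."""
    allowed = {d.lower() for d in domains}
    if not allowed:                  # no whitelist set: no filter is applied
        return True
    if address.count("@") != 1:      # malformed address: nothing to compare, filter it
        return False
    return address.rsplit("@", 1)[1].lower() in allowed

def username_allowed(username: str, patterns: Iterable[str]) -> bool:
    """Whitelist for type username: at least one regex must match.
    Anchors belong in the pattern itself, as in '^[0-9]{8}$'."""
    patterns = list(patterns)
    if not patterns:                 # no whitelist set: no filter is applied
        return True
    return any(re.search(p, username) for p in patterns)

def is_filtered(data_type: str, value: str, cfg: dict = CONFIG) -> bool:
    """True when the observable must NOT be sent to the LDAP server."""
    if data_type == "mail":
        return not mail_allowed(value, cfg.get("mail_search_filter", []))
    if data_type == "username":
        return not username_allowed(value, cfg.get("uid_search_filter", []))
    return True                      # unsupported observable type: never query

def summary(data_type: str, value: str, entries: Optional[List[dict]],
            cfg: dict = CONFIG) -> Tuple[str, str]:
    """Report summary as (LDAP:Query value, colour). `entries` is the list of LDAP
    results and is ignored when the value is filtered (no request was made)."""
    if is_filtered(data_type, value, cfg):
        return ("filtered", "yellow")
    if not entries:
        return ("no_result", "red")
    return (entries[0].get("cn", value), "blue")
```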

Attributes importation#

To import an attribute, you must first add it to the list of attributes to harvest (parameter attributes).

Import as Observables#

The parameter attributes_to_extract specifies which attributes you want to extract as Observables. To import an attribute with the appropriate type, map the attribute name to the observable type using the : separator:
- Format: attribute:datatype (attribute names are case sensitive),
- Examples:
  - uid:username imports the uid attribute(s) found into Observable(s) of type username,
  - mail:mail imports the mail attribute(s) found into Observable(s) of type mail. When the attribute and the type share the same name, mail or mail: gives the same result as mail:mail.

Import as Tags#

The parameter attributes_to_tags specifies which attributes you want to extract as Tags on the Observable. To customize the tag prefix, map the attribute name to the desired prefix using the : separator:
- Format: attribute or attribute:prefix (attribute names are case sensitive),
- Examples:
  - mail adds the tag mail:jdoe@domain.org,
  - mail:e-mail adds the tag e-mail:jdoe@domain.org.

Import as Custom Fields#

The parameter attributes_to_custom_fields specifies which attributes you want to extract as Custom Fields. To choose which Custom Field to populate, map the attribute name to the Custom Field name using the : separator:
- Format: attribute or attribute:custom_field_name (attribute names are case sensitive),
- Example: if the value of c is France in the LDAP response, c:country adds the entry France to the country Custom Field.
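The three mapping parameters applied to one harvested LDAP entry, as an added Python example (not the analyzer's own code); the entry is constructed, and keeping only the first value of a multi-valued attribute for a Custom Field is an assumption:

```python
from typing import Dict, Iterable, List, Tuple

# Constructed LDAP entry as a successful query might return it (attribute -> list of values).
ENTRY: Dict[str, List[str]] = {
    "cn": ["John DOE"],
    "uid": ["jdoe"],
    "mail": ["jdoe@domain.org", "john.doe@domain.org"],
    "c": ["France"],
}

def parse_mapping(item: str) -> Tuple[str, str]:
    """Split 'attribute:target'. A bare 'mail' or 'mail:' maps to target 'mail'."""
    attribute, _, target = item.partition(":")
    return attribute, target or attribute

def harvested(entry: Dict[str, List[str]], attributes: Iterable[str], attribute: str) -> List[str]:
    """Values of an attribute, but only if it is listed in the 'attributes' parameter (case-sensitive)."""
    if attribute not in set(attributes):
        return []
    return entry.get(attribute, [])

def to_observables(entry, attributes, attributes_to_extract) -> List[Tuple[str, str]]:
    """attributes_to_extract -> (datatype, value) pairs, one per attribute value."""
    out = []
    for item in attributes_to_extract:
        attribute, datatype = parse_mapping(item)
        out.extend((datatype, v) for v in harvested(entry, attributes, attribute))
    return out

def to_tags(entry, attributes, attributes_to_tags) -> List[str]:
    """attributes_to_tags -> 'prefix:value' tags; the prefix defaults to the attribute name."""
    out = []
    for item in attributes_to_tags:
        attribute, prefix = parse_mapping(item)
        out.extend(f"{prefix}:{v}" for v in harvested(entry, attributes, attribute))
    return out

def to_custom_fields(entry, attributes, attributes_to_custom_fields) -> Dict[str, str]:
    """attributes_to_custom_fields -> {custom_field_name: value}.
    Assumption: a Custom Field holds a single value, so the first one is kept."""
    out = {}
    for item in attributes_to_custom_fields:
        attribute, field = parse_mapping(item)
        values = harvested(entry, attributes, attribute)
        if values:
            out[field] = values[0]
    return out
```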

TheHive template#

A TheHive template (long.html) ships with this new version.
It adapts dynamically to the LDAP query results, displaying every harvested attribute automatically:
- prioritizes Full Name, Email and UID, and lists the other attributes dynamically,
- limits output to 5 results for clarity,
- handles filtered results, errors and empty responses.

Ldap_Query#

Author: Florian Perret @cyber_pescadito & THA-CERT @tha_cert
License: AGPL-V3
Version: 3.0
Supported observables types:
- username
- mail
Registration required: N/A
Subscription required: N/A
Free subscription: N/A
Third party service: N/A

Description#

Query your LDAP server to harvest information about a user of your organization.

Configuration#

| Parameter | Description | Default value if not configured | Type | Multiple values | Required |
|---|---|---|---|---|---|
| LDAP_address | Should contain the protocol. Eg: ldaps://myldap.myorg.com | N/A | string | False | True |
| LDAP_port | Should contain the LDAP port. Eg: 389 or 636 | N/A | string | False | True |
| LDAP_username | Username of the account used to bind to the LDAP server. The account should have permission to read LDAP objects and attributes. | N/A | string | False | True |
| LDAP_password | Password of the account used to bind to the LDAP server. | N/A | string | False | True |
| base_DN | The base DN to use in your LDAP. Eg: dc=myorg,dc=com | N/A | string | False | True |
| uid_search_fields | One or more fields to use when searching by username. Eg: uid and/or sAMAccountName | N/A | string | True | True |
| uid_search_filter | Restrict the username formats to search on the LDAP server, based on regular expression matching. Eg: '^[0-9]{8}$' queries the LDAP server only if the username observable is a string of 8 digits | N/A | string | True | False |
| mail_search_fields | One or more fields to use when searching by email. Eg: mail and/or mailAlias | N/A | string | True | True |
| mail_search_filter | Restrict the email domain names to search on the LDAP server. Eg: domain.org | N/A | string | True | False |
| attributes | The attributes you want to harvest. Eg: mail | N/A | string | True | True |
| attributes_to_extract | Attributes to extract as Observables. Specify the attribute name and observable type using the ':' separator (attribute names are case sensitive). Format: 'attribute:datatype'. Eg: 'uid:username', 'mail:mail' | N/A | string | True | False |
| autoimport_artifacts | Set to 'True' to auto-import the artifacts extracted from the LDAP response as observables. False by default. | N/A | boolean | None | False |
| attributes_to_tags | Attributes to extract as tags. Optionally, redefine the tag prefix using the ':' separator (attribute names are case sensitive). Format: 'attribute' or 'attribute:prefix'. Eg: 'mail' adds the tag 'mail:jdoe@domain.org', 'mail:e-mail' adds the tag 'e-mail:jdoe@domain.org' | N/A | string | True | False |
| attributes_to_custom_fields | Attributes to extract as custom fields. You can redefine the custom field names using the ':' separator (attribute names are case sensitive). Format: 'attribute:prefix'. Eg: 'c:Country' adds a 'Country' custom field with value 'France' | N/A | string | True | False |

Templates samples for TheHive#

No template samples to display.