-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathQuery_AD_Splunk
More file actions
24 lines (22 loc) · 1.13 KB
/
Query_AD_Splunk
File metadata and controls
24 lines (22 loc) · 1.13 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
# Splunk API Keys (put you're own API keys in here
$url = "https://http-inputs-edu.splunkcloud.com:443/services/collector"
$token = "012345678-ABC-3210-EFG-9876543210EF"
$header = @{Authorization = "Splunk $token"}
# All the type of elevated accounts
$elevatedA = @('*_admin', '*_sys', 'elevated_', 'DomainAdmin_*')
foreach ($i in $elevatedA) { Get_info_to_Splunk($i) }
# GET: name, passwordlastset, lastlogondate
function Get_info_to_Splunk($accounts) {
Get-aduser -filter {samaccountName -like $accounts } -Server AD123MV1.ad.ac.ad:3268 `
-Properties SAMAccountName, LastLogonDate, PasswordLastSet, PasswordExpired | `
Select-Object SAMAccountName, passwordlastset, lastlogondate | `
ForEach-Object {
$usr = $_.SAMAccountName
$pwl = $_.passwordlastset
$log = $_.lastlogondate
$u = """SAMAccountName=$usr, passwordlastset=$pwl, lastlogondate=$log"""
$b = '{"sourcetype":"Elevated_Accounts", "source":"'+$accounts+'","host":"'+$env:computername+'","event":'
$bb = $b + $u + '}'
$result = Invoke-WebRequest -Uri $url -Headers $header -Body $bb -Method POST
}
}