LDAP lists are another way of enriching logs with LDAP information. A list matches the LDAP information of specific groups or users and writes the exact LDAP values to the desired logs.
In the example above, the department information of the users registered in LDAP is retrieved and the Source.DepartmentName column is added to all logs. Thus, the logs are enriched with this information from LDAP.
Basic/Advanced Mode: For detailed usage of lists, you must click “Advanced Mode”.
Description: As the definition, you need to specify a name for the list.
Type: LDAP / AL
Severity: Here you specify how important it is.
Context: You can tag an object that enters this list as Suspicious, Victim or Attacker for future events.
Tag: In this section you can determine which groups will have the authority to view the list that you are creating. (See the Tag feature.)
Connection: You can enrich the content of logs on the Logsign Unified SecOps Platform by receiving additional column information from your LDAP server.
Search Domain: You need to enter your domain information.
Query: You need to enter the query for your domain information, which is added to the LDAP connection information.
Key Field: You need to enter the field which should be gathered from LDAP (sAMAccountName).
Collect Fields: You need to enter the field which should be collected from LDAP (sAMAccountName).
Update Period: Here you specify how long you will update for that event, ignoring the check events in the last option.
Purge Period: The number of seconds after which the information to retrieve from the list will be given. By default, it is three thousand (3000) seconds.
In Modifier:
Key Field: It matches the Domain Admins’ UserName, creates the Source.DepartmentName column and sets “Departments of Users”.
Then use the Save button to save the settings.
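The matching that the Key Field, Collect Fields and Modifier settings describe can be modelled in a few lines of Python. This is an added illustration, not Logsign code: the LDAP entries, the domain and the query are constructed, the Source.UserName column name is assumed, and the purge period is treated as an entry lifetime, which is also an assumption.

```python
import time

# Constructed sample: entries an LDAP query such as
# (&(objectCategory=person)(memberOf=CN=Domain Admins,CN=Users,DC=example,DC=com))
# might return. All names and values are invented for illustration.
LDAP_ENTRIES = [
    {"sAMAccountName": "jdoe", "department": "IT Operations", "mail": "jdoe@example.com"},
    {"sAMAccountName": "asmith", "department": "Security", "mail": "asmith@example.com"},
    {"sAMAccountName": "svc_backup", "mail": "svc_backup@example.com"},  # no department
]

KEY_FIELD = "sAMAccountName"     # Key Field: attribute matched against the log value
COLLECT_FIELDS = ["department"]  # Collect Fields: attributes copied into the list
PURGE_PERIOD = 3000              # seconds; modelled as entry lifetime (assumption)


def build_list(entries, now):
    """Build the lookup table: lower-cased key -> (collected values, expiry time)."""
    table = {}
    for entry in entries:
        key = entry.get(KEY_FIELD)
        if not key:
            continue  # an entry without the key field can never be matched
        values = {f: entry[f] for f in COLLECT_FIELDS if f in entry}
        table[key.lower()] = (values, now + PURGE_PERIOD)
    return table


def enrich(log, table, now, match_column="Source.UserName",
           target_column="Source.DepartmentName", source_attr="department"):
    """Modifier step: match the log's user name and add the department column."""
    user = str(log.get(match_column, "")).split("\\")[-1].lower()  # DOMAIN\user or user
    hit = table.get(user)
    if hit is None or now >= hit[1]:  # unknown user, or entry past its lifetime
        return log
    values, _expiry = hit
    if source_attr not in values:     # matched, but LDAP had no department value
        return log
    return {**log, target_column: values[source_attr]}


if __name__ == "__main__":
    now = time.time()
    table = build_list(LDAP_ENTRIES, now)
    for event in ({"Source.UserName": "EXAMPLE\\JDoe"}, {"Source.UserName": "guest"}):
        print(enrich(event, table, now))
```

Logs whose user is not in the list, or whose LDAP entry has no department, pass through unchanged, which is worth checking for when a report built on Source.DepartmentName shows gaps.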