topic Splunk Related powershell scripts in Security https://community.splunk.com/t5/Security/Splunk-Related-powershell-scripts/m-p/535881#M12040 <P>Our Endpoint protection is blocking multiple powershell scripts that seem related to Splunk.</P><P>Can anyone explain what these scripts do?</P><P>nt6-siteinfo.ps1</P><P>nt6-health.ps1</P><P>nt6-repl-stat.ps1</P><P>&nbsp;</P><P>Thanks!</P> Thu, 14 Jan 2021 17:05:36 GMT Elky 2021-01-14T17:05:36Z Splunk Related powershell scripts https://community.splunk.com/t5/Security/Splunk-Related-powershell-scripts/m-p/535881#M12040 <P>Our Endpoint protection is blocking multiple powershell scripts that seem related to Splunk.</P><P>Can anyone explain what these scripts do?</P><P>nt6-siteinfo.ps1</P><P>nt6-health.ps1</P><P>nt6-repl-stat.ps1</P><P>&nbsp;</P><P>Thanks!</P> Thu, 14 Jan 2021 17:05:36 GMT https://community.splunk.com/t5/Security/Splunk-Related-powershell-scripts/m-p/535881#M12040 Elky 2021-01-14T17:05:36Z Re: Splunk Related powershell scripts https://community.splunk.com/t5/Security/Splunk-Related-powershell-scripts/m-p/535900#M12041 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/230510">@Elky</a>,</P><P>These scripts are for Active Directory monitoring and they are inside <STRONG>Splunk_TA_windows</STRONG> app <STRONG>bin</STRONG> folder. &nbsp;You can find inputs.conf settings for these scripts below, they should have been enabled by Splunk Admin. After confirmation&nbsp;you can disable that inputs on those endpoints. &nbsp;</P><LI-CODE lang="markup">###### Scripted/Powershell Mod inputs Active Directory ###### ## Replication Information NT6 [script://.\bin\runpowershell.cmd nt6-repl-stat.ps1] source=Powershell sourcetype=MSAD:NT6:Replication interval=300 disabled=1 ## Replication Information 2012r2 and 2016 [powershell://Replication-Stats] script = &amp; "$SplunkHome\etc\apps\Splunk_TA_windows\bin\Invoke-MonitoredScript.ps1" -Command ".\powershell\2012r2-repl-stats.ps1" schedule = 0 */5 * ? * * source = Powershell sourcetype=MSAD:NT6:Replication disabled=1 ## Health and Topology Information NT6 [script://.\bin\runpowershell.cmd nt6-health.ps1] source=Powershell sourcetype=MSAD:NT6:Health interval=300 disabled=1 ## Health and Topology Information 2012r2 and 2016 [powershell://AD-Health] script = &amp; "$SplunkHome\etc\apps\Splunk_TA_windows\bin\Invoke-MonitoredScript.ps1" -Command ".\powershell\2012r2-health.ps1" schedule = 0 */5 * ? * * source=Powershell sourcetype=MSAD:NT6:Health disabled=1 ## Site, Site Link and Subnet Information NT6 [script://.\bin\runpowershell.cmd nt6-siteinfo.ps1] source=Powershell sourcetype=MSAD:NT6:SiteInfo interval=3600 disabled=1 ## Site, Site Link and Subnet Information 2012r2 and 2016 [powershell://Siteinfo] script = &amp; "$SplunkHome\etc\apps\Splunk_TA_windows\bin\Invoke-MonitoredScript.ps1" -Command ".\powershell\2012r2-siteinfo.ps1" schedule = 0 15 * ? * * source = Powershell sourcetype=MSAD:NT6:SiteInfo disabled=1</LI-CODE><P>&nbsp;</P><P>If this reply helps you an upvote is appreciated.</P> Thu, 14 Jan 2021 20:05:13 GMT https://community.splunk.com/t5/Security/Splunk-Related-powershell-scripts/m-p/535900#M12041 scelikok 2021-01-14T20:05:13Z