https://community.splunk.com/t5/Security/Security-Events/m-p/443184#M13251 <P>As nickhill mentioned, if you could add more details, that would great.</P> <P>I am assuming, you want to understand the Windows Audit polices and then enable required 'Windows event codes' which can then be monitored using Splunk TA.</P> <P>I suggest, you discuss with your Windows AD admin, who manages Domain controller and endpoints policies [ e.g. enable audit to log account logons - that produce 4624 event code]. Then using <A href="https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/monitoring-active-directory-for-signs-of-compromise">https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/monitoring-active-directory-for-signs-of-compromise</A>, you can enable/validate policies to match your need.</P> <P>Once the Windows event codes are available, you can install Splunk TA for windows or Splunk TA for Active directory and onboard them events to splunk </P> Mon, 18 Mar 2019 15:49:41 GMT lakshman239 2019-03-18T15:49:41Z https://community.splunk.com/t5/Security/Security-Events/m-p/443182#M13249 <P>Anyone help me on below,</P> <P>1) Login<BR /> 2) Logoff<BR /> 3) Un-successful login<BR /> 4) Modify authentication mechanisms<BR /> 5) Create user account<BR /> 6) Modify user account<BR /> 7) Create role<BR /> 8) Modify role<BR /> 9) Grant/revoke user privileges<BR /> 10) Grant/revoke role privileges<BR /> 11) Privileged commands<BR /> 12) Modify audit and logging<BR /> 13) Objects Create/Modify/Delete<BR /> 14) Modify configuration settings</P> <P>Thanks in advance.</P> Mon, 18 Mar 2019 12:31:13 GMT https://community.splunk.com/t5/Security/Security-Events/m-p/443182#M13249 brpsingara 2019-03-18T12:31:13Z https://community.splunk.com/t5/Security/Security-Events/m-p/443183#M13250 <P>I think you need to provide a bit more context. For example, What is the source of these logs, do you have the relevant TA's loaded, do you have the Authentication and Change CIM datamodels configured etc.?</P> Mon, 18 Mar 2019 12:58:30 GMT https://community.splunk.com/t5/Security/Security-Events/m-p/443183#M13250 nickhills 2019-03-18T12:58:30Z https://community.splunk.com/t5/Security/Security-Events/m-p/443184#M13251 <P>As nickhill mentioned, if you could add more details, that would great.</P> <P>I am assuming, you want to understand the Windows Audit polices and then enable required 'Windows event codes' which can then be monitored using Splunk TA.</P> <P>I suggest, you discuss with your Windows AD admin, who manages Domain controller and endpoints policies [ e.g. enable audit to log account logons - that produce 4624 event code]. Then using <A href="https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/monitoring-active-directory-for-signs-of-compromise">https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/monitoring-active-directory-for-signs-of-compromise</A>, you can enable/validate policies to match your need.</P> <P>Once the Windows event codes are available, you can install Splunk TA for windows or Splunk TA for Active directory and onboard them events to splunk </P> Mon, 18 Mar 2019 15:49:41 GMT https://community.splunk.com/t5/Security/Security-Events/m-p/443184#M13251 lakshman239 2019-03-18T15:49:41Z https://community.splunk.com/t5/Security/Security-Events/m-p/443185#M13252 <P>Thank you for the reply. I am new to the splunk, could you please share us is there any document or how to check is Splunk TA installed for Windows. </P> <P>The above reports need to configure for WIndows machines. Please suggest me what is starting point. </P> Mon, 18 Mar 2019 18:30:30 GMT https://community.splunk.com/t5/Security/Security-Events/m-p/443185#M13252 brpsingara 2019-03-18T18:30:30Z https://community.splunk.com/t5/Security/Security-Events/m-p/443186#M13253 <P>Thank you for the reply. I am new to the splunk, could you please share us is there any document or how to check is Splunk TA installed for Windows. </P> <P>The above reports need to configure for WIndows machines. Please suggest me what is starting point. </P> Mon, 18 Mar 2019 18:30:51 GMT https://community.splunk.com/t5/Security/Security-Events/m-p/443186#M13253 brpsingara 2019-03-18T18:30:51Z