https://community.splunk.com/t5/Splunk-Search/Why-are-there-missing-fields-for-sample-queries/m-p/628781#M218414 <P>Hi</P> <P>I'm implementing some searches provided by Splunk Threat Research Team to detect threats from AD logs. But I cannot set all required fields. For example, one of them is below.&nbsp;</P> <P>"Windows Computer Account Requesting Kerberos Ticket" (<A href="https://research.splunk.com/endpoint/fb3b2bb3-75a4-4279-848a-165b42624770/" target="_blank" rel="noopener">https://research.splunk.com/endpoint/fb3b2bb3-75a4-4279-848a-165b42624770/</A>)</P> <P>It requires some fields that I cannot find , such as subject, and action.</P> <P>Below is a sample log. I can't find which value I should extract as a "subject" and "action".&nbsp; I use "WinEventLog:Security" as sourcetype.&nbsp; I installed the&nbsp;<SPAN>TA-microsoft-windows.&nbsp; Thank you.</SPAN></P> <PRE>LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=2106676187 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: PC-DEMO$ Supplied Realm Name: attackrange.local User ID: ATTACKRANGE\PC-DEMO$ Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 59022 Additional Information: Ticket Options: 0x40800010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: &nbsp;</PRE> <P>&nbsp;</P> Mon, 30 Jan 2023 16:33:46 GMT syamaguchi3 2023-01-30T16:33:46Z https://community.splunk.com/t5/Splunk-Search/Why-are-there-missing-fields-for-sample-queries/m-p/628781#M218414 <P>Hi</P> <P>I'm implementing some searches provided by Splunk Threat Research Team to detect threats from AD logs. But I cannot set all required fields. For example, one of them is below.&nbsp;</P> <P>"Windows Computer Account Requesting Kerberos Ticket" (<A href="https://research.splunk.com/endpoint/fb3b2bb3-75a4-4279-848a-165b42624770/" target="_blank" rel="noopener">https://research.splunk.com/endpoint/fb3b2bb3-75a4-4279-848a-165b42624770/</A>)</P> <P>It requires some fields that I cannot find , such as subject, and action.</P> <P>Below is a sample log. I can't find which value I should extract as a "subject" and "action".&nbsp; I use "WinEventLog:Security" as sourcetype.&nbsp; I installed the&nbsp;<SPAN>TA-microsoft-windows.&nbsp; Thank you.</SPAN></P> <PRE>LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=2106676187 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: PC-DEMO$ Supplied Realm Name: attackrange.local User ID: ATTACKRANGE\PC-DEMO$ Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 59022 Additional Information: Ticket Options: 0x40800010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: &nbsp;</PRE> <P>&nbsp;</P> Mon, 30 Jan 2023 16:33:46 GMT https://community.splunk.com/t5/Splunk-Search/Why-are-there-missing-fields-for-sample-queries/m-p/628781#M218414 syamaguchi3 2023-01-30T16:33:46Z https://community.splunk.com/t5/Splunk-Search/Why-are-there-missing-fields-for-sample-queries/m-p/628877#M218450 <P>From the sample log, subject can contain the value "A Kerberos authentication ticket (TGT) was requested." and the field action should contain "success" if the value for the field Keywords is "Audit Success" and "failure" if the value for the field Keywords is "Audit Failure". This is a calculated field so if its not populating already, you can create easily via settings -&gt; fields -&gt; calculated fields.</P><P>Hope this helps.</P> Mon, 30 Jan 2023 17:59:00 GMT https://community.splunk.com/t5/Splunk-Search/Why-are-there-missing-fields-for-sample-queries/m-p/628877#M218450 shivanshu1593 2023-01-30T17:59:00Z https://community.splunk.com/t5/Splunk-Search/Why-are-there-missing-fields-for-sample-queries/m-p/629345#M218625 <P>Thank you.</P> Thu, 02 Feb 2023 14:19:34 GMT https://community.splunk.com/t5/Splunk-Search/Why-are-there-missing-fields-for-sample-queries/m-p/629345#M218625 syamaguchi3 2023-02-02T14:19:34Z