I'm pulling in Active Directory(AD) Data. It's a mix of Splunk on Windows and Splunk on Linux. That way, I can better understand the differences between the systems. What I'm noticing... the Data looks janky and not very usable:
Example - https://imgur.com/a/80WzCNC
A few things I would like to see:
- User's machine ip. I have 2 users, Garbage and Administrator. However, Splunk is only capturing a few AD events. I am not capturing the users IP Address information. Is there any way to do this?
2a. What should I expect from capturing Application and Security events data? When I capture the data it looks like all I'm seeing is the security events message. This is great in the short term if we see user 'Gespacio' is unable to install an App and GP blocked them. Less so when an actual security incident happens.
2b. Is even capturing Application and Security data worth it in the long run?
2c. I wanted to confirm that 'evt_resolve_ad_obj = x' does indeed tie a security or application event to a user and their LDAP data.
