Re: Why are "No results found" on Sensitive User d...

hatbeard · ‎09-23-2014

I'm trying to find some information on users, but why I am getting no data in the Sensitive User dashboard in Splunk App for Windows Infrastructure?

ahall_splunk · ‎12-03-2014

Sensitive accounts are accounts that have the TRUSTED_FOR_DELEGATION flag set in the userAccountControl field. These accounts are service accounts (either user or computer) that has kerberos delegation enabled. If you don't have any users or computers with this facility, it's likely you will see "No Results" - this isn't an error - it just means there aren't any of that type.

You can read about the fields in userAccountControl here: http://msdn.microsoft.com/en-us/library/ms680832(v=vs.85).aspx

Jeff_Lightly_Sp · ‎09-23-2014

Ahh, I've tried that too and get the same results. Editing the dashboard and modifying the domain did no good. I'll keep looking too.

Jeff_Lightly_Sp · ‎09-23-2014

Could you provide some context please, such as use-case? Thanks

hatbeard · ‎09-23-2014

I was trying to run that Dashboard in Splunk for Windows Infra. I get No results found, but others work. Not sure what exactly it's looking for, if I have an audit setting misconfigured, or something else. I can't find any background on that dashboard.

Why are "No results found" on Sensitive User dashboard for Splunk App for Windows Infrastructure?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?