I have noted that events such as
index=* sourcetype=ActiveDirectory admonEventType="deleted" OR admonEventType="updated"
do not have an eventtype set that applies the appropriate tags to have them comply with
https://docs.splunk.com/Documentation/CIM/4.11.0/User/ChangeAnalysis
Even though this is flagged as being CIM compliant, it would be great if these were added, or the project Git repo were made available so as to allow contributions.
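For reference, the shape of the eventtype, tag and field-normalization stanzas that would bring these admon events under the CIM Change Analysis tags. This is an added example, not configuration from the app or from anyone in this thread; the sourcetype name and the admonEventType values come from the search above, while the action mapping ("updated" to the CIM value "modified") and the distinguishedName/objectClass field names are assumptions.

```ini
# eventtypes.conf (added example, not the app's own configuration)
# Match on sourcetype only: the index=* from the search above is dropped so
# the eventtype does not fire on unrelated indexes, and the OR is
# parenthesized because AND binds tighter than OR in Splunk search syntax.
[ad_object_change]
search = sourcetype=ActiveDirectory (admonEventType="deleted" OR admonEventType="updated")

# tags.conf
# The Change Analysis data model selects events carrying the "change" tag.
[eventtype=ad_object_change]
change = enabled

# props.conf
# The data model also expects normalized fields. admonEventType is mapped onto
# the CIM "action" field ("updated" -> "modified" is an assumption about the
# intended CIM value). distinguishedName -> object and objectClass ->
# object_category are assumptions about this sourcetype's field names.
[ActiveDirectory]
EVAL-action = case(admonEventType=="deleted", "deleted", admonEventType=="updated", "modified")
FIELDALIAS-ad_object = distinguishedName AS object
EVAL-object_category = case(objectClass=="user", "user", objectClass=="group", "group", true(), objectClass)
```

After a restart or a props/eventtypes reload, searching tag=change sourcetype=ActiveDirectory should return the deleted and updated events with the action and object fields populated.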
@shogan_splunk any updates on the GitHub access?
Thanks @shogan_splunk, appreciate the update and look forward to getting access to the repo.
Also, props (not a Splunk joke) to the forum handle.
Simon,
I am working on a major update, with the main part using the KV store, along with other minor fixes/enhancements. I will split off a minor update to include the missing CIM tags as well as the planned minor fixes and Windows TA v5+ support.
As for GitHub, I will place it there and update this answer with a link.
Thanks for the feedback,
Steve