Hi,
So, we have a large number of domain controllers, which have Splunk Universal Forwarder installed AND Microsoft Defender for Identity.
Defender has switched to using Npcap (MS agreed some kind of OEM license with them), but I am told we need to keep Splunk and WinPcap for DNS traffic capture.
The issue is, on startup and occasionally every few days, I get spammed from Defender complaining that it's using WinPcap instead of Npcap drivers. Ie. it seems to be dumb and when it sees both, uses winpcap first and not npcap first. If I go to Defender for Identity I don't see any issues with the sensor.
Entire AD team get over 100 messages every few days with this. Ticket open with MS has so far yielded nothing.
Surely we can't be the only people with this problem?
Is there a way to rename the WinPcap driver and tell Splunk to go look for the renamed driver, for instance? I don't know. There must be a fix. It's driving us nuts.
Thanks!