- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Analytic Story: Domain Account Discovery With Net App?
I'm a newbe and I try to configure Security Essential to search "net user /DOMAIN" discovery on my AD server.
I've installed an UniversalForwarder into AD with sysmon and configured input.conf with following entries
[WinEventLog://Security]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
If I run a simple search using index=* "net.exe" AND " user*" AND "*/do*"
I get result from source WinEventLog:Microsoft-Windows-Sysmon/Operational
while If I use Analytic Story: Domain Account Discovery With Net App that use datamodel Endpoint, no events returned. It seems that event in data model are only from source WinEventLog:Security
What I miss ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think you need to configure and accelerate the relevant datamodels in splunk for that. Settings-->datamodels.
https://docs.splunk.com/Documentation/Splunk/9.0.4/Knowledge/Aboutdatamodels look at this as well.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Datamodel Endpoint has data inside, but it seems that only from security logs not from sysmon. How can implement?
