Re: Analytic Story: Domain Account Discovery With ...

Araton71 · ‎06-06-2023

I'm a newbe and I try to configure Security Essential to search "net user /DOMAIN" discovery on my AD server.

I've installed an UniversalForwarder into AD with sysmon and configured input.conf with following entries

[WinEventLog://Security]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest

If I run a simple search using index=* "net.exe" AND " user*" AND "*/do*"

I get result from source WinEventLog:Microsoft-Windows-Sysmon/Operational

while If I use Analytic Story: Domain Account Discovery With Net App that use datamodel Endpoint, no events returned. It seems that event in data model are only from source WinEventLog:Security

What I miss ?

SinghK · ‎06-06-2023

I think you need to configure and accelerate the relevant datamodels in splunk for that. Settings-->datamodels.

https://docs.splunk.com/Documentation/Splunk/9.0.4/Knowledge/Aboutdatamodels look at this as well.

Araton71 · ‎06-07-2023

Datamodel Endpoint has data inside, but it seems that only from security logs not from sysmon. How can implement?

Analytic Story: Domain Account Discovery With Net App?

troubleshooting

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation