Splunk Enterprise Security

Analytic Story: Domain Account Discovery With Net App?

Araton71
Observer

I'm a newbie and I'm trying to configure Security Essentials to search for "net user /DOMAIN" discovery on my AD server.

I've installed a Universal Forwarder on the AD server with Sysmon and configured inputs.conf with the following entries:

# inputs.conf on the Universal Forwarder (as posted): two Windows Event Log inputs.
# start_from = oldest with current_only = 0 reads each log from its beginning,
# so historical events are forwarded, not just new ones.
[WinEventLog://Security]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest

If I run a simple search using index=* "net.exe" AND " user*" AND "*/do*",

I get results from source WinEventLog:Microsoft-Windows-Sysmon/Operational,

while if I use the Analytic Story: Domain Account Discovery With Net App, which uses the Endpoint data model, no events are returned. It seems that the events in the data model are only from source WinEventLog:Security.

What am I missing?


SinghK
Builder

I think you need to configure and accelerate the relevant data models in Splunk for that: Settings --> Data models.

Look at this as well: https://docs.splunk.com/Documentation/Splunk/9.0.4/Knowledge/Aboutdatamodels


Araton71
Observer

The Endpoint data model has data inside, but it seems only from the Security logs, not from Sysmon. How can I implement this?

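The searches below show how to tell which sources actually populate the Endpoint data model and whether the Sysmon events carry the CIM tags the Processes dataset requires. This is an added example, not code from any post above and not Splunk's own content. It assumes the CIM definition of Endpoint.Processes (events tagged process and report), uses the Sysmon source name from the question's search results, and paraphrases the tstats form of the Domain Account Discovery With Net App detection (the exact ESCU search may differ). The stanza names are arbitrary; each search value can also be pasted into the search bar once the backslash line continuations are removed.

```ini
# savedsearches.conf (hypothetical stanza names; added diagnostic example)

# 1. Which index/sourcetype pairs feed the Processes dataset. With
#    summariesonly=false the search reads raw events through the data model,
#    so it answers "is the CIM mapping there?" independently of acceleration.
#    Re-run with summariesonly=true to see only what the accelerated summary holds.
[Endpoint DM - sources feeding Processes]
search = | tstats summariesonly=false count \
    from datamodel=Endpoint.Processes \
    by index sourcetype

# 2. Sysmon process-create events (EventCode 1) that the Processes dataset
#    would not pick up because they lack tag=process and tag=report.
#    A non-zero count means the CIM mapping (eventtypes and tags for this
#    sourcetype) is missing, not the acceleration.
[Endpoint DM - Sysmon events without CIM tags]
search = index=* source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 \
    NOT (tag=process tag=report) \
    | stats count by sourcetype

# 3. Data-model form of the "net user /domain" detection, paraphrased from the
#    ESCU analytic. ESCU parameterizes the summariesonly setting through a macro;
#    when it resolves to summariesonly=true, the search returns nothing until the
#    data model is accelerated and the summary has been built, which matches the
#    symptom of raw searches hitting while the analytic story returns no events.
[Endpoint DM - net user domain discovery]
search = | tstats summariesonly=false count min(_time) AS firstTime max(_time) AS lastTime \
    from datamodel=Endpoint.Processes \
    where (Processes.process_name="net.exe" OR Processes.process_name="net1.exe") \
      AND Processes.process="* user*" AND Processes.process="*/do*" \
    by Processes.dest Processes.user Processes.process_name Processes.process \
    | rename Processes.* AS * \
    | convert ctime(firstTime) ctime(lastTime)
```

If search 1 lists only the Security sourcetype and search 2 returns a count, no add-on is applying CIM tags to the Sysmon sourcetype produced by the posted input. The Splunk Add-on for Sysmon, for example, keys its extractions and tags on the XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype, which requires renderXml = true on the input (verify this against the add-on version you install); the inputs.conf in the question does not set it, so its events arrive under the plain WinEventLog sourcetype.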