Splunk Enterprise Security

How do I add a CIM Change Model and EventCode 4732 (A member was added to a security-enabled local group)

beano501
Engager

Running CIM 5.0 and was looking to do some reporting on users/groups added to security groups (information provided by the Windows Security Log event 4732), but when I look in the Change datamodel, I cannot see the target group of the add in any of the fields.

We are using out of the box Splunk_TA_windows, and Splunk Add-on for Microsoft Windows, and I would have hoped that the data model would have been automatically filled with the relevant fields. Am I missing something obvious, or is there something I need to set up myself to get this working?

Thanks

Simon
