Dear forum,
I'm trying to test my "Delegation" panel from the logbinder app but without success.
I have results in the Event Viewer file, but in the dashboard it appears as "No results found", unlike the official site: https://www.logbinder.com/Content/Solutions/splunkapp1.jpg. Everything else works fine.
How can I simulate a test in my AD to have results in this "Delegation" panel?
`filter_dc_winseclog_events` EventCode=5136 AttributeLDAPDisplayName=nTSecurityDescriptor | transaction maxspan=5s Correlation_ID | eval ObjectClass=if(ObjectClass="organizationalUnit" OR ObjectClass="group" OR ObjectClass="user" OR ObjectClass="computer" OR ObjectClass="domainDNS" OR ObjectClass="groupPolicyContainer",ObjectClass,"other") | rename ObjectClass as "Object Type" | rename DirectoryServiceName as Domain | timechart count by "Object Type"
Thanks
Paulo
Hi Paulo,
Based on the MS Docs, that event is related to changes in an AD object, although I don't believe this is enabled by default. You might need to change the audit policy to enable auditing for the properties or actions involved, and for the user performing the action or a group to which the user belongs, in order to get those 5136 events.
I would check if the audit policy is checking this and try to make an object change that would trigger it.
MS docs:
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136
More event details:
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=5136
Dear @diogofgm
They are already there in the filter:
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[( (EventID >= 1100 and EventID <= 1102) or EventID=1104 or EventID=1108 or EventID = 4610 or EventID=4614 or EventID=4622 or EventID=4697 or (EventID >= 4704 and EventID <= 4707) or EventID=4713 or (EventID >= 4716 and EventID <= 4720) or (EventID >= 4725 and EventID <= 4735) )]]</Select>
    <Select Path="Security">*[System[( (EventID >= 4737 and EventID <= 4739) or (EventID >= 4754 and EventID <= 4758) or EventID=4764 or EventID=4794 or EventID=4817 or EventID=4819 or (EventID >= 4865 and EventID <= 4867) or EventID=4906 or EventID=4908 or (EventID >= 4911 and EventID <= 4913) or EventID=6145)]]</Select>
    <Select Path="Security"> (*[System[EventID=5136]] and *[EventData[ Data[@Name='AttributeLDAPDisplayName'] = 'nTSecurityDescriptor' or Data[@Name='AttributeLDAPDisplayName'] = 'gpOptions' or Data[@Name='AttributeLDAPDisplayName'] = 'gpLink' ]]) or (*[System[EventID=5136 or EventID=5137]] and *[EventData[ Data[@Name='ObjectClass'] = 'groupPolicyContainer' ]]) or (*[System[EventID=5141]] and *[EventData[ Data[@Name='ObjectClass'] = 'groupPolicyContainer' ]]) or (*[System[EventID=4611]] and *[EventData[ Data[@Name='LogonProcessName'] != 'Winlogon' ]]) </Select>
    <Select Path="Security">*[System[EventID=4932]] and *[EventData[Data[@Name='Options'] = '2147483733']]</Select>
  </Query>
</QueryList>
It looks like everything is going from AD Server to Splunk server, except these EventCode=5136 AttributeLDAPDisplayName=nTSecurityDescriptor.
I have these events in AD, but I don't see them in the Splunk server log (Supercharger).
Thanks
Paulo
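Added example (not from either poster, and not LOGbinder or Splunk code) covering both the advice above to enable auditing and trigger an object change, and the last post's "events exist in AD but not in Splunk" situation: it enables the audit subcategory that produces 5136, adds the object SACL, performs a delegation change that rewrites nTSecurityDescriptor, and then reads the events back on the DC with the same XPath the forwarder filter uses, so you can tell a generation problem from a forwarding problem. The OU path and the delegate group are assumptions for a lab domain; run it as a domain admin on a DC.

```powershell
# Added example, not from the thread. Assumed lab values: adjust before use.
Import-Module ActiveDirectory
$TestOu   = "OU=DelegationTest,DC=lab,DC=local"   # assumed test OU (create it first)
$Delegate = "LAB\HelpdeskOps"                     # assumed group receiving delegated rights

# 1. 5136 comes from the "Directory Service Changes" subcategory; enable Success auditing.
auditpol /set /subcategory:"Directory Service Changes" /success:enable

# 2. 5136 also needs a SACL on the object: audit successful DACL writes by anyone.
$acl  = Get-Acl -Path "AD:\$TestOu" -Audit
$rule = [System.DirectoryServices.ActiveDirectoryAuditRule]::new(
            [System.Security.Principal.NTAccount]"Everyone",
            [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl,
            [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path "AD:\$TestOu" -AclObject $acl

# 3. A typical delegation: let the group reset passwords of users under the OU.
#    Writing this ACE rewrites nTSecurityDescriptor, which is what the panel searches for.
$resetPwd  = [Guid]"00299570-246d-11d0-a768-00aa006e0529"   # 'Reset Password' extended right
$userClass = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"   # schema GUID of the 'user' class
$dacl = Get-Acl -Path "AD:\$TestOu"
$ace  = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
            [System.Security.Principal.NTAccount]$Delegate,
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $resetPwd,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
            $userClass)
$dacl.AddAccessRule($ace)
Set-Acl -Path "AD:\$TestOu" -AclObject $dacl

# 4. Read the result back locally with the same XPath the collection filter uses.
#    If this returns rows but Splunk shows nothing, the gap is in forwarding, not in AD.
$xpath = "*[System[EventID=5136]] and *[EventData[Data[@Name='AttributeLDAPDisplayName']='nTSecurityDescriptor']]"
Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 5 |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = $x.Event.EventData.Data
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Object = ($d | Where-Object Name -eq 'ObjectDN').'#text'
            Class  = ($d | Where-Object Name -eq 'ObjectClass').'#text'
            Op     = ($d | Where-Object Name -eq 'OperationType').'#text'   # %%14674 = value added
        }
    }
```

Each delegation change normally produces a pair of 5136 events (value deleted, value added) sharing one Correlation ID, which is why the panel's search groups them with transaction on Correlation_ID.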