Splunk Enterprise

Why are there no results found in the "Delegation" panel (logbinder - ADChanges)?

paulopires16
Loves-to-Learn Lots

Dear forum,

I'm trying to test my "Delegation" panel from the logbinder app but without success.

I have results in the Event Viewer file, but in the dashboard it appears as "no results found", as shown on the official site: https://www.logbinder.com/Content/Solutions/splunkapp1.jpg. Everything else works fine.

How can I simulate a test in my AD to have results in this "Delegation" panel?

`filter_dc_winseclog_events` EventCode=5136 AttributeLDAPDisplayName=nTSecurityDescriptor
| transaction maxspan=5s Correlation_ID
| eval ObjectClass=if(ObjectClass="organizationalUnit" OR ObjectClass="group" OR ObjectClass="user" OR ObjectClass="computer" OR ObjectClass="domainDNS" OR ObjectClass="groupPolicyContainer",ObjectClass,"other")
| rename ObjectClass as "Object Type"
| rename DirectoryServiceName as Domain
| timechart count by "Object Type"


Thanks

Paulo


diogofgm
SplunkTrust

Hi Paulo,

Based on the MS Docs, that event is related to changes in an AD object, although I don't believe this is enabled by default. You might need to change the audit policy to enable auditing for the properties or actions involved, and for the user performing the action or a group to which the user belongs, in order to get those 5136 events.

I would check if the audit policy is checking this and try to make an object change that would trigger it.


MS docs:
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136

More event details:
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=5136

------------
Hope I was able to help you. If so, some karma would be appreciated.
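Checking the two audit prerequisites diogofgm describes (the audit subcategory and the object's SACL) and then producing a harmless test delegation change, as an added PowerShell example that is not from this thread or from the LogBinder app. The OU and group names are assumed lab objects; run it on a domain controller with the ActiveDirectory module.

```powershell
# Added example (not from the thread): verify the audit configuration that
# Windows needs before it will write event 5136 for nTSecurityDescriptor
# changes, then make a test delegation change on a lab OU.
$ou = 'OU=DelegationTest,DC=example,DC=com'   # assumption: a test OU in a lab domain

# 1. The "Directory Service Changes" subcategory must include Success.
auditpol /get /subcategory:"Directory Service Changes"

# 2. The object (or an ancestor it inherits from) needs an audit entry (SACL)
#    that covers Write DACL; 5136 is only written for operations the SACL covers.
Import-Module ActiveDirectory
$acl = Get-Acl -Path "AD:\$ou" -Audit
$acl.Audit |
    Where-Object { $_.ActiveDirectoryRights -match 'WriteDacl' } |
    Select-Object IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType

# 3. Generate a test delegation change: grant a lab group read on the OU.
#    Writing the DACL changes nTSecurityDescriptor, which is what the
#    "Delegation" panel's search (EventCode=5136, nTSecurityDescriptor) looks for.
$group = Get-ADGroup 'DelegationTestGroup'      # assumption: a test group
$rule  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Allow)
$dacl = Get-Acl -Path "AD:\$ou"
$dacl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ou" -AclObject $dacl
```

If step 1 shows "No Auditing" or step 2 returns nothing, the DC will not emit 5136 for the change in step 3 no matter how the Splunk input is configured; fix those first and rerun step 3 to get a known-good event to trace through the forwarder.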

paulopires16
Loves-to-Learn Lots

Dear @diogofgm

They are already there in the filter:

<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">*[System[( (EventID >= 1100 and EventID <= 1102) or EventID=1104 or EventID=1108 or EventID = 4610 or EventID=4614 or EventID=4622 or EventID=4697 or (EventID >= 4704 and EventID <= 4707) or EventID=4713 or (EventID >= 4716 and EventID <= 4720) or (EventID >= 4725 and EventID <= 4735) )]]</Select>
<Select Path="Security">*[System[( (EventID >= 4737 and EventID <= 4739) or (EventID >= 4754 and EventID <= 4758) or EventID=4764 or EventID=4794 or EventID=4817 or EventID=4819 or (EventID >= 4865 and EventID <= 4867) or EventID=4906 or EventID=4908 or (EventID >= 4911 and EventID <= 4913) or EventID=6145)]]</Select>
<Select Path="Security"> (*[System[EventID=5136]] and *[EventData[ Data[@Name='AttributeLDAPDisplayName'] = 'nTSecurityDescriptor' or Data[@Name='AttributeLDAPDisplayName'] = 'gpOptions' or Data[@Name='AttributeLDAPDisplayName'] = 'gpLink' ]]) or (*[System[EventID=5136 or EventID=5137]] and *[EventData[ Data[@Name='ObjectClass'] = 'groupPolicyContainer' ]]) or (*[System[EventID=5141]] and *[EventData[ Data[@Name='ObjectClass'] = 'groupPolicyContainer' ]]) or (*[System[EventID=4611]] and *[EventData[ Data[@Name='LogonProcessName'] != 'Winlogon' ]]) </Select>
<Select Path="Security">*[System[EventID=4932]] and *[EventData[Data[@Name='Options'] = '2147483733']]</Select>
</Query>
</QueryList>
  • Account Management (Audit Other Account Management Events, Audit Security Group Management, Audit User Account Management)
  • DS Access (Audit Directory Service Changes, Audit Directory Service Replication)
  • Policy Change (Audit Audit Policy Change, Audit Authentication Policy Change, Audit Authorization Policy Change, Audit Other Policy Change Events)
  • System (Audit Security System Extension)

It looks like everything is going from the AD server to the Splunk server, except these EventCode=5136 AttributeLDAPDisplayName=nTSecurityDescriptor events.

I have these events in AD, but I don't see them in the Splunk server log (Supercharger).

Thanks

Paulo

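A way to narrow down where the events are being lost, as an added PowerShell example that is not part of the thread: run the same 5136/nTSecurityDescriptor XPath that the input filter above uses directly against the DC's Security log. If the DC returns events here but Splunk has none, the gap is between the forwarder and the index; if the DC returns nothing, the audit configuration is the problem, not Splunk. Run on the domain controller as an administrator; the field names are the standard EventData names of event 5136.

```powershell
# Added example (not from the thread): apply the input filter's own XPath
# locally with Get-WinEvent and list the matching 5136 events by name.
$query = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[EventID=5136]] and
      *[EventData[Data[@Name='AttributeLDAPDisplayName'] = 'nTSecurityDescriptor']]
    </Select>
  </Query>
</QueryList>
'@

$events = Get-WinEvent -FilterXml ([xml]$query) -MaxEvents 50 -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Host 'No matching 5136 events on this DC: check the Directory Service Changes subcategory and the object SACL.'
    return
}

# Read EventData by field name from the event XML rather than by position,
# so the lookup does not break if the template's field order differs.
foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time          = $e.TimeCreated
        CorrelationID = $data['OpCorrelationID']   # the field the SPL joins on with transaction
        ObjectDN      = $data['ObjectDN']
        ObjectClass   = $data['ObjectClass']
        Attribute     = $data['AttributeLDAPDisplayName']
        Subject       = $data['SubjectUserName']
    }
}
```

A DACL change normally produces two 5136 events with the same OpCorrelationID (the old value and the new value), which is why the panel's search groups them with `transaction maxspan=5s Correlation_ID`; if you see pairs here but single events in Splunk, compare the forwarder's input filter against this query rather than the search.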