Splunk Enterprise

Why are there no results found in the "Delegation" panel (logbinder - ADChanges)?

paulopires16
Loves-to-Learn Lots

Dear forum,

I'm trying to test my "Delegation" panel from the logbinder app but without success.

I have results in the eventviewer file but in the dashboard it appears as "no results found", as on the official site: https://www.logbinder.com/Content/Solutions/splunkapp1.jpg. Everything else works fine.

How can I simulate a test in my AD to have results in this "Delegation" panel?

'filter_dc_winseclog_events' EventCode=5136 AttributeLDAPDisplayName=nTSecurityDescriptor
| transaction maxspan=5s Correlation_ID
| eval ObjectClass=if(ObjectClass="organizationalUnit" OR ObjectClass="group" OR ObjectClass="user" OR ObjectClass="computer" OR ObjectClass="domainDNS" OR ObjectClass="groupPolicyContainer",ObjectClass,"other")
| rename ObjectClass as "Object Type"
| rename DirectoryServiceName as Domain
| timechart count by "Object Type"

Thanks

Paulo


diogofgm
SplunkTrust

Hi Paulo,

Based on the MS docs, that event is related to changes in an AD object, although I don't believe this is enabled by default. You might need to change the audit policy to enable auditing for the properties or actions involved, and for the user performing the action or a group to which the user belongs, in order to get those 5136 events.

I would check if the audit policy is checking this and try to make an object change that would trigger it.

MS docs:
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136

More event details:
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=5136

------------
Hope I was able to help you. If so, some karma would be appreciated.

paulopires16
Loves-to-Learn Lots

Dear @diogofgm 

They are already there in the filter:

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[( (EventID >= 1100 and EventID <= 1102) or EventID=1104 or EventID=1108 or EventID = 4610 or EventID=4614 or EventID=4622 or EventID=4697 or (EventID >= 4704 and EventID <= 4707) or EventID=4713 or (EventID >= 4716 and EventID <= 4720) or (EventID >= 4725 and EventID <= 4735) )]]</Select>
    <Select Path="Security">*[System[( (EventID >= 4737 and EventID <= 4739) or (EventID >= 4754 and EventID <= 4758) or EventID=4764 or EventID=4794 or EventID=4817 or EventID=4819 or (EventID >= 4865 and EventID <= 4867) or EventID=4906 or EventID=4908 or (EventID >= 4911 and EventID <= 4913) or EventID=6145)]]</Select>
    <Select Path="Security"> (*[System[EventID=5136]] and *[EventData[ Data[@Name='AttributeLDAPDisplayName'] = 'nTSecurityDescriptor' or Data[@Name='AttributeLDAPDisplayName'] = 'gpOptions' or Data[@Name='AttributeLDAPDisplayName'] = 'gpLink' ]]) or (*[System[EventID=5136 or EventID=5137]] and *[EventData[ Data[@Name='ObjectClass'] = 'groupPolicyContainer' ]]) or (*[System[EventID=5141]] and *[EventData[ Data[@Name='ObjectClass'] = 'groupPolicyContainer' ]]) or (*[System[EventID=4611]] and *[EventData[ Data[@Name='LogonProcessName'] != 'Winlogon' ]]) </Select>
    <Select Path="Security">*[System[EventID=4932]] and *[EventData[Data[@Name='Options'] = '2147483733']]</Select>
  </Query>
</QueryList>

  • Account Management (Audit Other Account Management Events, Audit Security Group Management, Audit User Account Management)
  • DS Access (Audit Directory Service Changes, Audit Directory Service Replication)
  • Policy Change (Audit Audit Policy Change, Audit Authentication Policy Change, Audit Authorization Policy Change, Audit Other Policy Change Events)
  • System (Audit Security System Extension)

It looks like everything is going from AD Server to Splunk server, except these EventCode=5136 AttributeLDAPDisplayName=nTSecurityDescriptor.

I have these events in AD but I don't see them in the Splunk server log (supercharger)

Thanks

Paulo

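The two things diogofgm's reply points at (the audit subcategory and a matching SACL on the object) and Paulo's follow-up observation (events present on the DC but not reaching Splunk) can be checked on the domain controller itself. The script below is an added example written for this thread, not part of the LogBinder app or either post; it assumes the ActiveDirectory module is installed, that it is run elevated on a DC, and that `$TestOU` is replaced with a real OU (the value shown is a placeholder).

```powershell
# Added example: verify the prerequisites for 5136 / nTSecurityDescriptor events on a DC.
# Placeholder OU: point this at an OU you control in your own domain.
param([string]$TestOU = "OU=Test,DC=example,DC=com")

Import-Module ActiveDirectory -ErrorAction Stop

# 1. The "Directory Service Changes" subcategory must audit Success for 5136 to be written at all.
Write-Host "== Audit policy (Directory Service Changes) =="
auditpol /get /subcategory:"Directory Service Changes"

# 2. 5136 is only generated when the object's SACL contains an audit ACE that matches the
#    operation (here: a WriteDacl / WriteProperty change by the acting principal).
Write-Host "== SACL on $TestOU =="
$acl = Get-Acl -Path "AD:\$TestOU" -Audit
if (-not $acl.Audit) {
    Write-Warning "No audit entries on $TestOU - no 5136 can be produced for changes to it"
} else {
    $acl.Audit |
        Select-Object IdentityReference, ActiveDirectoryRights, AuditFlags, IsInherited |
        Format-Table -AutoSize
}

# 3. Query the local Security log with the same predicate the subscription uses.
#    Events here but not in Splunk => the gap is in forwarding; no events here => steps 1/2.
$filterXml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[EventID=5136]] and *[EventData[Data[@Name='AttributeLDAPDisplayName']='nTSecurityDescriptor']]</Select>
  </Query>
</QueryList>
"@
$events = Get-WinEvent -FilterXml $filterXml -MaxEvents 10 -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Host "No 5136/nTSecurityDescriptor events in the local Security log"
} else {
    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        "{0}  op={1}  class={2}  {3}" -f $e.TimeCreated, $d['OperationType'], $d['ObjectClass'], $d['ObjectDN']
    }
}
```

If step 3 lists events on the DC while the Splunk search above returns nothing, the place to look next is the collector path (the Supercharger/WEC subscription and the forwarder input), not the DC's audit configuration.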