×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
paulopires16
Loves-to-Learn Lots
Member since: ‎01-12-2021
‎08-08-2022
Community Statistics
Posts 4
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎01-12-2021
View All

Re: No results found in the "Delegation" panel (lo...

by in Splunk Enterprise
‎08-08-2022 03:55 AM
‎08-08-2022 03:55 AM
Dear @diogofgm  They are already tere in the filter: <QueryList> <Query Id="0" Path="Security"> <Select Path="Security">*[System[( (EventID >= 1100 and EventID <= 1102) or EventID=1104 or EventID=1108 or EventID = 4610 or EventID=4614 or EventID=4622 or EventID=4697 or (EventID >= 4704 and EventID <= 4707) or EventID=4713 or (EventID >= 4716 and EventID <= 4720) or (EventID >= 4725 and EventID <= 4735) )]]</Select> <Select Path="Security">*[System[( (EventID >= 4737 and EventID <= 4739) or (EventID >= 4754 and EventID <= 4758) or EventID=4764 or EventID=4794 or EventID=4817 or EventID=4819 or (EventID >= 4865 and EventID <= 4867) or EventID=4906 or EventID=4908 or (EventID >= 4911 and EventID <= 4913) or EventID=6145)]]</Select> <Select Path="Security"> (*[System[EventID=5136]] and *[EventData[ Data[@Name='AttributeLDAPDisplayName'] = 'nTSecurityDescriptor' or Data[@Name='AttributeLDAPDisplayName'] = 'gpOptions' or Data[@Name='AttributeLDAPDisplayName'] = 'gpLink' ]]) or (*[System[EventID=5136 or EventID=5137]] and *[EventData[ Data[@Name='ObjectClass'] = 'groupPolicyContainer' ]]) or (*[System[EventID=5141]] and *[EventData[ Data[@Name='ObjectClass'] = 'groupPolicyContainer' ]]) or (*[System[EventID=4611]] and *[EventData[ Data[@Name='LogonProcessName'] != 'Winlogon' ]]) </Select> <Select Path="Security">*[System[EventID=4932]] and *[EventData[Data[@Name='Options'] = '2147483733']]</Select> </Query> </QueryList> Account Management (Audit Other Account Management Events, Audit Security Group Management, Audit User Account Management) DS Access (Audit Directory Service Changes, Audit Directory Service Replication) Policy Change (Audit Audit Policy Change, Audit Authentication Policy Change, Audit Authorization Policy Change, Audit Other Policy Change Events) System (Audit Security System Extension) It looks like everything is going from AD Server to Splunk server, except these EventCode=5136 AttributeLDAPDisplayName=nTSecurityDescriptor. I have these events in AD but I don't see them in the Splunk server log (supercharger) Thanks Paulo ... View more

Why are there no results found in the "Delegation"...

by in Splunk Enterprise
‎08-08-2022 12:56 AM
‎08-08-2022 12:56 AM
Dear forum, I'm trying to test my "Delegation" panel from the logbinder app but without success. I have results in the eventviewer file but in the dahsboard it appears as "no results found", as in the official site: https://www.logbinder.com/Content/Solutions/splunkapp1.jpg everything else works fine. How can I simulate a test in my AD to have results in this "Delegation" panel?     'filter_dc_winseclog_events' EventCode=5136 AttributeLDAPDisplayName=nTSecurityDescriptor | transaction maxspan=5s Correlation_ID | eval ObjectClass=if(ObjectClass="organizationalUnit" OR ObjectClass="group" OR ObjectClass="user" OR ObjectClass="computer" OR ObjectClass="domainDNS" OR ObjectClass="groupPolicyContainer",ObjectClass,"other") | rename ObjectClass as "Object Type" | rename DirectoryServiceName as Domain | timechart count by "Object Type"     Thanks Paulo ... View more
Labels

Re: No results found in the ADChanges

by in Splunk Enterprise
‎08-07-2022 08:18 AM
‎08-07-2022 08:18 AM
Hi @genldupali  Did you solve your problem? I have the same problem.  Thanks Paulo ... View more

Oracle 12c UNIFIED_AUDIT_TRAIL to syslog server

by in Splunk Search
‎01-12-2021 11:38 AM
‎01-12-2021 11:38 AM
Dear community, I have to implement Oracle 12c audit and save/export audit data to a shared drive on the SYSLOG server. Splunk will get the data for this SYSLOG server. In a configuration like that, what is the best approach? Mixed auditing or Pure auditing? My approach is to define pure audit and create 2 procedures: Transfer UNIFIED_AUDIT_TRAIL to the SYSLOG server; Clean up the auditing data from time to time. With DBConnect, I must create a specific user, which I don't want. Is there a step-by-step guide in windows to implement Oracle 12c auditing? Thanks   ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎08-08-2022 07:16 AM