×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
SPL_Dummy
Engager
Member since: ‎04-25-2025
2 weeks ago
Community Statistics
Posts 2
Solutions 0
Karma Given 2
Karma Received 1
Member Since ‎04-25-2025
Activity Feed
View All

Re: Splunk CAC Based Authentication

by in Security
‎04-25-2025 12:58 PM
1 Karma
‎04-25-2025 12:58 PM
1 Karma
Following for I need to do this soon as well... hope you figure it out so I can 😉 ... View more

Can Windows UF send some EventCodes as XML and all...

by in Getting Data In
‎04-25-2025 12:52 PM
‎04-25-2025 12:52 PM
Short question: can I configure my window UF inputs.conf to collect Security Event logs as renderXML=false , unless it is EventCode=4662, if EventCode=4662 then I want renderXML=true inputs.conf file [WinEventLog://Security] disabled = 0 index = wineventlog start_from = oldest current_only = 0 evt_resolve_ad_obj = 1 checkpointInterval = 5 renderXml=false #(if EventCode=4662 then set renderXML=true   I read maybe a transform.conf would help with this...?   Explanation for this configuration request is so that I can utilized this Search for DCSync attacks provided by Enterprise Splunk Security, of which only seems to work with XML ingested Security Event 4662... : ESCU - Windows AD Replication Request Initiated by User Account - Rule `wineventlog_security` EventCode=4662 ObjectType IN ("%{19195a5b-6da0-11d0-afd3-00c04fd930c9}","domainDNS") AND Properties IN ("*Replicating Directory Changes All*", "*{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}*","*{9923a32a-3607-11d2-b9be-0000f87a36b2}*","*{1131f6ac-9c07-11d1-f79f-00c04fc2dcd2}*") AND AccessMask="0x100" AND NOT (SubjectUserSid="NT AUT*" OR SubjectUserSid="S-1-5-18" OR SubjectDomainName="Window Manager" OR SubjectUserName="*$") | stats min(_time) as _time, count by SubjectDomainName, SubjectUserName, Computer, Logon_ID, ObjectName, ObjectServer, ObjectType, OperationType, status dest | rename SubjectDomainName as Target_Domain, SubjectUserName as user, Logon_ID as TargetLogonId, _time as attack_time | appendpipe [| map search="search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$" | fields - status] | table attack_time, AuthenticationPackageName, LogonProcessName, LogonType, TargetUserSid, Target_Domain, user, Computer, TargetLogonId, status, src_ip, src_category, ObjectName, ObjectServer, ObjectType, OperationType, dest | stats min(attack_time) as _time values(TargetUserSid) as TargetUserSid, values(Target_Domain) as Target_Domain, values(user) as user, values(Computer) as Computer, values(status) as status, values(src_category) as src_category, values(src_ip) as src_ip by TargetLogonId dest ... View more
Contact Me
Online Status
Offline
Date Last Visited
2 weeks ago
Karma from
View All
Karma given to
View All