Short question: can I configure my Windows UF inputs.conf to collect Security Event logs as renderXml=false, unless it is EventCode=4662; if EventCode=4662 then I want renderXml=true. inputs.conf file [WinEventLog://Security] disabled = 0 index = wineventlog start_from = oldest current_only = 0 evt_resolve_ad_obj = 1 checkpointInterval = 5 renderXml=false # (if EventCode=4662 then set renderXml=true) I read that maybe a transforms.conf would help with this...? The reason for this configuration request is so that I can utilize this search for DCSync attacks provided by Splunk Enterprise Security, which only seems to work with XML-ingested Security Event 4662: ESCU - Windows AD Replication Request Initiated by User Account - Rule `wineventlog_security` EventCode=4662 ObjectType IN ("%{19195a5b-6da0-11d0-afd3-00c04fd930c9}","domainDNS") AND Properties IN ("*Replicating Directory Changes All*", "*{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}*","*{9923a32a-3607-11d2-b9be-0000f87a36b2}*","*{1131f6ac-9c07-11d1-f79f-00c04fc2dcd2}*") AND AccessMask="0x100" AND NOT (SubjectUserSid="NT AUT*" OR SubjectUserSid="S-1-5-18" OR SubjectDomainName="Window Manager" OR SubjectUserName="*$") | stats min(_time) as _time, count by SubjectDomainName, SubjectUserName, Computer, Logon_ID, ObjectName, ObjectServer, ObjectType, OperationType, status dest | rename SubjectDomainName as Target_Domain, SubjectUserName as user, Logon_ID as TargetLogonId, _time as attack_time | appendpipe [| map search="search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$" | fields - status] | table attack_time, AuthenticationPackageName, LogonProcessName, LogonType, TargetUserSid, Target_Domain, user, Computer, TargetLogonId, status, src_ip, src_category, ObjectName, ObjectServer, ObjectType, OperationType, dest | stats min(attack_time) as _time values(TargetUserSid) as TargetUserSid, values(Target_Domain) as Target_Domain, values(user) as user, values(Computer) as Computer, values(status) as 
status, values(src_category) as src_category, values(src_ip) as src_ip by TargetLogonId dest