Hello Everyone, I have searched everywhere for a solution but did not get anything close to what I'm trying to do. So, I have one Domain Controller from where we are capturing data into the DS. On searching for EventCode 4624, I see around 10-15 events with the same timestamp, AccountName, etc. logging in. This single eventcode is consuming around 4-5 GB of license eveyday from a single Domain Controller which is not at all ideal. Blacklisting the event is no help as I need it for several reports. I have already removed the extra description at the end of events to reduce license usage. I was wondering if someone has faced similar issue or if someone could guide me on this, that would be great. Please let me know if I need to provide anymore information. ... View more

Hello Everyone, I have searched for an answer on this forum but have not seen any thread talking about checking the group policy attributes.  I'm using Splunk app for windows infrastructure and that gives me the "group Policy changes" report which gives the name of the GPO that was changed and who changed it. However, I need to know how can we check the attributes that are being changed in a GPO as just the GPO name is not helpful. GPO consists of several attributes and searching for the one that's changed will be a tiring process without Splunk. I've seen the following threads about GPO but none of them are about GPO attributes. https://community.splunk.com/t5/Archive/Query-for-Checking-GPO-Changes/m-p/384810/highlight/false https://community.splunk.com/t5/Security/How-to-identify-an-admin-who-made-a-change-in-GPO/m-p/469984#M10908 https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-correlate-the-admin-user-with-a-GPO-change/td-p/159210 Please let me know if you have further questions. Thank You, Rahul ... View more

Hello Everyone, I have searched for this everywhere but have not found any suitable answer. I have Splunk App for Windows Infrastructure installed and I can see the group policy changes in it. However, it only shows the name of the GPO and the user who changed it. I also need to know which GPO attribute was changed by the user. I am not sure how to achieve that using Splunk. I also tried the app "MS Windows AD Objects" but that too doesn't show any relevant information. I have checked the following link for answers:  https://community.splunk.com/t5/Archive/Query-for-Checking-GPO-Changes/m-p/384810/highlight/false https://community.splunk.com/t5/Security/How-to-identify-an-admin-who-made-a-change-in-GPO/m-p/469984#M10908 https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-correlate-the-admin-user-with-a-GPO-change/td-p/159210 and all the links within this answer thread. It would be great if someone can please assist me with this as it's very important for the Organization.   Thanks, Rahul   ... View more

Hi Everyone! I have researched this issue and found a few solutions, though not completely. I followed this link: https://answers.splunk.com/answers/557838/create-an-alert-based-on-cpu-being-at-95-for-a-spa.html and wanted to know if I can use "%_Processor_Time" instead of CPUPct as I am not able to extract "CPUPct" field. Also, I followed this link: https://answers.splunk.com/answers/693250/how-do-i-alert-if-cpu-is-greater-than-97-for-more.html here, I wanted to understand what does "instance=Total" mean? Also, which one of the accepted answers is better to use? The queries I used are as follows: SPL 1: index="perfmoncpu" | bin _time span=1m | stats max(%_Processor_Time) as PercentProcessorTime by host _time | eval PercentProcessorTime = round(PercentProcessorTime, 2) | eval overload = if(PercentProcessorTime >= 90, 1, 0) |streamstats current=f last(overload) as prevload by host |eval newgroup=case(isnull(prevload),1, prevload!=overload,1, true(),0) |streamstats sum(newgroup) as groupno by host |eventstats count as LoadDuration by host groupno | where overload = 1 and LoadDuration >= 10 | table host _time PercentProcessorTime LoadDuration SPL 2: index="perfmoncpu" source="PerfmonMk:CPU" instance=_Total | sort 0 _time | streamstats time_window=15min avg(cpu_load_percent) as last15min_load count by host | eval last15min_load = if (count < 90,null,round(last15min_load, 2)) | where (last15min_load) >= 90 | table host, cpu_load_percent, last15min_load I have used count<90 as the above SPL generates a count of 90 mins throughout Please let me know if you guys have any further questions. Thank You! PS: I am a newbie trying to learn splunk! ... View more

Hello Everyone, I have a service account that I need to configure to collect WMI data from domain controllers. This account can't be an admin on the domain controller, so am trying to provide least privilege access to my account as per the documentation below: https://docs.splunk.com/Documentation/Splunk/8.0.1/Data/MonitorWMIdata I am running splunk enterprise 8.0.1 and have a basic architecture with only one instance of splunk running as an indexer and search head. I have not installed any forwarder(not allowed to install that on DC as per policy). So far, I have tried everything in this link: https://answers.splunk.com/answers/2703/how-to-enable-wmi-data-collection-on-a-domain-server.html However, I am still not able to connect to the DC. The above link says that it's been tried on windows 2003. I have windows server 2012 and 2016. Could someone please assist me in getting this fixed? Any help would be greatly appreciated. Please let me know if you require further information. I apologize if I have missed anything crucial. I am still a newbie trying to find my way through it. Thank You! ... View more