Hi
I'm implementing some searches provided by Splunk Threat Research Team to detect threats from AD logs. But I cannot set all required fields. For example, one of them is below.
"Windows Computer Account Requesting Kerberos Ticket" (https://research.splunk.com/endpoint/fb3b2bb3-75a4-4279-848a-165b42624770/)
It requires some fields that I cannot find, such as subject and action.
Below is a sample log. I can't find which value I should extract as a "subject" and "action". I use "WinEventLog:Security" as sourcetype. I installed the TA-microsoft-windows. Thank you.
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4768
EventType=0
Type=Information
ComputerName=win-dc-128.attackrange.local
TaskCategory=Kerberos Authentication Service
OpCode=Info
RecordNumber=2106676187
Keywords=Audit Success
Message=A Kerberos authentication ticket (TGT) was requested.
Account Information:
Account Name: PC-DEMO$
Supplied Realm Name: attackrange.local
User ID: ATTACKRANGE\PC-DEMO$
Service Information:
Service Name: krbtgt
Service ID: ATTACKRANGE\krbtgt
Network Information:
Client Address: ::ffff:10.0.1.15
Client Port: 59022
Additional Information:
Ticket Options: 0x40800010
Result Code: 0x0
Ticket Encryption Type: 0x12
Pre-Authentication Type: 2
Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
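As an added example (not part of the original post and not the Splunk Threat Research Team's own search), the parser below splits a 4768 event like the one above into flat fields and applies the check the detection name describes. The core condition it tests (a `$`-suffixed computer account requesting a TGT for `krbtgt`) is my assumption about the linked search, and the sample event is a trimmed copy of the one in the post.

```python
# Constructed sample: the post's 4768 event, trimmed to the fields used here.
SAMPLE_EVENT = r"""LogName=Security
EventCode=4768
ComputerName=win-dc-128.attackrange.local
Message=A Kerberos authentication ticket (TGT) was requested.
Account Information:
Account Name: PC-DEMO$
Supplied Realm Name: attackrange.local
User ID: ATTACKRANGE\PC-DEMO$
Service Information:
Service Name: krbtgt
Network Information:
Client Address: ::ffff:10.0.1.15
Additional Information:
Result Code: 0x0
Ticket Encryption Type: 0x12
Certificate Issuer Name:
"""


def parse_event(text):
    """Flatten a Windows Security event into a dict.

    Header lines are 'Key=Value'; once the Message line is seen, the
    remaining lines are 'Key: Value'. Section headers such as
    'Account Information:' carry no value and are skipped.
    """
    fields, in_body = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not in_body and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
            in_body = key.strip() == "Message"
            continue
        key, sep, value = line.partition(":")
        if sep and value.strip():  # keeps 'Client Address: ::ffff:...' intact
            fields[key.strip()] = value.strip()
    return fields


def is_computer_account_tgt_request(fields):
    """Assumed detection logic: a computer account ($ suffix) obtaining a TGT."""
    return (fields.get("EventCode") == "4768"
            and fields.get("Account Name", "").endswith("$")
            and fields.get("Service Name", "").lower() == "krbtgt")
```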