Re: Regarding Absence of Windows Security Command ...

AL3Z · ‎11-13-2023

hi ,

We could be the issue regarding the absence of Windows Security Command Line " EventCode=4688 ParentProcessName="C:\\Windows\\System32\\cmd.exe" events.
I have not blacklisted it in any of the app.

Thanks.

bharathkumarnec · ‎11-14-2023

@AL3Z Can you may be run btool to check the full configuration?

AL3Z · ‎11-16-2023

@bharathkumarnec

Hi, Where exactly we can run this btool to check the configurations. I dnt have back end access can we check in ui.

bharathkumarnec · ‎11-17-2023

@AL3Z
$SPLUNK_HOME$/bin/splunk btool inputs list --debug

AL3Z · ‎11-20-2023

@bharathkumarnec Hi,

After investigating I came across audit process creation is this causing this issue ??
https://docs.splunk.com/Documentation/ES/7.2.0/Admin/ConfigureLogging

bharathkumarnec · ‎11-20-2023

@AL3Z please check if the source is generating the data in the event viewer with the information that you are looking ?

AL3Z · ‎11-20-2023

@bharathkumarnec ,

Yes, it is generating the data in the event viewer!

Regarding Absence of Windows Security Command Line Events in Logs

other

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?