Hi all,
I've Googled a bit but couldn't find an answer that allowed me to understand something about the way the native AD monitor works. My Splunk instance is running on Windows, which allowed me to quickly create a monitor for AD.
What I see, however, is that I'm limited in the events that I can search for. They are either incomplete or just have fields completely missing. For example, when trying to find about event ID 4728 for group membership, I have no events related to this ID.
What I was able to figure out is that this is because I don't have SUF in the domain controllers. I would like, if possible, for this to be confirmed.
If SUF in the DCs is the recommended way to go (they would get SUF either way, but I thought I wouldn't need them for AD monitoring), is there any special inputs.conf configuration for filtering AD events for changes and security? My goal is to implement most of what is described in the "Active Directory Change and Security Event IDs" cheat sheet.
Thank you!
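As an added illustration (not part of the original post, and not Splunk's reference configuration), the following inputs.conf fragment shows how a Universal Forwarder on a domain controller would collect the Security event log filtered to a handful of group-membership and account event IDs, alongside the admon input that the Windows-hosted "AD monitor" provides. The two inputs record different things: admon tracks changes to AD objects via replication, while event ID 4728 is written to the DC's Security log and is only visible to an input that reads that log. The index names, the stanza label NearestDC and the exact set of event IDs are assumptions for this example.

```ini
# Added example: inputs.conf deployed to a Universal Forwarder on each DC.
# Assumptions: indexes "wineventlog" and "msad" exist on the indexer, and
# the forwarder service account can read the Security event log.

# Security event log on the DC. Group-membership events such as 4728 live
# here, so this stanza must run where that log is (the DC), not on a
# Splunk server that only has the admon input.
[WinEventLog://Security]
disabled = 0
index = wineventlog
start_from = oldest
current_only = 0
# Keep only the change/security event IDs of interest rather than the whole
# Security log. whitelist accepts comma-separated event IDs and ranges.
# 4728/4729: member added to / removed from a security-enabled global group
# 4732/4733: same for a domain local group; 4756/4757: universal group
# 4720/4726: user account created / deleted; 4740: account locked out
whitelist = 4720,4726,4728,4729,4732,4733,4740,4756,4757

# Active Directory replication monitor: records changes to AD objects and
# their attributes, not Security log events, so it never yields 4728.
# "NearestDC" is just a stanza label chosen for this example; with no
# targetDc set the input uses the nearest domain controller.
[admon://NearestDC]
disabled = 0
index = msad
monitorSubtree = 1
```

Two checks worth making before blaming the input: a whitelisted event ID only appears if the domain controller actually writes it, which requires the matching audit policy (for 4728 and its siblings, "Audit Security Group Management") to be enabled on the DCs; and after changing inputs.conf the forwarder must be restarted, after which a search such as `index=wineventlog EventCode=4728` should start returning results once a group membership change occurs.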