Hello All,
I'm a new Splunker and have a Windows 6.3.2 enterprise installed with the following:
Supporting Add-on for Active Directory v 2.1.2
Cisco Security Suite v 3.1.1
Template for Citrix XenDesktop 7 v 1.1.1
App for Windows Infrastructure v 1.2.0
Add-on for PowerShell v 1.2.1
TA_Windows v 4.8.1
We are using Advanced Audit Policy (AAP) Configuration in our environment. I am not having any luck finding documentation on which AAP settings need to be configured. It appears to be an all or nothing proposition where either we get almost no information or millions of events in a very short period of time. I have searched the Splunk site fairly thoroughly but have not found any really helpful guidance on this. I did find this page:
http://docs.splunk.com/Documentation/MSApp/latest/MSInfra/ConfigureActiveDirectoryauditpolicy
This page mentions AAP but quickly loses me when it suggests I review the eventtypes.conf file. Any help or suggestions are greatly appreciated!
jpc