{"id":139,"date":"2020-07-08T11:01:22","date_gmt":"2020-07-08T11:01:22","guid":{"rendered":"https:\/\/cybersecthreat.com\/?p=139"},"modified":"2024-02-25T01:19:30","modified_gmt":"2024-02-24T17:19:30","slug":"laps-logging-and-splunk-integration","status":"publish","type":"post","link":"https:\/\/cybersecthreat.com\/zh\/2020\/07\/08\/laps-logging-and-splunk-integration\/","title":{"rendered":"LAPS logging and Splunk"},"content":{"rendered":"<p>Today we discuss LAPS logging and its integration with Splunk.<\/p>\n\n\n\n<p><a href=\"https:\/\/www.microsoft.com\/en-us\/download\/details.aspx?id=46899\">LAPS<\/a> (Local Administrator Password Solution) is a free tool from Microsoft that provides a cost-effective way to manage the local Administrator password in an Active Directory environment. In a nutshell, the LAPS client-side extension generates a different random password on each managed Windows workstation or member server, rotates it on the schedule set by Group Policy, and stores the current value in the computer object&#8217;s ms-Mcs-AdmPwd attribute in AD. Because no two machines share a local administrator password, a hash harvested from one host is of little use for lateral movement via Pass-the-Hash (PtH).<\/p>\n\n\n\n<p>Some small businesses use LAPS as their primary PAM (privileged account management) solution. Many organizations instead run an enterprise PAM product and LAPS side by side: for instance, CyberArk manages the privileged accounts on servers and LAPS manages the built-in Administrator account on workstations.<\/p>\n\n\n\n<p>Although the LAPS GPO is meant to manage only the local Administrator account, we have seen cases where it also rotated the domain&#8217;s built-in Administrator account (a member of Domain Admins). The usual cause is that the LAPS client-side extension is installed on a domain controller that falls under the GPO: a DC has no separate local account database, so its &#8220;local&#8221; Administrator is the domain Administrator. <strong>Make sure<\/strong> you prepare for it: keep the GPO away from the Domain Controllers OU, and when you test a change, keep an existing session open while you log in with a fresh session to verify the credential.<\/p>\n\n\n\n<p>Many authors have already covered the setup and configuration of LAPS. 
Resources are available at&nbsp;<a href=\"https:\/\/blog.stealthbits.com\/running-laps-in-the-race-to-security\/\">INSIDER THREAT SECURITY BLOG<\/a>,&nbsp;<a href=\"https:\/\/itconnect.uw.edu\/wares\/msinf\/ous\/laps\/\">IT Connect<\/a>, <a href=\"https:\/\/www.recastsoftware.com\/blog\/overview-of-microsoft-laps-local-administrator-password-solution\">RECAST SOFTWARE<\/a> and <a href=\"https:\/\/securityboulevard.com\/2019\/08\/5-top-local-administrator-password-solution-laps-tips\/\">SECURITY BOULEVARD<\/a>, so we will not repeat the basic setup and configuration here. We do have one recommendation: set the &#8220;Password Length&#8221; GPO value to more than 14 characters. The LAN Manager (LM) hash can only be computed for passwords of 14 characters or fewer, so where LM hash storage has not been disabled by policy, Windows may still keep an LM hash of a short LAPS password in LSASS memory or in the SAM; a longer password rules that out regardless of the policy setting.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"682\" height=\"570\" src=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/laps-gpo-password-complexity.png\" alt=\"laps-gpo-password-complexity\" class=\"wp-image-174\" srcset=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/laps-gpo-password-complexity.png 682w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/laps-gpo-password-complexity-300x251.png 300w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/laps-gpo-password-complexity-600x501.png 600w\" sizes=\"auto, (max-width: 682px) 100vw, 682px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-configure-laps-logging\">Configure LAPS logging<\/h2>\n\n\n\n<p>In this section we enable LAPS auditing, which records who reads the password of which workstation. 
Run the following PowerShell from a host with the LAPS management tools (the AdmPwd.PS module) installed, as an account allowed to modify the auditing (SACL) settings of the OU; replace &lt;OU-of-Computers-to-Audit&gt; with the OU that holds your managed computers:<\/p>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<pre class=\"wp-block-code\"><code>Set-AdmPwdAuditing -OrgUnit &lt;OU-of-Computers-to-Audit&gt; -AuditedPrincipals:Everyone<\/code><\/pre>\n<\/div><\/div>\n\n\n\n<p>The cmdlet adds an audit entry to the OU. Two things must hold before any event appears: the &#8220;Audit Directory Service Access&#8221; subcategory of the advanced audit policy must be enabled for success on the domain controllers, and the Security log must be collected from every domain controller, because the event is written on whichever DC answered the LDAP read. Once auditing is in place, Event ID 4662 is generated whenever someone retrieves a password through the LAPS UI or the Get-AdmPwdPassword cmdlet. For example, the following <strong>Event ID 4662<\/strong> shows user SOCTEST1\\Administrator reading the password of workstation WIN10-1; Access Mask 0x100 is Control Access, and the property listed under Default Property Set is ms-Mcs-AdmPwd:<\/p>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<pre class=\"wp-block-code\"><code>An operation was performed on an object.\nSubject :\n\tSecurity ID:\t\tSOCTEST1\\Administrator\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tSOCTEST1\n\tLogon ID:\t\t0x5DC20\nObject:\n\tObject Server:\t\tDS\n\tObject Type:\t\tcomputer\n\tObject Name:\t\tCN=WIN10-1,OU=Computers_OU,DC=soctest,DC=loc\n\tHandle ID:\t\t0x0\nOperation:\n\tOperation Type:\t\tObject Access\n\tAccesses:\t\tControl Access\n\t\t\t\t\n\tAccess Mask:\t\t0x100\n\tProperties:\t\tControl Access\n\t\tDefault Property Set\n\t\t\tms-Mcs-AdmPwd\n\tcomputer\nAdditional Information:\n\tParameter 1:\t\t-\n\tParameter 2:<\/code><\/pre>\n<\/div><\/div>\n\n\n\n<p>When I search for it in Splunk, nothing comes back! According to&nbsp;<a href=\"https:\/\/www.splunk.com\/en_us\/blog\/tips-and-tricks\/controlling-4662-messages-in-the-windows-security-event-log.html\">Splunk<\/a>, Event Code 4662 is too noisy, and Splunk gives an example that filters out all 4662 events except those on Group Policy objects. I realize I am using the sample inputs.conf from Splunk. 
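<\/p>\n\n\n\n<p>As an added example that is not part of the original post, the following Python reproduces the filtering offline. It applies the default blacklist1 pattern from the Splunk add-on sample inputs.conf and the corrected pattern from this post to three constructed 4662 messages (a LAPS ms-Mcs-AdmPwd read modelled on the event above, a groupPolicyContainer read, and an ordinary attribute read on a user object), then extracts who read which workstation&#8217;s password from the events that survive. The gpoadmin and svc-inventory accounts and the alice object are made up, and the code assumes Splunk applies a blacklist regex unanchored to the Message field, as its documentation describes.<\/p>

```python
import re

# blacklist1 from the sample inputs.conf in the Splunk Add-on for Windows:
# drop every 4662 whose Object Type is anything but groupPolicyContainer.
DEFAULT_BLACKLIST = r'Object Type:(?!\s*groupPolicyContainer)'

# Corrected blacklist1 from this post: same rule, except that an event survives
# when its Properties section contains 'Default Property Set', which is where a
# resolved ms-Mcs-AdmPwd read shows up.
CORRECTED_BLACKLIST = (r'(Object Type:(?!\s*groupPolicyContainer))'
                       r'[\s\S]*(Properties:(?![\s\S]*Default Property Set))')


def make_4662(account, domain, object_type, object_name, access, properties):
    # Build a constructed 4662 Message in the layout Windows renders (tabs and
    # all), reduced to the fields the filters and the parser actually read.
    props = ''.join('\t\t' + p + '\n' for p in properties)
    return ('An operation was performed on an object.\n'
            'Subject :\n'
            '\tSecurity ID:\t\t' + domain + '\\' + account + '\n'
            '\tAccount Name:\t\t' + account + '\n'
            '\tAccount Domain:\t\t' + domain + '\n'
            'Object:\n'
            '\tObject Server:\t\tDS\n'
            '\tObject Type:\t\t' + object_type + '\n'
            '\tObject Name:\t\t' + object_name + '\n'
            'Operation:\n'
            '\tAccesses:\t\t' + access + '\n'
            '\tProperties:\t\t' + access + '\n' + props)


# Constructed samples. The first mirrors the event shown in the post; the
# gpoadmin and svc-inventory accounts and the alice user object are made up.
LAPS_READ = make_4662('Administrator', 'SOCTEST1', 'computer',
                      'CN=WIN10-1,OU=Computers_OU,DC=soctest,DC=loc',
                      'Control Access', ['Default Property Set', '\tms-Mcs-AdmPwd'])
GPO_READ = make_4662('gpoadmin', 'SOCTEST1', 'groupPolicyContainer',
                     'CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=soctest,DC=loc',
                     'Read Property', ['\tgPCFileSysPath'])
USER_READ = make_4662('svc-inventory', 'SOCTEST1', 'user',
                      'CN=alice,OU=Users_OU,DC=soctest,DC=loc',
                      'Read Property', ['\tdescription'])


def is_blacklisted(pattern, message):
    # Splunk applies a blacklist regex unanchored to the field value (assumption
    # taken from its documentation): any match anywhere drops the event at the forwarder.
    return re.search(pattern, message) is not None


def parse_laps_read(message):
    # Return (DOMAIN\account, computer) for a 4662 that read ms-Mcs-AdmPwd, else None.
    if 'ms-Mcs-AdmPwd' not in message:
        return None
    account = re.search(r'Account Name:\s*(\S+)', message)
    domain = re.search(r'Account Domain:\s*(\S+)', message)
    target = re.search(r'Object Name:\s*CN=([^,]+)', message)
    if not (account and domain and target):
        return None
    return domain.group(1) + '\\' + account.group(1), target.group(1)


def laps_reads(events, blacklist=CORRECTED_BLACKLIST):
    # Simulate the pipeline: apply the blacklist as the forwarder would, then
    # extract the password reads from whatever reaches the indexer.
    kept = (parse_laps_read(e) for e in events if not is_blacklisted(blacklist, e))
    return [r for r in kept if r is not None]


if __name__ == '__main__':
    events = [LAPS_READ, GPO_READ, USER_READ]
    print('default blacklist1  :', laps_reads(events, DEFAULT_BLACKLIST))  # []
    print('corrected blacklist1:', laps_reads(events))  # [('SOCTEST1\\Administrator', 'WIN10-1')]
```

<p>With the default pattern the LAPS read never reaches the indexer, which is why the search returned nothing; with the corrected pattern it is the only event that both survives the filter and parses as a password read, while the groupPolicyContainer event still passes (as the add-on intends) and the ordinary user-attribute read is still dropped.<\/p>\n\n\n\n<p>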
Below is a snippet of the default inputs.conf. Note evt_resolve_ad_obj = 1: it resolves the GUIDs in 4662 events to names such as ms-Mcs-AdmPwd and Default Property Set, and the filters below depend on those names being present in the Message field.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;WinEventLog:\/\/Security]\ndisabled = 0\nstart_from = oldest\ncurrent_only = 0\nevt_resolve_ad_obj = 1\ncheckpointInterval = 5\nblacklist1 = EventCode=\"4662\" Message=\"Object Type:(?!\\s*groupPolicyContainer)\"\nblacklist2 = EventCode=\"566\" Message=\"Object Type:(?!\\s*groupPolicyContainer)\"\nrenderXml=true<\/code><\/pre>\n\n\n\n<p>It took me a couple of days of trying combinations in inputs.conf before I found the correct syntax. The blacklist below still drops the noisy 4662 events, but keeps any event whose Properties section contains &#8220;Default Property Set&#8221;, which is where the ms-Mcs-AdmPwd read appears:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>blacklist1 = EventCode=\"4662\" Message=\"(Object Type:(?!\\s*groupPolicyContainer))&#91;\\s\\S]*(Properties:(?!&#91;\\s\\S]*Default Property Set))\"<\/code><\/pre>\n\n\n\n<p>Two caveats. First, this keeps every 4662 that lists Default Property Set, not only LAPS password reads; if that proves noisy in your environment, tighten the lookahead to the attribute name ms-Mcs-AdmPwd instead. Second, the filter runs on the forwarder and takes effect only after it is restarted, and events it already dropped are gone for good. Next we can build searches and alerts on these privileged account reads. Enjoy!<\/p>","protected":false},"excerpt":{"rendered":"<p>When I search for it in Splunk, nothing comes back! According to Splunk, Event Code 4662 is too noisy, and Splunk gives an example that filters out all 4662 events except those on Group Policy objects. I realize I am using the sample inputs.conf from Splunk. 
Below is a snippet of the default inputs.conf.<\/p>\n<p>It took me a couple of days of trying combinations in inputs.conf before I found the correct syntax.<\/p>","protected":false},"author":2,"featured_media":373,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_kad_blocks_custom_css":"","_kad_blocks_head_custom_js":"","_kad_blocks_body_custom_js":"","_kad_blocks_footer_custom_js":"","_uf_show_specific_survey":0,"_uf_disable_surveys":false,"_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"_kad_post_classname":"","footnotes":""},"categories":[23],"tags":[46,52,53,49,47,48,50,33,51,31,32,20],"class_list":["post-139","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-splunk","tag-46","tag-blacklist","tag-blacklist1","tag-event-code-4662","tag-event-id-4662","tag-eventcode-4662","tag-eventid-4662","tag-laps","tag-ms-mcs-admpwd","tag-pass-the-hash","tag-pth","tag-splunk"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.3 (Yoast SEO v27.4) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>LAPS logging and Splunk - CyberSecThreat<\/title>\n<meta name=\"description\" content=\"In this section we enable LAPS auditing, which records who reads the password of which workstation. 
According to Splunk, Event Code 4662 is too noisy\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/cybersecthreat.com\/zh\/2020\/07\/08\/laps-logging-and-splunk-integration\/\" \/>\n<meta property=\"og:locale\" content=\"zh_TW\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"LAPS logging and Splunk\" \/>\n<meta property=\"og:description\" content=\"When I search for it in Splunk, nothing comes back! According to Splunk, Event Code 4662 is too noisy, and Splunk gives an example that filters out all 4662 events except those on Group Policy objects. I realize I am using the sample inputs.conf from Splunk. Below is a snippet of the default inputs.conf. It took me a couple of days of trying combinations in inputs.conf before I found the correct syntax.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/cybersecthreat.com\/zh\/2020\/07\/08\/laps-logging-and-splunk-integration\/\" \/>\n<meta property=\"og:site_name\" content=\"CyberSecThreat\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cybersecthreat\" \/>\n<meta property=\"article:published_time\" content=\"2020-07-08T11:01:22+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-02-24T17:19:30+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/Splunk_EventCode_4662_ms-Mcs-AdmPwd.png\" \/>\n\t<meta property=\"og:image:width\" content=\"865\" \/>\n\t<meta property=\"og:image:height\" content=\"698\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Kelvin Yip\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@cybersecthreat\" \/>\n<meta name=\"twitter:site\" content=\"@cybersecthreat\" \/>\n<meta name=\"twitter:label1\" content=\"Author:\" \/>\n\t<meta 
name=\"twitter:data1\" content=\"Kelvin Yip\" \/>\n\t<meta name=\"twitter:label2\" content=\"Estimated reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/laps-logging-and-splunk-integration\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/laps-logging-and-splunk-integration\\\/\"},\"author\":{\"name\":\"Kelvin Yip\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/#\\\/schema\\\/person\\\/4787dde06da74fa66cb5e92e481b0f98\"},\"headline\":\"LAPS logging and Splunk\",\"datePublished\":\"2020-07-08T11:01:22+00:00\",\"dateModified\":\"2024-02-24T17:19:30+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/laps-logging-and-splunk-integration\\\/\"},\"wordCount\":434,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/laps-logging-and-splunk-integration\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/cybersecthreat.com\\\/wp-content\\\/uploads\\\/2020\\\/07\\\/Splunk_EventCode_4662_ms-Mcs-AdmPwd.png\",\"keywords\":[\"4662\",\"blacklist\",\"blacklist1\",\"Event Code 4662\",\"Event ID 4662\",\"EventCode 4662\",\"EventID 
4662\",\"LAPS\",\"ms-Mcs-AdmPwd\",\"Pass-the-Hash\",\"PtH\",\"Splunk\"],\"articleSection\":[\"Splunk\"],\"inLanguage\":\"zh-TW\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/laps-logging-and-splunk-integration\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/laps-logging-and-splunk-integration\\\/\",\"url\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/laps-logging-and-splunk-integration\\\/\",\"name\":\"LAPS logging and Splunk - CyberSecThreat\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/laps-logging-and-splunk-integration\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/laps-logging-and-splunk-integration\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/cybersecthreat.com\\\/wp-content\\\/uploads\\\/2020\\\/07\\\/Splunk_EventCode_4662_ms-Mcs-AdmPwd.png\",\"datePublished\":\"2020-07-08T11:01:22+00:00\",\"dateModified\":\"2024-02-24T17:19:30+00:00\",\"description\":\"In this section, we will enable LAPS logging, which can log who access the password of which workstations. 
According to Splunk, Event Code 4662 is too noisy\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/laps-logging-and-splunk-integration\\\/#breadcrumb\"},\"inLanguage\":\"zh-TW\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/laps-logging-and-splunk-integration\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"zh-TW\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/laps-logging-and-splunk-integration\\\/#primaryimage\",\"url\":\"https:\\\/\\\/cybersecthreat.com\\\/wp-content\\\/uploads\\\/2020\\\/07\\\/Splunk_EventCode_4662_ms-Mcs-AdmPwd.png\",\"contentUrl\":\"https:\\\/\\\/cybersecthreat.com\\\/wp-content\\\/uploads\\\/2020\\\/07\\\/Splunk_EventCode_4662_ms-Mcs-AdmPwd.png\",\"width\":865,\"height\":698,\"caption\":\"Splunk EventCode 4662 with ms-Mcs-AdmPwd\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/laps-logging-and-splunk-integration\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Splunk\",\"item\":\"https:\\\/\\\/cybersecthreat.com\\\/category\\\/splunk\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"LAPS logging and Splunk\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/#website\",\"url\":\"https:\\\/\\\/cybersecthreat.com\\\/\",\"name\":\"CyberSecThreat\",\"description\":\"CyberSecurity Solutions\",\"publisher\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/cybersecthreat.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"zh-TW\"},{\"@type\":[\"Organization\",\"Place\"],\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/#organization\",\"name\":\"CyberSecThreat 
Corporation Limited.\",\"alternateName\":\"CyberSecThreat\",\"url\":\"https:\\\/\\\/cybersecthreat.com\\\/\",\"logo\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/laps-logging-and-splunk-integration\\\/#local-main-organization-logo\"},\"image\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/laps-logging-and-splunk-integration\\\/#local-main-organization-logo\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/cybersecthreat\",\"https:\\\/\\\/x.com\\\/cybersecthreat\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/cybersecthreat-corporation-limited\"],\"description\":\"CyberSecThreat, headquartered in Taiwan, is a Cybersecurity solutions provider that offers cutting-edge Cybersecurity solutions including Cyber Threat Intelligence (CTI), Security Orchestration, Automation, and Response (SOAR), UBA\\\/UEBA, DFIR, and CyberSecurity consulting. CyberSecThreat was awarded as Top 10 Cyber Security Companies of 2022 in APAC CIO Outlook\u2019s Cyber Security Edition. We position ourselves as one of the most comprehensive players in the most advanced high-end marketplace with our highly customizable cybersecurity solutions. CyberSecThreat has been committed to contributing to the CyberSecurity industry and assisting our global clients to improve their CyberSecurity posture. With our global partners and experts, we can deliver a wide range of world-class services to our global clients including vCISO, SOC consulting, Splunk consulting, red team, blue team, and AppSec consulting. CyberSecThreat Research Lab, which is led by our founder Kelvin Yip, is a subdivision that focuses on researching Cyber Warfare, Cyber Influence Operation\\\/Cognitive Domain Warfare (including Disinformation, Propaganda, and psychological manipulation), the latest Cybersecurity trends, and threats that organizations face today as well as technology innovation. 
With decades of Cybersecurity and technology experience, our teams of experts carry out research and experiment, bringing it to the real world. When things come to the real world and production environment, it is more complicated than our imagination. Let us worry about it because this is our mission! Our vision: NextGen safe digital life, and our mission is to Transform Security Into Real World.\",\"legalName\":\"CyberSecThreat Corporation Limited.\",\"foundingDate\":\"2021-01-23\",\"address\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/laps-logging-and-splunk-integration\\\/#local-main-place-address\"},\"geo\":{\"@type\":\"GeoCoordinates\",\"latitude\":\"25.0600452\",\"longitude\":\"121.4594381\"},\"telephone\":[\"(+886) 02 - 77527628\"],\"openingHoursSpecification\":[{\"@type\":\"OpeningHoursSpecification\",\"dayOfWeek\":[\"Monday\",\"Tuesday\",\"Wednesday\",\"Thursday\",\"Friday\",\"Saturday\",\"Sunday\"],\"opens\":\"09:00\",\"closes\":\"18:00\"}],\"email\":\"info@cybersecthreat.com\",\"areaServed\":\"Taiwan\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/#\\\/schema\\\/person\\\/4787dde06da74fa66cb5e92e481b0f98\",\"name\":\"Kelvin Yip\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"zh-TW\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/91aef1abe820d485df4dc03c80c4bab5b129b723fea7002f20904634c1042d21?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/91aef1abe820d485df4dc03c80c4bab5b129b723fea7002f20904634c1042d21?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/91aef1abe820d485df4dc03c80c4bab5b129b723fea7002f20904634c1042d21?s=96&d=mm&r=g\",\"caption\":\"Kelvin Yip\"},\"sameAs\":[\"https:\\\/\\\/cybersecthreat.com\"],\"knowsAbout\":[\"CyberSecurity\"],\"knowsLanguage\":[\"English\",\"Chinese\"],\"jobTitle\":\"Founder, 
CEO\",\"url\":\"https:\\\/\\\/cybersecthreat.com\\\/zh\\\/author\\\/kelvinyip-m\\\/\"},{\"@type\":\"PostalAddress\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/laps-logging-and-splunk-integration\\\/#local-main-place-address\",\"streetAddress\":\"9 F.-A6, No. 601, Siyuan Rd., Xinzhuang Dist., New Taipei City 242032, Taiwan (R.O.C.)\",\"addressLocality\":\"New Taipei City\",\"postalCode\":\"242032\",\"addressRegion\":\"Taiwan\",\"addressCountry\":\"TW\"},{\"@type\":\"ImageObject\",\"inLanguage\":\"zh-TW\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/laps-logging-and-splunk-integration\\\/#local-main-organization-logo\",\"url\":\"https:\\\/\\\/cybersecthreat.com\\\/wp-content\\\/uploads\\\/2023\\\/12\\\/CyberSecThreat_website-site-logo-_164x164-min.png\",\"contentUrl\":\"https:\\\/\\\/cybersecthreat.com\\\/wp-content\\\/uploads\\\/2023\\\/12\\\/CyberSecThreat_website-site-logo-_164x164-min.png\",\"width\":164,\"height\":164,\"caption\":\"CyberSecThreat Corporation Limited.\"}]}<\/script>\n<meta name=\"geo.placename\" content=\"New Taipei City\" \/>\n<meta name=\"geo.position\" content=\"25.0600452;121.4594381\" \/>\n<meta name=\"geo.region\" content=\"Taiwan\" \/>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"LAPS logging and Splunk - CyberSecThreat","description":"In this section, we will enable LAPS logging, which can log who access the password of which workstations. According to Splunk, Event Code 4662 is too noisy","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/cybersecthreat.com\/zh\/2020\/07\/08\/laps-logging-and-splunk-integration\/","og_locale":"zh_TW","og_type":"article","og_title":"LAPS logging and Splunk","og_description":"When I try to search it in Splunk, nothing comes out!! 
According to Splunk, Event Code 4662 is too noisy, and Splunk gives an example that filters out all 4662 events except those on Group Policy objects. I realize I am using the sample inputs.conf from Splunk. Below is a snippet of the default inputs.conf. It took me a couple of days of trying combinations in inputs.conf before I found the correct syntax.","og_url":"https:\/\/cybersecthreat.com\/zh\/2020\/07\/08\/laps-logging-and-splunk-integration\/","og_site_name":"CyberSecThreat","article_publisher":"https:\/\/www.facebook.com\/cybersecthreat","article_published_time":"2020-07-08T11:01:22+00:00","article_modified_time":"2024-02-24T17:19:30+00:00","og_image":[{"width":865,"height":698,"url":"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/Splunk_EventCode_4662_ms-Mcs-AdmPwd.png","type":"image\/png"}],"author":"Kelvin Yip","twitter_card":"summary_large_image","twitter_creator":"@cybersecthreat","twitter_site":"@cybersecthreat","twitter_misc":{"Author:":"Kelvin Yip","Estimated reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/cybersecthreat.com\/2020\/07\/08\/laps-logging-and-splunk-integration\/#article","isPartOf":{"@id":"https:\/\/cybersecthreat.com\/2020\/07\/08\/laps-logging-and-splunk-integration\/"},"author":{"name":"Kelvin Yip","@id":"https:\/\/cybersecthreat.com\/#\/schema\/person\/4787dde06da74fa66cb5e92e481b0f98"},"headline":"LAPS logging and 
Splunk","datePublished":"2020-07-08T11:01:22+00:00","dateModified":"2024-02-24T17:19:30+00:00","mainEntityOfPage":{"@id":"https:\/\/cybersecthreat.com\/2020\/07\/08\/laps-logging-and-splunk-integration\/"},"wordCount":434,"commentCount":0,"publisher":{"@id":"https:\/\/cybersecthreat.com\/#organization"},"image":{"@id":"https:\/\/cybersecthreat.com\/2020\/07\/08\/laps-logging-and-splunk-integration\/#primaryimage"},"thumbnailUrl":"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/Splunk_EventCode_4662_ms-Mcs-AdmPwd.png","keywords":["4662","blacklist","blacklist1","Event Code 4662","Event ID 4662","EventCode 4662","EventID 4662","LAPS","ms-Mcs-AdmPwd","Pass-the-Hash","PtH","Splunk"],"articleSection":["Splunk"],"inLanguage":"zh-TW","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/cybersecthreat.com\/2020\/07\/08\/laps-logging-and-splunk-integration\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/cybersecthreat.com\/2020\/07\/08\/laps-logging-and-splunk-integration\/","url":"https:\/\/cybersecthreat.com\/2020\/07\/08\/laps-logging-and-splunk-integration\/","name":"LAPS logging and Splunk - CyberSecThreat","isPartOf":{"@id":"https:\/\/cybersecthreat.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/cybersecthreat.com\/2020\/07\/08\/laps-logging-and-splunk-integration\/#primaryimage"},"image":{"@id":"https:\/\/cybersecthreat.com\/2020\/07\/08\/laps-logging-and-splunk-integration\/#primaryimage"},"thumbnailUrl":"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/Splunk_EventCode_4662_ms-Mcs-AdmPwd.png","datePublished":"2020-07-08T11:01:22+00:00","dateModified":"2024-02-24T17:19:30+00:00","description":"In this section, we will enable LAPS logging, which can log who access the password of which workstations. 
According to Splunk, Event Code 4662 is too noisy","breadcrumb":{"@id":"https:\/\/cybersecthreat.com\/2020\/07\/08\/laps-logging-and-splunk-integration\/#breadcrumb"},"inLanguage":"zh-TW","potentialAction":[{"@type":"ReadAction","target":["https:\/\/cybersecthreat.com\/2020\/07\/08\/laps-logging-and-splunk-integration\/"]}]},{"@type":"ImageObject","inLanguage":"zh-TW","@id":"https:\/\/cybersecthreat.com\/2020\/07\/08\/laps-logging-and-splunk-integration\/#primaryimage","url":"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/Splunk_EventCode_4662_ms-Mcs-AdmPwd.png","contentUrl":"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/Splunk_EventCode_4662_ms-Mcs-AdmPwd.png","width":865,"height":698,"caption":"Splunk EventCode 4662 with ms-Mcs-AdmPwd"},{"@type":"BreadcrumbList","@id":"https:\/\/cybersecthreat.com\/2020\/07\/08\/laps-logging-and-splunk-integration\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Splunk","item":"https:\/\/cybersecthreat.com\/category\/splunk\/"},{"@type":"ListItem","position":2,"name":"LAPS logging and 
Splunk"}]},{"@type":"WebSite","@id":"https:\/\/cybersecthreat.com\/#website","url":"https:\/\/cybersecthreat.com\/","name":"\u5947\u8cc7\u5b89","description":"\u7db2\u8def\u5b89\u5168\u65b9\u6848","publisher":{"@id":"https:\/\/cybersecthreat.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/cybersecthreat.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"zh-TW"},{"@type":["Organization","Place"],"@id":"https:\/\/cybersecthreat.com\/#organization","name":"\u5947\u8cc7\u8a0a\u4fdd\u5b89\u53ca\u7db2\u7d61\u6709\u9650\u516c\u53f8","alternateName":"CyberSecThreat","url":"https:\/\/cybersecthreat.com\/","logo":{"@id":"https:\/\/cybersecthreat.com\/2020\/07\/08\/laps-logging-and-splunk-integration\/#local-main-organization-logo"},"image":{"@id":"https:\/\/cybersecthreat.com\/2020\/07\/08\/laps-logging-and-splunk-integration\/#local-main-organization-logo"},"sameAs":["https:\/\/www.facebook.com\/cybersecthreat","https:\/\/x.com\/cybersecthreat","https:\/\/www.linkedin.com\/company\/cybersecthreat-corporation-limited"],"description":"CyberSecThreat, headquartered in Taiwan, is a Cybersecurity solutions provider that offers cutting-edge Cybersecurity solutions including Cyber Threat Intelligence (CTI), Security Orchestration, Automation, and Response (SOAR), UBA\/UEBA, DFIR, and CyberSecurity consulting. CyberSecThreat was awarded as Top 10 Cyber Security Companies of 2022 in APAC CIO Outlook\u2019s Cyber Security Edition. We position ourselves as one of the most comprehensive players in the most advanced high-end marketplace with our highly customizable cybersecurity solutions. CyberSecThreat has been committed to contributing to the CyberSecurity industry and assisting our global clients to improve their CyberSecurity posture. 
With our global partners and experts, we can deliver a wide range of world-class services to our global clients including vCISO, SOC consulting, Splunk consulting, red team, blue team, and AppSec consulting. CyberSecThreat Research Lab, which is led by our founder Kelvin Yip, is a subdivision that focuses on researching Cyber Warfare, Cyber Influence Operation\/Cognitive Domain Warfare (including Disinformation, Propaganda, and psychological manipulation), the latest Cybersecurity trends, and threats that organizations face today as well as technology innovation. With decades of Cybersecurity and technology experience, our teams of experts carry out research and experiment, bringing it to the real world. When things come to the real world and production environment, it is more complicated than our imagination. Let us worry about it because this is our mission! Our vision: NextGen safe digital life, and our mission is to Transform Security Into Real World.","legalName":"CyberSecThreat Corporation Limited.","foundingDate":"2021-01-23","address":{"@id":"https:\/\/cybersecthreat.com\/2020\/07\/08\/laps-logging-and-splunk-integration\/#local-main-place-address"},"geo":{"@type":"GeoCoordinates","latitude":"25.0600452","longitude":"121.4594381"},"telephone":["(+886) 02 - 77527628"],"openingHoursSpecification":[{"@type":"OpeningHoursSpecification","dayOfWeek":["Monday","Tuesday","Wednesday","Thursday","Friday","Saturday","Sunday"],"opens":"09:00","closes":"18:00"}],"email":"info@cybersecthreat.com","areaServed":"Taiwan"},{"@type":"Person","@id":"https:\/\/cybersecthreat.com\/#\/schema\/person\/4787dde06da74fa66cb5e92e481b0f98","name":"Kelvin 
Yip","image":{"@type":"ImageObject","inLanguage":"zh-TW","@id":"https:\/\/secure.gravatar.com\/avatar\/91aef1abe820d485df4dc03c80c4bab5b129b723fea7002f20904634c1042d21?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/91aef1abe820d485df4dc03c80c4bab5b129b723fea7002f20904634c1042d21?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/91aef1abe820d485df4dc03c80c4bab5b129b723fea7002f20904634c1042d21?s=96&d=mm&r=g","caption":"Kelvin Yip"},"sameAs":["https:\/\/cybersecthreat.com"],"knowsAbout":["CyberSecurity"],"knowsLanguage":["English","Chinese"],"jobTitle":"Founder, CEO","url":"https:\/\/cybersecthreat.com\/zh\/author\/kelvinyip-m\/"},{"@type":"PostalAddress","@id":"https:\/\/cybersecthreat.com\/2020\/07\/08\/laps-logging-and-splunk-integration\/#local-main-place-address","streetAddress":"9 F.-A6, No. 601, Siyuan Rd., Xinzhuang Dist., New Taipei City 242032, Taiwan (R.O.C.)","addressLocality":"New Taipei City","postalCode":"242032","addressRegion":"Taiwan","addressCountry":"TW"},{"@type":"ImageObject","inLanguage":"zh-TW","@id":"https:\/\/cybersecthreat.com\/2020\/07\/08\/laps-logging-and-splunk-integration\/#local-main-organization-logo","url":"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2023\/12\/CyberSecThreat_website-site-logo-_164x164-min.png","contentUrl":"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2023\/12\/CyberSecThreat_website-site-logo-_164x164-min.png","width":164,"height":164,"caption":"CyberSecThreat Corporation Limited."}]},"geo.placename":"New Taipei City","geo.position":{"lat":"25.0600452","long":"121.4594381"},"geo.region":"Taiwan"},"taxonomy_info":{"category":[{"value":23,"label":"Splunk"}],"post_tag":[{"value":46,"label":"4662"},{"value":52,"label":"blacklist"},{"value":53,"label":"blacklist1"},{"value":49,"label":"Event Code 4662"},{"value":47,"label":"Event ID 4662"},{"value":48,"label":"EventCode 4662"},{"value":50,"label":"EventID 
4662"},{"value":33,"label":"LAPS"},{"value":51,"label":"ms-Mcs-AdmPwd"},{"value":31,"label":"Pass-the-Hash"},{"value":32,"label":"PtH"},{"value":20,"label":"Splunk"}]},"featured_image_src_large":["https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/Splunk_EventCode_4662_ms-Mcs-AdmPwd.png",865,698,false],"author_info":{"display_name":"Kelvin Yip","author_link":"https:\/\/cybersecthreat.com\/zh\/author\/kelvinyip-m\/"},"comment_info":1,"category_info":[{"term_id":23,"name":"Splunk","slug":"splunk","term_group":0,"term_taxonomy_id":23,"taxonomy":"category","description":"","parent":0,"count":10,"filter":"raw","cat_ID":23,"category_count":10,"category_description":"","cat_name":"Splunk","category_nicename":"splunk","category_parent":0}],"tag_info":[{"term_id":46,"name":"4662","slug":"4662","term_group":0,"term_taxonomy_id":46,"taxonomy":"post_tag","description":"","parent":0,"count":1,"filter":"raw"},{"term_id":52,"name":"blacklist","slug":"blacklist","term_group":0,"term_taxonomy_id":52,"taxonomy":"post_tag","description":"","parent":0,"count":1,"filter":"raw"},{"term_id":53,"name":"blacklist1","slug":"blacklist1","term_group":0,"term_taxonomy_id":53,"taxonomy":"post_tag","description":"","parent":0,"count":1,"filter":"raw"},{"term_id":49,"name":"Event Code 4662","slug":"event-code-4662","term_group":0,"term_taxonomy_id":49,"taxonomy":"post_tag","description":"","parent":0,"count":1,"filter":"raw"},{"term_id":47,"name":"Event ID 4662","slug":"event-id-4662","term_group":0,"term_taxonomy_id":47,"taxonomy":"post_tag","description":"","parent":0,"count":1,"filter":"raw"},{"term_id":48,"name":"EventCode 4662","slug":"eventcode-4662","term_group":0,"term_taxonomy_id":48,"taxonomy":"post_tag","description":"","parent":0,"count":1,"filter":"raw"},{"term_id":50,"name":"EventID 
4662","slug":"eventid-4662","term_group":0,"term_taxonomy_id":50,"taxonomy":"post_tag","description":"","parent":0,"count":1,"filter":"raw"},{"term_id":33,"name":"LAPS","slug":"laps","term_group":0,"term_taxonomy_id":33,"taxonomy":"post_tag","description":"","parent":0,"count":1,"filter":"raw"},{"term_id":51,"name":"ms-Mcs-AdmPwd","slug":"ms-mcs-admpwd","term_group":0,"term_taxonomy_id":51,"taxonomy":"post_tag","description":"","parent":0,"count":1,"filter":"raw"},{"term_id":31,"name":"Pass-the-Hash","slug":"pass-the-hash","term_group":0,"term_taxonomy_id":31,"taxonomy":"post_tag","description":"","parent":0,"count":1,"filter":"raw"},{"term_id":32,"name":"PtH","slug":"pth","term_group":0,"term_taxonomy_id":32,"taxonomy":"post_tag","description":"","parent":0,"count":1,"filter":"raw"},{"term_id":20,"name":"Splunk","slug":"splunk","term_group":0,"term_taxonomy_id":20,"taxonomy":"post_tag","description":"","parent":0,"count":8,"filter":"raw"}],"_links":{"self":[{"href":"https:\/\/cybersecthreat.com\/zh\/wp-json\/wp\/v2\/posts\/139","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cybersecthreat.com\/zh\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecthreat.com\/zh\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cybersecthreat.com\/zh\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecthreat.com\/zh\/wp-json\/wp\/v2\/comments?post=139"}],"version-history":[{"count":0,"href":"https:\/\/cybersecthreat.com\/zh\/wp-json\/wp\/v2\/posts\/139\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecthreat.com\/zh\/wp-json\/wp\/v2\/media\/373"}],"wp:attachment":[{"href":"https:\/\/cybersecthreat.com\/zh\/wp-json\/wp\/v2\/media?parent=139"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecthreat.com\/zh\/wp-json\/wp\/v2\/categories?post=139"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecthreat.com\/zh\/wp-js
on\/wp\/v2\/tags?post=139"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}