Hi,
I think the AD parser needs an enhancement. It should parse "Service Name" from the event "A Kerberos service ticket was requested". Usually that field contains an account name that can be used to track authentications. Currently it is not parsed at all.
We have a customer use case and this is needed urgently.
by: Timo S. | over a year ago | Integrations
Comments
Fixing this is planned. Bug ID reference in plug-in documentation is: 1045558
This is now available at the following link: https://www.netiq.com/support/sentinel/plugins/preview.html
The exact download link is: https://www.netiq.com/support/sentinel/plugins/pre/collectors/Microsoft_Active-Directory-and-Windows_2011.1r8-201707050116-preview.clz.zip