...
index="winevent_dc_index" source="wineventlog:directory service" EventCode="2889"
| rex field=_raw "(?ms)Binding\s+Type:\s+(?<typeBind>\d)"
| table _time, host, EventCode, ClientIdentity, ClientIPAddress, typeBind
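The same extraction the SPL above performs, run over constructed event 2889 bodies so the regex and the Binding Type mapping can be checked offline. This is an added example, not the page's query or any Microsoft or Splunk tooling: the message layout follows the Directory Service 2889 text, while the hostnames, addresses, identities and the function names parse_2889, summarize and triage are assumptions made here for illustration.

```python
import re
from collections import Counter

# Constructed sample bodies of Directory Service event 2889 (not real log data),
# shaped like the message a DC writes. The third is a cleartext simple bind;
# the last is a truncated body to show the parser refusing incomplete events.
PREAMBLE = (
    "The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind "
    "without requesting signing (integrity verification), or performed a simple bind "
    "over a clear text (non-SSL/TLS-encrypted) LDAP connection.\n\n"
)
SAMPLE_EVENTS = [
    ("DC01", PREAMBLE + "Client IP address:\n10.20.30.41:52344\n"
             "Identity the client attempted to authenticate as:\nAD\\atl-mbp-018$\n"
             "Binding Type:\n0\n"),
    ("DC01", PREAMBLE + "Client IP address:\n10.20.30.41:52399\n"
             "Identity the client attempted to authenticate as:\nAD\\atlauren\n"
             "Binding Type:\n0\n"),
    ("DC02", PREAMBLE + "Client IP address:\n10.20.30.77:61002\n"
             "Identity the client attempted to authenticate as:\nCONTOSO\\svc-ldap\n"
             "Binding Type:\n1\n"),
    ("DC01", PREAMBLE + "Client IP address:\n10.20.30.99:50000\n"),
]

# Binding Type values as documented for event 2889.
BIND_TYPES = {"0": "SASL bind without signing", "1": "simple bind over cleartext"}

# Same idea as the SPL rex: anchor on the field label, take what follows it.
CLIENT_RE = re.compile(r"Client IP address:\s*(?P<client>\S+)")
IDENTITY_RE = re.compile(
    r"Identity the client attempted to authenticate as:\s*(?P<identity>[^\r\n]+)"
)
TYPE_RE = re.compile(r"Binding\s+Type:\s*(?P<typeBind>\d)")


def parse_2889(host, raw):
    """Extract client address, identity and binding type from one event body.
    Returns None when any field is missing, so a truncated event cannot be
    miscounted as a benign bind."""
    m_client = CLIENT_RE.search(raw)
    m_id = IDENTITY_RE.search(raw)
    m_type = TYPE_RE.search(raw)
    if not (m_client and m_id and m_type):
        return None
    ip, _, port = m_client.group("client").rpartition(":")
    identity = m_id.group("identity").strip()
    bind_type = m_type.group("typeBind")
    return {
        "host": host,
        "client_ip": ip,
        "client_port": int(port),
        "identity": identity,
        # DOMAIN\name$ is a computer account (the testing notes see atl-mbp-018$)
        "is_machine_account": identity.endswith("$"),
        "binding_type": bind_type,
        "binding_desc": BIND_TYPES.get(bind_type, "unknown"),
    }


def summarize(parsed):
    """Count binds per (client address, identity, binding type), skipping
    events the parser rejected."""
    counts = Counter()
    for ev in parsed:
        if ev is not None:
            counts[(ev["client_ip"], ev["identity"], ev["binding_type"])] += 1
    return counts


def triage(parsed):
    """Order for remediation: cleartext simple binds (type 1) before unsigned
    SASL binds (type 0), then by volume, then by key for a stable listing."""
    counts = summarize(parsed)
    return sorted(counts.items(), key=lambda kv: (-int(kv[0][2]), -kv[1], kv[0]))


if __name__ == "__main__":
    events = [parse_2889(h, r) for h, r in SAMPLE_EVENTS]
    for (ip, identity, btype), n in triage(events):
        print(f"{ip:<15} {identity:<22} {BIND_TYPES[btype]:<28} x{n}")
```

One caveat when comparing this against a live index: a DC only writes per-client 2889 events when the "16 LDAP Interface Events" diagnostic level under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics is set to 2; at the default level you get only the daily 2887 summary count, and the query above returns nothing.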
Appendix: Raw text from testing notes
Splunk: index="winevent_dc_index" source="wineventlog:directory service" EventCode="2889"
ATL-MBP-018
Which Airwatch OU? — macOS standard supported policies
AD record? NOPE reassign profile YEP
EventCode="2889"
events as “AD\oidadder” during machine bind
events as “AD\atl-mbp-018$” thereafter, periodically with login events too
create “atlauren” Andrew Fake
logout
login as “atlauren” local account -> events as machine account
login to EC events as “ad\atlauren”
EC reconnect events as “ad\atlauren”
machine events on logout
events from machine and user on login/EC
** move to Airwatch OU Experimental **
AD/Certificate profile lands
new events for rebinding as oitadder, machine record in New Computers OU *is a complete rebind*
move to OU
EC reconnect no events
logout no events
reboot events as machine record
login atlauren event as atlauren
EC reconnect event as atlauren