DETECTING WINDOWS ATTACK WITH SPLUNK: Detecting Kerberoasting/AS-REPRoasting

Please, I’m confused by this question on detecting Kerberoasting / AS-REPRoasting:
Modify and employ the provided Sysmon Event 22-based Splunk search on all ingested data (All time) to identify all share names whose location was spoofed by 10.10.0.221. Enter the missing share name from the following list as your answer. myshare, myfileshar3, _

I have tried a lot of modifications but it keeps showing no results.
The closest I got listed the user N/A.

Same issue, any progress/breakthrough?

Hi, search for the IP and list the values of the share names, and you will get the answer :)
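
The approach suggested in the reply above, sketched offline as an added example (not from the thread or the course material): filter Sysmon Event ID 22 records whose `QueryResults` contain the suspect address and list the distinct `QueryName` values. The sample events and the function names `answer_ips` and `names_resolved_to` are constructed for illustration; matching is done on parsed addresses, because a plain substring match on `10.10.0.221` also hits `110.10.0.221`.

```python
import ipaddress

# Constructed sample records using Sysmon Event ID 22 (DNSEvent) field names.
EVENTS = [
    {"EventCode": 22, "QueryName": "fileshare-a", "QueryResults": "::ffff:10.10.0.221;"},
    {"EventCode": 22, "QueryName": "FILESHARE-A", "QueryResults": "10.10.0.221;"},
    {"EventCode": 22, "QueryName": "fileshare-b",
     "QueryResults": "type:  5 alias.example;::ffff:10.10.0.221;"},
    {"EventCode": 22, "QueryName": "intranet.example", "QueryResults": "::ffff:10.10.0.22;"},
    {"EventCode": 22, "QueryName": "printer01", "QueryResults": "::ffff:110.10.0.221;"},
    {"EventCode": 3, "QueryName": "not-dns", "QueryResults": "10.10.0.221;"},
    {"EventCode": 22, "QueryName": "nohost", "QueryResults": "-"},
]


def answer_ips(query_results):
    """Parse a QueryResults string into a set of address objects."""
    ips = set()
    for token in query_results.split(";"):
        token = token.strip()
        # Skip empty fields and record-type entries such as "type:  5 <cname>".
        if not token or token.startswith("type:"):
            continue
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:
            continue  # not an address (e.g. "-")
        # Sysmon often logs IPv4 answers as IPv4-mapped IPv6 (::ffff:a.b.c.d).
        mapped = getattr(ip, "ipv4_mapped", None)
        ips.add(mapped if mapped is not None else ip)
    return ips


def names_resolved_to(events, suspect_ip):
    """Distinct queried names (lower-cased) that resolved to suspect_ip."""
    target = ipaddress.ip_address(suspect_ip)
    names = set()
    for ev in events:
        if ev.get("EventCode") != 22:
            continue  # only DNS query events
        if target in answer_ips(ev.get("QueryResults", "")):
            names.add(ev["QueryName"].lower())
    return sorted(names)


if __name__ == "__main__":
    print(names_resolved_to(EVENTS, "10.10.0.221"))
```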