add_app

deployment-apps/winwatch/README

@@ -0,0 +1,49 @@
+App Name: winwatch
+Version: 1.1
+Author: Securonix Anjaneyulu Bollimuntha
+
+Installation and Configuration document:
+Support Contact:anjirhl@gmail.com
+
+Description of the App:
+The WinWatch App for Splunk provides an Executive and Operational view of key metrics and trends derived using windows security event log.
+
+Prerequisites:
+
+•	Splunk Enterprise / light / cloud server.
+•	Log data with source type : WinEventLog:Security
+
+Install the WinWatch App
+The WinWatch app has been provided as a “.tar.gz” file. Please follow the standard app import process in Splunk through the “Manage Apps” menu to install the WinWatch App.
+
+
+>> Click on the “Manage Apps” from Apps drop down and Choose “Install app from file” option.
+
+<< Dashboard Details >>
+
+User Logon Metrics / Trends
+
+The initial three panels provide day-day comparison of below items (last 48hrs).
+
+	No of servers people accessed.
+	No of unique accounts used.
+	Total logon count.
+	Total logon trend.
+	Interactive logon trend 
+	Non-Interactive logon trend (network,batch ..etc).
+
+Management Activities 
+
+The first four panels in the dashboard provides the below details.
+-	Count of accounts created count (Day-Day comparison)
+-	Count of accounts Removed count (Day-Day comparison)
+-	Count of accounts Modified (Day-Day comparison)
+-	Trend over time (Account created / removed) for the selected timeframe.
+-	Activity trend of accounts being enabled and disabled.
+-	Activity trend of accounts being locked and unlocked.
+-	Activity trend of firewall rule changes.
+-	Activity trend of domain and audit policy changes.
+
+
+
+

deployment-apps/winwatch/bin/README

@@ -0,0 +1 @@
+This is where you put any scripts you want to add to this app.

deployment-apps/winwatch/default/app.conf

@@ -0,0 +1,24 @@
+#
+# Splunk app configuration file
+#
+[id]
+name = winwatch
+version = 1.1.1
+
+[package]
+id = winwatch
+version = 1.1.1
+
+[install]
+is_configured = 0
+
+[ui]
+is_visible = 1
+label = WinWatch
+
+[launcher]
+author = Anjaneyulu Bollimuntha
+description = The win-watch App for Splunk provides an Executive and Operational view of key metrics and trends derived using windows security event log.
+
+version = 1.1.1
+

deployment-apps/winwatch/default/data/ui/nav/default.xml

@@ -0,0 +1,5 @@
+<nav search_view="search" color="#111008">
+  <view name="search" default='true' />
+  <view name="logons" />
+  <view name="admin_activity" />
+</nav>

deployment-apps/winwatch/default/data/ui/views/README

@@ -0,0 +1 @@
+Add all the views that your app needs in this directory

deployment-apps/winwatch/default/data/ui/views/admin_activity.xml

@@ -0,0 +1,272 @@
+<form>
+  <label>Management Activities</label>
+  <search id="my_search1">
+    <query>index="$idx$" sourcetype="$st$" |timechart span=1d count(eval(EventCode="626" OR EventCode="627" OR EventCode="628" OR EventCode="629" OR EventCode="632" OR EventCode="633" OR EventCode="636" OR EventCode="637" OR EventCode="644" OR EventCode="650" OR EventCode="651" OR EventCode="655" OR EventCode="656" OR EventCode="660" OR EventCode="661" OR EventCode="665" OR EventCode="666" OR EventCode="671" OR EventCode="685" OR EventCode="4722" OR EventCode="4723" OR EventCode="4724" OR EventCode="4725" OR EventCode="4728" OR EventCode="4729" OR EventCode="4732" OR EventCode="4733" OR EventCode="4740" OR EventCode="4746" OR EventCode="4747" OR EventCode="4751" OR EventCode="4752" OR EventCode="4756" OR EventCode="4757" OR EventCode="4761" OR EventCode="4762" OR EventCode="4767" OR EventCode="4781")) AS acc_modified,count(eval(EventCode="624" OR EventCode="645" OR EventCode="4720" OR EventCode="4741")) AS acc_created,count(eval(EventCode="630" OR EventCode="647" OR EventCode="4726" OR EventCode="4743")) AS acc_removed,count(eval(EventCode="626" OR EventCode="4722")) AS acc_enabled,count(eval(EventCode="629" OR EventCode="4725")) AS acc_disabled,count(eval(EventCode="644" OR EventCode="4740")) AS acc_locked,count(eval(EventCode="671" OR EventCode="4767")) AS acc_unlocked</query>
+    <earliest>$field1.earliest$</earliest>
+    <latest>$field1.latest$</latest>
+  </search>
+  <fieldset submitButton="false">
+    <input type="dropdown" token="idx">
+      <label>Select The Index</label>
+      <choice value="*">All</choice>
+      <default>*</default>
+      <fieldForLabel>index</fieldForLabel>
+      <fieldForValue>index</fieldForValue>
+      <search>
+        <query>| eventcount summarize=false index=* | dedup index | fields index</query>
+      </search>
+    </input>
+    <input type="dropdown" token="st">
+      <label>Select Sourcetype</label>
+      <choice value="WinEventLog:Security">WinEventLog:Security</choice>
+      <default>WinEventLog:Security</default>
+      <fieldForLabel>sourcetype</fieldForLabel>
+      <fieldForValue>sourcetype</fieldForValue>
+      <search>
+        <query>|metadata type=sourcetypes|table sourcetype|search NOT sourcetype="WinEventLog:Security"</query>
+      </search>
+    </input>
+    <input type="time" token="field1" searchWhenChanged="true">
+      <label>Date</label>
+      <default>
+        <earliest>-7d@h</earliest>
+        <latest>now</latest>
+      </default>
+    </input>
+  </fieldset>
+  <row>
+    <panel>
+      <single>
+        <title>Accounts Created</title>
+        <search base="my_search1">
+          <query>|table _time acc_created |sort _time</query>
+        </search>
+        <option name="drilldown">none</option>
+        <option name="colorBy">value</option>
+        <option name="colorMode">block</option>
+        <option name="numberPrecision">0</option>
+        <option name="rangeColors">["0x65a637","0x6db7c6","0xf7bc38","0xf58f39","0xd93f3c"]</option>
+        <option name="rangeValues">[0,30,70,100]</option>
+        <option name="showSparkline">1</option>
+        <option name="showTrendIndicator">1</option>
+        <option name="trendColorInterpretation">standard</option>
+        <option name="trendDisplayMode">absolute</option>
+        <option name="unitPosition">after</option>
+        <option name="useColors">1</option>
+        <option name="useThousandSeparators">1</option>
+        <option name="trendInterval">-24h</option>
+      </single>
+    </panel>
+    <panel>
+      <single>
+        <title>Accounts Removed</title>
+        <search base="my_search1">
+          <query>|table _time acc_removed |sort _time</query>
+        </search>
+        <option name="drilldown">none</option>
+        <option name="colorBy">value</option>
+        <option name="colorMode">block</option>
+        <option name="numberPrecision">0</option>
+        <option name="rangeColors">["0x65a637","0x6db7c6","0xf7bc38","0xf58f39","0xd93f3c"]</option>
+        <option name="rangeValues">[0,30,70,100]</option>
+        <option name="showSparkline">1</option>
+        <option name="showTrendIndicator">1</option>
+        <option name="trendColorInterpretation">standard</option>
+        <option name="trendDisplayMode">absolute</option>
+        <option name="unitPosition">after</option>
+        <option name="useColors">1</option>
+        <option name="useThousandSeparators">1</option>
+        <option name="trendInterval">-24h</option>
+      </single>
+    </panel>
+    <panel>
+      <single>
+        <title>Accounts Modified</title>
+        <search base="my_search1">
+          <query>|table _time acc_modified |sort _time</query>
+        </search>
+        <option name="drilldown">none</option>
+        <option name="colorBy">value</option>
+        <option name="colorMode">block</option>
+        <option name="numberPrecision">0</option>
+        <option name="rangeColors">["0x65a637","0x6db7c6","0xf7bc38","0xf58f39","0xd93f3c"]</option>
+        <option name="rangeValues">[0,30,70,100]</option>
+        <option name="showSparkline">1</option>
+        <option name="showTrendIndicator">1</option>
+        <option name="trendColorInterpretation">standard</option>
+        <option name="trendDisplayMode">absolute</option>
+        <option name="unitPosition">after</option>
+        <option name="useColors">1</option>
+        <option name="useThousandSeparators">1</option>
+        <option name="trendInterval">-24h</option>
+      </single>
+    </panel>
+  </row>
+  <row>
+    <panel>
+      <chart>
+        <title>Accounts Creation / Deletion Trend</title>
+        <search base="my_search1">
+          <query>|table _time acc_created acc_removed|timechart sum(acc_created) AS acc_created,sum(acc_removed) AS acc_removed</query>
+        </search>
+        <option name="charting.chart">area</option>
+        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
+        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
+        <option name="charting.axisTitleX.visibility">visible</option>
+        <option name="charting.axisTitleY.visibility">visible</option>
+        <option name="charting.axisTitleY2.visibility">visible</option>
+        <option name="charting.axisX.scale">linear</option>
+        <option name="charting.axisY.scale">linear</option>
+        <option name="charting.axisY2.enabled">0</option>
+        <option name="charting.axisY2.scale">inherit</option>
+        <option name="charting.chart.bubbleMaximumSize">50</option>
+        <option name="charting.chart.bubbleMinimumSize">10</option>
+        <option name="charting.chart.bubbleSizeBy">area</option>
+        <option name="charting.chart.nullValueMode">gaps</option>
+        <option name="charting.chart.showDataLabels">all</option>
+        <option name="charting.chart.showMarkers">true</option>
+        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
+        <option name="charting.chart.stackMode">stacked</option>
+        <option name="charting.chart.style">shiny</option>
+        <option name="charting.drilldown">all</option>
+        <option name="charting.layout.splitSeries">0</option>
+        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
+        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
+        <option name="charting.legend.placement">right</option>
+      </chart>
+    </panel>
+  </row>
+  <row>
+    <panel>
+      <chart>
+        <title>Accounts Enable / Disable - Trend</title>
+        <search base="my_search1">
+          <query>|timechart sum(acc_disabled) AS acc_disabled,sum(acc_enabled) AS acc_enabled</query>
+        </search>
+        <option name="charting.chart">column</option>
+        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
+        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
+        <option name="charting.axisTitleX.visibility">visible</option>
+        <option name="charting.axisTitleY.visibility">visible</option>
+        <option name="charting.axisTitleY2.visibility">visible</option>
+        <option name="charting.axisX.scale">linear</option>
+        <option name="charting.axisY.scale">linear</option>
+        <option name="charting.axisY2.enabled">0</option>
+        <option name="charting.axisY2.scale">inherit</option>
+        <option name="charting.chart.bubbleMaximumSize">50</option>
+        <option name="charting.chart.bubbleMinimumSize">10</option>
+        <option name="charting.chart.bubbleSizeBy">area</option>
+        <option name="charting.chart.nullValueMode">gaps</option>
+        <option name="charting.chart.showDataLabels">none</option>
+        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
+        <option name="charting.chart.stackMode">stacked</option>
+        <option name="charting.chart.style">shiny</option>
+        <option name="charting.drilldown">all</option>
+        <option name="charting.layout.splitSeries">0</option>
+        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
+        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
+        <option name="charting.legend.placement">bottom</option>
+      </chart>
+    </panel>
+    <panel>
+      <chart>
+        <title>Accounts Locked / Unlocked - Trend</title>
+        <search base="my_search1">
+          <query>|timechart sum(acc_locked) AS acc_locked,sum(acc_unlocked) AS acc_unlocked</query>
+        </search>
+        <option name="charting.chart">bar</option>
+        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
+        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
+        <option name="charting.axisTitleX.visibility">visible</option>
+        <option name="charting.axisTitleY.visibility">visible</option>
+        <option name="charting.axisTitleY2.visibility">visible</option>
+        <option name="charting.axisX.scale">linear</option>
+        <option name="charting.axisY.scale">linear</option>
+        <option name="charting.axisY2.enabled">0</option>
+        <option name="charting.axisY2.scale">inherit</option>
+        <option name="charting.chart.bubbleMaximumSize">50</option>
+        <option name="charting.chart.bubbleMinimumSize">10</option>
+        <option name="charting.chart.bubbleSizeBy">area</option>
+        <option name="charting.chart.nullValueMode">gaps</option>
+        <option name="charting.chart.showDataLabels">none</option>
+        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
+        <option name="charting.chart.stackMode">stacked</option>
+        <option name="charting.chart.style">shiny</option>
+        <option name="charting.drilldown">all</option>
+        <option name="charting.layout.splitSeries">0</option>
+        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
+        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
+        <option name="charting.legend.placement">bottom</option>
+      </chart>
+    </panel>
+  </row>
+  <row>
+    <panel>
+      <chart>
+        <title>Firewall Rule Changes</title>
+        <search>
+          <query>index="$idx$" sourcetype="$st$" (EventCode="4947" OR EventCode="4946" OR EventCode="4948") |timechart count</query>
+          <earliest>$field1.earliest$</earliest>
+          <latest>$field1.latest$</latest>
+        </search>
+        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
+        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
+        <option name="charting.axisTitleX.visibility">visible</option>
+        <option name="charting.axisTitleY.visibility">visible</option>
+        <option name="charting.axisTitleY2.visibility">visible</option>
+        <option name="charting.axisX.scale">linear</option>
+        <option name="charting.axisY.scale">linear</option>
+        <option name="charting.axisY2.enabled">0</option>
+        <option name="charting.axisY2.scale">inherit</option>
+        <option name="charting.chart">line</option>
+        <option name="charting.chart.bubbleMaximumSize">50</option>
+        <option name="charting.chart.bubbleMinimumSize">10</option>
+        <option name="charting.chart.bubbleSizeBy">area</option>
+        <option name="charting.chart.nullValueMode">gaps</option>
+        <option name="charting.chart.showDataLabels">all</option>
+        <option name="charting.chart.showMarkers">true</option>
+        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
+        <option name="charting.chart.stackMode">default</option>
+        <option name="charting.chart.style">shiny</option>
+        <option name="charting.drilldown">all</option>
+        <option name="charting.layout.splitSeries">0</option>
+        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
+        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
+        <option name="charting.legend.placement">right</option>
+      </chart>
+    </panel>
+    <panel>
+      <chart>
+        <title>Domain / Audit Policy Changes</title>
+        <search>
+          <query>index="$idx$" sourcetype="$st$" (EventCode=612 OR EventCode=4715 OR EventCode="643" OR EventCode="4739") |timechart count</query>
+          <earliest>-7d@h</earliest>
+          <latest>now</latest>
+        </search>
+        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
+        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
+        <option name="charting.axisTitleX.visibility">visible</option>
+        <option name="charting.axisTitleY.visibility">visible</option>
+        <option name="charting.axisTitleY2.visibility">visible</option>
+        <option name="charting.axisX.scale">linear</option>
+        <option name="charting.axisY.scale">linear</option>
+        <option name="charting.axisY2.enabled">0</option>
+        <option name="charting.axisY2.scale">inherit</option>
+        <option name="charting.chart">column</option>
+        <option name="charting.chart.bubbleMaximumSize">50</option>
+        <option name="charting.chart.bubbleMinimumSize">10</option>
+        <option name="charting.chart.bubbleSizeBy">area</option>
+        <option name="charting.chart.nullValueMode">gaps</option>
+        <option name="charting.chart.showDataLabels">all</option>
+        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
+        <option name="charting.chart.stackMode">default</option>
+        <option name="charting.chart.style">shiny</option>
+        <option name="charting.drilldown">all</option>
+        <option name="charting.layout.splitSeries">0</option>
+        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
+        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
+        <option name="charting.legend.placement">right</option>
+      </chart>
+    </panel>
+  </row>
+</form>

deployment-apps/winwatch/default/data/ui/views/logons.xml

@@ -0,0 +1,262 @@
+<form>
+  <search id="my_search1">
+    <query>index="$idx$" sourcetype="$st$" (EventCode=528 OR EventCode=540 OR EventCode=552 OR EventCode=4648 OR EventCode=4624 OR EventCode=4774) Logon_Type=* earliest=-48h|eval Account_Name=if(isnull(Account_Name),User,Account_Name)|eval Account_Name=mvindex(Account_Name,1)|search NOT (Account_Name="*$" OR Account_Name="ANONYMOUS LOGON" OR Account_Name="SYSTEM" OR Account_Name="LOCAL SERVICE" OR Account_Name="NETWORK SERVICE" OR Account_Name="-")|timechart span=1d  dc(ComputerName) AS server_count,dc(Account_Name) AS user_count,count AS logon_count</query>
+  </search>
+  <search id="my_search2">
+    <query>index="$idx$" sourcetype="$st$" (EventCode=528 OR EventCode=540 OR EventCode=552 OR EventCode=4648 OR EventCode=4624 OR EventCode=4774) Logon_Type=*|eval Account_Name=if(isnull(Account_Name),User,Account_Name)|eval Account_Name=mvindex(Account_Name,1)|search NOT (Account_Name="*$" OR Account_Name="ANONYMOUS LOGON" OR Account_Name="SYSTEM" OR Account_Name="LOCAL SERVICE" OR Account_Name="NETWORK SERVICE" OR Account_Name="-")|eval login_method=Logon_Type|replace 0 with "System Only",2 with "Interactive Logon",3 with "Network",4 with "Batch",5 with "Service",6 with "Proxy logon",7 with "Unlock",8 with "Network Clear Text",9 with "New Credentials",10 with "Remote Interactive",11 with "Cached Interactive",12 with "CachedRemoteInteractive",13 with "CachedUnlock" in login_method|timechart span=1d count by login_method|addtotals</query>
+    <earliest>$field1.earliest$</earliest>
+    <latest>$field1.latest$</latest>
+  </search>
+  <search id="my_search3">
+    <query>index="$idx$" sourcetype="$st$" (EventCode=528 OR EventCode=540 OR EventCode=552 OR EventCode=4648 OR EventCode=4624 OR EventCode=4774) Logon_Type=*|eval Account_Name=if(isnull(Account_Name),User,Account_Name)|eval Account_Name=mvindex(Account_Name,1)|search NOT (Account_Name="*$" OR Account_Name="ANONYMOUS LOGON" OR Account_Name="SYSTEM" OR Account_Name="LOCAL SERVICE" OR Account_Name="NETWORK SERVICE" OR Account_Name="-")|stats count by Account_Name,ComputerName,Source_Network_Address|search NOT (Source_Network_Address="-")</query>
+    <earliest>$field1.earliest$</earliest>
+    <latest>$field1.latest$</latest>
+  </search>
+  <label>User Logon Metrics / Trends</label>
+  <fieldset submitButton="false">
+    <input type="dropdown" token="idx">
+      <label>Select The Index</label>
+      <choice value="*">All</choice>
+      <default>*</default>
+      <fieldForLabel>index</fieldForLabel>
+      <fieldForValue>index</fieldForValue>
+      <search>
+        <query>| eventcount summarize=false index=* | dedup index | fields index</query>
+      </search>
+    </input>
+    <input type="dropdown" token="st">
+      <label>Select Sourcetype</label>
+      <choice value="WinEventLog:Security">WinEventLog:Security</choice>
+      <default>WinEventLog:Security</default>
+      <fieldForLabel>sourcetype</fieldForLabel>
+      <fieldForValue>sourcetype</fieldForValue>
+      <search>
+        <query>|metadata type=sourcetypes|table sourcetype|search NOT sourcetype="WinEventLog:Security"</query>
+      </search>
+    </input>
+    <input type="time" token="field1" searchWhenChanged="true">
+      <label>Date</label>
+      <default>
+        <earliest>-30d@d</earliest>
+        <latest>now</latest>
+      </default>
+    </input>
+  </fieldset>
+  <row>
+    <panel>
+      <single>
+        <title>SERVER COUNT</title>
+        <search base="my_search1">
+          <query>|table _time server_count |timechart span=1d sum(server_count) AS count</query>
+        </search>
+        <option name="drilldown">none</option>
+        <option name="colorBy">value</option>
+        <option name="colorMode">block</option>
+        <option name="numberPrecision">0</option>
+        <option name="showSparkline">1</option>
+        <option name="showTrendIndicator">1</option>
+        <option name="trendColorInterpretation">standard</option>
+        <option name="trendDisplayMode">absolute</option>
+        <option name="unitPosition">after</option>
+        <option name="useColors">1</option>
+        <option name="useThousandSeparators">1</option>
+        <option name="rangeColors">["0x6db7c6","0xf7bc38"]</option>
+        <option name="rangeValues">[15000]</option>
+        <option name="underLabel">Day-Day Trend</option>
+      </single>
+    </panel>
+    <panel>
+      <single>
+        <title>USER COUNT</title>
+        <search base="my_search1">
+          <query>|table _time user_count |timechart span=1d sum(user_count) AS count</query>
+        </search>
+        <option name="drilldown">none</option>
+        <option name="colorBy">value</option>
+        <option name="colorMode">block</option>
+        <option name="numberPrecision">0</option>
+        <option name="showSparkline">1</option>
+        <option name="showTrendIndicator">1</option>
+        <option name="trendColorInterpretation">standard</option>
+        <option name="trendDisplayMode">absolute</option>
+        <option name="unitPosition">after</option>
+        <option name="useColors">1</option>
+        <option name="useThousandSeparators">1</option>
+        <option name="rangeColors">["0x6db7c6","0xf7bc38"]</option>
+        <option name="rangeValues">[15000]</option>
+        <option name="underLabel">Day-Day Trend</option>
+      </single>
+    </panel>
+    <panel>
+      <single>
+        <title>LOGON COUNT</title>
+        <search base="my_search1">
+          <query>|table _time logon_count |timechart span=1d sum(logon_count) AS count</query>
+        </search>
+        <option name="drilldown">none</option>
+        <option name="colorBy">value</option>
+        <option name="colorMode">block</option>
+        <option name="numberPrecision">0</option>
+        <option name="showSparkline">1</option>
+        <option name="showTrendIndicator">1</option>
+        <option name="trendColorInterpretation">standard</option>
+        <option name="trendDisplayMode">absolute</option>
+        <option name="unitPosition">before</option>
+        <option name="useColors">1</option>
+        <option name="useThousandSeparators">1</option>
+        <option name="rangeColors">["0x6db7c6","0xf7bc38"]</option>
+        <option name="rangeValues">[15000]</option>
+        <option name="underLabel">Day-Day Trend</option>
+      </single>
+    </panel>
+  </row>
+  <row>
+    <panel>
+      <title>Logon Trend</title>
+      <chart>
+        <title>Overall Trend</title>
+        <search base="my_search2">
+          <query>|fields _time Total</query>
+        </search>
+        <option name="charting.chart">column</option>
+        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
+        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
+        <option name="charting.axisTitleX.visibility">collapsed</option>
+        <option name="charting.axisTitleY.visibility">visible</option>
+        <option name="charting.axisTitleY2.visibility">visible</option>
+        <option name="charting.axisX.scale">linear</option>
+        <option name="charting.axisY.scale">linear</option>
+        <option name="charting.axisY2.enabled">0</option>
+        <option name="charting.axisY2.scale">inherit</option>
+        <option name="charting.chart.bubbleMaximumSize">50</option>
+        <option name="charting.chart.bubbleMinimumSize">10</option>
+        <option name="charting.chart.bubbleSizeBy">area</option>
+        <option name="charting.chart.nullValueMode">gaps</option>
+        <option name="charting.chart.showDataLabels">all</option>
+        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
+        <option name="charting.chart.stackMode">stacked</option>
+        <option name="charting.chart.style">shiny</option>
+        <option name="charting.drilldown">all</option>
+        <option name="charting.layout.splitSeries">0</option>
+        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
+        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
+        <option name="charting.legend.placement">right</option>
+      </chart>
+    </panel>
+  </row>
+  <row>
+    <panel>
+      <chart>
+        <title>Interactive Logons</title>
+        <search base="my_search2">
+          <query>|fields _time "System Only","Interactive Logon",Unlock,"Remote Interactive","Cached Interactive","CachedRemoteInteractive"</query>
+        </search>
+        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
+        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
+        <option name="charting.axisTitleX.visibility">collapsed</option>
+        <option name="charting.axisTitleY.visibility">visible</option>
+        <option name="charting.axisTitleY2.visibility">visible</option>
+        <option name="charting.axisX.scale">linear</option>
+        <option name="charting.axisY.scale">linear</option>
+        <option name="charting.axisY2.enabled">0</option>
+        <option name="charting.axisY2.scale">inherit</option>
+        <option name="charting.chart">column</option>
+        <option name="charting.chart.bubbleMaximumSize">50</option>
+        <option name="charting.chart.bubbleMinimumSize">10</option>
+        <option name="charting.chart.bubbleSizeBy">area</option>
+        <option name="charting.chart.nullValueMode">gaps</option>
+        <option name="charting.chart.showDataLabels">all</option>
+        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
+        <option name="charting.chart.stackMode">stacked</option>
+        <option name="charting.chart.style">shiny</option>
+        <option name="charting.drilldown">all</option>
+        <option name="charting.layout.splitSeries">0</option>
+        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
+        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
+        <option name="charting.legend.placement">right</option>
+      </chart>
+    </panel>
+    <panel>
+      <chart>
+        <title>Non-Interactive Logon</title>
+        <search base="my_search2">
+          <query>|fields - Total "System Only","Interactive Logon",Unlock,"Remote Interactive","Cached Interactive","CachedRemoteInteractive"</query>
+        </search>
+        <option name="charting.chart">column</option>
+        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
+        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
+        <option name="charting.axisTitleX.visibility">collapsed</option>
+        <option name="charting.axisTitleY.visibility">visible</option>
+        <option name="charting.axisTitleY2.visibility">visible</option>
+        <option name="charting.axisX.scale">linear</option>
+        <option name="charting.axisY.scale">linear</option>
+        <option name="charting.axisY2.enabled">0</option>
+        <option name="charting.axisY2.scale">inherit</option>
+        <option name="charting.chart.bubbleMaximumSize">50</option>
+        <option name="charting.chart.bubbleMinimumSize">10</option>
+        <option name="charting.chart.bubbleSizeBy">area</option>
+        <option name="charting.chart.nullValueMode">gaps</option>
+        <option name="charting.chart.showDataLabels">none</option>
+        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
+        <option name="charting.chart.stackMode">stacked</option>
+        <option name="charting.chart.style">shiny</option>
+        <option name="charting.drilldown">all</option>
+        <option name="charting.layout.splitSeries">0</option>
+        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
+        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
+        <option name="charting.legend.placement">right</option>
+      </chart>
+    </panel>
+  </row>
+  <row>
+    <panel>
+      <chart>
+        <title>Top 5 - Active Accounts</title>
+        <search base="my_search3">
+          <query>|stats sum(count) AS count by Account_Name|sort - count |head 5</query>
+        </search>
+        <option name="charting.chart">bar</option>
+      </chart>
+    </panel>
+    <panel>
+      <chart>
+        <title>Top 5 - Active Hosts</title>
+        <search base="my_search3">
+          <query>|stats sum(count) AS count by ComputerName|sort - count |head 5</query>
+        </search>
+        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
+        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
+        <option name="charting.axisTitleX.visibility">visible</option>
+        <option name="charting.axisTitleY.visibility">visible</option>
+        <option name="charting.axisTitleY2.visibility">visible</option>
+        <option name="charting.axisX.scale">linear</option>
+        <option name="charting.axisY.scale">linear</option>
+        <option name="charting.axisY2.enabled">0</option>
+        <option name="charting.axisY2.scale">inherit</option>
+        <option name="charting.chart">pie</option>
+        <option name="charting.chart.bubbleMaximumSize">50</option>
+        <option name="charting.chart.bubbleMinimumSize">10</option>
+        <option name="charting.chart.bubbleSizeBy">area</option>
+        <option name="charting.chart.nullValueMode">gaps</option>
+        <option name="charting.chart.showDataLabels">none</option>
+        <option name="charting.chart.sliceCollapsingThreshold">0</option>
+        <option name="charting.chart.stackMode">default</option>
+        <option name="charting.chart.style">shiny</option>
+        <option name="charting.drilldown">all</option>
+        <option name="charting.layout.splitSeries">0</option>
+        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
+        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
+        <option name="charting.legend.placement">right</option>
+      </chart>
+    </panel>
+    <panel>
+      <chart>
+        <title>Top 5  - Active Network Sources</title>
+        <search base="my_search3">
+          <query>|stats sum(count) AS count by Source_Network_Address|sort - count |head 5</query>
+        </search>
+        <option name="charting.chart">bar</option>
+      </chart>
+    </panel>
+  </row>
+</form>

deployment-apps/winwatch/metadata/default.meta

@@ -0,0 +1,30 @@
+
+# Application-level permissions
+
+[]
+access = read : [ * ], write : [ admin, power ]
+
+### EVENT TYPES
+
+[eventtypes]
+export = system
+
+
+### PROPS
+
+[props]
+export = system
+
+
+### TRANSFORMS
+
+[transforms]
+export = system
+
+
+### LOOKUPS
+
+[lookups]
+export = system
+
+

deployment-apps/winwatch/splunkbase.manifest

@@ -0,0 +1,98 @@
+{
+  "version": "1.0",
+  "date": "2022-11-14T16:44:39.683478381Z",
+  "hashAlgorithm": "SHA-256",
+  "app": {
+    "id": 3180,
+    "version": "1.1.1",
+    "files": [
+      {
+        "path": "static/appLogo_2x.png",
+        "hash": "aa240f3546bbd04536948e6f4832deea593263ad7c6f552ef5bd7e82024bdec5"
+      },
+      {
+        "path": "static/appIconAlt_2x.png",
+        "hash": "b832f7960c4708f3163aa6865c2fd62a58a3849953040b81b15fb73e83f5b2b9"
+      },
+      {
+        "path": "static/appIcon_2x.png",
+        "hash": "394b5469c877721ee8aac1c459530dda8a2a6d6164d961ad5373892456bc1bc9"
+      },
+      {
+        "path": "static/appIconAlt.png",
+        "hash": "947ffa5050835e40d7e704b12a9f0eee35afac620ffa5e7bb5e608909ae4bf70"
+      },
+      {
+        "path": "static/appIcon.png",
+        "hash": "ed6f17bf3592e0ef89b71aa58d7dcb7aece696a47a9b74fdeb5a15cecdc83dc8"
+      },
+      {
+        "path": "static/appLogo.png",
+        "hash": "1b1b0b25d20ed6e3829c2e79e0b61b825280d2c9211dccd9e2712d4b7516cab9"
+      },
+      {
+        "path": "static/application.css",
+        "hash": "3e87f005948ee9459254e03ab58a08ff68f70049a5f8bf0f8e36e4458d489343"
+      },
+      {
+        "path": "default/app.conf",
+        "hash": "278365f0e195b39e4139b476bafb61c6dcae133b2b0dd52e4702236b8f9cc2e5"
+      },
+      {
+        "path": "default/data/ui/nav/default.xml",
+        "hash": "9f72267997034d03931cbbdc2de31aa8a46080f244e8f051d587283258c3f7e7"
+      },
+      {
+        "path": "default/data/ui/views/logons.xml",
+        "hash": "a85a984232c14db6e242420f7e470c1f2b819a699182bbb93dbf0411a44f29f5"
+      },
+      {
+        "path": "default/data/ui/views/admin_activity.xml",
+        "hash": "c672bf228668357f348b93b56a2cde875cba5142688abc3057ef57bfc6308c16"
+      },
+      {
+        "path": "default/data/ui/views/README",
+        "hash": "f75000f12510d242fc99decea9e7e5a46a1a8bef910d3d6f741797816b35034d"
+      },
+      {
+        "path": "metadata/default.meta",
+        "hash": "9002ef6a926c74a75a4817e36c19f7c039b44b1cee7ecb9a39dcb59add002f41"
+      },
+      {
+        "path": "bin/README",
+        "hash": "eaaa0ae11a829d5492934487b9628ba841d2678941afc4d979dee5ff19b7adbb"
+      },
+      {
+        "path": "README",
+        "hash": "c06016197c4fe86061794310a5e979fd25f4ce53d35dccd1dc5ad552ed991a3a"
+      }
+    ]
+  },
+  "products": [
+    {
+      "platform": "splunk",
+      "product": "enterprise",
+      "versions": [
+        "7.0",
+        "7.1",
+        "7.2",
+        "7.3",
+        "8.0",
+        "8.1",
+        "8.2",
+        "9.0"
+      ],
+      "architectures": [
+        "x86_64"
+      ],
+      "operatingSystems": [
+        "windows",
+        "linux",
+        "macos",
+        "freebsd",
+        "solaris",
+        "aix"
+      ]
+    }
+  ]
+}

deployment-apps/winwatch/static/application.css

@@ -0,0 +1 @@
+.app-bar .app-name {     font-weight: bold !important;     display: inline !important;}.appLogo {     background: url("appLogo.png") no-repeat scroll 0 0 rgba(0, 0, 0, 0);}.app-name .app-logo {     display: inline !important;}