From 1f56bbc1c785c707ba8ffdac8d74372e21484a33 Mon Sep 17 00:00:00 2001 
From: admingit
Date: Tue, 24 Oct 2023 16:28:43 +0200
Subject: [PATCH] add_app
---
deployment-apps/eventid/.DS_Store | Bin 0 -> 6148 bytes
.../eventid/appserver/static/appIcon.png | Bin 0 -> 1596 bytes
.../eventid/appserver/static/appIcon_2x.png | Bin 0 -> 2172 bytes
.../eventid/appserver/static/application.css | 553 +++++
.../eventid/appserver/static/dashboard.css | 78 +
.../eventid/appserver/static/dashboard.js | 1128 +++++++++
.../eventid/appserver/static/default.css | 2152 +++++++++++++++++
.../eventid/bin/ev_process_proc.py | 45 +
.../eventid/bin/ev_process_xml_parameters.py | 48 +
deployment-apps/eventid/default/.DS_Store | Bin 0 -> 6148 bytes
deployment-apps/eventid/default/app.conf | 22 +
.../eventid/default/data/ui/nav/default.xml | 14 +
.../eventid/default/data/ui/views/README | 1 +
.../default/data/ui/views/audit_events.xml | 405 ++++
.../default/data/ui/views/documentation.xml | 55 +
.../eventid/default/data/ui/views/eventid.xml | 362 +++
.../data/ui/views/interesting_events.xml | 55 +
.../data/ui/views/interesting_processes.xml | 189 ++
.../data/ui/views/users_and_groups.xml | 225 ++
.../data/ui/views/windows_event_sources.xml | 120 +
.../ui/views/windows_events_xml_source.xml | 208 ++
deployment-apps/eventid/default/macros.conf | 8 +
deployment-apps/eventid/default/setup.xml | 23 +
.../eventid/default/transforms.conf | 22 +
.../eventid/default/workflow_actions.conf | 10 +
deployment-apps/eventid/license-eula.rtf | 57 +
.../lookups/eventid_interesting_events.csv | 22 +
.../lookups/eventid_interesting_processes.csv | 72 +
.../eventid/lookups/xml_event_types.csv | 6 +
deployment-apps/eventid/splunkbase.manifest | 165 ++
deployment-apps/eventid/static/appIcon.png | Bin 0 -> 1566 bytes
deployment-apps/eventid/static/appIconAlt.png | Bin 0 -> 1355 bytes
.../eventid/static/appIconAlt_2x.png | Bin 0 -> 2805 bytes
deployment-apps/eventid/static/appIcon_2x.png | Bin 0 -> 3240 bytes
34 files changed, 6045 insertions(+)
create mode 100644 deployment-apps/eventid/.DS_Store
create mode 100644 deployment-apps/eventid/appserver/static/appIcon.png
create mode 100644 deployment-apps/eventid/appserver/static/appIcon_2x.png
create mode 100644 deployment-apps/eventid/appserver/static/application.css
create mode 100644 deployment-apps/eventid/appserver/static/dashboard.css
create mode 100644 deployment-apps/eventid/appserver/static/dashboard.js
create mode 100644 deployment-apps/eventid/appserver/static/default.css
create mode 100755 deployment-apps/eventid/bin/ev_process_proc.py
create mode 100755 deployment-apps/eventid/bin/ev_process_xml_parameters.py
create mode 100644 deployment-apps/eventid/default/.DS_Store
create mode 100644 deployment-apps/eventid/default/app.conf
create mode 100644 deployment-apps/eventid/default/data/ui/nav/default.xml
create mode 100644 deployment-apps/eventid/default/data/ui/views/README
create mode 100644 deployment-apps/eventid/default/data/ui/views/audit_events.xml
create mode 100644 deployment-apps/eventid/default/data/ui/views/documentation.xml
create mode 100644 deployment-apps/eventid/default/data/ui/views/eventid.xml
create mode 100644 deployment-apps/eventid/default/data/ui/views/interesting_events.xml
create mode 100644 deployment-apps/eventid/default/data/ui/views/interesting_processes.xml
create mode 100644 deployment-apps/eventid/default/data/ui/views/users_and_groups.xml
create mode 100644 deployment-apps/eventid/default/data/ui/views/windows_event_sources.xml
create mode 100644 deployment-apps/eventid/default/data/ui/views/windows_events_xml_source.xml
create mode 100644 deployment-apps/eventid/default/macros.conf
create mode 100644 deployment-apps/eventid/default/setup.xml
create mode 100644 deployment-apps/eventid/default/transforms.conf
create mode 100644 deployment-apps/eventid/default/workflow_actions.conf
create mode 100644 deployment-apps/eventid/license-eula.rtf
create mode 100644 deployment-apps/eventid/lookups/eventid_interesting_events.csv
create mode 
100644 deployment-apps/eventid/lookups/eventid_interesting_processes.csv create mode 100644 deployment-apps/eventid/lookups/xml_event_types.csv create mode 100644 deployment-apps/eventid/splunkbase.manifest create mode 100644 deployment-apps/eventid/static/appIcon.png create mode 100644 deployment-apps/eventid/static/appIconAlt.png create mode 100644 deployment-apps/eventid/static/appIconAlt_2x.png create mode 100644 deployment-apps/eventid/static/appIcon_2x.png diff --git a/deployment-apps/eventid/.DS_Store b/deployment-apps/eventid/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..0f328807bfbfaa6628ff7fa508af1395b03e545c GIT binary patch literal 6148 zcmeHKJ5EC}5S)cbM50NV(pTUHRuoRa1^7Iuo|FR8zlw9^Xv}^Jq6b}4B$}1hW3P8? zd5X7h0oZ0gJOC>IOS&VzeVCi?yU*;VB1WY1j6Ftt4WDo0>u#3)cfh%K81Rk{y!__x zM&FW20VyB_q<|EV0w-3W3heU!#OLZbDIf(dUjhFH!68}z;)3BY&ZCzg zHV+Vc;grY-&5}w?s#S|&NoTxOUN4*ylMbuq!|G>E{ z#*~dsVzxmY#QTSG;>9a68r)-XQqg5iq4G@amK(9w7ViO|1kcsOYYwHectEy zJiq7bY7AM+qh>6e0RTXhE>oQ?t_i_6B1HT;Ofj9}vOv(}2|1iqaML^ks4Sd`0d*{0 zz+^MDrL5!}lL`Q#HhXTKkf(o#G;^$!4(doftW!h-Kx&%DNt=rp0W>iMc85|j@O_H} zv|E&t_hfol@1z);J+qu=a>}!E&E-XA!Ximq2BvyQ(E!T`H0WWA9WK(Nl#JOW#eGl= zNx(4`p-3rtMk-Hl04a`VK$#RyHp6lRlw(o^g9(gC0#O)&Aq0hBJQ;yW8BW3oIQ~dP zZ@k4yW~;U1zQmJKViN=>2|;eRTk1}ca(n@V5Cj3iD1@TPqDHc-%puU8WQQw$!h)J{ znR&ZYuyYPDXpuH?8w909Wcn-w)~VM|8g{tG6D6h$^3YBQk-`wm2ICsjb_v7gG z?aD24GEg?-;x_PRu^!g=39y*Empck7ifqW0yj?5`U99HJ8(796=+sJycq6sgEu@yh zwFrV^Fpk1<1%jv$IYp@nN`n(PrNyub8!y7*l#0S}B1Hk?2!d!(Rfe1(G^hfhWHLBK zGl|tXTmtPdGZTL8qTg{W`cf=O@eD0+d@jcoPjrC6#tEFu#yLSMMh(efM%j%Ap%zkmS@E8yoNS5OG1z)(bk;~0TxVaYhw@_(`hiDaN)dpy@J z6C$w(gWJjG7Y~!;!#Kp5;l<%tG;AyffRI9+T9xbRHYKfFcq$z_6>?@^xA)d>bn^jO zntycmCwHc-ZtFNZLyaBl53~dfyPt%IcCQ)q<|mDWXJFCVtyO=x*QLO>M9=G zj!ghwi>!z?UVRv|L{<&7+e)q^4s|+99yA=h&JzCA9^}%GUH9f)eK%jRrF%cIIxX+*Y3Qk*kxuRyw8YN`zTVTYquIZ*%(AU|@4~uT z{?ew!v-07mPq>40jHRVwsQ>BFM)HHUoyDo^TfDKi>cdd5u2hOtZ0rqh>C8;&O?lL+zRR!=MJ+TS>HRz847ZjUOzyU`c?pX)SP>O&d%)&Bzc_Fg*x literal 0 HcmV?d00001 
diff --git a/deployment-apps/eventid/appserver/static/appIcon_2x.png b/deployment-apps/eventid/appserver/static/appIcon_2x.png new file mode 100644 index 0000000000000000000000000000000000000000..2fa23aa1ef93e6c4be223ef3a97ea6ce1dee3f36 GIT binary patch literal 2172 zcmV-?2!r>DP)r_V%?cQ+Fp*Ix{3; zKbe#glwnvQqM5&DmZ+J!WN{|CWG*h6CB}&}nCQ$L3@~QN7LgxAWQ#vCPz0+mF7(pg z7FKQhUP__uz4tu+Q3|y5wzuuQZwvb*P3}GCIp_U8&wKiw^FHTXcn{LjP`9>aL){_( z|5S_dlGuay&#`&=&jHKIx9+Tg_ecQro_qYUc{4w+@B@K4C{G9|+~5H?_(*MDsaw(z z6ZtO6!b`>Nc?GFWgElv00NU2pS6aV*MqM5S$_MWC0D^pP{!6=iu6(~iIQ{8WRmSLQ z6_-u> zdiAX2%)~N*C1ApemI1{AK?eR3Kmwr)B>|j6=~7WwL|l|ER9!?ArAMIO3Q0lxMP(L7 zMO6ZqE*Df-U|@kNWe5v^;&Doji`cu%x9$4p@QQH-Ahy2lertI|kWT_L#wlW|I3r?L zj^sRK7=Y%6Rkw-SO~74Qm6m%B7?av~^DDbs(ixbsdT3d<@~fiu5Z9OUaaH+Nxfb3x zn)5Km2xxw2;HIIR|X^D?ePYW9NS}X^=JmEe$KbhVqlFNy{A;cuSD2ecHdZ zddJ>)rVVRCq40Uktm&#STm;ir*EiYp-C%9ldhcW(1Y@1$8&S~|O@px`5dc|b*1k+KWZOz?;MZ1Pdk zy$vedim~;fS9ZObTgek6ToNwqozd&4s3W2ds$msAdI1&!z5%b&E^SUG(G9U!?Bdmh zm#v%DtO@w@`s*up{C-QW92g{A5-v;>#EYykMTiusND&ZF2p9;eYEUu7f(C(NlsTY5 zL~fec73H8W(YOAcwzmHbuem$|I_9S~~lDe*T9OAN3yHqR+uGVLq^X}Aj^j8!%iSW}4J=lu%tpVH zM`KpaH=3H8_KapVA)z0rtbBh$<+DautKdvXUycwsqsos{hF?dc(cTQ~Gw-`9RJBU5 zUq-lVoNaSW66FmQ-EQ*oUXMf~eVI1Q$cgGus20pK2umieG3&IU{7H~Mnq=R;ksffF zFlqoop-?c-m}gNQ8p}3^bOEPOP9S1R999$2=W5iNqk-eX;e6l=n1Te_>7Hd zufH{NHZtz__-u2{+hCRBY(UvW2KmA?^rGxn!!Akr-mYjld2Bxg8{j#DSf z%L={;^!0bp=PxD_yK+5jv&rQE)KpYdtC;;0SZ+2VJbf}6{X>?udBWf@H!8kO<8)p@ zHq9uUeed<^JY0GP)PzE7b$oMtFT%qoqfOVXu zW4>1#Yyakjn5n?1>X^>?Q>m;ZAEqNltQl()#2#yHbv;ot1(;q894ATA_?+xnHQW=3_vs*jauZzbVeffVUDxd`nLX=u_4$?qSJnW+ZN-72<6ZIiF|P#Xno)D1x0IF5P37gk1YA80b{Vw( z#Oc%j$*nYR7$>N=;_mN)fuf@Z2?O&H>gNOk^GfEI{<)*0qd!MFbH+q=f$56JPjtrJ zUj>7KsGttW3Y$o6EDi>`yIl7u!+x4Joyp3vm#T`2J22*9LF#~ZMW35lSom6FW8<_R y5!pWXV`?fZZwKyGky2FuDt&oxO^1^p>G(f>#ryQm0*sRY0000real-time"), + TODAY_REFRESHED_TIME : _("today at %(timeText)s."), + GENERIC_REFRESHED_TIME : _("%(dateText)s ago"), + FULL_REFRESHED_TIME : _("refreshed: %(dateText)s"), + 
DISPLAY_REFLOW_EVENT: 'Splunk.Events.REDRAW', + PANEL_DROP_EVENT: 'Splunk.Events.PANEL_DROP', + windowWidth: $(window).width(), +// windowHeight: $(window).height(), + + initialize: function() { + // handlers to keep the last refreshed headers updated. + $(document).bind('jobResurrected', this.onJobExists.bind(this)); + $(document).bind('jobDispatched', this.onJobExists.bind(this)); + $(document).bind('jobProgress', this.onJobProgress.bind(this)); + + var that = this; + + // setup the headers to auto-truncate long titles + this.titleHeaders = $('.layoutCell .splHeader h2'); + this.handlePanelResize(); + + var timeoutID = null; + + $(window).bind('resize', function() { + if ( $(window).width() != that.windowWidth /*|| $(window).height() != that.windowHeight*/ ) { + that.windowWidth = $(window).width(); +// that.windowHeight = $(window).height(); + + if ( timeoutID ) + window.clearTimeout(that.timeoutID); + + timeoutID = window.setTimeout(function(){ + $(window).trigger("real_resize"); + }, 100); + } + }); + + $(window).bind('real_resize', this.handlePanelResize.bind(this)); +// $(document).bind('Splunk.Events.REDRAW', this.handlePanelResize.bind(this)); + $(document).bind('allModulesLoaded', this.handlePanelResize.bind(this)); + $(document).bind('jobDone', function(){ + if(!this.editMode) { + setTimeout(this.equalizeHeights, 500); + } + }.bind(this)); + + // custom event fired by chart modules when they are resized manually by the user + $(document).bind('ChartManualResize', this.handlePanelResize.bind(this)); + + $(document).bind('RefreshPage', this.softRefresh.bind(this)); +// $(window).bind('resize', function(){DebugUtils.trace("window.resize invoked")}); +// $(window).bind('real_resize', function(){DebugUtils.trace("window.real_resize invoked")}); +// $(document).bind('Splunk.Events.REDRAW', function(){DebugUtils.trace("Splunk.Events.REDRAW invoked")}); +// $(document).bind('allModulesLoaded', function(){DebugUtils.trace("allModulesLoaded invoked")}); +// 
$(document).bind('jobDone', function(){DebugUtils.trace("jobDone invoked")}); +// $(document).bind('ChartManualResize', function(){DebugUtils.trace("ChartManualResize invoked")}); + + + $(document).bind('PrintStart', this.insertPageBreakers.bind(this)); + $(document).bind('PrintEnd', this.removePageBreakers.bind(this)); + + this.searchIdToGroupNames = {}; + this.panelRowsSelector = 'div.layoutRow[class*="panel_row"]'; +// this.panelRowsSelector = 'div.layoutRow[class="panel_row*"]'; + this.$panelRows = $(this.panelRowsSelector); + + this.$isAwesomeBrowser = ! ($.browser.msie && $.browser.version < 9); + + // DebugUtils.trace( this.panelRowsSelector); + + //do equal heights + this.equalizeHeights(); + + var dragAndDropEnabled = false; + if ( Splunk.ViewConfig && ! ($.browser.msie && $.browser.version == 6) && 0 == $(".FlashWrapperContainer").length ) { + dragAndDropEnabled = (Splunk.ViewConfig.view.nativeObjectMode == "SimpleDashboard") && Splunk.ViewConfig.view.canWrite && ! Splunk.ViewConfig.view.hasRowGrouping; + } + + this.editMode = false; + $(document).bind('Splunk.Module.DashboardTitleBar.editMode', function(event, enabled){ + var $paneledit = $('.paneledit'); + + if (enabled) { + $paneledit.show(); + if(dragAndDropEnabled) { + that.dragAndDropControllerInit(); + that.editMode = true; + } + } else { + $paneledit.hide(); + if(dragAndDropEnabled) { + that.dragAndDropControllerDestroy(); + that.editMode = false; + } + } + }.bind(this)); + + that.panelEditInit(); + + //setup panel editor and focus model + this.messenger = Splunk.Messenger.System.getInstance(); + }, + + /** + * Reloads the existing page preserving old search jobs if they are present via the + * fragment identifier. 
+ * + * @param {String} excludeGimpId (Optional) An optional gimpId to exclude form the soft-refresh (forces job refresh) + */ + softRefresh: function(excludeGimpId) { + var frag = {}; //Splunk.util.queryStringToProp(Splunk.util.getHash()); + var gimps = $('.Gimp'); + for (var i = 0; i < gimps.length; i++) { + var gimpId = gimps[i].id; + if (gimpId==excludeGimpId) { + continue; + } + var gimpModule = Splunk.Globals['ModuleLoader'].getModuleInstanceById(gimpId); + var search = gimpModule.getContext().get("search"); + + if (!search || !search.job) continue; + + var sid = search.job.getSearchId(); + + if (!sid) continue; + + var meta = gimpModule.container.closest('.dashboardCell').find('.paneledit').attr("data-sequence"); + frag['panel_' + meta + ".sid"] = sid; + search.job.setAsAutoCancellable(false); + } + + frag['edit'] = 1; + window.location.hash = Splunk.util.propToQueryString(frag); + window.location.reload(); + }, + + // iterate on all the panels besides the one clicked on, and remove the menu. + // since this is a draggable object, the events are not propagating to the top and document.click is never triggered. + // we could manually trigger a dummy event, or a doc.click event, besides IE is garbage and it is throwing a weird error when we do so. + menusGC: function(orig){ + var that = this; + $('.paneledit').each(function(){ + if (this != orig){ + that.hideMenu(this.actionsMenu); + } + }); + }, + + hideMenu: function(menu){ + if (menu) { + menu.getMenu().remove(); + menu = null; + } + }, + + panelEditInit: function() { + var that = this; + + $('.paneledit').click(function(event) { + + that.menusGC(this); + + // since events are not being propagated, we have to manually hide our menu item if it is in a visible mode. + if (this.actionsMenu && this.actionsMenu.getMenu().is(':visible')) { + that.hideMenu(this.actionsMenu); + event.stopImmediatePropagation(); + return false; + } + + // remove the previous menu, since our id could have been changed. 
+ that.hideMenu(this.actionsMenu); + + var meta = $(this);//.parent(); + + var sequence = meta.attr('data-sequence'); + var intersectX = meta.attr('data-intersect-x'); + var intersectY = meta.attr('data-intersect-y'); + var dashboardId = meta.attr('data-dashboard-id'); + var app = meta.attr('data-app'); + var panelType = meta.attr('data-paneltype'); + var id = $($('.Gimp')[sequence]).attr('id'); + + var gimpModule = Splunk.Globals['ModuleLoader'].getModuleInstanceById(id); + //shallow object of k/v pairs adapted for panel editor + var panelSettings = gimpModule.getPanelSettings(panelType, 'options.'); + + + panelSettings.id = dashboardId; + panelSettings.panelType = panelType; + panelSettings.enable_fragment_id = 0; + panelSettings.enable_controls = 1; + + + + //search meta data + var context = null, search = null, job = null; + context = gimpModule.getContext(); + if (context) search = context.get('search'); + if (search) job = search.job; + + if (!job || job.areResultsTransformed()) + panelSettings.is_transforming = true; + else + panelSettings.is_transforming = false; + + //set the href to the panel editor + var editVisualizationHref = Splunk.util.make_url('paneleditor', app, 'edit', intersectX, intersectY)+ '?' 
+ Splunk.util.propToQueryString(panelSettings); + + + + var menuDict = [ + { + label: _("Edit search"), + uri: Splunk.util.make_url('paneleditor', app, 'searchedit', intersectX, intersectY) + '?id=' + encodeURIComponent(dashboardId), + callback: function(event) { + $(document).trigger('SessionTimeout.Jobber'); + that.showExpose(id); + var options = { + onBeforeDestroy: function() { + //restart the jobber + $(document).trigger('SessionStart.Jobber'); + $(".dashboardCellEditable").removeClass("dashboardCellActive"); + that.hideExpose(); + }, + onFrameLoad: function(popup, iframe) { + $(document).bind('panelsave', function() { + popup.destroyPopup(); + that.softRefresh(id); + }); + }, + isModal: false, + pclass: 'panelEditorPopup' + }; + Splunk.Popup.IFramer(event.target.href, _("Edit search"), options); + return false; + } + }, + { + label: _("Edit visualization"), + uri: editVisualizationHref, + callback: function(event) { + $(document).trigger('SessionTimeout.Jobber'); + //panel meta found on + //gimp module lookup + var id = $($('.Gimp')[sequence]).attr('id'); + that.showExpose(id); + var options = { + onBeforeDestroy: function() { + //restart the jobber + $(document).trigger('SessionStart.Jobber'); + $(".dashboardCellEditable").removeClass("dashboardCellActive"); + that.hideExpose(); + }, + onFrameLoad: function(popup, iframe) { + $(document).bind('panelsave', function() { + popup.destroyPopup(); + that.softRefresh(id); + }); + }, + isModal: false, + pclass: 'panelEditorPopup' + }; + Splunk.Popup.IFramer(event.target.href, _("Edit visualization"), options); + return false; + } + }, + { + label: _("Delete"), + uri: '', + callback: function(event) { + that.showExpose(id); + setTimeout(function(){ + var deletePanel = confirm(_('Are you sure you would like to delete this panel?')); + that.hideExpose(); + if (deletePanel) { + var url = Splunk.util.make_url('paneleditor', app, 'delete', intersectX, intersectY)+ '?' 
+ Splunk.util.propToQueryString({id: dashboardId}); + $.ajax({ + url: url, + type: 'POST', + timeout: 10000, + complete: function(jqXHR, textStatus) { + if (jqXHR.status==204) { + //delete node beacuse we are going to reset sequence + meta.closest('.layoutCell').remove(); + that.resetSequence(); + that.softRefresh(id); + } else { + alert(_('Sorry, the specified panel could not be deleted.')); + } + } + }); + } + }, 600); + return false; + } + } + ]; + this.actionsMenu = new Splunk.MenuBuilder({ + menuDict: menuDict, + activator: (that.$isAwesomeBrowser ? meta : meta.parent()), + menuClasses: 'splMenu-primary' + }); + this.actionsMenu.showMenu(); + return false; + }); + }, + + panelRowsAddOverlayLayers: function(doBind) { + + var that = this; + that.isDNDEditMode = doBind; + + if(doBind) { + $(window).unbind("real_resize", doAddOverlays); + $(window).bind("real_resize", doAddOverlays); + doAddOverlays(); + } + + + function doAddOverlays(e) { + + if ( ! that.isDNDEditMode ) { + return ; + } + + var start = DebugUtils.getCurrfentTime(); + + var mySelection = $(that.panelRowsSelector); + mySelection.find(".vmPanelDropPlaceholderOverlay").remove(); + + // reset z-index since IE is dumb. + if ( ! that.$isAwesomeBrowser ) { + mySelection.children().css({"z-index": "1"}); + } + + mySelection.find(".layoutCellInner").each(function(){ + var overlayNode = $(document.createElement("div")).addClass("layoutCellInner vmPanelDropPlaceholderOverlay"); + $(this).after(overlayNode); + var ieThingy = 25; + + var height = ($(this).parent().height()); + if( ! that.$isAwesomeBrowser ) + height -= ieThingy; + + height += "px"; + + var top = that.$isAwesomeBrowser ? "0" : ieThingy+"px"; + bindAttributes(overlayNode, ($(this).parent().width() - 15) + "px", height, top); + + + if ( ! 
that.$isAwesomeBrowser ) { + overlayNode = $(document.createElement("div")).addClass("layoutCellInner vmPanelDropPlaceholderOverlay"); + $(this).after(overlayNode); + bindAttributes(overlayNode, ($(this).parent().width() - 100) + "px", ieThingy + "px", 0); + } + }); + + + function bindAttributes(element, width, height, top) { + element.css({ + 'width': width, + 'height': height, + 'z-index': 2, +// 'background-color': 'red', + 'top': top + }).bind({ + mouseover: function(){ + var selection = $(this).parent().children().first(); + selection.find(".dashboardContent, .splHeader").css("opacity", "0.6"); + }, + mouseout: function(){ + that.dragAndDropMouseOut($(this).parent().children().first()); + } + }); + } + + DebugUtils.trace( "doAddOverlays", start) ; + + } + + }, + + dragAndDropMouseOut: function (selection) { + if (selection) { + selection.find(".dashboardContent, .splHeader").css("opacity", "1.0"); + } + else { + this.dragAndDropMouseOut($(this.panelRowsSelector).find('.layoutCellInner')); + } + }, + + dragAndDropControllerInit: function() { + + var that = this; + + var maxHeight = 250; + var newRowHeight = 20; + + var sortableParameters = { + connectWith: that.panelRowsSelector, + placeholder: 'vmPanelDropPlaceholder', + opacity: 0.7, + tolerance: 'pointer', + cursor: 'move', + delay: 100, + cursorAt: { top: (maxHeight / 2) }, + handle: '.vmPanelDropPlaceholderOverlay' + }; + + //help IE get out of class early + if(! this.$isAwesomeBrowser){ + sortableParameters.helper = function(){ + return $('
'); + }; + sortableParameters.opacity = 1; + } + + $('.splLastRefreshed').hide(); + + $(that.panelRowsSelector).fadeOut('fast', function(){$(this).fadeIn('fast');}); + + + // FIXME hide the "move panels" button + // this should be removed from the template once the feature is stable + $(".editmode > .splButton-tertiary.move").hide(); + + + _removeEmptyRows(); + + // set max height + var selector = $(that.panelRowsSelector); + + selector.find(".layoutCell").css({"max-height": (maxHeight + "px")/*, "overflow": "hidden"*/}); + selector.find(".layoutCellInner").css({"min-height": "0", "max-height": ((maxHeight - 10) + "px"), "overflow": "hidden"}); + selector.find(".dashboardContent").css({"max-height": ((maxHeight - 60) + "px"), "overflow": "hidden"}); + + that.panelRowsAddOverlayLayers(true); + + _generateEmptyRows(false); + + that.changeChartFlow(); + + /** END COMMANDS - METHODS START HERE */ + + + function _bindEvents() { + + var myRowSelection = $(that.panelRowsSelector); + + myRowSelection.unbind('sortstart'); + myRowSelection.unbind('sortactivate'); + myRowSelection.unbind('sortover'); + myRowSelection.unbind('sortstop'); + + myRowSelection.bind( "sortstart", _sortableStart ); + myRowSelection.bind( "sortactivate", _sortableActivate ); + myRowSelection.bind( "sortover", _sortableOver ); + myRowSelection.bind( "sortstop", _sortableStop ); + } + + + function _sortableStart(event, ui) { + $('.vmPanelDropPlaceholder').css("height", Math.floor( $(ui.item).height() - 15) + 'px' ); //TODO: this seems hacky + $('.vmPanelDropPlaceholder').css("width", Math.floor($(ui.item).width() - 25) + 'px'); + } + + function _sortableActivate(event, ui) { +// var start = DebugUtils.getCurrfentTime(); + + if( ! 
(this === ui.item.parent()[0]) ) { + if ( $(this).children().length > 2 ) { // disable rows that has 3 panels - this is a UI constrain + $(this).sortable("disable"); + _sortableRefresh(); + } + } + else if ( $(this).children().length == 2 ) { // for a single panel row - disable the insertion points above and below + $(this).next().sortable("disable");//.css("background-color", "red"); + $(this).prev().sortable("disable");//.css("background-color", "green"); + _sortableRefresh(); + } + +// DebugUtils.trace( "_sortableActivate", start) ; + + } + /** + * handle sortable over target + */ + function _sortableOver(event, ui) { + // var start = DebugUtils.getCurrfentTime(); + + that.equalizeWidths(event, ui); + + var numItems = $(this).children().length; + if ( $(ui.sender).context === $(this).context ) + numItems--; + + var width = Math.floor(96 / numItems) + "%"; + $('.vmPanelDropPlaceholder').css("width",width); + + // attempt to set width of helper to width of placeholder + //$(ui.helper).width($(ui.placeholder).width()); + +// var height = Math.max($(this).height(), $(ui.item).height()) + "px"; +// // DebugUtils.trace( "_sortableOver", start) ; + } + + function _sortableStop(event, ui) { + var start = DebugUtils.getCurrfentTime(); + + // on some rare cases you can drop the panel top a position where the mouse is not over it. + // for these cases we would like to apply the mouseout styling ann all panels, just to play safe. 
+ that.dragAndDropMouseOut(); + + + // hide any visible menus + that.menusGC(); + + DebugUtils.trace("_sortableStop invoked") ; + + $(that.panelRowsSelector).sortable('destroy'); + + _removeEmptyRows(); + + that.equalizeWidths(event, ui, true); + + // save the state to the system + _save(); + + that.changeChartFlow(); + + $(".vmPanelDropPlaceholderOverlay", $(that.panelRowsSelector)).remove(); + + _generateEmptyRows(true); + + that.panelRowsAddOverlayLayers(true); + + // fire off the panel drop event, passing the dropped element as extra data + $(document).trigger(that.PANEL_DROP_EVENT, {droppedElement: ui.item[0]}); + + DebugUtils.trace( "_sortableStop end", start) ; + } + + + function _sortableInit( setParams ) { + var start = DebugUtils.getCurrfentTime(); + var sortable; + + if (setParams ) + sortable = $(that.panelRowsSelector).sortable(sortableParameters); + else + sortable = $(that.panelRowsSelector).sortable(); + + + sortable.disableSelection(); + + _bindEvents(); + + DebugUtils.trace( "_sortableInit ("+(setParams)+") ", start) ; + return sortable; + } + + function _sortableRefresh(setParams) { + var start = DebugUtils.getCurrfentTime(); + var sortable = _sortableInit(setParams).sortable("refresh"); + DebugUtils.trace( "_sortableRefresh", start) ; + return sortable; + } + + + function _generateEmptyRows(doRefresh) { + + var counter = 1; + $(that.panelRowsSelector).each(function(){ + _addEmptyRow($(this), "before"); + }); + _addEmptyRow($(that.panelRowsSelector).last(), "after", 100); + + // XXX not sure what is causing this, but sometimes new rows are getting a 0 opacity. + // This ugly woraround takes care of that. + $(".layoutRow").fadeTo(0, 1); + + doRefresh ? _sortableRefresh(true) : _sortableInit(true); + + + function _addEmptyRow(element, where, rowHeight) { + var start = DebugUtils.getCurrfentTime(); + + rowHeight = rowHeight ? 
rowHeight : newRowHeight; + var newElement = $(document.createElement("div")).addClass("layoutRow equalHeightRow splClearfix panel_row1_col").css("min-height", rowHeight + "px"); + ( where == "after" ) ? element.after(newElement) : element.before(newElement); + + DebugUtils.trace( "_addEmptyRow", start) ; + } + } + + + function _removeEmptyRows() { + var start = DebugUtils.getCurrfentTime(); + + $(that.panelRowsSelector).each(function(){ + if ( $(this).children().length == 0 ) + $(this).remove(); + }); + +// $(".vmPanelDropPlaceholderOverlay", $(that.panelRowsSelector)).css("opacity", "0.2").css("background-color", "white"); +// $(".layoutCellInner", $(that.panelRowsSelector)).parent().children().first().css("box-shadow", "0 0 5px #CCCCCC"); + + DebugUtils.trace( "_removeEmptyRows", start) ; + } + + + + + function _save() { +// var start = DebugUtils.getCurrfentTime(); + $.post(Splunk.util.make_url(['viewmaster', Splunk.util.getCurrentApp(), Splunk.ViewConfig.view.id].join('/')), { + 'action': 'edit', + 'view_json': JSON.stringify(_toJSON()) + }, + _onSaveCallback, 'json'); + +// DebugUtils.trace( "_save", start) + function _toJSON() { + var output = {}; + output['new_panel_sequence'] = []; + + $(that.panelRowsSelector).each(function() { + var rowSet = []; + $('.paneledit', this).each(function() { + var s = parseInt($(this).attr('data-sequence'), 10); + if (!isNaN(s)) + rowSet.push(s); + }); + output['new_panel_sequence'].push(rowSet); + }); + return output; + } + + function _onSaveCallback(jsonObject){ + if (jsonObject.success) { + // reset the current indexing to future actions + that.resetSequence(); + } + else { + for (var i=0,L=jsonObject.messages.length; i"); + lastRefreshedSpan.addClass("splLastRefreshed"); + lastRefreshedSpan.attr("title", sprintf(this.FULL_REFRESHED_TIME, {dateText: longDateText})); + if (shortDateText === this.NOW_REFRESHED_TIME) { + lastRefreshedSpan.html(sprintf(this.NOW_REFRESHED_TIME)); + } else { + 
lastRefreshedSpan.html(sprintf(this.GENERIC_REFRESHED_TIME, {dateText: shortDateText})); + } + + // 4 go find the correct panel title + $('h2[title="' + group + '"]').closest('.layoutCell').find('.meta').attr('title', group); + $('.meta[title="' + group + '"]').find("span.splLastRefreshed").remove(); + $('.meta[title="' + group + '"]').prepend(lastRefreshedSpan); + }, + /** + * Auto truncates the panel headers based on available width + */ + handlePanelResize: function() { + this.titleHeaders.each(function() { + // without this check it has the neat effect of nuking the contents of all $(".splHeader h2") + // including those in modules like ResultsHeader. + if ($(this).attr('title')) { + // this is just a trial and error calculation; could be smarter + var charWidth = parseInt(Math.pow($(this).parent().width() / 12 - 15, 1.15), 10); + //$(this).text(Splunk.util.smartTrim($(this).attr('title'), charWidth)); + } + }); + // set equal heights in view mode only + if(!this.editMode) { + this.equalizeHeights(); + } + }, + + /** + * This method catches the case where the user is looking at a new simple + * dashboard that has no panels, and displays an accelerator link + */ + showDashboardPrompts: function() { + var view_config = Splunk.util.getCurrentViewConfig(); + if (view_config.hasOwnProperty('view') && view_config['view']['objectMode'] != 'SimpleDashboard') { + return false; + } + var panelCount = $('.dashboardCell').length; + if (panelCount == 0) { + var link = $( _('

This dashboard is empty. Edit the dashboard to add a panel.

')).bind('click', function() { + Splunk.Globals.Viewmaster.openDashEditForm(Splunk.util.getCurrentView()); + return false; + }).appendTo($('.layoutRow.firstRow')); + } + }, + /** + * This method equalizes heights of dashboard cells within the same panel + */ + equalizeHeights: function() { + var start = DebugUtils.getCurrfentTime(); + $(".equalHeightRow").each(function(){ + $(this).find('.layoutCellInner').css({'min-height': 0}); + if ($.browser.msie && $.browser.version == 6.0) { + $(this).children().css({'height': 0}); + } + var max = 0; + $(this).find('.layoutCellInner').each(function(i){ + if ($(this).height() > max) { max = $(this).height(); } + }); + if ($.browser.msie && $.browser.version == 6.0) { $(this).find('.layoutCellInner').css({'height': max}); } + $(this).find('.layoutCellInner').css({'min-height': max}); + }); + DebugUtils.trace( "equalizeHeights", start) ; + }, + + /** + * This method traverses the dashboard rows from top to bottom, whenever it finds one that will have a page break + * in the middle of it, inserts a page-breaking element above it + */ + insertPageBreakers: function() { + // IE9 and IE10 can handle page breaking purely in CSS + if($.browser.msie && parseFloat($.browser.version) >= 9) { + return; + } + var $row, rowHeight, + currentHeight = 0, + $pageBreaker = $('
'), + pageBreakHeight = ($.browser.msie) ? 800 : 900; // pixel height to use when breaking up the page + + $('.equalHeightRow').each(function(i, row) { + $row = $(row); + // caclulate the row height, force to zero for empty elements, since some browsers will report a non-zero height + rowHeight = ($row.is(':empty')) ? 0 : $row.outerHeight(true); // true means include margin + if(i != 0 && rowHeight > 0 && currentHeight + rowHeight >= pageBreakHeight) { + // this element needs a page break before it + $pageBreaker.clone().insertBefore($row); + currentHeight = rowHeight; + } + else { + currentHeight += rowHeight; + } + }); + }, + + removePageBreakers: function() { + if($.browser.msie && parseFloat($.browser.version) >= 9) { + return; + } + $('.page-breaker').remove(); + } + +}); + +var DebugUtils = { + + traceEnabled: false, + + getCurrfentTime: function() { + if(this.traceEnabled) + return (new Date()).getTime(); + }, + trace: function(arg, start) { + if( this.traceEnabled && window.console) { + var now = this.getCurrfentTime(); + arg = this._addSpaces(arg, 30); + if (start) + arg += ["\t", (now - start)].join(''); + console.log([now, "\t", arg].join('')); + } + }, + _addSpaces: function(str, len) { + var newStr = str; + while(newStr.length < len) + newStr += " "; + + return newStr; + } +}; + + + + + diff --git a/deployment-apps/eventid/appserver/static/default.css b/deployment-apps/eventid/appserver/static/default.css new file mode 100644 index 00000000..37a0cd51 --- /dev/null +++ b/deployment-apps/eventid/appserver/static/default.css 
@@ -0,0 +1,2152 @@
+/*
+ * Glorious Splunk Skin
+ *
+ */
+
+
+
+
+/* Basic Typography
+---------------------------------*/
+body, td {
+ font-family:Arial,Helvetica,sans-serif;
+ font-size:11px;
+ color: #333;
+}
+
+input, textarea, select, optgroup {
+ font-family:Arial,Helvetica,sans-serif;
+ font-size:12px;
+ color: #111;
+}
+
+h1 {
+ font-size: 18px;
+ font-weight: normal;
+ color:#73A550;
+}
+h2 {
+ font-size: 12px;
+ font-weight:bold;
+ color: #333;
+}
+h3 {
+ font-size: 12px;
+ font-weight: bold;
+ color: #333;
+}
+h4 {
+ font-size: 11px;
+ font-weight: bold;
+ color: #333;
+}
+
+/* font styles */
+.splFont-mono, .SearchBar label {
+ font-family: Consolas,Monaco,Courier New,monospace;
+}
+
+.SearchBar textarea, .SearchBar label {
+ font-size: 12px;
+ -moz-box-shadow: none;
+ -webkit-box-shadow: none;
+ box-shadow: none;
+}
+.SearchBar textarea:focus {
+ outline: 0;
+}
+
+/* link colors
+---------------------------------*/
+a {
+ color: #1a7996;
+}
+a.disabled {
+ color:#999;
+}
+
+/* panel-specific font colors
+---------------------------------*/
+.appHeaderWrapper {
+ color: #666;
+}
+.appHeaderWrapper a {
+ color: #CCC;
+}
+
+.appHeaderWrapper a.help {
+ background: url(../../../img/skins/default/icon-help-12.png) no-repeat left center;
+ _background: url(../../../img/skins/default/icon-help-12-black-ie6.png) no-repeat left center; /* for ie 6 */
+ display: block;
+ padding-left: 16px;
+ float: left;
+}
+
+
+/* Application Header
+_________________________________*/
+/* app header wrapper */
+/* - this can be used to set a background for the entire header area. */
+.appHeaderWrapper {
+ background: #000 url(/static/img/skins/default/bg_appHeaderWrapper.png) repeat-x;
+}
+/* application header */
+.appHeader {
+ /* height:100px; // to change the height of the header area, add a height property here. */
+}
+
+/* change the app logo here. set the height/width for your image, as well as the path to the image */
+.appLogo {
+ height: 43px;
+ width: 80px;
+ background: url(/static/img/skins/default/splunk_logo_black.png) no-repeat 0 0;
+ _background: url(/static/img/skins/default/splunk_logo_black.gif) no-repeat 0 0;
+}
+
+/*
+use this to display the name of the app.
+use line-height to adjust alignment with logo. if
+if the name of the app is in the logo, set this to display: none;
+*/
+.appHeaderWrapper h1 {
+ color:#73a550;
+ line-height: 43px;
+}
+
+
+/* background colors
+---------------------------------*/
+
+/* default page color */
+body, .splBackground-default, .graphArea, .resultsArea,
+.reportSecondPanel, .reportThirdPanel, .sidebarCollapsed,
+.SearchBar .saTypeaheadWrapper {
+ background-color: #FFF;
+}
+
+/* primary background - applies to search controls and primary action panels */
+.viewHeader, .mainSearchControls, .splSearchControls-inline,
+.SearchBar .saHelpWrapper {
+ background-color: #edede7;
+}
+
+/* secondary background - sidebar, other panels */
+.splBackground-secondary, .sidebarExpanded {
+ background-color:#edede7;
+}
+
+/* Specific overrides */
+.layoutCellInner .ResultsHeader .splHeader, .layoutCellInner .ResultsHeader .splHeader-secondary {
+ background: transparent none;
+}
+
+
+/* headers
+---------------------------------*/
+.splHeader-primary {
+ border-top-width: 1px;
+ border-top-style: solid;
+}
+
+.splHeader-secondary {
+ border-top-width: 1px;
+ border-top-style: solid;
+}
+
+
+
+.splHeader-secondary {
+ background-color: #edede7;
+ _background-position: 0px -111px;
+}
+/* navigation bar */
+.splHeader-navigation {
+ background-image: none;
+ _background-image: none;
+}
+
+.splHeader h2 a {
+ font-weight:normal;
+}
+
+/* Specific overrides */
+.TitleBar .splHeader, .FieldPickerPopup .splHeader-primary {
+ background-color: #edede7;
+ background-image: none;
+}
+
+.FlashTimeline .splHeader-primary {
+ background: #fff url(/static/img/skins/default/overlay_topgradient_7.png) repeat-x;
+ _background-image: none;
+}
+
+.FlashTimeline {
+ background: #fff url(/static/img/skins/default/overlay_bottomgradient_7.png) repeat-x bottom center;
+ _background-image:none;
+}
+
+.DisableRequiredFieldsButton {
+ background: #edede7 url(/static/img/skins/default/overlay_topgradient_32.png) repeat-x;
+ _background-image:none;
+}
+
+.splView-flashtimeline .ResultsHeader .splHeader-primary {
+ background: #edede7 url(/static/img/skins/default/overlay_topgradient_32.png) repeat-x;
+ _background-image:none;
+ border-color: #a4a4a4;
+ padding-top: 5px;
+}
+
+.splView-flashtimeline .ResultsHeader .splHeader-primary h2 {
+ background-color: #fff;
+ -webkit-border-top-left-radius: 6px;
+ -moz-border-radius-topleft: 6px;
+ border-top-left-radius: 6px;
+}
+
+/* borders
+---------------------------------*/
+* {
+ border-color: #ccc;
+}
+
+div.sidebarCollapsed .sidebarControl {
+ -moz-border-radius: 0 0 5px 0;
+ -webkit-border-radius: 0 0 5px 0;
+ border-radius: 0 0 5px 0;
+ background: #edede7 url(/static/img/skins/default/overlay_topgradient_32.png) repeat-x;
+ border-top: 1px solid #A4A4A4;
+}
+
+div.sidebar .FieldPicker {
+ border-color: #a4a4a4;
+}
+
+/* Dashboards
+_______________________________*/
+
+/* dashboard headers */
+
+body.splTemplate-dashboard {
+ background-color: #EDEDE7;
+}
+.splHeader-dashboard {
+ background-image: none;
+}
+.splHeader-dashboard {
+ background-color: transparent;
+}
+.splHeader-dashboard h2,
+.dashboardContent .ServerSideInclude h2,
+.dashboardContent .GenericHeader h3 {
+ font-size:12px;
+ color: #73a550;
+ font-weight:bold;
+ background-color: transparent;
+}
+/* rounded box for dashboard modules */
+.dashboardCell {
+ position: relative;
+ background: #fff;
+ border-style: solid;
+ border-width: 1px;
+ -moz-border-radius: 5px;
+ -webkit-border-radius: 5px;
+ border-radius: 5px;
+ -moz-box-shadow: 0 0 5px rgba(0, 0, 0, 0.25);
+ -webkit-box-shadow: #ccc 0 0 5px;
+ box-shadow: #ccc 0 0 5px;
+ _background-image: none;
+}
+
+.dashboardContent .SimpleResultsTableResults, .dashboardContent .EventsViewer {
+ background-image: none;
+ background: transparent;
+}
+
+
+
+/* form elements
+_________________________________*/
+fieldset legend {
+ color: #73A550;
+ font-size: 14px;
+ font-weight: bold;
+}
+fieldset legend span{
+ color: #000;
+ font-size: 10px;
+ font-weight: normal;
+}
+input, textarea, select {
+ font-family: Arial, Helvetica, sans-serif;
+ font-size: 11px;
+}
+input[type="text"], input[type="textfield"], input[type="password"],
+textarea, .input-facade,
+.splTextAreaStd,
+.codeMirrorTextAreaWrapper,
+div.accumulator-scrollbox {
+ box-shadow: inset 0px 1px 3px #ccc;
+}
+.input-hide, input.input-hide, textarea.input-hide,
+.splTextAreaStd textarea {
+ box-shadow: none;
+}
+label {
+ font-size: 12px;
+}
+label.disabledLabel {
+ color:#666;
+}
+select option[disabled] {
+ color:#999;
+ box-shadow: none;
+}
+input.readonly {
+ background-color: #999;
+ box-shadow: none;
+}
+p.exampleText {
+ color: #666;
+ clear: both;
+}
+p.fieldsetHelpText {
+ color: #666;
+}
+input[disabled]{
+background-color: #f4f4f1;
+color: #333;
+padding-left: 0;
+box-shadow: none;
+}
+.splTextArea {
+ border:1px solid #ccc;
+}
+
+
+/* tables
+------------------------------*/
+table.splTable {
+ border-color: #999;
+}
+table.splTable th {
+ border-color: #999;
+}
+table.splTable th a {
+ color: #000;
+}
+table.splTable td {
+ border-color: #CCC;
+}
+.empty_results {
+ background: #edede7;
+ border: 0px !important;
+ font-size: 12px;
+ font-weight: normal !important;
+ padding: 10px !important;
+ -webkit-border-radius: 4px;
+ -moz-border-radius: 4px;
+ border-radius: 4px;
+ color: #666 !important;
+}
+
+/* sorting */
+.splSortNone, .splSortAsc, .splSortDesc {
+ background-image: url(/static/img/skins/default/splIcons.gif);
+ background-position: -67px -446px;
+ background-repeat: no-repeat;
+ cursor: pointer;
+}
+.splSortDesc {
+ background-position: -67px -365px;
+}
+.splSortDesc:hover {
+ background-position: -67px -385px;
+}
+.splSortAsc{
+ background-position: -67px -385px;
+}
+.splSortAsc:hover {
+ background-position: -67px -366px;
+}
+
+/* global elements
+---------------------------------*/
+.splPipe {
+ color:#999;
+}
+.splDivider {
+ border-bottom-style: solid;
+ border-bottom-width: 1px;
+}
+#loading {
+ background-color:#73a550;
+ color:#fff;
+} /* I smell a refactor here... */
+#loadingmessage {
+ font-size:18px;
+ background: url(/static/img/skins/default/loading_white.gif) no-repeat 0 0;
+}
+.popupLoading {
+ background: url(/static/img/skins/default/loading_white.gif) no-repeat 0 20px;
+ font-size:18px;
+}
+.mouseoverHighlight, .mouseoverHighlight td {
+ background-color:#f5e998;
+}
+
+.searchFieldGhost {
+ border-color: #333;
+}
+.widgeterror { color: red; font-weight: bold; }
+
+.resultStatusMessage {
+ color: #666;
+}
+
+/* percentage bar graph
+_________________________________*/
+.splBarGraph {
+ background: #edede7;
+}
+.splBarGraphBar {
+ background: #73a550 url(/static/img/skins/default/overlay_gradient_28.png) repeat-x;
+}
+.splBarGraphValue {
+
+}
+
+.graphLoading {
+ padding-bottom: 5px;
+}
+
+/* popups
+---------------------------------*/
+
+.popupContainer {
+ z-index:10000;
+ border-color: #666;
+ -moz-box-shadow: 0 0 8px rgba(0, 0, 0, 0.7);
+ -webkit-box-shadow: #222 0 0 8px;
+ box-shadow: #222 0 0 8px;
+}
+
+.wizardPopup .popupContent iframe {
+ width:400px;
+ border:none;
+ display: block;
+}
+
+.wideTreeviewPopup .popupContent iframe {
+ width:700px;
+ height:433px;
+ border:none;
+ display: block;
+}
+
+.panelEditorPopup .popupContent iframe {
+ width:340px;
+ border:none;
+ display: block;
+}
+.panelEditorPopup .popupContent {
+ min-width:340px;
+}
+
+.fieldValuePopup {
+ border-color: #666;
+ -moz-box-shadow: none; /* needs dropshadow for others than ff3.5 and safari 4, removing this one and adding the jank normal dropshadow from menu*/
+ -webkit-box-shadow: none;
+ box-shadow: none;
+ border: none;
+}
+.fieldValuePopup .fieldValuePopupInner {
+ border:1px solid #CCC;
+ background-image:url(/static/img/skins/default/bg_reversegradient_28.png);
+}
+
+/* fieldpicker popup */
+.fieldLayers .popupContainer {
+ border-color: #ccc;
+}
+
+.pdfPopup {
+ background: #fff;
+}
+
+/* popup header bar */
+.splHeader-popup {
+ background: #000 url(/static/img/skins/default/overlay_gradient_28.png) repeat-x 0 0;
+ _background: #000 url(/static/img/skins/default/backgrounds_ie6.gif) repeat-x 0 -450px;
+}
+.splHeader-popup h2 {
+ color:#FFF;
+ font-size:14px;
+}
+
+.splHeader-popup, .splHeader-popup h2 {
+ cursor: move;
+}
+
+/*iframe loading*/
+.popupContent .popup-loading {
+ width: 100%;
+ height:100%;
+ position:absolute;
+ top:0;
+ text-indent:-1000em;
+ direction:ltr;
+ background: #fff url('/static/img/skins/default/loading_white.gif') no-repeat center center;
+ _height:100px; /* IE6 won't recalculate height properly :( */
+}
+
+/* popup content */
+.popupContent {
+ background-color: #FFF;
+ position:relative;
+ _zoom:1;
+}
+
+.popupContent .error, .wizard .error {
+ font-size: 12px;
+ background: #af4444;
+ margin: 10px;
+ margin-bottom: 0px;
+
+ -moz-border-radius:4px 4px 4px 4px;
+ -webkit-border-radius: 4px 4px 4px 4px;
+ border-radius: 4px 4px 4px 4px;
+}
+
+/* popup footer (button container) */
+.popupFooter {
+ background: #edede7 url(/static/img/skins/default/overlay_topInnerShadow_35.png) repeat-x;
+ _background: #000 url(/static/img/skins/default/backgrounds_ie6.gif) repeat-x 0 -231px;
+}
+
+/* Field Value popup-specific styles */
+
+.fieldValuePopup h3 em {
+ font-size:11px;
+}
+
+.fieldValuePopup table th.fieldName {
+ font-weight: normal;
+}
+
+.fieldValuePopup table tr:first-child th.fieldName {
+ font-weight: bold;
+}
+
+.fieldValuePopup table td, .fieldValuePopup table th {
+ color:#333;
+ border-bottom-style: dotted;
+ border-bottom-width: 1px;
+}
+
+.fieldValuePopup table tr.fieldNameHeaderRow th {
+ border-bottom-style: solid;
+ border-bottom-width: 1px;
+}
+
+.fieldValuePopup table tr.fieldNameHeaderRow td {
+ font-weight:bold;
+ color:#000;
+ border-bottom: none;
+}
+.fieldValuePopup p.reportLinks,
+.fieldValuePopup div.reportLinks
+{
+ -moz-border-radius: 4px;
+ -webkit-border-radius: 4px;
+ border-radius: 4px;
+}
+
+/* overlays and shadows
+---------------------------------*/
+.splOverlay, .splOverlay-white {
+ background-color: #000;
+ opacity:0.7;
+ filter:alpha(opacity=70);
+}
+.splOverlay-white {
+ background-color:#FFF;
+}
+
+.splShadow {
+ background: url(/static/img/skins/default/shadow_soft.png) no-repeat bottom right;
+ -moz-border-radius-bottomleft: 16px; /*is this supposed to be different?*/
+ -moz-border-radius-topright: 17px;
+ -webkit-border-top-right-radius: 17px;
+ -webkit-border-bottom-left-radius: 17px;
+ border-top-right-radius:17px;
+ border-bottom-left-radius:17px;
+ _background: none;
+}
+
+/* buttons
+---------------------------------*/
+
+.splButton-primary,
+.splButton-secondary,
+.splButton-tertiary {
+ background: #73a550 url(/static/img/skins/default/overlay_gloss_28.png) repeat-x left -3px;
+ color: #FFF;
+ font-family: Arial, Helvetica, sans-serif;
+ font-size:12px;
+ border: 1px solid #5e8d3d;
+ -moz-border-radius: 4px;
+ -webkit-border-radius: 4px;
+ border-radius: 4px;
+ _background-image: none;
+}
+button.splButton-primary span,
+button.splButton-secondary span,
+button.splButton-tertiary span
+{
+ line-height:21px; /*Note: line-height won't work on buttons in FF*/
+}
+
+.splButton-primary {
+ color:#fff;
+ background-color: #659c40;
+ border: 1px solid #5e8d3d;
+}
+.splButton-secondary {
+ color: #333;
+ background-color:#fff;
+ border: 1px solid #bbb;
+}
+.splButton-tertiary {
+ color:#fff;
+ background-color: #548ea0;
+ border: 1px solid #498a99;
+}
+
+.splButton-primary:hover,
+.splButton-primary:focus {
+ background-color: #4e7830;
+ outline: none;
+}
+
+.splButton-secondary:hover,
+.splButton-secondary:focus {
+ background-color: #f3f3f3;
+ border-color: #aaa;
+ outline: none;
+}
+
+.splButton-tertiary:hover,
+.splButton-tertiary:focus {
+ background-color: #326c79;
+ outline: none;
+}
+
+.splButton-disabled,
+.splButton-disabled:hover,
+.splButton-disabled:focus {
+ background: #bbb;
+ color: #999;
+ border-color: #999;
+}
+
+.splButton-disabled .splButtonIcon {
+ opacity:0.5;
+}
+
+.splButton-primary span.splMenuIcon,
+.splButton-tertiary span.splMenuIcon {
+ background-position: 0 -300px;
+}
+
+/* buttons Groups
+---------------------------------*/
+
+.splButtonGroup .splButton-primary,
+.splButtonGroup .splButton-secondary,
+.splButtonGroup .splButton-tertiary {
+ -moz-border-radius: 0;
+ -webkit-border-radius: 0;
+ border-radius: 0;
+ margin:0;
+ border-left-color: #8FB777;
+}
+.splButtonGroup .splButton-secondary {
+ border-left-color: #ddd;
+}
+
+.splButtonGroup .splButton-tertiary {
+ border-left-color: #7ca6b0;
+}
+
+.splButtonGroup .splButton-disabled {
+ border-left-color: #bbb;
+}
+
+.splButtonGroup .splButton-primary:first-child,
+.splButtonGroup .splButton-secondary:first-child,
+.splButtonGroup .splButton-tertiary:first-child {
+ -moz-border-radius-bottomleft: 4px;
+ -webkit-border-bottom-left-radius: 4px;
+ border-bottom-left-radius: 4px;
+ -moz-border-radius-topleft: 4px;
+ -webkit-border-top-left-radius: 4px;
+ border-top-left-radius: 4px;
+ border-left-color: #5E8D3D;
+}
+
+.splButtonGroup .splButton-secondary:first-child {
+ border-left-color: #ccc;
+}
+
+.splButtonGroup .splButton-tertiary:first-child {
+ border-left-color: #498A99;
+}
+
+.splButtonGroup .splButton-disabled:first-child {
+ border-left-color: #999;
+}
+
+.splButtonGroup .splButton-primary:last-child,
+.splButtonGroup .splButton-secondary:last-child,
+.splButtonGroup .splButton-tertiary:last-child {
+ -moz-border-radius-bottomright: 4px;
+ -webkit-border-bottom-right-radius: 0;
+ border-bottom-right-radius: 4px;
+ -moz-border-radius-topright: 4px;
+ -webkit-border-top-right-radius: 0;
+ border-top-right-radius: 4px;
+ border-right-width:1px;
+}
+
+/* Iconic Links
+---------------------------------*/
+
+.splIconicLinkIcon, .splButtonIcon, span.splMenuIcon {
+ background-image: url(/static/img/skins/default/sprite_button_icons.png);
+ _background-image: url(/static/img/skins/default/sprite_button_icons.gif);
+ background-position: 0 0;
+}
+
+
+.splIconicLinkIcon {
+ margin-top:2px;
+}
+.splIconicLinkLabel {
+ font-size:11px;
+}
+
+.splIconicLinkDisabled {
+ background-image: none;
+ color: #999;
+}
+
+
+.splIconicLinkDisabled .splIconicLinkIcon {
+ -moz-opacity: 0.45;
+ opacity: 0.45;
+ -ms-filter:"progid:DXImageTransform.Microsoft.Alpha(Opacity=45)"; /* IE8 */
+ filter: progid:DXImageTransform.Microsoft.Alpha(Opacity=45); /* IE7 */
+ filter:alpha(opacity=50); /* IE6 */
+
+ color: #999;
+ -moz-border-radius: 3px;
+ -webkit-border-radius: 3px;
+ border-radius: 3px;
+}
+
+.splIcon-export {
+ background-position: -26px -660px;
+}
+
+.splIconicLinkDisabled .splIcon-export {
+ background-position: -13px -660px;
+}
+
+.splIcon-options {
+ background-position: -26px -680px;
+}
+
+
+/* Splunk search button */
+
+/* search button */
+input.searchButton {
+ background-color: #659c40;
+ background-image: url(/static/img/skins/default/search_button.png);
+ /* white > */
+ background-position: right center;
+ /* black > -- uncomment for black arrow. --
+ background-position: left center;
+ */
+ /* corner rounding for good browsers */
+ -moz-border-radius: 4px;
+ -webkit-border-radius: 4px;
+ border-radius: 4px;
+
+ border: 1px solid #5e8d3d;
+ font-family: Arial, Helvetica, sans-serif;
+ cursor: pointer;
+
+
+ _background-image: url(/static/img/skins/default/green_search_button.png);
+ _background-color:transparent;
+ _border: none;
+ _zoom:1;
+}
+
+input.searchButton:hover,
+input.searchButton:focus {
+ background-color: #4e7830;
+ _background-color:transparent;
+}
+
+table.mainSearchControlsTable input.searchButton {
+ border-left-color: #8fb777;
+ -moz-border-radius-topleft: 0;
+ -moz-border-radius-bottomleft: 0;
+ -webkit-border-top-left-radius: 0;
+ -webkit-border-bottom-left-radius: 0;
+ border-bottom-left-radius: 0;
+ border-top-left-radius: 0;
+ border-bottom-left-radius: 0;
+}
+
+/* button wrapper */
+.splButtonWrapper {
+ border-top-width:1px;
+ border-top-style:solid;
+}
+
+/* icons
+---------------------------------*/
+.splIcon {
+ background-image: url(/static/img/skins/default/splIcons.gif);
+ background-color: #999;
+}
+
+/*-- external link icon --*/
+.spl-icon-external-link-xsm {
+ background: transparent url(/static/img/skins/default/icon-external-xsm.png) no-repeat 0 0;
+ _background: transparent url(/static/img/skins/default/icon-external-xsm.gif) no-repeat 0 0;
+ background-repeat:no-repeat;
+ background-position: 0% 50%;
+ display:inline-block;
+ padding-left: 15px;
+ margin-left: 5px;
+ font-style: normal;
+}
+.spl-icon-external-link-xsm.inline-icon {
+ margin-left: 0px;
+}
+
+/*-- sidebar collapse icon --*/
+.splIcon-sidebar-open .splIconicLinkIcon { background-position: -26px -320px; }
+.splIcon-sidebar-closed .splIconicLinkIcon { background-position: -26px -340px; }
+
+/*-- linear and log scale buttons --*/
+div.FlashTimeline a.linLogToggle {
+ color:#000;
+}
+
+div.FlashTimeline a.linLogToggle:focus {
+ background-color: #ccc;
+}
+
+div.FlashTimeline a.linLogToggle .splIcon-triangle-4-s {
+ background-position: -67px -367px;
+}
+
+
+
+/*-- clear buttons --*/
+.splIcon-clear {
+ -webkit-border-radius: 6px;
+ -moz-border-radius: 6px;
+ border-radius: 5px;
+ background-position: 0px 0px;
+}
+html>/**/body .splIcon-clear, x:-moz-any-link, x:default { /* do rounding for ff3, not ff2 */
+ -moz-border-radius: 5px;
+}
+.splIcon-clear:hover { background-position: -20px 0px; }
+
+/*-- close icons --*/
+.splIcon-close { background-position: 0px 0px; }
+.splIcon-close:hover { background-position: -20px 0px; }
+
+/*-- arrow icons --*/
+.splIcon-arrow-n, .splIcon-arrow-e, .splIcon-arrow-s, .splIcon-arrow-w {
+ -webkit-border-radius: 6px;
+ -moz-border-radius: 6px;
+ border-radius: 5px;
+ background-color: #999;
+}
+html>/**/body .splIcon-arrow-n, html>/**/body .splIcon-arrow-s, html>/**/body .splIcon-arrow-e,
+html>/**/body .splIcon-arrow-w, x:-moz-any-link, x:default { /* do rounding for ff3, not ff2 */
+ -moz-border-radius: 5px;
+}
+.splIcon-arrow-n { background-position: 0px -100px; }
+.splIcon-arrow-e { background-position: 0px -140px; }
+.splIcon-arrow-s { background-position: 0px -120px; }
+.splIcon-arrow-w { background-position: 0px -160px; }
+.splIcon-arrow-n:hover { background-position: -20px -100px; }
+.splIcon-arrow-e:hover { background-position: -20px -140px; }
+.splIcon-arrow-s:hover { background-position: -20px -120px; }
+.splIcon-arrow-w:hover { background-position: -20px -160px; }
+
+/*-- results view buttons --*/
+.splIcon-events-list, .splIcon-events-table, .splIcon-results-table, .splIcon-results-chart {
+ background-image: url(/static/img/skins/default/sprite_button_icons.png);
+ _background-image: url(/static/img/skins/default/sprite_button_icons.gif);
+}
+.splIcon-events-list { background-position: -26px -740px; }
+.splIcon-events-table { background-position: -26px -760px; }
+.splIcon-results-table { background-position: -26px -780px; }
+.splIcon-results-chart { background-position: -26px -800px; }
+.splIcon-events-list:hover { background-position: -39px -740px; }
+.splIcon-events-table:hover { background-position: -39px -760px; }
+.splIcon-results-table:hover { background-position: -39px -780px; }
+.splIcon-results-chart:hover { background-position: -39px -800px; }
+
+/* triangles */
+/* Note: to separate color from implementation, we're using a numbering system to differentiate colors.
+ 1=grey,2=white,3=green,4=black,5=blue. If the icon sprite changes, the number mapping to colors would be different */
+.splIcon-triangle,
+.splIcon-triangle-1-n, .splIcon-triangle-1-s, .splIcon-triangle-1-e, .splIcon-triangle-1-w,
+.splIcon-triangle-2-n, .splIcon-triangle-2-s, .splIcon-triangle-2-e, .splIcon-triangle-2-w,
+.splIcon-triangle-3-n, .splIcon-triangle-3-s, .splIcon-triangle-3-e, .splIcon-triangle-3-w,
+.splIcon-triangle-4-n, .splIcon-triangle-4-s, .splIcon-triangle-4-e, .splIcon-triangle-4-w,
+.splIcon-triangle-5-n, .splIcon-triangle-5-s, .splIcon-triangle-5-e, .splIcon-triangle-5-w {
+ background-color:transparent;
+}
+.splIcon-triangle-large {
+ background-color:transparent;
+}
+
+/* grey */
+.splIcon-triangle-1-n { background-position: -7px -386px; }
+.splIcon-triangle-1-s { background-position: -7px -367px; }
+.splIcon-triangle-1-e { background-position: -7px -407px; }
+.splIcon-triangle-1-w { background-position: -7px -427px; }
+/* white */
+.splIcon-triangle-2-n { background-position: -27px -386px; }
+.splIcon-triangle-2-s { background-position: -27px -367px; }
+.splIcon-triangle-2-e { background-position: -27px -407px; }
+.splIcon-triangle-2-w { background-position: -27px -427px; }
+/* green */
+.splIcon-triangle-3-n { background-position: -47px -386px; }
+.splIcon-triangle-3-s { background-position: -47px -367px; }
+.splIcon-triangle-3-e { background-position: -47px -407px; }
+.splIcon-triangle-3-w { background-position: -47px -427px; }
+/* black */
+.splIcon-triangle-4-n { background-position: -67px -386px; }
+.splIcon-triangle-4-s { background-position: -67px -367px; }
+.splIcon-triangle-4-e { background-position: -67px -407px; }
+.splIcon-triangle-4-w { background-position: -67px -427px; }
+/* blue */
+.splIcon-triangle-5-n { background-position: -87px -386px; }
+.splIcon-triangle-5-s { background-position: -87px -367px; }
+.splIcon-triangle-5-e { background-position: -87px -407px; }
+.splIcon-triangle-5-w { background-position: -87px -427px; }
+
+/* state interaction
+_________________________________*/
+
+.fatal, .error, .warn, .info, .persistent {
+ background: url(/static/img/skins/default/overlay_gradient_28_plus.png) repeat-x top left;
+ _background: #000 none;
+ font-weight: bold;
+}
+
+.fatal, .error {
+ background-color: #a62f2f;
+ color: #fff;
+}
+.warn, .persistent {
+ background-color: #ffee91;
+ color: #000;
+}
+.info {
+ background-color: #e8f8ff;
+ color: #000;
+}
+
+
+.fatal .remove, .error .remove, .warn .remove, .info .remove, .persistent .remove {
+ background: #000 url(/static/img/skins/default/splIcons.gif) no-repeat top left;
+ -moz-border-radius: 4px;
+ -webkit-border-radius: 4px;
+ border-radius: 4px;
+}
+
+.fatal .remove, .error .remove {
+ background-color: #6f2121;
+}
+.warn .remove, .persistent .remove {
+ background-color: #b9ac66;
+}
+.info .remove {
+ background-color: #94a9b2;
+}
+
+
+/* menu classes
+---------------------------------*/
+
+.splMenu {
+ font-size: 11px;
+ font-family: Arial, Helvetica, sans-serif;
+}
+
+/* primary menu - white */
+.splMenu-primary, .splMenu-primary a {
+ color: #333;
+}
+.splMenu-primary li.disabled a {
+ color:#999;
+}
+.splMenu-primary ul {
+ background-color: #FFF;
+}
+.splMenu-primary .actionsMenuDivider {
+}
+
+/* primary menu hover styles */
+.splMenu-primary li:hover {
+ background: #f3ecbb;
+}
+.splMenu-primary ul li.htmlBlock:hover {
+ background-color: transparent;
+}
+
+/* secondary menu - black */
+.splMenu-secondary, .splMenu-secondary a {
+ color: #CCC;
+}
+.splMenu-secondary li.disabled a {
+ color:#999;
+}
+.splMenu-secondary ul {
+ background-color: #000;
+ border-color: #333;
+}
+
+/* primary menu hover styles */
+.splMenu-secondary li:hover {
+ background-color: #7b9059;
+}
+.splMenu-secondary a:hover {
+ color: #FFF;
+}
+.splMenu-secondary ul li.htmlBlock:hover {
+ background-color: transparent;
+}
+
+/* Tab styles
+-------------------------------*/
+
+.tabsWrapper {
+ background-color: #bdbdb7;
+}
+ul.tabs li {
+ background: #666 url(/static/img/skins/default/tab_switcher_rounded_corners.gif) no-repeat 0 -68px;
+}
+ul.tabs li a {
+ background: #666 url(/static/img/skins/default/tab_switcher_rounded_corners.gif) no-repeat right -102px;
+ color: #FFF;
+ font-size: 12px;
+}
+/* on state */
+ul.tabs li.selected {
+ background-color: #FFF;
+ background: #FFF url(/static/img/skins/default/tab_switcher_rounded_corners.gif) no-repeat 0 0;
+}
+ul.tabs li.selected a {
+ color: #333;
+ background: #FFF url(/static/img/skins/default/tab_switcher_rounded_corners.gif) no-repeat right -34px;
+}
+
+/* jquery ui styles
+_______________________________*/
+
+/* datepicker styles */
+.ui-datepicker {
+ border: 1px solid #ccc;
+ background: #FFF;
+}
+.ui-datepicker a {
+ color: #333;
+}
+.ui-datepicker-inline {
+ border-style: solid;
+ border-width: 1px;
+}
+.ui-datepicker-header {
+ background: #edede7 url(/static/img/skins/default/overlay_gradient_28.png) repeat-x scroll 0 -5px;
+ _background: #edede7 url(/static/img/skins/default/backgrounds_ie6.gif) repeat-x scroll 0 -5px;
+}
+.ui-datepicker-header a {
+ background-image: url(/static/img/skins/default/splIcons.gif);
+ background-repeat: no-repeat;
+}
+.ui-datepicker-prev {
+ background-position: -67px -418px;
+}
+.ui-datepicker-next {
+ background-position: -67px -398px;
+}
+.ui-datepicker-current-day {
+ background-color: #a8c479;
+}
+
+/* resizable styles */
+.ui-resizable-s {
+ background:#cdcdc7 url(/static/img/skins/default/bg_resizer.gif) center no-repeat !important;
+ _font-size:0;
+}
+
+.ui-resizable-helper {
+ border: 1px dashed #999;
+}
+
+/* TimeSpinner styles */
+.TimeSpinner {
+ border: 1px solid #ccc;
+}
+
+/***********************************
+ Module styles
+************************************/
+
+/* Dev note: putting these in here for now, figuring out what refactoring can be done later */
+
+
+/*** Gandalf ***/
+
+/* TimeRangeBinning */
+.TimeRangeBinning .trbToggle {
+ font-size:12px;
+}
+.TimeRangeBinning .trbToggle span.splIcon-triangle {
+ background-position: -87px -407px;
+ background-color: transparent;
+}
+.TimeRangeBinning .trbOn span.splIcon-triangle {
+ background-position: -87px -367px;
+}
+
+/*** Jobs ***/
+
+/* Job Status */
+
+.JobStatus {
+ background-color: #EDEDE7;
+}
+
+.JobStatus .output .scanned,
+.JobStatus .output .results {
+ font-style:normal;
+ font-size:12px;
+}
+.JobStatus .output .running h2,
+.JobStatus .output .runningReport h2,
+.JobStatus .output .finalizing h2 {
+ background: url(/static/img/skins/default/loader_green_on_grey.gif) left no-repeat;
+ /* use loader.gif for green on white */
+}
+
+.JobStatus .output .complete h2 {
+ background: url(/static/img/skins/default/bg_job_status.png) 0 -13px no-repeat;
+}
+
+.JobStatus .output .paused h2 {
+ background: url(/static/img/skins/default/bg_job_status.png) 0 8px no-repeat;
+}
+
+.autoPauseText > strong {
+ color: #900;
+}
+
+/* link icons */
+
+
+
+.save .splButtonIcon {
+ background-position: 0 -160px;
+}
+
+.create .splButtonIcon {
+ background-position: 0 -180px;
+}
+.inspector .splButtonIcon {
+ background-position: 0 -120px;
+}
+
+.print .splButtonIcon {
+ background-position: 0 -140px;
+}
+
+.background .splButtonIcon{
+ background-position: 0 -20px;
+}
+
+.finalize .splButtonIcon {
+ background-position: 0 -80px;
+}
+
+.pause .splButtonIcon {
+ background-position: 0 -60px;
+}
+
+.unpause .splButtonIcon{
+ background-position: 0 -40px;
+}
+
+.cancel .splButtonIcon{
+ background-position: 0 -100px;
+}
+
+.schedulepdf .splButtonIcon{background-position:0 -560px;}
+.move .splButtonIcon{background-position:0 -580px;}
+.add .splButtonIcon{background-position:0 -640px;}
+.permissions .splButtonIcon{background-position:0 -600px;}
+.xml .splButtonIcon{background-position:0 -620px;}
+
+/* IE6 removal of gradient overlays */
+.JobStatus .splHeader {
+ _background-image: none;
+}
+
+.JobStatus .autoPauseTip {
+ color: #800;
+}
+.JobStatus .autoPauseTip a {
+ color: #1a7996;
+}
+
+/*** Nav ***/
+
+/* AppBar */
+ul.appBarNav li a:hover,
+ul.appBarNav li a.menuOpen {
+ background: url(/static/img/skins/default/overlay_white_28.png) repeat-x 0 0;
+ _background: url(/static/img/skins/default/backgrounds_ie.gif) repeat-x 0 -727px;
+}
+ul.appBarNav li a {
+ font-size: 11px;
+ font-weight: bold;
+}
+.splMenu-primary ul li.splUserCreated {
+ background-image: url(/static/img/skins/default/greendot.gif);
+ background-repeat: no-repeat;
+ background-position: 4px 10px;
+}
+
+/* BreadCrumb */
+.BreadCrumb {
+ font-size:14px;
+}
+.BreadCrumb .gt {
+ color:#888;
+}
+
+/* TitleBar */
+.TitleBar div.menuOpen, .TitleBar a.menuOpen {
+ background-color: #CCC;
+}
+.TitleBar h2 em {
+ font-style:normal;
+}
+.TitleBar .splPipe {
+ font-size:12px;
+}
+
+/*** Results header ***/
+h2 .timeRangeStr {
+ font-weight: normal;
+}
+
+
+/*** Message ***/
+.Message ol {
+ font-size: 0px;
+ line-height: 1;
+}
+.Message ol li {
+ font-size: 11px;
+ line-height: 16px;
+ padding: 6px 10px;
+}
+
+/*** Paginator ***/
+
+.Paginator a, .Paginator .disabled:hover {
+ border-style: solid;
+ border-width: 1px;
+ border-color: #fff;
+ -moz-border-radius: 3px;
+ -webkit-border-radius: 3px;
+ border-radius: 3px;
+ _border-width:0px;
+}
+.Paginator a:hover {
+ border-color: #ccc;
+ text-decoration:none;
+}
+.Paginator .active a, .Paginator .active a:hover {
+ background-color: #999;
+ -webkit-box-shadow: inset 1px 1px 1px 0px #333333;
+ -moz-box-shadow: inset 1px 1px 1px 0px #333333;
+ box-shadow: inset 1px 1px 1px 0px #333333;
+ color: #fff;
+ border-color: #fff;
+}
+.Paginator .previous, .Paginator .next {
+ color:#999;
+}
+
+
+/*** Prototypes ***/
+
+/* SimpleEventsViewer */
+
+.SimpleEventsViewer {
+ background-color:#fff;
+}
+.SimpleEventsViewer span.searchTermHighlight {
+ background-color:#f5e998;
+}
+.SimpleEventsViewer .eventFields {
+ color: LightSlateGrey;
+}
+.SimpleEventsViewer .eventFields .value {
+ color: #000;
+}
+
+/*** Results ***/
+
+/* EventsViewer */
+
+.EventsViewer, .SimpleResultsTableResults {
+}
+
+.EventsViewerScroller {
+ border-top-style: solid;
+ border-top-width: 1px;
+}
+.EventsViewer .header {
+ font-weight:normal;
+ font-size:11px;
+ color:#333;
+}
+.EventsViewer .header em {
+ font-weight:bold;
+ font-style:normal;
+}
+
+.EventsViewer .tb {
+ border:1px solid red;
+}
+.EventsViewer .tb h2 {
+ font-size:11px;
+ font-weight:bold;
+}
+.EventsViewer .tb h3 {
+ font-size:10px;
+ font-weight:bold;
+}
+.EventsViewer .tb td:first-child {
+ color:#666;
+}
+.EventsViewer .default .pos {
+ font-style:normal;
+ font-size:11px;
+ color:#bbb;
+}
+.EventsViewer .default .time {
+ font-style:normal;
+ font-size:11px;
+ color:#666;
+}
+.EventsViewer .default .audit {
+ font-style:normal;
+ display:block;
+ padding:2px 0px 4px 20px;
+ color:#666;
+}
+/* BEGIN NOTICE: decoration_audit_ class names currently have no indirection, do not change! */
+.EventsViewer .default .decoration_audit_valid {
+ background:url(/static/img/skins/default/audit_valid.gif) no-repeat;
+}
+.EventsViewer .default .decoration_audit_gap {
+ background:url(/static/img/skins/default/audit_gap.gif) no-repeat;
+}
+.EventsViewer .default .decoration_audit_tampered {
+ background:url(/static/img/skins/default/audit_tampered.gif) no-repeat;
+}
+.EventsViewer .default .decoration_audit_cantvalidate {
+ background:url(/static/img/skins/default/audit_cantvalidate.gif) no-repeat;
+}
+/* END NOTICE: decoration_audit_ class names currently have no indirection, do not change! */
+.EventsViewer .default .event {
+ font-family:Consolas, Monaco, Courier New, monospace;
+ font-size: 12px;
+ color:#333;
+}
+.EventsViewer .default .a, .EventsViewer .default .h, .EventsViewer .default .fields .v:hover, .EventsViewer .default .fields .tg:hover, .EventsViewer .default .time:hover {
+ background-color:#f5e998;
+}
+.EventsViewer .default .showinline {
+ color:#4D9BB3;
+}
+.EventsViewer .default .fields li {
+ color:#778899;
+}
+.EventsViewer .default .fields em {
+ font-style:normal;
+}
+.EventsViewer .default .fields .k {
+ color:#999;
+}
+.EventsViewer .default .fields .v {
+ color:#333;
+}
+.EventsViewer .default .fields .tg {
+ color:#999;
+ font-style:italic;
+}
+.EventsViewer .default .fields .fm {
+ background: url(/static/img/skins/default/splIcons.gif) no-repeat -67px -364px;
+ color:#FFF;
+}
+.actions .splButtonIcon {
+ background-position: 0 -280px;
+}
+
+
+.results-table-help {
+ font-size: 12px;
+}
+
+/* BEGIN: tag field popup styles */
+.tagfieldpopup {
+ background:#FFF;
+}
+.tagfieldpopup input {
+ font-size:11px;
+ color:#333;
+}
+
+
+
+/* FancyChartTypeFormatter */
+.FancyChartTypeFormatter .chartTypeTitle {
+ font-size: 12px;
+}
+.FancyChartTypeFormatter .chartTypeActivator {
+ border-style: solid;
+ border-width: 1px;
+ background: url(/static/img/skins/default/overlay_gradient_28.png) repeat-x 0 0;
+}
+.FancyChartTypeFormatter .chartTypeActivator span {
+ background: url(/static/img/skins/default/arrows.gif) no-repeat 0 0 ;
+}
+.FancyChartTypeFormatter .chartTypeMenu ul {
+ background-color:#FFF;
+ border-style: solid;
+ border-width: 1px;
+}
+.FancyChartTypeFormatter .chartTypeMenu li:hover {
+ background-color: #f3ecbb;
+}
+.FancyChartTypeFormatter .chartTypeActivator a,
+.FancyChartTypeFormatter .chartTypeMenu li a {
+ color:#333;
+ text-decoration:none;
+ font-size:12px;
+ background-image:url(/static/img/skins/default/chart_type_icons.gif);
+ background-repeat:no-repeat;
+ background-position: 5px -45px;
+}
+.FancyChartTypeFormatter .chartTypeMenu li.column a,
+.FancyChartTypeFormatter .chartTypeActivator a.column {
+ background-position: 5px 3px;
+}
+.FancyChartTypeFormatter .chartTypeMenu li.line a,
+.FancyChartTypeFormatter .chartTypeActivator a.line {
+ background-position: 5px -45px;
+}
+.FancyChartTypeFormatter .chartTypeMenu li.area a,
+.FancyChartTypeFormatter .chartTypeActivator a.area {
+ background-position: 5px -94px;
+}
+.FancyChartTypeFormatter .chartTypeMenu li.bar a,
+.FancyChartTypeFormatter .chartTypeActivator a.bar {
+ background-position: 5px -144px;
+}
+
+/* Timeline */
+/*
+ background-color -> controls bgcolor
+ border-left-color -> controls foregroundColor
+ color -> controls fontColor
+ border-right-color -> controls seriesColor
+*/
+
+
+/**********************************
+Timeline and charts
+***********************************/
+
+div.FlashTimeline,
+div.FlashTimeline .splHeader {
+ background-color: #fff;
+
+ /* Color of the chart lines */
+ border-left-color: #000;
+
+ /* Color of the columns */
+ border-right-color: #73a550;
+
+ color: #000;
+}
+
+div.FlashTimeline a.splIconicLinkDisabled {
+ color: #999;
+}
+
+div.FlashTimeline .splHeader {
+/* background-image: none;*/
+ border-top-width: 0;
+}
+
+
+div.FlashTimeline a.hideshow .splIconicLinkIcon {
+ background-position: -26px -400px;
+}
+
+div.FlashTimeline .minimized a.hideshow .splIconicLinkIcon {
+ background-position: -26px -420px;
+}
+
+
+.TimelineContainer,
+.FlashWrapperContainer {
+ padding-bottom: 7px;
+ _padding-bottom:0;
+}
+
+.FlashTimeline .zoomIn .splIconicLinkIcon {
+ background-position: -26px -480px;
+}
+
+.FlashTimeline .zoomOut .splIconicLinkIcon {
+ background-position: -26px -500px;
+}
+
+.FlashTimeline .selectAll .splIconicLinkIcon {
+ background-position: -26px -520px;
+}
+.FlashTimeline .splIconicLinkDisabled.zoomIn .splIconicLinkIcon {
+ background-position: -13px -480px;
+}
+
+.FlashTimeline .splIconicLinkDisabled.zoomOut .splIconicLinkIcon {
+
background-position: -13px -500px; +} + +.FlashTimeline .splIconicLinkDisabled.selectAll .splIconicLinkIcon { + background-position: -13px -520px; +} + + + +/* FlashChart */ +/* + background-color -> controls bgcolor + border-left-color -> controls foregroundColor + color -> controls fontColor +*/ +div.FlashChart { + background-color: #fff; + border-left-color: #000; + color: #000; +} + +/* JSChart: + * + * JSChart will adopt the same styles as FlashChart, this allows backwards compatibility with any styling + * applied to FlashChart in an application.css file + */ + +/* MultiFieldViewer + SuggestedFieldViewer */ +.MultiFieldViewer .fieldTabs .mouseoverHighlight, +.MultiFieldViewer .fieldTabs .selected, +.SuggestedFieldViewer .fieldTabs .mouseoverHighlight, +.SuggestedFieldViewer .fieldTabs .selected { + background-color:#C2D4DA; +} + +.MultiFieldViewer .fieldTabs .mouseoverHighlight a, +.SuggestedFieldViewer .fieldTabs .mouseoverHighlight a { + background-image: url(/static/img/skins/default/graph_icon.png); + background-repeat: no-repeat; + background-position: right 3px; +} + +.MultiFieldViewer .valueCount, +.SuggestedFieldViewer .valueCount { + color: #999; +} + +.MultiFieldViewer .iconNumeric, +.SuggestedFieldViewer .iconNumeric, +.MultiFieldViewer .iconString, +.SuggestedFieldViewer .iconString { + font-family: "Times New Roman", Georgia, Times, serif; + color: #999; + font-style: italic; + font-weight: bold; + font-size: 13px; + line-height: 12px; +} + +/* Count */ +.Count label, .Count select { + font-size: 11px; +} + +.pageControls .Count .perPageLabel{ + color: #333; +} + +/* EnablePreview */ +.pageControls .EnablePreview label { + font-size:11px; +} + +/* ResultsActionsButtons */ +.ResultsActionButtons { + background-color: #EDEDE7; +} + +/* SimpleResultsTable */ +table.simpleResultsTable td.pos, +table.simpleResultsTable th.pos { + color: #bbb; + border: none; +} +table.simpleResultsTable td.lowValue { + border: 1px solid blue; +} 
+table.simpleResultsTable td.highValue { + border: 1px solid red; +} + +/* SingleValue */ +.SingleValueHolder { + background-color: #ccc; + -moz-border-radius: 4px; + -webkit-border-radius: 4px; + border-radius: 4px; + font-size: 16px; + font-weight: bold; + -moz-box-shadow: inset 0 0 5px rgba(0, 0, 0, 0.25); + -webkit-box-shadow: inset 0 0 5px rgba(0, 0, 0, 0.25); + box-shadow: inset 0 0 5px rgba(0, 0, 0, 0.25); + background-image:url(/static/img/skins/default/overlay_gradient_50.png); + background-repeat: repeat-x; + _background-image: none; + +} +.SingleValue .severe { + background-color: #bb2121; + color: #fff; +} +.SingleValue .high { + background-color: #e67918; + color: #fff; +} +.SingleValue .elevated { + background-color: #e9da34; + color: #000; +} +.SingleValue .guarded { + background-color: #4da6df; + color: #fff; +} +.SingleValue .low { + background-color: #72c72d; + color: #fff; +} +.SingleValue .None { + background-color: #999; + color: #fff; +} + +/*** Search ***/ + +/* Field Picker */ + +.FieldPickerPopup .fpUpdateFields, .FieldPickerPopup .fpUpdateFieldsUpdate { + color: #E5F2F5; +} +.FieldPickerPopup li.fpSelFieldsNotPresent { + color:#999; +} +.FieldPickerPopup .fpAddTermCell span.splIcon-arrow-e { + background-color: #73a550; +} +.FieldPickerPopup li.fpSelFieldsNotPresent span { + background-color: #CCC; +} +.FieldPickerPopup .fpFilterFields label { + font-weight: bold; + font-size: 11px; +} +.FieldPickerPopup .fpFieldListContainerOuter { + _background: url(/static/img/skins/default/field_list_header.png) repeat-x 0 0; +} +.FieldPickerPopup .fpFieldListContainerOuter thead tr { + background-position: left -5px; +} +.FieldPickerPopup .fpFieldListContainerOuter th span { + background-color: transparent; + background-position: -67px -441px; +} +.FieldPickerPopup .fpFieldListContainerOuter +.headerSortUp span { + background-position: -67px -379px; +} +.FieldPickerPopup .fpFieldListContainerOuter th.headerSortDown span { + background-position: -67px 
-360px; +} +.FieldPickerPopup .fpFieldList tr.fieldSelected td.fpFieldTerm { + color:#999; +} +.FieldPickerPopup .fpFieldList tr.fieldSelected td.fpAddTermCell span { + background-color: #CCC; +} + +.fpFieldList .splHeader { + background-image: url(/static/img/skins/default/overlay_gradient_28.png); + _background-image: none; +} + + + +/* adding this class on hover via jquery, handles row highlighting and graph icon */ +.FieldPickerPopup .fpFieldList tbody tr:hover, .FieldPickerPopup .fpFieldList tbody tr.mouseoverHighlight { + background-color: #f5e998; +} +.FieldPickerPopup .fpFieldList tbody tr:hover .fpFieldListSecond a, +.FieldPickerPopup .fpFieldList tbody tr.mouseoverHighlight .fpFieldListSecond a { + background: url(/static/img/skins/default/graph_icon.png) no-repeat center right; +} + + + + +/*** SearchBar for DEFAULT.CSSS ***/ + +table .SearchBar .searchFieldWrapper { +} + +table.mainSearchControlsTable .SearchBar .searchFieldWrapper { + border: 1px solid #5e8d3d; + background-color: #5e8d3d; + + + border-right-width: 0; + -moz-border-radius-topright: 0; + -moz-border-radius-bottomright: 0; + -webkit-border-top-right-radius: 0; + -webkit-border-bottom-right-radius: 0; + border-bottom-right-radius: 0; + border-top-right-radius: 0; + border-bottom-right-radius: 0; + background: #73a550 url(/static/img/skins/default/search_bar.png); + _background: #73a550; + _background-image: none; +} + +.SearchBar .searchFieldWrapperInner { + border-color: #a0c288; +} + +.SearchBar label { + color: #bbb; +} + +.SearchBar .assistantActivator { + background-color:#689549; + background-image: url(/static/img/skins/default/overlay_gradient_28.png); + _background-image: none; + background-repeat: repeat-x; +} +.SearchBar .assistantEnabled span.assistantAutoOpener { + color: #fff; +} +.SearchBar .assistantEnabled span.saHandle { + background:transparent url(/static/img/skins/default/bg_resizer_white.png) center no-repeat; + _background:transparent 
url(/static/img/skins/default/bg_resizer_white.gif) center no-repeat; +} +.SearchBar h4 { + color: #73A550; +} +.sakeywordCount{ + background-color: #fff; + color: #333; +} +.saKeywordSelected { + background-color: #f5e998; +} +.saKeywordSelected .sakeywordCount{ + background-color: #f5e998; +} + +.sakeyword:hover { + background-color: #EDEDE7; +} +.sakeyword:hover .sakeywordCount{ + background-color: #EDEDE7; +} +.splSearchControls-inline { + background-repeat: repeat-x; + background-position: bottom; + _background-image: none; +} +.SearchBar .assistantWrapperEnabled { + -webkit-box-shadow: 2px 2px 3px 0px rgba(0, 0, 0, 0.4); + -moz-box-shadow: 2px 2px 3px 0px rgba(0, 0, 0, 0.4); + box-shadow: 2px 2px 3px 0px rgba(0, 0, 0, 0.4); + border-top:1px solid #A0C288 ; +} + +.SearchBar .assistantInner { + background: #edede7 url(/static/img/skins/default/bg_search_assistant.png) left top repeat-y; + zoom:1; +} +.SearchBar .assistantInnerHelpOnly { + background-color: #edede7; + background-image: none; +} + + +.SearchBar .assTab .splIcon { + background-position: 0 -582px; + background-color: transparent; +} +.SearchBar .assistantWrapperEnabled .assTab .splIcon { + background-position: 0 -562px; +} + + +.SearchBar .saHelpWrapper { + border-left-color: #fff; +} +.SearchBar .sakeyword em { + font-style: normal; + font-weight: bold; + color: #046a89; +} +.SearchBar .saNotice { + background-color: #f5e998; + border-color: #CCC !important; +} +.SearchBar .error { + background-color: #f5e998; + border-color: #CCC !important; + color: #900; + background-image: none; +} + +.introstep { + color: #333; +} +.intro code { + color: #73A550; +} +.SearchBar .intro ul li{ + list-style-type: disc; +} + +.splView-flashtimeline .JobStatus { + background: #EDEDE7 url('/static/img/skins/default/overlay_bottomgradient_32.png') repeat-x bottom left; + _background-image: none; + border-bottom-color: #a4a4a4; +} + + +.splView-flashtimeline .ChartTypeFormatter { + border-bottom: 1px solid #ccc; +} + 
+.splView-flashtimeline .ShowHideHeader div.secondary h2 { + font-size: 12px; +} +.splView-flashtimeline .ShowHideHeader { + border-top-width: 2px; +} + + +div.splSearchFormatChart-tabs ul li.selected .linkSwitcherSelectedIcon { + background: transparent url(/static/img/skins/default/splIcons.gif) -68px -346px no-repeat; +} + +/* TimeRangePicker */ +.TimeRangePicker .timeRangeActivatorWrapper { + background-image: url(/static/img/skins/default/overlay_topgradient_white.png); + background-repeat: repeat-x; + background-color:#d5d5d1; + _background-image:url(/static/img/skins/default/backgrounds_ie6.gif); + -moz-border-radius: 5px; + -webkit-border-radius: 5px; + border-radius: 5px; +} + + +table.mainSearchControlsTable .TimeRangePicker .timeRangeActivator { + padding-top: 3px; +} + +table.mainSearchControlsTable .TimeRangePicker .timeRangeActivatorWrapper { + border: 1px solid #5e8d3d; + border-left-width: 0; + -moz-border-radius: 0; + -webkit-border-radius: 0; + border-radius: 0; + + color: #fff; + + background: #659c40 url(/static/img/skins/default/search_bar.png); + _background-image: url('/static/img/skins/default/green_search_button.png'); + _background-repeat: no-repeat; + _background-position: 0px -74px; + + font-size: 12px; + height: 26px; +} + +/* IE6 & 7 FIX*/ +.mainSearchControlsTable .timeRangeActivatorWrapper{*position:relative;} +.mainSearchControlsTable .dropDown +{ + *position:absolute; + *top:0px; + *right:10px; +} +/*IE7 double input border*/ +*+html .mainSearchControlsTable .SubmitButton fieldset{border:1px solid #5E8D3D ;} +*+html .mainSearchControlsTable .SubmitButton input { + border:0; + height: 26px; + width: 42px; +} +/*IE7 min width */ +*+html .mainSearchControlsTable .timeRangeActivator { + min-width:100px; + width:expression(this.currentStyle.getAttribute('minWidth')); +} + +table.mainSearchControlsTable .TimeRangePicker .timeRangeActivatorWrapper:hover, +table.mainSearchControlsTable .TimeRangePicker .timeRangeActivatorWrapper:focus { + 
background-color: #4e7830; + text-decoration: none; +} + +table.mainSearchControlsTable .TimeRangePicker .timeRangeActivatorWrapper .dropDown { + background-position: -27px -367px; + margin-top: 11px; +} + + +.trpCustomDateTime .rangeType { + border-bottom: 1px solid #CCC; +} +.trpCustomDateTime input.disabled { + background-color: #DDD; + border-color:#DDD; + color:#666; +} +.trpCustomDateTime .earliestDateTime, +.trpCustomDateTime .latestDateTime { + border: 1px solid #ccc; +} +.trpCustomDateTime .dateTimeDisabled { + background-color: #f4f4f1; + border-color:#f4f4f1; + color:#666; +} +.trpCustomDateTime .dateTimeDisabled input { + background:transparent; +} +.trpCustomDateTime input.customDate { + border: none; + background: transparent; +} +.trpCustomDateTime div.outputString { + background-color: #f4f4f1; + border: 1px solid #f4f4f1; + color:#333; +} + + +/*** Report builder ***/ + +.report_builder_format_report .viewHeader { + border: 0; +} + +.report_builder_format_report .JobStatus { + border: 0; +} +.ShowHideHeader { + border-top-width: 1px; + border-top-style: solid; +} + +/*** Advanced charting ***/ + +.splView-charting .ResultsHeader .splHeader-primary { + background-image: none; +} + +/*** Switchers ***/ + +/* ButtonSwitcher */ +.ButtonSwitcher ul li.selected .splIcon-events-list { + background-position: 0 -740px; +} +.ButtonSwitcher ul li.selected .splIcon-events-table { + background-position: 0 -760px; +} +.ButtonSwitcher ul li.selected .splIcon-results-table { + background-position: 0 -780px; +} +.ButtonSwitcher ul li.selected .splIcon-results-chart { + background-position: 0 -800px; +} +.ButtonSwitcher ul li.disabled .splIcon-events-list { + background-position: -13px -740px; +} +.ButtonSwitcher ul li.disabled .splIcon-events-table { + background-position: -13px -760px; +} +.ButtonSwitcher ul li.disabled .splIcon-results-table { + background-position: -13px -780px; +} +.ButtonSwitcher ul li.disabled .splIcon-results-chart { + background-position: 
-13px -800px; +} +.ButtonSwitcher ul li.disabled a * { + cursur:default; +} + + +.ButtonSwitcher ul li { + border-color: #fff; + -moz-border-radius: 3px; + -webkit-border-radius: 3px; + border-radius: 3px; +} + +.ButtonSwitcher ul li.selected, .ButtonSwitcher ul li.selected:hover { + background-color: #999; + -webkit-box-shadow: inset 1px 1px 1px 0px #333333; + -moz-box-shadow: inset 1px 1px 1px 0px #333333; + box-shadow: inset 1px 1px 1px 0px #333333; +} + +/* Link Switcher */ +.LinkSwitcher a { + font-size: 12px; +} +.LinkSwitcher ul li.selected a { + color:#333; + font-weight: bold; + text-decoration:none; +} + +/* ShowHideHeader */ +.ShowHideHeader div.secondary { + background-image: none; +} +.ShowHideHeader h2 span.splIcon-triangle { + background-position: -67px -367px; +} +.ShowHideHeader div.secondary h2 { + font-size: 11px; + font-weight: normal; +} +.ShowHideHeader div.secondary h2 span.splIcon-triangle { + background-position: -87px -367px; +} +.ShowHideHeader div.secondary h2:hover { + text-decoration:underline; +} +.ShowHideHeader h2.closed span.splIcon-triangle { + background-position: -67px -407px; +} +.ShowHideHeader div.secondary h2.closed span.splIcon-triangle { + background-position: -87px -407px ; +} + +/* TabSwitcher */ +.TabSwitcher { + background-color: #bdbdb7; +} +.TabSwitcher ul li { + background: #666 url(/static/img/skins/default/tab_switcher_rounded_corners.gif) no-repeat 0 -68px; +} +.TabSwitcher ul li a { + font-size: 12px; + background: #666 url(/static/img/skins/default/tab_switcher_rounded_corners.gif) no-repeat right -102px; + color: #FFF; +} +.TabSwitcher ul li.selected { + background-color: #FFF; + background: #FFF url(/static/img/skins/default/tab_switcher_rounded_corners.gif) no-repeat 0 0; +} +.TabSwitcher ul li.selected a { + color: #333; + background: #FFF url(/static/img/skins/default/tab_switcher_rounded_corners.gif) no-repeat right -34px; +} + +/* progress bar */ + +.JobProgressIndicator .splBarGraph { + 
background-image:url(/static/img/skins/default/overlay_innershadow_4.png);
+ _background-image: none;
+}
+
+.JobProgressIndicator .splBarGraphBar {
+ background-image:url(/static/img/skins/default/overlay_gradient_4.png);
+ _background-image: none;
+}
+
+
+
+/**********************************
+Interactive Field Extractor
+***********************************/
+.ifxHelpColumn {
+ background-color:#E5F2F5;
+}
+
+.ifxHelpColumn h4 {
+ color:#111
+}
+
+
+/**********************************
+hacks
+***********************************/
+
+/* safari focus outline */
+/*
+*:focus {outline: 0;}
+*/
+
diff --git a/deployment-apps/eventid/bin/ev_process_proc.py b/deployment-apps/eventid/bin/ev_process_proc.py
new file mode 100755
index 00000000..3f5eccf2
--- /dev/null
+++ b/deployment-apps/eventid/bin/ev_process_proc.py
@@ -0,0 +1,45 @@
+#!/usr/bin/env python
+
+import csv
+import sys
+import re
+
+
+# arp.exe,Target Discovery,Obtains information about hosts on the local broadcast domain
+# New_Process_Name = C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
+# C:\Windows\System32\wbem\WmiPrvSE.exe
+
+def process_interesting(full_path_process):
+ try:
+ process_path_elements = full_path_process.split("\\")
+ process = process_path_elements[len(process_path_elements)-1]
+ return process
+ except:
+ return full_path_process
+
+def main():
+ if len(sys.argv) != 3:
+ print "Usage: python ev_process_proc.py [full_path_process] [process]"
+ print sys.argv[1]
+ print len(sys.argv)
+ sys.exit(1)
+
+ full_path_process = sys.argv[1]
+ process = sys.argv[2]
+
+ infile = sys.stdin
+ outfile = sys.stdout
+
+ r = csv.DictReader(infile)
+ header = r.fieldnames
+
+ w = csv.DictWriter(outfile, fieldnames=r.fieldnames)
+ w.writeheader()
+
+ for result in r:
+ if result[full_path_process]:
+ result[process] = process_interesting(result[full_path_process])
+ if result[process]:
+ w.writerow(result)
+
+main()
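Review bot: `process_interesting` wraps a single `str.split` in a bare `except:` that also swallows SystemExit and KeyboardInterrupt, and `process_path_elements[len(process_path_elements)-1]` is a roundabout `[-1]`; `return full_path_process.split("\\")[-1]` with no try at all (or `except AttributeError:` if non-string cells are expected) expresses the same thing. The `print "Usage: ..."` statements are Python 2 syntax and will not compile if the target Splunk instance runs app scripts under Python 3, which current releases do by default; the same applies to ev_process_xml_parameters.py in the next hunk, which shares the bare `except:`, the unused `import re`/`header`, and the unconditional `main()` call at import time. `result[full_path_process]` raises KeyError when the requested field is absent from the CSV header, so the argv-count check does not protect against a misconfigured lookup definition — a `if full_path_process not in r.fieldnames:` check that writes a message to `sys.stderr` before exiting would make that diagnosable. A path ending in a backslash or written with forward slashes yields an empty or unchanged basename, and rows whose `process` is empty are silently dropped from the lookup output; since this presumably feeds the interesting-processes matching, that behaviour deserves a comment on the `if result[process]:` line.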
diff --git a/deployment-apps/eventid/bin/ev_process_xml_parameters.py b/deployment-apps/eventid/bin/ev_process_xml_parameters.py new file mode 100755 index 00000000..b6ec9a79 --- /dev/null +++ b/deployment-apps/eventid/bin/ev_process_xml_parameters.py @@ -0,0 +1,48 @@ +#!/usr/bin/env python + +import csv +import sys +import re +import xml.etree.ElementTree as ET + +# Windows Modules Installerstopped540072007500730074006500640049006E007300740061006C006C00650072002F0031000000 + +def process_xml(xml_info): + try: + xml_result = "" + root = ET.fromstring(""+xml_info+"") + for child in root: + #xml_result = xml_result + child.tag + child.attrib + child.text+"\n" + xml_result = xml_result + child.text + "@" + #xml_result = xml_result + child.attrib + "\n" + return xml_result + except: + return "Error: "+xml_info + +def main(): + if len(sys.argv) != 3: + print "Usage: python ev_process_xml_parameters.py [raw_xml_data] [extracted_xml_data]" + print sys.argv[1] + print len(sys.argv) + sys.exit(3) + + raw_xml_data = sys.argv[1] + extracted_xml_data = sys.argv[2] + + infile = sys.stdin + outfile = sys.stdout + + r = csv.DictReader(infile) + header = r.fieldnames + + w = csv.DictWriter(outfile, fieldnames=r.fieldnames) + w.writeheader() + + for result in r: + if result[raw_xml_data]: + result[extracted_xml_data] = process_xml(result[raw_xml_data]) + #result[extracted_xml_data] = raw_xml_data + if result[extracted_xml_data]: + w.writerow(result) + +main() diff --git a/deployment-apps/eventid/default/.DS_Store b/deployment-apps/eventid/default/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..7fdec4623181a1dd222bf6941e176628c56528c2 GIT binary patch literal 6148 zcmeH~JqiLr422WjLa^D=avBfd4F=H@cmaR56fD$!j_%73f~&QNyg>3zG82}4#m+`V zbbTLIBE5*r;6_lA49C} z?O@4sHQ9pEE}FxK=9AT?7??)8Xh8zg>R_M(RA8jQH1gi=|1JE}{6A`8N(HFEpDCc- zX17`6rSfildp)b~vuf)G2mLt0%TE9jyNVZZH|!T%fHm2IsKEFm;4&~!fv+m?01d + + + + + + + + + + + + EventId.Net + \ No newline at end of file 
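Review bot: In `process_xml`, `child.text` is None for an empty child element, so `xml_result + child.text + "@"` raises TypeError, the bare `except:` catches it, and the row's extracted field becomes `"Error: "+xml_info` — a single empty element discards every other value in the event, and because the error string is truthy the row is still written with the raw XML duplicated into the extracted field. Use `(child.text or "")` and catch only `ET.ParseError`. The XML comes straight from logged event data, which anyone able to write to a monitored host's event log influences; `xml.etree.ElementTree` is documented as susceptible to entity-expansion (billion-laughs / quadratic-blowup) payloads on older Expat builds, so either refuse input containing `<!DOCTYPE` before parsing or use defusedxml's `fromstring`. The wrapper element passed to `ET.fromstring` is not recoverable from this rendering (it shows as `""+xml_info+""`), so the sketch below uses a placeholder name.
```python
def process_xml(xml_info):
    # Event payloads are attacker-influenced; refuse DTDs up front so the
    # stdlib parser never sees an entity-expansion payload.
    if "<!DOCTYPE" in xml_info or "<!ENTITY" in xml_info:
        return "Error: " + xml_info
    try:
        # WRAPPER_TAG is a placeholder: the original wrapper element name is not visible in this rendering
        root = ET.fromstring("<WRAPPER_TAG>" + xml_info + "</WRAPPER_TAG>")
    except ET.ParseError:
        return "Error: " + xml_info
    # child.text is None for empty elements; joining it as "" keeps the other
    # values instead of turning the whole row into an error string.
    return "".join((child.text or "") + "@" for child in root)
```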
diff --git a/deployment-apps/eventid/default/data/ui/views/README b/deployment-apps/eventid/default/data/ui/views/README new file mode 100644 index 00000000..d518a88b --- /dev/null +++ b/deployment-apps/eventid/default/data/ui/views/README @@ -0,0 +1 @@ +Add all the views that your app needs in this directory diff --git a/deployment-apps/eventid/default/data/ui/views/audit_events.xml b/deployment-apps/eventid/default/data/ui/views/audit_events.xml new file mode 100644 index 00000000..f87d0518 --- /dev/null +++ b/deployment-apps/eventid/default/data/ui/views/audit_events.xml @@ -0,0 +1,405 @@ +
+ + Click on the event to check it on www.eventid.net +
+ + + + -24h@h + now + + + + + All + * + ( + ) + host=" + " + OR + + `event_sources` ("Audit Success" OR "Audit Failure") | stats count by host + $interval.earliest$ + $interval.latest$ + + host + host + + + + Audit Failure,Audit Success + Failure + Success + ( + ) + " + " + OR + Audit Type + Audit Type + Audit Failure,Audit Success + + + + * + + + + Yes + No + Message!="*privilege*" + + + + Yes + No + Account_Name != "*$$*" + Account_Name != "*$$*" + +
+ + + Audit events over time + + + `event_sources` ("Audit Success" OR "Audit Failure") AND $Computer$ AND $keyword$ $nopriv$ $nocomputer$ $Audit_Type$ +| fillnull +| timechart count + $interval.earliest$ + $interval.latest$ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Accounts with 3 or more failed logons + + + `event_sources` Failure_Reason=* ("Audit Failure") AND $Computer$ AND $keyword$ $nopriv$ Message != "*privilege*" Account_Name != "*$*" +| table host, Account_Name, Failure_Reason +| stats count by Account_Name +| where count > 2 + $interval.earliest$ + $interval.latest$ + 1 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Audit Failure events by computer + + + `event_sources` "Audit Failure" AND $Computer$ AND $keyword$ $nocomputer$ $nopriv$ +| fillnull +| stats count by host + $interval.earliest$ + $interval.latest$ + 1 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Distinct Accounts + + + `event_sources` AND $Computer$ AND $keyword$ $nopriv$ $nocomputer$ TaskCategory=Logon $Audit_Type$ +| stats dc(Account_Name) + $interval.earliest$ + $interval.latest$ + 1 + + + + + + + + + + + + + + + + + + + + + + Logon Successful Audits + + + `event_sources` AND $keyword$ $nopriv$ $nocomputer$ TaskCategory=Logon +| stats count + $interval.earliest$ + $interval.latest$ + 1 + + + + + + + + + + + Logon Audit Failure events + + + `event_sources` AND $Computer$ AND $keyword$ $nocomputer$ $nopriv$ Failure_Reason=* ("Audit Failure") +| stats count + $interval.earliest$ + $interval.latest$ + + + + + + + + + search?q=`event_sources` Failure_Reason=* * ("Audit Failure") AND $Computer$ AND $keyword$ Message != "*privilege*" Account_Name != "*$*" | stats count&earliest=$interval.earliest$&latest=$interval.latest$ + + + + + New Local Admins + + + `event_sources`AND $Computer$ AND $keyword$ $nocomputer$ $nopriv$ +| transaction Security_ID maxspan=180m +| search EventCode=4720 OR (EventCode=4732 Administrators) +| stats count + 
$interval.earliest$ + $interval.latest$ + 1 + + + + + + + + + + + + + + + + + + + + + + + + Events Summary + + + `event_sources` AND $Computer$ AND $keyword$ $nopriv$ $nocomputer$ $Audit_Type$ +| fillnull +| eval Type=if(Keywords=="Audit Success",Keywords, Type) +| eval Type=if(Keywords=="Audit Failure",Keywords, Type) +| stats earliest(_time) as First latest(_time) as Last max(Message) as Sample_Message count by host, EventCode, Type +| sort -count host, EventCode, Type, Sample_message +| rename EventCode as "EventId" +| fieldformat First=strftime(First,"%x %X") | fieldformat Last=strftime(Last,"%x %X") + $interval.earliest$ + $interval.latest$ + + + + + + + + + https://www.eventid.net/display.asp?eventid=$row.EventId$&source=$row.SourceName$&app=SplunkEvId + +
+
+
+ + + Audit Failure Events + + + `event_sources` AND $Computer$ AND $keyword$ $nocomputer$ $nopriv$ AND "Audit Failure" +| fillnull +| eval user=mvindex(Account_Name,1) +| table _time, host, EventCode, Message, user, Failure_Reason, Source_Workstation, Caller_Process_Name +| rename EventCode as "EventId", Caller_Process_Name as Process + $interval.earliest$ + $interval.latest$ + + + + + + +
+
+
+ + + Accounts successfully logged on + + + `event_sources`AND $Computer$ AND $keyword$ $nocomputer$ $nopriv$ AND TaskCategory=Logon AND NOT Account_Name="*ANONYMOUS*" +| timechart count + $interval.earliest$ + $interval.latest$ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Audit Success Events + + + `event_sources` AND $Computer$ AND $keyword$ $nopriv$ $nocomputer$ "Audit Success" +| fillnull +| eval Type=if(Keywords=="Audit Success",Keywords, Type) +| eval Type=if(Keywords=="Audit Failure",Keywords, Type) +| eval user=mvindex(Account_Name,1) +| table _time, host, EventCode, Message, user, Source_Workstation, Process_Name +| rename EventCode as "EventId", Process_Name as Process + $interval.earliest$ + $interval.latest$ + + + + + + +
+
+
+ + + Audit events - drill down option + + + `event_sources` $Audit_Type$ AND $Computer$ AND $keyword$ $nopriv$ $nocomputer$ +| fillnull +| eval Type=if(Keywords=="Audit Success",Keywords, Type) +| eval Type=if(Keywords=="Audit Failure",Keywords, Type) +| eval user=mvindex(Account_Name,1) +| table _time, host, EventCode, Type, Message, user + $interval.earliest$ + $interval.latest$ + + host, LogName, EventCode, SourceName, Type, Message, user + + + + + + + +
\ No newline at end of file diff --git a/deployment-apps/eventid/default/data/ui/views/documentation.xml b/deployment-apps/eventid/default/data/ui/views/documentation.xml new file mode 100644 index 00000000..286b5a22 --- /dev/null +++ b/deployment-apps/eventid/default/data/ui/views/documentation.xml @@ -0,0 +1,55 @@ + + + + + Introduction + +
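Review bot: The drilldown link that follows the `Events Summary` search, `https://www.eventid.net/display.asp?eventid=$row.EventId$&source=$row.SourceName$&app=SplunkEvId`, references `$row.SourceName$`, but that panel's `stats ... by host, EventCode, Type` does not carry SourceName into the row, so the `source` parameter is sent empty; add `SourceName` to the by-clause (as the summary panel in eventid.xml does) or drop the parameter. The row values are placed into a URL to a third-party site unencoded; Splunk's `|u` token filter (`$row.SourceName|u$`) keeps a source name containing `&` or spaces from breaking the query string. The `Accounts with 3 or more failed logons` panel runs `stats count by Account_Name` on the raw multivalue field, while the event tables in the same view use `eval user=mvindex(Account_Name,1)` to pick the target account — counting the raw field also counts the subject account of each failure event, and its `Account_Name != "*$*"` differs from the `"*$$*"` escaping used in the input section, so it is worth confirming which form actually excludes machine accounts.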

Welcome to the EventID.Net Windows Event Logs app!

+ +
+
+ + + Windows Event Log App sources of information + +

The Windows Event Log App assumes that Splunk is collecting information from Windows servers and workstation via one of the following methods: +

+

+ +

All these methods will collect the events and either collect them in the "wineventlog" Splunk index or record them in the default index with source the source set as "*WinEventLog*" (notice the wildcards). The app analyzes the entries matching these criteria (index="wineventlog" OR source=*WinEventLog*). This matches the defaults used by the Universal Forwarder, the collection of local Windows event logs and the collection via WMI.

+ +

In order to create the proper indexes, we recommend the installation of the Splunk Add-on for Microsoft Windows app.

+ +

To collect the logs from remote computers without installing the Universal Forwarded on each computer, configure the forwarding of event logs to central location using the Windows built-in event forwarding. See Configure Computers to Forward and Collect Events for details on how to configure a computer as a collector of logs.

+ + +
+
+ + + Additional information and troubleshooting + +

If no data is displayed, please verify that the Universal Forwarder is installed properly and that the all the Windows event logs are sent to the "wineventlog" index (or the WinEventLog* sources).

+ +

If the data is stored in a different index, the user can update the macros.conf [event_sources] section by using the application setup.

+ +

The Interesting Processes section from the Processes dashboard is partially based on a presentation by Michael Gough from www.malwarearchaeology.com: "The Top 10 Windows Event ID's Used To Catch Hackers In The Act". See for the presentation slides and information on how to enable the auditing of processes, including command-line based ones. The list of "interesting processes" is based on a study by JPCERT CC (Japan Computer Emergency Response Team Coordination Center) on detecting lateral movement through tracking of event logs. The list is stored in C:\Program Files\Splunk\etc\apps\eventid\lookups\interesting_processes.csv and it can be adjusted with a text editor if needed. For full functionality the audit of the command line arguments has to be enabled as described in Command Line Process Auditing

+ +

The XML dashboard is design to report Windows events rendered from the XML by using the renderXML stanza. The renderXML option reduced the volume of data to about 25% of the regular events, however some details such as the full description of the event are no longer recorded. See Feature Overview: XML Event Logs for more details.

+ +

Each of the dashboard can be set as an alarm (i.e. notifications when a certain number of failed logins are recorded, when certain processes are executed, etc).

+ +

Send any suggestions and questions to support@altairtech.ca. We can also provide advice in setting up the Splunk receiver for the Universal Forwarder.

+ +

We publish the most current version of EventID.Net Windows Event Logs Splunk app on www.eventid.net. Splunk may takes weeks or months to certify a new version.

+ + +
+
+ +
\ No newline at end of file diff --git a/deployment-apps/eventid/default/data/ui/views/eventid.xml b/deployment-apps/eventid/default/data/ui/views/eventid.xml new file mode 100644 index 00000000..27f7ba54 --- /dev/null +++ b/deployment-apps/eventid/default/data/ui/views/eventid.xml @@ -0,0 +1,362 @@ +
+ + Click on the event to check it on www.eventid.net +
+ + + + -24h@h + now + + + + + Error,Warning + Error + Warning + Information + ( + ) + Type=" + " + OR + Type + Type + + + + Denial,Audit Failure + Audit Failure + Audit Success + ( + ) + " + " + OR + Audit Type + Audit Type + Audit Failure + + + + All + * + ( + ) + host=" + " + OR + + `event_sources` | stats count by host + $interval.earliest$ + $interval.latest$ + + host + host + + + + * + + + + none + + ( + ) + + SourceName!=" + " + + AND + None + + `event_sources` $Type$ AND $Computer$ AND $keyword$ | stats count by SourceName + $interval.earliest$ + $interval.latest$ + + SourceName + SourceName + +
+ + + Errors + + + `event_sources` Type="Error" AND $Computer$ AND $keyword$ | stats count + $interval.earliest$ + $interval.latest$ + 1 + + + + + + + + + + + + + + + + + + + + + + Warnings + + + `event_sources` Type="Warning" AND $Computer$ AND $keyword$ | stats count + $interval.earliest$ + $interval.latest$ + 1 + + + + + + + + + + + + + + + + + + + + + + Information + + + `event_sources` Type="Information" AND NOT ("Audit Success" OR "Audit Failure") AND $Computer$ AND $keyword$ | stats count + $interval.earliest$ + $interval.latest$ + 1 + + + + + + + + + + + + + + + + + + + + search?q=`event_sources` Type="Information" | stats count&earliest=$interval.earliest$&latest=$interval.latest$ + + + + + Audit Failure + + + `event_sources` "Audit Failure" AND $Computer$ AND $keyword$ +| stats count + $interval.earliest$ + $interval.latest$ + 1 + + + + + + + + + /app/eventid/audit_events + + + + + Audit Success + + + `event_sources` Keywords="Audit Success" AND $Computer$ AND $keyword$ | stats count + $interval.earliest$ + $interval.latest$ + 1 + + + + + + + + + + + Logon Audit Failure + + + `event_sources` Failure_Reason=* ("Audit Failure") AND $Computer$ AND $keyword$ | eval user=mvindex(Account_Name,1) | stats count + -24h@h + now + + + + + + + + + /app/eventid/audit_events + + + + + + + Accounts with 3 or more failed logons + + + `event_sources` Failure_Reason=* * ("Audit Failure") AND $Computer$ AND $keyword$ | stats count by user | where count > 2 + $interval.earliest$ + $interval.latest$ + 1 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Top computers generating events + + + `event_sources` AND $Computer$ AND $keyword$ AND ($Audit_Type$ OR $Type$) +| eval SourceName = coalesce(SourceName,source) +| fillnull +| search $sourcetype_token$ +| stats count by host + $interval.earliest$ + $interval.latest$ + + + + + + /app/eventid/eventid?form.Computer=$row.host$ + + + + + + + Windows events over time + + + `event_sources` AND $Computer$ AND $keyword$ AND 
($Audit_Type$ OR $Type$) +| timechart count + $interval.earliest$ + $interval.latest$ + + + + + + + + + + + + + + + + + + + Events Summary - Links to www.eventid.net + + + `event_sources` AND $Computer$ AND $keyword$ AND ($Audit_Type$ OR $Type$) +| eval SourceName = coalesce(SourceName,Provider) +| eval Type = coalesce(Type,Keyword) +| fillnull value="-" +| stats earliest(_time) as First latest(_time) as Last count by host, EventCode, SourceName, Type +| sort -count host, EventCode, SourceName, Type +| rename EventCode as "EventId" +| fieldformat First=strftime(First,"%x %X") +| fieldformat Last=strftime(Last,"%x %X") + $interval.earliest$ + $interval.latest$ + + + + + + + + + https://www.eventid.net/display.asp?eventid=$row.EventId$&source=$row.SourceName$&app=SplunkEvId + +
+
+
+ + + Events List + + + `event_sources` AND $Computer$ AND $keyword$ AND ($Audit_Type$ OR $Type$) +| eval SourceName = coalesce(SourceName,Provider) +| eval Type = coalesce(Type,Keyword) +| fillnull +| table _time, host, EventCode, SourceName, Type, Message +| rename EventCode as "EventId" + $interval.earliest$ + $interval.latest$ + + + + + + + + + + +
\ No newline at end of file diff --git a/deployment-apps/eventid/default/data/ui/views/interesting_events.xml b/deployment-apps/eventid/default/data/ui/views/interesting_events.xml new file mode 100644 index 00000000..03c08a86 --- /dev/null +++ b/deployment-apps/eventid/default/data/ui/views/interesting_events.xml @@ -0,0 +1,55 @@ +
+ + Click on the event to check it on www.eventid.net +
+ + + + -24h@h + now + + + + + All + * + ( + ) + ComputerName=" + " + OR + + `event_sources` | stats count by ComputerName + $interval.earliest$ + $interval.latest$ + + ComputerName + ComputerName + + + + * + +
+ + + Interesting Events + + + `event_sources` AND $Computer$ AND $keyword$ | lookup interesting_events_lookup event_id AS EventCode, source AS SourceName OUTPUT source,description | search description="*" | table _time, ComputerName, EventCode, SourceName, Type, Message,description | rename EventCode as "EventId", description as "Why is it interesting?" + $interval.earliest$ + $interval.latest$ + 1 + + + + + + + + + +
+
+
+
\ No newline at end of file diff --git a/deployment-apps/eventid/default/data/ui/views/interesting_processes.xml b/deployment-apps/eventid/default/data/ui/views/interesting_processes.xml new file mode 100644 index 00000000..76aa680f --- /dev/null +++ b/deployment-apps/eventid/default/data/ui/views/interesting_processes.xml @@ -0,0 +1,189 @@ +
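Review bot: The Interesting Events lookup uses `OUTPUT source,description`, so on every matched row the CSV's `source` column overwrites the event's own `source` field; `OUTPUTNEW description` (or `OUTPUT source AS lookup_source, description`) keeps the original metadata intact. The `| search description="*"` filter only means "matched" as long as unmatched rows carry no description; transforms.conf sets `default_match = N/A` for this lookup, which is inert without `min_matches` but would turn this filter into a no-op if that is ever added, so `description=* NOT description="N/A"` is safer either way. The join is on the exact (event_id, source) pair, and the CSV spells the same provider in more than one way, so events whose SourceName is not listed verbatim will not be flagged — worth noting in the view description.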
+ + List of processes identified through event id 4688 and listed in the www.eventid.net list of processes that may indicate suspicious activity. To generate event id 4688, a system requires the audit of process creation. See the documentation for more details. +
+ + + + -24h@h + now + + + + + All + * + ( + ) + ComputerName=" + " + OR + + `event_sources` (EventCode=4688) | stats count by ComputerName + $interval.earliest$ + $interval.latest$ + + ComputerName + ComputerName + + + + All + * + ( + ) + New_Process_ID=" + " + OR + + `event_sources` (EventCode=4688) | stats count by New_Process_ID + $interval.earliest$ + $interval.latest$ + + New_Process_ID + New_Process_ID + + + + All + * + ( + ) + Creator_Process_ID=" + " + OR + + `event_sources` (EventCode=4688) | stats count by Creator_Process_ID + $interval.earliest$ + $interval.latest$ + + Creator_Process_ID + Creator_Process_ID + + + + * + + + + Yes + No + Account_Name != "*$*" + Account_Name != "*$*" + + + + Yes + No + New_Process_Name = "*" + New_Process_Name = "*" + +
+ + + Interesting Processes + + + `event_sources` AND $Computer$ AND $keyword$ $nocomputer$ $creator$ $process_id$ $nocmdpowershell$ (EventCode=4688) | lookup processlookup full_path_process as New_Process_Name OUTPUT process | lookup interesting_process_lookup process OUTPUT Category,Process_Details | search Category="*" | table _time, host, Account_Name, Process_Command_Line, process,Category,Process_Details, New_Process_ID, +Creator_Process_ID | rename host as Server,process as Process,Process_Details as "Interesting Process Details" + $interval.earliest$ + $interval.latest$ + 1 + + + + + + + + + +
+
+
+ + + Last 100 Processes + + + `event_sources` (EventCode=4688) AND $Computer$ AND $keyword$ $nocomputer$ $creator$ $process_id$ $nocmdpowershell$ +| head 100 +| table _time, host,Account_Name, New_Process_Name,Process_Command_Line, New_Process_ID, +Creator_Process_ID + $interval.earliest$ + $interval.latest$ + 1 + + + + + + + + + +
+
+
+ + + Top Processes + + + `event_sources` (EventCode=4688) AND $Computer$ AND $keyword$ $nocomputer$ $creator$ $process_id$ $nocmdpowershell$ | stats count by host, New_Process_Name | table host, New_Process_Name,count | sort -count | rename count as Count + $interval.earliest$ + $interval.latest$ + 1 + + + + + + + + +
+
+
+ + + Least Common Processes + + + `event_sources` (EventCode=4688) AND $Computer$ AND $keyword$ $nocomputer$ $creator$ $process_id$ $nocmdpowershell$ | stats count by host, New_Process_Name | table host, New_Process_Name,count | sort count| rename count as Count + $interval.earliest$ + $interval.latest$ + 1 + + + + + + + + +
+
+
+ + + Unusually Long CLI Commands + + + `event_sources` (EventCode=4688) AND (ComputerName="*") AND * Account_Name != "*$$*" (Creator_Process_ID="*") (New_Process_ID="*") New_Process_Name = "*" | head 100 | table _time, host,Account_Name, New_Process_Name,Process_Command_Line, New_Process_ID, +Creator_Process_ID + -24h@h + now + 1 + + + + + + + + +
+
+
+
\ No newline at end of file diff --git a/deployment-apps/eventid/default/data/ui/views/users_and_groups.xml b/deployment-apps/eventid/default/data/ui/views/users_and_groups.xml new file mode 100644 index 00000000..5171c5b6 --- /dev/null +++ b/deployment-apps/eventid/default/data/ui/views/users_and_groups.xml @@ -0,0 +1,225 @@ +
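Review bot: The Unusually Long CLI Commands panel never measures command length: its search is the same 4688 listing with `| head 100`, the dashboard tokens replaced by hard-coded values (`ComputerName="*"`, `Account_Name != "*$$*"`, `New_Process_Name = "*"`) and a fixed `-24h@h`/`now` window that ignores the interval picker, so it shows the same rows as Last 100 Processes. Something like `| eval cmd_len=len(Process_Command_Line) | where cmd_len > 200 | sort -cmd_len | head 100` with `$interval.earliest$`/`$interval.latest$` would match the title (the threshold is a constructed placeholder to tune). The checkbox token values at the top of the view define `Account_Name != "*$*"` with a single `$` while this panel writes `*$$*`; since Simple XML treats `$` as a token delimiter, the two spellings should be reconciled to the escaped form.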
+ + Users and Groups Activities +
+ + + + -24h@h + now + + + + + * + * + +
+ + + Users Created + + + `event_sources` eventtype=windows_account_created $keyword$ +| timechart count + $interval.earliest$ + $interval.latest$ + 1 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Attempts to login with disabled accounts + + + `event_sources` name="*currently disabled*" $keyword$ +| eval domain=mvindex(Account_Domain,1) +| eval source_computer = coalesce(Workstation_Name,src_ip) +| eval domain = coalesce(domain,src_nt_domain) +| table _time,host,domain,user,source_computer + $interval.earliest$ + $interval.latest$ + 1 + + + + + + + + + +
+
+
+ + + Users Added to Domain Admins or Enterprise Admins + + + `event_sources` name="A member was added to a security-enabled *" AND ("Enterprise Admins" OR "Domain Admins") $keyword$ +| rename dest_nt_domain as domain, EventCode as "event id", Display_Name as "user name",host as server +| dedup _time,user +| eval added_by=mvindex(Security_ID,0) +| eval user=mvindex(Security_ID,1) +| table _time, server,domain, user,added_by + $interval.earliest$ + $interval.latest$ + 1 + + + + + + + + + +
+
+ + Users Added to local Administrators + + + `event_sources` name="A member was added to a security-enabled local group" AND user_group="Administrators" $keyword$ +| rename dest_nt_domain as domain, EventCode as "event id", Display_Name as "user name",host as server +| eval added_by=mvindex(Security_ID,0) +| eval user=mvindex(Security_ID,1) +| table _time, server,domain, user,added_by + $interval.earliest$ + $interval.latest$ + 1 + + + + + + + + + +
+
+
+ + + Users Created + + + `event_sources` eventtype=windows_account_created +| rename dest_nt_domain as domain, EventCode as "event id", Display_Name as "user name",host as server +| dedup _time,user +| eval created_by=mvindex(Account_Name,0) +| table _time, server,domain, user,"user name", created_by +| sort _time + $interval.earliest$ + $interval.latest$ + 1 + + + + + + + + + +
+
+ + Users Deleted + + + `event_sources` AND eventtype=windows_account_deleted $keyword$ +| eval deleted_by=mvindex(Account_Name,0) +| table _time, host, user,deleted_by +| sort _time + $interval.earliest$ + $interval.latest$ + 1 + + + +
+
+
+ + + Groups Created + + + `event_sources` name="A security-enabled global group was created" +| dedup _time,Group_Name +| rename dest_nt_domain as domain, EventCode as "event id", user as "created_by",host as server +| table _time, server,domain,Group_Name, created_by +| sort _time + $interval.earliest$ + $interval.latest$ + 1 + + + + + + + + + +
+
+ + Groups Deleted + + + `event_sources` name="A security-enabled global group was deleted" $keyword$ +| rename dest_nt_domain as domain, EventCode as "event id", user as "Deleted by",host as server +| table _time, server,domain,Group_Name, "Deleted by" +| sort _time + $interval.earliest$ + $interval.latest$ + 1 + + + + + + + + + +
+
+
+
\ No newline at end of file diff --git a/deployment-apps/eventid/default/data/ui/views/windows_event_sources.xml b/deployment-apps/eventid/default/data/ui/views/windows_event_sources.xml new file mode 100644 index 00000000..0eee2479 --- /dev/null +++ b/deployment-apps/eventid/default/data/ui/views/windows_event_sources.xml @@ -0,0 +1,120 @@ +
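Review bot: The `$keyword$` filter is applied inconsistently: the Users Created table (the second panel with that title) and the Groups Created panel omit it while every other panel on the view includes it, so the free-text input silently has no effect on those two; add `$keyword$` after the eventtype/name clause. In Users Added to Domain Admins or Enterprise Admins, `| dedup _time,user` runs before `| eval user=mvindex(Security_ID,1)` reassigns `user`, so the dedup keys on the originally extracted value rather than the one the table displays; move the dedup after the eval. The `windows_account_created` and `windows_account_deleted` eventtypes are not defined by any conf file I can see in this commit, so the panels presumably depend on the Windows TA being installed — that prerequisite belongs in the dashboard description.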
+ + Click on the event source to check it on www.eventid.net +
+ + + + -24h@h + now + + + + + Error + ( + ) + Type=" + " + OR + + `event_sources`| stats count by Type + $earliest$ + $latest$ + + Type + Type + + + + All + * + ( + ) + ComputerName=" + " + OR + + `event_sources` | stats count by ComputerName + $earliest$ + $latest$ + + ComputerName + ComputerName + + + + * + +
+ + + Event sources + + Click on the source to look it up on www.eventid.net + + `event_sources` $Type$ AND $Computer$ AND $keyword$ | stats count as TotalEvents by SourceName + + + https://www.eventid.net/source-name-$row.SourceName$.htm + + + + + + + + + + Event sources percentages + + + `event_sources` $Type$ AND $Computer$ AND $keyword$ | stats count by SourceName + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Matching events - drill down option + + + `event_sources` $Type$ AND $Computer$ AND $keyword$| table _time, ComputerName, LogName, EventCode, SourceName, Type, Message, UserName + + + + + + + + + + + ["ComputerName","LogName","EventCode","SourceName","Type","Message","UserName"] + + + +
\ No newline at end of file diff --git a/deployment-apps/eventid/default/data/ui/views/windows_events_xml_source.xml b/deployment-apps/eventid/default/data/ui/views/windows_events_xml_source.xml new file mode 100644 index 00000000..4191ea98 --- /dev/null +++ b/deployment-apps/eventid/default/data/ui/views/windows_events_xml_source.xml @@ -0,0 +1,208 @@ +
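Review bot: The Event sources drilldown here, the summary drilldowns in eventid.xml and windows_events_xml_source.xml, and the workflow action in workflow_actions.conf all send event ids and source names taken from the indexed logs to www.eventid.net over a GET request; that is the app's intended feature, but it is an egress of log metadata to a third party and the documentation view should say so explicitly, so operators in restricted environments know what to disable. Source names contain spaces and slashes (the lookup CSV itself lists `Microsoft-Windows-Windows Firewall with Advanced Security`); Splunk URL-encodes tokens inside `<link>` by default as far as I know, but `$row.SourceName|u$` makes that intent explicit in `https://www.eventid.net/source-name-$row.SourceName|u$.htm`. This view's populating searches use `$earliest$`/`$latest$` whereas every other view uses `$interval.earliest$`/`$interval.latest$`; presumably the time input here is untokenized, but the inconsistency is worth a comment.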
+ + Dashboard for events collected using the renderXML option +
+ + + + -24h@h + now + + + + + Error + Warning + Information + Audit + ( + ) + Level=" + " + OR + Level + Level + 3,2 + 2,3 + + + + All + * + ( + ) + Computer=" + " + OR + + `event_sources_xml` | stats count by Computer + $interval.earliest$ + $interval.latest$ + + Computer + Computer + + + + * + + + + none + + ( + ) + + Name!=" + " + + AND + None + + `event_sources_xml` $Type$ AND $Computer$ AND $keyword$ | rex field=Name mode=sed "s/\'//g" | stats count by Name + $interval.earliest$ + $interval.latest$ + + Name + Name + +
+ + + Windows events over time + + + `event_sources_xml` +| search $Type$ $Computer$ AND $keyword$ +| lookup xmleventtype_lookup xml_type AS Level OUTPUT event_type +| timechart count by event_type + $interval.earliest$ + $interval.latest$ + + + + + + + + + + + + Top computers generating events + + + `event_sources_xml` | fillnull value="-" | search $Computer$ AND $keyword$ | stats count by Computer + $interval.earliest$ + $interval.latest$ + + + + + + + + Accounts with 3 or more failed logons + + + `event_sources_xml` eventtype=windows_logon_failure | stats count by user | where count > 2 + $interval.earliest$ + $interval.latest$ + 1 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Logon Audit Failure events + + + `event_sources_xml` eventtype=windows_logon_failure | eval user=mvindex(Account_Name,1) | stats count + $interval.earliest$ + $interval.latest$ + + + + + + + + + + Events Summary + + + `event_sources_xml` | search $Type$ $Computer$ | lookup xmleventtype_lookup xml_type AS Level OUTPUT event_type | rex field=Name mode=sed "s/\'//g" | stats earliest(_time) as First latest(_time) as Last count by Computer,EventID,Name,Channel, event_type,eventtype | sort -count Computer,EventID,Name,Channel, event_type,eventtype | fieldformat First=strftime(First,"%x %X") | fieldformat Last=strftime(Last,"%x %X") | rename Channel as Log, Name as Source,event_type as Level,eventtype as Category + $interval.earliest$ + $interval.latest$ + + + + + + + + + https://www.eventid.net/display.asp?eventid=$row.EventId$&source=$row.SourceName$&app=SplunkEvId + +
+
+ + Logon Audit Failure events + + + `event_sources_xml` eventtype=windows_logon_failure | table _time,Computer,EventID,user,WorkstationName,LogonType,name | rename name as Details + $interval.earliest$ + $interval.latest$ + + + + + + + +
+
+
+ + + Events List + + + `event_sources_xml` | search ($Type$) AND $Computer$ AND $keyword$ $sourcetype_token$ | rex field=Name mode=sed "s/\'//g" | lookup xmleventtype_lookup xml_type AS Level OUTPUT event_type | lookup xml_raw_data_lookup raw_xml_data as EventData_Xml OUTPUT extracted_xml_data | eval extracted_xml_data = split(extracted_xml_data,"@") | table _time,EventID,Name,Channel, event_type,eventtype, extracted_xml_data | rename Channel as Log, event_type as Level, eventtype as Category, Name as Source + $interval.earliest$ + $interval.latest$ + + + + + + + + + + +
\ No newline at end of file diff --git a/deployment-apps/eventid/default/macros.conf b/deployment-apps/eventid/default/macros.conf new file mode 100644 index 00000000..1cdd92f8 --- /dev/null +++ b/deployment-apps/eventid/default/macros.conf @@ -0,0 +1,8 @@ + +[event_sources] +definition = (index="wineventlog" OR source=*WinEventLog*) +iseval = 0 + +[event_sources_xml] +definition = index="wineventlog_xml" +disabled = 0 \ No newline at end of file diff --git a/deployment-apps/eventid/default/setup.xml b/deployment-apps/eventid/default/setup.xml new file mode 100644 index 00000000..b4cabbd0 --- /dev/null +++ b/deployment-apps/eventid/default/setup.xml @@ -0,0 +1,23 @@ + + + + + + + text + + + + + + + + text + + + + diff --git a/deployment-apps/eventid/default/transforms.conf b/deployment-apps/eventid/default/transforms.conf new file mode 100644 index 00000000..749c491c --- /dev/null +++ b/deployment-apps/eventid/default/transforms.conf @@ -0,0 +1,22 @@ +[interesting_process_lookup] +default_match = N/A +filename = eventid_interesting_processes.csv +max_matches = 1 + +[processlookup] +external_cmd = ev_process_proc.py full_path_process process +fields_list = full_path_process,process + +[xmleventtype_lookup] +default_match = N/A +filename = xml_event_types.csv +max_matches = 1 + +[xml_raw_data_lookup] +external_cmd = ev_process_xml_parameters.py raw_xml_data extracted_xml_data +fields_list = raw_xml_data,extracted_xml_data + +[interesting_events_lookup] +default_match = N/A +filename = eventid_interesting_events.csv +max_matches = 1 \ No newline at end of file diff --git a/deployment-apps/eventid/default/workflow_actions.conf b/deployment-apps/eventid/default/workflow_actions.conf new file mode 100644 index 00000000..bc177771 --- /dev/null +++ b/deployment-apps/eventid/default/workflow_actions.conf 
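Review bot: The Events Summary drilldown references `$row.EventId$` and `$row.SourceName$`, but that panel's stats output carries `EventID` and renames `Name as Source`, so both tokens resolve to empty strings and the eventid.net link is built without an event id or source; use `$row.EventID$` and `$row.Source$` (the current names were copied from eventid.xml, where `rename EventCode as "EventId"` makes them valid). The Accounts with 3 or more failed logons and both Logon Audit Failure panels ignore `$Type$`, `$Computer$` and `$keyword$` while their neighbours apply them, so the computer filter does not narrow those counts. `eventtype=windows_logon_failure` is not defined by any conf file I can see in this commit, so those panels presumably depend on the Windows TA — say so in the dashboard description.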
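Review bot: `[event_sources]` is defined as `(index="wineventlog" OR source=*WinEventLog*)`; the second disjunct carries no index qualifier, so every dashboard search built on this macro scans all indexes the user can read and will also pick up any non-Windows source whose name happens to contain WinEventLog. If the intent is only to cover installations that kept the default index, `(index="wineventlog" OR (index=* source=*WinEventLog*))` at least makes the scope explicit, and a macro argument for the index name would be cleaner still. The two stanzas are also inconsistent (`iseval = 0` in one, `disabled = 0` in the other); both keys are defaults and can be dropped.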
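Review bot: `[xml_raw_data_lookup]` hands the raw `EventData_Xml` of every matching event to the external script `ev_process_xml_parameters.py`; the script is added by this commit but is not in this excerpt, so I cannot see how it parses, and because the input is log content an attacker can influence it should use a parser that rejects entity expansion and external entities (`defusedxml`, or `xml.etree` with `resolve_entities`-style hardening), which the stanza should document with a comment. External lookups (`[processlookup]` too) spawn a subprocess per search and stream the whole result set through it, so the Events List search in windows_events_xml_source.xml should keep its filtering ahead of the lookup rather than rely on the trailing `| table`. `default_match = N/A` in the three CSV stanzas has no effect unless `min_matches = 1` is set; either add that or remove the line so the dashboards' `description="*"` and `Category="*"` filters keep meaning "matched".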
@@ -0,0 +1,10 @@
+
+[Eventid.Net lookup]
+display_location = event_menu
+eventtypes = winapp
+fields = $EventCode$,$SourceName$
+label = Lookup event id $EventCode$ on www.eventid.net
+link.method = get
+link.target = blank
+link.uri = https://www.eventid.net/display.asp?eventid=$EventCode$&app=Splunk&source=$SourceName$
+type = link
diff --git a/deployment-apps/eventid/license-eula.rtf b/deployment-apps/eventid/license-eula.rtf
new file mode 100644
index 00000000..dd0f29b3
--- /dev/null
+++ b/deployment-apps/eventid/license-eula.rtf
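Review bot: `fields = $EventCode$,$SourceName$` wraps the field names in token syntax, but this setting takes a plain comma-separated list of field names that must be present on the event (the `$...$` form belongs only in `label` and `link.uri`), so as written the action is keyed on fields literally named `$EventCode$` and will not appear in the event menu; use `fields = EventCode,SourceName`. The action is also gated on `eventtypes = winapp`, which no conf file I can see in this commit defines, so either confirm that eventtype exists where the app is deployed or drop the restriction. The `$EventCode$`/`$SourceName$` values in `link.uri` are URL-encoded by Splunk in this form, which is the right choice for a third-party GET; a comment saying the action deliberately sends event metadata to www.eventid.net would help operators decide whether to keep it.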
@@ -0,0 +1,57 @@ +{\rtf1\ansi\ansicpg1252\deff0{\fonttbl{\f0\fswiss\fcharset0 Helvetica;}} +{\*\generator Msftedit 5.41.21.2508;} +{\info +{\title Splunk Software License Agreement} +{\*\company Splunk Inc.}}\viewkind4\uc1\pard\qc\lang1033\b\f0\fs22 SPLUNK SOFTWARE LICENSE AGREEMENT\par +\pard\b0\fs18\par +THIS SPLUNK SOFTWARE LICENSE AGREEMENT (THE "AGREEMENT") GOVERNS ALL SOFTWARE PROVIDED BY SPLUNK INC. ("SPLUNK") INCLUDING FREE SPLUNK SOFTWARE ("FREE SOFTWARE") AND SOFTWARE PURCHASED THROUGH SPLUNK'S ONLINE STORE OR OTHER CHANNELS ("PURCHASED SOFTWARE"), COLLECTIVELY THE SPLUNK SOFTWARE ("SOFTWARE") AND ANY AND ALL UPDATES, UPGRADES, AND MODIFICATIONS THERETO. CONFIRMATION OF YOUR ORDERS ("ORDER CONFIRMATION") WILL BE DEEMED INCORPORATED INTO AND MADE PART OF THIS AGREEMENT.\par +\par +YOU WILL BE REQUIRED TO INDICATE YOUR AGREEMENT TO THESE TERMS AND CONDITIONS IN ORDER TO DOWNLOAD THE SOFTWARE AND REGISTER WITH SPLUNK IN ORDER TO OBTAIN LICENSE KEYS NECESSARY TO COMPLETE THE INSTALLATION PROCESS FOR PURCHASED SOFTWARE. BY CLICKING ON THE "YES" BUTTON, DOWNLOADING OR INSTALLING THE SOFTWARE, OR USING ANY MEDIA THAT CONTAINS THE SOFTWARE, YOU ARE CONSENTING TO BE BOUND BY THIS AGREEMENT.\par +\par +IF YOU AGREE TO THESE TERMS ON BEHALF OF A BUSINESS, YOU REPRESENT AND WARRANT THAT YOU HAVE AUTHORITY TO BIND THAT BUSINESS TO THIS AGREEMENT, AND YOUR AGREEMENT TO THESE TERMS WILL BE TREATED AS THE AGREEMENT OF THE BUSINESS. IN THAT EVENT, "YOU" AND "YOUR" REFER HEREIN TO THAT BUSINESS.\par +\par +"Splunk Developer API" means the documentation and functionality enabling the creation of extensions to the Software. "Example Modules" means the source code and binary form of examples that use the Splunk Developer API. \par +\par +PURCHASED SOFTWARE TERM. Unless earlier terminated, this Agreement will be in effect perpetually for any Purchased Software. "Term" means the period in which the Agreement is in effect.\par +\par +PURCHASED SOFTWARE FREE TRIAL. 
Notwithstanding the foregoing, if the applicable Order Confirmation is limited to a free trial license, then the Term will be limited to the free trial period specified in the Order Confirmation, this Agreement and any license rights granted hereunder will automatically terminate at the end of the free trial period, and there will be no Renewal Term. Any license keys provided for a free trial will automatically expire and may cause the Software to become non-operational at the end of the free trial period. Provisions in this Agreement regarding License Fees, Maintenance and Support, and Warranty will not apply to free trials.\par +\par +PURCHASED SOFTWARE LICENSE. Subject to your compliance with the terms and conditions of this Agreement, including your payment of the license fees set forth in each Order Confirmation (the "License Fees"), Splunk grants you a nonexclusive, nontransferable, revocable, limited license during the Term to use the Software for which you have paid the applicable License Fees as set forth in your Order Confirmation(s), only for your internal business purposes (which shall include use by consultants, accountants, auditors and attorneys hired to perform services for you) and only subject to the following conditions: you may use each Splunk Server with an Enterprise license to index no more than the peak daily volume of uncompressed data for which you have paid the applicable License Fees as set forth in your Order Confirmation (the "Maximum Peak Daily Volume"). The Software will be configured to display warnings and/or cease indexing data when the Maximum Peak Daily Volume is reached.\par +\par +FREE SOFTWARE LICENSE. 
Subject to the terms and conditions of this Agreement, Splunk grants to You a non-exclusive, worldwide, fully-paid up copyright license to use the Free Splunk Software in binary form only and only subject to the following conditions: (i) to index no more than 500MB of peak daily volume of uncompressed data (the 'Maximum Peak Daily Volume') and only for your internal business purposes (which shall include use by consultants, accountants, auditors and attorneys hired to perform services for you). The Software will be configured to display warnings, reduce available functionality, and/or cease indexing data when the Maximum Peak Daily Volume is reached.\par +\par +EXTENSION LICENSE. Splunk further grants to You a non-exclusive, worldwide, fully-paid up copyright license to use the Splunk Developer API and Example Modules included with the Software solely for the purpose of developing extensions to access the Splunk API or Example Modules for Your use in conjunction with the Software (collectively, "Your Extensions"). You agree to assume full responsibility for the performance of Your Extensions, and shall indemnify, hold harmless, and defend Splunk (including all of its officers, employees, directors, subsidiaries, representatives, affiliates and agents) and Splunk's suppliers from and against any claims or lawsuits, including attorney's fees and expenses, that arise or result from Your Extensions pursuant to this Agreement. You retain title to and copyright for Your Extensions, subject to Splunk's title to and copyright for the Software, the Splunk Developer API, and the Example Modules as specified in Ownership and Copyrights, below. This Agreement does not grant you any distribution rights. If you want to distribute or provide to any third parties Your Extensions, you must first register as a Splunk application developer and agree to the Splunk Developer Agreement at http://www.splunk.com/goto/devagreement. 
You will not remove or change any Splunk copyright notices or branding included in the Splunk Software or required by Splunk's Identity Guidelines as set forth at http://www.splunk.com/goto/splunkpowered, Splunk Developer APIs, or Example Modules, and will include such notices and branding in each copy of Your Extensions, the Splunk Software, the Splunk Developer APIs, and the Examples Modules that you make or distribute.\par +\par +PURCHASED SOFTWARE RESTRICTIONS. You agree not to (i) use the Software except as expressly authorized in this Agreement and your Order Confirmation; (ii) copy the Software (except as required to run the Software and for reasonable backup purposes); (iii) modify, adapt, or create derivative works of the Software; (iv) rent, lease, loan, resell, transfer, sublicense (including but not limited to offering any of the functionality of the Software on a service provider, hosted or time sharing basis) or distribute the Software to any third party; (v) decompile, disassemble or reverse-engineer the Software or otherwise attempt to derive the Software source code; (vi) disclose to any third party the results of any benchmark tests or other evaluation of the Software, or (vii) authorize any third parties to do any of the above.\par +\par +FREE SOFTWARE RESTRICTIONS. 
You shall not (i) decompile, disassemble or reverse engineer the Free Software without the express written authorization of Splunk; (ii) modify, adapt, or create derivative works of the Free Software; (iii) rent, lease, loan, or resell the Free Software, the Splunk Developer API, Example Modules, or Your Extensions (including but not limited to offering the functionality of the Free Software on an applications service provider or time sharing basis), except as expressly permitted in the Splunkbase Application Developer Agreement; (iv) decompile, disassemble or reverse-engineer the Software or otherwise attempt to derive the Software source code; (v) disclose to any third party the results of any benchmark tests or other evaluation of the Software, or (vi) authorize any third parties to do any of the above.\par +\par +OWNERSHIP. Splunk and/or its licensors own all worldwide right, title and interest in and to the Software, including all worldwide intellectual property rights therein. You will not delete or in any manner alter the copyright, trademark, and other proprietary rights notices appearing in or on the Software as provided. All right, title, and interest in and to all copies the Splunk Developer API, and the Example Modules remains with Splunk and/or its licensors. The Software, Splunk Developer API, and Example Modules are copyrighted and protected by the laws of the United States and other countries, and international treaty provisions. You may not remove any copyright notices from the Software, the Splunk Developer API, or the Example Modules.\par +\par +PURCHASED SOFTWARE LICENSE AND FEES. In order to access and use the Software, you are required to pay to Splunk the License Fees in accordance with your Order Confirmation. The License Fees will be due and payable in accordance with the terms set forth in your Order Confirmation. 
Any failure to pay the License Fees in accordance with an Order Confirmation will result in automatic revocation and termination of this Agreement and all rights and licenses granted hereunder. All License Fees are non-refundable once paid.\par +\par +MAINTENANCE AND SUPPORT. Subject to your payment of the applicable annual maintenance and support fees set forth in your Order Confirmation (the "Support Fees"), Splunk will provide the level of support for the Purchased Software identified in your Order Confirmation in accordance with the support descriptions set forth on Splunk's website at www.splunk.com. Splunk is not obligated to support, update or upgrade the Free Software.\par +\par +PURCHASED SOFTWARE VERIFICATION AND AUDIT. At Splunk's written request, you will furnish Splunk with a certification signed by an officer of your company verifying that the Software is being used in accordance with the terms and conditions of this Agreement and the applicable Order Confirmations. Upon at least ten (10) days prior written notice, Splunk may audit your use of the Software to ensure that you are in compliance with the terms of this Agreement and the applicable Orders. Any such audit will be conducted during regular business hours at your facilities, will not unreasonably interfere with your business activities and will be in compliance with your reasonable security procedures. You will provide Splunk with access to the relevant records and facilities. If an audit reveals that you have exceeded the daily peak volume during the period audited, then Splunk will invoice you, and you will promptly pay Splunk any underpaid fees based on Splunk's price list in effect at the time the audit is completed. If the daily peak volume usage exceeds ten percent (10%) of the licensed usage, then you will also pay Splunk's reasonable costs of conducting the audit.\par +\par +PURCHASED SOFTWARE WARRANTY. 
Splunk warrants that for a period of thirty (30) days after your registration of the Software with Splunk, the Software will substantially achieve any material function described in documentation for the Software published by Splunk. As Splunk's sole liability and your sole remedy for any failure of the Software to conform to this warranty, Splunk will repair or replace (at Splunk's option) your copy of the Software.\par +\par +WARRANTY DISCLAIMER. EXCEPT AS SET FORTH ABOVE, SPLUNK DISCLAIMS ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, QUIET ENJOYMENT AND WARRANTIES ARISING OUT OF COURSE OF DEALING OR USAGE OF TRADE. Splunk does not warrant (i) that the Software, developer's API'S or example modules will meet your requirements, (ii) that the Software will operate in the combinations that you may select, (iii) that the Software will serve the purposes intended by you, or (iv) that the operation of the Software will be error free or uninterrupted or that any Software errors will be corrected.\par +\par +LIMITATION OF LIABILITY. SPLUNK'S TOTAL CUMULATIVE LIABILITY TO YOU, FROM ALL CAUSES OF ACTION AND ALL THEORIES OF LIABILITY, WILL BE LIMITED TO AND WILL NOT EXCEED THE AMOUNTS PAID BY YOU TO SPLUNK IN THE TWELVE MONTHS PRIOR TO THE EVENT GIVING RISE TO SUCH LIABILITY. IN NO EVENT WILL SPLUNK BE LIABLE TO YOU FOR ANY SPECIAL, INDIRECT, INCIDENTAL, CONSEQUENTIAL OR PUNITIVE DAMAGES (INCLUDING LOSS OF USE, DATA, OR PROFITS, BUSINESS INTERRUPTION, OR COSTS OF PROCURING SUBSTITUTE SOFTWARE) ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT OR THE USE OR PERFORMANCE OF THE SOFTWARE, WHETHER SUCH LIABILITY ARISES FROM CONTRACT, WARRANTY, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY OR OTHERWISE, AND WHETHER OR NOT SPLUNK HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE. 
THE PARTIES HAVE AGREED THAT THESE LIMITATIONS WILL SURVIVE AND APPLY EVEN IF ANY REMEDY IS FOUND TO HAVE FAILED OF ITS ESSENTIAL PURPOSE. WITHOUT LIMITING THE FOREGOING, SPLUNK WILL HAVE NO LIABILITY OR RESPONSIBILITY FOR ANY BUSINESS INTERRUPTION OR LOSS OF DATA ARISING FROM THE AUTOMATIC TERMINATION OF THE LICENSE RIGHTS GRANTED HEREIN AND ANY ASSOCIATED CESSATION OF THE SOFTWARE FUNCTIONS. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATION OR EXCLUSION OF CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.\par +\par +PURCHASED SOFTWARE INDEMNITY. Splunk will defend, indemnify and hold you harmless from and against any loss, damage, liability or cost (including reasonable attorneys' fees) resulting from any third party claim that the Purchased Software infringes or violates any third party's patent, copyright or trademark rights; provided that you promptly notify Splunk in writing of any and all such claims. In the event of any loss, damage, liability or cost for which Splunk is obligated to indemnify you hereunder, Splunk shall have sole control of the defense and all related settlement negotiations, and you shall reasonably cooperate with Splunk in the defense and/or settlement thereof at Splunk's expense; provided that you may participate in such defense using your own counsel, at your own expense.\par +\par +TERMINATION. You may terminate this Agreement at any time by destroying or returning to Splunk all copies of the Software, including any documentation, in your possession and control, and providing to Splunk a written statement signed by an authorized representative of your company notifying Splunk that you are terminating the Agreement and certifying such destruction or return. Upon thirty days notice, Splunk may terminate this Agreement (and your license rights) upon notice in the event that you breach any provision of this Agreement and have not cured the breach during such notice period. 
Upon any expiration or termination of this Agreement, the rights and licenses granted hereunder will automatically terminate, and you agree to immediately cease using the Software and to return or destroy all copies of the Software in your possession or control. In the event of termination of this Agreement, Splunk will have no obligation to refund any License Fees, Support Fees, or other fees received from you during the Term. All provisions of this Agreement related to disclaimers of warranties, limitation of liability, remedies, damages, or Splunk's proprietary rights shall survive termination.\par +\par +SEVERABILITY. All rights and remedies, whether conferred hereunder or by any other instrument or law, will be cumulative and may be exercised singularly or concurrently. Failure by either Splunk or You to enforce any term will not be deemed a waiver of future enforcement of that or any other term. The terms and conditions stated herein are declared to be severable. Should any term(s) or condition(s) of this Agreement be held to be invalid or unenforceable the validity, construction and enforceability of the remaining terms and conditions of this Agreement shall not be affected.\par +\par +EXPORT. You agree to comply fully with all relevant export laws and regulations of the United States ("Export Laws") to ensure that the Software is not (i) exported or re-exported directly or indirectly in violation of Export Laws; or (ii) intended to be used for any purposes prohibited by the Export Laws, including but not limited to nuclear, chemical, or biological weapons proliferation.\par +\par +GOVERNMENT RESTRICTED RIGHTS. The Software shall be classified as "commercial computer software" as defined in the applicable provisions of the Federal Acquisition Regulation (the "FAR") and supplements thereto, including the Department of Defense (DoD) FAR Supplement (the "DFARS"). 
The parties acknowledge that the Software was developed entirely at private expense and that no part of the Software was first produced in the performance of a Government contract. If the Software is supplied for use by DoD, the Software is delivered subject to the terms of this Agreement and in accordance with DFARS 227.7202-1(a) and 227.7202-3(a) (1995), with restricted rights in accordance with DFARS 252.227-7013(c)(1)(ii) (OCT 1988), as applicable. If the Software is supplied for use by a Federal agency other than DoD, the Software is restricted computer software delivered subject to the terms of this Agreement and FAR 12.212(a) (1995); (ii) FAR 52.227-19; or FAR 52.227-14(ALT III), as applicable.\par +\par +PUBLICITY. You agree that Splunk may identify you as a Splunk customer on Splunk websites, client lists, press releases, and/or other marketing. You also agree that Splunk may publish a brief description highlighting your deployment of the Software.\par +\par +GENERAL. This Agreement shall be governed by and construed in accordance with the laws of the State of California, as if performed wholly within the state and without giving effect to the principles of conflict of law. Any legal action or proceeding arising under this Agreement will be brought exclusively in the federal or state courts located in the Northern District of California and the parties hereby consent to personal jurisdiction and venue therein. If any portion hereof is found to be void or unenforceable, the remaining provisions of this Agreement shall remain in full force and effect. Neither party may assign this Agreement, in whole or in part, except in connection with an internal reorganization or a sale of the business with which this Agreement is associated without Splunk's prior written consent, and any attempt to assign this Agreement other than as permitted above will be null and void. 
This Agreement is intended for the sole and exclusive benefit of the parties and is not intended to benefit any third party. Only the parties to this Agreement may enforce it. This Agreement and any Order Confirmations constitute the complete and exclusive understanding and agreement between the parties regarding their subject matter and supersede all prior or contemporaneous agreements or understandings, written or oral, relating to their subject matter. Any waiver, modification or amendment of any provision of this Agreement will be effective only if in writing and signed by duly authorized representatives of both parties.\par +} + diff --git a/deployment-apps/eventid/lookups/eventid_interesting_events.csv b/deployment-apps/eventid/lookups/eventid_interesting_events.csv new file mode 100644 index 00000000..154a5207 --- /dev/null +++ b/deployment-apps/eventid/lookups/eventid_interesting_events.csv 
@@ -0,0 +1,22 @@
+event_id,source,description
+104,Microsoft-Windows-Eventlog,Attackers tend to clear logs in order to hide previous activity.
+104,Eventlog,Attackers tend to clear logs in order to hide previous activity.
+517,Security,Attackers tend to clear logs in order to hide previous activity.
+1000,Application Error,Critical application error
+1001,Microsoft-Windows-WER-SystemErrorReporting,Blue Screen of Death
+1002,Application Hang,Application hang
+1076,USER32,An admin provided a reason for an unexpected restart
+1102,Eventlog,Attackers tend to clear logs in order to hide previous activity.
+2004,Microsoft-Windows-Windows Firewall with Advanced Security,Firewall rule added
+2006,Microsoft-Windows-Windows Firewall with Advanced Security,Firewall rule deleted
+2033,Microsoft-Windows-Windows Firewall with Advanced Security,Firewall rule deleted
+4608,Microsoft Windows security auditing,The computer has been restarted - not an usual event.
+4625,Microsoft Windows security auditing,A user failed to logon
+4663,Microsoft-Windows-Security-Auditing,An audited object has been accessed.
+4719,Microsoft-Windows-Security-Auditing,System audit policy was changed
+4728,Microsoft-Windows-Security-Auditing,User Added to Privileged Group
+4732,Microsoft-Windows-Security-Auditing,User Added to Privileged Group
+4735,Microsoft-Windows-Security-Auditing,Security-Enabled Group Modification
+4740,Microsoft-Windows-Security-Auditing,Account lockout
+4756,Microsoft-Windows-Security-Auditing,User Added to Privileged Group
+7045,Service Control Manager,Installation of new services are not typical events.
diff --git a/deployment-apps/eventid/lookups/eventid_interesting_processes.csv b/deployment-apps/eventid/lookups/eventid_interesting_processes.csv
new file mode 100644
index 00000000..123f2868
--- /dev/null
+++ b/deployment-apps/eventid/lookups/eventid_interesting_processes.csv
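Review bot: The `source` column mixes spellings for the same provider — `Microsoft Windows security auditing` on the 4608 and 4625 rows versus `Microsoft-Windows-Security-Auditing` on the 4663–4756 rows, and 1102 lists only `Eventlog` while 104 carries both `Microsoft-Windows-Eventlog` and `Eventlog` — so if `source` is part of the lookup's match key, the rows with the other spelling silently never match. The lookup definition (transforms.conf) is not in this hunk, so that is inferred; if `source` is a key, normalise it to one spelling, otherwise drop it and match on `event_id` alone, since the descriptions are already per-ID. Two descriptions also overstate the event per Microsoft's documentation: 4728/4732/4756 are "member added to a security-enabled global/local/universal group", which is not necessarily a privileged group, and 2033 is "all firewall rules deleted" rather than a single rule. The 4608 description `not an usual event` should read `not a usual event`.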
@@ -0,0 +1,72 @@
+process,Category,Process_Details
+arp.exe,Target Discovery,Obtains information about hosts on the local broadcast domain
+at.exe,Command Execution,Executes a task at the specified time and it may be used to secretly place an application or script without being recognized by the user in advance and then execute it at the desired time.
+bcdedit.exe,Privilege Escalation,Tool for editing the boot configuration and it may be used to escalate privileges
+bcp.exe,Data extraction,Bulk copy of data from database. It may be used to exfiltrate data.
+chcp.exe,Malware,"Displays the number of the active console code page, or changes the console's active console code page."
+cmd.exe,Command Execution,Can be used to execute a large number of commands
+cscript.exe,Command Execution,Can be used to execute a large number of scripts
+csvde.exe,Acquisition of Account Information,Outputs account information on the Active Directory in the CSV format and it can be used to extract information on an existing account and select users and clients available as attack targets.
+dsquery.exe,Acquisition of Account Information,"Obtains information, such as users and groups, from a directory service and it can be used to extract information on an existing account and select users and clients available as attack targets."
+Find-GPOPasswords.ps1,Password Hash Acquisition,Acquires any password descriptions in a group policy file and may attempt to infiltrate other hosts using acquired passwords (by executing the tool on Active Directory).
+GSECDUMP.EXE,Password Hash Acquisition,Extracts hash from SAM/AD or logon sessions and use it to log on to other hosts using acquired hash information.
+icacls.exe,File Sharing,Changes the file access rights and it can be used to change the rights to read a file that cannot be read by the used account. 
It is also used to capture rights so that the content of a file created by the attacker will not be viewable
+ipconfig.exe,Target Discovery,Displays or changes IP stack information
+ldifde.exe,Acquisition of Account Information,Outputs account information on the Active Directory in the LDIF format and it can be used to extract information on an existing account and select users and clients available as attack targets.
+mailpv.exe,Password Hash Acquisition,Extracts account information saved in the mail client settings on the machine
+mimikatz.exe,Password Hash Acquisition,Steals recorded authentication information and it can be used to escalate the privileges to the domain Administrator privileges.
+ms14-068.exe,Escalation to SYSTEM Privileges,Changes the privileges of the domain user to those of another user
+nbtstat.exe,Target Discovery,Allows a refresh of the NetBIOS name cache and the names registered with Windows Internet Name Service (WINS).
+nc.exe,Target Discovery,"Multpurpose tool, can be used for probing ports"
+net.exe,Adding or Deleting a Local User/Group,Adds a user account in a client or the domain or creates a network share and it can be used to create accounts or additional sessions in the machine the attacker has infected or to communicate with other hosts.
+net1.exe,Adding or Deleting a Local User/Group,Adds a user account in a client or the domain or creates a network share and it can be used to create accounts or additional sessions in the machine the attacker has infected or to communicate with other hosts.
+netcat.exe,Target Discovery,"Multpurpose tool, can be used for probing ports"
+netsh,Command Execution,"Allows to, either locally or remotely, display or modify the network configuration of a computer that is currently running. 
"
+netstat.exe,Target Discovery,"Displays active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP routing table, IPv4 statistics "
+nmap,Target Discovery,Port scanner
+nslookup.exe,Target Discovery,Performs a DNS lookup
+ntdsutil.exe,Capturing Active Directory Database,"A command to maintain Active Directory databases and it can be used to extract NTDS.DIT, a database for NTDS, and other tools are used to analyze passwords (executed in Active Directory)."
+OSQL.exe,Data extraction,"Allows execution of Transact-SQL statements, system procedures, and script files. Can be used to attack a database or exfiltrate information."
+powercat.ps1,Malware,Part of PSAttack hacking tools
+powershell.exe,Command Execution,Allows remote command execution and it may be used to change settings to enable the Domain Controller and other hosts on the network to perform operations requiring administrator rights
+procdump.exe,Command Execution,Utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike
+psexec.exe,Command Execution,Executes a process on a remote system and it may be used to remotely execute a command on client and servers in a domain.
+psexecsvc.exe,Command Execution,Tool used for remotely executing processes on other systems
+psLoggedOn.exe,Target Discovery,Displays both the locally logged on users and users logged on via resources for either the local computer
+PwDump7.exe,Password Hash Acquisition,Displays a list of password hashes in the system and it may be used to perform logon authentication on other hosts using the acquired hash information.
+PWDumpX.exe,Password Hash Acquisition,Acquires a password hash from a remote host and use it to perform attacks such as pass-the-hash. 
+qprocess.exe,Privilege Escalation,Query Process Utility - It can be used to start an elevated subprocess
+QuarksPwDump.exe,Password Hash Acquisition,Acquires the NTLM hash of a local domain account and cached domain password and it may be used to perform logon authentication on other hosts using the acquired hash information.
+query.exe,Target Discovery,Query User Sessions in Windows
+rar.exe,Command Execution,"Used by many attackers to deploy tools, exfiltrate information"
+rdpv.exe,Password Hash Acquisition,Extracts account information saved in the RDP settings on the machine and use it to log in to other hosts with such passwords.
+reg.exe,Command Execution,"Adds, changes, and displays registry subkey information and values in registry entries."
+route.exe,Target Discovery,Display or changes routing information
+runas.exe,Command Execution,Runs command using a different account
+rundll32,Command Execution,Tool responsible for running DLLs and placing its libraries in the memory
+sc.exe,Command Execution,Retrieves and sets control information about services.
+schtasks.exe,Command Execution,"Enables an administrator to create, delete, query, change, run, and end scheduled tasks on a local or remote computer. Can be used by an attacker in many situations."
+sdbinst.exe,Privilege Escalation,SDB UAC Bypass - used to execute an application that is not normally executed by pretending to execute a typical application.
+sdelete.exe,Deleting Evidence,Deletes a file after overwriting it several times and it can be used to delete a file created in the course of an attack to make it impossible to be recovered.
+sethc.exe,Privilege Escalation,Sticky Keys utility
+sqlcmd.exe,Command Execution,Manage SQL server from command line
+ssh.exe,Command Execution,Opens a secure shell on a remote host
+sysprep.exe,Privilege Escalation,"Prepares an installation of Windows for duplication, auditing, and customer delivery." 
+systeminfo.exe,Target Discovery,"Command-line utility that displays information about your Windows version, BIOS, processor, memory, network configuration"
+tasklist.exe,Target Discovery,Displays running processes
+timestomp.exe,Deleting Evidence,Changes the file timestamp and it can be used to conceal the access to the file by restoring the timestamp.
+tracert.exe,Target Discovery,Traceroute tool. It can be used to discover information about the network
+vssadmin.exe,Capturing Active Directory Database,"Creates Volume Shadow Copy and extracts NTDS.DIT and it can be used to extract NTDS.DIT, a database for NTDS, so that the password can be analysed using other tools."
+wce.exe,Password Hash Acquisition,Acquires password hash information in the memory of a logged in host
+wceaux.dll,Privilege Escalation,Executes a command with higher privileges using the hash of the acquired password
+WebBrowserPassView.exe,Password Hash Acquisition,Extracts user names and passwords saved in the web browser of a machine
+wevtutil.exe,Deleting Evidence,Deletes Windows event logs and it can be used to delete the evidence of an attack.
+whoami.exe,Target Discovery,Displays information about the current user
+winrar.exe,Command Execution,"Used by many attackers to deploy tools, exfiltrate information"
+winrs.exe,Command Execution,Executes a command on a remote hosts
+WMIC.exe,Command Execution,A tool used for Windows system management and it may be used to acquire information on the remote system or to execute a command with WMI.
+wmic.exe,Command Execution,Windows Management Instrumentation Command-line
+wmiexec.vbs,Command Execution,A tool used for Windows system management that may execute a script for other hosts. 
+wscript.exe,Command Execution,Can be used to execute a large number of scripts
+wsmprovhost.exe,Privilege Escalation,WinRM Remote Powershell - Can be used to elevate privileges
+wusa.exe,Privilege Escalation,Windows Update Standalone Installer - Can be used to elevate privileges
diff --git a/deployment-apps/eventid/lookups/xml_event_types.csv b/deployment-apps/eventid/lookups/xml_event_types.csv
new file mode 100644
index 00000000..0c96e79a
--- /dev/null
+++ b/deployment-apps/eventid/lookups/xml_event_types.csv
@@ -0,0 +1,6 @@
+xml_type,event_type
+0,Audit Success
+1,Audit Failure
+2,Error
+3,Warning
+4,Information
\ No newline at end of file
diff --git a/deployment-apps/eventid/splunkbase.manifest b/deployment-apps/eventid/splunkbase.manifest
new file mode 100644
index 00000000..ec519ad2
--- /dev/null
+++ b/deployment-apps/eventid/splunkbase.manifest
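Review bot: The `process` column is not normalised for exact matching: `WMIC.exe` and `wmic.exe` both appear with different descriptions, `GSECDUMP.EXE`, `psLoggedOn.exe`, `PwDump7.exe` and `PWDumpX.exe` use mixed case, and `netsh`, `nmap` and `rundll32` lack the `.exe` suffix the other rows carry, so depending on whether the lookup matches case-sensitively the duplicate either returns two rows or the mixed-case and suffix-less rows never match the process name carried in the event. Lower-case every entry, apply the suffix consistently (or document that the field is matched with a wildcard), and collapse the two `wmic.exe` rows into one. The `icacls.exe` and `netsh` rows also appear to contain an embedded line break inside the description — the text continues on a new line with no diff marker while the hunk header still counts 72 lines — which looks like a stray carriage return and should be stripped so CSV parsers do not see a malformed record. The lookup definition (transforms.conf) is outside this hunk, so the case-sensitivity behaviour is inferred.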
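Review bot: The `xml_type` to `event_type` mapping reads as if it were the event's `<Level>` element, but Microsoft defines Level 0–4 as LogAlways, Critical, Error, Warning and Informational, and Audit Success/Failure are carried in the `<Keywords>` mask rather than in `<Level>`, so the `0,Audit Success` and `1,Audit Failure` rows would be wrong under that reading. The search or transform that derives `xml_type` is outside this hunk, so if it is an app-computed code the table may be fine; a line in the app's README stating which XML element `xml_type` comes from would prevent the misreading.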
@@ -0,0 +1,165 @@ +{ + "version": "1.0", + "date": "2022-11-13T16:20:11.646384877Z", + "hashAlgorithm": "SHA-256", + "app": { + "id": 3067, + "version": "1.5.1", + "files": [ + { + "path": "README.txt", + "hash": "dc3b8a4d9a70d328da7aa6d3eb19105c8698b7a8d5c932fd954dd562649ffc37" + }, + { + "path": "license-eula.txt", + "hash": "98b7ba70adba20e20074cd61e6d739dab3432f88b6662d25100589c4313c91c6" + }, + { + "path": "license-eula.rtf", + "hash": "52ed437423e1fec818c133c2aa5399a09051e3d852214bb097abd4493bf524c7" + }, + { + "path": "appserver/static/default.css", + "hash": "f382733e76c81ab6a65732f4bfe16695d4c3c6d6e95ee1f982c95b1e535c8182" + }, + { + "path": "appserver/static/appIcon.png", + "hash": "ed6f90e4767434de479b483bbf61a33e6a6df49e6343e175a4429571d6f94ca4" + }, + { + "path": "appserver/static/appIcon_2x.png", + "hash": "514fde35b97d6aa927b537c258a0d56c213e8d44f05b06b4eb64d628c5b8c5fa" + }, + { + "path": "appserver/static/dashboard.js", + "hash": "72d5964740d1d502779aac770157240dbe19098efd58b235031ff00af66a517d" + }, + { + "path": "appserver/static/dashboard.css", + "hash": "041f9cd8ca93efe80552900f56377e4f0e8c6c7d2e8074b4d2cd738c947e44c5" + }, + { + "path": "appserver/static/application.css", + "hash": "3fa88520e98d77a7b64470af4a8d5f3c5fb38780536254acb1390eef2e3dea44" + }, + { + "path": "static/appIconAlt.png", + "hash": "04b6f005badc8e43102a7f7c50507ebb6f3a7190419eeba186af82841e825cf5" + }, + { + "path": "static/appIconAlt_2x.png", + "hash": "c81524b8d5be9fcfe27824942778edcdb8816ea76962687caccf71585bd949af" + }, + { + "path": "static/appIcon.png", + "hash": "5de9138eda5158b773b127214877b6397440b83ba1c54a4e396e0ed832b28eab" + }, + { + "path": "static/appIcon_2x.png", + "hash": "84c8b9d977c0de2de38050321d8af789ea096d791fc4ae0febf8276aa649d495" + }, + { + "path": "bin/ev_process_proc.py", + "hash": "7e22ec9f4a2a0b0fbff25dd2337cdb382a3a5d3320f59510ad88c405f33715c1" + }, + { + "path": "bin/ev_process_xml_parameters.py", + "hash": 
"09c2f00bf6976933c55387524ca5079263b62c30144ea1564bf89d1e278fa765" + }, + { + "path": "lookups/eventid_interesting_processes.csv", + "hash": "9ea2fff7a3387f1616db788316cf93424cd35a8ca68b7438d4acf8e3bad35fcd" + }, + { + "path": "lookups/eventid_interesting_events.csv", + "hash": "2a0d8b42141c332ecd522c08be82ff75dfcb182b65c419fc9071cd939931bf8a" + }, + { + "path": "lookups/xml_event_types.csv", + "hash": "f659b8fd89a17314777c7b7c4db3c6621881c329de848de901696f97bcf9f8f3" + }, + { + "path": "default/workflow_actions.conf", + "hash": "cefd3810066e5ea0724cc4209bbcebf8e02f62a62e2701f7a4a736dc4daf24d7" + }, + { + "path": "default/setup.xml", + "hash": "9a99194460d4b208c23321ed3d6ae9fb3d22c8228fc354b1b0f2709c463f9af2" + }, + { + "path": "default/macros.conf", + "hash": "65750e629a66b2d01c4d4378afe62cc01a04ee6e50f9d486b95b28952df503f8" + }, + { + "path": "default/app.conf", + "hash": "3b8c9bb17010f6617ae2eb7e354314e7261acea9140e07876afde40fd0a1e9f7" + }, + { + "path": "default/transforms.conf", + "hash": "a1bf8d3f1ac933a79755be12f74c51521c143af67df030b6bdab86a9b2b841bd" + }, + { + "path": "default/data/ui/views/users_and_groups.xml", + "hash": "4f88bb0db7d02c4db24addabb3e066f153205932344219abe0cdccd95598c20e" + }, + { + "path": "default/data/ui/views/eventid.xml", + "hash": "8d81838c8772e2574815ffe2b0bb340848159fbc82ea9692b174ff8347e18f8b" + }, + { + "path": "default/data/ui/views/README", + "hash": "f75000f12510d242fc99decea9e7e5a46a1a8bef910d3d6f741797816b35034d" + }, + { + "path": "default/data/ui/views/audit_events.xml", + "hash": "07831e6022317dac835334ddc71bcd69ab070a36c226775bcf8ab3d4f978f487" + }, + { + "path": "default/data/ui/views/windows_events_xml_source.xml", + "hash": "eca2ee4e7ceb5ff9d647923288c2239221036bf8f527ad8adf152dad18adbdcf" + }, + { + "path": "default/data/ui/views/interesting_processes.xml", + "hash": "6eddc62a8c6f1699aef29beaf3a473ad3ee027d64b19145060e9485c62bf0580" + }, + { + "path": "default/data/ui/views/windows_event_sources.xml", + "hash": 
"6ba446cb74dae22077480b71e629740c59a076a397602769f2efdff5e339d023" + }, + { + "path": "default/data/ui/views/interesting_events.xml", + "hash": "0d328993aff2184d91580c3a559bac3a5cc132fa615c59b59334f4574aee84c3" + }, + { + "path": "default/data/ui/views/documentation.xml", + "hash": "8c637bd333af2d673a9ddce83bf11088960477e0df6469e7308e9422db43c9e5" + }, + { + "path": "default/data/ui/nav/default.xml", + "hash": "4b6b9487aa7fdce166ae3a289bda278b631811455ddce7b54263999776b9024d" + } + ] + }, + "products": [ + { + "platform": "splunk", + "product": "enterprise", + "versions": [ + "7.0", + "7.1", + "7.2" + ], + "architectures": [ + "x86_64" + ], + "operatingSystems": [ + "windows", + "linux", + "macos", + "freebsd", + "solaris", + "aix" + ] + } + ] +} \ No newline at end of file 
diff --git a/deployment-apps/eventid/static/appIcon.png b/deployment-apps/eventid/static/appIcon.png new file mode 100644 index 0000000000000000000000000000000000000000..4d0acb375447d6e694ac611d2c12025133c0d54a GIT binary patch literal 1566 zcmV+(2I2XMP)(D(=2$j$BiT&M!sbMrvMpu{DWY=GjUj__D^jrFWt^V& z^qhAefJ(WIo6o2A?XTzgo#*|%&+qq=oTAbPm?a1yNQk%6q{IZyVveSQR!cwtpX6ot zT>a`l?Hy`oN0*{9Hrq#npG{Cgd>kz)-YjffpQSMx!^ljrk01ZbYV39L#i}cETYIPS zf6pc}DG(WHqWgAj7Yg%p1WM^_a(w~@)YxyxXUf0zI(z%nIVZ5WFi&&zje~kY(9Df^ z0{pTcWv9Q9Dyyn}Q~l1x+fv^dzd$L);aB(S4!yEl$8p?($N_+I6j_;T_^^m5(s--E zud2afOw#q((bsg_x4tMWn0XYP!wmcFGRe)|B)on6n4XZ}5(-LS$F>q-b5Y)c$yEl_ zx>X#x=_hNdWwI=kB8&$%ZphN?*||+SJ~nU)($iLQ2M_GljeYm2K+^+;)?tRnen3M2 zJqPGHf-ntW;21P?EuRVg(mCm-}{Y*Z$SqqBJ!9 z=?^5paU9+}a#&9(g{%S}+*R;-n?eSsESuTmg&2y{Sv(WQ=}aiW>xcGh-#UK6uQE2W z1-UsJHF0sVR91m)H8Od(dH&>-0NLRL=hpM={Bt}D9p^Nvs>0dRgQUcGt{^{01B@!L zrMO4{fcIJya&2I07YpGD1j3->2y`4k!C=x-gbP4~07UBuGM=Gqg9(VyP4+5L6mhAt zlH}&)F#y=HwM2XMmuoU_j*X_vm)W>s1vu5FUrN1W~B1~@cV#@;uwneGk9j4hxd5BUWlRyad;T_ z-EO#CF5>FzgVX7Rs;aP9EGR503X*qCMmoq)jHa=bYvngT$&acXLZ!vVY9PC6V8 zu(@!)P)`F!~4!UfXO(lR3vAp{140ZW%IMVQfu z$jC?*6%_@m)e5avJL7+s7z|{}b}UH}%FD~iK!1PGI;9lP#>eAXtChu=%`k@_k*`WiLwuI3Au~DI2-A>if(G^gEjXTd4iv^1<`xtth_tdubPK5%%#Y3unVt$c z0Q`8d$_I=NB-OuOlU=R>6##5DTR`%O)5~I^r>9rFeC4+%3CMmwKKtUV1U6E1At50E zfWe`mr;@-|UwMrM^RN26clK@ zl0<52Yl$s6nOUvY1(E+zQ!9V?$th`K*PL`OP!t6<_B#K=M~~Q^oiFnSg8@HZzD#0c zV_`HJ=g!Q4bLT6(pO&4G{Qk)|wHdEw3Gs3C(1E?Wl;ugh-EJo#dOgd|&W1*q-Q?bK zw@oSg@~rgt-L`4(h%+WIhE*$5xtEHc7t&X+)C>&`!fZBA+iHD28Fe=rmS^xk5 literal 0 HcmV?d00001 
diff --git a/deployment-apps/eventid/static/appIconAlt.png b/deployment-apps/eventid/static/appIconAlt.png new file mode 100644 index 0000000000000000000000000000000000000000..3fd665fc0b45ace6c0a68518123ed7c4767f2dfb GIT binary patch literal 1355 zcmV-R1+@B!P)31QA3<3@UgbQm}|VDHcmY@(?ezEsY&WQb}8LH*L<` z=bYt3Cdnk7w3ADJn1{3W+WY_4-fOSDMpyz=Re(C+Zr~0e00{s+GViz>|QPkJ#+#86oe8NdJ-rsOsaudw_q5#0!xG zUKNoq@)Dq`Ch!LE;tGl9)&#~9?$<$|@sfxnv&W1a{_n0PdEb<495@vz@EGz0@JS|- za|=+_=YXeIO6n?fjHJy&UC}`OkJr}Jt~K2fk0`Jocsbj5R*kCO5BxwT*^(~&Htv`g zrX1s1O2uOc1twZx3dLU0LJRd8)6*xDD*wh^8H~8bpA(MRJ?2l)iT z7pe<9A|f5L0#wxkI)S>B3rEhyeIJDrzKMk9bxjw;!y7#5Zyqd&7Eec?jlY10M8vf+ zh66L?ttaimQ^RSCWx^1+ugr1|*ZUF&HhNOoW3KBmI5=olS64Rzj{)s7M9%`eeKzi2 zj67h8`V8=!g5N+5f!lnBuJehO`NX|FVCdFT(`hL;(;Etmg%M-hwwyR|BGB5}8qb(s z0NO28tpV`QZ40{b61J!RQN@Me$fK+x^2u0wrxvKPmi~|yW3k| zU!SU|sF*3!cdBZg1+)O197>yeH+a$?Y!Adry-O#H$Kzt#wnQQk85tQdhK7dBD_5?V zmo8m0UDu_ms><27Z(n@Dv=$3!1lU+$=$8)^L>J3C+qPw3V89w39W}BJjEiEl|O>?Oa z<(z&Cn98=OD(&smWn0F^#%2%HFbsC@-krEbx#Wl5LnLAamx=1MPeE?1^vN zwk_4w)#dB&?_YMU&BAxUArZ;>=v@a@eM(hFySlofM~@zL`uh58Rh?YM?>|+2ePKI3 z8}v;?)B$fzPEPLa=;-hU0s-B%Ygf|i_2zp!dVtqNe z>J1_uQq|8@wI!dmmz3eE>I3cp8klZmiZVkHpr7f#=f8`{!q#h1{0|&RF~6d-R3!ia N002ovPDHLkV1i0LasL1S literal 0 HcmV?d00001 
diff --git a/deployment-apps/eventid/static/appIconAlt_2x.png b/deployment-apps/eventid/static/appIconAlt_2x.png new file mode 100644 index 0000000000000000000000000000000000000000..220469ed61afbc2d4838ae5b6e3b6535f72c974b GIT binary patch literal 2805 zcmV5{e!G)djsi5=VTUH)*AIjQY9ah#-I$+CR!x%b_#?>Xn5d+vS096%|R4P*mZKoA%d z5#MZ&Lo(U9QmO#B38({B0+qlLz!pc`0(yYXk1n>&*bKq|xqSEa!ZSqQ~j|2AuHR<*> z1-u13C?YSW)5)~SE2WBo9{{`38944k@LsO+|iE@*|FIKTwtC*fIuRM9H4kfUEIrSOhA&8<1InrJ((?slC>3+S&$8 z+e_!d_ILc&6+TLUKYlEGXx9>ZI6+qmxKl)4ir03$q*4aZ46I5tuuh+)wOokUUhOmW z_xzT2F{ET5WJ$z=T)QZT4RUl*`G%-GW8~YRDGhKN(b>@jA_^jw!WTgT5hd>jEO|em zwDUujbPZaXFRUhAitk_J9RAVu&fp|s=YbE4$Y5+?Je$8e9`UdRzk4TS{IX-%c>9t$ zXBsgI0lru54E}Jfb2tU@Qs6tl0~7lggHmb%@FvkD!x)YYn6`#jhFmA+0cn7IL)2p* z%?fOQqoG3+p%k-Jd-lh#MMwrP2{<-dGtDzk?_ zN)cG>siQb_6Ea`b69e zJg6(BG~mYA8c%OT|K@7P@IxD1LE9{G>s)omPBf5YQk&QtO?ug_UU%DPzQ3R)3T?h$JW@`=(HSJO4ZRO|Z zTX}hTDlae3%FD~Mii?Y_{QUe(IgD#`rg(61@Zdp*$K!EK)vh&7W5I$2R!K>TSz20Z z78Dd%1qB6GVPT=A>j_hdnS`bT{#2!#o12ZphYw#7_9jA6QIS<$T^(Mza%H5nwA7p< zl8N9;nS6VDyMExn0cR?*<>lpOeSLj!`SRuSCNhizzYg?ICKU>WRY{%lX2AobN5e|pt z$dMyPG8w}#t~TN@LjDX8NF>qG(P0aPLP=+R`}Xa@tBkk_bZ8e%a$4Z14hV;$Z?|g-L62gCF{EDuABY_eD2T-{0qh(TKp-Vq|@n47{@MOzWiz= z|BQ&3FrNHVM3egCkZ5BeA`}%BU2Q6F0)H6&F-Csm6ywQ>(u)@_j=O|891b;&1j1aS zQAEb#nu(tLXTUgBuB@z#tJ<2Di5sRFg#sRlEf~jOPK#2Ci8=Fm3@;PT<{=Jw5%DwOF3!4j>%#HY^RBM0 ztHtOah<9&4?#ziu6Y%($kfu>zUw_3)aQgJ=d6k_=fF==nJYGdIwY?V@vyoM+Rz+%S zYsaboi4!O6vz4`-Cc1#HC#p({RjZ`-ylFpF`& z0)9jERg<_Ej1wW97mTha8Y|ZT^!4>=`}gm6o;r0(uc)Xnw{6=Nn1w{gY2e!;a(Ft8 z(^{iPwBSp?Jwz}0)6>&qYiVgQIyyS+b#-;a8#itYIUJ6eKC|v4x(WOBNDgvZn2`WQ zDdhmZKs2CO1~51{DDCa-dUtoXt*orfTD59b*zI1;~r3OPUf(0zdE~(U+V4DIzmwN*N1HM@-^+qBoyLUnE{alD9jEW?H&|Q@~N8 zS=KfY$w<0vR^xJ|lpQDm3W&atXeXLH@e|#4o}a46P6z)7Pu1a~iTk;900000NkvXX Hu0mjfKL$T< literal 0 HcmV?d00001 
diff --git a/deployment-apps/eventid/static/appIcon_2x.png b/deployment-apps/eventid/static/appIcon_2x.png new file mode 100644 index 0000000000000000000000000000000000000000..aa831f87fd5a6d76f621c3551e3d95b06b801ad7 GIT binary patch literal 3240 zcmV;Z3|I4sP)6(yKGT-I>5E5sC<^TIMq#li zjKa$3s_f3Xv(C=W?u?Aj<*|#(_*lo;aa>1TT}5_QR>2k#0coL?3bduv7D|bi&9fl7+rD_laQcg7>4nZr2<8-(I^-UT|!4^ zm(bLF$z9jb=rWru6ZTR_qb+EnP$y5`JS8XzMTtr>al$M~+qS z-QCxO$Y~lu@^eaNup95cPco~xkR2Ccf1p5PQ?q;j7v+QB)tq%vI(~x~H~IN#eun zbF{S^!Ws@?kzc)Hsra|QepDuvN+!U*Lxa=FcR8JW(D!=#96yMOjV3SedQP!w#S%$a zT23(Tm{-ES_VNxze7q)TPC*GKB*rtZzqCU!Juhd{Cbe*2icVtQcx9&|Gh2X{jk=>Kjl%5fw#tKL2!7D5f-- z5Gb(UKr!zKPd;oDuw}TzV`F2;&KI^t#l@)t&P#qtF${wjpZ$|OBO`svnYx<-`#J>N zd6XxQ*6^f*qj)%-L8|;F*MtNu^WrmqjuNx}BY3~$w`|%VEiNjU(AYmzG*~EhHMvR2 z*G{tadlzZ$ABytgB*1fptXIgFo0BEl`uG-^zxI5Rn^{~adT?W@G-6tZ0f7RSZ4~EB z6tyOS9PSp-YV(#O0NyAO(*!@-uDf@Yq^|ygtNQdAuV~PVyqIP2`zN1}`&xP3fZh(A zHVUXQ3Z%^r^znenDZoVuVp%{U0%AmfN(`tZ1S&D0mNJw95IY`$w^8&55xhQKz|#9u0t{^e{O&i8$!qH`3^*JP59{zE|KNuEq^Y`OFXp@e zeB37B?N&EwwEA0A__}`Mnh?>ThyZw|Kt#9Yk3AP_G-|SC^G4~r@BiB|`nt!RDz%bq zynmgS0iCx{EIQ7Ur)pgRh)*8WVqotAmTt=rel9LuyIPW%81KQ?&Pn!%uUm4vSKHcl@Hf`GohJ^+A-72%-`r5@4gNDI*l1zEd#g~yMz zW{NE}Zen-cUgCwZ1ltN&+OSGYUoT;)CWruA5CoK!l@W>Lrtq>QizOP3dSv*GjQQnD z7mMXlHyx$JO|kWR*Q66C0J0RoEEU0=I1ycw#2`01v^JbhCk`GsKq#e%j=p)bL?XsL zE0;+={`9j!U=;aV*X94zQ(PJdjkuHnG-S4f07@2!5fj7=|4)$< znk)lSU=;Q=RGJ-hC(C@bkR;v|Nr%sW&x;hAgfTH4JBqt|( z$t5QxF!|GSL`}^tZWb6yMU56XdQCw0uuCKW?$QuEk|Cm{DGZ{gP|QauMW?}l`ucj( z(9i(4+YJCvC=^(}e7Rq=w1pr`RU;v#4 z1Fp8UkxLgZ!eX&_{LU~8O4qNaqsRKKm^q`61u)1mgrKN!x`)F&aZSJHFO&Ldjj1z<-}_{42C8}xcTT3cI5Pfri}j7A7T zME4rJppB2m`t|E+LPA2&_oSuj7*?0!87is5NJP8cZZtPH8`sA(Q#dPXrB_ zOd1~fhK2@|mz9wles#Q1C=^gCl~AfwP%4#BDU~!C@>5G%Q*&vW>Hg9gNllZ zpx>58qd`$o5zWlXLSka#Z6WCob~{H|jtj0LqP4XZ$BrHiinvav!?NYeX>ztM`xWD3~OlBG*;e_A(0)DQDz0N~8oI=?;N-{0@Ik!cwj&}y|2S8k$l zuD0F<43lqZ)w|pM6!iphSq1s|Ke=8vnas5AeB({>0C2qGl+R+8K#PdKeYiqjO|fzG8y6=OJ_6_#+nLSK>?!0+k zrcWsim`0vTu-WYN-G6=Jxb?ahd5+`gJMVqyAy`;ghkllgTCta 
zeGc4;li%@QfAj6g)Xy-C&+VTpSFTL$bt{0X@6Pb$Umf+iIPp7c{o|bvxT|d)BZE3C zD+?thB_1*to14d6>fTQD^z;g^zxlS8x!-_a@=m7{&+mB2ZZ!6dynq!eS5j?!{D_Rp z(ZBq4kKJas`;9^a`m5{L`-JCryks93uu)(rQ?q&VW*QqCJ0eqE zT}{kmEPf^%PA8A;yI-}Bwp?Erv*g@tvC@VMKe+E+aEDkbl@O^^ip;DmG&eO7p64M5 z0(!4sCq+d?QzCW6aSpn3_p4l>mFf)yRd0XYXriZ1*SHqUo6AN=D~Lj&Kz@EcT3cHQ z$8j*5&9K>QBsVuVG7Q3m*=(iHZU39SvFTD!8wx=mHW=u)(UaAu`RTdYY(l)2k;&!A zFDO7)cQ>(EEa>j;2E#B&Pfs5ogD`QqRquXw`)+$EM@~XIX~A(096esiv#bb(`O{gc zREpx_Vu)B49qsKzuh$cc#X_=kauBG3GoqltmxqoxcklT-XYCKIh$tlTz))mYcfQg6 z{n=VqPFAK!tBGUM)6-E@R0OlhM4FnKaP`L@i7qu2QBhH$5eX4pT|L4puf4?`C_C&7 zC)6I-(K3c%@QXDoB@b;Vm8#W4we6jqov5j)AuX3KVgCI2^zMZVF}fBm60lnP>1Usp z4gT*yxpO=P4G}q1C>D!x&&s8e2TIqDlz4I+hs&2Qqoci@B&Vd%?CfmB#Kes2IYwh2 z{rupe!Lmc&@Q%UYx7qw5qQ^-IA(&BAAX>3(vE;5h=d%h$)QIn+l!oOB9gaa-efo^+ z*teB@ZC!&)h+yGE#Lv>+0K+iI%gGeYo>|Nm9V`-e50%RVv9RcTj952!pQpq%d*gD)QmDVhR9`dh**ZW-2ym{qx}OmdcD^u@Z%W6 aq2m9XKIeE+tyoY10000