All these methods will collect the events and either collect them in the "wineventlog" Splunk index or record them in the default index with source the source set as "*WinEventLog*" (notice the wildcards). The app analyzes the entries matching these criteria (index="wineventlog" OR source=*WinEventLog*). This matches the defaults used by the Universal Forwarder, the collection of local Windows event logs and the collection via WMI.
To collect the logs from remote computers without installing the Universal Forwarded on each computer, configure the forwarding of event logs to central location using the Windows built-in event forwarding. See Configure Computers to Forward and Collect Events for details on how to configure a computer as a collector of logs.
+
+
+
+
+
+
+ Additional information and troubleshooting
+
+
If no data is displayed, please verify that the Universal Forwarder is installed properly and that the all the Windows event logs are sent to the "wineventlog" index (or the WinEventLog* sources).
+
+
If the data is stored in a different index, the user can update the macros.conf [event_sources] section by using the application setup.
+
+
The Interesting Processes section from the Processes dashboard is partially based on a presentation by Michael Gough from www.malwarearchaeology.com: "The Top 10 Windows Event ID's Used To Catch Hackers In The Act". See for the presentation slides and information on how to enable the auditing of processes, including command-line based ones. The list of "interesting processes" is based on a study by JPCERT CC (Japan Computer Emergency Response Team Coordination Center) on detecting lateral movement through tracking of event logs. The list is stored in C:\Program Files\Splunk\etc\apps\eventid\lookups\interesting_processes.csv and it can be adjusted with a text editor if needed. For full functionality the audit of the command line arguments has to be enabled as described in Command Line Process Auditing
+
+
The XML dashboard is design to report Windows events rendered from the XML by using the renderXML stanza. The renderXML option reduced the volume of data to about 25% of the regular events, however some details such as the full description of the event are no longer recorded. See Feature Overview: XML Event Logs for more details.
+
+
Each of the dashboard can be set as an alarm (i.e. notifications when a certain number of failed logins are recorded, when certain processes are executed, etc).
+
+
Send any suggestions and questions to support@altairtech.ca. We can also provide advice in setting up the Splunk receiver for the Universal Forwarder.
+
+
We publish the most current version of EventID.Net Windows Event Logs Splunk app on www.eventid.net. Splunk may takes weeks or months to certify a new version.
+
+
+
+
+
+
\ No newline at end of file
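Review bot: the lookup path given in the "Interesting Processes" paragraph (C:\Program Files\Splunk\etc\apps\eventid\lookups\interesting_processes.csv) does not match the file this patch adds, lookups/eventid_interesting_processes.csv, which is also the `filename` in the transforms.conf [interesting_process_lookup] stanza; fix one or the other so a user editing the list edits the file the lookup actually reads. The troubleshooting paragraph documents only the `[event_sources]` macro, but the XML dashboard depends on `[event_sources_xml]` (index="wineventlog_xml"), so someone who sends renderXML events elsewhere gets an empty XML dashboard with no hint why; document both macros and the `wineventlog_xml` index next to the "wineventlog" advice. Two references have lost their links ("See Configure Computers to Forward and Collect Events for details", "See for the presentation slides"). Typos to fix: "Universal Forwarded", "with source the source set as", "that the all the Windows", "is design to", "reduced" (reduces), "Each of the dashboard", "Splunk may takes".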
diff --git a/deployment-apps/eventid/default/data/ui/views/eventid.xml b/deployment-apps/eventid/default/data/ui/views/eventid.xml
new file mode 100644
index 00000000..27f7ba54
--- /dev/null
+++ b/deployment-apps/eventid/default/data/ui/views/eventid.xml
@@ -0,0 +1,362 @@
+
\ No newline at end of file
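Review bot: the hunk header declares 362 added lines but the body contains a single blank line, so the dashboard's searches cannot be reviewed from this diff, in particular whether they go through the `event_sources` macro or hard-code an index; the same applies to the five other view hunks below (55, 189, 225, 120 and 208 lines declared, bodies empty). Please resend with the XML bodies intact.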
diff --git a/deployment-apps/eventid/default/data/ui/views/interesting_events.xml b/deployment-apps/eventid/default/data/ui/views/interesting_events.xml
new file mode 100644
index 00000000..03c08a86
--- /dev/null
+++ b/deployment-apps/eventid/default/data/ui/views/interesting_events.xml
@@ -0,0 +1,55 @@
+
\ No newline at end of file
diff --git a/deployment-apps/eventid/default/data/ui/views/interesting_processes.xml b/deployment-apps/eventid/default/data/ui/views/interesting_processes.xml
new file mode 100644
index 00000000..76aa680f
--- /dev/null
+++ b/deployment-apps/eventid/default/data/ui/views/interesting_processes.xml
@@ -0,0 +1,189 @@
+
\ No newline at end of file
diff --git a/deployment-apps/eventid/default/data/ui/views/users_and_groups.xml b/deployment-apps/eventid/default/data/ui/views/users_and_groups.xml
new file mode 100644
index 00000000..5171c5b6
--- /dev/null
+++ b/deployment-apps/eventid/default/data/ui/views/users_and_groups.xml
@@ -0,0 +1,225 @@
+
\ No newline at end of file
diff --git a/deployment-apps/eventid/default/data/ui/views/windows_event_sources.xml b/deployment-apps/eventid/default/data/ui/views/windows_event_sources.xml
new file mode 100644
index 00000000..0eee2479
--- /dev/null
+++ b/deployment-apps/eventid/default/data/ui/views/windows_event_sources.xml
@@ -0,0 +1,120 @@
+
\ No newline at end of file
diff --git a/deployment-apps/eventid/default/data/ui/views/windows_events_xml_source.xml b/deployment-apps/eventid/default/data/ui/views/windows_events_xml_source.xml
new file mode 100644
index 00000000..4191ea98
--- /dev/null
+++ b/deployment-apps/eventid/default/data/ui/views/windows_events_xml_source.xml
@@ -0,0 +1,208 @@
+
\ No newline at end of file
diff --git a/deployment-apps/eventid/default/macros.conf b/deployment-apps/eventid/default/macros.conf
new file mode 100644
index 00000000..1cdd92f8
--- /dev/null
+++ b/deployment-apps/eventid/default/macros.conf
@@ -0,0 +1,8 @@
+
+[event_sources]
+definition = (index="wineventlog" OR source=*WinEventLog*)
+iseval = 0
+
+[event_sources_xml]
+definition = index="wineventlog_xml"
+disabled = 0
\ No newline at end of file
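Review bot: the two stanzas are not parallel and their scopes overlap. [event_sources] sets `iseval = 0` while [event_sources_xml] sets `disabled = 0`, and [event_sources_xml] filters on index alone with no `source` clause. Because `source=*WinEventLog*` also matches the `XmlWinEventLog:*` sources that renderXML produces, any XML-rendered events that land in the default index (or in `wineventlog`) are pulled into the classic dashboards, and anything non-XML routed to `wineventlog_xml` is pulled into the XML dashboard. Suggest scoping both macros by source as well as index and dropping the leading wildcard, which prevents an efficient lexicon lookup on the indexed `source` field: `(index="wineventlog" OR source="WinEventLog:*")` and `(index="wineventlog_xml" OR source="XmlWinEventLog:*")`. Also add a trailing newline to the file.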
diff --git a/deployment-apps/eventid/default/setup.xml b/deployment-apps/eventid/default/setup.xml
new file mode 100644
index 00000000..b4cabbd0
--- /dev/null
+++ b/deployment-apps/eventid/default/setup.xml
@@ -0,0 +1,23 @@
+
+
+
+
+
+
+ text
+
+
+
+
+
+
+
+ text
+
+
+
+
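Review bot: only two bare `text` inputs survive in this hunk; the block and entity names, the endpoint they write to and the input labels are absent, so it cannot be confirmed that the setup page writes both `[event_sources]` and `[event_sources_xml]` in macros.conf. The README mentions only `[event_sources]`; if the second input is not the XML macro, add it, because there is otherwise no supported way to point the XML dashboard at a different index.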
diff --git a/deployment-apps/eventid/default/transforms.conf b/deployment-apps/eventid/default/transforms.conf
new file mode 100644
index 00000000..749c491c
--- /dev/null
+++ b/deployment-apps/eventid/default/transforms.conf
@@ -0,0 +1,22 @@
+[interesting_process_lookup]
+default_match = N/A
+filename = eventid_interesting_processes.csv
+max_matches = 1
+
+[processlookup]
+external_cmd = ev_process_proc.py full_path_process process
+fields_list = full_path_process,process
+
+[xmleventtype_lookup]
+default_match = N/A
+filename = xml_event_types.csv
+max_matches = 1
+
+[xml_raw_data_lookup]
+external_cmd = ev_process_xml_parameters.py raw_xml_data extracted_xml_data
+fields_list = raw_xml_data,extracted_xml_data
+
+[interesting_events_lookup]
+default_match = N/A
+filename = eventid_interesting_events.csv
+max_matches = 1
\ No newline at end of file
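Review bot: `default_match = N/A` in the three CSV lookup stanzas has no effect unless `min_matches` is raised above its default of 0, so unmatched rows get no value rather than `N/A`; add `min_matches = 1` to each stanza if the dashboards rely on that string. The two external lookups point at scripts, `ev_process_proc.py` and `ev_process_xml_parameters.py`, that are not part of this patch; they run on the search head under Splunk's own account for every matching event, and `ev_process_xml_parameters.py` in particular parses `raw_xml_data` that comes straight out of the event (account names, process command lines and other attacker-influenced strings are embedded in that XML), so the scripts need to be in the review, live in the app's `bin/` directory, and use a parser with entity expansion disabled. `xml_event_types.csv` is referenced but is not among the lookups added here and breaks the `eventid_` prefix used by the other two files. [interesting_process_lookup] should also set `case_sensitive_match = false`: the CSV it reads mixes `GSECDUMP.EXE`, `PwDump7.exe` and `psexec.exe`, while the process name in an event follows whatever case the executable on disk uses.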
diff --git a/deployment-apps/eventid/default/workflow_actions.conf b/deployment-apps/eventid/default/workflow_actions.conf
new file mode 100644
index 00000000..bc177771
--- /dev/null
+++ b/deployment-apps/eventid/default/workflow_actions.conf
@@ -0,0 +1,10 @@
+
+[Eventid.Net lookup]
+display_location = event_menu
+eventtypes = winapp
+fields = $EventCode$,$SourceName$
+label = Lookup event id $EventCode$ on www.eventid.net
+link.method = get
+link.target = blank
+link.uri = https://www.eventid.net/display.asp?eventid=$EventCode$&app=Splunk&source=$SourceName$
+type = link
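Review bot: `fields = $EventCode$,$SourceName$` should list bare field names (`fields = EventCode,SourceName`); the `$…$` token form belongs in `label` and `link.uri`, and I do not believe it is accepted in `fields`, in which case the action is gated on fields that never exist. `eventtypes = winapp` relies on an eventtype that is not defined anywhere in this patch (there is no eventtypes.conf), so the menu entry will not appear until it is added. The link also sends the event's source name from the customer's environment to www.eventid.net in a GET query string; that is the app's purpose, but it belongs in the README so administrators can decide whether to restrict the action.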
diff --git a/deployment-apps/eventid/license-eula.rtf b/deployment-apps/eventid/license-eula.rtf
new file mode 100644
index 00000000..dd0f29b3
--- /dev/null
+++ b/deployment-apps/eventid/license-eula.rtf
@@ -0,0 +1,57 @@
+{\rtf1\ansi\ansicpg1252\deff0{\fonttbl{\f0\fswiss\fcharset0 Helvetica;}}
+{\*\generator Msftedit 5.41.21.2508;}
+{\info
+{\title Splunk Software License Agreement}
+{\*\company Splunk Inc.}}\viewkind4\uc1\pard\qc\lang1033\b\f0\fs22 SPLUNK SOFTWARE LICENSE AGREEMENT\par
+\pard\b0\fs18\par
+THIS SPLUNK SOFTWARE LICENSE AGREEMENT (THE "AGREEMENT") GOVERNS ALL SOFTWARE PROVIDED BY SPLUNK INC. ("SPLUNK") INCLUDING FREE SPLUNK SOFTWARE ("FREE SOFTWARE") AND SOFTWARE PURCHASED THROUGH SPLUNK'S ONLINE STORE OR OTHER CHANNELS ("PURCHASED SOFTWARE"), COLLECTIVELY THE SPLUNK SOFTWARE ("SOFTWARE") AND ANY AND ALL UPDATES, UPGRADES, AND MODIFICATIONS THERETO. CONFIRMATION OF YOUR ORDERS ("ORDER CONFIRMATION") WILL BE DEEMED INCORPORATED INTO AND MADE PART OF THIS AGREEMENT.\par
+\par
+YOU WILL BE REQUIRED TO INDICATE YOUR AGREEMENT TO THESE TERMS AND CONDITIONS IN ORDER TO DOWNLOAD THE SOFTWARE AND REGISTER WITH SPLUNK IN ORDER TO OBTAIN LICENSE KEYS NECESSARY TO COMPLETE THE INSTALLATION PROCESS FOR PURCHASED SOFTWARE. BY CLICKING ON THE "YES" BUTTON, DOWNLOADING OR INSTALLING THE SOFTWARE, OR USING ANY MEDIA THAT CONTAINS THE SOFTWARE, YOU ARE CONSENTING TO BE BOUND BY THIS AGREEMENT.\par
+\par
+IF YOU AGREE TO THESE TERMS ON BEHALF OF A BUSINESS, YOU REPRESENT AND WARRANT THAT YOU HAVE AUTHORITY TO BIND THAT BUSINESS TO THIS AGREEMENT, AND YOUR AGREEMENT TO THESE TERMS WILL BE TREATED AS THE AGREEMENT OF THE BUSINESS. IN THAT EVENT, "YOU" AND "YOUR" REFER HEREIN TO THAT BUSINESS.\par
+\par
+"Splunk Developer API" means the documentation and functionality enabling the creation of extensions to the Software. "Example Modules" means the source code and binary form of examples that use the Splunk Developer API. \par
+\par
+PURCHASED SOFTWARE TERM. Unless earlier terminated, this Agreement will be in effect perpetually for any Purchased Software. "Term" means the period in which the Agreement is in effect.\par
+\par
+PURCHASED SOFTWARE FREE TRIAL. Notwithstanding the foregoing, if the applicable Order Confirmation is limited to a free trial license, then the Term will be limited to the free trial period specified in the Order Confirmation, this Agreement and any license rights granted hereunder will automatically terminate at the end of the free trial period, and there will be no Renewal Term. Any license keys provided for a free trial will automatically expire and may cause the Software to become non-operational at the end of the free trial period. Provisions in this Agreement regarding License Fees, Maintenance and Support, and Warranty will not apply to free trials.\par
+\par
+PURCHASED SOFTWARE LICENSE. Subject to your compliance with the terms and conditions of this Agreement, including your payment of the license fees set forth in each Order Confirmation (the "License Fees"), Splunk grants you a nonexclusive, nontransferable, revocable, limited license during the Term to use the Software for which you have paid the applicable License Fees as set forth in your Order Confirmation(s), only for your internal business purposes (which shall include use by consultants, accountants, auditors and attorneys hired to perform services for you) and only subject to the following conditions: you may use each Splunk Server with an Enterprise license to index no more than the peak daily volume of uncompressed data for which you have paid the applicable License Fees as set forth in your Order Confirmation (the "Maximum Peak Daily Volume"). The Software will be configured to display warnings and/or cease indexing data when the Maximum Peak Daily Volume is reached.\par
+\par
+FREE SOFTWARE LICENSE. Subject to the terms and conditions of this Agreement, Splunk grants to You a non-exclusive, worldwide, fully-paid up copyright license to use the Free Splunk Software in binary form only and only subject to the following conditions: (i) to index no more than 500MB of peak daily volume of uncompressed data (the 'Maximum Peak Daily Volume') and only for your internal business purposes (which shall include use by consultants, accountants, auditors and attorneys hired to perform services for you). The Software will be configured to display warnings, reduce available functionality, and/or cease indexing data when the Maximum Peak Daily Volume is reached.\par
+\par
+EXTENSION LICENSE. Splunk further grants to You a non-exclusive, worldwide, fully-paid up copyright license to use the Splunk Developer API and Example Modules included with the Software solely for the purpose of developing extensions to access the Splunk API or Example Modules for Your use in conjunction with the Software (collectively, "Your Extensions"). You agree to assume full responsibility for the performance of Your Extensions, and shall indemnify, hold harmless, and defend Splunk (including all of its officers, employees, directors, subsidiaries, representatives, affiliates and agents) and Splunk's suppliers from and against any claims or lawsuits, including attorney's fees and expenses, that arise or result from Your Extensions pursuant to this Agreement. You retain title to and copyright for Your Extensions, subject to Splunk's title to and copyright for the Software, the Splunk Developer API, and the Example Modules as specified in Ownership and Copyrights, below. This Agreement does not grant you any distribution rights. If you want to distribute or provide to any third parties Your Extensions, you must first register as a Splunk application developer and agree to the Splunk Developer Agreement at http://www.splunk.com/goto/devagreement. You will not remove or change any Splunk copyright notices or branding included in the Splunk Software or required by Splunk's Identity Guidelines as set forth at http://www.splunk.com/goto/splunkpowered, Splunk Developer APIs, or Example Modules, and will include such notices and branding in each copy of Your Extensions, the Splunk Software, the Splunk Developer APIs, and the Examples Modules that you make or distribute.\par
+\par
+PURCHASED SOFTWARE RESTRICTIONS. You agree not to (i) use the Software except as expressly authorized in this Agreement and your Order Confirmation; (ii) copy the Software (except as required to run the Software and for reasonable backup purposes); (iii) modify, adapt, or create derivative works of the Software; (iv) rent, lease, loan, resell, transfer, sublicense (including but not limited to offering any of the functionality of the Software on a service provider, hosted or time sharing basis) or distribute the Software to any third party; (v) decompile, disassemble or reverse-engineer the Software or otherwise attempt to derive the Software source code; (vi) disclose to any third party the results of any benchmark tests or other evaluation of the Software, or (vii) authorize any third parties to do any of the above.\par
+\par
+FREE SOFTWARE RESTRICTIONS. You shall not (i) decompile, disassemble or reverse engineer the Free Software without the express written authorization of Splunk; (ii) modify, adapt, or create derivative works of the Free Software; (iii) rent, lease, loan, or resell the Free Software, the Splunk Developer API, Example Modules, or Your Extensions (including but not limited to offering the functionality of the Free Software on an applications service provider or time sharing basis), except as expressly permitted in the Splunkbase Application Developer Agreement; (iv) decompile, disassemble or reverse-engineer the Software or otherwise attempt to derive the Software source code; (v) disclose to any third party the results of any benchmark tests or other evaluation of the Software, or (vi) authorize any third parties to do any of the above.\par
+\par
+OWNERSHIP. Splunk and/or its licensors own all worldwide right, title and interest in and to the Software, including all worldwide intellectual property rights therein. You will not delete or in any manner alter the copyright, trademark, and other proprietary rights notices appearing in or on the Software as provided. All right, title, and interest in and to all copies the Splunk Developer API, and the Example Modules remains with Splunk and/or its licensors. The Software, Splunk Developer API, and Example Modules are copyrighted and protected by the laws of the United States and other countries, and international treaty provisions. You may not remove any copyright notices from the Software, the Splunk Developer API, or the Example Modules.\par
+\par
+PURCHASED SOFTWARE LICENSE AND FEES. In order to access and use the Software, you are required to pay to Splunk the License Fees in accordance with your Order Confirmation. The License Fees will be due and payable in accordance with the terms set forth in your Order Confirmation. Any failure to pay the License Fees in accordance with an Order Confirmation will result in automatic revocation and termination of this Agreement and all rights and licenses granted hereunder. All License Fees are non-refundable once paid.\par
+\par
+MAINTENANCE AND SUPPORT. Subject to your payment of the applicable annual maintenance and support fees set forth in your Order Confirmation (the "Support Fees"), Splunk will provide the level of support for the Purchased Software identified in your Order Confirmation in accordance with the support descriptions set forth on Splunk's website at www.splunk.com. Splunk is not obligated to support, update or upgrade the Free Software.\par
+\par
+PURCHASED SOFTWARE VERIFICATION AND AUDIT. At Splunk's written request, you will furnish Splunk with a certification signed by an officer of your company verifying that the Software is being used in accordance with the terms and conditions of this Agreement and the applicable Order Confirmations. Upon at least ten (10) days prior written notice, Splunk may audit your use of the Software to ensure that you are in compliance with the terms of this Agreement and the applicable Orders. Any such audit will be conducted during regular business hours at your facilities, will not unreasonably interfere with your business activities and will be in compliance with your reasonable security procedures. You will provide Splunk with access to the relevant records and facilities. If an audit reveals that you have exceeded the daily peak volume during the period audited, then Splunk will invoice you, and you will promptly pay Splunk any underpaid fees based on Splunk's price list in effect at the time the audit is completed. If the daily peak volume usage exceeds ten percent (10%) of the licensed usage, then you will also pay Splunk's reasonable costs of conducting the audit.\par
+\par
+PURCHASED SOFTWARE WARRANTY. Splunk warrants that for a period of thirty (30) days after your registration of the Software with Splunk, the Software will substantially achieve any material function described in documentation for the Software published by Splunk. As Splunk's sole liability and your sole remedy for any failure of the Software to conform to this warranty, Splunk will repair or replace (at Splunk's option) your copy of the Software.\par
+\par
+WARRANTY DISCLAIMER. EXCEPT AS SET FORTH ABOVE, SPLUNK DISCLAIMS ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, QUIET ENJOYMENT AND WARRANTIES ARISING OUT OF COURSE OF DEALING OR USAGE OF TRADE. Splunk does not warrant (i) that the Software, developer's API'S or example modules will meet your requirements, (ii) that the Software will operate in the combinations that you may select, (iii) that the Software will serve the purposes intended by you, or (iv) that the operation of the Software will be error free or uninterrupted or that any Software errors will be corrected.\par
+\par
+LIMITATION OF LIABILITY. SPLUNK'S TOTAL CUMULATIVE LIABILITY TO YOU, FROM ALL CAUSES OF ACTION AND ALL THEORIES OF LIABILITY, WILL BE LIMITED TO AND WILL NOT EXCEED THE AMOUNTS PAID BY YOU TO SPLUNK IN THE TWELVE MONTHS PRIOR TO THE EVENT GIVING RISE TO SUCH LIABILITY. IN NO EVENT WILL SPLUNK BE LIABLE TO YOU FOR ANY SPECIAL, INDIRECT, INCIDENTAL, CONSEQUENTIAL OR PUNITIVE DAMAGES (INCLUDING LOSS OF USE, DATA, OR PROFITS, BUSINESS INTERRUPTION, OR COSTS OF PROCURING SUBSTITUTE SOFTWARE) ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT OR THE USE OR PERFORMANCE OF THE SOFTWARE, WHETHER SUCH LIABILITY ARISES FROM CONTRACT, WARRANTY, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY OR OTHERWISE, AND WHETHER OR NOT SPLUNK HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE. THE PARTIES HAVE AGREED THAT THESE LIMITATIONS WILL SURVIVE AND APPLY EVEN IF ANY REMEDY IS FOUND TO HAVE FAILED OF ITS ESSENTIAL PURPOSE. WITHOUT LIMITING THE FOREGOING, SPLUNK WILL HAVE NO LIABILITY OR RESPONSIBILITY FOR ANY BUSINESS INTERRUPTION OR LOSS OF DATA ARISING FROM THE AUTOMATIC TERMINATION OF THE LICENSE RIGHTS GRANTED HEREIN AND ANY ASSOCIATED CESSATION OF THE SOFTWARE FUNCTIONS. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATION OR EXCLUSION OF CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.\par
+\par
+PURCHASED SOFTWARE INDEMNITY. Splunk will defend, indemnify and hold you harmless from and against any loss, damage, liability or cost (including reasonable attorneys' fees) resulting from any third party claim that the Purchased Software infringes or violates any third party's patent, copyright or trademark rights; provided that you promptly notify Splunk in writing of any and all such claims. In the event of any loss, damage, liability or cost for which Splunk is obligated to indemnify you hereunder, Splunk shall have sole control of the defense and all related settlement negotiations, and you shall reasonably cooperate with Splunk in the defense and/or settlement thereof at Splunk's expense; provided that you may participate in such defense using your own counsel, at your own expense.\par
+\par
+TERMINATION. You may terminate this Agreement at any time by destroying or returning to Splunk all copies of the Software, including any documentation, in your possession and control, and providing to Splunk a written statement signed by an authorized representative of your company notifying Splunk that you are terminating the Agreement and certifying such destruction or return. Upon thirty days notice, Splunk may terminate this Agreement (and your license rights) upon notice in the event that you breach any provision of this Agreement and have not cured the breach during such notice period. Upon any expiration or termination of this Agreement, the rights and licenses granted hereunder will automatically terminate, and you agree to immediately cease using the Software and to return or destroy all copies of the Software in your possession or control. In the event of termination of this Agreement, Splunk will have no obligation to refund any License Fees, Support Fees, or other fees received from you during the Term. All provisions of this Agreement related to disclaimers of warranties, limitation of liability, remedies, damages, or Splunk's proprietary rights shall survive termination.\par
+\par
+SEVERABILITY. All rights and remedies, whether conferred hereunder or by any other instrument or law, will be cumulative and may be exercised singularly or concurrently. Failure by either Splunk or You to enforce any term will not be deemed a waiver of future enforcement of that or any other term. The terms and conditions stated herein are declared to be severable. Should any term(s) or condition(s) of this Agreement be held to be invalid or unenforceable the validity, construction and enforceability of the remaining terms and conditions of this Agreement shall not be affected.\par
+\par
+EXPORT. You agree to comply fully with all relevant export laws and regulations of the United States ("Export Laws") to ensure that the Software is not (i) exported or re-exported directly or indirectly in violation of Export Laws; or (ii) intended to be used for any purposes prohibited by the Export Laws, including but not limited to nuclear, chemical, or biological weapons proliferation.\par
+\par
+GOVERNMENT RESTRICTED RIGHTS. The Software shall be classified as "commercial computer software" as defined in the applicable provisions of the Federal Acquisition Regulation (the "FAR") and supplements thereto, including the Department of Defense (DoD) FAR Supplement (the "DFARS"). The parties acknowledge that the Software was developed entirely at private expense and that no part of the Software was first produced in the performance of a Government contract. If the Software is supplied for use by DoD, the Software is delivered subject to the terms of this Agreement and in accordance with DFARS 227.7202-1(a) and 227.7202-3(a) (1995), with restricted rights in accordance with DFARS 252.227-7013(c)(1)(ii) (OCT 1988), as applicable. If the Software is supplied for use by a Federal agency other than DoD, the Software is restricted computer software delivered subject to the terms of this Agreement and FAR 12.212(a) (1995); (ii) FAR 52.227-19; or FAR 52.227-14(ALT III), as applicable.\par
+\par
+PUBLICITY. You agree that Splunk may identify you as a Splunk customer on Splunk websites, client lists, press releases, and/or other marketing. You also agree that Splunk may publish a brief description highlighting your deployment of the Software.\par
+\par
+GENERAL. This Agreement shall be governed by and construed in accordance with the laws of the State of California, as if performed wholly within the state and without giving effect to the principles of conflict of law. Any legal action or proceeding arising under this Agreement will be brought exclusively in the federal or state courts located in the Northern District of California and the parties hereby consent to personal jurisdiction and venue therein. If any portion hereof is found to be void or unenforceable, the remaining provisions of this Agreement shall remain in full force and effect. Neither party may assign this Agreement, in whole or in part, except in connection with an internal reorganization or a sale of the business with which this Agreement is associated without Splunk's prior written consent, and any attempt to assign this Agreement other than as permitted above will be null and void. This Agreement is intended for the sole and exclusive benefit of the parties and is not intended to benefit any third party. Only the parties to this Agreement may enforce it. This Agreement and any Order Confirmations constitute the complete and exclusive understanding and agreement between the parties regarding their subject matter and supersede all prior or contemporaneous agreements or understandings, written or oral, relating to their subject matter. Any waiver, modification or amendment of any provision of this Agreement will be effective only if in writing and signed by duly authorized representatives of both parties.\par
+}
+
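Review bot: the file is named license-eula.rtf but its content is Splunk Inc.'s own Splunk Software License Agreement (the title, `\company Splunk Inc.` and every clause refer to Splunk's software and license keys), not a license from the app's author for the EventID.Net app; replace it with, or add alongside it, the app's own license text, otherwise users have no stated terms for the lookups, dashboards and scripts shipped here.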
diff --git a/deployment-apps/eventid/lookups/eventid_interesting_events.csv b/deployment-apps/eventid/lookups/eventid_interesting_events.csv
new file mode 100644
index 00000000..154a5207
--- /dev/null
+++ b/deployment-apps/eventid/lookups/eventid_interesting_events.csv
@@ -0,0 +1,22 @@
+event_id,source,description
+104,Microsoft-Windows-Eventlog,Attackers tend to clear logs in order to hide previous activity.
+104,Eventlog,Attackers tend to clear logs in order to hide previous activity.
+517,Security,Attackers tend to clear logs in order to hide previous activity.
+1000,Application Error,Critical application error
+1001,Microsoft-Windows-WER-SystemErrorReporting,Blue Screen of Death
+1002,Application Hang,Application hang
+1076,USER32,An admin provided a reason for an unexpected restart
+1102,Eventlog,Attackers tend to clear logs in order to hide previous activity.
+2004,Microsoft-Windows-Windows Firewall with Advanced Security,Firewall rule added
+2006,Microsoft-Windows-Windows Firewall with Advanced Security,Firewall rule deleted
+2033,Microsoft-Windows-Windows Firewall with Advanced Security,Firewall rule deleted
+4608,Microsoft Windows security auditing,The computer has been restarted - not an usual event.
+4625,Microsoft Windows security auditing,A user failed to logon
+4663,Microsoft-Windows-Security-Auditing,An audited object has been accessed.
+4719,Microsoft-Windows-Security-Auditing,System audit policy was changed
+4728,Microsoft-Windows-Security-Auditing,User Added to Privileged Group
+4732,Microsoft-Windows-Security-Auditing,User Added to Privileged Group
+4735,Microsoft-Windows-Security-Auditing,Security-Enabled Group Modification
+4740,Microsoft-Windows-Security-Auditing,Account lockout
+4756,Microsoft-Windows-Security-Auditing,User Added to Privileged Group
+7045,Service Control Manager,Installation of new services are not typical events.
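Review bot: the `source` column is inconsistent, which matters because a lookup keyed on `event_id` and `source` only fires on an exact string match. 4608 and 4625 use `Microsoft Windows security auditing` while every other Security-log row uses `Microsoft-Windows-Security-Auditing`, which is the SourceName the Universal Forwarder records, so those two rows will never match; and 1102 (audit log cleared) has only the legacy `Eventlog` spelling while 104 has both `Eventlog` and `Microsoft-Windows-Eventlog`, so 1102 is missed on current Windows versions where the provider is `Microsoft-Windows-Eventlog`. 2033 carries the same text as 2006 ("Firewall rule deleted"); if it is the bulk-deletion event it deserves its own wording, since removing every rule is far more significant than removing one. Minor: "not an usual event" should read "not a usual event".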
diff --git a/deployment-apps/eventid/lookups/eventid_interesting_processes.csv b/deployment-apps/eventid/lookups/eventid_interesting_processes.csv
new file mode 100644
index 00000000..123f2868
--- /dev/null
+++ b/deployment-apps/eventid/lookups/eventid_interesting_processes.csv
@@ -0,0 +1,72 @@
+process,Category,Process_Details
+arp.exe,Target Discovery,Obtains information about hosts on the local broadcast domain
+at.exe,Command Execution,Executes a task at the specified time and it may be used to secretly place an application or script without being recognized by the user in advance and then execute it at the desired time.
+bcdedit.exe,Privilege Escalation,Tool for editing the boot configuration and it may be used to escalate privileges
+bcp.exe,Data extraction,Bulk copy of data from database. It may be used to exfiltrate data.
+chcp.exe,Malware,"Displays the number of the active console code page, or changes the console's active console code page."
+cmd.exe,Command Execution,Can be used to execute a large number of commands
+cscript.exe,Command Execution,Can be used to execute a large number of scripts
+csvde.exe,Acquisition of Account Information,Outputs account information on the Active Directory in the CSV format and it can be used to extract information on an existing account and select users and clients available as attack targets.
+dsquery.exe,Acquisition of Account Information,"Obtains information, such as users and groups, from a directory service and it can be used to extract information on an existing account and select users and clients available as attack targets."
+Find-GPOPasswords.ps1,Password Hash Acquisition,Acquires any password descriptions in a group policy file and may attempt to infiltrate other hosts using acquired passwords (by executing the tool on Active Directory).
+GSECDUMP.EXE,Password Hash Acquisition,Extracts hash from SAM/AD or logon sessions and use it to log on to other hosts using acquired hash information.
+icacls.exe,File Sharing,Changes the file access rights and it can be used to change the rights to read a file that cannot be read by the used account. It is also used to capture rights so that the content of a file created by the attacker will not be viewable
+ipconfig.exe,Target Discovery,Displays or changes IP stack information
+ldifde.exe,Acquisition of Account Information,Outputs account information on the Active Directory in the LDIF format and it can be used to extract information on an existing account and select users and clients available as attack targets.
+mailpv.exe,Password Hash Acquisition,Extracts account information saved in the mail client settings on the machine
+mimikatz.exe,Password Hash Acquisition,Steals recorded authentication information and it can be used to escalate the privileges to the domain Administrator privileges.
+ms14-068.exe,Escalation to SYSTEM Privileges,Changes the privileges of the domain user to those of another user
+nbtstat.exe,Target Discovery,Allows a refresh of the NetBIOS name cache and the names registered with Windows Internet Name Service (WINS).
+nc.exe,Target Discovery,"Multpurpose tool, can be used for probing ports"
+net.exe,Adding or Deleting a Local User/Group,Adds a user account in a client or the domain or creates a network share and it can be used to create accounts or additional sessions in the machine the attacker has infected or to communicate with other hosts.
+net1.exe,Adding or Deleting a Local User/Group,Adds a user account in a client or the domain or creates a network share and it can be used to create accounts or additional sessions in the machine the attacker has infected or to communicate with other hosts.
+netcat.exe,Target Discovery,"Multpurpose tool, can be used for probing ports"
+netsh,Command Execution,"Allows to, either locally or remotely, display or modify the network configuration of a computer that is currently running. "
+netstat.exe,Target Discovery,"Displays active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP routing table, IPv4 statistics "
+nmap,Target Discovery,Port scanner
+nslookup.exe,Target Discovery,Performs a DNS lookup
+ntdsutil.exe,Capturing Active Directory Database,"A command to maintain Active Directory databases and it can be used to extract NTDS.DIT, a database for NTDS, and other tools are used to analyze passwords (executed in Active Directory)."
+OSQL.exe,Data extraction,"Allows execution of Transact-SQL statements, system procedures, and script files. Can be used to attack a database or exfiltrate information."
+powercat.ps1,Malware,Part of PSAttack hacking tools
+powershell.exe,Command Execution,Allows remote command execution and it may be used to change settings to enable the Domain Controller and other hosts on the network to perform operations requiring administrator rights
+procdump.exe,Command Execution,Utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike
+psexec.exe,Command Execution,Executes a process on a remote system and it may be used to remotely execute a command on client and servers in a domain.
+psexecsvc.exe,Command Execution,Tool used for remotely executing processes on other systems
+psLoggedOn.exe,Target Discovery,Displays both the locally logged on users and users logged on via resources for either the local computer
+PwDump7.exe,Password Hash Acquisition,Displays a list of password hashes in the system and it may be used to perform logon authentication on other hosts using the acquired hash information.
+PWDumpX.exe,Password Hash Acquisition,Acquires a password hash from a remote host and use it to perform attacks such as pass-the-hash.
+qprocess.exe,Privilege Escalation,Query Process Utility - It can be used to start an elevated subprocess
+QuarksPwDump.exe,Password Hash Acquisition,Acquires the NTLM hash of a local domain account and cached domain password and it may be used to perform logon authentication on other hosts using the acquired hash information.
+query.exe,Target Discovery,Query User Sessions in Windows
+rar.exe,Command Execution,"Used by many attackers to deploy tools, exfiltrate information"
+rdpv.exe,Password Hash Acquisition,Extracts account information saved in the RDP settings on the machine and use it to log in to other hosts with such passwords.
+reg.exe,Command Execution,"Adds, changes, and displays registry subkey information and values in registry entries."
+route.exe,Target Discovery,Display or changes routing information
+runas.exe,Command Execution,Runs command using a different account
+rundll32,Command Execution,Tool responsible for running DLLs and placing its libraries in the memory
+sc.exe,Command Execution,Retrieves and sets control information about services.
+schtasks.exe,Command Execution,"Enables an administrator to create, delete, query, change, run, and end scheduled tasks on a local or remote computer. Can be used by an attacker in many situations."
+sdbinst.exe,Privilege Escalation,SDB UAC Bypass - used to execute an application that is not normally executed by pretending to execute a typical application.
+sdelete.exe,Deleting Evidence,Deletes a file after overwriting it several times and it can be used to delete a file created in the course of an attack to make it impossible to be recovered.
+sethc.exe,Privilege Escalation,Sticky Keys utility
+sqlcmd.exe,Command Execution,Manage SQL server from command line
+ssh.exe,Command Execution,Opens a secure shell on a remote host
+sysprep.exe,Privilege Escalation,"Prepares an installation of Windows for duplication, auditing, and customer delivery."
+systeminfo.exe,Target Discovery,"Command-line utility that displays information about your Windows version, BIOS, processor, memory, network configuration"
+tasklist.exe,Target Discovery,Displays running processes
+timestomp.exe,Deleting Evidence,Changes the file timestamp and it can be used to conceal the access to the file by restoring the timestamp.
+tracert.exe,Target Discovery,Traceroute tool. It can be used to discover information about the network
+vssadmin.exe,Capturing Active Directory Database,"Creates Volume Shadow Copy and extracts NTDS.DIT and it can be used to extract NTDS.DIT, a database for NTDS, so that the password can be analysed using other tools."
+wce.exe,Password Hash Acquisition,Acquires password hash information in the memory of a logged in host
+wceaux.dll,Privilege Escalation,Executes a command with higher privileges using the hash of the acquired password
+WebBrowserPassView.exe,Password Hash Acquisition,Extracts user names and passwords saved in the web browser of a machine
+wevtutil.exe,Deleting Evidence,Deletes Windows event logs and it can be used to delete the evidence of an attack.
+whoami.exe,Target Discovery,Displays information about the current user
+winrar.exe,Command Execution,"Used by many attackers to deploy tools, exfiltrate information"
+winrs.exe,Command Execution,Executes a command on a remote hosts
+WMIC.exe,Command Execution,A tool used for Windows system management and it may be used to acquire information on the remote system or to execute a command with WMI.
+wmic.exe,Command Execution,Windows Management Instrumentation Command-line
+wmiexec.vbs,Command Execution,A tool used for Windows system management that may execute a script for other hosts.
+wscript.exe,Command Execution,Can be used to execute a large number of scripts
+wsmprovhost.exe,Privilege Escalation,WinRM Remote Powershell - Can be used to elevate privileges
+wusa.exe,Privilege Escalation,Windows Update Standalone Installer - Can be used to elevate privileges
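Review bot: the process-name keys in this lookup are not normalized, which makes matching unreliable: most rows carry an `.exe` suffix, but `netsh`, `nmap` and `rundll32` do not, and `WMIC.exe` and `wmic.exe` appear as two rows with different descriptions (a case-variant duplicate rather than a second tool). Unless the lookup stanza in transforms.conf sets `case_sensitive_match = false`, rows such as `GSECDUMP.EXE` and `PwDump7.exe` will only match the exact capitalization written here. I'd lower-case every key, give all executables a consistent `.exe` suffix (keeping `.ps1`, `.vbs` and `.dll` where the entry really is a script or library), drop the duplicate `wmic.exe` row, and fix the text issues while at it: `Multpurpose` in the `nc.exe` and `netcat.exe` rows, the truncated `psLoggedOn.exe` description ("... for either the local computer"), and the trailing spaces inside the quoted `netsh` and `netstat.exe` descriptions.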
diff --git a/deployment-apps/eventid/lookups/xml_event_types.csv b/deployment-apps/eventid/lookups/xml_event_types.csv
new file mode 100644
index 00000000..0c96e79a
--- /dev/null
+++ b/deployment-apps/eventid/lookups/xml_event_types.csv
@@ -0,0 +1,6 @@
+xml_type,event_type
+0,Audit Success
+1,Audit Failure
+2,Error
+3,Warning
+4,Information
\ No newline at end of file
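Review bot: the `xml_type` values 0 and 1 need checking against a real rendered event before dashboards rely on this mapping. If `xml_type` is the `<Level>` element of the XML event, Level 0 is LogAlways and Level 1 is Critical in the Windows event schema, and the audit outcome of Security-log events is carried in `<Keywords>` (Audit Success / Audit Failure), not in Level; mapping `0,Audit Success` and `1,Audit Failure` would then label every LogAlways event a success and every Critical event an audit failure. Level 5 (Verbose) is also absent. Suggest confirming the source field with a sample audit event and, if it is Level, renaming rows 0 and 1 and adding `5,Verbose`. Minor: add the trailing newline flagged by `\ No newline at end of file`.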
diff --git a/deployment-apps/eventid/splunkbase.manifest b/deployment-apps/eventid/splunkbase.manifest
new file mode 100644
index 00000000..ec519ad2
--- /dev/null
+++ b/deployment-apps/eventid/splunkbase.manifest
@@ -0,0 +1,165 @@
+{
+ "version": "1.0",
+ "date": "2022-11-13T16:20:11.646384877Z",
+ "hashAlgorithm": "SHA-256",
+ "app": {
+ "id": 3067,
+ "version": "1.5.1",
+ "files": [
+ {
+ "path": "README.txt",
+ "hash": "dc3b8a4d9a70d328da7aa6d3eb19105c8698b7a8d5c932fd954dd562649ffc37"
+ },
+ {
+ "path": "license-eula.txt",
+ "hash": "98b7ba70adba20e20074cd61e6d739dab3432f88b6662d25100589c4313c91c6"
+ },
+ {
+ "path": "license-eula.rtf",
+ "hash": "52ed437423e1fec818c133c2aa5399a09051e3d852214bb097abd4493bf524c7"
+ },
+ {
+ "path": "appserver/static/default.css",
+ "hash": "f382733e76c81ab6a65732f4bfe16695d4c3c6d6e95ee1f982c95b1e535c8182"
+ },
+ {
+ "path": "appserver/static/appIcon.png",
+ "hash": "ed6f90e4767434de479b483bbf61a33e6a6df49e6343e175a4429571d6f94ca4"
+ },
+ {
+ "path": "appserver/static/appIcon_2x.png",
+ "hash": "514fde35b97d6aa927b537c258a0d56c213e8d44f05b06b4eb64d628c5b8c5fa"
+ },
+ {
+ "path": "appserver/static/dashboard.js",
+ "hash": "72d5964740d1d502779aac770157240dbe19098efd58b235031ff00af66a517d"
+ },
+ {
+ "path": "appserver/static/dashboard.css",
+ "hash": "041f9cd8ca93efe80552900f56377e4f0e8c6c7d2e8074b4d2cd738c947e44c5"
+ },
+ {
+ "path": "appserver/static/application.css",
+ "hash": "3fa88520e98d77a7b64470af4a8d5f3c5fb38780536254acb1390eef2e3dea44"
+ },
+ {
+ "path": "static/appIconAlt.png",
+ "hash": "04b6f005badc8e43102a7f7c50507ebb6f3a7190419eeba186af82841e825cf5"
+ },
+ {
+ "path": "static/appIconAlt_2x.png",
+ "hash": "c81524b8d5be9fcfe27824942778edcdb8816ea76962687caccf71585bd949af"
+ },
+ {
+ "path": "static/appIcon.png",
+ "hash": "5de9138eda5158b773b127214877b6397440b83ba1c54a4e396e0ed832b28eab"
+ },
+ {
+ "path": "static/appIcon_2x.png",
+ "hash": "84c8b9d977c0de2de38050321d8af789ea096d791fc4ae0febf8276aa649d495"
+ },
+ {
+ "path": "bin/ev_process_proc.py",
+ "hash": "7e22ec9f4a2a0b0fbff25dd2337cdb382a3a5d3320f59510ad88c405f33715c1"
+ },
+ {
+ "path": "bin/ev_process_xml_parameters.py",
+ "hash": "09c2f00bf6976933c55387524ca5079263b62c30144ea1564bf89d1e278fa765"
+ },
+ {
+ "path": "lookups/eventid_interesting_processes.csv",
+ "hash": "9ea2fff7a3387f1616db788316cf93424cd35a8ca68b7438d4acf8e3bad35fcd"
+ },
+ {
+ "path": "lookups/eventid_interesting_events.csv",
+ "hash": "2a0d8b42141c332ecd522c08be82ff75dfcb182b65c419fc9071cd939931bf8a"
+ },
+ {
+ "path": "lookups/xml_event_types.csv",
+ "hash": "f659b8fd89a17314777c7b7c4db3c6621881c329de848de901696f97bcf9f8f3"
+ },
+ {
+ "path": "default/workflow_actions.conf",
+ "hash": "cefd3810066e5ea0724cc4209bbcebf8e02f62a62e2701f7a4a736dc4daf24d7"
+ },
+ {
+ "path": "default/setup.xml",
+ "hash": "9a99194460d4b208c23321ed3d6ae9fb3d22c8228fc354b1b0f2709c463f9af2"
+ },
+ {
+ "path": "default/macros.conf",
+ "hash": "65750e629a66b2d01c4d4378afe62cc01a04ee6e50f9d486b95b28952df503f8"
+ },
+ {
+ "path": "default/app.conf",
+ "hash": "3b8c9bb17010f6617ae2eb7e354314e7261acea9140e07876afde40fd0a1e9f7"
+ },
+ {
+ "path": "default/transforms.conf",
+ "hash": "a1bf8d3f1ac933a79755be12f74c51521c143af67df030b6bdab86a9b2b841bd"
+ },
+ {
+ "path": "default/data/ui/views/users_and_groups.xml",
+ "hash": "4f88bb0db7d02c4db24addabb3e066f153205932344219abe0cdccd95598c20e"
+ },
+ {
+ "path": "default/data/ui/views/eventid.xml",
+ "hash": "8d81838c8772e2574815ffe2b0bb340848159fbc82ea9692b174ff8347e18f8b"
+ },
+ {
+ "path": "default/data/ui/views/README",
+ "hash": "f75000f12510d242fc99decea9e7e5a46a1a8bef910d3d6f741797816b35034d"
+ },
+ {
+ "path": "default/data/ui/views/audit_events.xml",
+ "hash": "07831e6022317dac835334ddc71bcd69ab070a36c226775bcf8ab3d4f978f487"
+ },
+ {
+ "path": "default/data/ui/views/windows_events_xml_source.xml",
+ "hash": "eca2ee4e7ceb5ff9d647923288c2239221036bf8f527ad8adf152dad18adbdcf"
+ },
+ {
+ "path": "default/data/ui/views/interesting_processes.xml",
+ "hash": "6eddc62a8c6f1699aef29beaf3a473ad3ee027d64b19145060e9485c62bf0580"
+ },
+ {
+ "path": "default/data/ui/views/windows_event_sources.xml",
+ "hash": "6ba446cb74dae22077480b71e629740c59a076a397602769f2efdff5e339d023"
+ },
+ {
+ "path": "default/data/ui/views/interesting_events.xml",
+ "hash": "0d328993aff2184d91580c3a559bac3a5cc132fa615c59b59334f4574aee84c3"
+ },
+ {
+ "path": "default/data/ui/views/documentation.xml",
+ "hash": "8c637bd333af2d673a9ddce83bf11088960477e0df6469e7308e9422db43c9e5"
+ },
+ {
+ "path": "default/data/ui/nav/default.xml",
+ "hash": "4b6b9487aa7fdce166ae3a289bda278b631811455ddce7b54263999776b9024d"
+ }
+ ]
+ },
+ "products": [
+ {
+ "platform": "splunk",
+ "product": "enterprise",
+ "versions": [
+ "7.0",
+ "7.1",
+ "7.2"
+ ],
+ "architectures": [
+ "x86_64"
+ ],
+ "operatingSystems": [
+ "windows",
+ "linux",
+ "macos",
+ "freebsd",
+ "solaris",
+ "aix"
+ ]
+ }
+ ]
+}
\ No newline at end of file
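Review bot: this manifest is a Splunkbase packaging artifact that pins a SHA-256 for every file, so it is only meaningful while the tree matches it; committing it into a deployment-apps directory where `lookups/eventid_interesting_processes.csv`, `default/macros.conf` and the views are expected to be edited means the hashes go stale on the first local change. Either regenerate it as a packaging step or drop it from the repo. If it stays, the commit should also carry every path it lists (`README.txt`, `license-eula.txt`, `license-eula.rtf`, `default/data/ui/views/README`, the `bin/*.py` scripts) so manifest and tree agree, and the `products.versions` block (`7.0`, `7.1`, `7.2`) should be brought in line with the Splunk releases this app is actually deployed on.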
diff --git a/deployment-apps/eventid/static/appIcon.png b/deployment-apps/eventid/static/appIcon.png
new file mode 100644
index 0000000000000000000000000000000000000000..4d0acb375447d6e694ac611d2c12025133c0d54a
GIT binary patch
literal 1566
zcmV+(2I2XMP)(D(=2$j$BiT&M!sbMrvMpu{DWY=GjUj__D^jrFWt^V&
z^qhAefJ(WIo6o2A?XTzgo#*|%&+qq=oTAbPm?a1yNQk%6q{IZyVveSQR!cwtpX6ot
zT>a`l?Hy`oN0*{9Hrq#npG{Cgd>kz)-YjffpQSMx!^ljrk01ZbYV39L#i}cETYIPS
zf6pc}DG(WHqWgAj7Yg%p1WM^_a(w~@)YxyxXUf0zI(z%nIVZ5WFi&&zje~kY(9Df^
z0{pTcWv9Q9Dyyn}Q~l1x+fv^dzd$L);aB(S4!yEl$8p?($N_+I6j_;T_^^m5(s--E
zud2afOw#q((bsg_x4tMWn0XYP!wmcFGRe)|B)on6n4XZ}5(-LS$F>q-b5Y)c$yEl_
zx>X#x=_hNdWwI=kB8&$%ZphN?*||+SJ~nU)($iLQ2M_GljeYm2K+^+;)?tRnen3M2
zJqPGHf-ntW;21P?EuRVg(mCm-}{Y*Z$SqqBJ!9
z=?^5paU9+}a#&9(g{%S}+*R;-n?eSsESuTmg&2y{Sv(WQ=}aiW>xcGh-#UK6uQE2W
z1-UsJHF0sVR91m)H8Od(dH&>-0NLRL=hpM={Bt}D9p^Nvs>0dRgQUcGt{^{01B@!L
zrMO4{fcIJya&2I07YpGD1j3->2y`4k!C=x-gbP4~07UBuGM=Gqg9(VyP4+5L6mhAt
zlH}&)F#y=HwM2XMmuoU_j*X_vm)W>s1vu5FUrN1W~B1~@cV#@;uwneGk9j4hxd5BUWlRyad;T_
z-EO#CF5>FzgVX7Rs;aP9EGR503X*qCMmoq)jHa=bYvngT$&acXLZ!vVY9PC6V8
zu(@!)P)`F!~4!UfXO(lR3vAp{140ZW%IMVQfu
z$jC?*6%_@m)e5avJL7+s7z|{}b}UH}%FD~iK!1PGI;9lP#>eAXtChu=%`k@_k*`WiLwuI3Au~DI2-A>if(G^gEjXTd4iv^1<`xtth_tdubPK5%%#Y3unVt$c
z0Q`8d$_I=NB-OuOlU=R>6##5DTR`%O)5~I^r>9rFeC4+%3CMmwKKtUV1U6E1At50E
zfWe`mr;@-|UwMrM^RN26clK@
zl0<52Yl$s6nOUvY1(E+zQ!9V?$th`K*PL`OP!t6<_B#K=M~~Q^oiFnSg8@HZzD#0c
zV_`HJ=g!Q4bLT6(pO&4G{Qk)|wHdEw3Gs3C(1E?Wl;ugh-EJo#dOgd|&W1*q-Q?bK
zw@oSg@~rgt-L`4(h%+WIhE*$5xtEHc7t&X+)C>&`!fZBA+iHD28Fe=rmS^xk5
literal 0
HcmV?d00001
diff --git a/deployment-apps/eventid/static/appIconAlt.png b/deployment-apps/eventid/static/appIconAlt.png
new file mode 100644
index 0000000000000000000000000000000000000000..3fd665fc0b45ace6c0a68518123ed7c4767f2dfb
GIT binary patch
literal 1355
zcmV-R1+@B!P)31QA3<3@UgbQm}|VDHcmY@(?ezEsY&WQb}8LH*L<`
z=bYt3Cdnk7w3ADJn1{3W+WY_4-fOSDMpyz=Re(C+Zr~0e00{s+GViz>|QPkJ#+#86oe8NdJ-rsOsaudw_q5#0!xG
zUKNoq@)Dq`Ch!LE;tGl9)~9?$<$|@sfxnv&W1a{_n0PdEb<495@vz@EGz0@JS|-
za|=+_=YXeIO6n?fjHJy&UC}`OkJr}Jt~K2fk0`Jocsbj5R*kCO5BxwT*^(~&Htv`g
zrX1s1O2uOc1twZx3dLU0LJRd8)6*xDD*wh^8H~8bpA(MRJ?2l)iT
z7pe<9A|f5L0#wxkI)S>B3rEhyeIJDrzKMk9bxjw;!y7#5Zyqd&7Eec?jlY10M8vf+
zh66L?ttaimQ^RSCWx^1+ugr1|*ZUF&HhNOoW3KBmI5=olS64Rzj{)s7M9%`eeKzi2
zj67h8`V8=!g5N+5f!lnBuJehO`NX|FVCdFT(`hL;(;Etmg%M-hwwyR|BGB5}8qb(s
z0NO28tpV`QZ40{b61J!RQN@Me$fK+x^2u0wrxvKPmi~|yW3k|
zU!SU|sF*3!cdBZg1+)O197>yeH+a$?Y!Adry-O#H$Kzt#wnQQk85tQdhK7dBD_5?V
zmo8m0UDu_ms><27Z(n@Dv=$3!1lU+$=$8)^L>J3C+qPw3V89w39W}BJjEiEl|O>?Oa
z<(z&Cn98=OD(&smWn0F^#%2%HFbsC@-krEbx#Wl5LnLAamx=1MPeE?1^vN
zwk_4w)#dB&?_YMU&BAxUArZ;>=v@a@eM(hFySlofM~@zL`uh58Rh?YM?>|+2ePKI3
z8}v;?)B$fzPEPLa=;-hU0s-B%Ygf|i_2zp!dVtqNe
z>J1_uQq|8@wI!dmmz3eE>I3cp8klZmiZVkHpr7f#=f8`{!q#h1{0|&RF~6d-R3!ia
N002ovPDHLkV1i0LasL1S
literal 0
HcmV?d00001
diff --git a/deployment-apps/eventid/static/appIconAlt_2x.png b/deployment-apps/eventid/static/appIconAlt_2x.png
new file mode 100644
index 0000000000000000000000000000000000000000..220469ed61afbc2d4838ae5b6e3b6535f72c974b
GIT binary patch
literal 2805
zcmV5{e!G)djsi5=VTUH)*AIjQY9ah#-I$+CR!x%b_#?>Xn5d+vS096%|R4P*mZKoA%d
z5#MZ&Lo(U9QmO#B38({B0+qlLz!pc`0(yYXk1n>&*bKq|xqSEa!ZSqQ~j|2AuHR<*>
z1-u13C?YSW)5)~SE2WBo9{{`38944k@LsO+|iE@*|FIKTwtC*fIuRM9H4kfUEIrSOhA&8<1InrJ((?slC>3+S&$8
z+e_!d_ILc&6+TLUKYlEGXx9>ZI6+qmxKl)4ir03$q*4aZ46I5tuuh+)wOokUUhOmW
z_xzT2F{ET5WJ$z=T)QZT4RUl*`G%-GW8~YRDGhKN(b>@jA_^jw!WTgT5hd>jEO|em
zwDUujbPZaXFRUhAitk_J9RAVu&fp|s=YbE4$Y5+?Je$8e9`UdRzk4TS{IX-%c>9t$
zXBsgI0lru54E}Jfb2tU@Qs6tl0~7lggHmb%@FvkD!x)YYn6`#jhFmA+0cn7IL)2p*
z%?fOQqoG3+p%k-Jd-lh#MMwrP2{<-dGtDzk?_
zN)cG>siQb_6Ea`b69e
zJg6(BG~mYA8c%OT|K@7P@IxD1LE9{G>s)omPBf5YQk&QtO?ug_UU%DPzQ3R)3T?h$JW@`=(HSJO4ZRO|Z
zTX}hTDlae3%FD~Mii?Y_{QUe(IgD#`rg(61@Zdp*$K!EK)vh&7W5I$2R!K>TSz20Z
z78Dd%1qB6GVPT=A>j_hdnS`bT{#2!#o12ZphYw#7_9jA6QIS<$T^(Mza%H5nwA7p<
zl8N9;nS6VDyMExn0cR?*<>lpOeSLj!`SRuSCNhizzYg?ICKU>WRY{%lX2AobN5e|pt
z$dMyPG8w}#t~TN@LjDX8NF>qG(P0aPLP=+R`}Xa@tBkk_bZ8e%a$4Z14hV;$Z?|g-L62gCF{EDuABY_eD2T-{0qh(TKp-Vq|@n47{@MOzWiz=
z|BQ&3FrNHVM3egCkZ5BeA`}%BU2Q6F0)H6&F-Csm6ywQ>(u)@_j=O|891b;&1j1aS
zQAEb#nu(tLXTUgBuB@z#tJ<2Di5sRFg#sRlEf~jOPK#2Ci8=Fm3@;PT<{=Jw5%DwOF3!4j>%#HY^RBM0
ztHtOah<9&4?#ziu6Y%($kfu>zUw_3)aQgJ=d6k_=fF==nJYGdIwY?V@vyoM+Rz+%S
zYsaboi4!O6vz4`-Cc1#HC#p({RjZ`-ylFpF`&
z0)9jERg<_Ej1wW97mTha8Y|ZT^!4>=`}gm6o;r0(uc)Xnw{6=Nn1w{gY2e!;a(Ft8
z(^{iPwBSp?Jwz}0)6>&qYiVgQIyyS+b#-;a8#itYIUJ6eKC|v4x(WOBNDgvZn2`WQ
zDdhmZKs2CO1~51{DDCa-dUtoXt*orfTD59b*zI1;~r3OPUf(0zdE~(U+V4DIzmwN*N1HM@-^+qBoyLUnE{alD9jEW?H&|Q@~N8
zS=KfY$w<0vR^xJ|lpQDm3W&atXeXLH@e|#4o}a46P6z)7Pu1a~iTk;900000NkvXX
Hu0mjfKL$T<
literal 0
HcmV?d00001
diff --git a/deployment-apps/eventid/static/appIcon_2x.png b/deployment-apps/eventid/static/appIcon_2x.png
new file mode 100644
index 0000000000000000000000000000000000000000..aa831f87fd5a6d76f621c3551e3d95b06b801ad7
GIT binary patch
literal 3240
zcmV;Z3|I4sP)6(yKGT-I>5E5sC<^TIMq#li
zjKa$3s_f3Xv(C=W?u?Aj<*|#(_*lo;aa>1TT}5_QR>2k#0coL?3bduv7D|bi&9fl7+rD_laQcg7>4nZr2<8-(I^-UT|!4^
zm(bLF$z9jb=rWru6ZTR_qb+EnP$y5`JS8XzMTtr>al$M~+qS
z-QCxO$Y~lu@^eaNup95cPco~xkR2Ccf1p5PQ?q;j7v+QB)tq%vI(~x~H~IN#eun
zbF{S^!Ws@?kzc)Hsra|QepDuvN+!U*Lxa=FcR8JW(D!=#96yMOjV3SedQP!w#S%$a
zT23(Tm{-ES_VNxze7q)TPC*GKB*rtZzqCU!Juhd{Cbe*2icVtQcx9&|Gh