parent
6d08cc6a27
commit
1f56bbc1c7
@ -0,0 +1,553 @@
|
|||||||
|
body {
|
||||||
|
background-color: #cedec3;
|
||||||
|
font-size: 12px;
|
||||||
|
line-height: 130%;
|
||||||
|
}
|
||||||
|
|
||||||
|
ul.accountBarItems {
|
||||||
|
font-size: 11px;
|
||||||
|
}
|
||||||
|
|
||||||
|
br {
|
||||||
|
clear: both;
|
||||||
|
}
|
||||||
|
|
||||||
|
.SplunkModule {
|
||||||
|
padding: 0px;
|
||||||
|
}
|
||||||
|
|
||||||
|
.appHeaderWrapper {
|
||||||
|
background-color: #333333;
|
||||||
|
background-image: none;
|
||||||
|
}
|
||||||
|
|
||||||
|
#appContent h1 {
|
||||||
|
font-size: 24px;
|
||||||
|
font-weight: normal;
|
||||||
|
letter-spacing: -1px;
|
||||||
|
line-height: 130%;
|
||||||
|
margin-bottom: 15px;
|
||||||
|
text-shadow: white 0px 1px 1px;
|
||||||
|
}
|
||||||
|
|
||||||
|
.splButton-primary span,
|
||||||
|
.splButton-secondary span,
|
||||||
|
.splButton-tertiary span {
|
||||||
|
min-width: 110px;
|
||||||
|
}
|
||||||
|
|
||||||
|
.resultsArea {
|
||||||
|
background-color: #EDEDE7;
|
||||||
|
}
|
||||||
|
|
||||||
|
/** app tabs **/
|
||||||
|
div.appTabsWrapperOuter {
|
||||||
|
background: #333 url(./images/bg_tabs.png) repeat-x 50% 100%;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.appTabsWrapper {
|
||||||
|
margin: 0px auto 0px;
|
||||||
|
width: 830px;
|
||||||
|
overflow: hidden;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Target Firefox 2 and older [!] */
|
||||||
|
div.appTabsWrapper ul#appTabs, x:-moz-any-link {
|
||||||
|
position: relative;
|
||||||
|
top: 1px;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.appTabsWrapper ul#appTabs, x:-moz-any-link, x:default {
|
||||||
|
position: relative;
|
||||||
|
top: 0px;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.appTabsWrapper ul#appTabs {
|
||||||
|
list-style-type: none;
|
||||||
|
margin: 15px 0px 0px;
|
||||||
|
overflow: hidden;
|
||||||
|
padding: 0px;
|
||||||
|
width: 100%;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.appTabsWrapper ul#appTabs li {
|
||||||
|
float: left;
|
||||||
|
list-style-type: none;
|
||||||
|
margin: 0px 5px 0px 0px;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.appTabsWrapper ul#appTabs li a {
|
||||||
|
background-color: #73A550;
|
||||||
|
-moz-border-radius-topleft: 5px;
|
||||||
|
-moz-border-radius-topright: 5px;
|
||||||
|
-webkit-border-top-left-radius: 5px;
|
||||||
|
-webkit-border-top-right-radius: 5px;
|
||||||
|
border-top-left-radius: 5px;
|
||||||
|
border-top-right-radius: 5px;
|
||||||
|
color: white;
|
||||||
|
display: block;
|
||||||
|
font-size: 14px;
|
||||||
|
padding: 8px 20px;
|
||||||
|
text-decoration: none;
|
||||||
|
-moz-text-shadow: #666 0px 1px 1px;
|
||||||
|
-webkit-text-shadow: #666 0px 1px 1px;
|
||||||
|
text-shadow: #666 0px 1px 1px;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.appTabsWrapper ul#appTabs li.current a {
|
||||||
|
background-color: #EDEDE7;
|
||||||
|
color: #333;
|
||||||
|
text-shadow: white 0px 1px 1px;
|
||||||
|
border: 1px solid white;
|
||||||
|
border-bottom: none;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.launcherContent {
|
||||||
|
margin: 15px auto;
|
||||||
|
width: 830px;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.launcherList {
|
||||||
|
float: left;
|
||||||
|
width: 549px;
|
||||||
|
}
|
||||||
|
|
||||||
|
/** launcher links **/
|
||||||
|
ul.launcherLinks {
|
||||||
|
/* -webkit-box-shadow: #DDD 0px 0px 5px; */
|
||||||
|
border: 0px;
|
||||||
|
margin: 0px 0px 0px -25px;
|
||||||
|
list-style-type: none;
|
||||||
|
position: relative;
|
||||||
|
}
|
||||||
|
|
||||||
|
ul.launcherLinks li {
|
||||||
|
/* background-color: white; */
|
||||||
|
xxborder-bottom: 1px solid #edede7;
|
||||||
|
xxcolor: #666;
|
||||||
|
/* padding: 15px; */
|
||||||
|
position: relative;
|
||||||
|
z-index: 200;
|
||||||
|
zoom: 1;
|
||||||
|
_line-height: 0px;
|
||||||
|
_font-size: 1%;
|
||||||
|
}
|
||||||
|
|
||||||
|
ul.launcherLinks li .launcherApplistBackground {
|
||||||
|
cursor: pointer;
|
||||||
|
}
|
||||||
|
|
||||||
|
li.launcherMsg {
|
||||||
|
background-color: white;
|
||||||
|
margin-left: 25px;
|
||||||
|
}
|
||||||
|
|
||||||
|
ul.launcherLinks li.launcherMsg p {
|
||||||
|
padding: 0px;
|
||||||
|
_font-size: 12px;
|
||||||
|
}
|
||||||
|
|
||||||
|
li.launcherMsg .launcherMsgUpdate {
|
||||||
|
background: transparent url(images/icon_update.png) 0px 0px no-repeat;
|
||||||
|
_background-image: url(images/icon_update_ie6.png);
|
||||||
|
padding-left: 20px;
|
||||||
|
}
|
||||||
|
|
||||||
|
li.launcherMsg .launcherMsgSetup {
|
||||||
|
background: transparent url(images/icon_setup.png) 0px 0px no-repeat;
|
||||||
|
_background: transparent url(images/icon_setup_ie6.png) 0px 0px no-repeat;
|
||||||
|
padding-left: 20px;
|
||||||
|
}
|
||||||
|
|
||||||
|
ul.launcherLinks li.first div.launcherApplistBackground {
|
||||||
|
-moz-border-radius-topleft: 5px;
|
||||||
|
-moz-border-radius-topright: 5px;
|
||||||
|
-webkit-border-top-left-radius: 5px;
|
||||||
|
-webkit-border-top-right-radius: 5px;
|
||||||
|
border-top-left-radius: 5px;
|
||||||
|
border-top-right-radius: 5px;
|
||||||
|
}
|
||||||
|
|
||||||
|
ul.launcherLinks li.last div.launcherApplistBackground {
|
||||||
|
-moz-border-radius-bottomleft: 5px;
|
||||||
|
-moz-border-radius-bottomright: 5px;
|
||||||
|
-webkit-border-bottom-left-radius: 5px;
|
||||||
|
-webkit-border-bottom-right-radius: 5px;
|
||||||
|
border-bottom-left-radius: 5px;
|
||||||
|
border-bottom-right-radius: 5px;
|
||||||
|
border-bottom: none;
|
||||||
|
}
|
||||||
|
|
||||||
|
ul.launcherLinks li:hover {
|
||||||
|
xxbackground: #fff url(images/bg_gradient_100.png) repeat-x;
|
||||||
|
}
|
||||||
|
|
||||||
|
ul.launcherLinks li div {
|
||||||
|
background-repeat: no-repeat;
|
||||||
|
min-height: 50px;
|
||||||
|
xxpadding: 0px 0px 0px 46px;
|
||||||
|
xxmargin-left: -20px;
|
||||||
|
}
|
||||||
|
|
||||||
|
.appicon {
|
||||||
|
width: 36px;
|
||||||
|
height: 36px;
|
||||||
|
padding: 5px;
|
||||||
|
}
|
||||||
|
|
||||||
|
ul.launcherLinks li div.launcher-applist-wrapper,
|
||||||
|
ul.launcherLinks li div.launcherApplistBackground {
|
||||||
|
_font-size: 12px;
|
||||||
|
_line-height: 130%;
|
||||||
|
}
|
||||||
|
|
||||||
|
ul.launcherLinks li.datainputs div.launcherApplistIcon {
|
||||||
|
background-image:url(images/icon_addData.png);
|
||||||
|
background-position: 10px 10px;
|
||||||
|
}
|
||||||
|
|
||||||
|
ul.launcherLinks li.search div.launcherApplistIcon {
|
||||||
|
background-image:url(images/searchIcon.png);
|
||||||
|
background-position: 10px 10px;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
ul.launcherLinks li a {
|
||||||
|
font-size: 16px;
|
||||||
|
}
|
||||||
|
|
||||||
|
ul.launcherLinks li a:hover {
|
||||||
|
text-decoration: none;
|
||||||
|
_text-decoration: underline;
|
||||||
|
}
|
||||||
|
|
||||||
|
ul.launcherLinks p {
|
||||||
|
color: #666;
|
||||||
|
line-height: 130%;
|
||||||
|
margin: 0px;
|
||||||
|
padding-top: 5px;
|
||||||
|
}
|
||||||
|
|
||||||
|
/** launcher messages **/
|
||||||
|
ul.launcherLinks li.launcherMsg {
|
||||||
|
border-bottom: 1px solid #EEE;
|
||||||
|
cursor: text;
|
||||||
|
padding: 5px 15px;
|
||||||
|
-webkit-border-top-left-radius: 5px;
|
||||||
|
-webkit-border-top-right-radius: 5px;
|
||||||
|
-moz-border-radius-topleft: 5px;
|
||||||
|
-moz-border-radius-topright: 5px;
|
||||||
|
border-top-left-radius: 5px;
|
||||||
|
border-top-right-radius: 5px;
|
||||||
|
}
|
||||||
|
|
||||||
|
ul.launcherLinks li.launcherMsg a {
|
||||||
|
color: red;
|
||||||
|
display: inline-block;
|
||||||
|
text-decoration: underline;
|
||||||
|
font-size: 12px;
|
||||||
|
line-height: 130%;
|
||||||
|
}
|
||||||
|
|
||||||
|
/** launcher app list **/
|
||||||
|
ul.launcherLinks ul.launcherAppsList {
|
||||||
|
margin: 0px;
|
||||||
|
padding: 0px;
|
||||||
|
list-style: none;
|
||||||
|
z-index: 200;
|
||||||
|
position: relative;
|
||||||
|
*font-size: 1%;
|
||||||
|
}
|
||||||
|
|
||||||
|
li.launcherShadow {
|
||||||
|
-webkit-box-shadow: #DDD 0px 0px 5px;
|
||||||
|
-moz-box-shadow: #DDD 0px 0px 5px;
|
||||||
|
box-shadow: #DDD 0px 0px 5px;
|
||||||
|
|
||||||
|
-webkit-border-radius: 5px;
|
||||||
|
-moz-border-radius: 5px;
|
||||||
|
border-radius: 5px;
|
||||||
|
z-index: 2 !important;
|
||||||
|
position: absolute !important;
|
||||||
|
height: 356px;
|
||||||
|
width: 529px;
|
||||||
|
top: 0px;
|
||||||
|
left: 25px;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Firefox 2 hacks for list border */
|
||||||
|
li.launcherShadow, x:-moz-any-link {
|
||||||
|
top: -1px;
|
||||||
|
left: 24px;
|
||||||
|
border: 1px solid #CCC;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Firefox 3+ hacks for list border */
|
||||||
|
li.launcherShadow, x:-moz-any-link, x:default {
|
||||||
|
top: 0px;
|
||||||
|
left: 25px;
|
||||||
|
border: none;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Firefox 3.0 - 3.5 hacks for list border */
|
||||||
|
body.firefox3 li.launcherShadow {
|
||||||
|
top: -1px;
|
||||||
|
left: 24px;
|
||||||
|
border: 1px solid #CCC;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* IE 8 and below hacks for list border */
|
||||||
|
li.launcherShadow {
|
||||||
|
border: 1px solid #CCC\9;
|
||||||
|
top: -1px\9;
|
||||||
|
left: 24px\9;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* IE 6 hack */
|
||||||
|
#home li.launcherShadow {
|
||||||
|
_left: -1px;
|
||||||
|
}
|
||||||
|
|
||||||
|
/** launcher reorder handle **/
|
||||||
|
ul.launcherLinks li div.reorderHandle {
|
||||||
|
position: absolute;
|
||||||
|
display: block;
|
||||||
|
background-color: white;
|
||||||
|
background-image: url("images/icon_reorderHandler.png") !important;
|
||||||
|
_background-image: url("images/icon_reorderHandler_ie6.png") !important;
|
||||||
|
background-position: 8px 5px;
|
||||||
|
left: 0px;
|
||||||
|
top: 5px;
|
||||||
|
width: 20px;
|
||||||
|
height: 20px;
|
||||||
|
padding: 1px 0px 1px 5px;
|
||||||
|
-moz-border-radius-topleft: 5px;
|
||||||
|
-moz-border-radius-bottomleft: 5px;
|
||||||
|
-webkit-border-top-left-radius: 5px;
|
||||||
|
-webkit-border-bottom-left-radius: 5px;
|
||||||
|
border-top-left-radius: 5px;
|
||||||
|
border-bottom-left-radius: 5px;
|
||||||
|
min-height: 0px !important;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Firefox 2 hacks for reorder handle borders */
|
||||||
|
ul.launcherLinks li div.reorderHandle, x:-moz-any-link {
|
||||||
|
border: 1px solid #CCC;
|
||||||
|
border-right: none;
|
||||||
|
left: -1px;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Firefox 3+ hacks for reorder handle border */
|
||||||
|
ul.launcherLinks li div.reorderHandle, x:default {
|
||||||
|
border: none;
|
||||||
|
left: 0px;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Firefox 3.0 - 3.5 hacks for reorder handle borders */
|
||||||
|
body.firefox3 ul.launcherLinks li div.reorderHandle {
|
||||||
|
border: 1px solid #CCC;
|
||||||
|
border-right: none;
|
||||||
|
left: -1px;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* IE 8 and below hacks for reorder handle borders */
|
||||||
|
ul.launcherLinks li div.reorderHandle {
|
||||||
|
border: 1px solid #CCC\9;
|
||||||
|
border-right: none\9;
|
||||||
|
left: -1px\9;
|
||||||
|
}
|
||||||
|
|
||||||
|
ul.launcherLinks div.launcherApplistBackground {
|
||||||
|
margin-left: 25px;
|
||||||
|
background-color: white;
|
||||||
|
border-bottom: 1px solid #edede7;
|
||||||
|
zoom: 1;
|
||||||
|
}
|
||||||
|
ul.launcherLinks div.launcherApplistIcon {
|
||||||
|
padding: 10px;
|
||||||
|
}
|
||||||
|
|
||||||
|
ul.launcherLinks div.launcherApplistDesc {
|
||||||
|
margin-left: 45px;
|
||||||
|
*font-size: 12px;
|
||||||
|
}
|
||||||
|
|
||||||
|
ul.launcherLinks div.launcherApplistBackground:hover {
|
||||||
|
background: #fff url(images/bg_gradient_100.png) repeat-x bottom;
|
||||||
|
}
|
||||||
|
ul.launcherLinks .disabledApp div.launcherApplistBackground:hover {
|
||||||
|
background-image: none;
|
||||||
|
}
|
||||||
|
ul.launcherLinks li div.reorderHandle:hover {
|
||||||
|
cursor: move;
|
||||||
|
background-position: 8px -15px;
|
||||||
|
}
|
||||||
|
|
||||||
|
/** enable/set up buttons **/
|
||||||
|
ul.launcherLinks .setupApp button {
|
||||||
|
background-color: #BBB;
|
||||||
|
border: 1px solid #999;
|
||||||
|
}
|
||||||
|
|
||||||
|
ul.launcherLinks .setupApp button:hover {
|
||||||
|
border-color: #666;
|
||||||
|
}
|
||||||
|
|
||||||
|
ul.launcherLinks li.disabledApp button,
|
||||||
|
ul.launcherLinks li.setupApp button {
|
||||||
|
position: absolute;
|
||||||
|
top: 5px;
|
||||||
|
right: 7px;
|
||||||
|
height: 23px;
|
||||||
|
line-height: 20px;
|
||||||
|
background-position: left -5px;
|
||||||
|
padding: 0px 10px;
|
||||||
|
}
|
||||||
|
|
||||||
|
ul.launcherLinks li.disabledApp button span,
|
||||||
|
ul.launcherLinks li.setupApp button span {
|
||||||
|
min-width: 0;
|
||||||
|
line-height: 100%;
|
||||||
|
}
|
||||||
|
|
||||||
|
ul.launcherLinks li.disabledApp:hover {
|
||||||
|
background-image: none;
|
||||||
|
}
|
||||||
|
|
||||||
|
ul.launcherLinks li.disabledApp button:hover {
|
||||||
|
border-color: #000;
|
||||||
|
}
|
||||||
|
|
||||||
|
ul.launcherLinks .disabledApp,
|
||||||
|
ul.launcherLinks .disabledApp a {
|
||||||
|
cursor: text;
|
||||||
|
}
|
||||||
|
ul.launcherLinks .disabledApp .launcher-applist-wrapper {
|
||||||
|
opacity: 0.6;
|
||||||
|
}
|
||||||
|
|
||||||
|
ul.launcherLinks .disabledApp p {
|
||||||
|
color: #333;
|
||||||
|
}
|
||||||
|
|
||||||
|
/** launchersidebar **/
|
||||||
|
div.launchersidebar {
|
||||||
|
float: left;
|
||||||
|
margin-left: 30px;
|
||||||
|
width: 250px;
|
||||||
|
border: none;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.section {
|
||||||
|
-moz-border-radius: 5px;
|
||||||
|
-webkit-border-radius: 5px;
|
||||||
|
border-radius: 5px;
|
||||||
|
-moz-box-shadow: 0 0 5px #DDD;
|
||||||
|
-webkit-box-shadow: #DDD 0 0 5px;
|
||||||
|
-moz-box-shadow: #DDD 0 0 5px;
|
||||||
|
-webkit-box-shadow: #DDD 0 0 5px;
|
||||||
|
box-shadow: #DDD 0 0 5px;
|
||||||
|
background: none repeat scroll 0 0 #E5F2F5;
|
||||||
|
margin-bottom: 10px;
|
||||||
|
padding: 15px;
|
||||||
|
border: 1px solid #CCC;
|
||||||
|
}
|
||||||
|
|
||||||
|
h2,
|
||||||
|
div.launchersidebar h2 {
|
||||||
|
color: #333;
|
||||||
|
font-size: 16px;
|
||||||
|
font-weight: normal;
|
||||||
|
margin: 0px;
|
||||||
|
padding: 0px;
|
||||||
|
padding-bottom: 10px;
|
||||||
|
text-shadow: 0 1px 1px white;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.launchersidebar ul {
|
||||||
|
margin: 0px 5px;
|
||||||
|
list-style: none;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.launchersidebar ul li {
|
||||||
|
padding: 5px 0px;
|
||||||
|
}
|
||||||
|
|
||||||
|
/** spotlight section **/
|
||||||
|
div.launchersidebar div.spotlight {
|
||||||
|
background-color: #666;
|
||||||
|
-moz-box-shadow: 0 0 5px #555 inset;
|
||||||
|
-webkit-box-shadow: 0 0 5px #555 inset;
|
||||||
|
box-shadow: 0 0 5px #555 inset;
|
||||||
|
border: 1px solid #555;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.launchersidebar div.spotlight h2 {
|
||||||
|
color: white;
|
||||||
|
text-shadow: 0px 1px 1px #333;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.launchersidebar div.spotlight button.splButton-primary {
|
||||||
|
margin: 5px;
|
||||||
|
background-color: #77AA44;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.launchersidebar div.spotlight button.splButton-primary:hover {
|
||||||
|
background-color: #693;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
/* IE 6 doesn't recognize min_width */
|
||||||
|
div.launchersidebar div.spotlight button span {
|
||||||
|
_width: 110px;
|
||||||
|
}
|
||||||
|
|
||||||
|
/** icons for launchersidebar links **/
|
||||||
|
.apps {
|
||||||
|
background: url("images/icon_apps.png") no-repeat;
|
||||||
|
padding-left: 20px;
|
||||||
|
}
|
||||||
|
|
||||||
|
.tutorial {
|
||||||
|
background: url("images/icon_tutorial.png") no-repeat;
|
||||||
|
padding-left: 20px;
|
||||||
|
}
|
||||||
|
|
||||||
|
.whatsNew {
|
||||||
|
background: url("images/icon_mail.png") no-repeat;
|
||||||
|
padding-left: 20px;
|
||||||
|
}
|
||||||
|
|
||||||
|
.splunkDoc {
|
||||||
|
background: url("images/icon_file.png") no-repeat;
|
||||||
|
padding-left: 20px;
|
||||||
|
}
|
||||||
|
|
||||||
|
.searches {
|
||||||
|
background: url("images/icon_document.png") no-repeat;
|
||||||
|
padding-left: 20px;
|
||||||
|
}
|
||||||
|
|
||||||
|
.more {
|
||||||
|
background: url("images/icon_circle_add.png") no-repeat;
|
||||||
|
padding-left: 20px;
|
||||||
|
}
|
||||||
|
|
||||||
|
.answers {
|
||||||
|
background: url("images/icon_ask.png") no-repeat;
|
||||||
|
padding-left: 20px;
|
||||||
|
}
|
||||||
|
|
||||||
|
/** footer **/
|
||||||
|
div.divider {
|
||||||
|
margin-top: 20px;
|
||||||
|
width: 100%;
|
||||||
|
border-bottom: 1px solid #DDD;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.launcherFooter {
|
||||||
|
padding-top: 10px;
|
||||||
|
border-top: 1px solid #FFF;
|
||||||
|
color: #666;
|
||||||
|
text-shadow: 0px 1px 1px white;
|
||||||
|
}
|
||||||
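Review bot: The `xx`-prefixed declarations in `ul.launcherLinks li` (`xxborder-bottom`, `xxcolor`), `ul.launcherLinks li:hover` (`xxbackground`) and `ul.launcherLinks li div` (`xxpadding`, `xxmargin-left`) are invalid property names used to switch rules off; browsers silently drop them, but they read as live styling to the next maintainer. Either delete them or wrap them in `/* ... */` like the neighbouring disabled lines in the same rules. `div.section` also declares `-webkit-box-shadow: #DDD 0 0 5px;` and `-moz-box-shadow: #DDD 0 0 5px;` twice each; one pair can go. The comment `/* IE 6 doesn't recognize min_width */` should read `min-width`.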
@ -0,0 +1,78 @@
|
|||||||
|
|
||||||
|
/* Set background */
|
||||||
|
.main-section-body {
|
||||||
|
background-color:#cedec3;
|
||||||
|
background-image:-webkit-gradient(linear, 0 0, 0 100%, from(#e2e9eb), color-stop(400px, #cedec3), to(#cedec3));
|
||||||
|
background-image:-webkit-linear-gradient(#e2e9eb, #cedec3 400px, #cedec3);
|
||||||
|
background-image:-moz-linear-gradient(top, #e2e9eb, #cedec3 400px, #cedec3);
|
||||||
|
background-image:-o-linear-gradient(#e2e9eb, #cedec3 400px, #cedec3);
|
||||||
|
background-image:linear-gradient(#e2e9eb, #cedec3 400px, #cedec3);
|
||||||
|
filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffe2e9eb', endColorstr='#ffcedec3', GradientType=0);
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Make the forms look like they are in a panel */
|
||||||
|
/*.fieldset {
|
||||||
|
border-radius: 4px;
|
||||||
|
border: 1px solid #cccccc;
|
||||||
|
background: white;
|
||||||
|
margin: 0 0px 10px 0;
|
||||||
|
box-shadow: 0px 1px 1px rgba(0, 0, 0, 0.08);
|
||||||
|
position: relative;
|
||||||
|
padding: 12px 15px 0px 15px;
|
||||||
|
}
|
||||||
|
|
||||||
|
.fieldset .hide-label {
|
||||||
|
}
|
||||||
|
*/
|
||||||
|
|
||||||
|
/* Shrink the form text inputs */
|
||||||
|
/* Removed because Splunk 6.1 spaces the fields differently */
|
||||||
|
/*input, textarea, .uneditable-input {
|
||||||
|
width: 120px;
|
||||||
|
}*/
|
||||||
|
|
||||||
|
/* Make the Search button on each dashboard blue instead of green */
|
||||||
|
|
||||||
|
.btn-primary {
|
||||||
|
background-color: #5c9732;
|
||||||
|
background-image: -moz-linear-gradient(top, #0087df, #004f82);
|
||||||
|
background-image: -webkit-gradient(linear, 0 0, 0 100%, from(#0087df), to(#004f82));
|
||||||
|
background-image: -webkit-linear-gradient(top, #0087df, #004f82);
|
||||||
|
background-image: -o-linear-gradient(top, #0087df, #004f82);
|
||||||
|
background-image: linear-gradient(to bottom, #0087df, #004f82);
|
||||||
|
background-repeat: repeat-x;
|
||||||
|
filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff0087df', endColorstr='#ff004f82', GradientType=0);
|
||||||
|
background-color: #0087df;
|
||||||
|
border: 1px solid #143ab1;
|
||||||
|
border-bottom-color: #0048c9;
|
||||||
|
border-top-color: #004f82;
|
||||||
|
color: #ffffff;
|
||||||
|
text-shadow: 0 -1px 0 rgba(51, 51, 51, 0.7);
|
||||||
|
-webkit-box-shadow: 0px 1px 1px rgba(0, 0, 0, 0.08);
|
||||||
|
-moz-box-shadow: 0px 1px 1px rgba(0, 0, 0, 0.08);
|
||||||
|
box-shadow: 0px 1px 1px rgba(0, 0, 0, 0.08);
|
||||||
|
}
|
||||||
|
|
||||||
|
.btn-primary:hover {
|
||||||
|
background-color: #7db44d;
|
||||||
|
background-image: -moz-linear-gradient(top, #6ac1fa, #007fd1);
|
||||||
|
background-image: -webkit-gradient(linear, 0 0, 0 100%, from(#6ac1fa), to(#007fd1));
|
||||||
|
background-image: -webkit-linear-gradient(top, #6ac1fa, #007fd1);
|
||||||
|
background-image: -o-linear-gradient(top, #6ac1fa, #007fd1);
|
||||||
|
background-image: linear-gradient(to bottom, #6ac1fa, #007fd1);
|
||||||
|
background-repeat: repeat-x;
|
||||||
|
filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff6ac1fa', endColorstr='#ff007fd1', GradientType=0);
|
||||||
|
background-color: #389ddf;
|
||||||
|
border-color: #0c89db;
|
||||||
|
border-bottom-color: #006eb4;
|
||||||
|
border-top-color: #3f99d3;
|
||||||
|
background-position: 0 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
.btn-primary:active, .btn-primary.active {
|
||||||
|
background-color: #016baf 9;
|
||||||
|
}
|
||||||
|
.btn-primary:hover, .btn-primary:focus, .btn-primary:active, .btn-primary.active, .btn-primary.disabled, .btn-primary[disabled] {
|
||||||
|
color: #ffffff;
|
||||||
|
background-color: #016baf;
|
||||||
|
}
|
||||||
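Review bot: `background-color: #016baf 9;` in `.btn-primary:active, .btn-primary.active` is not a valid value (a space before the `9`), so the declaration is discarded and the rule is a no-op; the IE hack form would be `background-color: #016baf\9;`, but since the rule immediately below already sets `background-color: #016baf;` for `:active` and `.active`, this block can simply be removed. In `.btn-primary`, the first line `background-color: #5c9732;` is overridden by `background-color: #0087df;` later in the same block, and `.btn-primary:hover` repeats the pattern with `#7db44d` then `#389ddf`; drop the dead first declaration in each so the intended colour is the one a reader sees first.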
@ -0,0 +1,45 @@
|
|||||||
|
#!/usr/bin/env python
|
||||||
|
|
||||||
|
import csv
|
||||||
|
import sys
|
||||||
|
import re
|
||||||
|
|
||||||
|
|
||||||
|
# arp.exe,Target Discovery,Obtains information about hosts on the local broadcast domain
|
||||||
|
# New_Process_Name = C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
|
||||||
|
# C:\Windows\System32\wbem\WmiPrvSE.exe
|
||||||
|
|
||||||
|
def process_interesting(full_path_process):
|
||||||
|
try:
|
||||||
|
process_path_elements = full_path_process.split("\\")
|
||||||
|
process = process_path_elements[len(process_path_elements)-1]
|
||||||
|
return process
|
||||||
|
except:
|
||||||
|
return full_path_process
|
||||||
|
|
||||||
|
def main():
|
||||||
|
if len(sys.argv) != 3:
|
||||||
|
print "Usage: python ev_process_proc.py [full_path_process] [process]"
|
||||||
|
print sys.argv[1]
|
||||||
|
print len(sys.argv)
|
||||||
|
sys.exit(1)
|
||||||
|
|
||||||
|
full_path_process = sys.argv[1]
|
||||||
|
process = sys.argv[2]
|
||||||
|
|
||||||
|
infile = sys.stdin
|
||||||
|
outfile = sys.stdout
|
||||||
|
|
||||||
|
r = csv.DictReader(infile)
|
||||||
|
header = r.fieldnames
|
||||||
|
|
||||||
|
w = csv.DictWriter(outfile, fieldnames=r.fieldnames)
|
||||||
|
w.writeheader()
|
||||||
|
|
||||||
|
for result in r:
|
||||||
|
if result[full_path_process]:
|
||||||
|
result[process] = process_interesting(result[full_path_process])
|
||||||
|
if result[process]:
|
||||||
|
w.writerow(result)
|
||||||
|
|
||||||
|
main()
|
||||||
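Review bot: In `main` the usage branch executes `print sys.argv[1]` before `sys.exit(1)`, which raises IndexError instead of printing the usage text when the script is started with no arguments; drop that line or guard it with the length check (the same line appears in `main` of ev_process_xml_parameters.py in the next file). `result[full_path_process]` and `result[process]` raise KeyError when the named column is absent from the CSV header, which aborts the whole command rather than passing the row through unchanged; `result.get(full_path_process)` is the safer lookup. The bare `except:` in `process_interesting` only ever guards a `str.split`, so the function reduces to `return full_path_process.rsplit("\\", 1)[-1]`, which also returns the input unchanged when it has no backslash. `import re` and the local `header` are unused, and `main()` runs on import with no `if __name__ == "__main__":` guard. The `print` statements are Python 2 syntax, presumably matching the interpreter Splunk bundled at the time; the script will not run under Python 3 without converting them.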
@ -0,0 +1,48 @@
|
|||||||
|
#!/usr/bin/env python
|
||||||
|
|
||||||
|
import csv
|
||||||
|
import sys
|
||||||
|
import re
|
||||||
|
import xml.etree.ElementTree as ET
|
||||||
|
|
||||||
|
# <Data Name='param1'>Windows Modules Installer</Data><Data Name='param2'>stopped</Data><Binary>540072007500730074006500640049006E007300740061006C006C00650072002F0031000000</Binary>
|
||||||
|
|
||||||
|
def process_xml(xml_info):
|
||||||
|
try:
|
||||||
|
xml_result = ""
|
||||||
|
root = ET.fromstring("<Data>"+xml_info+"</Data>")
|
||||||
|
for child in root:
|
||||||
|
#xml_result = xml_result + child.tag + child.attrib + child.text+"\n"
|
||||||
|
xml_result = xml_result + child.text + "@"
|
||||||
|
#xml_result = xml_result + child.attrib + "\n"
|
||||||
|
return xml_result
|
||||||
|
except:
|
||||||
|
return "Error: "+xml_info
|
||||||
|
|
||||||
|
def main():
|
||||||
|
if len(sys.argv) != 3:
|
||||||
|
print "Usage: python ev_process_xml_parameters.py [raw_xml_data] [extracted_xml_data]"
|
||||||
|
print sys.argv[1]
|
||||||
|
print len(sys.argv)
|
||||||
|
sys.exit(3)
|
||||||
|
|
||||||
|
raw_xml_data = sys.argv[1]
|
||||||
|
extracted_xml_data = sys.argv[2]
|
||||||
|
|
||||||
|
infile = sys.stdin
|
||||||
|
outfile = sys.stdout
|
||||||
|
|
||||||
|
r = csv.DictReader(infile)
|
||||||
|
header = r.fieldnames
|
||||||
|
|
||||||
|
w = csv.DictWriter(outfile, fieldnames=r.fieldnames)
|
||||||
|
w.writeheader()
|
||||||
|
|
||||||
|
for result in r:
|
||||||
|
if result[raw_xml_data]:
|
||||||
|
result[extracted_xml_data] = process_xml(result[raw_xml_data])
|
||||||
|
#result[extracted_xml_data] = raw_xml_data
|
||||||
|
if result[extracted_xml_data]:
|
||||||
|
w.writerow(result)
|
||||||
|
|
||||||
|
main()
|
||||||
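Review bot: In `process_xml`, `child.text` is None for an empty element such as `<Data Name='param2'/>`, so `xml_result + child.text + "@"` raises TypeError, the bare `except:` swallows it, and the entire row is returned as `Error: ...` instead of the other parameters; write `xml_result = xml_result + (child.text or "") + "@"`. The bare `except:` also hides real parse failures; catching `ET.ParseError` (present in Python 2.7's ElementTree) and letting anything else surface makes failures visible. Because the `Error: ` string is assigned to `result[extracted_xml_data]` and then written out by `w.writerow`, a parameter value containing a stray `<` or `&` in the event text produces a field whose content is the raw input prefixed with `Error: `, which searches on that field will then match; leaving the field empty on failure would be less surprising. `import re` and the local `header` are unused.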
@ -0,0 +1,22 @@
|
|||||||
|
######################################################
|
||||||
|
#
|
||||||
|
# Splunk_EventId.Net
|
||||||
|
#
|
||||||
|
# Copyright (C) 2016-2018 Firegen Analytics Inc All Rights Reserved.
|
||||||
|
#
|
||||||
|
######################################################
|
||||||
|
[install]
|
||||||
|
is_configured = 0
|
||||||
|
build = 1
|
||||||
|
|
||||||
|
[ui]
|
||||||
|
is_visible = 1
|
||||||
|
label = EventID.Net
|
||||||
|
|
||||||
|
[launcher]
|
||||||
|
author = adigrio
|
||||||
|
description = Dashboards for Windows event logs and links to www.eventid.net
|
||||||
|
version = 1.5.1
|
||||||
|
|
||||||
|
[package]
|
||||||
|
id = eventid
|
||||||
@ -0,0 +1,14 @@
|
|||||||
|
<nav search_view="search">
|
||||||
|
<view name="eventid" default="true" />
|
||||||
|
<view name="audit_events" />
|
||||||
|
<view name="users_and_groups" />
|
||||||
|
<view name="interesting_events" />
|
||||||
|
<view name="interesting_processes" />
|
||||||
|
<view name="windows_event_sources" />
|
||||||
|
<view name="windows_events_xml_source" />
|
||||||
|
<view name="search" />
|
||||||
|
<view name="dashboards" />
|
||||||
|
<view name="documentation" />
|
||||||
|
<!-- This is an external link -->
|
||||||
|
<a href="https://www.eventid.net/">EventId.Net</a>
|
||||||
|
</nav>
|
||||||
@ -0,0 +1 @@
|
|||||||
|
Add all the views that your app needs in this directory
|
||||||
@ -0,0 +1,405 @@
|
|||||||
|
<form>
|
||||||
|
<label>Audit Events</label>
|
||||||
|
<description>Click on the event to check it on www.eventid.net</description>
|
||||||
|
<fieldset autoRun="true" submitButton="false">
|
||||||
|
<input type="time" searchWhenChanged="true" token="interval">
|
||||||
|
<label>Select time range</label>
|
||||||
|
<default>
|
||||||
|
<earliest>-24h@h</earliest>
|
||||||
|
<latest>now</latest>
|
||||||
|
</default>
|
||||||
|
</input>
|
||||||
|
<input type="multiselect" token="Computer" searchWhenChanged="true">
|
||||||
|
<label>Computer</label>
|
||||||
|
<choice value="*">All</choice>
|
||||||
|
<default>*</default>
|
||||||
|
<prefix>(</prefix>
|
||||||
|
<suffix>)</suffix>
|
||||||
|
<valuePrefix>host="</valuePrefix>
|
||||||
|
<valueSuffix>"</valueSuffix>
|
||||||
|
<delimiter> OR </delimiter>
|
||||||
|
<search>
|
||||||
|
<query>`event_sources` ("Audit Success" OR "Audit Failure") | stats count by host</query>
|
||||||
|
<earliest>$interval.earliest$</earliest>
|
||||||
|
<latest>$interval.latest$</latest>
|
||||||
|
</search>
|
||||||
|
<fieldForLabel>host</fieldForLabel>
|
||||||
|
<fieldForValue>host</fieldForValue>
|
||||||
|
</input>
|
||||||
|
<input type="checkbox" searchWhenChanged="true" token="Audit_Type">
|
||||||
|
<label>Audit Events</label>
|
||||||
|
<default>Audit Failure,Audit Success</default>
|
||||||
|
<choice value="Audit Failure">Failure</choice>
|
||||||
|
<choice value="Audit Success">Success</choice>
|
||||||
|
<prefix>(</prefix>
|
||||||
|
<suffix>)</suffix>
|
||||||
|
<valuePrefix>"</valuePrefix>
|
||||||
|
<valueSuffix>"</valueSuffix>
|
||||||
|
<delimiter> OR </delimiter>
|
||||||
|
<fieldForLabel>Audit Type</fieldForLabel>
|
||||||
|
<fieldForValue>Audit Type</fieldForValue>
|
||||||
|
<initialValue>Audit Failure,Audit Success</initialValue>
|
||||||
|
</input>
|
||||||
|
<input type="text" token="keyword" searchWhenChanged="true">
|
||||||
|
<label>Keyword:</label>
|
||||||
|
<default>*</default>
|
||||||
|
</input>
|
||||||
|
<input type="radio" token="nopriv" searchWhenChanged="true">
|
||||||
|
<label>Hide privilege related events</label>
|
||||||
|
<choice value="Message!="*privilege*"">Yes</choice>
|
||||||
|
<choice value="*">No</choice>
|
||||||
|
<default>Message!="*privilege*"</default>
|
||||||
|
</input>
|
||||||
|
<input type="radio" token="nocomputer" searchWhenChanged="true">
|
||||||
|
<label>Hide computer accounts events</label>
|
||||||
|
<choice value="Account_Name != "*$*"">Yes</choice>
|
||||||
|
<choice value="*">No</choice>
|
||||||
|
<default>Account_Name != "*$$*"</default>
|
||||||
|
<initialValue>Account_Name != "*$$*"</initialValue>
|
||||||
|
</input>
|
||||||
|
</fieldset>
|
||||||
|
<row>
|
||||||
|
<panel>
|
||||||
|
<title>Audit events over time</title>
|
||||||
|
<chart>
|
||||||
|
<search>
|
||||||
|
<query>`event_sources` ("Audit Success" OR "Audit Failure") AND $Computer$ AND $keyword$ $nopriv$ $nocomputer$ $Audit_Type$
|
||||||
|
| fillnull
|
||||||
|
| timechart count</query>
|
||||||
|
<earliest>$interval.earliest$</earliest>
|
||||||
|
<latest>$interval.latest$</latest>
|
||||||
|
</search>
|
||||||
|
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
|
||||||
|
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
|
||||||
|
<option name="charting.axisTitleX.visibility">visible</option>
|
||||||
|
<option name="charting.axisTitleY.visibility">visible</option>
|
||||||
|
<option name="charting.axisTitleY2.visibility">visible</option>
|
||||||
|
<option name="charting.axisX.scale">linear</option>
|
||||||
|
<option name="charting.axisY.scale">linear</option>
|
||||||
|
<option name="charting.axisY2.enabled">0</option>
|
||||||
|
<option name="charting.axisY2.scale">inherit</option>
|
||||||
|
<option name="charting.chart">column</option>
|
||||||
|
<option name="charting.chart.bubbleMaximumSize">50</option>
|
||||||
|
<option name="charting.chart.bubbleMinimumSize">10</option>
|
||||||
|
<option name="charting.chart.bubbleSizeBy">area</option>
|
||||||
|
<option name="charting.chart.nullValueMode">gaps</option>
|
||||||
|
<option name="charting.chart.showDataLabels">none</option>
|
||||||
|
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
|
||||||
|
<option name="charting.chart.stackMode">default</option>
|
||||||
|
<option name="charting.chart.style">shiny</option>
|
||||||
|
<option name="charting.drilldown">all</option>
|
||||||
|
<option name="charting.layout.splitSeries">0</option>
|
||||||
|
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
|
||||||
|
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
|
||||||
|
<option name="charting.legend.placement">none</option>
|
||||||
|
<option name="refresh.display">progressbar</option>
|
||||||
|
</chart>
|
||||||
|
</panel>
|
||||||
|
<panel>
|
||||||
|
<title>Accounts with 3 or more failed logons</title>
|
||||||
|
<chart>
|
||||||
|
<search>
|
||||||
|
<query>`event_sources` Failure_Reason=* ("Audit Failure") AND $Computer$ AND $keyword$ $nopriv$ Message != "*privilege*" Account_Name != "*$*"
|
||||||
|
| table host, Account_Name, Failure_Reason
|
||||||
|
| stats count by Account_Name
|
||||||
|
| where count > 2</query>
|
||||||
|
<earliest>$interval.earliest$</earliest>
|
||||||
|
<latest>$interval.latest$</latest>
|
||||||
|
<sampleRatio>1</sampleRatio>
|
||||||
|
</search>
|
||||||
|
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
|
||||||
|
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
|
||||||
|
<option name="charting.axisTitleX.visibility">visible</option>
|
||||||
|
<option name="charting.axisTitleY.visibility">visible</option>
|
||||||
|
<option name="charting.axisTitleY2.visibility">visible</option>
|
||||||
|
<option name="charting.axisX.scale">linear</option>
|
||||||
|
<option name="charting.axisY.scale">linear</option>
|
||||||
|
<option name="charting.axisY2.enabled">0</option>
|
||||||
|
<option name="charting.axisY2.scale">inherit</option>
|
||||||
|
<option name="charting.chart">pie</option>
|
||||||
|
<option name="charting.chart.bubbleMaximumSize">50</option>
|
||||||
|
<option name="charting.chart.bubbleMinimumSize">10</option>
|
||||||
|
<option name="charting.chart.bubbleSizeBy">area</option>
|
||||||
|
<option name="charting.chart.nullValueMode">gaps</option>
|
||||||
|
<option name="charting.chart.showDataLabels">none</option>
|
||||||
|
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
|
||||||
|
<option name="charting.chart.stackMode">default</option>
|
||||||
|
<option name="charting.chart.style">shiny</option>
|
||||||
|
<option name="charting.drilldown">all</option>
|
||||||
|
<option name="charting.layout.splitSeries">0</option>
|
||||||
|
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
|
||||||
|
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
|
||||||
|
<option name="charting.legend.placement">right</option>
|
||||||
|
<option name="refresh.display">progressbar</option>
|
||||||
|
</chart>
|
||||||
|
</panel>
|
||||||
|
</row>
|
||||||
|
<row>
|
||||||
|
<panel>
|
||||||
|
<title>Audit Failure events by computer</title>
|
||||||
|
<chart>
|
||||||
|
<search>
|
||||||
|
<query>`event_sources` "Audit Failure" AND $Computer$ AND $keyword$ $nocomputer$ $nopriv$
|
||||||
|
| fillnull
|
||||||
|
| stats count by host</query>
|
||||||
|
<earliest>$interval.earliest$</earliest>
|
||||||
|
<latest>$interval.latest$</latest>
|
||||||
|
<sampleRatio>1</sampleRatio>
|
||||||
|
</search>
|
||||||
|
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
|
||||||
|
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
|
||||||
|
<option name="charting.axisTitleX.visibility">visible</option>
|
||||||
|
<option name="charting.axisTitleY.visibility">visible</option>
|
||||||
|
<option name="charting.axisTitleY2.visibility">visible</option>
|
||||||
|
<option name="charting.axisX.scale">linear</option>
|
||||||
|
<option name="charting.axisY.scale">linear</option>
|
||||||
|
<option name="charting.axisY2.enabled">0</option>
|
||||||
|
<option name="charting.axisY2.scale">inherit</option>
|
||||||
|
<option name="charting.chart">pie</option>
|
||||||
|
<option name="charting.chart.bubbleMaximumSize">50</option>
|
||||||
|
<option name="charting.chart.bubbleMinimumSize">10</option>
|
||||||
|
<option name="charting.chart.bubbleSizeBy">area</option>
|
||||||
|
<option name="charting.chart.nullValueMode">gaps</option>
|
||||||
|
<option name="charting.chart.showDataLabels">none</option>
|
||||||
|
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
|
||||||
|
<option name="charting.chart.stackMode">default</option>
|
||||||
|
<option name="charting.chart.style">shiny</option>
|
||||||
|
<option name="charting.drilldown">all</option>
|
||||||
|
<option name="charting.layout.splitSeries">0</option>
|
||||||
|
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
|
||||||
|
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
|
||||||
|
<option name="charting.legend.placement">right</option>
|
||||||
|
<option name="refresh.display">progressbar</option>
|
||||||
|
</chart>
|
||||||
|
</panel>
|
||||||
|
<panel>
|
||||||
|
<title>Distinct Accounts</title>
|
||||||
|
<single>
|
||||||
|
<search>
|
||||||
|
<query>`event_sources` AND $Computer$ AND $keyword$ $nopriv$ $nocomputer$ TaskCategory=Logon $Audit_Type$
|
||||||
|
| stats dc(Account_Name)</query>
|
||||||
|
<earliest>$interval.earliest$</earliest>
|
||||||
|
<latest>$interval.latest$</latest>
|
||||||
|
<sampleRatio>1</sampleRatio>
|
||||||
|
</search>
|
||||||
|
<option name="colorBy">value</option>
|
||||||
|
<option name="colorMode">block</option>
|
||||||
|
<option name="drilldown">all</option>
|
||||||
|
<option name="numberPrecision">0</option>
|
||||||
|
<option name="rangeColors">["0x6db7c6","0x6db7c6"]</option>
|
||||||
|
<option name="rangeValues">[0]</option>
|
||||||
|
<option name="refresh.display">progressbar</option>
|
||||||
|
<option name="showSparkline">1</option>
|
||||||
|
<option name="showTrendIndicator">1</option>
|
||||||
|
<option name="trellis.enabled">0</option>
|
||||||
|
<option name="trellis.scales.shared">1</option>
|
||||||
|
<option name="trellis.size">medium</option>
|
||||||
|
<option name="trendColorInterpretation">standard</option>
|
||||||
|
<option name="trendDisplayMode">absolute</option>
|
||||||
|
<option name="unitPosition">after</option>
|
||||||
|
<option name="useColors">1</option>
|
||||||
|
<option name="useThousandSeparators">1</option>
|
||||||
|
</single>
|
||||||
|
</panel>
|
||||||
|
<panel>
|
||||||
|
<title>Logon Successful Audits</title>
|
||||||
|
<single>
|
||||||
|
<search>
|
||||||
|
<query>`event_sources` AND $keyword$ $nopriv$ $nocomputer$ TaskCategory=Logon
|
||||||
|
| stats count</query>
|
||||||
|
<earliest>$interval.earliest$</earliest>
|
||||||
|
<latest>$interval.latest$</latest>
|
||||||
|
<sampleRatio>1</sampleRatio>
|
||||||
|
</search>
|
||||||
|
<option name="colorMode">block</option>
|
||||||
|
<option name="drilldown">all</option>
|
||||||
|
<option name="rangeColors">["0x65a637","0x65a637"]</option>
|
||||||
|
<option name="rangeValues">[0]</option>
|
||||||
|
<option name="refresh.display">progressbar</option>
|
||||||
|
<option name="useColors">1</option>
|
||||||
|
</single>
|
||||||
|
</panel>
|
||||||
|
<panel>
|
||||||
|
<title>Logon Audit Failure events</title>
|
||||||
|
<single>
|
||||||
|
<search>
|
||||||
|
<query>`event_sources` AND $Computer$ AND $keyword$ $nocomputer$ $nopriv$ Failure_Reason=* ("Audit Failure")
|
||||||
|
| stats count</query>
|
||||||
|
<earliest>$interval.earliest$</earliest>
|
||||||
|
<latest>$interval.latest$</latest>
|
||||||
|
</search>
|
||||||
|
<option name="colorMode">block</option>
|
||||||
|
<option name="drilldown">all</option>
|
||||||
|
<option name="rangeColors">["0xd93f3c","0xd93f3c"]</option>
|
||||||
|
<option name="rangeValues">[0]</option>
|
||||||
|
<option name="refresh.display">progressbar</option>
|
||||||
|
<option name="useColors">1</option>
|
||||||
|
<drilldown>
|
||||||
|
<link target="_blank">search?q=`event_sources` Failure_Reason=* * ("Audit Failure") AND $Computer$ AND $keyword$ Message != "*privilege*" Account_Name != "*$*" | stats count&earliest=$interval.earliest$&latest=$interval.latest$</link>
|
||||||
|
</drilldown>
|
||||||
|
</single>
|
||||||
|
</panel>
|
||||||
|
<panel>
|
||||||
|
<title>New Local Admins</title>
|
||||||
|
<single>
|
||||||
|
<search>
|
||||||
|
<query>`event_sources`AND $Computer$ AND $keyword$ $nocomputer$ $nopriv$
|
||||||
|
| transaction Security_ID maxspan=180m
|
||||||
|
| search EventCode=4720 OR (EventCode=4732 Administrators)
|
||||||
|
| stats count</query>
|
||||||
|
<earliest>$interval.earliest$</earliest>
|
||||||
|
<latest>$interval.latest$</latest>
|
||||||
|
<sampleRatio>1</sampleRatio>
|
||||||
|
</search>
|
||||||
|
<option name="colorBy">value</option>
|
||||||
|
<option name="colorMode">block</option>
|
||||||
|
<option name="drilldown">none</option>
|
||||||
|
<option name="numberPrecision">0</option>
|
||||||
|
<option name="rangeColors">["0xf58f39","0xf58f39"]</option>
|
||||||
|
<option name="rangeValues">[0]</option>
|
||||||
|
<option name="refresh.display">progressbar</option>
|
||||||
|
<option name="showSparkline">1</option>
|
||||||
|
<option name="showTrendIndicator">1</option>
|
||||||
|
<option name="trellis.enabled">0</option>
|
||||||
|
<option name="trellis.scales.shared">1</option>
|
||||||
|
<option name="trellis.size">medium</option>
|
||||||
|
<option name="trendColorInterpretation">standard</option>
|
||||||
|
<option name="trendDisplayMode">absolute</option>
|
||||||
|
<option name="unitPosition">after</option>
|
||||||
|
<option name="useColors">1</option>
|
||||||
|
<option name="useThousandSeparators">1</option>
|
||||||
|
</single>
|
||||||
|
</panel>
|
||||||
|
</row>
|
||||||
|
<row>
|
||||||
|
<panel>
|
||||||
|
<title>Events Summary</title>
|
||||||
|
<table id="link2">
|
||||||
|
<search>
|
||||||
|
<query>`event_sources` AND $Computer$ AND $keyword$ $nopriv$ $nocomputer$ $Audit_Type$
|
||||||
|
| fillnull
|
||||||
|
| eval Type=if(Keywords=="Audit Success",Keywords, Type)
|
||||||
|
| eval Type=if(Keywords=="Audit Failure",Keywords, Type)
|
||||||
|
| stats earliest(_time) as First latest(_time) as Last max(Message) as Sample_Message count by host, EventCode, Type
|
||||||
|
| sort -count host, EventCode, Type, Sample_message
|
||||||
|
| rename EventCode as "EventId"
|
||||||
|
| fieldformat First=strftime(First,"%x %X") | fieldformat Last=strftime(Last,"%x %X")</query>
|
||||||
|
<earliest>$interval.earliest$</earliest>
|
||||||
|
<latest>$interval.latest$</latest>
|
||||||
|
</search>
|
||||||
|
<option name="count">10</option>
|
||||||
|
<option name="dataOverlayMode">none</option>
|
||||||
|
<option name="drilldown">row</option>
|
||||||
|
<option name="refresh.display">progressbar</option>
|
||||||
|
<option name="rowNumbers">false</option>
|
||||||
|
<option name="wrap">true</option>
|
||||||
|
<drilldown>
|
||||||
|
<link target="_blank">https://www.eventid.net/display.asp?eventid=$row.EventId$&source=$row.SourceName$&app=SplunkEvId</link>
|
||||||
|
</drilldown>
|
||||||
|
</table>
|
||||||
|
</panel>
|
||||||
|
</row>
|
||||||
|
<row>
|
||||||
|
<panel>
|
||||||
|
<title>Audit Failure Events</title>
|
||||||
|
<table>
|
||||||
|
<search>
|
||||||
|
<query>`event_sources` AND $Computer$ AND $keyword$ $nocomputer$ $nopriv$ AND "Audit Failure"
|
||||||
|
| fillnull
|
||||||
|
| eval user=mvindex(Account_Name,1)
|
||||||
|
| table _time, host, EventCode, Message, user, Failure_Reason, Source_Workstation, Caller_Process_Name
|
||||||
|
| rename EventCode as "EventId", Caller_Process_Name as Process</query>
|
||||||
|
<earliest>$interval.earliest$</earliest>
|
||||||
|
<latest>$interval.latest$</latest>
|
||||||
|
</search>
|
||||||
|
<option name="dataOverlayMode">none</option>
|
||||||
|
<option name="drilldown">cell</option>
|
||||||
|
<option name="refresh.display">progressbar</option>
|
||||||
|
<option name="rowNumbers">false</option>
|
||||||
|
<option name="wrap">true</option>
|
||||||
|
</table>
|
||||||
|
</panel>
|
||||||
|
</row>
|
||||||
|
<row>
|
||||||
|
<panel>
|
||||||
|
<title>Accounts successfully logged on</title>
|
||||||
|
<chart>
|
||||||
|
<search>
|
||||||
|
<query>`event_sources`AND $Computer$ AND $keyword$ $nocomputer$ $nopriv$ AND TaskCategory=Logon AND NOT Account_Name="*ANONYMOUS*"
|
||||||
|
| timechart count</query>
|
||||||
|
<earliest>$interval.earliest$</earliest>
|
||||||
|
<latest>$interval.latest$</latest>
|
||||||
|
</search>
|
||||||
|
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
|
||||||
|
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
|
||||||
|
<option name="charting.axisTitleX.visibility">visible</option>
|
||||||
|
<option name="charting.axisTitleY.visibility">visible</option>
|
||||||
|
<option name="charting.axisTitleY2.visibility">visible</option>
|
||||||
|
<option name="charting.axisX.scale">linear</option>
|
||||||
|
<option name="charting.axisY.scale">linear</option>
|
||||||
|
<option name="charting.axisY2.enabled">0</option>
|
||||||
|
<option name="charting.axisY2.scale">inherit</option>
|
||||||
|
<option name="charting.chart">column</option>
|
||||||
|
<option name="charting.chart.bubbleMaximumSize">50</option>
|
||||||
|
<option name="charting.chart.bubbleMinimumSize">10</option>
|
||||||
|
<option name="charting.chart.bubbleSizeBy">area</option>
|
||||||
|
<option name="charting.chart.nullValueMode">gaps</option>
|
||||||
|
<option name="charting.chart.showDataLabels">none</option>
|
||||||
|
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
|
||||||
|
<option name="charting.chart.stackMode">default</option>
|
||||||
|
<option name="charting.chart.style">shiny</option>
|
||||||
|
<option name="charting.drilldown">all</option>
|
||||||
|
<option name="charting.layout.splitSeries">0</option>
|
||||||
|
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
|
||||||
|
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
|
||||||
|
<option name="charting.legend.placement">none</option>
|
||||||
|
<option name="refresh.display">progressbar</option>
|
||||||
|
</chart>
|
||||||
|
</panel>
|
||||||
|
</row>
|
||||||
|
<row>
|
||||||
|
<panel>
|
||||||
|
<title>Audit Success Events</title>
|
||||||
|
<table>
|
||||||
|
<search>
|
||||||
|
<query>`event_sources` AND $Computer$ AND $keyword$ $nopriv$ $nocomputer$ "Audit Success"
|
||||||
|
| fillnull
|
||||||
|
| eval Type=if(Keywords=="Audit Success",Keywords, Type)
|
||||||
|
| eval Type=if(Keywords=="Audit Failure",Keywords, Type)
|
||||||
|
| eval user=mvindex(Account_Name,1)
|
||||||
|
| table _time, host, EventCode, Message, user, Source_Workstation, Process_Name
|
||||||
|
| rename EventCode as "EventId", Process_Name as Process</query>
|
||||||
|
<earliest>$interval.earliest$</earliest>
|
||||||
|
<latest>$interval.latest$</latest>
|
||||||
|
</search>
|
||||||
|
<option name="dataOverlayMode">none</option>
|
||||||
|
<option name="drilldown">cell</option>
|
||||||
|
<option name="refresh.display">progressbar</option>
|
||||||
|
<option name="rowNumbers">false</option>
|
||||||
|
<option name="wrap">true</option>
|
||||||
|
</table>
|
||||||
|
</panel>
|
||||||
|
</row>
|
||||||
|
<row>
|
||||||
|
<panel>
|
||||||
|
<title>Audit events - drill down option</title>
|
||||||
|
<event>
|
||||||
|
<search>
|
||||||
|
<query>`event_sources` $Audit_Type$ AND $Computer$ AND $keyword$ $nopriv$ $nocomputer$
|
||||||
|
| fillnull
|
||||||
|
| eval Type=if(Keywords=="Audit Success",Keywords, Type)
|
||||||
|
| eval Type=if(Keywords=="Audit Failure",Keywords, Type)
|
||||||
|
| eval user=mvindex(Account_Name,1)
|
||||||
|
| table _time, host, EventCode, Type, Message, user</query>
|
||||||
|
<earliest>$interval.earliest$</earliest>
|
||||||
|
<latest>$interval.latest$</latest>
|
||||||
|
</search>
|
||||||
|
<fields>host, LogName, EventCode, SourceName, Type, Message, user</fields>
|
||||||
|
<option name="list.drilldown">full</option>
|
||||||
|
<option name="refresh.display">progressbar</option>
|
||||||
|
<option name="table.drilldown">all</option>
|
||||||
|
<option name="type">list</option>
|
||||||
|
</event>
|
||||||
|
</panel>
|
||||||
|
</row>
|
||||||
|
</form>
|
||||||
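Review bot: The "New Local Admins" panel's filter `| search EventCode=4720 OR (EventCode=4732 Administrators)` runs after `transaction Security_ID maxspan=180m`, so any transaction that contains a 4720 on its own satisfies it and every account creation is counted as a new local admin whether or not a 4732 into Administrators followed; if the intent is creation followed by elevation inside the span, the condition should be `| search EventCode=4720 AND EventCode=4732 AND Administrators`. In the Events Summary drilldown, `$row.SourceName$` refers to a field that the preceding `stats ... by host, EventCode, Type` does not keep, so that query parameter is always empty, and both tokens are interpolated into an external URL unencoded — `$row.EventId|u$` and `$row.SourceName|u$` would be the safer form. The line `| sort -count host, EventCode, Type, Sample_message` spells the field differently from the `Sample_Message` created two lines earlier, which will not match in a case-sensitive field name. The radio choices `value="Message!="*privilege*""` and `value="Account_Name != "*$*""` appear here with unescaped inner quotes, and the computer-account default uses `*$$*` while its choice uses `*$*`, so the default will not select a choice; this may be entity decoding by the page, so confirm the committed file uses `&quot;` and consistent `$$` escaping. The "Logon Successful Audits" query filters only on `TaskCategory=Logon` without an `"Audit Success"` term or `$Computer$`, so, unlike the neighbouring panels, it also counts failed logons and ignores the computer selection.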
@ -0,0 +1,55 @@
|
|||||||
|
<dashboard>
|
||||||
|
<label>Documentation</label>
|
||||||
|
<row>
|
||||||
|
<panel>
|
||||||
|
<title>Introduction</title>
|
||||||
|
<html>
|
||||||
|
<p>Welcome to the EventID.Net Windows Event Logs app!</p>
|
||||||
|
</html>
|
||||||
|
</panel>
|
||||||
|
</row>
|
||||||
|
<row>
|
||||||
|
<panel>
|
||||||
|
<title>Windows Event Log App sources of information</title>
|
||||||
|
<html>
|
||||||
|
<p>The Windows Event Log App assumes that Splunk is collecting information from Windows servers and workstation via one of the following methods:
|
||||||
|
<ul>
|
||||||
|
<li><a href="https://www.splunk.com/en_us/download/universal-forwarder.html">Splunk Universal Forwarder installed on the source computer</a></li>
|
||||||
|
<li><a href="https://msdn.microsoft.com/en-us/library/cc748890(v=ws.11).aspx">Windows Event Log Forwarding</a> configured on the source computer combined with Splunk Universal Forwarder on the collector computer</li>
|
||||||
|
<li><a href="https://docs.splunk.com/Documentation/Splunk/6.6.1/Data/MonitorWindowseventlogdata">Remote Windows Event Log collection via WMI</a> as Splunk input</li>
|
||||||
|
<li>Events collected with the renderXML feature turned on. See <a href="https://www.splunk.com/blog/2014/11/04/splunk-6-2-feature-overview-xml-event-logs.html">Feature Overview: XML Event Logs</a></li>
|
||||||
|
</ul>
|
||||||
|
</p>
|
||||||
|
|
||||||
|
<p>All these methods will collect the events and either collect them in the "wineventlog" Splunk index or record them in the default index with source the source set as "*WinEventLog*" (notice the wildcards). The app analyzes the entries matching these criteria (index="wineventlog" OR source=*WinEventLog*). This matches the defaults used by the Universal Forwarder, the collection of local Windows event logs and the collection via WMI.</p>
|
||||||
|
|
||||||
|
<p>In order to create the proper indexes, we recommend the installation of the <a href="https://splunkbase.splunk.com/app/742/">Splunk Add-on for Microsoft Windows</a> app.</p>
|
||||||
|
|
||||||
|
<p>To collect the logs from remote computers without installing the Universal Forwarded on each computer, configure the forwarding of event logs to central location using the Windows built-in event forwarding. See <a href="https://msdn.microsoft.com/en-us/library/cc748890(v=ws.11).aspx">Configure Computers to Forward and Collect Events</a> for details on how to configure a computer as a collector of logs.</p>
|
||||||
|
|
||||||
|
</html>
|
||||||
|
</panel>
|
||||||
|
</row>
|
||||||
|
<row>
|
||||||
|
<panel>
|
||||||
|
<title>Additional information and troubleshooting</title>
|
||||||
|
<html>
|
||||||
|
<p>If no data is displayed, please verify that the Universal Forwarder is installed properly and that the all the Windows event logs are sent to the "wineventlog" index (or the WinEventLog* sources).</p>
|
||||||
|
|
||||||
|
<p>If the data is stored in a different index, the user can update the macros.conf [event_sources] section by using the application setup.</p>
|
||||||
|
|
||||||
|
<p>The Interesting Processes section from the Processes dashboard is partially based on a presentation by Michael Gough from <a href="https://www.malwarearchaeology.com/">www.malwarearchaeology.com</a>: "<a href="https://www.malwarearchaeology.com/home/2016/5/7/windows-top-10-event-logs-from-my-dell-enterprise-security-summit-talk">The Top 10 Windows Event ID's Used To Catch Hackers In The Act</a>". See for the presentation slides and information on how to enable the auditing of processes, including command-line based ones. The list of "interesting processes" is based on a <a href="https://www.jpcert.or.jp/english/pub/sr/ir_research.html">study by JPCERT CC</a> (Japan Computer Emergency Response Team Coordination Center) on detecting lateral movement through tracking of event logs. The list is stored in C:\Program Files\Splunk\etc\apps\eventid\lookups\interesting_processes.csv and it can be adjusted with a text editor if needed. For full functionality the audit of the command line arguments has to be enabled as described in <a href="https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing">Command Line Process Auditing</a></p>
|
||||||
|
|
||||||
|
<p>The XML dashboard is design to report Windows events rendered from the XML by using the renderXML stanza. The renderXML option reduced the volume of data to about 25% of the regular events, however some details such as the full description of the event are no longer recorded. See <a href="https://www.splunk.com/blog/2014/11/04/splunk-6-2-feature-overview-xml-event-logs.html">Feature Overview: XML Event Logs</a> for more details.</p>
|
||||||
|
|
||||||
|
<p>Each of the dashboard can be set as an alarm (i.e. notifications when a certain number of failed logins are recorded, when certain processes are executed, etc).</p>
|
||||||
|
|
||||||
|
<p>Send any suggestions and questions to support@altairtech.ca. We can also provide advice in setting up the Splunk receiver for the Universal Forwarder.</p>
|
||||||
|
|
||||||
|
<p>We publish the most current version of EventID.Net Windows Event Logs Splunk app on <a href="https://www.eventid.net/splunk_addon.asp">www.eventid.net</a>. Splunk may takes weeks or months to certify a new version.</p>
|
||||||
|
|
||||||
|
</html>
|
||||||
|
</panel>
|
||||||
|
</row>
|
||||||
|
|
||||||
|
</dashboard>
|
||||||
@ -0,0 +1,362 @@
|
|||||||
|
<form>
|
||||||
|
<label>Windows Events Summary</label>
|
||||||
|
<description>Click on the event to check it on www.eventid.net</description>
|
||||||
|
<fieldset autoRun="true" submitButton="false">
|
||||||
|
<input type="time" searchWhenChanged="true" token="interval">
|
||||||
|
<label>Select time range</label>
|
||||||
|
<default>
|
||||||
|
<earliest>-24h@h</earliest>
|
||||||
|
<latest>now</latest>
|
||||||
|
</default>
|
||||||
|
</input>
|
||||||
|
<input type="checkbox" searchWhenChanged="true" token="Type">
|
||||||
|
<label>Event types</label>
|
||||||
|
<default>Error,Warning</default>
|
||||||
|
<choice value="Error">Error</choice>
|
||||||
|
<choice value="Warning">Warning</choice>
|
||||||
|
<choice value="Information">Information</choice>
|
||||||
|
<prefix>(</prefix>
|
||||||
|
<suffix>)</suffix>
|
||||||
|
<valuePrefix>Type="</valuePrefix>
|
||||||
|
<valueSuffix>"</valueSuffix>
|
||||||
|
<delimiter> OR </delimiter>
|
||||||
|
<fieldForLabel>Type</fieldForLabel>
|
||||||
|
<fieldForValue>Type</fieldForValue>
|
||||||
|
</input>
|
||||||
|
<input type="checkbox" searchWhenChanged="true" token="Audit_Type">
|
||||||
|
<label>Security Events</label>
|
||||||
|
<default>Denial,Audit Failure</default>
|
||||||
|
<choice value="Audit Failure">Audit Failure</choice>
|
||||||
|
<choice value="Audit Success">Audit Success</choice>
|
||||||
|
<prefix>(</prefix>
|
||||||
|
<suffix>)</suffix>
|
||||||
|
<valuePrefix>"</valuePrefix>
|
||||||
|
<valueSuffix>"</valueSuffix>
|
||||||
|
<delimiter> OR </delimiter>
|
||||||
|
<fieldForLabel>Audit Type</fieldForLabel>
|
||||||
|
<fieldForValue>Audit Type</fieldForValue>
|
||||||
|
<initialValue>Audit Failure</initialValue>
|
||||||
|
</input>
|
||||||
|
<input type="multiselect" searchWhenChanged="true" token="Computer">
|
||||||
|
<label>Computer</label>
|
||||||
|
<choice value="*">All</choice>
|
||||||
|
<default>*</default>
|
||||||
|
<prefix>(</prefix>
|
||||||
|
<suffix>)</suffix>
|
||||||
|
<valuePrefix>host="</valuePrefix>
|
||||||
|
<valueSuffix>"</valueSuffix>
|
||||||
|
<delimiter> OR </delimiter>
|
||||||
|
<search>
|
||||||
|
<query>`event_sources` | stats count by host</query>
|
||||||
|
<earliest>$interval.earliest$</earliest>
|
||||||
|
<latest>$interval.latest$</latest>
|
||||||
|
</search>
|
||||||
|
<fieldForLabel>host</fieldForLabel>
|
||||||
|
<fieldForValue>host</fieldForValue>
|
||||||
|
</input>
|
||||||
|
<input type="text" searchWhenChanged="true" token="keyword">
|
||||||
|
<label>Keyword:</label>
|
||||||
|
<default>*</default>
|
||||||
|
</input>
|
||||||
|
<input type="multiselect" token="sourcetype_token" searchWhenChanged="true">
|
||||||
|
<label>Excluded event sources</label>
|
||||||
|
<default>none</default>
|
||||||
|
<!-- The final value will be surrounded by prefix and suffix -->
|
||||||
|
<prefix>(</prefix>
|
||||||
|
<suffix>)</suffix>
|
||||||
|
<!-- Each value will be surrounded by the valuePrefix and valueSuffix -->
|
||||||
|
<valuePrefix>SourceName!="</valuePrefix>
|
||||||
|
<valueSuffix>"</valueSuffix>
|
||||||
|
<!-- All the values and their valuePrefix and valueSuffix will be concatenated together with the delimiter between them -->
|
||||||
|
<delimiter> AND </delimiter>
|
||||||
|
<choice value="none">None</choice>
|
||||||
|
<search>
|
||||||
|
<query>`event_sources` $Type$ AND $Computer$ AND $keyword$ | stats count by SourceName</query>
|
||||||
|
<earliest>$interval.earliest$</earliest>
|
||||||
|
<latest>$interval.latest$</latest>
|
||||||
|
</search>
|
||||||
|
<fieldForLabel>SourceName</fieldForLabel>
|
||||||
|
<fieldForValue>SourceName</fieldForValue>
|
||||||
|
</input>
|
||||||
|
</fieldset>
|
||||||
|
<row>
|
||||||
|
<panel>
|
||||||
|
<title>Errors</title>
|
||||||
|
<single>
|
||||||
|
<search>
|
||||||
|
<query>`event_sources` Type="Error" AND $Computer$ AND $keyword$ | stats count</query>
|
||||||
|
<earliest>$interval.earliest$</earliest>
|
||||||
|
<latest>$interval.latest$</latest>
|
||||||
|
<sampleRatio>1</sampleRatio>
|
||||||
|
</search>
|
||||||
|
<option name="colorBy">value</option>
|
||||||
|
<option name="colorMode">block</option>
|
||||||
|
<option name="drilldown">all</option>
|
||||||
|
<option name="numberPrecision">0</option>
|
||||||
|
<option name="rangeColors">["0xd93f3c","0xd93f3c"]</option>
|
||||||
|
<option name="rangeValues">[0]</option>
|
||||||
|
<option name="refresh.display">progressbar</option>
|
||||||
|
<option name="showSparkline">1</option>
|
||||||
|
<option name="showTrendIndicator">1</option>
|
||||||
|
<option name="trellis.enabled">0</option>
|
||||||
|
<option name="trellis.scales.shared">1</option>
|
||||||
|
<option name="trellis.size">medium</option>
|
||||||
|
<option name="trendColorInterpretation">standard</option>
|
||||||
|
<option name="trendDisplayMode">absolute</option>
|
||||||
|
<option name="unitPosition">after</option>
|
||||||
|
<option name="useColors">1</option>
|
||||||
|
<option name="useThousandSeparators">1</option>
|
||||||
|
</single>
|
||||||
|
</panel>
|
||||||
|
<panel>
|
||||||
|
<title>Warnings</title>
|
||||||
|
<single>
|
||||||
|
<search>
|
||||||
|
<query>`event_sources` Type="Warning" AND $Computer$ AND $keyword$ | stats count</query>
|
||||||
|
<earliest>$interval.earliest$</earliest>
|
||||||
|
<latest>$interval.latest$</latest>
|
||||||
|
<sampleRatio>1</sampleRatio>
|
||||||
|
</search>
|
||||||
|
<option name="colorBy">value</option>
|
||||||
|
<option name="colorMode">block</option>
|
||||||
|
<option name="drilldown">all</option>
|
||||||
|
<option name="numberPrecision">0</option>
|
||||||
|
<option name="rangeColors">["0xf7bc38","0xf7bc38"]</option>
|
||||||
|
<option name="rangeValues">[0]</option>
|
||||||
|
<option name="refresh.display">progressbar</option>
|
||||||
|
<option name="showSparkline">1</option>
|
||||||
|
<option name="showTrendIndicator">1</option>
|
||||||
|
<option name="trellis.enabled">0</option>
|
||||||
|
<option name="trellis.scales.shared">1</option>
|
||||||
|
<option name="trellis.size">medium</option>
|
||||||
|
<option name="trendColorInterpretation">standard</option>
|
||||||
|
<option name="trendDisplayMode">absolute</option>
|
||||||
|
<option name="unitPosition">after</option>
|
||||||
|
<option name="useColors">1</option>
|
||||||
|
<option name="useThousandSeparators">1</option>
|
||||||
|
</single>
|
||||||
|
</panel>
|
||||||
|
<panel>
|
||||||
|
<title>Information</title>
|
||||||
|
<single>
|
||||||
|
<search>
|
||||||
|
<query>`event_sources` Type="Information" AND NOT ("Audit Success" OR "Audit Failure") AND $Computer$ AND $keyword$ | stats count</query>
|
||||||
|
<earliest>$interval.earliest$</earliest>
|
||||||
|
<latest>$interval.latest$</latest>
|
||||||
|
<sampleRatio>1</sampleRatio>
|
||||||
|
</search>
|
||||||
|
<option name="colorBy">value</option>
|
||||||
|
<option name="colorMode">block</option>
|
||||||
|
<option name="drilldown">all</option>
|
||||||
|
<option name="numberPrecision">0</option>
|
||||||
|
<option name="rangeColors">["0x65a637","0x65a637"]</option>
|
||||||
|
<option name="rangeValues">[0]</option>
|
||||||
|
<option name="refresh.display">progressbar</option>
|
||||||
|
<option name="showSparkline">1</option>
|
||||||
|
<option name="showTrendIndicator">1</option>
|
||||||
|
<option name="trellis.enabled">0</option>
|
||||||
|
<option name="trellis.scales.shared">1</option>
|
||||||
|
<option name="trellis.size">medium</option>
|
||||||
|
<option name="trendColorInterpretation">standard</option>
|
||||||
|
<option name="trendDisplayMode">absolute</option>
|
||||||
|
<option name="unitPosition">after</option>
|
||||||
|
<option name="useColors">1</option>
|
||||||
|
<option name="useThousandSeparators">1</option>
|
||||||
|
<drilldown>
|
||||||
|
<link target="_blank">search?q=`event_sources` Type="Information" | stats count&earliest=$interval.earliest$&latest=$interval.latest$</link>
|
||||||
|
</drilldown>
|
||||||
|
</single>
|
||||||
|
</panel>
|
||||||
|
<panel>
|
||||||
|
<title>Audit Failure</title>
|
||||||
|
<single>
|
||||||
|
<search>
|
||||||
|
<query>`event_sources` "Audit Failure" AND $Computer$ AND $keyword$
|
||||||
|
| stats count</query>
|
||||||
|
<earliest>$interval.earliest$</earliest>
|
||||||
|
<latest>$interval.latest$</latest>
|
||||||
|
<sampleRatio>1</sampleRatio>
|
||||||
|
</search>
|
||||||
|
<option name="colorMode">block</option>
|
||||||
|
<option name="drilldown">all</option>
|
||||||
|
<option name="rangeColors">["0xf58f39","0xf58f39"]</option>
|
||||||
|
<option name="rangeValues">[0]</option>
|
||||||
|
<option name="refresh.display">progressbar</option>
|
||||||
|
<option name="useColors">1</option>
|
||||||
|
<drilldown>
|
||||||
|
<link target="_blank">/app/eventid/audit_events</link>
|
||||||
|
</drilldown>
|
||||||
|
</single>
|
||||||
|
</panel>
|
||||||
|
<panel>
|
||||||
|
<title>Audit Success</title>
|
||||||
|
<single>
|
||||||
|
<search>
|
||||||
|
<query>`event_sources` Keywords="Audit Success" AND $Computer$ AND $keyword$ | stats count</query>
|
||||||
|
<earliest>$interval.earliest$</earliest>
|
||||||
|
<latest>$interval.latest$</latest>
|
||||||
|
<sampleRatio>1</sampleRatio>
|
||||||
|
</search>
|
||||||
|
<option name="colorMode">block</option>
|
||||||
|
<option name="drilldown">none</option>
|
||||||
|
<option name="rangeColors">["0x6db7c6","0x6db7c6"]</option>
|
||||||
|
<option name="rangeValues">[0]</option>
|
||||||
|
<option name="refresh.display">progressbar</option>
|
||||||
|
<option name="useColors">1</option>
|
||||||
|
</single>
|
||||||
|
</panel>
|
||||||
|
<panel>
|
||||||
|
<title>Logon Audit Failure</title>
|
||||||
|
<single>
|
||||||
|
<search>
|
||||||
|
<query>`event_sources` Failure_Reason=* ("Audit Failure") AND $Computer$ AND $keyword$ | eval user=mvindex(Account_Name,1) | stats count</query>
|
||||||
|
<earliest>-24h@h</earliest>
|
||||||
|
<latest>now</latest>
|
||||||
|
</search>
|
||||||
|
<option name="colorMode">block</option>
|
||||||
|
<option name="drilldown">all</option>
|
||||||
|
<option name="rangeColors">["0xcc0000","0xcc0000"]</option>
|
||||||
|
<option name="rangeValues">[0]</option>
|
||||||
|
<option name="refresh.display">progressbar</option>
|
||||||
|
<option name="useColors">1</option>
|
||||||
|
<drilldown>
|
||||||
|
<link target="_blank">/app/eventid/audit_events</link>
|
||||||
|
</drilldown>
|
||||||
|
</single>
|
||||||
|
</panel>
|
||||||
|
</row>
|
||||||
|
<row>
|
||||||
|
<panel>
|
||||||
|
<title>Accounts with 3 or more failed logons</title>
|
||||||
|
<chart>
|
||||||
|
<search>
|
||||||
|
<query>`event_sources` Failure_Reason=* * ("Audit Failure") AND $Computer$ AND $keyword$ | stats count by user | where count > 2</query>
|
||||||
|
<earliest>$interval.earliest$</earliest>
|
||||||
|
<latest>$interval.latest$</latest>
|
||||||
|
<sampleRatio>1</sampleRatio>
|
||||||
|
</search>
|
||||||
|
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
|
||||||
|
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
|
||||||
|
<option name="charting.axisTitleX.visibility">visible</option>
|
||||||
|
<option name="charting.axisTitleY.visibility">visible</option>
|
||||||
|
<option name="charting.axisTitleY2.visibility">visible</option>
|
||||||
|
<option name="charting.axisX.scale">linear</option>
|
||||||
|
<option name="charting.axisY.scale">linear</option>
|
||||||
|
<option name="charting.axisY2.enabled">0</option>
|
||||||
|
<option name="charting.axisY2.scale">inherit</option>
|
||||||
|
<option name="charting.chart">pie</option>
|
||||||
|
<option name="charting.chart.bubbleMaximumSize">50</option>
|
||||||
|
<option name="charting.chart.bubbleMinimumSize">10</option>
|
||||||
|
<option name="charting.chart.bubbleSizeBy">area</option>
|
||||||
|
<option name="charting.chart.nullValueMode">gaps</option>
|
||||||
|
<option name="charting.chart.showDataLabels">none</option>
|
||||||
|
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
|
||||||
|
<option name="charting.chart.stackMode">default</option>
|
||||||
|
<option name="charting.chart.style">shiny</option>
|
||||||
|
<option name="charting.drilldown">all</option>
|
||||||
|
<option name="charting.layout.splitSeries">0</option>
|
||||||
|
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
|
||||||
|
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
|
||||||
|
<option name="charting.legend.placement">right</option>
|
||||||
|
<option name="refresh.display">progressbar</option>
|
||||||
|
</chart>
|
||||||
|
</panel>
|
||||||
|
<panel>
|
||||||
|
<title>Top computers generating events</title>
|
||||||
|
<chart>
|
||||||
|
<search>
|
||||||
|
<query>`event_sources` AND $Computer$ AND $keyword$ AND ($Audit_Type$ OR $Type$)
|
||||||
|
| eval SourceName = coalesce(SourceName,source)
|
||||||
|
| fillnull
|
||||||
|
| search $sourcetype_token$
|
||||||
|
| stats count by host</query>
|
||||||
|
<earliest>$interval.earliest$</earliest>
|
||||||
|
<latest>$interval.latest$</latest>
|
||||||
|
</search>
|
||||||
|
<option name="charting.chart">pie</option>
|
||||||
|
<option name="charting.legend.placement">none</option>
|
||||||
|
<option name="refresh.display">progressbar</option>
|
||||||
|
<drilldown>
|
||||||
|
<link target="_blank">/app/eventid/eventid?form.Computer=$row.host$</link>
|
||||||
|
</drilldown>
|
||||||
|
</chart>
|
||||||
|
</panel>
|
||||||
|
</row>
|
||||||
|
<row>
|
||||||
|
<panel>
|
||||||
|
<title>Windows events over time</title>
|
||||||
|
<chart>
|
||||||
|
<search>
|
||||||
|
<query>`event_sources` AND $Computer$ AND $keyword$ AND ($Audit_Type$ OR $Type$)
|
||||||
|
| timechart count</query>
|
||||||
|
<earliest>$interval.earliest$</earliest>
|
||||||
|
<latest>$interval.latest$</latest>
|
||||||
|
</search>
|
||||||
|
<option name="charting.axisLabelsY.majorUnit">1</option>
|
||||||
|
<option name="charting.axisTitleX.text">Time</option>
|
||||||
|
<option name="charting.axisTitleY.text">Events</option>
|
||||||
|
<option name="charting.axisY2.enabled">1</option>
|
||||||
|
<option name="charting.chart">area</option>
|
||||||
|
<option name="charting.chart.nullValueMode">gaps</option>
|
||||||
|
<option name="charting.chart.overlayFields">"Audit Failure"</option>
|
||||||
|
<option name="charting.chart.stackMode">default</option>
|
||||||
|
<option name="charting.drilldown">all</option>
|
||||||
|
<option name="charting.layout.splitSeries">0</option>
|
||||||
|
<option name="charting.legend.placement">none</option>
|
||||||
|
<option name="refresh.display">progressbar</option>
|
||||||
|
</chart>
|
||||||
|
</panel>
|
||||||
|
</row>
|
||||||
|
<row>
|
||||||
|
<panel>
|
||||||
|
<title>Events Summary - Links to www.eventid.net</title>
|
||||||
|
<table id="link2">
|
||||||
|
<search>
|
||||||
|
<query>`event_sources` AND $Computer$ AND $keyword$ AND ($Audit_Type$ OR $Type$)
|
||||||
|
| eval SourceName = coalesce(SourceName,Provider)
|
||||||
|
| eval Type = coalesce(Type,Keyword)
|
||||||
|
| fillnull value="-"
|
||||||
|
| stats earliest(_time) as First latest(_time) as Last count by host, EventCode, SourceName, Type
|
||||||
|
| sort -count host, EventCode, SourceName, Type
|
||||||
|
| rename EventCode as "EventId"
|
||||||
|
| fieldformat First=strftime(First,"%x %X")
|
||||||
|
| fieldformat Last=strftime(Last,"%x %X")</query>
|
||||||
|
<earliest>$interval.earliest$</earliest>
|
||||||
|
<latest>$interval.latest$</latest>
|
||||||
|
</search>
|
||||||
|
<option name="count">10</option>
|
||||||
|
<option name="dataOverlayMode">none</option>
|
||||||
|
<option name="drilldown">cell</option>
|
||||||
|
<option name="refresh.display">progressbar</option>
|
||||||
|
<option name="rowNumbers">false</option>
|
||||||
|
<option name="wrap">true</option>
|
||||||
|
<drilldown>
|
||||||
|
<link target="_blank">https://www.eventid.net/display.asp?eventid=$row.EventId$&source=$row.SourceName$&app=SplunkEvId</link>
|
||||||
|
</drilldown>
|
||||||
|
</table>
|
||||||
|
</panel>
|
||||||
|
</row>
|
||||||
|
<row>
|
||||||
|
<panel>
|
||||||
|
<title>Events List</title>
|
||||||
|
<table id="link">
|
||||||
|
<search>
|
||||||
|
<query>`event_sources` AND $Computer$ AND $keyword$ AND ($Audit_Type$ OR $Type$)
|
||||||
|
| eval SourceName = coalesce(SourceName,Provider)
|
||||||
|
| eval Type = coalesce(Type,Keyword)
|
||||||
|
| fillnull
|
||||||
|
| table _time, host, EventCode, SourceName, Type, Message
|
||||||
|
| rename EventCode as "EventId"</query>
|
||||||
|
<earliest>$interval.earliest$</earliest>
|
||||||
|
<latest>$interval.latest$</latest>
|
||||||
|
</search>
|
||||||
|
<option name="count">10</option>
|
||||||
|
<option name="dataOverlayMode">none</option>
|
||||||
|
<option name="drilldown">cell</option>
|
||||||
|
<option name="refresh.display">progressbar</option>
|
||||||
|
<option name="rowNumbers">false</option>
|
||||||
|
<option name="wrap">true</option>
|
||||||
|
</table>
|
||||||
|
</panel>
|
||||||
|
</row>
|
||||||
|
</form>
|
||||||
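Review bot: The "Accounts with 3 or more failed logons" chart runs `stats count by user`, but nothing in that search defines `user`; the neighbouring "Logon Audit Failure" panel derives it with `| eval user=mvindex(Account_Name,1)`, so unless the `event_sources` macro or a field extraction outside this hunk supplies `user`, the chart is empty and the repeated-failure signal it exists to surface is lost. Add the same eval before the stats, `| eval user=mvindex(Account_Name,1) | stats count by user | where count > 2`, and drop the stray bare `*` between `Failure_Reason=*` and `("Audit Failure")` in that query. The "Logon Audit Failure" single itself hard-codes `<earliest>-24h@h</earliest>` / `<latest>now</latest>` instead of `$interval.earliest$` / `$interval.latest$`, so it is the one panel on the page that ignores the time picker, and its `eval user=...` is unused by the following `stats count`. The "Audit Failure" and "Audit Success" singles match the same concept differently (`"Audit Failure"` as a free-text term versus `Keywords="Audit Success"`); pick one form so both counts come from the same field. The Events Summary drilldown sends `$row.EventId$` and `$row.SourceName$` to www.eventid.net, which is the app's stated purpose, but a one-line comment above that `<link>` noting that event source names leave the environment would help reviewers of the app.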
@ -0,0 +1,55 @@
|
|||||||
|
<form>
|
||||||
|
<label>Interesting Events</label>
|
||||||
|
<description>Click on the event to check it on www.eventid.net</description>
|
||||||
|
<fieldset autoRun="true" submitButton="false">
|
||||||
|
<input type="time" searchWhenChanged="true" token="interval">
|
||||||
|
<label>Select time range</label>
|
||||||
|
<default>
|
||||||
|
<earliest>-24h@h</earliest>
|
||||||
|
<latest>now</latest>
|
||||||
|
</default>
|
||||||
|
</input>
|
||||||
|
<input type="multiselect" searchWhenChanged="true" token="Computer">
|
||||||
|
<label>Computer</label>
|
||||||
|
<choice value="*">All</choice>
|
||||||
|
<default>*</default>
|
||||||
|
<prefix>(</prefix>
|
||||||
|
<suffix>)</suffix>
|
||||||
|
<valuePrefix>ComputerName="</valuePrefix>
|
||||||
|
<valueSuffix>"</valueSuffix>
|
||||||
|
<delimiter> OR </delimiter>
|
||||||
|
<search>
|
||||||
|
<query>`event_sources` | stats count by ComputerName</query>
|
||||||
|
<earliest>$interval.earliest$</earliest>
|
||||||
|
<latest>$interval.latest$</latest>
|
||||||
|
</search>
|
||||||
|
<fieldForLabel>ComputerName</fieldForLabel>
|
||||||
|
<fieldForValue>ComputerName</fieldForValue>
|
||||||
|
</input>
|
||||||
|
<input type="text" searchWhenChanged="true" token="keyword">
|
||||||
|
<label>Keyword:</label>
|
||||||
|
<default>*</default>
|
||||||
|
</input>
|
||||||
|
</fieldset>
|
||||||
|
<row>
|
||||||
|
<panel>
|
||||||
|
<title>Interesting Events</title>
|
||||||
|
<table>
|
||||||
|
<search>
|
||||||
|
<query>`event_sources` AND $Computer$ AND $keyword$ | lookup interesting_events_lookup event_id AS EventCode, source AS SourceName OUTPUT source,description | search description="*" | table _time, ComputerName, EventCode, SourceName, Type, Message,description | rename EventCode as "EventId", description as "Why is it interesting?"</query>
|
||||||
|
<earliest>$interval.earliest$</earliest>
|
||||||
|
<latest>$interval.latest$</latest>
|
||||||
|
<sampleRatio>1</sampleRatio>
|
||||||
|
</search>
|
||||||
|
<option name="count">20</option>
|
||||||
|
<option name="dataOverlayMode">none</option>
|
||||||
|
<option name="drilldown">none</option>
|
||||||
|
<option name="percentagesRow">false</option>
|
||||||
|
<option name="refresh.display">progressbar</option>
|
||||||
|
<option name="rowNumbers">false</option>
|
||||||
|
<option name="totalsRow">false</option>
|
||||||
|
<option name="wrap">true</option>
|
||||||
|
</table>
|
||||||
|
</panel>
|
||||||
|
</row>
|
||||||
|
</form>
|
||||||
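Review bot: The lookup in the Interesting Events query ends with `OUTPUT source,description`, and `source` is also Splunk's built-in field on every event, so for matching rows the lookup's match column overwrites it while non-matching rows keep the original; unless that is intended, rename the output, e.g. `OUTPUT source AS lookup_source, description` — the lookup definition is not in this hunk, so this is inferred from the field names. The `<description>` says "Click on the event to check it on www.eventid.net", but this table sets `<option name="drilldown">none</option>` and has no `<drilldown>`, so the text appears carried over from the summary dashboard; either add the eventid.net link used there or change the description. This dashboard filters on `ComputerName=` while the Windows Events Summary filters the same input on `host=`; a short comment on why the two differ (or aligning them) would save the next maintainer from treating one as a bug.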
@ -0,0 +1,189 @@
|
|||||||
|
<form>
|
||||||
|
<label>Processes</label>
|
||||||
|
<description>List of processes identified through event id 4688 and listed in the www.eventid.net list of processes that may indicate suspicious activity. To generate event id 4688, a system requires the audit of process creation. See the documentation for more details.</description>
|
||||||
|
<fieldset autoRun="true" submitButton="false">
|
||||||
|
<input type="time" searchWhenChanged="true" token="interval">
|
||||||
|
<label>Select time range</label>
|
||||||
|
<default>
|
||||||
|
<earliest>-24h@h</earliest>
|
||||||
|
<latest>now</latest>
|
||||||
|
</default>
|
||||||
|
</input>
|
||||||
|
<input type="multiselect" token="Computer" searchWhenChanged="true">
|
||||||
|
<label>Computer</label>
|
||||||
|
<choice value="*">All</choice>
|
||||||
|
<default>*</default>
|
||||||
|
<prefix>(</prefix>
|
||||||
|
<suffix>)</suffix>
|
||||||
|
<valuePrefix>ComputerName="</valuePrefix>
|
||||||
|
<valueSuffix>"</valueSuffix>
|
||||||
|
<delimiter> OR </delimiter>
|
||||||
|
<search>
|
||||||
|
<query>`event_sources` (EventCode=4688) | stats count by ComputerName</query>
|
||||||
|
<earliest>$interval.earliest$</earliest>
|
||||||
|
<latest>$interval.latest$</latest>
|
||||||
|
</search>
|
||||||
|
<fieldForLabel>ComputerName</fieldForLabel>
|
||||||
|
<fieldForValue>ComputerName</fieldForValue>
|
||||||
|
</input>
|
||||||
|
<input type="multiselect" token="process_id" searchWhenChanged="true">
|
||||||
|
<label>Process Id</label>
|
||||||
|
<choice value="*">All</choice>
|
||||||
|
<default>*</default>
|
||||||
|
<prefix>(</prefix>
|
||||||
|
<suffix>)</suffix>
|
||||||
|
<valuePrefix>New_Process_ID="</valuePrefix>
|
||||||
|
<valueSuffix>"</valueSuffix>
|
||||||
|
<delimiter> OR </delimiter>
|
||||||
|
<search>
|
||||||
|
<query>`event_sources` (EventCode=4688) | stats count by New_Process_ID</query>
|
||||||
|
<earliest>$interval.earliest$</earliest>
|
||||||
|
<latest>$interval.latest$</latest>
|
||||||
|
</search>
|
||||||
|
<fieldForLabel>New_Process_ID</fieldForLabel>
|
||||||
|
<fieldForValue>New_Process_ID</fieldForValue>
|
||||||
|
</input>
|
||||||
|
<input type="multiselect" token="creator" searchWhenChanged="true">
|
||||||
|
<label>Creator Process Id</label>
|
||||||
|
<choice value="*">All</choice>
|
||||||
|
<default>*</default>
|
||||||
|
<prefix>(</prefix>
|
||||||
|
<suffix>)</suffix>
|
||||||
|
<valuePrefix>Creator_Process_ID="</valuePrefix>
|
||||||
|
<valueSuffix>"</valueSuffix>
|
||||||
|
<delimiter> OR </delimiter>
|
||||||
|
<search>
|
||||||
|
<query>`event_sources` (EventCode=4688) | stats count by Creator_Process_ID</query>
|
||||||
|
<earliest>$interval.earliest$</earliest>
|
||||||
|
<latest>$interval.latest$</latest>
|
||||||
|
</search>
|
||||||
|
<fieldForLabel>Creator_Process_ID</fieldForLabel>
|
||||||
|
<fieldForValue>Creator_Process_ID</fieldForValue>
|
||||||
|
</input>
|
||||||
|
<input type="text" token="keyword" searchWhenChanged="true">
|
||||||
|
<label>Keyword:</label>
|
||||||
|
<default>*</default>
|
||||||
|
</input>
|
||||||
|
<input type="radio" token="nocomputer" searchWhenChanged="true">
|
||||||
|
<label>Hide computer accounts related events</label>
|
||||||
|
<choice value="Account_Name != "*$*"">Yes</choice>
|
||||||
|
<choice value="">No</choice>
|
||||||
|
<default>Account_Name != "*$*"</default>
|
||||||
|
<initialValue>Account_Name != "*$*"</initialValue>
|
||||||
|
</input>
|
||||||
|
<input type="radio" token="nocmdpowershell" searchWhenChanged="true">
|
||||||
|
<label>Filter out cmd.exe and powershell.exe</label>
|
||||||
|
<choice value="AND NOT (New_Process_Name = "*cmd.exe*" OR New_Process_Name = "*powershell.exe*")">Yes</choice>
|
||||||
|
<choice value="New_Process_Name = "*"">No</choice>
|
||||||
|
<default>New_Process_Name = "*"</default>
|
||||||
|
<initialValue>New_Process_Name = "*"</initialValue>
|
||||||
|
</input>
|
||||||
|
</fieldset>
|
||||||
|
<row>
|
||||||
|
<panel>
|
||||||
|
<title>Interesting Processes</title>
|
||||||
|
<table>
|
||||||
|
<search>
|
||||||
|
<query>`event_sources` AND $Computer$ AND $keyword$ $nocomputer$ $creator$ $process_id$ $nocmdpowershell$ (EventCode=4688) | lookup processlookup full_path_process as New_Process_Name OUTPUT process | lookup interesting_process_lookup process OUTPUT Category,Process_Details | search Category="*" | table _time, host, Account_Name, Process_Command_Line, process,Category,Process_Details, New_Process_ID,
|
||||||
|
Creator_Process_ID | rename host as Server,process as Process,Process_Details as "Interesting Process Details"</query>
|
||||||
|
<earliest>$interval.earliest$</earliest>
|
||||||
|
<latest>$interval.latest$</latest>
|
||||||
|
<sampleRatio>1</sampleRatio>
|
||||||
|
</search>
|
||||||
|
<option name="count">20</option>
|
||||||
|
<option name="dataOverlayMode">none</option>
|
||||||
|
<option name="drilldown">cell</option>
|
||||||
|
<option name="percentagesRow">false</option>
|
||||||
|
<option name="refresh.display">progressbar</option>
|
||||||
|
<option name="rowNumbers">false</option>
|
||||||
|
<option name="totalsRow">false</option>
|
||||||
|
<option name="wrap">true</option>
|
||||||
|
</table>
|
||||||
|
</panel>
|
||||||
|
</row>
|
||||||
|
<row>
|
||||||
|
<panel>
|
||||||
|
<title>Last 100 Processes</title>
|
||||||
|
<table>
|
||||||
|
<search>
|
||||||
|
<query>`event_sources` (EventCode=4688) AND $Computer$ AND $keyword$ $nocomputer$ $creator$ $process_id$ $nocmdpowershell$
|
||||||
|
| head 100
|
||||||
|
| table _time, host,Account_Name, New_Process_Name,Process_Command_Line, New_Process_ID,
|
||||||
|
Creator_Process_ID</query>
|
||||||
|
<earliest>$interval.earliest$</earliest>
|
||||||
|
<latest>$interval.latest$</latest>
|
||||||
|
<sampleRatio>1</sampleRatio>
|
||||||
|
</search>
|
||||||
|
<option name="count">20</option>
|
||||||
|
<option name="dataOverlayMode">none</option>
|
||||||
|
<option name="drilldown">cell</option>
|
||||||
|
<option name="percentagesRow">false</option>
|
||||||
|
<option name="refresh.display">progressbar</option>
|
||||||
|
<option name="rowNumbers">false</option>
|
||||||
|
<option name="totalsRow">false</option>
|
||||||
|
<option name="wrap">true</option>
|
||||||
|
</table>
|
||||||
|
</panel>
|
||||||
|
</row>
|
||||||
|
<row>
|
||||||
|
<panel>
|
||||||
|
<title>Top Processes</title>
|
||||||
|
<table>
|
||||||
|
<search>
|
||||||
|
<query>`event_sources` (EventCode=4688) AND $Computer$ AND $keyword$ $nocomputer$ $creator$ $process_id$ $nocmdpowershell$ | stats count by host, New_Process_Name | table host, New_Process_Name,count | sort -count | rename count as Count</query>
|
||||||
|
<earliest>$interval.earliest$</earliest>
|
||||||
|
<latest>$interval.latest$</latest>
|
||||||
|
<sampleRatio>1</sampleRatio>
|
||||||
|
</search>
|
||||||
|
<option name="count">20</option>
|
||||||
|
<option name="dataOverlayMode">none</option>
|
||||||
|
<option name="drilldown">cell</option>
|
||||||
|
<option name="percentagesRow">false</option>
|
||||||
|
<option name="rowNumbers">false</option>
|
||||||
|
<option name="totalsRow">false</option>
|
||||||
|
<option name="wrap">true</option>
|
||||||
|
</table>
|
||||||
|
</panel>
|
||||||
|
</row>
|
||||||
|
<row>
|
||||||
|
<panel>
|
||||||
|
<title>Least Common Processes</title>
|
||||||
|
<table>
|
||||||
|
<search>
|
||||||
|
<query>`event_sources` (EventCode=4688) AND $Computer$ AND $keyword$ $nocomputer$ $creator$ $process_id$ $nocmdpowershell$ | stats count by host, New_Process_Name | table host, New_Process_Name,count | sort count| rename count as Count</query>
|
||||||
|
<earliest>$interval.earliest$</earliest>
|
||||||
|
<latest>$interval.latest$</latest>
|
||||||
|
<sampleRatio>1</sampleRatio>
|
||||||
|
</search>
|
||||||
|
<option name="count">20</option>
|
||||||
|
<option name="dataOverlayMode">none</option>
|
||||||
|
<option name="drilldown">cell</option>
|
||||||
|
<option name="percentagesRow">false</option>
|
||||||
|
<option name="rowNumbers">false</option>
|
||||||
|
<option name="totalsRow">false</option>
|
||||||
|
<option name="wrap">true</option>
|
||||||
|
</table>
|
||||||
|
</panel>
|
||||||
|
</row>
|
||||||
|
<row>
|
||||||
|
<panel>
|
||||||
|
<title>Unusually Long CLI Commands</title>
|
||||||
|
<table>
|
||||||
|
<search>
|
||||||
|
<query>`event_sources` (EventCode=4688) AND (ComputerName="*") AND * Account_Name != "*$$*" (Creator_Process_ID="*") (New_Process_ID="*") New_Process_Name = "*" | head 100 | table _time, host,Account_Name, New_Process_Name,Process_Command_Line, New_Process_ID,
|
||||||
|
Creator_Process_ID</query>
|
||||||
|
<earliest>-24h@h</earliest>
|
||||||
|
<latest>now</latest>
|
||||||
|
<sampleRatio>1</sampleRatio>
|
||||||
|
</search>
|
||||||
|
<option name="count">20</option>
|
||||||
|
<option name="dataOverlayMode">none</option>
|
||||||
|
<option name="drilldown">cell</option>
|
||||||
|
<option name="percentagesRow">false</option>
|
||||||
|
<option name="rowNumbers">false</option>
|
||||||
|
<option name="totalsRow">false</option>
|
||||||
|
<option name="wrap">true</option>
|
||||||
|
</table>
|
||||||
|
</panel>
|
||||||
|
</row>
|
||||||
|
</form>
|
||||||
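Review bot: The "Unusually Long CLI Commands" panel never measures command-line length: its query is the "Last 100 Processes" search with the tokens pasted in already expanded (`(ComputerName="*")`, `Account_Name != "*$$*"`, `(Creator_Process_ID="*")`, `New_Process_Name = "*"`) and a fixed `-24h@h` window, so it ignores every input on the form and returns the same rows as the panel above it. Restore the tokens and the `$interval$` range and rank by `len(Process_Command_Line)` with a threshold; the rewritten search element is below (the threshold is a constructed starting value to tune). The `nocomputer` radio encodes the filter as `Account_Name != "*$*"` with a single `$` while the expanded copy in this panel uses `$$`; confirm that Simple XML passes a lone `$` in a choice value through as a literal, since a mis-escaped `$` would silently disable the computer-account exclusion.

```xml
<query>`event_sources` (EventCode=4688) AND $Computer$ AND $keyword$ $nocomputer$ $creator$ $process_id$ $nocmdpowershell$
| eval cmd_len=len(Process_Command_Line)
| where cmd_len > 200
| sort -cmd_len
| table _time, host, Account_Name, New_Process_Name, Process_Command_Line, cmd_len, New_Process_ID, Creator_Process_ID</query>
<!-- 200 is a constructed starting threshold; tune for the environment -->
<earliest>$interval.earliest$</earliest>
<latest>$interval.latest$</latest>
```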
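--- /dev/null
+++ b/[path-not-shown-on-page]
@@ -0,0 +1,225 @@
+<form>
+<label>Users and Groups</label>
+<description>Users and Groups Activities</description>
+<fieldset submitButton="false">
+<input type="time" token="interval">
+<label>Time interval</label>
+<default>
+<earliest>-24h@h</earliest>
+<latest>now</latest>
+</default>
+</input>
+<input type="text" token="keyword" searchWhenChanged="true">
+<label>Filter</label>
+<default>*</default>
+<initialValue>*</initialValue>
+</input>
+</fieldset>
+<row>
+<panel>
+<title>Users Created</title>
+<chart>
+<search>
+<query>`event_sources` eventtype=windows_account_created $keyword$
+| timechart count</query>
+<earliest>$interval.earliest$</earliest>
+<latest>$interval.latest$</latest>
+<sampleRatio>1</sampleRatio>
+</search>
+<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
+<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
+<option name="charting.axisTitleX.visibility">visible</option>
+<option name="charting.axisTitleY.visibility">visible</option>
+<option name="charting.axisTitleY2.visibility">visible</option>
+<option name="charting.axisX.abbreviation">none</option>
+<option name="charting.axisX.scale">linear</option>
+<option name="charting.axisY.abbreviation">none</option>
+<option name="charting.axisY.scale">linear</option>
+<option name="charting.axisY2.abbreviation">none</option>
+<option name="charting.axisY2.enabled">0</option>
+<option name="charting.axisY2.scale">inherit</option>
+<option name="charting.chart">column</option>
+<option name="charting.chart.bubbleMaximumSize">50</option>
+<option name="charting.chart.bubbleMinimumSize">10</option>
+<option name="charting.chart.bubbleSizeBy">area</option>
+<option name="charting.chart.nullValueMode">gaps</option>
+<option name="charting.chart.showDataLabels">all</option>
+<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
+<option name="charting.chart.stackMode">default</option>
+<option name="charting.chart.style">shiny</option>
+<option name="charting.drilldown">all</option>
+<option name="charting.layout.splitSeries">0</option>
+<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
+<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
+<option name="charting.legend.mode">standard</option>
+<option name="charting.legend.placement">bottom</option>
+<option name="charting.lineWidth">2</option>
+<option name="refresh.display">progressbar</option>
+<option name="trellis.enabled">0</option>
+<option name="trellis.scales.shared">1</option>
+<option name="trellis.size">medium</option>
+</chart>
+</panel>
+<panel>
+<title>Attempts to login with disabled accounts</title>
+<table>
+<search>
+<query>`event_sources` name="*currently disabled*" $keyword$
+| eval domain=mvindex(Account_Domain,1)
+| eval source_computer = coalesce(Workstation_Name,src_ip)
+| eval domain = coalesce(domain,src_nt_domain)
+| table _time,host,domain,user,source_computer</query>
+<earliest>$interval.earliest$</earliest>
+<latest>$interval.latest$</latest>
+<sampleRatio>1</sampleRatio>
+</search>
+<option name="count">20</option>
+<option name="dataOverlayMode">none</option>
+<option name="drilldown">cell</option>
+<option name="percentagesRow">false</option>
+<option name="refresh.display">progressbar</option>
+<option name="rowNumbers">false</option>
+<option name="totalsRow">false</option>
+<option name="wrap">true</option>
+</table>
+</panel>
+</row>
+<row>
+<panel>
+<title>Users Added to Domain Admins or Enterprise Admins</title>
+<table>
+<search>
+<query>`event_sources` name="A member was added to a security-enabled *" AND ("Enterprise Admins" OR "Domain Admins") $keyword$
+| rename dest_nt_domain as domain, EventCode as "event id", Display_Name as "user name",host as server
+| dedup _time,user
+| eval added_by=mvindex(Security_ID,0)
+| eval user=mvindex(Security_ID,1)
+| table _time, server,domain, user,added_by</query>
+<earliest>$interval.earliest$</earliest>
+<latest>$interval.latest$</latest>
+<sampleRatio>1</sampleRatio>
+</search>
+<option name="count">20</option>
+<option name="dataOverlayMode">none</option>
+<option name="drilldown">cell</option>
+<option name="percentagesRow">false</option>
+<option name="refresh.display">progressbar</option>
+<option name="rowNumbers">false</option>
+<option name="totalsRow">false</option>
+<option name="wrap">true</option>
+</table>
+</panel>
+<panel>
+<title>Users Added to local Administrators</title>
+<table>
+<search>
+<query>`event_sources` name="A member was added to a security-enabled local group" AND user_group="Administrators" $keyword$
+| rename dest_nt_domain as domain, EventCode as "event id", Display_Name as "user name",host as server
+| eval added_by=mvindex(Security_ID,0)
+| eval user=mvindex(Security_ID,1)
+| table _time, server,domain, user,added_by</query>
+<earliest>$interval.earliest$</earliest>
+<latest>$interval.latest$</latest>
+<sampleRatio>1</sampleRatio>
+</search>
+<option name="count">20</option>
+<option name="dataOverlayMode">none</option>
+<option name="drilldown">cell</option>
+<option name="percentagesRow">false</option>
+<option name="refresh.display">progressbar</option>
+<option name="rowNumbers">false</option>
+<option name="totalsRow">false</option>
+<option name="wrap">true</option>
+</table>
+</panel>
+</row>
+<row>
+<panel>
+<title>Users Created</title>
+<table>
+<search>
+<query>`event_sources` eventtype=windows_account_created
+| rename dest_nt_domain as domain, EventCode as "event id", Display_Name as "user name",host as server
+| dedup _time,user
+| eval created_by=mvindex(Account_Name,0)
+| table _time, server,domain, user,"user name", created_by
+| sort _time</query>
+<earliest>$interval.earliest$</earliest>
+<latest>$interval.latest$</latest>
+<sampleRatio>1</sampleRatio>
+</search>
+<option name="count">20</option>
+<option name="dataOverlayMode">none</option>
+<option name="drilldown">cell</option>
+<option name="percentagesRow">false</option>
+<option name="refresh.display">progressbar</option>
+<option name="rowNumbers">false</option>
+<option name="totalsRow">false</option>
+<option name="wrap">true</option>
+</table>
+</panel>
+<panel>
+<title>Users Deleted</title>
+<table>
+<search>
+<query>`event_sources` AND eventtype=windows_account_deleted $keyword$
+| eval deleted_by=mvindex(Account_Name,0)
+| table _time, host, user,deleted_by
+| sort _time</query>
+<earliest>$interval.earliest$</earliest>
+<latest>$interval.latest$</latest>
+<sampleRatio>1</sampleRatio>
+</search>
+<option name="drilldown">cell</option>
+<option name="refresh.display">progressbar</option>
+</table>
+</panel>
+</row>
+<row>
+<panel>
+<title>Groups Created</title>
+<table>
+<search>
+<query>`event_sources` name="A security-enabled global group was created"
+| dedup _time,Group_Name
+| rename dest_nt_domain as domain, EventCode as "event id", user as "created_by",host as server
+| table _time, server,domain,Group_Name, created_by
+| sort _time</query>
+<earliest>$interval.earliest$</earliest>
+<latest>$interval.latest$</latest>
+<sampleRatio>1</sampleRatio>
+</search>
+<option name="count">20</option>
+<option name="dataOverlayMode">none</option>
+<option name="drilldown">cell</option>
+<option name="percentagesRow">false</option>
+<option name="refresh.display">progressbar</option>
+<option name="rowNumbers">false</option>
+<option name="totalsRow">false</option>
+<option name="wrap">true</option>
+</table>
+</panel>
+<panel>
+<title>Groups Deleted</title>
+<table>
+<search>
+<query>`event_sources` name="A security-enabled global group was deleted" $keyword$
+| rename dest_nt_domain as domain, EventCode as "event id", user as "Deleted by",host as server
+| table _time, server,domain,Group_Name, "Deleted by"
+| sort _time</query>
+<earliest>$interval.earliest$</earliest>
+<latest>$interval.latest$</latest>
+<sampleRatio>1</sampleRatio>
+</search>
+<option name="count">20</option>
+<option name="dataOverlayMode">none</option>
+<option name="drilldown">cell</option>
+<option name="percentagesRow">false</option>
+<option name="refresh.display">progressbar</option>
+<option name="rowNumbers">false</option>
+<option name="totalsRow">false</option>
+<option name="wrap">true</option>
+</table>
+</panel>
+</row>
+</form>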
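Review bot: In the Domain Admins panel the `| dedup _time,user` runs before `| eval user=mvindex(Security_ID,1)` redefines `user`, so duplicates are collapsed on whatever `user` held before the eval rather than on the member the table displays; ordering it as `| eval added_by=mvindex(Security_ID,0) | eval user=mvindex(Security_ID,1) | dedup _time,user` makes the dedup key match the shown column. The same panel matches the group by free text, `("Enterprise Admins" OR "Domain Admins")`, which hits any event that mentions either string anywhere, while the local-Administrators panel already filters on the field with `user_group="Administrators"`; `(user_group="Domain Admins" OR user_group="Enterprise Admins")` would be consistent and precise. The `Users Created` table and the `Groups Created` table omit `$keyword$`, so the Filter input silently has no effect on those two panels although it applies to every other one. The assumption that index 0 of `Security_ID` is the actor and index 1 the member presumably follows the multivalue order produced by the field extraction — worth confirming against a sample event.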
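--- /dev/null
+++ b/[path-not-shown-on-page]
@@ -0,0 +1,120 @@
+<form>
+<label>Event Sources</label>
+<description>Click on the event source to check it on www.eventid.net</description>
+<fieldset autoRun="true" submitButton="false">
+<input type="time" searchWhenChanged="true">
+<label>Select time range</label>
+<default>
+<earliest>-24h@h</earliest>
+<latest>now</latest>
+</default>
+</input>
+<input type="multiselect" token="Type" searchWhenChanged="true">
+<label>Event types</label>
+<default>Error</default>
+<prefix>(</prefix>
+<suffix>)</suffix>
+<valuePrefix>Type="</valuePrefix>
+<valueSuffix>"</valueSuffix>
+<delimiter> OR </delimiter>
+<search>
+<query>`event_sources`| stats count by Type</query>
+<earliest>$earliest$</earliest>
+<latest>$latest$</latest>
+</search>
+<fieldForLabel>Type</fieldForLabel>
+<fieldForValue>Type</fieldForValue>
+</input>
+<input type="multiselect" token="Computer" searchWhenChanged="true">
+<label>Computer</label>
+<choice value="*">All</choice>
+<default>*</default>
+<prefix>(</prefix>
+<suffix>)</suffix>
+<valuePrefix>ComputerName="</valuePrefix>
+<valueSuffix>"</valueSuffix>
+<delimiter> OR </delimiter>
+<search>
+<query>`event_sources` | stats count by ComputerName</query>
+<earliest>$earliest$</earliest>
+<latest>$latest$</latest>
+</search>
+<fieldForLabel>ComputerName</fieldForLabel>
+<fieldForValue>ComputerName</fieldForValue>
+</input>
+<input type="text" token="keyword" searchWhenChanged="true">
+<label>Keyword:</label>
+<default>*</default>
+</input>
+</fieldset>
+<row>
+<panel>
+<title>Event sources</title>
+<table id="link">
+<title>Click on the source to look it up on www.eventid.net</title>
+<search>
+<query>`event_sources` $Type$ AND $Computer$ AND $keyword$ | stats count as TotalEvents by SourceName</query>
+</search>
+<drilldown>
+<link target="_blank">https://www.eventid.net/source-name-$row.SourceName$.htm</link>
+</drilldown>
+<option name="wrap">true</option>
+<option name="rowNumbers">false</option>
+<option name="dataOverlayMode">none</option>
+<option name="count">10</option>
+<option name="drilldown">cell</option>
+</table>
+</panel>
+<panel>
+<title>Event sources percentages</title>
+<chart>
+<search>
+<query>`event_sources` $Type$ AND $Computer$ AND $keyword$ | stats count by SourceName</query>
+</search>
+<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
+<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
+<option name="charting.axisTitleX.visibility">visible</option>
+<option name="charting.axisTitleY.visibility">visible</option>
+<option name="charting.axisTitleY2.visibility">visible</option>
+<option name="charting.axisX.scale">linear</option>
+<option name="charting.axisY.scale">linear</option>
+<option name="charting.axisY2.enabled">0</option>
+<option name="charting.axisY2.scale">inherit</option>
+<option name="charting.chart">pie</option>
+<option name="charting.chart.bubbleMaximumSize">50</option>
+<option name="charting.chart.bubbleMinimumSize">10</option>
+<option name="charting.chart.bubbleSizeBy">area</option>
+<option name="charting.chart.nullValueMode">gaps</option>
+<option name="charting.chart.showDataLabels">none</option>
+<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
+<option name="charting.chart.stackMode">default</option>
+<option name="charting.chart.style">shiny</option>
+<option name="charting.drilldown">all</option>
+<option name="charting.layout.splitSeries">0</option>
+<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
+<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
+<option name="charting.legend.placement">right</option>
+</chart>
+</panel>
+</row>
+<row>
+<panel>
+<title>Matching events - drill down option</title>
+<event>
+<search>
+<query>`event_sources` $Type$ AND $Computer$ AND $keyword$| table _time, ComputerName, LogName, EventCode, SourceName, Type, Message, UserName</query>
+</search>
+<option name="type">table</option>
+<option name="count">10</option>
+<option name="list.drilldown">full</option>
+<option name="list.wrap">1</option>
+<option name="maxLines">5</option>
+<option name="raw.drilldown">full</option>
+<option name="rowNumbers">0</option>
+<option name="table.drilldown">all</option>
+<option name="table.wrap">1</option>
+<fields>["ComputerName","LogName","EventCode","SourceName","Type","Message","UserName"]</fields>
+</event>
+</panel>
+</row>
+</form>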
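Review bot: The drilldown link `https://www.eventid.net/source-name-$row.SourceName$.htm` splices the source name into the URL without encoding; SourceName comes from the monitored hosts' events, so a value with spaces or URL-reserved characters yields a malformed or misrouted link, and the Simple XML URL-encode filter, `$row.SourceName|u$`, is the one-token fix. The same unencoded `$row.…$` pattern is in the XML dashboard's Events Summary drilldown. Separately, the time input carries no `token`, so the two multiselect population searches rely on the global `$earliest$`/`$latest$` tokens while the three panel searches have no `<earliest>`/`<latest>` at all and inherit the form's time range; that works, but a one-line XML comment above the fieldset saying so would stop the next reader from adding time bounds to some panels and not others.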
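--- /dev/null
+++ b/[path-not-shown-on-page]
@@ -0,0 +1,208 @@
+<form>
+<label>XML</label>
+<description>Dashboard for events collected using the renderXML option</description>
+<fieldset autoRun="true" submitButton="false">
+<input type="time" searchWhenChanged="true" token="interval">
+<label>Select time range</label>
+<default>
+<earliest>-24h@h</earliest>
+<latest>now</latest>
+</default>
+</input>
+<input type="checkbox" searchWhenChanged="true" token="Type">
+<label>Event types</label>
+<choice value="2">Error</choice>
+<choice value="3">Warning</choice>
+<choice value="4">Information</choice>
+<choice value="0">Audit</choice>
+<prefix>(</prefix>
+<suffix>)</suffix>
+<valuePrefix>Level="</valuePrefix>
+<valueSuffix>"</valueSuffix>
+<delimiter> OR </delimiter>
+<fieldForLabel>Level</fieldForLabel>
+<fieldForValue>Level</fieldForValue>
+<default>3,2</default>
+<initialValue>2,3</initialValue>
+</input>
+<input type="multiselect" searchWhenChanged="true" token="Computer">
+<label>Computer</label>
+<choice value="*">All</choice>
+<default>*</default>
+<prefix>(</prefix>
+<suffix>)</suffix>
+<valuePrefix>Computer="</valuePrefix>
+<valueSuffix>"</valueSuffix>
+<delimiter> OR </delimiter>
+<search>
+<query>`event_sources_xml` | stats count by Computer</query>
+<earliest>$interval.earliest$</earliest>
+<latest>$interval.latest$</latest>
+</search>
+<fieldForLabel>Computer</fieldForLabel>
+<fieldForValue>Computer</fieldForValue>
+</input>
+<input type="text" searchWhenChanged="true" token="keyword">
+<label>Keyword:</label>
+<default>*</default>
+</input>
+<input type="multiselect" token="sourcetype_token" searchWhenChanged="true">
+<label>Excluded event sources</label>
+<default>none</default>
+<!-- The final value will be surrounded by prefix and suffix -->
+<prefix>(</prefix>
+<suffix>)</suffix>
+<!-- Each value will be surrounded by the valuePrefix and valueSuffix -->
+<valuePrefix>Name!="</valuePrefix>
+<valueSuffix>"</valueSuffix>
+<!-- All the values and their valuePrefix and valueSuffix will be concatenated together with the delimiter between them -->
+<delimiter> AND </delimiter>
+<choice value="none">None</choice>
+<search>
+<query>`event_sources_xml` $Type$ AND $Computer$ AND $keyword$ | rex field=Name mode=sed "s/\'//g" | stats count by Name</query>
+<earliest>$interval.earliest$</earliest>
+<latest>$interval.latest$</latest>
+</search>
+<fieldForLabel>Name</fieldForLabel>
+<fieldForValue>Name</fieldForValue>
+</input>
+</fieldset>
+<row>
+<panel>
+<title>Windows events over time</title>
+<chart>
+<search>
+<query>`event_sources_xml`
+| search $Type$ $Computer$ AND $keyword$
+| lookup xmleventtype_lookup xml_type AS Level OUTPUT event_type
+| timechart count by event_type</query>
+<earliest>$interval.earliest$</earliest>
+<latest>$interval.latest$</latest>
+</search>
+<option name="charting.axisLabelsY.majorUnit">1</option>
+<option name="charting.axisTitleX.text">Time</option>
+<option name="charting.axisTitleY.text">Events</option>
+<option name="charting.chart">line</option>
+<option name="charting.chart.nullValueMode">gaps</option>
+<option name="charting.legend.placement">bottom</option>
+<option name="refresh.display">progressbar</option>
+</chart>
+</panel>
+<panel>
+<title>Top computers generating events</title>
+<chart>
+<search>
+<query>`event_sources_xml` | fillnull value="-" | search $Computer$ AND $keyword$ | stats count by Computer</query>
+<earliest>$interval.earliest$</earliest>
+<latest>$interval.latest$</latest>
+</search>
+<option name="charting.chart">pie</option>
+<option name="charting.legend.placement">none</option>
+<option name="refresh.display">progressbar</option>
+</chart>
+</panel>
+<panel>
+<title>Accounts with 3 or more failed logons</title>
+<chart>
+<search>
+<query>`event_sources_xml` eventtype=windows_logon_failure | stats count by user | where count > 2</query>
+<earliest>$interval.earliest$</earliest>
+<latest>$interval.latest$</latest>
+<sampleRatio>1</sampleRatio>
+</search>
+<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
+<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
+<option name="charting.axisTitleX.visibility">visible</option>
+<option name="charting.axisTitleY.visibility">visible</option>
+<option name="charting.axisTitleY2.visibility">visible</option>
+<option name="charting.axisX.scale">linear</option>
+<option name="charting.axisY.scale">linear</option>
+<option name="charting.axisY2.enabled">0</option>
+<option name="charting.axisY2.scale">inherit</option>
+<option name="charting.chart">pie</option>
+<option name="charting.chart.bubbleMaximumSize">50</option>
+<option name="charting.chart.bubbleMinimumSize">10</option>
+<option name="charting.chart.bubbleSizeBy">area</option>
+<option name="charting.chart.nullValueMode">gaps</option>
+<option name="charting.chart.showDataLabels">none</option>
+<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
+<option name="charting.chart.stackMode">default</option>
+<option name="charting.chart.style">shiny</option>
+<option name="charting.drilldown">all</option>
+<option name="charting.layout.splitSeries">0</option>
+<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
+<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
+<option name="charting.legend.placement">right</option>
+<option name="refresh.display">progressbar</option>
+</chart>
+</panel>
+<panel>
+<title>Logon Audit Failure events</title>
+<single>
+<search>
+<query>`event_sources_xml` eventtype=windows_logon_failure | eval user=mvindex(Account_Name,1) | stats count</query>
+<earliest>$interval.earliest$</earliest>
+<latest>$interval.latest$</latest>
+</search>
+<option name="rangeValues">[0,2,5,10]</option>
+<option name="refresh.display">progressbar</option>
+<option name="useColors">1</option>
+</single>
+</panel>
+</row>
+<row>
+<panel>
+<title>Events Summary</title>
+<table id="link2">
+<search>
+<query>`event_sources_xml` | search $Type$ $Computer$ | lookup xmleventtype_lookup xml_type AS Level OUTPUT event_type | rex field=Name mode=sed "s/\'//g" | stats earliest(_time) as First latest(_time) as Last count by Computer,EventID,Name,Channel, event_type,eventtype | sort -count Computer,EventID,Name,Channel, event_type,eventtype | fieldformat First=strftime(First,"%x %X") | fieldformat Last=strftime(Last,"%x %X") | rename Channel as Log, Name as Source,event_type as Level,eventtype as Category</query>
+<earliest>$interval.earliest$</earliest>
+<latest>$interval.latest$</latest>
+</search>
+<option name="count">10</option>
+<option name="dataOverlayMode">none</option>
+<option name="drilldown">cell</option>
+<option name="refresh.display">progressbar</option>
+<option name="rowNumbers">false</option>
+<option name="wrap">true</option>
+<drilldown>
+<link target="_blank">https://www.eventid.net/display.asp?eventid=$row.EventId$&source=$row.SourceName$&app=SplunkEvId</link>
+</drilldown>
+</table>
+</panel>
+<panel>
+<title>Logon Audit Failure events</title>
+<table>
+<search>
+<query>`event_sources_xml` eventtype=windows_logon_failure | table _time,Computer,EventID,user,WorkstationName,LogonType,name | rename name as Details</query>
+<earliest>$interval.earliest$</earliest>
+<latest>$interval.latest$</latest>
+</search>
+<option name="count">10</option>
+<option name="dataOverlayMode">none</option>
+<option name="drilldown">cell</option>
+<option name="refresh.display">progressbar</option>
+<option name="rowNumbers">false</option>
+<option name="wrap">true</option>
+</table>
+</panel>
+</row>
+<row>
+<panel>
+<title>Events List</title>
+<table id="link">
+<search>
+<query>`event_sources_xml` | search ($Type$) AND $Computer$ AND $keyword$ $sourcetype_token$ | rex field=Name mode=sed "s/\'//g" | lookup xmleventtype_lookup xml_type AS Level OUTPUT event_type | lookup xml_raw_data_lookup raw_xml_data as EventData_Xml OUTPUT extracted_xml_data | eval extracted_xml_data = split(extracted_xml_data,"@") | table _time,EventID,Name,Channel, event_type,eventtype, extracted_xml_data | rename Channel as Log, event_type as Level, eventtype as Category, Name as Source</query>
+<earliest>$interval.earliest$</earliest>
+<latest>$interval.latest$</latest>
+</search>
+<option name="count">10</option>
+<option name="dataOverlayMode">none</option>
+<option name="drilldown">cell</option>
+<option name="refresh.display">progressbar</option>
+<option name="rowNumbers">false</option>
+<option name="wrap">true</option>
+</table>
+</panel>
+</row>
+</form>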
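Review bot: The Events Summary drilldown `https://www.eventid.net/display.asp?eventid=$row.EventId$&source=$row.SourceName$&app=SplunkEvId` references columns the table does not produce: its query groups by `EventID` (capital D) and renames `Name` to `Source`, so `$row.EventId$` and `$row.SourceName$` expand to nothing and every click opens a link with empty parameters. `$row.EventID|u$` and `$row.Source|u$` match the real column names and URL-encode values that originate in event data. If the file really contains a bare `&` between the query parameters as rendered here, it must be written `&amp;` for the dashboard XML to parse at all. In the `Logon Audit Failure events` single-value panel, the `| eval user=mvindex(Account_Name,1)` ahead of `| stats count` has no effect on the count and can be dropped.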
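--- /dev/null
+++ b/[path-not-shown-on-page]
@@ -0,0 +1,23 @@
+<setup>
+
+<block title="Specify the index and our data sources matching Windows events"
+endpoint="admin/macros"
+entity="event_sources">
+
+<input field="definition">
+<label>The EventId App will analyze the specified index</label>
+<type>text</type>
+</input>
+</block>
+
+<block title="Specify the index storing Windows XML events (only if using renderXML stanza)"
+endpoint="admin/macros"
+entity="event_sources_xml">
+
+<input field="definition">
+<label>The XML dashboard will analyze the specified index</label>
+<type>text</type>
+</input>
+</block>
+
+</setup>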
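Review bot: Both `<input field="definition">` blocks write the raw macro definition of `event_sources` / `event_sources_xml`, yet the labels tell the user to specify an index; someone who types only an index name gets a macro that every dashboard query begins with and that matches nothing. Rewording the labels to say that a search fragment is expected, along the lines of `Search fragment every dashboard query will start with, typically an index= clause` (a constructed example would be `index=wineventlog`), removes the ambiguity. There is no validation on the field, so whatever is entered is spliced verbatim into every search; a short XML comment above the first block stating that is worth having for the next maintainer.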
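--- /dev/null
+++ b/[path-not-shown-on-page]
@@ -0,0 +1,22 @@
+[interesting_process_lookup]
+default_match = N/A
+filename = eventid_interesting_processes.csv
+max_matches = 1
+
+[processlookup]
+external_cmd = ev_process_proc.py full_path_process process
+fields_list = full_path_process,process
+
+[xmleventtype_lookup]
+default_match = N/A
+filename = xml_event_types.csv
+max_matches = 1
+
+[xml_raw_data_lookup]
+external_cmd = ev_process_xml_parameters.py raw_xml_data extracted_xml_data
+fields_list = raw_xml_data,extracted_xml_data
+
+[interesting_events_lookup]
+default_match = N/A
+filename = eventid_interesting_events.csv
+max_matches = 1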
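Review bot: `xml_raw_data_lookup` and `processlookup` pass event field values (`raw_xml_data`, `full_path_process`) to external scripts `ev_process_xml_parameters.py` and `ev_process_proc.py` that are not part of this chunk, so this review cannot see how the XML is parsed; since that input is event data produced on the monitored hosts, a comment on the `[xml_raw_data_lookup]` stanza stating which parser the script uses and that external-entity resolution is disabled (or explicitly that it is not) would let a reader judge the stanza without opening the script. The three CSV-backed stanzas consistently set `default_match = N/A` and `max_matches = 1`; the two external stanzas set neither, which is presumably deliberate but worth a one-line comment so it is not read as an omission.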