From 4fd8e8e43460587ef5fc5e1497577430100212e7 Mon Sep 17 00:00:00 2001
From: admingit
Date: Mon, 12 Feb 2024 16:03:37 +0100
Subject: [PATCH] Enable_Savedsearches

---
 .../default/savedsearches.conf | 150 +++++++++---------
 1 file changed, 75 insertions(+), 75 deletions(-)

diff --git a/deployment-apps/DA-ITSI-CP-windows-dashboards/default/savedsearches.conf b/deployment-apps/DA-ITSI-CP-windows-dashboards/default/savedsearches.conf
index 29f46413..21c6fb6d 100644
--- a/deployment-apps/DA-ITSI-CP-windows-dashboards/default/savedsearches.conf
+++ b/deployment-apps/DA-ITSI-CP-windows-dashboards/default/savedsearches.conf
@@ -1,12 +1,12 @@
 [ActiveDirectory: Create Computer Lookup]
-disabled = 1
+disabled = 0
 search = eventtype=msad_index_windows `admon-computer-lookup-update`
 run_on_startup = true
 dispatch.earliest_time = 0
 dispatch.latest_time = now
 
 [ActiveDirectory: Update Computer Lookup]
-disabled = 1
+disabled = 0
 search = eventtype=msad_index_windows `admon-computer-lookup-update`
 enableSched = 1
 cron_schedule = */15 * * * *
@@ -15,14 +15,14 @@ dispatch.earliest_time = -30m
 dispatch.latest_time = now
 
 [ActiveDirectory: Create GPO Lookup]
-disabled = 1
+disabled = 0
 search = eventtype=msad_index_windows `admon-gpo-lookup-update`
 run_on_startup = true
 dispatch.earliest_time = 0
 dispatch.latest_time = now
 
 [ActiveDirectory: Update GPO Lookup]
-disabled = 1
+disabled = 0
 search = eventtype=msad_index_windows `admon-gpo-lookup-update`
 enableSched = 1
 cron_schedule = */15 * * * *
@@ -31,14 +31,14 @@ dispatch.earliest_time = -30m
 dispatch.latest_time = now
 
 [ActiveDirectory: Create Group Lookup]
-disabled = 1
+disabled = 0
 search = eventtype=msad_index_windows `admon-group-lookup-update`
 run_on_startup = true
 dispatch.earliest_time = 0
 dispatch.latest_time = now
 
 [ActiveDirectory: Update Group Lookup]
-disabled = 1
+disabled = 0
 search = eventtype=msad_index_windows `admon-group-lookup-update`
 enableSched = 1
 cron_schedule = */15 * * * *
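Review bot: Enabling every stanza in one commit lands all of the scheduled lookup builders on the same cron minute — the `ActiveDirectory: Update Computer/GPO/Group Lookup` stanzas in these three hunks all carry `cron_schedule = */15 * * * *`, and the matching `Create * Lookup` stanzas all have `run_on_startup = true`, so they dispatch together at splunkd start and again every quarter hour. Staggering the offsets (for example `cron_schedule = 3,18,33,48 * * * *` on the GPO update and a different offset on each of the others) or adding `schedule_window = auto` to the scheduled stanzas would keep the scheduler from queueing or skipping them; the same applies to the other scheduled stanzas this patch enables, `[ActiveDirectory: Update User Lookup]` in the `-47` hunk, `[tHostInfo_Lookup_Update]` at `*/5 * * * *` in the `-132` hunk, and the `*/15 * * * *` stanza in the `-1051` hunk. The subject line `Enable_Savedsearches` records no reason for flipping all 75 stanzas at once, so a sentence in the commit body naming which dashboards needed them, and whether the ad-hoc reports with `enableSched = 0` were meant to be included, would help the next reader.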
@@ -47,14 +47,14 @@ dispatch.earliest_time = -30m
 dispatch.latest_time = now
 
 [ActiveDirectory: Create User Lookup]
-disabled = 1
+disabled = 0
 search = eventtype=msad_index_windows `admon-user-lookup-update`
 run_on_startup = true
 dispatch.earliest_time = 0
 dispatch.latest_time = now
 
 [ActiveDirectory: Update User Lookup]
-disabled = 1
+disabled = 0
 search = eventtype=msad_index_windows `admon-user-lookup-update`
 enableSched = 1
 cron_schedule = */15 * * * *
@@ -63,53 +63,53 @@ dispatch.earliest_time = -30m dispatch.latest_time = now [DNS: Failing Domains] -disabled = 1 +disabled = 0 search = eventtype=msad_index_windows eventtype=msad-dns-debuglog direction="Snd" response!="NOERROR"|top questiontype,questionname,response|`fix-dnsname(questionname)` enableSched = 0 [DNS: Top Failing Domains] -disabled = 1 +disabled = 0 search = eventtype=msad_index_windows eventtype=msad-dns-debuglog direction="Rcv" response!="NOERROR"|top questiontype,questionname|`fix-dnsname(questionname)` enableSched = 0 [build_winfra_lookup] -disabled = 1 +disabled = 0 search = | runsavedsearcheswinfra enableSched = 0 alert.track = 0 description = It will fill the necessary lookups that are used in populating the Content pack for windows dashboards and reports [DNS: Top Hosts sending failing queries] -disabled = 1 +disabled = 0 search = eventtype=msad_index_windows eventtype=msad-dns-debuglog direction="Rcv" response!="NOERROR"|top src_ip enableSched = 0 [DNS: Top Non-Authoritative Responses] -disabled = 1 +disabled = 0 search = eventtype=msad_index_windows eventtype=msad-dns-debuglog direction="Snd" response!="NOERROR" flags!="A*"|top questiontype,questionname|`fix-dnsname(questionname)` enableSched = 0 [DNS: Top Querying Hosts] -disabled = 1 +disabled = 0 search = eventtype=msad_index_windows eventtype=msad-dns-debuglog direction="Rcv"|top src_ip enableSched = 0 [DNS: Top Recursive Failure Domains] -disabled = 1 +disabled = 0 search = eventtype=msad_index_windows eventtype=msad-dns-debuglog direction="Rcv" flags="*DR" response!="NOERROR"|top questiontype,questionname|`fix-dnsname(questionname)` enableSched = 0 [DNS: Top Requested Queries] -disabled = 1 +disabled = 0 search = eventtype=msad_index_windows eventtype=msad-dns-debuglog direction="Rcv"|top questiontype,questionname|`fix-dnsname(questionname)` enableSched = 0 [DomainSelector_Lookup] -disabled = 1 +disabled = 0 search = eventtype=msad_index_windows `domain-selector-search` \ | eval _key 
= host \ | outputlookup DomainSelector append=true @@ -120,7 +120,7 @@ dispatch.earliest_time = -1h dispatch.latest_time = now [HostToDomain_Lookup_Update] -disabled = 1 +disabled = 0 search = eventtype=msad_index_windows `domain-list` \ | sort host \ | eval _key = host \ @@ -132,7 +132,7 @@ dispatch.earliest_time = -24h@h dispatch.latest_time = now [tHostInfo_Lookup_Update] -disabled = 1 +disabled = 0 search = eventtype=wineventlog_index_windows `thostinfo`|inputlookup append=T tHostInfo|where _time > relative_time(now(), "-30d@d")|sort 0 src_ip,src_hostdomain,_time|dedup consecutive=T src_ip,src_hostdomain|sort 0 -_time|outputlookup tHostInfo enableSched = 1 cron_schedule = */5 * * * * @@ -145,7 +145,7 @@ dispatch.latest_time = now [SiteInfo_Lookup_Update] -disabled = 1 +disabled = 0 search = eventtype=msad_index_windows eventtype=msad-dc-health \ | table host,Site \ | dedup host, Site \ @@ -166,7 +166,7 @@ dispatch.latest_time = now ########################################## [WinApp_Lookup_Event - Event Details] -disabled = 1 +disabled = 0 action.email.inline = 1 action.email.reportServerEnabled = 0 alert.digest_mode = True @@ -182,7 +182,7 @@ search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" \ | sort LogName, EventCode, SourceName, TaskCategory, Type, EventCodeDescription [WinApp_Lookup_Event - Host] -disabled = 1 +disabled = 0 action.email.reportServerEnabled = 0 alert.track = 0 dispatch.earliest_time = 0 @@ -196,7 +196,7 @@ search = | inputlookup windows_event_system\ ###### Specific Fields Lists ###### [WinApp_Lookup_Event - EventCode Description] -disabled = 1 +disabled = 0 action.email.inline = 1 action.email.reportServerEnabled = 0 alert.digest_mode = True @@ -214,7 +214,7 @@ search = eventtype=wineventlog_index_windows eventtype="wineventlog_common"\ | sort EventCode [WinApp_Lookup_Event - EventCode] -disabled = 1 +disabled = 0 action.email.inline = 1 action.email.reportServerEnabled = 0 alert.digest_mode = True 
@@ -229,7 +229,7 @@ search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" \
 | sort EventCode
 
 [WinApp_Lookup_Event - LogName]
-disabled = 1
+disabled = 0
 action.email.inline = 1
 action.email.reportServerEnabled = 0
 alert.digest_mode = True
@@ -244,7 +244,7 @@ search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" \
 | sort LogName
 
 [WinApp_Lookup_Event - TaskCategory]
-disabled = 1
+disabled = 0
 action.email.reportServerEnabled = 0
 alert.track = 0
 dispatch.earliest_time = @d
@@ -256,7 +256,7 @@ search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" \
 | sort TaskCategory
 
 [WinApp_Lookup_Perfmon - Combined]
-disabled = 1
+disabled = 0
 action.email.reportServerEnabled = 0
 alert.track = 0
 dispatch.earliest_time = @d
@@ -269,7 +269,7 @@ search = eventtype=perfmon_index_windows eventtype="perfmon_windows" object=* \
 | sort object, counter, instance
 
 [WinApp_Lookup_Perfmon - Object]
-disabled = 1
+disabled = 0
 action.email.reportServerEnabled = 0
 alert.track = 0
 dispatch.earliest_time = @d
@@ -281,7 +281,7 @@ search = eventtype=perfmon_index_windows eventtype="perfmon_windows" object=* \
 | sort object
 
 [WinApp_Lookup_Perfmon - Collections, Object, and counters]
-disabled = 1
+disabled = 0
 action.email.reportServerEnabled = 0
 alert.track = 0
 dispatch.earliest_time = @d
@@ -293,7 +293,7 @@ search = eventtype=perfmon_index_windows eventtype="perfmon_windows" object=* \
 | sort object
 
 [WinApp_Lookup_Perfmon - counters and instances]
-disabled = 1
+disabled = 0
 action.email.reportServerEnabled = 0
 alert.track = 0
 dispatch.earliest_time = @d
@@ -305,7 +305,7 @@ search = eventtype=perfmon_index_windows eventtype="perfmon_windows" object=* \
 | stats values(instance) as Perfmon_instances by Perfmon_counters
 
 [WinApp_Lookup_Perfmon - Host]
-disabled = 1
+disabled = 0
 action.email.reportServerEnabled = 0
 alert.track = 0
 dispatch.earliest_time = 0
@@ -323,7 +323,7 @@ search = | inputlookup windows_perfmon_system\ ###################################################### [WinApp_Lookup_Build_Perfmon - Update - Server] -disabled = 1 +disabled = 0 action.email.inline = 1 alert.digest_mode = True alert.severity = 1 @@ -341,7 +341,7 @@ search = eventtype=perfmon_index_windows eventtype="perfmon_windows" object=* \ | outputlookup windows_perfmon_system append=true [WinApp_Lookup_Build_Event - Update - Server] -disabled = 1 +disabled = 0 is_visible = true action.email.inline = 1 alert.digest_mode = True @@ -360,7 +360,7 @@ search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" \ | outputlookup windows_event_system append=true [WinApp_Lookup_Build_Hostmon - Update - Server] -disabled = 1 +disabled = 0 is_visible = true action.email.inline = 1 alert.digest_mode = True @@ -379,7 +379,7 @@ search = eventtype=windows_index_windows eventtype="hostmon_windows" \ | outputlookup windows_hostmon_system append=true [WinApp_Lookup_Build_Netmon - Update - Server] -disabled = 1 +disabled = 0 is_visible = true action.email.inline = 1 alert.digest_mode = True @@ -398,7 +398,7 @@ search = eventtype=windows_index_windows eventtype="netmon_windows" \ | outputlookup windows_netmon_system append=true [WinApp_Lookup_Build_Printmon - Update] -disabled = 1 +disabled = 0 is_visible = true action.email.inline = 1 alert.digest_mode = True @@ -423,7 +423,7 @@ search = eventtype=windows_index_windows sourcetype=WinPrintMon \ ###################################################### [WinApp_Lookup_Build_Perfmon - CreateNew - Server] -disabled = 1 +disabled = 0 action.email.inline = 1 action.email.reportServerEnabled = 0 alert.digest_mode = True 
@@ -439,7 +439,7 @@ search = eventtype=perfmon_index_windows eventtype="perfmon_windows" object=* ea | outputlookup windows_perfmon_system [WinApp_Lookup_Build_Netmon - CreateNew - Server] -disabled = 1 +disabled = 0 action.email.inline = 1 action.email.reportServerEnabled = 0 alert.digest_mode = True @@ -454,7 +454,7 @@ search = eventtype=windows_index_windows eventtype="netmon_windows" \ | outputlookup windows_netmon_system [WinApp_Lookup_Build_Printmon - CreateNew] -disabled = 1 +disabled = 0 action.email.inline = 1 action.email.reportServerEnabled = 0 alert.digest_mode = True @@ -472,7 +472,7 @@ search = eventtype=windows_index_windows sourcetype=WinPrintMon \ | outputlookup windows_printmon [WinApp_Lookup_Build_Event - CreateNew - Server] -disabled = 1 +disabled = 0 action.email.inline = 1 action.email.reportServerEnabled = 0 alert.digest_mode = True @@ -492,7 +492,7 @@ search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" \ [WinApp_Lookup_Build_Hostmon - CreateNew - Server] -disabled = 1 +disabled = 0 action.email.inline = 1 action.email.reportServerEnabled = 0 alert.digest_mode = True @@ -515,7 +515,7 @@ search = eventtype=windows_index_windows eventtype="hostmon_windows"\ #################################### [Generic event counts] -disabled = 1 +disabled = 0 action.email.reportServerEnabled = 0 alert.track = 0 dispatch.earliest_time = -60m@m @@ -527,7 +527,7 @@ search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" \ | stats count by LogName, EventCode, Keywords, TaskCategory, Type [Event categories and counts by host for the last 30 days] -disabled = 1 +disabled = 0 action.email.reportServerEnabled = 0 alert.track = 0 dispatch.earliest_time = -30d@d 
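Review bot: The `CreateNew` stanzas enabled in the `-439`, `-454`, `-472` and `-492` hunks here (and `-423` in the previous line) write their lookups without `append=true` — the context line `| outputlookup windows_perfmon_system` above the first one shows the overwrite form — while the matching `Update` stanzas enabled in the `-341`, `-360`, `-379` and `-398` hunks end in `| outputlookup ... append=true`. With both variants now active, an overwrite run of a `CreateNew` stanza discards everything its `Update` twin has appended since the last rebuild; whether that can happen on a schedule cannot be seen here, because each `CreateNew` stanza's `enableSched`/`cron_schedule` lines fall outside the hunk. Worth confirming those stanzas stay ad-hoc (`enableSched = 0`) before this deploys, or leaving `disabled = 1` on the `CreateNew` variants and enabling them only for a one-off rebuild.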
@@ -545,7 +545,7 @@ search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" \ | table Host_Count, Event_Category_Count [Event severity counts by host for the last 30 days] -disabled = 1 +disabled = 0 action.email.inline = 1 action.email.reportServerEnabled = 0 alert.digest_mode = True @@ -568,7 +568,7 @@ search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" (Eve | table host * [Event severity counts by host for the last 7 days] -disabled = 1 +disabled = 0 action.email.inline = 1 action.email.reportServerEnabled = 0 alert.digest_mode = True @@ -591,7 +591,7 @@ search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" (Eve | table host * [Event severity counts by host for the last 24 hours] -disabled = 1 +disabled = 0 action.email.inline = 1 action.email.reportServerEnabled = 0 alert.digest_mode = True @@ -619,7 +619,7 @@ search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" (Eve ###################################### [Performance counter categories and counts by host for the last 7 days] -disabled = 1 +disabled = 0 action.email.reportServerEnabled = 0 alert.track = 0 dispatch.earliest_time = -7d@h @@ -632,7 +632,7 @@ search = eventtype=perfmon_index_windows eventtype="perfmon_windows" \ | sort Host [Number of hosts with Average CPU utilization > 80% in the last 24 hours] -disabled = 1 +disabled = 0 dispatch.earliest_time = -24h dispatch.latest_time = now dispatch.ttl = 2p @@ -643,7 +643,7 @@ search = eventtype=perfmon_index_windows eventtype=perfmon_windows Host=* object [Average Memory utilization per process, host in the last 24 hours] action.email.sendresults = 0 -disabled = 1 +disabled = 0 dispatch.earliest_time = -24h dispatch.latest_time = now dispatch.ttl = 2p 
@@ -654,7 +654,7 @@ search = eventtype=perfmon_index_windows eventtype=perfmon_windows object=Proces [Average CPU utilization per process, host in the last 24 hours] action.email.sendresults = 0 -disabled = 1 +disabled = 0 dispatch.earliest_time = -24h dispatch.latest_time = now dispatch.ttl = 2p @@ -668,7 +668,7 @@ search = eventtype=perfmon_index_windows eventtype=perfmon_windows object=Proces ############################################# [Application crash count in the last 24 hours] -disabled = 1 +disabled = 0 action.email.inline = 1 action.email.reportServerEnabled = 0 alert.digest_mode = True @@ -681,7 +681,7 @@ search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" Even | timechart count by application [Application crash count in the last 7 days] -disabled = 1 +disabled = 0 action.email.inline = 1 action.email.reportServerEnabled = 0 alert.digest_mode = True @@ -694,7 +694,7 @@ search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" Even | timechart count by application [Application crash count in the last 30 days] -disabled = 1 +disabled = 0 action.email.inline = 1 action.email.reportServerEnabled = 0 alert.digest_mode = True @@ -711,7 +711,7 @@ search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" Even ############################################## [Count of total installs per user for the last 7 days] -disabled = 1 +disabled = 0 action.email.reportServerEnabled = 0 alert.track = 0 dispatch.earliest_time = -7d@h @@ -723,7 +723,7 @@ search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" Sour | sort -count [Count of total installs per user each day for the last 7 days] -disabled = 1 +disabled = 0 action.email.reportServerEnabled = 0 alert.track = 0 dispatch.earliest_time = -7d@h 
@@ -734,7 +734,7 @@ search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" Sour
 | timechart count by User
 
 [System_App Installs - By Host - Timechart - 7days]
-disabled = 1
+disabled = 0
 action.email.reportServerEnabled = 0
 alert.track = 0
 dispatch.earliest_time = -7d@h
@@ -747,7 +747,7 @@ search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" Sour
 | timechart span=1d count by host
 
 [Count of total installs per Application each day for the last 7 days]
-disabled = 1
+disabled = 0
 action.email.reportServerEnabled = 0
 alert.track = 0
 dispatch.earliest_time = -7d@h
@@ -759,7 +759,7 @@ search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" Sour
 | timechart span=1d count by product_name
 
 [List of Applications, Time of install, User and Host for the last 7 days]
-disabled = 1
+disabled = 0
 action.email.reportServerEnabled = 0
 alert.track = 0
 dispatch.earliest_time = -7d@h
@@ -780,7 +780,7 @@ action.email.inline = 1
 alert.digest_mode = True
 alert.suppress = 0
 alert.track = 0
-disabled = 1
+disabled = 0
 dispatch.earliest_time = -7d
 dispatch.latest_time = now
 search = eventtype=windows_index_windows OR eventtype=wineventlog_index_windows NOT [ search eventtype="Update_Successful_windows" | dedup package, host | fields + host, package ] \
@@ -796,7 +796,7 @@ action.email.inline = 1
 alert.digest_mode = True
 alert.suppress = 0
 alert.track = 0
-disabled = 1
+disabled = 0
 dispatch.earliest_time = -30d@d
 dispatch.latest_time = now
 displayview = search
@@ -822,7 +822,7 @@ action.email.inline = 1
 alert.digest_mode = True
 alert.suppress = 0
 alert.track = 0
-disabled = 1
+disabled = 0
 dispatch.earliest_time = -7d
 dispatch.latest_time = now
 search = eventtype=windows_index_windows OR eventtype=wineventlog_index_windows eventtype="Update_Successful_windows" \
@@ -833,7 +833,7 @@ search = eventtype=windows_index_windows OR eventtype=wineventlog_index_windows
 
 [List of shutdowns for last 30 days]
 action.email.sendresults = 0
-disabled = 1
+disabled = 0
 dispatch.earliest_time = -30d@d
 dispatch.latest_time = now
 relation = None
@@ -843,7 +843,7 @@ search = eventtype=wineventlog_index_windows source=wineventlog:system "EventCod
 
 [List of unexpected service terminations for the last 30 days]
 action.email.sendresults = 0
-disabled = 1
+disabled = 0
 dispatch.earliest_time = -30d@d
 dispatch.latest_time = now
 relation = None
@@ -853,7 +853,7 @@ search = eventtype=wineventlog_index_windows source=wineventlog:system terminate
 
 [List of failed service starts for the last 30 days]
 action.email.sendresults = 0
-disabled = 1
+disabled = 0
 dispatch.earliest_time = -30d@d
 dispatch.latest_time = now
 relation = None
@@ -863,7 +863,7 @@ search = eventtype=wineventlog_index_windows source=wineventlog:system SourceNam
 
 [WinMgmt_Security_Logon_Success Overall by Host]
 alert.track = 0
-disabled = 1
+disabled = 0
 dispatch.earliest_time = -7d@h
 dispatch.latest_time = now
 displayview = search
@@ -876,7 +876,7 @@ search = eventtype=wineventlog_index_windows eventtype="wineventlog_common"("Eve
 
 [WinMgmt_Security_Logon_Success Overtime]
 alert.track = 0
-disabled = 1
+disabled = 0
 dispatch.earliest_time = -7d@h
 dispatch.latest_time = now
 displayview = search
@@ -888,7 +888,7 @@ search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" ("Ev
 
 [WinMgmt_Security_Logon_Unsuccessful]
 alert.track = 0
-disabled = 1
+disabled = 0
 dispatch.earliest_time = -7d@h
 dispatch.latest_time = now
 displayview = search
@@ -901,7 +901,7 @@ search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" Even
 
 [WinMgmt_System_Reboot Overtime]
 alert.track = 0
-disabled = 1
+disabled = 0
 dispatch.earliest_time = -7d@h
 dispatch.latest_time = now
 displayview = search
@@ -927,7 +927,7 @@ search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" Even ########################################## [WinApp_Lookup_Build_Hostmon_Machine - Update - Detail] -disabled = 1 +disabled = 0 is_visible = true action.email.inline = 1 alert.digest_mode = True @@ -946,7 +946,7 @@ search = eventtype=windows_index_windows eventtype="hostmon_windows" Type=Operat | outputlookup windows_hostmon_machine_details append=true [WinApp_Lookup_Build_Hostmon_Machine - CreateNew - Detail] -disabled = 1 +disabled = 0 action.email.inline = 1 action.email.reportServerEnabled = 0 alert.digest_mode = True @@ -962,7 +962,7 @@ search = eventtype=windows_index_windows eventtype="hostmon_windows" Type=Operat | outputlookup windows_hostmon_machine_details [WinApp_Lookup_Build_Hostmon_FS - Update - Detail] -disabled = 1 +disabled = 0 is_visible = true action.email.inline = 1 alert.digest_mode = True @@ -982,7 +982,7 @@ search = eventtype=windows_index_windows eventtype=hostmon_windows Type=Disk \ | outputlookup windows_hostmon_fs_details append=true [WinApp_Lookup_Build_Hostmon_FS - CreateNew - Detail] -disabled = 1 +disabled = 0 action.email.inline = 1 action.email.reportServerEnabled = 0 alert.digest_mode = True @@ -999,7 +999,7 @@ search = eventtype=windows_index_windows eventtype=hostmon_windows Type=Disk \ | outputlookup windows_hostmon_fs_details [WinApp_Lookup_Build_Hostmon_Process - Update - Detail] -disabled = 1 +disabled = 0 is_visible = true action.email.inline = 1 alert.digest_mode = True @@ -1017,7 +1017,7 @@ search = eventtype=windows_index_windows eventtype=hostmon_windows Type=Process | outputlookup windows_hostmon_process_details append=true [WinApp_Lookup_Build_Hostmon_Process - CreateNew - Detail] -disabled = 1 +disabled = 0 action.email.inline = 1 action.email.reportServerEnabled = 0 alert.digest_mode = True 
@@ -1051,7 +1051,7 @@ cron_schedule = */15 * * * *
 dispatch.earliest_time = -60m
 dispatch.latest_time = now
 enableSched = 1
-disabled = 1
+disabled = 0
 search = eventtype=msad_index_windows eventtype="msad-dc-health" | dedup host\
 |eval entity_title=host\
 |eval entity_type="Active Directory"\
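Review bot: The stanza enabled in this hunk is scheduled (`enableSched = 1`, `cron_schedule = */15 * * * *`) and its search shapes rows as `entity_title`/`entity_type="Active Directory"`, which looks like an ITSI entity import rather than a dashboard report; if so, flipping `disabled = 0` starts creating or updating entities every 15 minutes, a write side effect the commit does not mention. The stanza header sits above the hunk and the search continues past its last `\`, so what the rows feed cannot be confirmed from here. Worth checking that the import is intended before this deploys, and adding a `description = ...` line to the stanza saying what it populates, as `[build_winfra_lookup]` already does.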