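# savedsearches.conf — Splunk saved searches and reports for the Windows
# infrastructure content pack (Active Directory admon, DNS debug log,
# WinEventLog, Perfmon, host/net/print monitoring, Windows Update, ITSI).
#
# Conventions used in this file:
#   - "Create*" / "CreateNew*" stanzas rebuild a lookup from scratch with a
#     plain `outputlookup`; they carry no enableSched and are meant to be run
#     on demand. "Update*" stanzas are scheduled and `outputlookup ... append=true`.
#   - Multi-line `search` values use Splunk's trailing-backslash continuation.
#   - Booleans are written lowercase (true / false); Splunk accepts both cases.
#   - Comments are full-line `#` comments only (inline text would become part
#     of the value).

##########################################
###### Active Directory (admon) lookups ###
##########################################

# Create = all-time rebuild; Update = every 15 minutes over the last 30 minutes.

[ActiveDirectory: Create Computer Lookup]
disabled = 0
search = eventtype=msad_index_windows `admon-computer-lookup-update`
run_on_startup = true
dispatch.earliest_time = 0
dispatch.latest_time = now

[ActiveDirectory: Update Computer Lookup]
disabled = 0
search = eventtype=msad_index_windows `admon-computer-lookup-update`
enableSched = 1
cron_schedule = */15 * * * *
run_on_startup = true
dispatch.earliest_time = -30m
dispatch.latest_time = now

[ActiveDirectory: Create GPO Lookup]
disabled = 0
search = eventtype=msad_index_windows `admon-gpo-lookup-update`
run_on_startup = true
dispatch.earliest_time = 0
dispatch.latest_time = now

[ActiveDirectory: Update GPO Lookup]
disabled = 0
search = eventtype=msad_index_windows `admon-gpo-lookup-update`
enableSched = 1
cron_schedule = */15 * * * *
run_on_startup = true
dispatch.earliest_time = -30m
dispatch.latest_time = now

[ActiveDirectory: Create Group Lookup]
disabled = 0
search = eventtype=msad_index_windows `admon-group-lookup-update`
run_on_startup = true
dispatch.earliest_time = 0
dispatch.latest_time = now

[ActiveDirectory: Update Group Lookup]
disabled = 0
search = eventtype=msad_index_windows `admon-group-lookup-update`
enableSched = 1
cron_schedule = */15 * * * *
run_on_startup = true
dispatch.earliest_time = -30m
dispatch.latest_time = now

[ActiveDirectory: Create User Lookup]
disabled = 0
search = eventtype=msad_index_windows `admon-user-lookup-update`
run_on_startup = true
dispatch.earliest_time = 0
dispatch.latest_time = now

[ActiveDirectory: Update User Lookup]
disabled = 0
search = eventtype=msad_index_windows `admon-user-lookup-update`
enableSched = 1
cron_schedule = */15 * * * *
run_on_startup = true
dispatch.earliest_time = -30m
dispatch.latest_time = now

##########################################
###### DNS debug-log reports ##############
##########################################

# direction="Snd" = responses the DNS server sent; "Rcv" = queries it received.

[DNS: Failing Domains]
disabled = 0
search = eventtype=msad_index_windows eventtype=msad-dns-debuglog direction="Snd" response!="NOERROR" \
    | top questiontype,questionname,response \
    | `fix-dnsname(questionname)`
enableSched = 0

[DNS: Top Failing Domains]
disabled = 0
search = eventtype=msad_index_windows eventtype=msad-dns-debuglog direction="Rcv" response!="NOERROR" \
    | top questiontype,questionname \
    | `fix-dnsname(questionname)`
enableSched = 0

# Runs the lookup-building searches above via the custom command; not scheduled.
[build_winfra_lookup]
disabled = 0
search = | runsavedsearcheswinfra
enableSched = 0
alert.track = 0
description = It will fill the necessary lookups that are used in populating the Content pack for windows dashboards and reports

[DNS: Top Hosts sending failing queries]
disabled = 0
search = eventtype=msad_index_windows eventtype=msad-dns-debuglog direction="Rcv" response!="NOERROR" \
    | top src_ip
enableSched = 0

[DNS: Top Non-Authoritative Responses]
disabled = 0
search = eventtype=msad_index_windows eventtype=msad-dns-debuglog direction="Snd" response!="NOERROR" flags!="A*" \
    | top questiontype,questionname \
    | `fix-dnsname(questionname)`
enableSched = 0

[DNS: Top Querying Hosts]
disabled = 0
search = eventtype=msad_index_windows eventtype=msad-dns-debuglog direction="Rcv" \
    | top src_ip
enableSched = 0

[DNS: Top Recursive Failure Domains]
disabled = 0
search = eventtype=msad_index_windows eventtype=msad-dns-debuglog direction="Rcv" flags="*DR" response!="NOERROR" \
    | top questiontype,questionname \
    | `fix-dnsname(questionname)`
enableSched = 0

[DNS: Top Requested Queries]
disabled = 0
search = eventtype=msad_index_windows eventtype=msad-dns-debuglog direction="Rcv" \
    | top questiontype,questionname \
    | `fix-dnsname(questionname)`
enableSched = 0

##########################################
###### Domain / host / site KV lookups ####
##########################################

[DomainSelector_Lookup]
disabled = 0
search = eventtype=msad_index_windows `domain-selector-search` \
    | eval _key = host \
    | outputlookup DomainSelector append=true
enableSched = 1
cron_schedule = */15 * * * *
realtime_schedule = 1
dispatch.earliest_time = -1h
dispatch.latest_time = now

[HostToDomain_Lookup_Update]
disabled = 0
search = eventtype=msad_index_windows `domain-list` \
    | sort host \
    | eval _key = host \
    | outputlookup HostToDomain append=true
enableSched = 1
cron_schedule = 30 2 * * *
realtime_schedule = 1
dispatch.earliest_time = -24h@h
dispatch.latest_time = now

# Every 5 minutes: merge the last 5 minutes of events into tHostInfo, drop rows
# older than 30 days, and keep one row per (src_ip, src_hostdomain) change.
[tHostInfo_Lookup_Update]
disabled = 0
search = eventtype=wineventlog_index_windows `thostinfo` \
    | inputlookup append=T tHostInfo \
    | where _time > relative_time(now(), "-30d@d") \
    | sort 0 src_ip,src_hostdomain,_time \
    | dedup consecutive=T src_ip,src_hostdomain \
    | sort 0 -_time \
    | outputlookup tHostInfo
enableSched = 1
cron_schedule = */5 * * * *
realtime_schedule = 1
dispatch.earliest_time = -5m
dispatch.latest_time = now

[SiteInfo_Lookup_Update]
disabled = 0
search = eventtype=msad_index_windows eventtype=msad-dc-health \
    | table host,Site \
    | dedup host, Site \
    | eval _key = host \
    | outputlookup SiteInfo append=true
enableSched = 1
cron_schedule = 30 * * * *
realtime_schedule = 1
dispatch.earliest_time = -60m
dispatch.latest_time = now

#########################################################################################
###### Windows Application Infrastructure Searches #########
#########################################################################################

##########################################
###### Lookup Tables Lists searches ######
##########################################

# When the eventcode lookup supplies no description (null, blank, or the
# placeholder "No Description Available-Update windows_eventcode_definitions"),
# fall back to the first sentence of Message. The placeholder is a description
# string, so it is compared against EventCodeDescription (the original compared
# it against EventCode, which can never match).
[WinApp_Lookup_Event - Event Details]
disabled = 0
action.email.inline = 1
action.email.reportServerEnabled = 0
alert.digest_mode = true
alert.suppress = 0
alert.track = 0
dispatch.earliest_time = @d
dispatch.latest_time = now
displayview = search
request.ui_dispatch_view = search
search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" \
    | eval EventCodeDescription=if(isnull(EventCodeDescription) OR len(trim(EventCodeDescription))==0 OR EventCodeDescription=="No Description Available-Update windows_eventcode_definitions", mvindex(split(Message, "."), 0), EventCodeDescription) \
    | stats latest(SourceName) as SourceName, latest(TaskCategory) as TaskCategory, latest(Type) as Type by EventCode, LogName, EventCodeDescription \
    | sort LogName, EventCode, SourceName, TaskCategory, Type, EventCodeDescription

[WinApp_Lookup_Event - Host]
disabled = 0
action.email.reportServerEnabled = 0
alert.track = 0
dispatch.earliest_time = 0
dispatch.latest_time = now
displayview = search
request.ui_dispatch_view = search
search = | inputlookup windows_event_system \
    | dedup Host \
    | table Host \
    | sort Host

###### Specific Fields Lists ######

# Same description fallback as "Event Details" (see the note there).
[WinApp_Lookup_Event - EventCode Description]
disabled = 0
action.email.inline = 1
action.email.reportServerEnabled = 0
alert.digest_mode = true
alert.suppress = 0
alert.track = 0
dispatch.earliest_time = @d
dispatch.latest_time = now
displayview = search
request.ui_dispatch_view = search
search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" \
    | eval EventCodeDescription=if(isnull(EventCodeDescription) OR len(trim(EventCodeDescription))==0 OR EventCodeDescription=="No Description Available-Update windows_eventcode_definitions", mvindex(split(Message, "."), 0), EventCodeDescription) \
    | stats latest(EventCodeDescription) as EventCodeDescription by EventCode \
    | eval Event=EventCode.":".EventCodeDescription \
    | table EventCode, EventCodeDescription, Event \
    | sort EventCode

[WinApp_Lookup_Event - EventCode]
disabled = 0
action.email.inline = 1
action.email.reportServerEnabled = 0
alert.digest_mode = true
alert.suppress = 0
alert.track = 0
dispatch.earliest_time = @d
dispatch.latest_time = now
displayview = search
request.ui_dispatch_view = search
search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" \
    | stats count by EventCode \
    | sort EventCode

[WinApp_Lookup_Event - LogName]
disabled = 0
action.email.inline = 1
action.email.reportServerEnabled = 0
alert.digest_mode = true
alert.suppress = 0
alert.track = 0
dispatch.earliest_time = @d
dispatch.latest_time = now
displayview = search
request.ui_dispatch_view = search
search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" \
    | stats count by LogName \
    | sort LogName

[WinApp_Lookup_Event - TaskCategory]
disabled = 0
action.email.reportServerEnabled = 0
alert.track = 0
dispatch.earliest_time = @d
dispatch.latest_time = now
displayview = search
request.ui_dispatch_view = search
search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" \
    | stats count by TaskCategory \
    | sort TaskCategory

[WinApp_Lookup_Perfmon - Combined]
disabled = 0
action.email.reportServerEnabled = 0
alert.track = 0
dispatch.earliest_time = @d
dispatch.latest_time = now
displayview = search
request.ui_dispatch_view = search
search = eventtype=perfmon_index_windows eventtype="perfmon_windows" object=* \
    | eval instance = if(isnull(instance), "NA", instance) \
    | stats latest(object) as object, latest(counter) as counter by instance \
    | sort object, counter, instance

[WinApp_Lookup_Perfmon - Object]
disabled = 0
action.email.reportServerEnabled = 0
alert.track = 0
dispatch.earliest_time = @d
dispatch.latest_time = now
displayview = search
request.ui_dispatch_view = search
search = eventtype=perfmon_index_windows eventtype="perfmon_windows" object=* \
    | stats count by object \
    | sort object

[WinApp_Lookup_Perfmon - Collections, Object, and counters]
disabled = 0
action.email.reportServerEnabled = 0
alert.track = 0
dispatch.earliest_time = @d
dispatch.latest_time = now
displayview = search
request.ui_dispatch_view = search
search = eventtype=perfmon_index_windows eventtype="perfmon_windows" object=* \
    | stats values(counter) as Perfmon_counters by object \
    | sort object

[WinApp_Lookup_Perfmon - counters and instances]
disabled = 0
action.email.reportServerEnabled = 0
alert.track = 0
dispatch.earliest_time = @d
dispatch.latest_time = now
displayview = search
request.ui_dispatch_view = search
search = eventtype=perfmon_index_windows eventtype="perfmon_windows" object=* \
    | eval Perfmon_counters=object.": ".counter \
    | stats values(instance) as Perfmon_instances by Perfmon_counters

[WinApp_Lookup_Perfmon - Host]
disabled = 0
action.email.reportServerEnabled = 0
alert.track = 0
dispatch.earliest_time = 0
dispatch.latest_time = now
displayview = search
request.ui_dispatch_view = search
search = | inputlookup windows_perfmon_system \
    | dedup Host \
    | table Host \
    | sort Host

######################################################
###### Lookup Tables - UPDATE Lookups searches ######
######################################################

# Hourly, staggered by a few minutes per stanza; each covers the last 80 minutes
# so consecutive runs overlap, and appends to the KV lookup keyed on Host.

[WinApp_Lookup_Build_Perfmon - Update - Server]
disabled = 0
action.email.inline = 1
alert.digest_mode = true
alert.severity = 1
alert.suppress = 0
alert.track = 0
cron_schedule = 0 * * * *
enableSched = 1
dispatch.earliest_time = -80m
dispatch.latest_time = now
run_on_startup = true
search = eventtype=perfmon_index_windows eventtype="perfmon_windows" object=* \
    | eval Host=if(isNull(Host),host,Host) \
    | stats count by Host \
    | eval _key = Host \
    | outputlookup windows_perfmon_system append=true

[WinApp_Lookup_Build_Event - Update - Server]
disabled = 0
is_visible = true
action.email.inline = 1
alert.digest_mode = true
alert.severity = 1
alert.suppress = 0
alert.track = 0
cron_schedule = 2 * * * *
enableSched = 1
dispatch.earliest_time = -80m
dispatch.latest_time = now
run_on_startup = true
search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" \
    | eval Host=if(isnull(Host), upper(host), upper(Host)) \
    | stats count by Host \
    | eval _key = Host \
    | outputlookup windows_event_system append=true

[WinApp_Lookup_Build_Hostmon - Update - Server]
disabled = 0
is_visible = true
action.email.inline = 1
alert.digest_mode = true
alert.severity = 1
alert.suppress = 0
alert.track = 0
cron_schedule = 4 * * * *
enableSched = 1
dispatch.earliest_time = -80m
dispatch.latest_time = now
run_on_startup = true
search = eventtype=windows_index_windows eventtype="hostmon_windows" \
    | eval Host=if(isnull(Host), upper(host), upper(Host)) \
    | stats count by Host \
    | eval _key = Host \
    | outputlookup windows_hostmon_system append=true

[WinApp_Lookup_Build_Netmon - Update - Server]
disabled = 0
is_visible = true
action.email.inline = 1
alert.digest_mode = true
alert.severity = 1
alert.suppress = 0
alert.track = 0
cron_schedule = 9 * * * *
enableSched = 1
dispatch.earliest_time = -80m
dispatch.latest_time = now
run_on_startup = true
search = eventtype=windows_index_windows eventtype="netmon_windows" \
    | eval Host=if(isnull(Host), upper(host), upper(Host)) \
    | stats count by Host \
    | eval _key = Host \
    | outputlookup windows_netmon_system append=true

# Key is the composite Host___printer___operation___user.
[WinApp_Lookup_Build_Printmon - Update]
disabled = 0
is_visible = true
action.email.inline = 1
alert.digest_mode = true
alert.severity = 1
alert.suppress = 0
alert.track = 0
cron_schedule = 11 * * * *
enableSched = 1
dispatch.earliest_time = -80m
dispatch.latest_time = now
run_on_startup = true
search = eventtype=windows_index_windows sourcetype=WinPrintMon \
    | eval Host=if(isnull(Host), upper(host), upper(Host)) \
    | stats count by Host printer operation user \
    | sort Host printer operation user \
    | eval _key = Host . "___" . printer . "___" . operation . "___" . user \
    | outputlookup windows_printmon append=true

######################################################
###### Lookup Tables - CREATE Lookups searches ######
######################################################

# Full rebuilds (no append). dispatch.latest_time = now is stated explicitly
# on every stanza so the dispatch window is the same across the group.

[WinApp_Lookup_Build_Perfmon - CreateNew - Server]
disabled = 0
action.email.inline = 1
action.email.reportServerEnabled = 0
alert.digest_mode = true
alert.suppress = 0
alert.track = 0
dispatch.earliest_time = 0
dispatch.latest_time = now
displayview = search
request.ui_dispatch_view = search
search = eventtype=perfmon_index_windows eventtype="perfmon_windows" object=* earliest=-60m \
    | eval Host=if(isNull(Host),host,Host) \
    | stats count by Host \
    | outputlookup windows_perfmon_system

[WinApp_Lookup_Build_Netmon - CreateNew - Server]
disabled = 0
action.email.inline = 1
action.email.reportServerEnabled = 0
alert.digest_mode = true
alert.suppress = 0
alert.track = 0
dispatch.earliest_time = 0
dispatch.latest_time = now
displayview = search
request.ui_dispatch_view = search
search = eventtype=windows_index_windows eventtype="netmon_windows" \
    | eval Host=if(isnull(Host), upper(host), upper(Host)) \
    | stats count by Host \
    | outputlookup windows_netmon_system

[WinApp_Lookup_Build_Printmon - CreateNew]
disabled = 0
action.email.inline = 1
action.email.reportServerEnabled = 0
alert.digest_mode = true
alert.suppress = 0
alert.track = 0
dispatch.earliest_time = 0
dispatch.latest_time = now
displayview = search
request.ui_dispatch_view = search
search = eventtype=windows_index_windows sourcetype=WinPrintMon \
    | eval Host=if(isnull(Host), upper(host), upper(Host)) \
    | fields Host printer operation user \
    | dedup Host printer operation user \
    | table Host printer operation user \
    | sort Host printer operation user \
    | outputlookup windows_printmon

[WinApp_Lookup_Build_Event - CreateNew - Server]
disabled = 0
action.email.inline = 1
action.email.reportServerEnabled = 0
alert.digest_mode = true
alert.suppress = 0
alert.track = 0
dispatch.earliest_time = 0
dispatch.latest_time = now
displayview = search
request.ui_dispatch_view = search
search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" \
    | eval Host=if(isnull(Host), upper(host), upper(Host)) \
    | fields Host \
    | dedup Host \
    | table Host \
    | sort Host \
    | outputlookup windows_event_system

[WinApp_Lookup_Build_Hostmon - CreateNew - Server]
disabled = 0
action.email.inline = 1
action.email.reportServerEnabled = 0
alert.digest_mode = true
alert.suppress = 0
alert.track = 0
dispatch.earliest_time = 0
dispatch.latest_time = now
displayview = search
request.ui_dispatch_view = search
search = eventtype=windows_index_windows eventtype="hostmon_windows" \
    | eval Host=if(isnull(Host), upper(host), upper(Host)) \
    | fields Host \
    | dedup Host \
    | table Host \
    | sort Host \
    | outputlookup windows_hostmon_system

####################################
###### Windows Event Searches ######
####################################

[Generic event counts]
disabled = 0
action.email.reportServerEnabled = 0
alert.track = 0
dispatch.earliest_time = -60m@m
dispatch.latest_time = now
displayview = search
request.ui_dispatch_view = search
description = Event search try
search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" \
    | stats count by LogName, EventCode, Keywords, TaskCategory, Type

[Event categories and counts by host for the last 30 days]
disabled = 0
action.email.reportServerEnabled = 0
alert.track = 0
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
displayview = search
request.ui_dispatch_view = search
search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" \
    | fields host, TaskCategory \
    | stats count as EvtCounts by host, TaskCategory \
    | sort -EvtCounts \
    | eval EvtCatCnt = TaskCategory." (".EvtCounts.")" \
    | stats sum(EvtCounts) as Total_Events, values(EvtCatCnt) as Event_Category_Count by host \
    | sort -Total_Events \
    | eval Host_Count = host." (".Total_Events.")" \
    | table Host_Count, Event_Category_Count

# Severity pivot: EventType 1 = Critical, 2 = Error, 3 = Warning. The helper
# column t marks the addcoltotals row so it can be labelled "Totals" and sorted
# last; t is dropped before display.
[Event severity counts by host for the last 30 days]
disabled = 0
action.email.inline = 1
action.email.reportServerEnabled = 0
alert.digest_mode = true
alert.suppress = 0
alert.track = 0
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
displayview = search
request.ui_dispatch_view = search
search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" (EventType=2 OR EventType=3 OR EventType=1) \
    | eval EventSeverity=case(EventType == 2, "Error", EventType == 3,"Warning", EventType == 1, "Critical") \
    | eval host=upper(host) \
    | stats count by host EventSeverity \
    | xyseries host EventSeverity count \
    | eval t=1 \
    | addcoltotals \
    | sort t desc \
    | eval host = if(t>1,"Totals",host) \
    | fields - t \
    | table host *

[Event severity counts by host for the last 7 days]
disabled = 0
action.email.inline = 1
action.email.reportServerEnabled = 0
alert.digest_mode = true
alert.suppress = 0
alert.track = 0
dispatch.earliest_time = -7d@h
dispatch.latest_time = now
displayview = search
request.ui_dispatch_view = search
search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" (EventType=2 OR EventType=3 OR EventType=1) \
    | eval EventSeverity=case(EventType == 2, "Error", EventType == 3,"Warning", EventType == 1, "Critical") \
    | eval host=upper(host) \
    | stats count by host EventSeverity \
    | xyseries host EventSeverity count \
    | eval t=1 \
    | addcoltotals \
    | sort t desc \
    | eval host = if(t>1,"Totals",host) \
    | fields - t \
    | table host *

# Rolling 24 hours, matching the title and the other "last 24 hours" stanzas
# (the original used @d, i.e. only since midnight).
[Event severity counts by host for the last 24 hours]
disabled = 0
action.email.inline = 1
action.email.reportServerEnabled = 0
alert.digest_mode = true
alert.suppress = 0
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
displayview = search
request.ui_dispatch_view = search
search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" (EventType=2 OR EventType=3 OR EventType=1) \
    | eval EventSeverity=case(EventType == 2, "Error", EventType == 3,"Warning", EventType == 1, "Critical") \
    | eval host=upper(host) \
    | stats count by host EventSeverity \
    | xyseries host EventSeverity count \
    | eval t=1 \
    | addcoltotals \
    | sort t desc \
    | eval host = if(t>1,"Totals",host) \
    | fields - t \
    | table host *

######################################
###### Windows Perfmon Searches ######
######################################

[Performance counter categories and counts by host for the last 7 days]
disabled = 0
action.email.reportServerEnabled = 0
alert.track = 0
dispatch.earliest_time = -7d@h
dispatch.latest_time = now
displayview = search
request.ui_dispatch_view = search
search = eventtype=perfmon_index_windows eventtype="perfmon_windows" \
    | stats values(object) as Perfmon_counter_Category, dc(counter) as Perfmon_counter_Count by Host \
    | table Host, Perfmon_counter_Category, Perfmon_counter_Count \
    | sort Host

# Buckets follow the range labels and the stanza title (80 % warn, 95 %
# critical). The original cut at 10 and 50, which contradicted the labels and
# left an average of exactly 50 with no range; true() is the catch-all.
[Number of hosts with Average CPU utilization > 80% in the last 24 hours]
disabled = 0
dispatch.earliest_time = -24h
dispatch.latest_time = now
dispatch.ttl = 2p
relation = None
search = eventtype=perfmon_index_windows eventtype=perfmon_windows Host=* object="processor" counter="% processor time" \
    | stats avg(Value) as Threshold by Host \
    | eval range=case(Threshold<80, "OK (<80%)", Threshold<95, "Warn (80%-94%)", true(), "Critical (95%+)") \
    | chart values(Host), count by range

[Average Memory utilization per process, host in the last 24 hours]
action.email.sendresults = 0
disabled = 0
dispatch.earliest_time = -24h
dispatch.latest_time = now
dispatch.ttl = 2p
relation = None
search = eventtype=perfmon_index_windows eventtype=perfmon_windows object=Process counter="Private Bytes" \
    | eval MB=Value/(1024*1024) \
    | stats avg(MB) as "Avg. Memory Utilization in MB" by instance, host

[Average CPU utilization per process, host in the last 24 hours]
action.email.sendresults = 0
disabled = 0
dispatch.earliest_time = -24h
dispatch.latest_time = now
dispatch.ttl = 2p
relation = None
search = eventtype=perfmon_index_windows eventtype=perfmon_windows object=Process counter="% Processor Time" \
    | stats avg(Value) as "Avg. CPU utilization" by instance, Host

#############################################
###### Windows OS App Crashes Searches ######
#############################################

# EventCode 1001 (Windows Error Reporting): P1 is the faulting application,
# P2 its version.

[Application crash count in the last 24 hours]
disabled = 0
action.email.inline = 1
action.email.reportServerEnabled = 0
alert.digest_mode = true
alert.suppress = 0
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" EventCode="1001" Event_Name="*" \
    | eval application=P1." (version: ".P2.")" \
    | timechart count by application

[Application crash count in the last 7 days]
disabled = 0
action.email.inline = 1
action.email.reportServerEnabled = 0
alert.digest_mode = true
alert.suppress = 0
alert.track = 0
dispatch.earliest_time = -7d@d
dispatch.latest_time = now
search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" EventCode="1001" Event_Name="*" \
    | eval application=P1." (version: ".P2.")" \
    | timechart count by application

[Application crash count in the last 30 days]
disabled = 0
action.email.inline = 1
action.email.reportServerEnabled = 0
alert.digest_mode = true
alert.suppress = 0
alert.track = 0
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" EventCode="1001" Event_Name="*" \
    | eval application=P1." (version: ".P2.")" \
    | timechart count by application

##############################################
###### Windows OS App Installs Searches ######
##############################################

# MsiInstaller EventCode 11707 = product installed successfully.
# The rex named group is <product_name>; the angle-bracketed name had been
# stripped from the collapsed copy of this file and is restored here.

[Count of total installs per user for the last 7 days]
disabled = 0
action.email.reportServerEnabled = 0
alert.track = 0
dispatch.earliest_time = -7d@h
dispatch.latest_time = now
displayview = search
request.ui_dispatch_view = search
search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" SourceName=MsiInstaller EventCode=11707 \
    | stats count by User \
    | sort -count

[Count of total installs per user each day for the last 7 days]
disabled = 0
action.email.reportServerEnabled = 0
alert.track = 0
dispatch.earliest_time = -7d@h
dispatch.latest_time = now
displayview = search
request.ui_dispatch_view = search
search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" SourceName=MsiInstaller EventCode=11707 \
    | timechart count by User

[System_App Installs - By Host - Timechart - 7days]
disabled = 0
action.email.reportServerEnabled = 0
alert.track = 0
dispatch.earliest_time = -7d@h
dispatch.latest_time = now
displayview = search
request.ui_dispatch_view = search
search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" SourceName=MsiInstaller EventCode=11707 \
    | dedup _raw \
    | rex field=Message "(?s)Product: (?<product_name>.*) --" \
    | timechart span=1d count by host

[Count of total installs per Application each day for the last 7 days]
disabled = 0
action.email.reportServerEnabled = 0
alert.track = 0
dispatch.earliest_time = -7d@h
dispatch.latest_time = now
displayview = search
request.ui_dispatch_view = search
search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" SourceName=MsiInstaller EventCode=11707 \
    | rex field=Message "(?s)Product: (?<product_name>.*) --" \
    | timechart span=1d count by product_name

[List of Applications, Time of install, User and Host for the last 7 days]
disabled = 0
action.email.reportServerEnabled = 0
alert.track = 0
dispatch.earliest_time = -7d@h
dispatch.latest_time = now
displayview = search
request.ui_dispatch_view = search
search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" SourceName=MsiInstaller EventCode=11707 \
    | rex field=Message "(?s)Product: (?<product_name>.*) --" \
    | table _time host User product_name

#####################################
###### Windows Update searches ######
#####################################

# Packages that failed on a host and never later succeeded there
# (the NOT subsearch removes every (host, package) with a success event).
[List of Failed KB installs in the last 7 days]
action.email.inline = 1
alert.digest_mode = true
alert.suppress = 0
alert.track = 0
disabled = 0
dispatch.earliest_time = -7d
dispatch.latest_time = now
search = eventtype=windows_index_windows OR eventtype=wineventlog_index_windows NOT [ search eventtype="Update_Successful_windows" | dedup package, host | fields + host, package ] \
    eventtype="Update_Failed" package=* \
    | dedup host package \
    | stats count, max(_time) as latest_failure_time by host,package \
    | sort - latest_failure_time | convert ctime(latest_failure_time) \
    | eval kb_details="KB".package." (Total Fails=".tostring(count).") (Last Failure at:".latest_failure_time.")" \
    | stats sum(count) as total_fails, values(kb_details) as latest_fail_details by host

# Status text spelling corrected ("Successful"); the later match() on
# "Success*" still matches it.
[List of KB successful and failed KB installation for the last 30 days]
action.email.inline = 1
alert.digest_mode = true
alert.suppress = 0
alert.track = 0
disabled = 0
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
displayview = search
request.ui_dispatch_view = search
search = eventtype=windows_index_windows OR eventtype=wineventlog_index_windows tag=Windows_Update package=* \
    | dedup package, host \
    | eval status=if(eventtype=="Update_Successful_windows", "Success", if(eventtype=="Update_Failed", "Failed", "NA")) \
    | search NOT status="NA" \
    | stats latest(_time) as ltime, count by status, host, package \
    | convert ctime(ltime) \
    | eval lsuccess="Successful at (".ltime.")" \
    | eval lfail="Failed at (".ltime.")" \
    | eval lstatus=if(status=="Success",lsuccess,lfail) \
    | stats values(lstatus) as Status_History by host, package \
    | sort host,package \
    | eval scount=mvcount(Status_History) \
    | eval Last_Status=if(scount>1,"Success",if(match(Status_History, "Success*"),"Success","Failed")) \
    | table host, package, Last_Status, Status_History \
    | sort host,package

[List of Successful installations (non-KB) for the last 7 days]
action.email.inline = 1
alert.digest_mode = true
alert.suppress = 0
alert.track = 0
disabled = 0
dispatch.earliest_time = -7d
dispatch.latest_time = now
search = eventtype=windows_index_windows OR eventtype=wineventlog_index_windows eventtype="Update_Successful_windows" \
    | dedup package, host \
    | chart count,max(_time) as latest_install_time by package \
    | sort - latest_install_time \
    | convert ctime(latest_install_time)

# rex named groups in the next three stanzas (<cause>, <Service_Name>) are
# restored from the field names used later in each search; the angle-bracketed
# names had been stripped from the collapsed copy of this file.
# EventCode 1076 = reason supplied for an unexpected shutdown, 6008 = unexpected shutdown.
[List of shutdowns for last 30 days]
action.email.sendresults = 0
disabled = 0
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
relation = None
search = eventtype=wineventlog_index_windows source=wineventlog:system "EventCode=1076" OR "EventCode=6008" \
    | rex field=Message "(?m)(?<cause>.*)$" \
    | fields + _time,host,cause

# EventCode 7034/7031 = service terminated unexpectedly. The second group's
# original name was not recoverable; <termination_count> is a constructed
# name and is not referenced afterwards.
[List of unexpected service terminations for the last 30 days]
action.email.sendresults = 0
disabled = 0
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
relation = None
search = eventtype=wineventlog_index_windows source=wineventlog:system terminated ("EventCode=7034" OR "EventCode=7031") \
    | rex field=Message "(?i)^The (?<Service_Name>.*) service terminated unexpectedly.\s+It has done this (?<termination_count>\d+)" \
    | fields + _time,host,Service_Name

[List of failed service starts for the last 30 days]
action.email.sendresults = 0
disabled = 0
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
relation = None
search = eventtype=wineventlog_index_windows source=wineventlog:system SourceName="Microsoft-Windows-Service Control Manager" "service failed to start" \
    | rex field=Message "^The (?<Service_Name>.*) service failed" \
    | fields + _time,host,Service_Name

# Credential validation (4776, legacy 680). Machine accounts (trailing $) are
# excluded; both spellings of the Logon_Account field are coalesced. Splunk
# evaluates OR before the implicit AND, so the two EventCode groups are
# alternatives under the common eventtype/NOT filters.
[WinMgmt_Security_Logon_Success Overall by Host]
alert.track = 0
disabled = 0
dispatch.earliest_time = -7d@h
dispatch.latest_time = now
displayview = search
request.ui_dispatch_view = search
search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" ("EventCode=4776" AND Keywords="Audit Success") OR ("EventCode=680" AND "Success Audit") NOT (Logon_Account="*$" OR Logon_account="*$") \
    | eval "User_Account" = coalesce(Logon_Account,Logon_account) \
    | transaction "User_Account",Source_Workstation maxpause=5s \
    | stats count by host \
    | sort 10 -count

[WinMgmt_Security_Logon_Success Overtime]
alert.track = 0
disabled = 0
dispatch.earliest_time = -7d@h
dispatch.latest_time = now
displayview = search
request.ui_dispatch_view = search
search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" ("EventCode=4776" AND Keywords="Audit Success") OR ("EventCode=680" AND "Success Audit") NOT (Logon_Account="*$" OR Logon_account="*$") \
    | eval "User_Account" = coalesce(Logon_Account,Logon_account) \
    | transaction "User_Account",Source_Workstation maxpause=5s \
    | timechart bins=1000 count

# Detection fix: this stanza reports failed credential validation, so it
# filters on the failure audit keyword. The original copied the success
# filters ("Audit Success" / "Success Audit") and therefore listed successful
# logons under an "Unsuccessful" title.
[WinMgmt_Security_Logon_Unsuccessful]
alert.track = 0
disabled = 0
dispatch.earliest_time = -7d@h
dispatch.latest_time = now
displayview = search
request.ui_dispatch_view = search
search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" ("EventCode=4776" AND Keywords="Audit Failure") OR ("EventCode=680" AND "Failure Audit") NOT (Logon_Account="*$" OR Logon_account="*$") \
    | eval "User_Account" = coalesce(Logon_Account,Logon_account) \
    | transaction "User_Account",Source_Workstation maxpause=5s \
    | stats latest(_time) as ltime, count by User_Account, Source_Workstation, dest_nt_host, field_match_sum, duration \
    | convert ctime(ltime)

# EventCode 1074 = user-initiated shutdown/restart. rex group names
# (<comment>, <process>) restored from the fields used below. Within a 5-minute
# transaction per host the last User/process value is reported.
[WinMgmt_System_Reboot Overtime]
alert.track = 0
disabled = 0
dispatch.earliest_time = -7d@h
dispatch.latest_time = now
displayview = search
request.ui_dispatch_view = search
search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" EventCode=1074 SourceName="USER32" \
    | rex field=_raw "Comment:.(?<comment>.*)" \
    | rex field=Message "The process.(?<process>[^ ]+)" \
    | transaction host maxspan=5m \
    | eval user_count=mvcount(User) \
    | eval final_user=case(user_count == 1, User, user_count > 1, mvindex(User, user_count-1)) \
    | eval process_count=mvcount(process) \
    | eval final_process=case(process_count == 1, process, process_count > 1, mvindex(process, process_count-1)) \
    | search host="*" final_user="*" \
    | table _time host final_user final_process comment \
    | rename _time AS Time \
    | convert ctime(Time) \
    | rename final_user AS Username \
    | rename final_process AS "Process name" \
    | rename comment AS "Comment"

##########################################
###### Lookup Migration Searches #########
##########################################

# Hostmon detail lookups: Update stanzas run hourly over the last 80 minutes
# with a composite "___" key; CreateNew stanzas rebuild from all time.

[WinApp_Lookup_Build_Hostmon_Machine - Update - Detail]
disabled = 0
is_visible = true
action.email.inline = 1
alert.digest_mode = true
alert.severity = 1
alert.suppress = 0
alert.track = 0
cron_schedule = 5 * * * *
enableSched = 1
dispatch.earliest_time = -80m
dispatch.latest_time = now
run_on_startup = true
search = eventtype=windows_index_windows eventtype="hostmon_windows" Type=OperatingSystem \
    | join host [search eventtype=windows_index_windows eventtype=hostmon_windows Type=Computer earliest=-80m] \
    | stats count by OS, Domain, Architecture, Manufacturer \
    | eval _key = OS . "___" . Domain . "___" . Architecture . "___" . Manufacturer \
    | outputlookup windows_hostmon_machine_details append=true

[WinApp_Lookup_Build_Hostmon_Machine - CreateNew - Detail]
disabled = 0
action.email.inline = 1
action.email.reportServerEnabled = 0
alert.digest_mode = true
alert.suppress = 0
alert.track = 0
dispatch.earliest_time = 0
dispatch.latest_time = now
displayview = search
request.ui_dispatch_view = search
search = eventtype=windows_index_windows eventtype="hostmon_windows" Type=OperatingSystem \
    | join host [search eventtype=windows_index_windows eventtype=hostmon_windows Type=Computer] \
    | dedup OS, Domain, Architecture, Manufacturer \
    | table OS, Domain, Architecture, Manufacturer \
    | outputlookup windows_hostmon_machine_details

[WinApp_Lookup_Build_Hostmon_FS - Update - Detail]
disabled = 0
is_visible = true
action.email.inline = 1
alert.digest_mode = true
alert.severity = 1
alert.suppress = 0
alert.track = 0
cron_schedule = 6 * * * *
enableSched = 1
dispatch.earliest_time = -80m
dispatch.latest_time = now
run_on_startup = true
search = eventtype=windows_index_windows eventtype=hostmon_windows Type=Disk \
    | eval FreeSpacePct=round(FreeSpaceKB/TotalSpaceKB*100) \
    | eval TotalSpaceGB=round(TotalSpaceKB/1024/1024) \
    | stats count by FileSystem, DriveType, FreeSpacePct, TotalSpaceGB \
    | eval _key = FileSystem . "___" . DriveType . "___" . FreeSpacePct . "___" . TotalSpaceGB \
    | outputlookup windows_hostmon_fs_details append=true

[WinApp_Lookup_Build_Hostmon_FS - CreateNew - Detail]
disabled = 0
action.email.inline = 1
action.email.reportServerEnabled = 0
alert.digest_mode = true
alert.suppress = 0
alert.track = 0
dispatch.earliest_time = 0
dispatch.latest_time = now
displayview = search
request.ui_dispatch_view = search
search = eventtype=windows_index_windows eventtype=hostmon_windows Type=Disk \
    | eval FreeSpacePct=round(FreeSpaceKB/TotalSpaceKB*100) \
    | eval TotalSpaceGB=round(TotalSpaceKB/1024/1024) \
    | dedup FileSystem, DriveType, FreeSpacePct, TotalSpaceGB \
    | table FileSystem, DriveType, FreeSpacePct, TotalSpaceGB \
    | outputlookup windows_hostmon_fs_details

[WinApp_Lookup_Build_Hostmon_Process - Update - Detail]
disabled = 0
is_visible = true
action.email.inline = 1
alert.digest_mode = true
alert.severity = 1
alert.suppress = 0
alert.track = 0
cron_schedule = 7 * * * *
enableSched = 1
dispatch.earliest_time = -80m
dispatch.latest_time = now
run_on_startup = true
search = eventtype=windows_index_windows eventtype=hostmon_windows Type=Process \
    | stats count by Name \
    | eval _key = Name \
    | outputlookup windows_hostmon_process_details append=true

[WinApp_Lookup_Build_Hostmon_Process - CreateNew - Detail]
disabled = 0
action.email.inline = 1
action.email.reportServerEnabled = 0
alert.digest_mode = true
alert.suppress = 0
alert.track = 0
dispatch.earliest_time = 0
dispatch.latest_time = now
displayview = search
request.ui_dispatch_view = search
search = eventtype=windows_index_windows eventtype=hostmon_windows Type=Process \
    | dedup Name \
    | table Name \
    | outputlookup windows_hostmon_process_details

###################################################
###### Windows AD Entity Import Saved Search ######
###################################################

# Every 15 minutes, upserts one ITSI entity per domain controller seen in the
# last hour of msad-dc-health events; host and Server identify the entity.
[ITSI Import Objects - Import Active Directory Entity]
action.itsi_import_objects = 1
action.itsi_import_objects.param.backfill_enabled = 0
action.itsi_import_objects.param.entity_identifier_fields = host,Server
action.itsi_import_objects.param.entity_informational_fields = DomainNetBIOSName,DomainDNSName,Site,ForestName
action.itsi_import_objects.param.entity_merge_field = entity_title
action.itsi_import_objects.param.entity_title_field = entity_title
action.itsi_import_objects.param.entity_type_field = entity_type
action.itsi_import_objects.param.service_enabled = 1
action.itsi_import_objects.param.service_team = default_itsi_security_group
action.itsi_import_objects.param.service_templates_config = {}
action.itsi_import_objects.param.update_type = upsert
cron_schedule = */15 * * * *
dispatch.earliest_time = -60m
dispatch.latest_time = now
enableSched = 1
disabled = 0
search = eventtype=msad_index_windows eventtype="msad-dc-health" \
    | dedup host \
    | eval entity_title=host \
    | eval entity_type="Active Directory" \
    | table entity_title host ForestName Site DomainDNSName DomainNetBIOSName Server entity_type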