admingit
/
Deploiement_Server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '51f28ad3da'
${ noResults }
Deploiement_Server/deployment-apps/DA-ITSI-CP-windows-dashboards/default/savedsearches.conf

1059 lines
35 KiB
Raw Blame History

[ActiveDirectory: Create Computer Lookup]
disabled = 1
search = eventtype=msad_index_windows `admon-computer-lookup-update`
run_on_startup = true
dispatch.earliest_time = 0
dispatch.latest_time = now
[ActiveDirectory: Update Computer Lookup]
disabled = 1
search = eventtype=msad_index_windows `admon-computer-lookup-update`
enableSched = 1
cron_schedule = */15 * * * *
run_on_startup = true
dispatch.earliest_time = -30m
dispatch.latest_time = now
[ActiveDirectory: Create GPO Lookup]
disabled = 1
search = eventtype=msad_index_windows `admon-gpo-lookup-update`
run_on_startup = true
dispatch.earliest_time = 0
dispatch.latest_time = now
[ActiveDirectory: Update GPO Lookup]
disabled = 1
search = eventtype=msad_index_windows `admon-gpo-lookup-update`
enableSched = 1
cron_schedule = */15 * * * *
run_on_startup = true
dispatch.earliest_time = -30m
dispatch.latest_time = now
[ActiveDirectory: Create Group Lookup]
disabled = 1
search = eventtype=msad_index_windows `admon-group-lookup-update`
run_on_startup = true
dispatch.earliest_time = 0
dispatch.latest_time = now
[ActiveDirectory: Update Group Lookup]
disabled = 1
search = eventtype=msad_index_windows `admon-group-lookup-update`
enableSched = 1
cron_schedule = */15 * * * *
run_on_startup = true
dispatch.earliest_time = -30m
dispatch.latest_time = now
[ActiveDirectory: Create User Lookup]
disabled = 1
search = eventtype=msad_index_windows `admon-user-lookup-update`
run_on_startup = true
dispatch.earliest_time = 0
dispatch.latest_time = now
[ActiveDirectory: Update User Lookup]
disabled = 1
search = eventtype=msad_index_windows `admon-user-lookup-update`
enableSched = 1
cron_schedule = */15 * * * *
run_on_startup = true
dispatch.earliest_time = -30m
dispatch.latest_time = now
[DNS: Failing Domains]
disabled = 1
search = eventtype=msad_index_windows eventtype=msad-dns-debuglog direction="Snd" response!="NOERROR"|top questiontype,questionname,response|`fix-dnsname(questionname)`
enableSched = 0
[DNS: Top Failing Domains]
disabled = 1
search = eventtype=msad_index_windows eventtype=msad-dns-debuglog direction="Rcv" response!="NOERROR"|top questiontype,questionname|`fix-dnsname(questionname)`
enableSched = 0
[build_winfra_lookup]
disabled = 1
search = | runsavedsearcheswinfra
enableSched = 0
alert.track = 0
description = It will fill the necessary lookups that are used in populating the Content pack for windows dashboards and reports
[DNS: Top Hosts sending failing queries]
disabled = 1
search = eventtype=msad_index_windows eventtype=msad-dns-debuglog direction="Rcv" response!="NOERROR"|top src_ip
enableSched = 0
[DNS: Top Non-Authoritative Responses]
disabled = 1
search = eventtype=msad_index_windows eventtype=msad-dns-debuglog direction="Snd" response!="NOERROR" flags!="A*"|top questiontype,questionname|`fix-dnsname(questionname)`
enableSched = 0
[DNS: Top Querying Hosts]
disabled = 1
search = eventtype=msad_index_windows eventtype=msad-dns-debuglog direction="Rcv"|top src_ip
enableSched = 0
[DNS: Top Recursive Failure Domains]
disabled = 1
search = eventtype=msad_index_windows eventtype=msad-dns-debuglog direction="Rcv" flags="*DR" response!="NOERROR"|top questiontype,questionname|`fix-dnsname(questionname)`
enableSched = 0
[DNS: Top Requested Queries]
disabled = 1
search = eventtype=msad_index_windows eventtype=msad-dns-debuglog direction="Rcv"|top questiontype,questionname|`fix-dnsname(questionname)`
enableSched = 0
[DomainSelector_Lookup]
disabled = 1
search = eventtype=msad_index_windows `domain-selector-search` \
| eval _key = host \
| outputlookup DomainSelector append=true
enableSched = 1
cron_schedule = */15 * * * *
realtime_schedule = 1
dispatch.earliest_time = -1h
dispatch.latest_time = now
[HostToDomain_Lookup_Update]
disabled = 1
search = eventtype=msad_index_windows `domain-list` \
| sort host \
| eval _key = host \
| outputlookup HostToDomain append=true
enableSched = 1
cron_schedule = 30 2 * * *
realtime_schedule = 1
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
[tHostInfo_Lookup_Update]
disabled = 1
search = eventtype=wineventlog_index_windows `thostinfo`|inputlookup append=T tHostInfo|where _time > relative_time(now(), "-30d@d")|sort 0 src_ip,src_hostdomain,_time|dedup consecutive=T src_ip,src_hostdomain|sort 0 -_time|outputlookup tHostInfo
enableSched = 1
cron_schedule = */5 * * * *
realtime_schedule = 1
dispatch.earliest_time = -5m
dispatch.latest_time = now
[SiteInfo_Lookup_Update]
disabled = 1
search = eventtype=msad_index_windows eventtype=msad-dc-health \
| table host,Site \
| dedup host, Site \
| eval _key = host \
| outputlookup SiteInfo append=true
enableSched = 1
cron_schedule = 30 * * * *
realtime_schedule = 1
dispatch.earliest_time = -60m
dispatch.latest_time = now
#########################################################################################
###### Windows Application Infrastructure Searches #########
#########################################################################################
##########################################
###### Lookup Tables Lists searches ######
##########################################
[WinApp_Lookup_Event - Event Details]
disabled = 1
action.email.inline = 1
action.email.reportServerEnabled = 0
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
dispatch.earliest_time = @d
dispatch.latest_time = now
displayview = search
request.ui_dispatch_view = search
search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" \
| eval EventCodeDescription=if(isnull(EventCodeDescription) OR len(trim(EventCodeDescription))==0 OR EventCode=="No Description Available-Update windows_eventcode_definitions", mvindex(split(Message, "."), 0), EventCodeDescription) \
| stats latest(SourceName) as SourceName, latest(TaskCategory) as TaskCategory, latest(Type) as Type by EventCode, LogName, EventCodeDescription \
| sort LogName, EventCode, SourceName, TaskCategory, Type, EventCodeDescription
[WinApp_Lookup_Event - Host]
disabled = 1
action.email.reportServerEnabled = 0
alert.track = 0
dispatch.earliest_time = 0
dispatch.latest_time = now
displayview = search
request.ui_dispatch_view = search
search = | inputlookup windows_event_system\
| dedup Host\
| table Host\
| sort Host
###### Specific Fields Lists ######
[WinApp_Lookup_Event - EventCode Description]
disabled = 1
action.email.inline = 1
action.email.reportServerEnabled = 0
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
dispatch.earliest_time = @d
dispatch.latest_time = now
displayview = search
request.ui_dispatch_view = search
search = eventtype=wineventlog_index_windows eventtype="wineventlog_common"\
| eval EventCodeDescription=if(isnull(EventCodeDescription) OR len(trim(EventCodeDescription))==0 OR EventCode=="No Description Available-Update windows_eventcode_definitions", mvindex(split(Message, "."), 0), EventCodeDescription)\
| stats latest(EventCodeDescription) as EventCodeDescription by EventCode\
| eval Event=EventCode.":".EventCodeDescription\
| table EventCode, EventCodeDescription, Event\
| sort EventCode
[WinApp_Lookup_Event - EventCode]
disabled = 1
action.email.inline = 1
action.email.reportServerEnabled = 0
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
dispatch.earliest_time = @d
dispatch.latest_time = now
displayview = search
request.ui_dispatch_view = search
search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" \
| stats count by EventCode \
| sort EventCode
[WinApp_Lookup_Event - LogName]
disabled = 1
action.email.inline = 1
action.email.reportServerEnabled = 0
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
dispatch.earliest_time = @d
dispatch.latest_time = now
displayview = search
request.ui_dispatch_view = search
search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" \
| stats count by LogName \
| sort LogName
[WinApp_Lookup_Event - TaskCategory]
disabled = 1
action.email.reportServerEnabled = 0
alert.track = 0
dispatch.earliest_time = @d
dispatch.latest_time = now
displayview = search
request.ui_dispatch_view = search
search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" \
| stats count by TaskCategory \
| sort TaskCategory
[WinApp_Lookup_Perfmon - Combined]
disabled = 1
action.email.reportServerEnabled = 0
alert.track = 0
dispatch.earliest_time = @d
dispatch.latest_time = now
displayview = search
request.ui_dispatch_view = search
search = eventtype=perfmon_index_windows eventtype="perfmon_windows" object=* \
| eval instance = if(isnull(instance), "NA", instance) \
| stats latest(object) as object, latest(counter) as counter by instance \
| sort object, counter, instance
[WinApp_Lookup_Perfmon - Object]
disabled = 1
action.email.reportServerEnabled = 0
alert.track = 0
dispatch.earliest_time = @d
dispatch.latest_time = now
displayview = search
request.ui_dispatch_view = search
search = eventtype=perfmon_index_windows eventtype="perfmon_windows" object=* \
| stats count by object \
| sort object
[WinApp_Lookup_Perfmon - Collections, Object, and counters]
disabled = 1
action.email.reportServerEnabled = 0
alert.track = 0
dispatch.earliest_time = @d
dispatch.latest_time = now
displayview = search
request.ui_dispatch_view = search
search = eventtype=perfmon_index_windows eventtype="perfmon_windows" object=* \
| stats values(counter) as Perfmon_counters by object\
| sort object
[WinApp_Lookup_Perfmon - counters and instances]
disabled = 1
action.email.reportServerEnabled = 0
alert.track = 0
dispatch.earliest_time = @d
dispatch.latest_time = now
displayview = search
request.ui_dispatch_view = search
search = eventtype=perfmon_index_windows eventtype="perfmon_windows" object=* \
| eval Perfmon_counters=object.": ".counter \
| stats values(instance) as Perfmon_instances by Perfmon_counters
[WinApp_Lookup_Perfmon - Host]
disabled = 1
action.email.reportServerEnabled = 0
alert.track = 0
dispatch.earliest_time = 0
dispatch.latest_time = now
displayview = search
request.ui_dispatch_view = search
search = | inputlookup windows_perfmon_system\
| dedup Host\
| table Host\
| sort Host
######################################################
###### Lookup Tables - UPDATE Lookups searches ######
######################################################
[WinApp_Lookup_Build_Perfmon - Update - Server]
disabled = 1
action.email.inline = 1
alert.digest_mode = True
alert.severity = 1
alert.suppress = 0
alert.track = 0
cron_schedule = 0 * * * *
enableSched = 1
dispatch.earliest_time = -80m
dispatch.latest_time = now
run_on_startup = true
search = eventtype=perfmon_index_windows eventtype="perfmon_windows" object=* \
| eval Host=if(isNull(Host),host,Host) \
| stats count by Host \
| eval _key = Host \
| outputlookup windows_perfmon_system append=true
[WinApp_Lookup_Build_Event - Update - Server]
disabled = 1
is_visible = true
action.email.inline = 1
alert.digest_mode = True
alert.severity = 1
alert.suppress = 0
alert.track = 0
cron_schedule = 2 * * * *
enableSched = 1
dispatch.earliest_time = -80m
dispatch.latest_time = now
run_on_startup = true
search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" \
| eval Host=if(isnull(Host), upper(host), upper(Host)) \
| stats count by Host \
| eval _key = Host \
| outputlookup windows_event_system append=true
[WinApp_Lookup_Build_Hostmon - Update - Server]
disabled = 1
is_visible = true
action.email.inline = 1
alert.digest_mode = True
alert.severity = 1
alert.suppress = 0
alert.track = 0
cron_schedule = 4 * * * *
enableSched = 1
dispatch.earliest_time = -80m
dispatch.latest_time = now
run_on_startup = true
search = eventtype=windows_index_windows eventtype="hostmon_windows" \
| eval Host=if(isnull(Host), upper(host), upper(Host)) \
| stats count by Host \
| eval _key = Host \
| outputlookup windows_hostmon_system append=true
[WinApp_Lookup_Build_Netmon - Update - Server]
disabled = 1
is_visible = true
action.email.inline = 1
alert.digest_mode = True
alert.severity = 1
alert.suppress = 0
alert.track = 0
cron_schedule = 9 * * * *
enableSched = 1
dispatch.earliest_time = -80m
dispatch.latest_time = now
run_on_startup = true
search = eventtype=windows_index_windows eventtype="netmon_windows" \
| eval Host=if(isnull(Host), upper(host), upper(Host)) \
| stats count by Host \
| eval _key = Host \
| outputlookup windows_netmon_system append=true
[WinApp_Lookup_Build_Printmon - Update]
disabled = 1
is_visible = true
action.email.inline = 1
alert.digest_mode = True
alert.severity = 1
alert.suppress = 0
alert.track = 0
cron_schedule = 11 * * * *
enableSched = 1
dispatch.earliest_time = -80m
dispatch.latest_time = now
run_on_startup = true
search = eventtype=windows_index_windows sourcetype=WinPrintMon \
| eval Host=if(isnull(Host), upper(host), upper(Host)) \
| stats count by Host printer operation user \
| sort Host printer operation user \
| eval _key = Host . "___" . printer . "___" . operation . "___" . user \
| outputlookup windows_printmon append=true
######################################################
###### Lookup Tables - CREATE Lookups searches ######
######################################################
[WinApp_Lookup_Build_Perfmon - CreateNew - Server]
disabled = 1
action.email.inline = 1
action.email.reportServerEnabled = 0
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
dispatch.earliest_time = 0
dispatch.latest_time = now
displayview = search
request.ui_dispatch_view = search
search = eventtype=perfmon_index_windows eventtype="perfmon_windows" object=* earliest=-60m \
| eval Host=if(isNull(Host),host,Host) \
| stats count by Host \
| outputlookup windows_perfmon_system
[WinApp_Lookup_Build_Netmon - CreateNew - Server]
disabled = 1
action.email.inline = 1
action.email.reportServerEnabled = 0
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
dispatch.earliest_time = 0
displayview = search
request.ui_dispatch_view = search
search = eventtype=windows_index_windows eventtype="netmon_windows" \
| eval Host=if(isnull(Host), upper(host), upper(Host)) \
| stats count by Host \
| outputlookup windows_netmon_system
[WinApp_Lookup_Build_Printmon - CreateNew]
disabled = 1
action.email.inline = 1
action.email.reportServerEnabled = 0
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
dispatch.earliest_time = 0
displayview = search
request.ui_dispatch_view = search
search = eventtype=windows_index_windows sourcetype=WinPrintMon \
| eval Host=if(isnull(Host), upper(host), upper(Host)) \
| fields Host printer operation user \
| dedup Host printer operation user \
| table Host printer operation user \
| sort Host printer operation user \
| outputlookup windows_printmon
[WinApp_Lookup_Build_Event - CreateNew - Server]
disabled = 1
action.email.inline = 1
action.email.reportServerEnabled = 0
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
dispatch.earliest_time = 0
dispatch.latest_time = now
displayview = search
request.ui_dispatch_view = search
search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" \
| eval Host=if(isnull(Host), upper(host), upper(Host)) \
| fields Host \
| dedup Host \
| table Host \
| sort Host \
| outputlookup windows_event_system
[WinApp_Lookup_Build_Hostmon - CreateNew - Server]
disabled = 1
action.email.inline = 1
action.email.reportServerEnabled = 0
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
dispatch.earliest_time = 0
displayview = search
request.ui_dispatch_view = search
search = eventtype=windows_index_windows eventtype="hostmon_windows"\
| eval Host=if(isnull(Host), upper(host), upper(Host)) \
| fields Host \
| dedup Host \
| table Host \
| sort Host \
| outputlookup windows_hostmon_system
####################################
###### Windows Event Searches ######
####################################
[Generic event counts]
disabled = 1
action.email.reportServerEnabled = 0
alert.track = 0
dispatch.earliest_time = -60m@m
dispatch.latest_time = now
displayview = search
request.ui_dispatch_view = search
description= Event search try
search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" \
| stats count by LogName, EventCode, Keywords, TaskCategory, Type
[Event categories and counts by host for the last 30 days]
disabled = 1
action.email.reportServerEnabled = 0
alert.track = 0
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
displayview = search
request.ui_dispatch_view = search
search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" \
| fields host, TaskCategory \
| stats count as EvtCounts by host, TaskCategory \
| sort -EvtCounts \
| eval EvtCatCnt = TaskCategory." (".EvtCounts.")" \
| stats sum(EvtCounts) as Total_Events, values(EvtCatCnt) as Event_Category_Count by host \
| sort -Total_Events \
| eval Host_Count = host." (".Total_Events.")" \
| table Host_Count, Event_Category_Count
[Event severity counts by host for the last 30 days]
disabled = 1
action.email.inline = 1
action.email.reportServerEnabled = 0
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
displayview = search
request.ui_dispatch_view = search
search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" (EventType=2 OR EventType=3 OR EventType=1) \
| eval EventSeverity=case(EventType == 2, "Error", EventType == 3,"Warning", EventType == 1, "Critical") \
| eval host=upper(host) \
| stats count by host EventSeverity \
| xyseries host EventSeverity count \
| eval t=1 \
| addcoltotals \
| sort t desc \
| eval host = if(t>1,"Totals",host) \
| fields - t \
| table host *
[Event severity counts by host for the last 7 days]
disabled = 1
action.email.inline = 1
action.email.reportServerEnabled = 0
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
dispatch.earliest_time = -7d@h
dispatch.latest_time = now
displayview = search
request.ui_dispatch_view = search
search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" (EventType=2 OR EventType=3 OR EventType=1) \
| eval EventSeverity=case(EventType == 2, "Error", EventType == 3,"Warning", EventType == 1, "Critical") \
| eval host=upper(host) \
| stats count by host EventSeverity \
| xyseries host EventSeverity count \
| eval t=1 \
| addcoltotals \
| sort t desc \
| eval host = if(t>1,"Totals",host) \
| fields - t \
| table host *
[Event severity counts by host for the last 24 hours]
disabled = 1
action.email.inline = 1
action.email.reportServerEnabled = 0
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
dispatch.earliest_time = @d
dispatch.latest_time = now
displayview = search
request.ui_dispatch_view = search
search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" (EventType=2 OR EventType=3 OR EventType=1) \
| eval EventSeverity=case(EventType == 2, "Error", EventType == 3,"Warning", EventType == 1, "Critical") \
| eval host=upper(host) \
| stats count by host EventSeverity \
| xyseries host EventSeverity count \
| eval t=1 \
| addcoltotals \
| sort t desc \
| eval host = if(t>1,"Totals",host) \
| fields - t \
| table host *
######################################
###### Windows Perfmon Searches ######
######################################
[Performance counter categories and counts by host for the last 7 days]
disabled = 1
action.email.reportServerEnabled = 0
alert.track = 0
dispatch.earliest_time = -7d@h
dispatch.latest_time = now
displayview = search
request.ui_dispatch_view = search
search = eventtype=perfmon_index_windows eventtype="perfmon_windows" \
| stats values(object) as Perfmon_counter_Category, dc(counter) as Perfmon_counter_Count by Host \
| table Host, Perfmon_counter_Category, Perfmon_counter_Count \
| sort Host
[Number of hosts with Average CPU utilization > 80% in the last 24 hours]
disabled = 1
dispatch.earliest_time = -24h
dispatch.latest_time = now
dispatch.ttl = 2p
relation = None
search = eventtype=perfmon_index_windows eventtype=perfmon_windows Host=* object="processor" counter="% processor time"|stats avg(Value) as Threshold by Host \
| eval range=case(Threshold<10, "OK (<50%)", Threshold<50, "Warn (80%-94%)", Threshold>50, "Critical (95%+)") \
| chart values(Host), count by range
[Average Memory utilization per process, host in the last 24 hours]
action.email.sendresults = 0
disabled = 1
dispatch.earliest_time = -24h
dispatch.latest_time = now
dispatch.ttl = 2p
relation = None
search = eventtype=perfmon_index_windows eventtype=perfmon_windows object=Process counter="Private Bytes" \
| eval MB=Value/(1024*1024) \
| stats avg(MB) as "Avg. Memory Utilization in MB" by instance, host
[Average CPU utilization per process, host in the last 24 hours]
action.email.sendresults = 0
disabled = 1
dispatch.earliest_time = -24h
dispatch.latest_time = now
dispatch.ttl = 2p
relation = None
search = eventtype=perfmon_index_windows eventtype=perfmon_windows object=Process counter="% Processor Time" \
| stats avg(Value) as "Avg. CPU utilization" by instance, Host
#############################################
###### Windows OS App Crashes Searches ######
#############################################
[Application crash count in the last 24 hours]
disabled = 1
action.email.inline = 1
action.email.reportServerEnabled = 0
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" EventCode="1001" Event_Name="*" \
| eval application=P1." (version: ".P2.")" \
| timechart count by application
[Application crash count in the last 7 days]
disabled = 1
action.email.inline = 1
action.email.reportServerEnabled = 0
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
dispatch.earliest_time = -7d@d
dispatch.latest_time = now
search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" EventCode="1001" Event_Name="*" \
| eval application=P1." (version: ".P2.")" \
| timechart count by application
[Application crash count in the last 30 days]
disabled = 1
action.email.inline = 1
action.email.reportServerEnabled = 0
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" EventCode="1001" Event_Name="*" \
| eval application=P1." (version: ".P2.")" \
| timechart count by application
##############################################
###### Windows OS App Installs Searches ######
##############################################
[Count of total installs per user for the last 7 days]
disabled = 1
action.email.reportServerEnabled = 0
alert.track = 0
dispatch.earliest_time = -7d@h
dispatch.latest_time = now
displayview = search
request.ui_dispatch_view = search
search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" SourceName=MsiInstaller EventCode=11707 \
| stats count by User \
| sort -count
[Count of total installs per user each day for the last 7 days]
disabled = 1
action.email.reportServerEnabled = 0
alert.track = 0
dispatch.earliest_time = -7d@h
dispatch.latest_time = now
displayview = search
request.ui_dispatch_view = search
search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" SourceName=MsiInstaller EventCode=11707 \
| timechart count by User
[System_App Installs - By Host - Timechart - 7days]
disabled = 1
action.email.reportServerEnabled = 0
alert.track = 0
dispatch.earliest_time = -7d@h
dispatch.latest_time = now
displayview = search
request.ui_dispatch_view = search
search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" SourceName=MsiInstaller EventCode=11707 \
| dedup _raw \
| rex field=Message "(?s)Product: (?<product_name>.*) --" \
| timechart span=1d count by host
[Count of total installs per Application each day for the last 7 days]
disabled = 1
action.email.reportServerEnabled = 0
alert.track = 0
dispatch.earliest_time = -7d@h
dispatch.latest_time = now
displayview = search
request.ui_dispatch_view = search
search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" SourceName=MsiInstaller EventCode=11707 \
| rex field=Message "(?s)Product: (?<product_name>.*) --" \
| timechart span=1d count by product_name
[List of Applications, Time of install, User and Host for the last 7 days]
disabled = 1
action.email.reportServerEnabled = 0
alert.track = 0
dispatch.earliest_time = -7d@h
dispatch.latest_time = now
displayview = search
request.ui_dispatch_view = search
search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" SourceName=MsiInstaller EventCode=11707 \
| rex field=Message "(?s)Product: (?<product_name>.*) --" \
| table _time host User product_name
#####################################
###### Windows Update searches ######
#####################################
[List of Failed KB installs in the last 7 days]
action.email.inline = 1
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
disabled = 1
dispatch.earliest_time = -7d
dispatch.latest_time = now
search = eventtype=windows_index_windows OR eventtype=wineventlog_index_windows NOT [ search eventtype="Update_Successful_windows" | dedup package, host | fields + host, package ] \
eventtype="Update_Failed" package=* \
| dedup host package \
| stats count, max(_time) as latest_failure_time by host,package \
| sort - latest_failure_time | convert ctime(latest_failure_time) \
| eval kb_details="KB".package." (Total Fails=".tostring(count).") (Last Failure at:".latest_failure_time.")" \
| stats sum(count) as total_fails, values(kb_details) as latest_fail_details by host
[List of KB successful and failed KB installation for the last 30 days]
action.email.inline = 1
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
disabled = 1
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
displayview = search
request.ui_dispatch_view = search
search = eventtype=windows_index_windows OR eventtype=wineventlog_index_windows tag=Windows_Update package=* \
| dedup package, host \
| eval status=if(eventtype=="Update_Successful_windows", "Success", if(eventtype=="Update_Failed", "Failed", "NA")) \
| search NOT status="NA" \
| stats latest(_time) as ltime, count by status, host, package \
| convert ctime(ltime) \
| eval lsuccess="Succesful at (".ltime.")" \
| eval lfail="Failed at (".ltime.")" \
| eval lstatus=if(status=="Success",lsuccess,lfail) \
| stats values(lstatus) as Status_History by host, package \
| sort host,package \
| eval scount=mvcount(Status_History) \
| eval Last_Status=if(scount>1,"Success",if(match(Status_History, "Success*"),"Success","Failed")) \
| table host, package, Last_Status, Status_History \
| sort host,package
[List of Successful installations (non-KB) for the last 7 days]
action.email.inline = 1
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
disabled = 1
dispatch.earliest_time = -7d
dispatch.latest_time = now
search = eventtype=windows_index_windows OR eventtype=wineventlog_index_windows eventtype="Update_Successful_windows" \
| dedup package, host \
| chart count,max(_time) as latest_install_time by package \
| sort - latest_install_time \
| convert ctime(latest_install_time)
[List of shutdowns for last 30 days]
action.email.sendresults = 0
disabled = 1
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
relation = None
search = eventtype=wineventlog_index_windows source=wineventlog:system "EventCode=1076" OR "EventCode=6008" \
| rex field=Message "(?m)(?<cause>.*)$" \
| fields + _time,host,cause
[List of unexpected service terminations for the last 30 days]
action.email.sendresults = 0
disabled = 1
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
relation = None
search = eventtype=wineventlog_index_windows source=wineventlog:system terminated ("EventCode=7034" OR "EventCode=7031") \
| rex field=Message "(?i)^The (?<Service_Name>.*) service terminated unexpectedly.\s+It has done this (?<num_failures>\d+)" \
| fields + _time,host,Service_Name
[List of failed service starts for the last 30 days]
action.email.sendresults = 0
disabled = 1
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
relation = None
search = eventtype=wineventlog_index_windows source=wineventlog:system SourceName="Microsoft-Windows-Service Control Manager" "service failed to start" \
| rex field=Message "^The (?<Service_Name>.*) service failed" \
| fields + _time,host,Service_Name
[WinMgmt_Security_Logon_Success Overall by Host]
alert.track = 0
disabled = 1
dispatch.earliest_time = -7d@h
dispatch.latest_time = now
displayview = search
request.ui_dispatch_view = search
search = eventtype=wineventlog_index_windows eventtype="wineventlog_common"("EventCode=4776" AND Keywords="Audit Success") OR ("EventCode=680" AND "Success Audit") NOT (Logon_Account="*$" OR Logon_account="*$") \
| eval "User_Account" = coalesce(Logon_Account,Logon_account) \
| transaction "User_Account",Source_Workstation maxpause=5s \
| stats count by host \
| sort 10 -count
[WinMgmt_Security_Logon_Success Overtime]
alert.track = 0
disabled = 1
dispatch.earliest_time = -7d@h
dispatch.latest_time = now
displayview = search
request.ui_dispatch_view = search
search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" ("EventCode=4776" AND Keywords="Audit Success") OR ("EventCode=680" AND "Success Audit") NOT (Logon_Account="*$" OR Logon_account="*$") \
| eval "User_Account" = coalesce(Logon_Account,Logon_account) \
| transaction "User_Account",Source_Workstation maxpause=5s \
| timechart bins=1000 count
[WinMgmt_Security_Logon_Unsuccessful]
alert.track = 0
disabled = 1
dispatch.earliest_time = -7d@h
dispatch.latest_time = now
displayview = search
request.ui_dispatch_view = search
search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" ("EventCode=4776" AND Keywords="Audit Success") OR ("EventCode=680" AND "Success Audit") NOT (Logon_Account="*$" OR Logon_account="*$") \
| eval "User_Account" = coalesce(Logon_Account,Logon_account) \
| transaction "User_Account",Source_Workstation maxpause=5s \
| stats latest(_time) as ltime, count by User_Account, Source_Workstation, dest_nt_host, field_match_sum, duration \
| convert ctime(ltime)
[WinMgmt_System_Reboot Overtime]
alert.track = 0
disabled = 1
dispatch.earliest_time = -7d@h
dispatch.latest_time = now
displayview = search
request.ui_dispatch_view = search
search = eventtype=wineventlog_index_windows eventtype="wineventlog_common" EventCode=1074 SourceName="USER32" \
| rex field=_raw "Comment:.(?<comment>.*)" \
| rex field=Message "The process.(?<process>[^ ]+)" \
| transaction host maxspan=5m \
| eval user_count=mvcount(User) \
| eval final_user=case(user_count == 1, User, user_count > 1, mvindex(User, user_count-1))\
| eval process_count=mvcount(process) \
| eval final_process=case(process_count == 1, process, process_count > 1, mvindex(process, process_count-1)) \
| search host="*" final_user="*" \
| table _time host final_user final_process comment \
| rename _time AS Time \
| convert ctime(Time) \
| rename final_user AS Username \
| rename final_process AS "Process name" \
| rename comment AS "Comment"
##########################################
###### Lookup Migration Searches #########
##########################################
[WinApp_Lookup_Build_Hostmon_Machine - Update - Detail]
disabled = 1
is_visible = true
action.email.inline = 1
alert.digest_mode = True
alert.severity = 1
alert.suppress = 0
alert.track = 0
cron_schedule = 5 * * * *
enableSched = 1
dispatch.earliest_time = -80m
dispatch.latest_time = now
run_on_startup = true
search = eventtype=windows_index_windows eventtype="hostmon_windows" Type=OperatingSystem \
| join host [search eventtype=windows_index_windows eventtype=hostmon_windows Type=Computer earliest=-80m] \
| stats count by OS, Domain, Architecture, Manufacturer \
| eval _key = OS . "___" . Domain . "___" . Architecture . "___" . Manufacturer \
| outputlookup windows_hostmon_machine_details append=true
[WinApp_Lookup_Build_Hostmon_Machine - CreateNew - Detail]
disabled = 1
action.email.inline = 1
action.email.reportServerEnabled = 0
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
dispatch.earliest_time = 0
displayview = search
request.ui_dispatch_view = search
search = eventtype=windows_index_windows eventtype="hostmon_windows" Type=OperatingSystem \
| join host [search eventtype=windows_index_windows eventtype=hostmon_windows Type=Computer] \
| dedup OS, Domain, Architecture, Manufacturer \
| table OS, Domain, Architecture, Manufacturer \
| outputlookup windows_hostmon_machine_details
[WinApp_Lookup_Build_Hostmon_FS - Update - Detail]
disabled = 1
is_visible = true
action.email.inline = 1
alert.digest_mode = True
alert.severity = 1
alert.suppress = 0
alert.track = 0
cron_schedule = 6 * * * *
enableSched = 1
dispatch.earliest_time = -80m
dispatch.latest_time = now
run_on_startup = true
search = eventtype=windows_index_windows eventtype=hostmon_windows Type=Disk \
| eval FreeSpacePct=round(FreeSpaceKB/TotalSpaceKB*100) \
| eval TotalSpaceGB=round(TotalSpaceKB/1024/1024) \
| stats count by FileSystem, DriveType, FreeSpacePct, TotalSpaceGB \
| eval _key = FileSystem . "___" . DriveType . "___" . FreeSpacePct . "___" . TotalSpaceGB \
| outputlookup windows_hostmon_fs_details append=true
[WinApp_Lookup_Build_Hostmon_FS - CreateNew - Detail]
disabled = 1
action.email.inline = 1
action.email.reportServerEnabled = 0
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
dispatch.earliest_time = 0
displayview = search
request.ui_dispatch_view = search
search = eventtype=windows_index_windows eventtype=hostmon_windows Type=Disk \
| eval FreeSpacePct=round(FreeSpaceKB/TotalSpaceKB*100) \
| eval TotalSpaceGB=round(TotalSpaceKB/1024/1024) \
| dedup FileSystem, DriveType, FreeSpacePct, TotalSpaceGB \
| table FileSystem, DriveType, FreeSpacePct, TotalSpaceGB \
| outputlookup windows_hostmon_fs_details
[WinApp_Lookup_Build_Hostmon_Process - Update - Detail]
disabled = 1
is_visible = true
action.email.inline = 1
alert.digest_mode = True
alert.severity = 1
alert.suppress = 0
alert.track = 0
cron_schedule = 7 * * * *
enableSched = 1
dispatch.earliest_time = -80m
dispatch.latest_time = now
run_on_startup = true
search = eventtype=windows_index_windows eventtype=hostmon_windows Type=Process \
| stats count by Name \
| eval _key = Name \
| outputlookup windows_hostmon_process_details append=true
[WinApp_Lookup_Build_Hostmon_Process - CreateNew - Detail]
disabled = 1
action.email.inline = 1
action.email.reportServerEnabled = 0
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
dispatch.earliest_time = 0
displayview = search
request.ui_dispatch_view = search
search = eventtype=windows_index_windows eventtype=hostmon_windows Type=Process \
| dedup Name \
| table Name \
| outputlookup windows_hostmon_process_details
###################################################
###### Windows AD Entity Import Saved Search ######
###################################################
[ITSI Import Objects - Import Active Directory Entity]
action.itsi_import_objects = 1
action.itsi_import_objects.param.backfill_enabled = 0
action.itsi_import_objects.param.entity_identifier_fields = host,Server
action.itsi_import_objects.param.entity_informational_fields = DomainNetBIOSName,DomainDNSName,Site,ForestName
action.itsi_import_objects.param.entity_merge_field = entity_title
action.itsi_import_objects.param.entity_title_field = entity_title
action.itsi_import_objects.param.entity_type_field = entity_type
action.itsi_import_objects.param.service_enabled = 1
action.itsi_import_objects.param.service_team = default_itsi_security_group
action.itsi_import_objects.param.service_templates_config = {}
action.itsi_import_objects.param.update_type = upsert
cron_schedule = */15 * * * *
dispatch.earliest_time = -60m
dispatch.latest_time = now
enableSched = 1
disabled = 1
search = eventtype=msad_index_windows eventtype="msad-dc-health" | dedup host\
|eval entity_title=host\
|eval entity_type="Active Directory"\
|table entity_title host ForestName Site DomainDNSName DomainNetBIOSName Server entity_type
Reference in new issue View Git Blame Copy Permalink