admingit
/
Deploiement_Server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'a480f5a4bd'
${ noResults }
Deploiement_Server/deployment-apps/DA-ITSI-CP-windows-dashboards/default/macros.conf

358 lines
24 KiB
Raw Blame History

[ad-domains]
definition = inputlookup DomainSelector|stats count by DomainNetBIOSName|where length(DomainNetBIOSName)>0|rename DomainNetBIOSName as src_nt_domain
[itsi_cp_windows_ad_metric_index]
definition = index=itsi_im_metrics
[admon-computer-lookup-update]
definition = eventtype=admon-computer \
| lookup HostToDomain host \
| eval deletedDate=if(match(lower(admonEventType), "deleted") OR match(lower(isDeleted), "true"), strptime(whenChanged, "%I:%M.%S %p, %a %m/%d/%Y"), 0) \
| table src_nt_domain, distinguishedName, displayName, cn, objectGUID, deletedDate \
| stats max(deletedDate) as deletedDate, first(displayName) as displayName, first(cn) as cn by src_nt_domain, distinguishedName, objectGUID \
| outputlookup append=true ActiveDirectory_ComputerInfoLookup key_field=objectGUID
[admon-gpo-lookup-update]
definition = eventtype=admon-gpo \
| lookup HostToDomain host \
| eval deletedDate=if(match(lower(admonEventType), "deleted") OR match(lower(isDeleted), "true"), strptime(whenChanged, "%I:%M.%S %p, %a %m/%d/%Y"), 0) \
| table src_nt_domain, distinguishedName, displayName, cn, objectGUID, deletedDate \
| stats max(deletedDate) as deletedDate, first(displayName) as displayName, first(cn) as cn by src_nt_domain, distinguishedName, objectGUID \
| outputlookup append=true ActiveDirectory_GPOInfoLookup key_field=objectGUID
[admon-group-lookup-update]
definition = eventtype=admon-group \
| lookup HostToDomain host \
| eval deletedDate=if(match(lower(admonEventType), "deleted") OR match(lower(isDeleted), "true"), strptime(whenChanged, "%I:%M.%S %p, %a %m/%d/%Y"), 0) \
| table src_nt_domain, distinguishedName, displayName, cn, objectGUID, deletedDate \
| stats max(deletedDate) as deletedDate, first(displayName) as displayName, first(cn) as cn by src_nt_domain, distinguishedName, objectGUID \
| outputlookup ActiveDirectory_GroupInfoLookup append=true key_field=objectGUID
[admon-user-lookup-update]
definition = eventtype=admon-user \
| lookup HostToDomain host \
| eval deletedDate=if(match(lower(admonEventType), "deleted") OR match(lower(isDeleted), "true"), strptime(whenChanged, "%I:%M.%S %p, %a %m/%d/%Y"), 0) \
| table src_nt_domain, distinguishedName, displayName, cn, objectGUID, deletedDate \
| stats max(deletedDate) as deletedDate, first(displayName) as displayName, first(cn) as cn by src_nt_domain, distinguishedName, objectGUID \
| outputlookup ActiveDirectory_UserInfoLookup append=true key_field=objectGUID
[audit-gpo-changes(1)]
args = domain
definition = eventtype=msad-ad-access Object_Type=groupPolicyContainer \
| lookup HostToDomain host \
| search src_nt_domain="$domain$" \
| eval src_user=if(isnull(src_user),user,src_user) \
| eval adminuser=src_nt_domain."\\".src_user|eval Object_Name=replace(Object_Name,"}CN","},CN") \
| fields _time,Object_Name,adminuser,session_id \
| transaction maxspan=10m Object_Name,adminuser,session_id \
| lookup ActiveDirectory_GPOInfoLookup distinguishedName as Object_Name OUTPUT displayName,deletedDate,cn \
| `format-ad-object-displayname(displayName,deletedDate)`
[construct-user-subject]
definition = eval user_subject=src_nt_domain."\\".user
[dc-health-perfmon-list]
definition = (counter="DS Threads In Use" OR counter="LDAP Bind Time" OR counter="LDAP Client Sessions" OR counter="LDAP Searches/sec" OR counter="*Binds/sec")
[dns-query-perfmon-list]
definition = (counter="TCP Query Received/sec" OR counter="TCP Response Sent/sec" OR counter="UDP Query Received/sec" OR counter="UDP Response Sent/sec" OR counter="Total Query Received/sec" OR counter="Total Response Sent/sec")
[dns-recursion-perfmon-list]
definition = (counter="Recursive */sec" OR counter="Zone Transfer*")
[domain-list]
definition = eventtype=msad-dc-health|stats count by DomainNetBIOSName,host|where length(DomainNetBIOSName)>0|rename DomainNetBIOSName as src_nt_domain|table host,src_nt_domain
[domain-selector-search]
definition = eventtype=msad-dc-health|dedup host, DomainNetBIOSName,DomainDNSName,ForestName,Site|table host,DomainNetBIOSName,DomainDNSName,ForestName,Site|sort ForestName,Site,DomainDNSName,host
[domain-selector]
definition = inputlookup DomainSelector|table host,DomainDNSName,ForestName,Site
[fix-dnsname(1)]
args = name
definition = eval $name$=replace($name$, "\(\d+\)",".")|eval $name$=replace($name$, "^\.", "")
[fix-localhost]
definition = eval src_host=if(src_ip=="127.0.0.1" OR src_ip=="-",upper(host),src_host)|eval src_host=src_nt_domain."\\".src_host
[format-ad-object-displayname(2)]
args = displayName,deletedDate
definition = eval $displayName$ = if ($deletedDate$==0, $displayName$, $displayName$." (Deleted on ".strftime($deletedDate$, "%F %T").")")
[group-changes-for-group(2)]
args = domain,group
definition = eventtype=msad-groupmembership-changes dest_nt_domain="$domain$" user_group="$group$"|eval adminuser=src_nt_domain."\\".src_user|table _time,adminuser,msad_action,member_id|rename adminuser as "Administrator",msad_action as "Action", member_id as "User"
[ip-to-host]
definition = join src_ip [|inputlookup tHostInfo | table src_ip,src_host,src_nt_domain]
[lockouts-for-user(2)]
args = domain,user
definition = eventtype=msad-failed-user-logons src_nt_domain="$domain$" user="$user$" \
| eval src_nt_host=if(isnull(src_nt_host),src,src_nt_host) \
| stats min(_time) as mintime,max(_time) as maxtime,count by src,src_nt_host,src_ip,signature, src_nt_domain \
| eval mintime=strftime(mintime,"%F %T") \
| eval maxtime=strftime(maxtime,"%F %T") \
| join src_ip type=outer [|inputlookup tHostInfo | dedup src_ip, src_host,src_nt_domain | table src_ip, src_host, src_nt_domain]
[msad-anomalous-events]
definition = eventtype=wineventlog_index_windows ((eventtype=wineventlog-ds Type=Error) OR (eventtype=wineventlog-ds Type=Warning) OR (eventtype=wineventlog_security EventCode=512) OR (eventtype=wineventlog_security EventCode=513) OR (eventtype=wineventlog_security EventCode=516) OR (eventtype=wineventlog_security EventCode=517) OR (eventtype=wineventlog_security EventCode=1100) OR (eventtype=wineventlog_security EventCode=1101) OR (eventtype=wineventlog_security EventCode=1102) OR (eventtype=wineventlog_security EventCode=1104) OR (eventtype=wineventlog_security EventCode=4608) OR (eventtype=wineventlog_security EventCode=4609) OR (eventtype=wineventlog_security EventCode=4612) OR (eventtype=wineventlog_security EventCode=4621))
[msad-changed-attributes]
definition = eval f=replace(MSADChangedAttributes, "(?ms)\r|\n", "########")|eval g=split(f, "########")|eval MSADChanges=mvfilter(NOT match(g, ":\s*-\s*$"))
[rep-health-perfmon-list]
definition = (counter="DRA Inbound Bytes Total/sec" OR counter="DRA Outbound Bytes Total/sec" OR counter="DRA Inbound Object Updates Remaining in Packet" OR counter="DRA Pending Replication Synchronizations")
[secrpt-active-computers(1)]
args = domain
definition = eventtype=msad-successful-computer-logons dest_nt_domain="$domain$"|stats max(_time) as lastLogonTime by dest_nt_domain,user|ldapfilter domain=$domain$ search="(&(objectClass=computer)(sAMAccountName=$user$))" attrs="cn,dNSHostName,operatingSystem,operatingSystemServicePack"|eval lastLogonTime=strftime(lastLogonTime,"%c")|table cn,dNSHostName,operatingSystem,operatingSystemServicePack,lastLogonTime|rename cn as Computer,operatingSystem as "Operating System",operatingSystemServicePack as "Service Pack",lastLogonTime as "Last Logon Time"
[secrpt-active-users(1)]
args = domain
definition = eventtype=msad-successful-user-logons dest_nt_domain="$domain$"|stats max(_time) as lastLogonTime by dest_nt_domain,user|ldapfilter domain=$domain$ search="(&(objectClass=user)(sAMAccountName=$user$))" attrs="cn,userPrincipalName"|eval lastLogonTime=strftime(lastLogonTime,"%c")|table user,cn,userPrincipalName,lastLogonTime|rename user as Username,cn as "Full Name", lastLogonTime as "Last Logon Time"
[secrpt-all-computers(1)]
args = domain
definition = ldapsearch domain="$domain$" search="(objectClass=computer)"|sort cn|table cn,dNSHostName,userAccountControl,operatingSystem,operatingSystemServicePack
[secrpt-all-domain-controllers(1)]
args = domain
definition = ldapsearch domain="$domain$" search="(&(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=532480))"|sort cn|table cn,dNSHostName,userAccountControl,operatingSystem,operatingSystemServicePack
[secrpt-all-group-policies(1)]
args = domain
definition = ldapsearch domain=$domain$ search="(objectClass=groupPolicyContainer)" attrs="displayName,cn,versionNumber"|join type=outer cn [ldapsearch domain=$domain$ search="(gPLink=*)" attrs="distinguishedName,gPLink"|where isnotnull(gPLink)|rex field=gPLink max_match=10 "\[LDAP://(CN|cn)=(?<cn>[^,]+),"|table cn,distinguishedName|mvexpand cn|mvcombine distinguishedName|eval lc=mvjoin(distinguishedName,"###")|fields cn,lc]|eval linkedContainers=split(lc,"###")|table cn,displayName,versionNumber,linkedContainers|rename cn as "Group Policy ID",displayName as "Group Policy Name",versionNumber as "Version",linkedContainers as "Linked Containers"
[secrpt-all-groups(1)]
args = domain
definition = ldapsearch domain="$domain$" search="(&(objectclass=group)(groupType:1.2.840.113556.1.4.803:=2147483648))" attrs="cn,distinguishedName,primaryGroupToken,member,groupType,systemFlags"|ldapgroup domain="$domain$" |sort cn|table cn,groupType,member_dn,member_type
[secrpt-all-orgunits(1)]
args = domain
definition = ldapsearch domain="$domain$" search="(objectclass=organizationalUnit)" attrs="ou,description,gPLink,gPOptions"|sort ou|rex field=gPLink max_match=10 "\[LDAP://(?<gpo>[^;]+);\d+\]"|ldapfetch domain="$domain$" dn=gpo attrs=displayName|table ou,description,displayName|rename ou as "Name",displayName as "Linked GPO"
[secrpt-all-users(1)]
args = domain
definition = ldapsearch domain="$domain$" search="(&(objectclass=user)(!(objectClass=computer)))"|sort sAMAccountName|table sAMAccountName,cn,userPrincipalName,userAccountControl
[secrpt-changed-groups(1)]
args = domain
definition = eventtype=wineventlog_index_windows eventtype=wineventlog_security (EventCode=668 OR EventCode=4764) dest_nt_domain="$domain$"|eval adminuser=src_nt_domain."\\".src_user|lookup GroupType MSADGroupClassID OUTPUT MSADGroupClass|lookup GroupType MSADGroupClassID AS MSADNewGroupClassID OUTPUT MSADGroupClass AS MSADNewGroupClass|table _time,signature,user_group,adminuser,MSADGroupClass,MSADGroupType,MSADNewGroupClass,MSADNewGroupType|rename signature as "Action",user_group as "Group Name",adminuser as "Changed By",MSADGroupClass as "Old Class",MSADGroupType as "Old Type",MSADNewGroupClass as "New Class",MSADNewGroupType as "New Type"
[secrpt-deleted-computers(1)]
args = domain
definition = eventtype=wineventlog_index_windows eventtype=wineventlog_security (EventCode=647 OR EventCode=4743) dest_nt_domain="$domain$"|eval adminuser=src_nt_domain."\\".src_user|table _time,user,adminuser|rename user as "Deleted Computer",adminuser as "Deleted By"
[secrpt-deleted-group-policies(1)]
args = domain
definition = eventtype=msad_index_windows eventtype=admon-gpo isDeleted=TRUE|lookup HostToDomain host|search src_nt_domain="$domain$"|table _time,cn|dedup cn
[secrpt-deleted-groups(1)]
args = domain
definition = eventtype=wineventlog_index_windows eventtype=wineventlog_security (EventCode=634 OR EventCode=638 OR EventCode=662 OR EventCode=4730 OR EventCode=4734 OR EventCode=4758) dest_nt_domain="$domain$"|lookup GroupType MSADGroupClassID OUTPUT MSADGroupClass|eval adminuser=src_nt_domain."\\".src_user|table _time,user_group,MSADGroupClass,MSADGroupType,adminuser|rename user_group as "Group Name",MSADGroupClass as "Class",MSADGroupType as "Type",adminuser as "Deleted By"
[secrpt-deleted-orgunits(1)]
args = domain
definition = eventtype=msad_index_windows eventtype=admon objectClass="*organizationalUnit*" isDeleted=TRUE|lookup HostToDomain host|search src_nt_domain="$domain$"|dedup objectGUID|table _time,ou,description|rename ou as "Name"
[secrpt-deleted-users(1)]
args = domain
definition = eventtype=wineventlog_index_windows eventtype=wineventlog_security (EventCode=630 OR EventCode=4726) dest_nt_domain="$domain$"|eval adminuser=src_nt_domain."\\".src_user|table _time,user,adminuser|rename user as "Deleted User", adminuser as "Deleted By"
[secrpt-disabled-computers(1)]
args = domain
definition = ldapsearch domain="$domain$" search="(&(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=2))"|sort sAMAccountName|table cn,dNSHostName,userAccountControl,whenChanged
[secrpt-disabled-group-policies(1)]
args = domain
definition = ldapsearch domain=$domain$ search="(&(objectClass=groupPolicyContainer)(!(flags=0)))" attrs="displayName,cn,versionNumber,flags,whenChanged"|join type=outer cn [ldapsearch domain=$domain$ search="(gPLink=*)" attrs="distinguishedName,gPLink"|where isnotnull(gPLink)|rex field=gPLink max_match=10 "\[LDAP://(CN|cn)=(?<cn>[^,]+),"|table cn,distinguishedName|mvexpand cn|mvcombine distinguishedName|eval lc=mvjoin(distinguishedName,"###")|fields cn,lc]|eval linkedContainers=split(lc,"###")|eval Status=case(flags==1,"User Settings Disabled",flags==2,"Computer Settings Disabled",flags==3,"All Settings Disabled",flags==0,"Enabled")|table cn,displayName,versionNumber,Status,,whenChanged,linkedContainers|rename cn as "Group Policy ID",displayName as "Group Policy Name",versionNumber as "Version",linkedContainers as "Linked Containers"
[secrpt-disabled-users(1)]
args = domain
definition = ldapsearch domain="$domain$" search="(&(objectclass=user)(!(objectClass=computer))(userAccountControl:1.2.840.113556.1.4.803:=2))"|sort sAMAccountName|table sAMAccountName,cn,userPrincipalName,userAccountControl,whenChanged
[secrpt-empty-groups(1)]
args = domain
definition = ldapsearch domain="$domain$" search="(&(objectclass=group)(groupType:1.2.840.113556.1.4.803:=2147483648))" attrs="cn,distinguishedName,primaryGroupToken,member,groupType,systemFlags"|ldapgroup domain="$domain$"|where isnull(member_dn)|sort cn|table cn,groupType|rename cn as "Group Name",groupType as "Type"
[secrpt-gpolinked-orgunits(1)]
args = domain
definition = ldapsearch domain="$domain$" search="(objectclass=organizationalUnit)" attrs="ou,description,gPLink,gPOptions"|where isnotnull(gPLink)|sort ou|rex field=gPLink max_match=10 "\[LDAP://(?<gpo>[^;]+);\d+\]"|ldapfetch domain="$domain$" dn=gpo attrs=displayName|table ou,description,displayName|rename ou as "Name",displayName as "Linked GPO"
[secrpt-inactive-computers(1)]
args = domain
definition = ldapsearch domain="$domain$" search="(&(objectclass=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" attrs="sAMAccountName,cn,dNSHostName,operatingSystem,operatingSystemServicePack,userAccountControl"|join type=outer sAMAccountName [search eventtype=msad-successful-computer-logons dest_nt_domain="$domain$"|stats max(_time) as lastLogonTime by user|rename user as sAMAccountName]|where isnull(lastLogonTime)|table cn,dNSHostName,operatingSystem,operatingSystemServicePack,userAccountControl|rename cn as Computer,operatingSystem as "Operating System",operatingSystemServicePack as "Service Pack"
[secrpt-inactive-users(1)]
args = domain
definition = ldapsearch domain="$domain$" search="(&(objectclass=user)(!(objectclass=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" attrs="sAMAccountName,cn,userPrincipalName,userAccountControl"|join type=outer sAMAccountName [search eventtype=msad-successful-user-logons dest_nt_domain="$domain$"|stats max(_time) as lastLogonTime by user|rename user as sAMAccountName]|where isnull(lastLogonTime)|table sAMAccountName,cn,userPrincipalName,userAccountControl
[secrpt-large-groups(2)]
args = domain,minsize
definition = ldapsearch domain="$domain$" search="(&(objectclass=group)(groupType:1.2.840.113556.1.4.803:=2147483648))" attrs="cn,distinguishedName,primaryGroupToken,member,groupType,systemFlags"|ldapgroup domain="$domain$"|eval membercount=if(isnull(member_dn),0,mvcount(member_dn))|where membercount>$minsize$|sort cn|table cn,groupType,membercount,member_dn,member_type|rename cn as "Group Name",groupType as "Type",membercount as "# Members",member_dn as "Member DN",member_type as "Member Type"
[secrpt-nested-groups(1)]
args = domain
definition = ldapsearch domain="$domain$" search="(&(objectclass=group)(groupType:1.2.840.113556.1.4.803:=2147483648)(member=*))" attrs="distinguishedName,cn,groupType,member"|ldapgroup domain="$domain$"|mvexpand member_type|search member_type="NESTED*"|dedup cn,member_type|sort distinguishedName|transaction distinguishedName|table distinguishedName,cn,groupType,member_type
[secrpt-new-computers(1)]
args = domain
definition = eventtype=wineventlog_index_windows eventtype=wineventlog_security (EventCode=645 OR EventCode=4741) dest_nt_domain="$domain$"|table _time,src_user,src_nt_domain,dest_nt_domain,user|eval adminuser=src_nt_domain."\\".src_user|ldapfilter domain=$domain$ search="(&(objectClass=computer)(sAMAccountName=$user$))" attrs="cn,dNSHostName,operatingSystem,operatingSystemServicePack"|table _time,cn,dNSHostName,operatingSystem,operatingSystemServicePack,adminuser|rename cn as "Added Computer",operatingSystem as "Operating System",operatingSystemServicePack as "ServicePack",adminuser as "Added By"
[secrpt-new-group-policies(1)]
args = domain
definition = eventtype=msad_index_windows eventtype=admon-gpo|where uSNCreated==uSNChanged|lookup HostToDomain host|search src_nt_domain="$domain$"|dedup distinguishedName|table _time,cn,distinguishedName|join type=outer cn [ldapsearch domain=$domain$ search="(gPLink=*)" attrs="distinguishedName,gPLink"|where isnotnull(gPLink)|rex field=gPLink max_match=10 "\[LDAP://(CN|cn)=(?<cn>[^,]+),"|table cn,distinguishedName|mvexpand cn|mvcombine distinguishedName|eval lc=mvjoin(distinguishedName,"###")|fields cn,lc]|ldapfetch attrs="displayName,versionNumber"|lookup ActiveDirectory_GPOInfoLookup distinguishedName OUTPUT displayName, deletedDate | `format-ad-object-displayname(displayName,deletedDate)`|eval linkedContainers=split(lc,"###")|table _time,cn,displayName,versionNumber,linkedContainers
[secrpt-new-groups(1)]
args = domain
definition = eventtype=wineventlog_index_windows eventtype=wineventlog_security (EventCode=631 OR EventCode=635 OR EventCode=658 OR EventCode=4727 OR EventCode=4731 OR EventCode=4754) dest_nt_domain="$domain$"|lookup GroupType MSADGroupClassID OUTPUT MSADGroupClass|eval adminuser=src_nt_domain."\\".src_user|table _time,user_group,MSADGroupClass,MSADGroupType,adminuser|rename user_group as "Group Name",MSADGroupClass as "Class",MSADGroupType as "Type",adminuser as "Added By"
[secrpt-new-orgunits(1)]
args = domain
definition = eventtype=msad_index_windows eventtype=admon objectClass="*organizationalUnit*"|where uSNChanged==uSNCreated|dedup ou|lookup HostToDomain host|search src_nt_domain="$domain$"|ldapfetch dn=distinguishedName attrs="description,gPLink"|rex field=gPLink max_match=10 "\[LDAP://(?<gpo>[^;]+);\d+\]"|lookup ActiveDirectory_GPOInfoLookup distinguishedName as gpo OUTPUT displayName, deletedDate| `format-ad-object-displayname(displayName,deletedDate)`| table _time,ou,description,displayName|rename ou as "Name",displayName as "Linked GPO"
[secrpt-new-users(1)]
args = domain
definition = eventtype=wineventlog_index_windows eventtype=wineventlog_security (EventCode=624 OR EventCode=4720) dest_nt_domain="$domain$"|eval adminuser=src_nt_domain."\\".src_user|table _time,user,adminuser|rename user as "Added User", adminuser as "Added By"
[secrpt-sensitive-users(1)]
args = domain
definition = ldapsearch domain="$domain$" search="(&(objectclass=user)(!(objectClass=computer))(userAccountControl:1.2.840.113556.1.4.803:=1048576))"|sort sAMAccountName|table sAMAccountName,cn,userPrincipalName,userAccountControl
[secrpt-trusted-computers(1)]
args = domain
definition = ldapsearch domain="$domain$" search="(&(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))"|table cn,dNSHostName,userAccountControl,operatingSystem,operatingSystemServicePack
[secrpt-unmanaged-computers(1)]
args = domain
definition = ldapsearch domain="$domain$" search="(&(objectClass=computer)(!(managedBy=*)))"|sort sAMAccountName|table cn,dNSHostName,userAccountControl,operatingSystem,operatingSystemServicePack
[secrpt-unmanaged-groups(1)]
args = domain
definition = ldapsearch domain="$domain$" search="(&(objectclass=group)(!(manager=*))(groupType:1.2.840.113556.1.4.803:=2147483648))" attrs="cn,distinguishedName,primaryGroupToken,member,groupType,systemFlags"|ldapgroup domain="$domain$"|sort cn|table cn,groupType,member_dn,member_type|rename cn as "Group Name",groupType as "Type",member_dn as "Member DN",member_type as "Member Type"
[secrpt-unmanaged-orgunits(1)]
args = domain
definition = ldapsearch domain="$domain$" search="(&(!(managedBy=*))(objectclass=organizationalUnit))" attrs="ou,description,gPLink,gPOptions"|sort ou|rex field=gPLink max_match=10 "\[LDAP://(?<gpo>[^;]+);\d+\]"|ldapfetch domain="$domain$" dn=gpo attrs=displayName|table ou,description,displayName|rename ou as "Name",displayName as "Linked GPO"
[secrpt-unused-computers(1)]
args = domain
definition = ldapsearch domain="$domain$" search="(&(objectClass=computer)(|(!(logonCount=*))(logonCount=0)))"|table cn,dNSHostName,userAccountControl
[secrpt-unused-users(1)]
args = domain
definition = ldapsearch domain="$domain$" search="(&(objectclass=user)(!(objectClass=computer))(|(!(logonCount=*))(logonCount=0)))"|sort sAMAccountName|table sAMAccountName,cn,userPrincipalName,userAccountControl
[secrpt-users-no-smartcard-required(1)]
args = domain
definition = ldapsearch domain="$domain$" search="(&(objectclass=user)(!(objectClass=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=262144)))"|sort sAMAccountName|table sAMAccountName,cn,userPrincipalName,userAccountControl
[secrpt-users-password-too-old(1)]
args = domain
definition = ldapsearch domain=$domain$ search="(&(objectclass=user)(!(objectclass=computer)))"|join type=outer sAMAccountName [search eventtype=msad-password-changes dest_nt_domain=$domain$|stats max(_time) as maxtime by user|rename user as sAMAccountName]|where isnull(maxtime)|table sAMAccountName,cn,userPrincipalName,userAccountControl,pwdLastSet
[secrpt-users-smartcard-required(1)]
args = domain
definition = ldapsearch domain="$domain$" search="(&(objectclass=user)(!(objectClass=computer))(userAccountControl:1.2.840.113556.1.4.803:=262144))"|sort sAMAccountName|table sAMAccountName,cn,userPrincipalName,userAccountControl
[secrpt-users-that-dont-expire(1)]
args = domain
definition = ldapsearch domain="$domain$" search="(&(objectclass=user)(!(objectClass=computer))(accountExpires=9223372036854775807))"|sort sAMAccountName|table sAMAccountName,cn,userPrincipalName,userAccountControl
[secrpt-users-that-dont-require-password(1)]
args = domain
definition = ldapsearch domain="$domain$" search="(&(objectclass=user)(!(objectClass=computer))(userAccountControl:1.2.840.113556.1.4.803:=32))"|sort sAMAccountName|table sAMAccountName,cn,userPrincipalName,userAccountControl
[secrpt-users-whose-password-doesnt-expire(1)]
args = domain
definition = ldapsearch domain="$domain$" search="(&(objectclass=user)(!(objectClass=computer))(userAccountControl:1.2.840.113556.1.4.803:=65536))"|sort sAMAccountName|table sAMAccountName,cn,userPrincipalName,userAccountControl
[secrpt-users-with-no-manager(1)]
args = domain
definition = ldapsearch domain="$domain$" search="(&(objectclass=user)(!(objectClass=computer))(!(manager=*)))"|sort sAMAccountName|table sAMAccountName,cn,userPrincipalName,userAccountControl
[split-ldapgroup]
definition = table mv_combo|mvexpand mv_combo|eval mm=split(mv_combo,"###")|eval member_dn=mvindex(mm,0)|eval member_name=mvindex(mm,1)|eval member_domain=mvindex(mm,2)|eval member_type=mvindex(mm,3)
[thostinfo]
definition = (eventtype=msad-successful-computer-logons OR eventtype=msad-failed-computer-logons) NOT (src_ip="127.0.0.1" OR src_ip="::1" OR src_ip="-")|eval src_host=rtrim(user,"$")|rename dest_nt_domain as src_nt_domain|eval src_hostdomain=src_nt_domain."\\".src_host|where isnotnull(src_ip)|table _time,src_ip,src_hostdomain,src_nt_domain,src_host|sort 0 src_ip,_time|dedup consecutive=T src_ip,src_hostdomain|sort 0 -_time
[ldap_lookup_member_split]
definition = table cn, mv_combo, member_dn\
| makemv delim="###" mv_combo\
| eval member_name=mvindex(mv_combo,1)\
| eval member_domain=mvindex(mv_combo,2)\
| eval member_type=mvindex(mv_combo,3)\
| makemv delim="," member_name\
| makemv delim="," member_domain\
| makemv delim="," member_type\
| eval member_details=mvzip(mvzip(member_domain,member_name,"\\"),member_type," - Type: ")\
| eval member_security_id=mvzip(member_domain,member_name,"\\")
Reference in new issue View Git Blame Copy Permalink