Deploiement_Server/deployment-apps/ms_windows_ad_objects/default/macros.conf

##Index Pre-Filters
[ms__obj_win_events_index]
definition = index="wineventlog"
iseval = 0

[ms__obj_win_perfmon_index]
definition = index=perfmon
iseval = 0

[ms__obj_win_api_index]
definition = index=windows
iseval = 0

[ms__obj_win_ad_index]
definition = index=msad
iseval = 0

##Windows WinHostMon Search
[ms_obj_winhostmon_base]
definition = `ms__obj_win_api_index` sourcetype="WinHostMon"
iseval = 0

##Windows EventLog Sourcetype and Source Searches##
[ms_obj_win_events_all]
definition = `ms__obj_win_events_index` (sourcetype="WinEventLog" OR sourcetype="XMLWinEventLog" OR sourcetype="WMIWineventLog")
iseval = 0

[ms_obj_win_events_security]
definition = `ms__obj_win_events_index` (source="WinEventLog:Security" OR source="XMLWinEventLog:Security" OR source="WMIWineventLog:Security")
iseval = 0

[ms_obj_win_events_application]
definition = `ms__obj_win_events_index` (source="WinEventLog:Application" OR source="XMLWinEventLog:Application" OR source="WMIWineventLog:Application")
iseval = 0

[ms_obj_win_events_system]
definition = `ms__obj_win_events_index` (source="WinEventLog:System" OR source="XMLWinEventLog:System" OR source="WMIWineventLog:System")
iseval = 0

##Active Directory Searches
##- admon - base index and sourcetype search
[ms_obj_admon_base]
definition = `ms__obj_win_ad_index` sourcetype="ActiveDirectory"
iseval = 0

##- admon - Filter components - Types admonEventType
[ms_obj_admon_base_a_type]
definition = ("admonEventType=Sync" OR "admonEventType=Update" OR "admonEventType=Deleted")
iseval = 0

[ms_obj_admon_base_del_type]
definition = "admonEventType=Deleted"
iseval = 0

[ms_obj_admon_base_upd_type]
definition = "admonEventType=Update"
iseval = 0

[ms_obj_admon_base_sync_type]
definition = "admonEventType=Sync"
iseval = 0

[ms_obj_admon_base_start_type]
definition = "admonEventType=Start"
iseval = 0

##- admon - Filter components - Object Type
[ms_obj_admon_base_a_obj]
definition = `ms_obj_admon_base` ("objectClass=top|person|organizationalPerson|user" OR "objectClass=top|group" OR "objectClass=top|container|groupPolicyContainer" OR (("objectClass=top|organizationalUnit") OR ("objectClass=top|container" NOT "CN=Policies," NOT "CN=DomainUpdates")))
iseval = 0

[ms_obj_admon_user]
definition = `ms_obj_admon_base` "objectClass=top|person|organizationalPerson|user" NOT "objectClass=top|person|organizationalPerson|user|computer" NOT ([| inputlookup AD_Obj_Domain WHERE multi_lkps_enabled="t" | stats count by dc_val | table dc_val])
iseval = 0

[ms_obj_admon_group]
definition = `ms_obj_admon_base` "objectClass=top|group" NOT ([| inputlookup AD_Obj_Domain WHERE multi_lkps_enabled="t" | stats count by dc_val | table dc_val])
iseval = 0

[ms_obj_admon_computer]
definition = `ms_obj_admon_base` "objectClass=top|person|organizationalPerson|user|computer" NOT ([| inputlookup AD_Obj_Domain WHERE multi_lkps_enabled="t" | stats count by dc_val | table dc_val])
iseval = 0

[ms_obj_admon_ou]
definition = `ms_obj_admon_base` (("objectClass=top|organizationalUnit") OR ("objectClass=top|container" NOT "CN=Policies," NOT "CN=DomainUpdates"))
iseval = 0

[ms_obj_admon_gpo]
definition = `ms_obj_admon_base` "objectClass=top|container|groupPolicyContainer"
iseval = 0

[ms_obj_admon_gpo(1)]
args = domain_dc_val
definition = `ms_obj_admon_base` "objectClass=top|container|groupPolicyContainer" dc_val="$domain_dc_val$"
iseval = 0

###-------------------------------------------------------------------------------###
#--- 		Macro's Used for Filtering either raw text, using IN() or a Field    ---#
###-------------------------------------------------------------------------------###
###-------------------------------------------------------------------------------###
#--   NOTE: Requires a | before the macro (ie |`ms_obj_ss_filt_raw("User","*","sAMAccountName","joebob","sAMAccountName,dn,cn,userPrincipalName")`)
#--   Arguments:
#--  	- tok_obj_type = Object Type part of the Lookup Name
#--			- Has to be one of the following (User, Group, Computer, OU, GPO)
#--  	- tok_domain = Past AD Domain or *
#--  	- tok_match_field = This is the field from the lookup that matches the
#--			passed filtering value, $tok_obj_val$.
#--  	- tok_obj_val = This is the value that is passed and will be used to match the
#--			$tok_match_field$ specified field.
#--  	- tok_comb_fields = This is a comma seperated list of the lookup fields that
#--			will be combined for the filtering search.
#--  	- tok_link_field = This is the field in the source results that will be
#--			linked to the passed object value $tok_obj_val$.
###-------------------------------------------------------------------------------###
###-------------------------------------------------------------------------------###
#--	  Examples:
## 		- Raw Text Sub Search:
##			- ms_obj_ss_filt_raw(5) Subsearch Ex:
##				index=wineventlog [|`ms_obj_ss_filt_raw("User","*","sAMAccountName","joebob","sAMAccountName,dn,cn,userPrincipalName")`
##					- Example txt Output = "joebob" OR "CN=Joe Bob,CN=Users,DC=sedemo,DC=local" OR "Joe Bob" OR "joebob@sedemo.local"
##			- ms_obj_ss_filt_raw(5) Basic Example:
##				|`ms_obj_ss_filt_raw("User","*","sAMAccountName","joebob","sAMAccountName,dn,cn,userPrincipalName")`
## 		- Search IN() Sub Search:
##			- ms_obj_ss_filt_raw(5) Ex:
##				index=wineventlog | fields _time,user | search user IN([|`ms_obj_ss_filt_in("User","*","sAMAccountName","joebob","sAMAccountName,dn,cn,userPrincipalName")`)
##					- Example txt Output = "joebob","CN=Administrator,CN=Users,DC=sedemo,DC=local","Joe Bob","joebob@sedemo.local"
## 		- Linking to a results field:
##			- ms_obj_ss_filt_raw(6) Ex:
##				index=wineventlog | fields _time,user | search user IN([|`ms_obj_ss_filt_in("User","*","sAMAccountName","joebob","sAMAccountName,dn,cn,userPrincipalName")`)
##					- Example txt Output = user="joebob" OR user="CN=Administrator,CN=Users,DC=sedemo,DC=local" OR user="Joe Bob" OR user="joebob@sedemo.local"
#--	  Multi-Domain Examples - With kv_suffix(sedemo):
## 		- Raw Text Sub Search:
##			- ms_obj_ss_filt_raw(5) Subsearch Ex:
##				index=wineventlog [|`ms_obj_ss_filt_raw("User_sedemo","*","sAMAccountName","joebob","sAMAccountName,dn,cn,userPrincipalName")`
##					- Example txt Output = "joebob" OR "CN=Joe Bob,CN=Users,DC=sedemo,DC=local" OR "Joe Bob" OR "joebob@sedemo.local"
##			- ms_obj_ss_filt_raw(5) Basic Example:
##				|`ms_obj_ss_filt_raw("User_sedemo","*","sAMAccountName","joebob","sAMAccountName,dn,cn,userPrincipalName")`
## 		- Search IN() Sub Search:
##			- ms_obj_ss_filt_raw(5) Ex:
##				index=wineventlog | fields _time,user | search user IN([|`ms_obj_ss_filt_in("User_sedemo","*","sAMAccountName","joebob","sAMAccountName,dn,cn,userPrincipalName")`)
##					- Example txt Output = "joebob","CN=Administrator,CN=Users,DC=sedemo,DC=local","Joe Bob","joebob@sedemo.local"
## 		- Linking to a results field:
##			- ms_obj_ss_filt_raw(6) Ex:
##				index=wineventlog | fields _time,user | search user IN([|`ms_obj_ss_filt_in("User_sedemo","*","sAMAccountName","joebob","sAMAccountName,dn,cn,userPrincipalName")`)
##					- Example txt Output = user="joebob" OR user="CN=Administrator,CN=Users,DC=sedemo,DC=local" OR user="Joe Bob" OR user="joebob@sedemo.local"

[ms_obj_ss_filt_raw(5)]
args = tok_obj_type,tok_domain,tok_match_field,tok_obj_val,tok_comb_fields
definition = inputlookup AD_Obj_$tok_obj_type$ WHERE domain="$tok_domain$" AND $tok_match_field$="$tok_obj_val$"\
| fields $tok_comb_fields$\
| eval search=mvdedup(mvappend($tok_comb_fields$))\
| stats values(search) AS search\
| eval search=if(mvcount(search)==1,"\"".search."\"",replace("\"".mvjoin(search,"\" OR \"")."\"","(^\"\"\sOR\s|\sOR\s\"\"$)",""))\
| table search
iseval = 0

[ms_obj_ss_filt_in(5)]
args = tok_obj_type,tok_domain,tok_match_field,tok_obj_val,tok_comb_fields
definition = inputlookup AD_Obj_$tok_obj_type$ WHERE domain="$tok_domain$" AND $tok_match_field$="$tok_obj_val$"\
| fields $tok_comb_fields$\
| eval search=mvdedup(mvappend($tok_comb_fields$))\
| stats values(search) AS search\
| eval search=if(mvcount(search)==1,"\"".search."\"",replace("\"".mvjoin(search,"\",\"")."\"","(^\"\",|,\"\"$)",""))\
| table search
iseval = 0

[ms_obj_ss_filt_field(6)]
args = tok_obj_type,tok_domain,tok_match_field,tok_obj_val,tok_comb_fields,tok_link_field
definition = inputlookup AD_Obj_$tok_obj_type$ WHERE domain="$tok_domain$" AND $tok_match_field$="$tok_obj_val$"\
| fields $tok_comb_fields$\
| eval search=mvdedup(mvappend($tok_comb_fields$))\
| stats values(search) AS search\
| eval search=if(mvcount(search)==1,"$tok_link_field$=\"".search."\"",replace("$tok_link_field$=\"".mvjoin(search,"\" OR $tok_link_field$=\"")."\"","(^$tok_link_field$=\"\"\sOR\s|\sOR\s$tok_link_field$=\"\"$)",""))\
| table search
iseval = 0
###-------------------------------------------------------------------------------###
####  By Group Filters ####
###-------------------------------------------------------------------------------###
## ms_obj_ss_filt_multi_raw  - Multiple Object Filter - Requires | before
##  - The tok_match_field and the tok_obj_val are for retrieving a specific group's members.
##	- Example: | `ms_obj_ss_filt_by_groupm_raw("User","*","dn","CN=Administrators,CN=Builtin,DC=sedemo,DC=local","sAMAccountName,dn,cn,userPrincipalName")`
[ms_obj_ss_filt_by_groupm_raw(5)]
args = tok_obj_type,tok_domain,tok_match_field,tok_obj_val,tok_comb_fields
definition = inputlookup AD_Obj_$tok_obj_type$ WHERE domain="$tok_domain$" AND [| inputlookup AD_Obj_Group WHERE $tok_match_field$="$tok_obj_val$" | fields member | rename member AS dn | table dn]\
| fields $tok_comb_fields$\
| eval search=mvdedup(mvappend($tok_comb_fields$))\
| stats values(search) AS search\
| eval search=if(mvcount(search)==1,"\"".search."\"",replace("\"".mvjoin(search,"\" OR \"")."\"","(^\"\"\sOR\s|\sOR\s\"\"$)",""))\
| table search
iseval = 0

[ms_obj_ss_filt_by_groupm_in(5)]
args = tok_obj_type,tok_domain,tok_match_field,tok_obj_val,tok_comb_fields
definition = inputlookup AD_Obj_$tok_obj_type$ WHERE domain="$tok_domain$" AND [| inputlookup AD_Obj_Group WHERE $tok_match_field$="$tok_obj_val$" | fields member | rename member AS dn | table dn]\
| fields $tok_comb_fields$\
| eval search=mvdedup(mvappend($tok_comb_fields$))\
| stats values(search) AS search\
| eval search=if(mvcount(search)==1,"\"".search."\"",replace("\"".mvjoin(search,"\",\"")."\"","(^\"\",|,\"\"$)",""))\
| table search
iseval = 0

[ms_obj_ss_filt_by_groupm_field(6)]
args = tok_obj_type,tok_domain,tok_match_field,tok_obj_val,tok_comb_fields,tok_link_field
definition = inputlookup AD_Obj_$tok_obj_type$ WHERE domain="$tok_domain$" AND [| inputlookup AD_Obj_Group WHERE $tok_match_field$="$tok_obj_val$" | fields member | rename member AS dn | table dn]\
| fields $tok_comb_fields$\
| eval search=mvdedup(mvappend($tok_comb_fields$))\
| stats values(search) AS search\
| eval search=if(mvcount(search)==1,"$tok_link_field$=\"".search."\"",replace("$tok_link_field$=\"".mvjoin(search,"\" OR $tok_link_field$=\"")."\"","(^$tok_link_field$=\"\"\sOR\s|\sOR\s$tok_link_field$=\"\"$)",""))\
| table search
iseval = 0

###-------------------------------------------------------------------------------###
####  MULTI-DOMAIN - Split KV - By Group Filters ####
###-------------------------------------------------------------------------------###
## ms_obj_ss_filt_multi_raw  - Multiple Object Filter - Requires | before
##  - The tok_match_field and the tok_obj_val are for retrieving a specific group's members.
##	- Example: | `ms_obj_ss_filt_by_groupm_raw("User","sedemo","*","dn","CN=Administrators,CN=Builtin,DC=sedemo,DC=local","sAMAccountName,dn,cn,userPrincipalName")`
[ms_obj_md_ss_filt_by_groupm_raw(6)]
args = tok_obj_type,tok_kv_suffix_type,tok_domain,tok_match_field,tok_obj_val,tok_comb_fields
definition = inputlookup AD_Obj_$tok_obj_type$_$tgt_kv_suffix$ WHERE domain="$tok_domain$" AND [| inputlookup AD_Obj_Group_$tgt_kv_suffix$ WHERE $tok_match_field$="$tok_obj_val$" | fields member | rename member AS dn | table dn]\
| fields $tok_comb_fields$\
| eval search=mvdedup(mvappend($tok_comb_fields$))\
| stats values(search) AS search\
| eval search=if(mvcount(search)==1,"\"".search."\"",replace("\"".mvjoin(search,"\" OR \"")."\"","(^\"\"\sOR\s|\sOR\s\"\"$)",""))\
| table search
iseval = 0

[ms_obj_md_ss_filt_by_groupm_in(6)]
args = tok_obj_type,tok_kv_suffix,tok_domain,tok_match_field,tok_obj_val,tok_comb_fields
definition = inputlookup AD_Obj_$tok_obj_type$_$tgt_kv_suffix$ WHERE domain="$tok_domain$" AND [| inputlookup AD_Obj_Group_$tgt_kv_suffix$ WHERE $tok_match_field$="$tok_obj_val$" | fields member | rename member AS dn | table dn]\
| fields $tok_comb_fields$\
| eval search=mvdedup(mvappend($tok_comb_fields$))\
| stats values(search) AS search\
| eval search=if(mvcount(search)==1,"\"".search."\"",replace("\"".mvjoin(search,"\",\"")."\"","(^\"\",|,\"\"$)",""))\
| table search
iseval = 0

[ms_obj_md_ss_filt_by_groupm_field(7)]
args = tok_obj_type,tok_kv_suffix,tok_domain,tok_match_field,tok_obj_val,tok_comb_fields,tok_link_field
definition = inputlookup AD_Obj_$tok_obj_type$_$tgt_kv_suffix$ WHERE domain="$tok_domain$" AND [| inputlookup AD_Obj_Group_$tgt_kv_suffix$ WHERE $tok_match_field$="$tok_obj_val$" | fields member | rename member AS dn | table dn]\
| fields $tok_comb_fields$\
| eval search=mvdedup(mvappend($tok_comb_fields$))\
| stats values(search) AS search\
| eval search=if(mvcount(search)==1,"$tok_link_field$=\"".search."\"",replace("$tok_link_field$=\"".mvjoin(search,"\" OR $tok_link_field$=\"")."\"","(^$tok_link_field$=\"\"\sOR\s|\sOR\s$tok_link_field$=\"\"$)",""))\
| table search
iseval = 0
###-------------------------------------------------------------------------------###
####  By Admin Audit Specific - By Group Filters ####
###-------------------------------------------------------------------------------###
## ms_obj_ss_filt_multi_raw  - Multiple Object Filter - Requires | before
##  - The tok_match_field and the tok_obj_val are for retrieving a specific group's members.
##	- Example: | `ms_obj_aa_filt_by_groupm_raw("*","dn","CN=Administrators,CN=Builtin,DC=sedemo,DC=local","sAMAccountName,dn,cn,userPrincipalName","AD_Obj_User","AD_Obj_Group")`
##	- Example Multi-Domain: | `ms_obj_aa_filt_by_groupm_raw("*","dn","CN=Administrators,CN=Builtin,DC=sedemo,DC=local","sAMAccountName,dn,cn,userPrincipalName","AD_Obj_User_sedemo","AD_Obj_Group_sedemo")`
[ms_obj_aa_filt_by_groupm_raw(6)]
args = tok_domain,tok_match_field,tok_obj_val,tok_comb_fields,user_lookup,group_lookup
definition = inputlookup AD_Obj_Admin_Audit WHERE admin_domain="$tok_domain$" AND [| inputlookup $group_lookup$ WHERE $tok_match_field$="$tok_obj_val$"| fields member | rename member AS dn | lookup $user_lookup$ dn OUTPUT lookup_usr AS admin_user| stats values(admin_user) AS admin_user | format]\
| lookup $user_lookup$ lookup_usr AS admin_user OUTPUT cn,sAMAccountName,userPrincipalName\
| `ms_obj_ss_filt_flds_raw("$tok_comb_fields$")`
iseval = 0

[ms_obj_aa_filt_by_groupm_in(6)]
args = tok_domain,tok_match_field,tok_obj_val,tok_comb_fields,user_lookup,group_lookup
definition = inputlookup AD_Obj_Admin_Audit WHERE admin_domain="$tok_domain$" AND [| inputlookup $group_lookup$ WHERE $tok_match_field$="$tok_obj_val$"| fields member | rename member AS dn | lookup $user_lookup$ dn OUTPUT lookup_usr AS admin_user| stats values(admin_user) AS admin_user | format]\
| lookup $user_lookup$ lookup_usr AS admin_user OUTPUT cn,sAMAccountName,userPrincipalName\
| `ms_obj_ss_filt_flds_in("$tok_comb_fields$")`
iseval = 0
###-------------------------------------------------------------------------------###
####  By Admin Audit Specific - By Admin Filters ####
###-------------------------------------------------------------------------------###
[ms_obj_aa_filt_by_admin_raw(5)]
args = tok_domain,tok_match_field,tok_obj_val,tok_comb_fields,user_lookup
definition = inputlookup AD_Obj_Admin_Audit WHERE admin_domain="$tok_domain$"\
| lookup $user_lookup$ lookup_usr AS admin_user OUTPUT dn,cn,sAMAccountName,userPrincipalName\
| search $tok_match_field$="$tok_obj_val$"\
| `ms_obj_ss_filt_flds_raw("$tok_comb_fields$")`
iseval = 0

[ms_obj_aa_filt_by_admin_in(5)]
args = tok_domain,tok_match_field,tok_obj_val,tok_comb_fields,user_lookup
definition = inputlookup AD_Obj_Admin_Audit WHERE admin_domain="$tok_domain$"\
| lookup $user_lookup$ lookup_usr AS admin_user OUTPUT dn,cn,sAMAccountName,userPrincipalName\
| search $tok_match_field$="$tok_obj_val$"\
| `ms_obj_ss_filt_flds_in("$tok_comb_fields$")`
iseval = 0
##  - Replaced with ms_obj_aa_filt_by_groupm_raw(6) for supporting Multi-Domain KV Split
##[ms_obj_aa_filt_by_groupm_raw(4)]
##args = tok_domain,tok_match_field,tok_obj_val,tok_comb_fields
##definition = inputlookup AD_Obj_Admin_Audit WHERE domain="$tok_domain$" AND [| inputlookup AD_Obj_Group WHERE $tok_match_field$="$tok_obj_val$" | fields member | rename member AS admin_dn | table admin_dn]\
##| fields $tok_comb_fields$\
##| eval search=mvdedup(mvappend($tok_comb_fields$))\
##| stats values(search) AS search\
##| eval search=if(mvcount(search)==1,"\"".search."\"",replace("\"".mvjoin(search,"\" OR \"")."\"","(^\"\"\sOR\s|\sOR\s\"\"$)",""))\
##| table search
##iseval = 0
##  - Replaced with ms_obj_aa_filt_by_groupm_in(6) for supporting Multi-Domain KV Split
##[ms_obj_aa_filt_by_groupm_in(4)]
##args = tok_domain,tok_match_field,tok_obj_val,tok_comb_fields
##definition = inputlookup AD_Obj_Admin_Audit WHERE domain="$tok_domain$" AND [| inputlookup AD_Obj_Group WHERE $tok_match_field$="$tok_obj_val$" | fields member | rename member AS admin_dn | table admin_dn]\
##| fields $tok_comb_fields$\
##| eval search=mvdedup(mvappend($tok_comb_fields$))\
##| stats values(search) AS search\
##| eval search=if(mvcount(search)==1,"\"".search."\"",replace("\"".mvjoin(search,"\",\"")."\"","(^\"\",|,\"\"$)",""))\
##| table search
##iseval = 0

###-------------------------------------------------------------------------------###
####  REMOVE - Using Single macro for MULTI-DOMAIN OR non-Split KV - By Admin Audit Specific - By Group Filters ####
###-------------------------------------------------------------------------------###
## ms_obj_ss_filt_multi_raw  - Multiple Object Filter - Requires | before
##  - The tok_match_field and the tok_obj_val are for retrieving a specific group's members.
##	- Example: | `ms_obj_aa_filt_by_groupm_raw("*","sedemo","dn","CN=Administrators,CN=Builtin,DC=sedemo,DC=local","sAMAccountName,dn,cn,userPrincipalName")`
##[ms_obj_md_aa_filt_by_groupm_raw(5)]
##args = tok_domain,tok_kv_suffix,tok_match_field,tok_obj_val,tok_comb_fields
##definition = inputlookup AD_Obj_Admin_Audit WHERE domain="$tok_domain$" AND [| inputlookup AD_Obj_Group_$tok_kv_suffix$ WHERE $tok_match_field$="$tok_obj_val$" | fields member | rename member AS admin_dn | table admin_dn]\
##| fields $tok_comb_fields$\
##| eval search=mvdedup(mvappend($tok_comb_fields$))\
##| stats values(search) AS search\
##| eval search=if(mvcount(search)==1,"\"".search."\"",replace("\"".mvjoin(search,"\" OR \"")."\"","(^\"\"\sOR\s|\sOR\s\"\"$)",""))\
##| table search
##iseval = 0

##[ms_obj_md_aa_filt_by_groupm_in(5)]
##args = tok_domain,tok_kv_suffix,tok_match_field,tok_obj_val,tok_comb_fields
##definition = inputlookup AD_Obj_Admin_Audit WHERE domain="$tok_domain$" AND [| inputlookup AD_Obj_Group_$tok_kv_suffix$ WHERE $tok_match_field$="$tok_obj_val$" | fields member | rename member AS admin_dn | table admin_dn]\
##| fields $tok_comb_fields$\
##| eval search=mvdedup(mvappend($tok_comb_fields$))\
##| stats values(search) AS search\
##| eval search=if(mvcount(search)==1,"\"".search."\"",replace("\"".mvjoin(search,"\",\"")."\"","(^\"\",|,\"\"$)",""))\
##| table search
##iseval = 0
###-------------------------------------------------------------------------------###
#--- 					Macros Used for AD Changes    							 ---#
###-------------------------------------------------------------------------------###
###-------------------------------------------------------------------------------###
### NOTE: UPDATED MACROS - Consolidated
##-- User --##
## ms_obj_user_changes_base Replaced With `ms_obj_changes_base_cat("User")`
## ms_obj_user_changes_action(1) Replaced With `ms_obj_changes_base_cat_act("User",<passed_action>)`
##-- Groups --##
## ms_obj_group_changes_base Replaced With `ms_obj_changes_base_cat("Group")`
## ms_obj_group_changes_action(1) Replaced With `ms_obj_changes_base_cat_act("Group",<passed_action>)`
##-- Group Membership --##
## ms_obj_group_membership_changes_base Replaced With `ms_obj_changes_base_cat("Group Membership")`
## ms_obj_group_membership_changes_action(1) Replaced With `ms_obj_changes_base_cat_act("Group Membership",<passed_action>)`
##-- Computer --##
## ms_obj_computer_changes_base Replaced With `ms_obj_changes_base_cat("Computer")`
## ms_obj_computer_changes_action(1) Replaced With `ms_obj_changes_base_cat_act("Computer",<passed_action>)`
##-- Organizational Units --##
## ms_obj_ou_changes_base Replaced With `ms_obj_changes_base_cat("OU")`
## ms_obj_ou_changes_action(1) Replaced With `ms_obj_changes_base_cat_act("OU",<passed_action>)`
##-- Group Policy --##
## ms_obj_gpo_changes_base Replaced With `ms_obj_changes_base_cat("Group Policy")`
## ms_obj_gpo_changes_action(1) Replaced With `ms_obj_changes_base_cat_act("Group Policy",<passed_action>)`
##-- Change Search with formatted output --##
## ms_obj_computer_changes_search(3) AND ms_obj_user_changes_search(3) Replaced with `ms_obj_changes_search(4)`
###-------------------------------------------###
## Macros to speed up searches
[ms_obj_change_raw_std]
definition = inputlookup AD_Audit_Change_EventCodes \
| fields EventCode \
| stats values(EventCode) AS search \
| eval search="\"EventCode=".mvjoin(search,"\" OR \"EventCode=")."\"" \
| table search
iseval = 0

[ms_obj_change_raw_xml]
definition = inputlookup AD_Audit_Change_EventCodes \
| fields EventCode \
| stats values(EventCode) AS search \
| eval search="\"<EventID>".mvjoin(search,"</EventID>\" OR \"<EventID>")."</EventID>\"" \
| table search
iseval = 0

[ms_obj_change_raw_cmb]
definition = inputlookup AD_Audit_Change_EventCodes\
| fields EventCode\
| stats values(EventCode) AS search\
| eval search="\"EventCode=".mvjoin(search,"\" OR \"EventCode=")."\" OR \"<EventID>".mvjoin(search,"</EventID>\" OR \"<EventID>")."</EventID>\"" \
| table search
iseval = 0

[ms_obj_change_raw_cmb(1)]
args = tok_chg_cat
definition = inputlookup AD_Audit_Change_EventCodes WHERE change_category="$tok_chg_cat$"\
| fields EventCode\
| stats values(EventCode) AS search\
| eval search="\"EventCode=".mvjoin(search,"\" OR \"EventCode=")."\" OR \"<EventID>".mvjoin(search,"</EventID>\" OR \"<EventID>")."</EventID>\"" \
| table search
iseval = 0

[ms_obj_change_raw_cmb(2)]
args = tok_chg_cat,tok_obj_type
definition = inputlookup AD_Audit_Change_EventCodes WHERE change_category="$tok_chg_cat$"\
| fields EventCode\
| stats values(EventCode) AS search\
| eval search="obj_type=\"$tok_obj_type$\" (\"EventCode=".mvjoin(search,"\" OR \"EventCode=")."\" OR \"<EventID>".mvjoin(search,"</EventID>\" OR \"<EventID>")."</EventID>\")" \
| table search
iseval = 0

## Base Change Macros
[ms_obj_changes_base_type(1)]
args = tok_chg_type
definition = `ms_obj_win_events_security` [|inputlookup AD_Audit_Change_EventCodes WHERE obj_type="$tok_chg_type$" |stats values(EventCode) AS EventCode,values(obj_type) AS obj_type | format] src_user_type="user" NOT((EventCode=4723 OR EventCode=4738) AND src_user=user)
iseval = 0

##-- User Changing their Own Password --##
[ms_obj_changes_filt_pwd_res]
definition = NOT((EventCode=4723 OR EventCode=4738) AND src_user!=user)
iseval = 0

##-- All Changes --##
[ms_obj_changes_base_all]
args = tok_chg_cat,tok_chg_action
definition = `ms_obj_win_events_security` [|inputlookup AD_Audit_Change_EventCodes |stats values(EventCode) AS EventCode,values(obj_type) AS obj_type | format] src_user_type="user" NOT((EventCode=4723 OR EventCode=4738) AND src_user!=user)
iseval = 0

##-- All Changes for Category--##
[ms_obj_changes_base_cat(1)]
args = tok_chg_cat
definition = `ms_obj_win_events_security` [|inputlookup AD_Audit_Change_EventCodes WHERE change_category="$tok_chg_cat$" |stats values(EventCode) AS EventCode,values(obj_type) AS obj_type | format] src_user_type="user" NOT((EventCode=4723 OR EventCode=4738) AND src_user=user)
iseval = 0

##-- All Changes for Action--##
[ms_obj_changes_base_act(1)]
args = tok_chg_action
definition = `ms_obj_win_events_security` [|inputlookup AD_Audit_Change_EventCodes WHERE change_action="$tok_chg_action$"|stats values(EventCode) AS EventCode,values(obj_type) AS obj_type | format] src_user_type="user" NOT((EventCode=4723 OR EventCode=4738) AND src_user!=user)
iseval = 0

##-- All Changes for Category and Action--##
[ms_obj_changes_base_cat_act(2)]
args = tok_chg_cat,tok_chg_action
definition = `ms_obj_win_events_security` [|inputlookup AD_Audit_Change_EventCodes WHERE change_category="$tok_chg_cat$" AND change_action="$tok_chg_action$" | stats values(EventCode) AS EventCode,values(obj_type) AS obj_type | format] src_user_type="user" NOT((EventCode=4723 OR EventCode=4738) AND src_user=user)
iseval = 0

##-- Changes Formated Output - All ##
##-- Important for Computer add $ for tok_user value
[ms_obj_changes_search(4)]
args = tok_domain,tok_user,tok_action,tok_category
definition = `ms_obj_changes_base_cat_act($tok_category$,$tok_action$)` (cn="$tok_user$" OR user="$tok_user$" OR New_Account_Name="$tok_user$" OR Old_Account_Name="$tok_user$") (src_nt_domain="$tok_domain$" OR dest_nt_domain="$tok_domain$") msad_action=$tok_action$ \
| eval adminuser=src_nt_domain."\\".src_user\
| eval dest_user_subject=dest_nt_domain."\\".user\
| `ms_obj_msad-changed-attributes`\
| table _time,adminuser,user,msad_action,dest_user_subject,MSADChanges\
| rename adminuser as "Administrator",msad_action as "Action",user as "Target_$tok_category$",dest_user_subject as "Target $tok_category$ ID",MSADChanges as "Changes"
iseval = 0

##-- All Changes for Computer Category--##
[ms_obj_changes_base_cat_computer]
definition = `ms_obj_win_events_security` [|inputlookup AD_Audit_Change_EventCodes WHERE change_category="Computer" |stats values(EventCode) AS EventCode,values(obj_type) AS obj_type | format] src_user_type="user" NOT((EventCode=4723 OR EventCode=4738) AND src_user=user)
iseval = 0

##-- All Changes for Group Category--##
[ms_obj_changes_base_cat_group]
definition = `ms_obj_win_events_security` [|inputlookup AD_Audit_Change_EventCodes WHERE change_category="Group" |stats values(EventCode) AS EventCode,values(obj_type) AS obj_type | format] src_user_type="user" NOT((EventCode=4723 OR EventCode=4738) AND src_user=user)
iseval = 0

##-- All Changes for Group Membership Category--##
[ms_obj_changes_base_cat_group_membership]
definition = `ms_obj_win_events_security` [|inputlookup AD_Audit_Change_EventCodes WHERE change_category="Group Membership" |stats values(EventCode) AS EventCode,values(obj_type) AS obj_type | format] src_user_type="user" NOT((EventCode=4723 OR EventCode=4738) AND src_user=user)
iseval = 0

##-- All Changes for User Membership Category--##
[ms_obj_changes_base_cat_user]
definition = `ms_obj_win_events_security` [|inputlookup AD_Audit_Change_EventCodes WHERE change_category="User" |stats values(EventCode) AS EventCode,values(obj_type) AS obj_type | format] src_user_type="user" NOT((EventCode=4723 OR EventCode=4738) AND src_user=user)
iseval = 0

##-- OU Changes for OU's with specified GPO --##
[ms_obj_ou_changes_gplink(1)]
args = gPLink
definition = `ms_obj_changes_base_cat("OU")` Value="$gPLink$"
iseval = 0

##-- Groups And Group Membership Changes --##
[ms_obj_group_all_changes_base]
definition = `ms_obj_changes_base_cat("Group*")`
iseval = 0

##-- Group Policy Change Search --##
[ms_obj_gpo_changes(2)]
args = domain,gpo_guid
definition = `ms_obj_changes_base_cat("Group Policy")` src_nt_domain="$domain$"\
| eval adminuser=src_user\
| eval Object_Lookup_Name="{" . lower(Object_Name_Guid) . "}"\
| search Object_Lookup_Name="$gpo_guid$"\
| lookup AD_Obj_GPO cn AS Object_Lookup_Name OUTPUT displayName\
| stats max(_time) AS last_time, min(_time) AS start_time, count by session_id,src_nt_domain,src_user,displayName\
| sort -last_time\
| eval start_session_event_time=strftime(start_time,"%m/%d/%y %I:%M:%S %P")\
| eval last_session_event_time=strftime(last_time,"%m/%d/%y %I:%M:%S %P")\
| table displayName,src_nt_domain,src_user,start_session_event_time, last_session_event_time, session_id\
| rename src_nt_domian as "Domain",src_user as "Administrator", displayName as "Group Policy Name"
iseval = 0

[audit-gpo-changes(1)]
args = domain
definition = `ms_obj_changes_base_cat("Group Policy")`|lookup HostToDomain host|search src_nt_domain="$domain$"|eval adminuser=src_nt_domain."\\".src_user|eval Object_Name=replace(Object_Name,"}CN","},CN")|fields _time,Object_Name,adminuser,session_id|transaction maxspan=10m Object_Name,adminuser,session_id|lookup AD_Obj_GPO distinguishedName as Object_Name OUTPUT displayName,deletedDate,cn | `format-ad-object-displayname(displayName,deletedDate)`
iseval = 0

##-------------------------------------------##
#--- 	User,Group,Computer Changes Macros ---#
##-------------------------------------------##
[ms_obj_user_change_out]
definition = fields _time, src_user, user, user_obj_dn, user_obj_email,msad_action, MSADChanges, dest_nt_domain, signature, MSADChangedAttributes,Correlation_ID,AttributeLDAPDisplayName,AttributeValue,DN,Old_DN,New_DN,dir_svcs_action\
| eval adminuser=if(isnull(src_nt_domain),src_user,upper(src_nt_domain)."\\".src_user)\
| eval user_obj_lkp=if(isnull(user_obj_dn),if(isnull(user_obj_email),if(isnull(DN),if(isnull(Old_DN),if(isnull(New_DN),lower(user),lower(New_DN)),lower(Old_DN)),lower(DN)),lower(user_obj_email)),lower(user_obj_dn))\
| lookup AD_Obj_User lookup_usr AS user_obj_lkp OUTPUT sAMAccountName AS b_user_obj_sam,cn AS b_user_obj_cn\
| eval user=if(isnull(b_user_obj_sam),if(isnull(b_user_obj_cn),if(isnull(user_obj_lkp),"NA",lower(user_obj_lkp)),lower(b_user_obj_cn)),lower(b_user_obj_sam))\
| eval dest_user_subject=if(isnull(dest_nt_domain),user,dest_nt_domain."\\".lower(user))\
| `ms_obj_msad-changed-attributes`\
| stats count, values(Correlation_ID) AS Correlation_IDs,values(MSADChanges) AS MSADChanges by _time,src_user,adminuser,msad_action,dest_user_subject,user,signature\
| eval signature=mvdedup(signature)\
| eval MSADChanges=mvjoin(MSADChanges, "########")\
| eval MSADChanges=case(isnull(signature) AND isnull(MSADChanges),"Unknown Changes",isnull(signature),MSADChanges,isnull(MSADChanges),"Signature: ".signature,isnotnull(MSADChanges),"Signature: ".signature."########".MSADChanges)\
| makemv delim="########" MSADChanges\
| table _time,src_user,adminuser,msad_action,user,dest_user_subject,Correlation_IDs,MSADChanges
iseval = 0

[ms_obj_computer_change_out]
definition = fields _time, src_user, user, comp_obj_dn, comp_obj_sam,msad_action, MSADChanges, dest_nt_domain, signature, MSADChangedAttributes,AttributeLDAPDisplayName,AttributeValue,DN,Old_DN,New_DN,dir_svcs_action\
| eval adminuser=if(isnull(src_nt_domain),src_user,upper(src_nt_domain)."\\".src_user)\
| eval comp_obj_lkp=if(isnull(comp_obj_dn),if(isnull(DN),if(isnull(Old_DN),if(isnull(New_DN),if(isnull(comp_obj_sam),lower(user),lower(comp_obj_sam)),lower(New_DN)),lower(Old_DN)),lower(DN)),lower(comp_obj_dn))\
| lookup AD_Obj_Computer lookup_cmp AS comp_obj_lkp OUTPUT sAMAccountName AS b_comp_obj_sam\
| eval user=if(isnull(b_comp_obj_sam),if(isnull(comp_obj_lkp),"NA",lower(comp_obj_lkp)),lower(b_comp_obj_sam))\
| eval dest_user_subject=if(isnull(dest_nt_domain),user,dest_nt_domain."\\".lower(user))\
| `ms_obj_msad-changed-attributes`\
| stats count, values(MSADChanges) AS MSADChanges by _time,adminuser,msad_action,dest_user_subject,user,signature\
| eval signature=mvdedup(signature)\
| eval MSADChanges=mvjoin(MSADChanges, "########")\
| eval MSADChanges=case(isnull(signature) AND isnull(MSADChanges),"Unknown Changes",isnull(signature),MSADChanges,isnull(MSADChanges),"Signature: ".signature,isnotnull(MSADChanges),"Signature: ".signature."########".MSADChanges)\
| makemv delim="########" MSADChanges\
| table _time,adminuser,msad_action,user,dest_user_subject,MSADChanges
iseval = 0

[ms_obj_group_change_out]
definition = fields _time, _raw, src_user, src_nt_domain, dest_nt_domain, msad_action, signature,DN,New_DN,Old_DN,group_obj_lkp,member_obj_lkp,MSADGroupClass,MSADGroupClassID,MSADGroupType,MSADChanges,MSADChangedAttributes,AttributeLDAPDisplayName,AttributeValue,dir_svcs_action \
| eval msad_action=if(isnull(msad_action),if(isnull(dir_svcs_action),"NA",dir_svcs_action),if(isnull(dir_svcs_action),msad_action,msad_action." (".dir_svcs_action.")"))\
| eval adminuser=if(isnull(src_nt_domain),src_user,upper(src_nt_domain)."\\".src_user)\
| lookup AD_Audit_Group_Type MSADGroupClassID OUTPUT MSADGroupClass\
| lookup AD_Obj_Group lookup_grp AS group_obj_lkp OUTPUT cn AS group_obj_cn, orig_cn AS group_obj_o_cn,MSADGroupClass AS MSADGroupClass_u, MSADGroupType AS MSADGroupType_u\
| eval group_obj_nm=if(isnull(group_obj_o_cn) OR group_obj_o_cn="",if(isnull(group_obj_cn) OR group_obj_cn="",if(isnull(group_obj_lkp),"NA",group_obj_lkp),lower(group_obj_cn)),lower(group_obj_o_cn))\
| eval MSADGroupClass=if(isnull(MSADGroupClass),if(isnull(MSADGroupClass_u),"NA",MSADGroupClass_u),MSADGroupClass)\
| eval MSADGroupType=if(isnull(MSADGroupType),if(isnull(MSADGroupType_u),"NA",MSADGroupType_u),MSADGroupType)\
| fillnull value="N/A" Correlation_ID,member_obj_lkp\
| `ms_obj_msad-changed-attributes`\
| stats list(MSADChanges) AS MSADChanges,values(Correlation_ID) AS Correlation_IDs by _time,adminuser,msad_action,group_obj_nm,MSADGroupType,MSADGroupClass,member_obj_lkp,signature\
| eval MSADChanges=mvjoin(MSADChanges, "########")\
| eval MSADChanges=case(isnull(signature) AND isnull(MSADChanges),"Unknown Changes",isnull(signature),MSADChanges,isnotnull(MSADChanges),"Signature: ".signature."########".MSADChanges)\
| makemv delim="########" MSADChanges\
| table _time, adminuser, group_obj_nm,msad_action,MSADGroupType,MSADGroupClass,member_obj_lkp,MSADChanges
iseval = 0

## Group Membership Changes - Output Part - needs | before ##
[ms_obj_groupmembership_change_out]
definition = fields _time, _raw, src_user, src_nt_domain, dest_nt_domain, msad_action, signature,DN,New_DN,Old_DN,group_obj_lkp,member_obj_domain,member_obj_id,member_obj_lkp,MSADGroupClass,MSADGroupClassID,MSADGroupType,MSADChanges,MSADChangedAttributes,AttributeLDAPDisplayName,AttributeValue,dir_svcs_action \
| eval member=if(isnull(member_obj_domain),member_obj_id,member_obj_domain."\\".member_obj_id) \
| eval member=if(isnull(member),if(isnull(member_obj_dn),"NA",member_obj_dn),member) \
| eval msad_action=if(isnull(msad_action),if(isnull(dir_svcs_action),"NA",dir_svcs_action),if(isnull(dir_svcs_action),msad_action,msad_action." (".dir_svcs_action.")"))\
| eval adminuser=if(isnull(src_nt_domain),src_user,upper(src_nt_domain)."\\".src_user)\
| lookup AD_Audit_Group_Type MSADGroupClassID OUTPUT MSADGroupClass\
| lookup AD_Obj_Group lookup_grp AS group_obj_lkp OUTPUT cn AS group_obj_cn, orig_cn AS group_obj_o_cn,MSADGroupClass AS MSADGroupClass_u, MSADGroupType AS MSADGroupType_u\
| eval group_obj_nm=if(isnull(group_obj_o_cn) OR group_obj_o_cn="",if(isnull(group_obj_cn) OR group_obj_cn="",if(isnull(group_obj_lkp),"NA",group_obj_lkp),lower(group_obj_cn)),lower(group_obj_o_cn))\
| eval MSADGroupClass=if(isnull(MSADGroupClass),if(isnull(MSADGroupClass_u),"NA",MSADGroupClass_u),MSADGroupClass)\
| eval MSADGroupType=if(isnull(MSADGroupType),if(isnull(MSADGroupType_u),"NA",MSADGroupType_u),MSADGroupType)\
| fillnull value="N/A" Correlation_ID,member_obj_lkp\
| `ms_obj_msad-changed-attributes`\
| stats list(MSADChanges) AS MSADChanges,values(Correlation_ID) AS Correlation_IDs by _time,adminuser,msad_action,group_obj_nm,member,MSADGroupType,MSADGroupClass,member_obj_lkp,signature\
| eval MSADChanges=mvjoin(MSADChanges, "########")\
| eval MSADChanges=case(isnull(signature) AND isnull(MSADChanges),"Unknown Changes",isnull(signature),MSADChanges,isnotnull(MSADChanges),"Signature: ".signature."########".MSADChanges)\
| makemv delim="########" MSADChanges\
| lookup AD_Obj_User lookup_usr AS member_obj_lkp OUTPUT cn AS u_cn, dn AS u_dn \
| lookup AD_Obj_Group lookup_grp AS member_obj_lkp OUTPUT cn AS g_cn, dn AS g_dn \
| lookup AD_Obj_Computer lookup_cmp AS member_obj_lkp OUTPUT cn AS c_cn, dn AS c_dn \
| eval member_obj_dn=if(isnull(u_dn),if(isnull(g_dn),if(isnull(c_dn),member_obj_dn,c_dn),g_dn),u_dn) \
| eval Member_Type=if(isnull(u_cn),if(isnull(g_cn),"Computer","Group"),"User") \
| table _time, adminuser,group_obj_nm,msad_action,MSADGroupType,MSADGroupClass,Member_Type,member_obj_lkp,member,MSADChanges
iseval = 0

[ms_obj_groupmembership_change_events(2)]
args = domain,group
definition = `ms_obj_changes_base_cat("Group Membership")` "$group$"\
| fields _time,_raw,member_obj_dn,member_obj_id,member_obj_domain,member_obj_class,src_user,src_nt_domain,group_obj_id,group_obj_dn,group_obj_nm,user_group,group_id,Group_Name,msad_action,MSADGroupClassID,MSADGroupType,MSADGroupClass,signature,Correlation_ID,MSADChangedAttributes,AttributeLDAPDisplayName,AttributeValue,DN,dir_svcs_action,Old_DN,New_DN\
| search (group_obj_dn="$group$" OR user_group="$group$" OR group_id="$group$" OR Group_Name="$group$") (src_nt_domain="$domain$" OR dest_nt_domain="$domain$") \
| eval adminuser=if(isnull(src_nt_domain),lower(src_user),lower(src_nt_domain)."\\".lower(src_user)\
| eval group_obj_dn=if(isnull(group_obj_dn),if(isnull(user_group),if(isnull(group_id),"",lower(group_id)),lower(user_group)),lower(group_obj_dn))\
| eval group_obj_cn=if(isnull(Group_Name),"",lower(Group_Name))\
| eval member=if(isnull(member_obj_domain),replace(member_obj_id,"\x5C{1}",""),member_obj_domain."\\".lower(replace(member_obj_id,"\x5C{1}","")))\
| eval member=if(isnull(member),if(isnull(member_obj_dn),"NA",lower(member_obj_dn)),member)\
| lookup AD_Obj_Group dn AS group_obj_dn OUTPUT cn AS group_obj_nm,MSADGroupType,MSADGroupClass\
| lookup AD_Obj_Group cn AS group_obj_cn OUTPUT cn AS c_group_obj_nm,MSADGroupType AS c_MSADGroupType,MSADGroupClass AS c_MSADGroupClass\
| eval group_obj_nm=if(isnull(group_obj_nm),if(isnull(c_group_obj_nm),if(isnull(group_obj_id),if(isnull(user_group),lower(group_obj_dn),lower(user_group)),lower(group_obj_id)),lower(c_group_obj_nm)),lower(group_obj_nm)),MSADGroupType = if(isnull(MSADGroupType),c_MSADGroupType,MSADGroupType),MSADGroupClass=if(isnull(MSADGroupClass),c_MSADGroupClass,MSADGroupClass)\
| `ms_obj_msad-changed-attributes`\
| stats list(MSADChanges) AS MSADChanges,values(Correlation_ID) AS Correlation_IDs by _time,adminuser,src_user,msad_action,group_obj_nm,MSADGroupType,MSADGroupClass,member,signature\
| eval MSADChanges=mvjoin(MSADChanges, "########")\
| eval MSADChanges=case(isnull(signature) AND isnull(MSADChanges),"Unknown Changes",isnull(signature),MSADChanges,isnotnull(MSADChanges),"Signature: ".signature."########".MSADChanges)\
| makemv delim="########" MSADChanges\
| table _time,adminuser,msad_action,group_obj_nm,MSADGroupType,MSADGroupClass,member,MSADChanges, src_user
iseval = 0

[ms_obj_group_change_events(2)]
args = domain,group
definition = `ms_obj_changes_base_cat("Group")` "$group$"\
| fields _time,_raw,member_obj_dn,member_obj_id,member_obj_domain,member_obj_class,src_user,src_nt_domain,dest_nt_domain,group_obj_id,group_obj_dn,group_obj_nm,user_group,Group_Name,group_id,msad_action,MSADGroupClassID,MSADGroupType,MSADGroupClass,signature,Correlation_ID,MSADChangedAttributes,AttributeLDAPDisplayName,AttributeValue,DN,dir_svcs_action,Old_DN,New_DN \
| search (group_obj_dn="$group$" OR user_group="$group$" OR group_id="$group$" OR Group_Name="$group$") (src_nt_domain="$domain$" OR dest_nt_domain="$domain$")  NOT AttributeLDAPDisplayName="member"\
| eval group_obj_dn=if(isnull(group_obj_dn),if(isnull(user_group),if(isnull(group_id),"",lower(group_id)),lower(user_group)),lower(group_obj_dn))\
| eval group_obj_cn=if(isnull(Group_Name),"",lower(Group_Name))\
| eval adminuser=if(isnull(src_nt_domain),lower(src_user),lower(src_nt_domain)."\\".lower(src_user)) \
| eval member=if(isnull(member_obj_domain),replace(member_obj_id,"\x5C{1}",""),member_obj_domain."\\".lower(replace(member_obj_id,"\x5C{1}",""))) \
| eval member=if(isnull(member),"NA",member) \
| lookup AD_Audit_Group_Type MSADGroupClassID OUTPUT MSADGroupClass \
| eval objectGUID=lower(objectGUID)\
| lookup AD_Obj_Group dn AS group_obj_dn OUTPUT cn AS group_obj_nm,MSADGroupType,MSADGroupClass\
| lookup AD_Obj_Group cn AS group_obj_cn OUTPUT cn AS c_group_obj_nm,MSADGroupType AS c_MSADGroupType,MSADGroupClass AS c_MSADGroupClass\
| eval group_obj_nm=if(isnull(group_obj_nm),c_group_obj_nm,group_obj_nm),MSADGroupType = if(isnull(MSADGroupType),c_MSADGroupType,MSADGroupType),MSADGroupClass=if(isnull(MSADGroupClass),c_MSADGroupClass,MSADGroupClass)\
| eval dir_svcs_action=if(isnull(dir_svcs_action) OR dir_svcs_action="Unknown","","Action: ".dir_svcs_action."########") \
| eval MSADChangedAttributes=mvfilter(NOT match(MSADChangedAttributes, ":(\s*\-\s*|)$")) \
| fillnull value="" signature,Correlation_IDs \
| eval MSADChanges=if(isnull(MSADChangedAttributes),if(isnull(AttributeLDAPDisplayName),if(msad_action="moved","Moved:########--From: ".Old_DN."########--To: ".New_DN,dir_svcs_action.""),if(isnull(AttributeValue) OR AttributeValue="-" OR AttributeValue="",NULL,dir_svcs_action."-- ".AttributeLDAPDisplayName.": ".AttributeValue)),dir_svcs_action."".MSADChangedAttributes) \
| stats list(MSADChanges) AS MSADChanges,values(Correlation_ID) AS Correlation_IDs by _time,adminuser,msad_action,group_obj_nm,MSADGroupType,MSADGroupClass,member,signature \
| eval MSADChanges=mvjoin(MSms_obj_admon_bld_upd_outADChanges, "########") \
| eval MSADChanges=case(isnull(signature) AND isnull(MSADChanges),"Unknown Changes",isnull(signature),MSADChanges,isnotnull(MSADChanges),"Signature: ".signature."########".MSADChanges) \
| makemv delim="########" MSADChanges \
| table _time,adminuser,msad_action,group_obj_nm,MSADGroupType,MSADGroupClass,member,MSADChanges
iseval = 0

[ms_obj_group_members_list_all(2)]
args = domain,group
definition = inputlookup AD_Obj_Group WHERE cn="$group$" AND domain="$domain$"\
| eval group_members="####".mvjoin(member,"####")\
| rex mode=sed field=group_members "s/####/####(Direct)/g"\
| makemv delim="####" member \
| mvexpand member\
| eval emb_group=member\
| fields cn, description, emb_group, emb_group_name, group_members_emb,member,group_members\
| join type=left emb_group [| inputlookup AD_Obj_Group| eval emb_group=distinguishedName | eval emb_group_name=cn | makemv delim="|" member | mvexpand member | eval group_members_emb="####(Embedded Group -".emb_group_name.")".member | stats values(group_members_emb) AS group_members_emb by emb_group, emb_group_name | mvcombine group_members_emb | table emb_group,emb_group_name,group_members_emb]\
| table cn, description,member,emb_group,emb_group_name,group_members,group_members_emb\
| eval group_members_comb=if(isnull(group_members_emb),group_members,group_members."".group_members_emb)\
| table cn, description, group_members,group_members_emb,group_members_comb\
| makemv delim="####" group_members_comb\
| mvexpand group_members_comb\
| table cn, description, group_members_comb\
| rex field=group_members_comb "\((?<member_assoc_type>Direct|Embedded Group)"\
| rex field=group_members_comb "\(Embedded Group\s\-(?<embedded_group>[^\)]+)"\
| rex field=group_members_comb "\)(?<member_dn>.*)"\
| rex field=member_dn "^CN\=(?<member_name>[^\,]+)\,(OU|DC|CN)"\
| eval member_emb_assoc_group=case(member_assoc_type="Embedded Group",member_assoc_type."( ".embedded_group." )")\
| eval member_dn=trim(member_dn)\
| table cn, description, member_assoc_type,embedded_group,member_dn,member_name,member_emb_assoc_group
iseval = 0

[ms_obj_member_groupmembership_change_events(2)]
args = domain,member
definition = `ms_obj_changes_base_cat("Group Membership")` (src_nt_domain="$domain$" OR dest_nt_domain="$domain$") [|inputlookup AD_Obj_User WHERE cn="$member$" | fields sAMAccountName,distinguishedName,cn | eval member_obj_id=cn."|".sAMAccountName."|".distinguishedName | makemv delim="|" member_obj_id | stats values(member_obj_id) AS member_obj_id | format]\
| fields _raw,_time,member_obj_domain, member_obj_sam,member_obj_id,member_obj_dn,member_obj_cn,src_user, group_obj_id,src_nt_domain,MSADGroupClassID,msad_action,signature,group_obj_dn\
| eval member_obj_dn=lower(replace(member_obj_dn,"\x5C{1}",""))\
| eval adminuser=if(isnull(src_nt_domain),lower(src_user),lower(src_nt_domain)."\\".lower(src_user))\
| eval member=if(isnull(member_obj_domain),lower(member_obj_id),member_obj_domain."\\".lower(member_obj_id))\
| lookup AD_Obj_Group cn AS group_obj_id OUTPUT MSADGroupType,MSADGroupClass,dn AS group_obj_dn\
| eval group_obj_dn=lower(group_obj_dn)\
| join type=left group_obj_dn [|inputlookup AD_Obj_Group | search NOT dn_hist="" |eval group_obj_dn=lower(dn_hist)| rename cn AS group_obj_nm| table group_obj_dn, group_obj_nm, MSADGroupClass, MSADGroupType,orig_cn]\
| eval group_obj_nm=if(isnull(group_obj_nm),if(isnull(group_obj_id),if(isnull(user_group),group_obj_dn,user_group),group_obj_id),group_obj_nm)\
| `ms_obj_msad-changed-attributes`\
| fillnull value="N/A" \
| stats values(MSADChanges) AS MSADChanges by _time,group_obj_nm,msad_action,adminuser,member, member_obj_dn, signature,MSADGroupClass,MSADGroupType\
| table _time,adminuser,msad_action,member,member_obj_dn,group_obj_nm,MSADGroupClass,MSADGroupType,MSADChanges\
| rename  group_obj_nm as "Group Name",MSADGroupClass as "Class",msad_action AS "Action",member AS "Target Member",member_obj_dn AS "Target MemberDN",MSADGroupType as "Type",adminuser as "Admin User"
iseval = 0

[ms_obj_user_action_events(3)]
args = domain,user,action
definition = `ms_obj_changes_base_cat("User")` ([| inputlookup AD_Obj_User WHERE lookup_usr="$user$" | fields lookup_usr | stats values(lookup_usr) AS search | eval search="\"".mvjoin(search,"\" OR \"")."\""]) (src_nt_domain="$domain$" OR dest_nt_domain="$domain$") ($action$)\
| `ms_obj_user_change_out`\
| rename adminuser as "Administrator",msad_action as "Action",dest_user_subject as "Target User ID",MSADChanges as "Changes"
iseval = 0

[ms_obj_user_change_events(3)]
args = domain,user,action
definition = `ms_obj_win_events_security` \
    [| inputlookup AD_Audit_Change_EventCodes WHERE change_category="User" \
    | stats values(EventCode) AS EventCode by obj_type \
    | format \
    | table search] src_user_type="user"  [|inputlookup AD_Obj_User WHERE sAMAccountName="$user$" | fields cn,sAMAccountName,userPrincipalName,distinguishedName | eval search="\"".cn."\" OR \"".sAMAccountName."\" OR \"".userPrincipalName."\" OR \"".distinguishedName."\"" | table search]\
| eval user_obj_dn=lower(user_obj_dn)\
| lookup AD_Obj_User distinguishedName AS user_obj_dn OUTPUTNEW cn AS user_cn sAMAccountName AS user\
| eval adminuser=if(isnull(src_nt_domain),lower(src_user),lower(src_nt_domain)."\\".lower(src_user))\
| eval user=if(isnull(user),user_obj_dn,lower(user))\
| search (user="$user$" OR New_Account_Name="$user$" OR Old_Account_Name="$user$") (src_nt_domain="$domain$" OR dest_nt_domain="$domain$") msad_action=$action$\
| eval dest_user_subject=if(isnull(dest_nt_domain) OR match(user,"(?si)cn\="),user,upper(dest_nt_domain)."\\".user)\
| `ms_obj_msad-changed-attributes`\
| fillnull value="" adminuser,msad_action,dest_user_subject,Correlation_ID,signature,MSADChanges\
| stats list(MSADChanges) AS MSADChanges,values(Correlation_ID) AS Correlation_IDs by _time,adminuser,msad_action,dest_user_subject,signature,src_user\
| eval MSADChanges=mvjoin(MSADChanges, "########")\
| eval MSADChanges=case(isnull(signature) AND isnull(MSADChanges),"Unknown Changes",isnull(signature),MSADChanges,isnotnull(MSADChanges),"Signature: ".signature."########".MSADChanges)\
| makemv delim="########" MSADChanges\
| table _time,adminuser,msad_action,dest_user_subject,MSADChanges,src_user
iseval = 0

[ms_obj_group_members_user_accounts(2)]
args = domain,group
definition = inputlookup AD_Obj_Group WHERE cn="$group$" AND domain="$domain$"\
| fields member\
| mvexpand member\
| eval emb_group=member\
| fields emb_group, group_members\
| join type=left emb_group [| inputlookup AD_Obj_Group | fields distinguishedName,member| eval emb_group=distinguishedName | eval group_members_emb="####".mvjoin(member,"####") | table emb_group,group_members_emb]\
| eval group_members_comb=if(isnull(group_members_emb),group_members,group_members."".group_members_emb)\
| makemv delim="####" group_members_comb\
| mvexpand group_members_comb\
| eval member_dn=trim(group_members_comb)\
| table member_dn \
| join type=left member_dn[| inputlookup AD_Obj_Group | fields distinguishedName | eval member_dn=distinguishedName | eval group_account="True" | table member_dn, group_account] \
| join type=left member_dn[| inputlookup AD_Obj_User | fields distinguishedName | eval member_dn=distinguishedName | eval user_account=sAMAccountName | table member_dn, user_account] \
| join type=left member_dn[| inputlookup AD_Obj_Computer | fields distinguishedName | eval member_dn=distinguishedName | eval user_account=sAMAccountName | table member_dn, user_account] \
| search NOT group_account="True"            \
| table user_account\
| dedup user_account
iseval = 0

###-------------------------------------------------------------------------------###
#--- 		Macro's Used for Building Object KV Store Lookups    				 ---#
###-------------------------------------------------------------------------------###
##- admon - Filter Macros
##	- Example Filters:
##		- `ms_obj_admon_flt_obj_type(ms_obj_admon_user,ms_obj_admon_base_a_type)`
##		- Resulting search Example:
##			- index=msad sourcetype=ActiveDirectory "objectClass=top|person|organizationalPerson|user" NOT "objectClass=top|person|organizationalPerson|user|computer" ("admonEventType=Sync" OR "admonEventType=Update" OR "admonEventType=Deleted")
[ms_obj_admon_flt_obj_type(2)]
args = tok_tgt_obj_macro,tok_tgt_type_macro
definition = `$tok_tgt_obj_macro$` `$tok_tgt_type_macro$`
iseval = 0

## Replaced with ms_obj_admon_get_begin_sync_t
## Get the day before the first Sync time was ran for a specified object type.  Will use the search time for where the first sync event is.##
##[ms_obj_admon_last_sync(2)]
##args = tok_tgt_obj_macro,tok_tgt_type_macro
##definition = `$tok_tgt_obj_macro$` `$tok_tgt_type_macro$`\
##| fields _time\
##| tail 2\
##| stats min(_time) AS earliest\
##| eval earliest=earliest-86400\
##| table earliest
##iseval = 0

## Replaced with ms_obj_admon_get_begin_sync_t_val
## Get the days for the last Sync Counts - Using the admonEventType="Start" for getting the earliest/latest time ranges by day ##
##[ms_obj_admon_last_start_sync]
##definition = `ms__obj_win_ad_index` `ms_obj_admon_base_sync_type` [search `ms__obj_win_ad_index` `ms_obj_admon_base_start_type`\
##| fields _time\
##| eval s_time=strftime(_time,"%m/%d/%y")\
##| stats count by s_time\
##| eval earliest=strptime(s_time,"%m/%d/%y")\
##| eval latest=earliest+86400\
##| eval search="earliest=".earliest." latest=".latest\
##| stats values(search) AS search\
##| eval search="(".mvjoin(search,") OR (").")"]\
##| fields _time\
##| eval Sync_Day=strftime(_time,"%m/%d/%y")\
##| stats min(_time) AS first_time,max(_time) AS last_time,count AS Sync_Count by Sync_Day\
##| search Sync_Count>10\
##| eventstats min(first_time) AS first_time,max(last_time) AS last_time\
##| eval First_Sync_Day=strftime(first_time,"%m/%d/%y")\
##| eval Last_Sync_Day=strftime(last_time,"%m/%d/%y")\
##| table Sync_Day,First_Sync_Day,Last_Sync_Day,Sync_Count\
##| sort -Sync_Count
##iseval = 0

## Macro for getting Powershell Script data that contains the AD Details
[ms_obj_admon_get_ad_health_cnt]
definition = `ms__obj_win_ad_index` source=powershell sourcetype="MSAD:*:Health"\
| fields _time,DomainDNSName \
| stats max(_time) AS l_evt_time by DomainDNSName\
| stats max(l_evt_time) AS l_evt_time, dc(DomainDNSName) AS count\
| eval ObjectType="Domain Details",s_evt_time="",domain_count=count\
| table s_evt_time,l_evt_time,count,ObjectType,domain_count

## Macro for getting the Sync Start (for earliest) timestamp for building or a range, Sync Start and Last Sync timestamp for counting objects.
## Variables:
##		tok_target_obj = Use for specifying an object type to get sync time rang. This will determine the objects specific macro to use.
##			Use ms_obj_admon_(ou/gpo/user/group/computer)
##			Use ms_obj_admon_base_a_obj for all objects
##			Note fastest would be to use ms_obj_admon_gpo since there should be less gpo's then the other objects
##		tok_time_type = Use "sync_count" for getting the count, Use "build" for using to build lookup.
[ms_obj_admon_get_begin_sync_t(2)]
args = tok_target_obj,tok_time_type
definition = `ms__obj_win_ad_index` `ms_obj_admon_base_sync_type` `$tok_target_obj$`\
| fields _time,dc_val\
| eval r_time=round(_time,0)\
| stats max(r_time) AS ls_time by dc_val\
| eval s_time=ls_time-864000\
| stats min(s_time) AS e_time,max(s_time) AS l_time\
| eval e_time_str=strftime(e_time,"%m/%d/%y"),l_time=l_time+864000\
| eval search=if("$tok_time_type$"=="none","",if("$tok_time_type$"=="sync_count","earliest=\"".e_time."\" latest=\"".l_time."\"","earliest=\"".e_time."\""))\
| table search

## Macro for getting the Sync Time Values - Helper Tool.
[ms_obj_admon_get_begin_sync_t_val]
args = tok_target_obj,tok_time_type
definition = `ms__obj_win_ad_index` `ms_obj_admon_base_sync_type` `ms_obj_admon_base_a_obj` [search `ms_obj_admon_get_begin_sync_t(ms_obj_admon_gpo,"sync_count")`]\
| fields _time,dc_val\
| eval r_time=round(_time,0)\
| stats max(r_time) AS ls_time,count by dc_val\
| eval s_time=ls_time-864000\
| stats min(s_time) AS e_time,max(s_time) AS l_time,sum(count) AS Sync_Count\
| eval l_time=l_time+864000\
| eval Recommended_Sync_Start_Day=strftime(e_time,"%m/%d/%y")\
| eval Last_Sync_Day=strftime(l_time,"%m/%d/%y")\
| table Recommended_Sync_Start_Day,First_Sync_Day,Last_Sync_Day,Sync_Count

## Combined Macro for Checking admon Baseline (Sync) Object (User/Groups/Computers/OU/GPO) counts using an auto time setting
## Variables:
##		tok_target_obj = Use for specifying an object type to get sync time rang. This will determine the objects specific macro to use.
##			Use ms_obj_admon_(ou/gpo/user/group/computer)
##			Use ms_obj_admon_base_a_obj for all objects
[ms_obj_admon_get_sync_cnt(1)]
args = tok_target_obj
definition = `ms__obj_win_ad_index` `ms_obj_admon_base_sync_type` `$tok_target_obj$` [search `ms_obj_admon_get_begin_sync_t(ms_obj_admon_gpo,"sync_count")`]\
| fields _time,objectClass, objectGUID,dc_val\
| stats dc(objectGUID) AS count, min(_time) AS s_evt_time,max(_time) AS l_evt_time,dc(dc_val) AS domain_count by objectClass\
| eval ObjectType=case(objectClass="top|person|organizationalPerson|user","User",objectClass="top|group","Group",objectClass="top|person|organizationalPerson|user|computer","Computer",objectClass="top|organizationalUnit","Organization Units",objectClass="top|container","Containers",objectClass="top|container|groupPolicyContainer","Group Policies")\
| where isnotnull(ObjectType)\
| append [search `ms_obj_admon_get_ad_health_cnt`]\
| eval min_l_evt = (now()-l_evt_time)/60\
| eval completion_check=if(ObjectType="Domain Details",if(count>0,"OK: Domain ms-dc-health data Collected","Warning - Missing eventtype=\"ms_ad_obj_msad-dc-health\" Data, Please review the Getting Data In to ensure the AD Domain Data is either collected or manually added"),if(count>0 AND min_l_evt>5,"OK: Baseline Collection Completed (".round(min_l_evt,0)." Minutes Ago".")","Wait for Baseline Collection to Complete before building Lookups"))\
| eval last_event_event_time=strftime(l_evt_time,"%m/%d/%y %H:%M:%S")\
| eval sync_start_event_time=strftime(s_evt_time,"%m/%d/%y %H:%M:%S")\
| sort -count\
| eval min_l_evt = round(min_l_evt,0)." Minutes Ago",count=tostring(count,"commas")\
| table domain_count,ObjectType,count,sync_start_event_time,last_event_event_time,completion_check

## Combined Macro for Checking admon Baseline (Sync) Object (User/Groups/Computers/OU/GPO) counts using the time selector
## Variables:
##		tok_target_obj = Use for specifying an object type to get sync time rang. This will determine the objects specific macro to use.
##			Use ms_obj_admon_(ou/gpo/user/group/computer)
##			Use ms_obj_admon_base_a_obj for all objects
[ms_obj_admon_get_sync_cnt_nt(1)]
args = tok_target_obj
definition = `ms__obj_win_ad_index` `ms_obj_admon_base_sync_type` `$tok_target_obj$`\
| fields _time,objectClass, objectGUID,dc_val\
| stats dc(objectGUID) AS count, min(_time) AS s_evt_time,max(_time) AS l_evt_time,dc(dc_val) AS domain_count by objectClass\
| eval ObjectType=case(objectClass="top|person|organizationalPerson|user","User",objectClass="top|group","Group",objectClass="top|person|organizationalPerson|user|computer","Computer",objectClass="top|organizationalUnit","Organization Units",objectClass="top|container","Containers",objectClass="top|container|groupPolicyContainer","Group Policies")\
| where isnotnull(ObjectType)\
| append [search `ms_obj_admon_get_ad_health_cnt`]\
| eval min_l_evt = (now()-l_evt_time)/60\
| eval completion_check=if(ObjectType="Domain Details",if(count>0,"OK: Domain ms-dc-health data Collected","Warning - Missing eventtype=\"ms_ad_obj_msad-dc-health\" Data, Please review the Getting Data In to ensure the AD Domain Data is either collected or manually added"),if(count>0 AND min_l_evt>5,"OK: Baseline Collection Completed (".round(min_l_evt,0)." Minutes Ago".")","Wait for Baseline Collection to Complete before building Lookups"))\
| eval last_event_event_time=strftime(l_evt_time,"%m/%d/%y %H:%M:%S")\
| eval sync_start_event_time=strftime(s_evt_time,"%m/%d/%y %H:%M:%S")\
| sort -count\
| eval min_l_evt = round(min_l_evt,0)." Minutes Ago",count=tostring(count,"commas")\
| table domain_count,ObjectType,count,sync_start_event_time,last_event_event_time,completion_check

###-----------------------------------------###
#--- 		Initial Build Macros    	   ---#
###-----------------------------------------###
##	- AD_Obj_Domain Lookup - Initial Build and Update##
[ms_obj_admon_bld_domain]
definition = `ms__obj_win_ad_index` eventtype="ms_ad_obj_msad-dc-health"\
| fields host, DomainNetBIOSName,DomainDNSName,ForestName,Site\
| stats count by host, DomainNetBIOSName,DomainDNSName,ForestName,Site\
| eval domain=lower(DomainNetBIOSName),DomainDNSName=lower(DomainDNSName),ForestName=lower(ForestName),Site=lower(Site),host=lower(host),DomainNetBIOSName=lower(DomainNetBIOSName)\
| join type=left host [| inputlookup AD_Obj_Domain | table host,domain,multi_lkps_enabled,kv_suffix,dc_val,user_lookup,group_lookup,computer_lookup]\
| eval multi_lkps_enabled=if(isnull(multi_lkps_enabled),"f",multi_lkps_enabled)\
| eval kv_suffix=if(isnull(kv_suffix),lower(domain),kv_suffix)\
| eval dc_val=if(isnull(dc_val),DomainDNSName,dc_val)\
| eval user_lookup=if(isnull(user_lookup),"AD_Obj_User",if(multi_lkps_enabled="f","AD_Obj_User","AD_Obj_User_".kv_suffix))\
| eval group_lookup=if(isnull(group_lookup),"AD_Obj_Group",if(multi_lkps_enabled="f","AD_Obj_Group","AD_Obj_Group_".kv_suffix))\
| eval computer_lookup=if(isnull(computer_lookup),"AD_Obj_Computer",if(multi_lkps_enabled="f","AD_Obj_Computer","AD_Obj_Computer_".kv_suffix))\
| table host,domain,DomainNetBIOSName,DomainDNSName,ForestName,Site,multi_lkps_enabled,kv_suffix,dc_val,user_lookup,group_lookup,computer_lookup\
| sort ForestName,Site,DomainDNSName,host\
| stats values(*) AS * by host\
| eval _key=host\
| outputlookup AD_Obj_Domain append=true
iseval = 0

## - Consolidated Build, Update and Migrate - AD Object Lookups
## 	- Initial Build and Output
## 		- Example - Init User - `ms_obj_admon_bld_init_out(user,User)`
## 		- Example - Init Group - `ms_obj_admon_bld_init_out(group,Group)`
## 		- Example - Init Computer - `ms_obj_admon_bld_init_out(computer,Computer)`
## 		- Example - Init OU - `ms_obj_admon_bld_init_out(ou,OU)`
## 		- Example - Init GPO - `ms_obj_admon_bld_init_out(gpo,GPO)`
[ms_obj_admon_bld_init_out_no_sync(2)]
args = tok_obj_l_abrv,tok_obj_u_abrv
definition = `ms_obj_admon_flt_obj_type(ms_obj_admon_$tok_obj_l_abrv$,ms_obj_admon_base_a_type)` \
| `ms_obj_admon_base_out_$tok_obj_l_abrv$`\
| eval _key=key_val\
| outputlookup AD_Obj_$tok_obj_u_abrv$ append=true
iseval = 0

[ms_obj_admon_bld_init_out(2)]
args = tok_obj_l_abrv,tok_obj_u_abrv
definition = `ms_obj_admon_flt_obj_type(ms_obj_admon_$tok_obj_l_abrv$,ms_obj_admon_base_a_type)` [search `ms_obj_admon_get_begin_sync_t(ms_obj_admon_$tok_obj_l_abrv$,"build")`]\
| `ms_obj_admon_base_out_$tok_obj_l_abrv$`\
| eval _key=key_val\
| outputlookup AD_Obj_$tok_obj_u_abrv$
iseval = 0

##		- Initial Admin Audit Lookup
[ms_obj_winevt_init_admin_audit]
definition = `ms_obj_winevt_base_out_admin_audit`\
| stats values(*) AS * by key_val\
| eval _key=key_val\
| outputlookup AD_Obj_Admin_Audit append=true
iseval = 0

## UAC Details - Build New using the ms_ad_obj_uac_temp.csv - Only during first time
[ms_obj_UAC_new]
definition = inputlookup ms_ad_obj_uac_temp\
| table userAccountControl,uac_details,uac_bin_map\
| eval key_val=userAccountControl\
| stats values(*) AS * by key_val\
| eval _key=key_val\
| outputlookup AD_Obj_UAC append=true
iseval = 0

## Migrate the Previous csv Version(AD_UAC_Details) and Output to new KV Store
## Ex: | `ms_obj_UAC_migrate`
[ms_obj_UAC_migrate]
definition = inputlookup AD_UAC_Details\
| table userAccountControl,uac_details,uac_bin_map\
| eval key_val=userAccountControl\
| stats values(*) AS * by key_val\
| eval _key=key_val\
| outputlookup AD_Obj_UAC append=true
iseval = 0

## - First Build - Update OU Lookup with GPO Links
## Examples - First Build: | `ms_ad_admon_upd_ou_wgpo`
[ms_ad_admon_upd_ou_wgpo]
definition = inputlookup AD_Obj_OU WHERE gpo_link!=""\
| mvexpand gpo_link\
| lookup AD_Obj_GPO gpo_link AS gpo_link, domain AS domain OUTPUT displayName AS Linked_GPO\
| stats values(Linked_GPO) AS Linked_GPO,values(*) AS * by objectGUID,domain\
| eval _key=objectGUID."#".DomainDNSName\
| outputlookup AD_Obj_OU append=true
iseval = 0

## - First Build - Update GPO Lookup with OU Links
## Examples - First Build: | `ms_ad_admon_upd_gpo_wou`
[ms_ad_admon_upd_gpo_wou]
definition = inputlookup AD_Obj_GPO WHERE gpo_link!=""\
| lookup AD_Obj_OU gpo_link AS gpo_link, domain AS domain OUTPUT distinguishedName AS lc\
| makemv delim="####" lc\
| eval key=objectGUID."#".DomainDNSName\
| outputlookup AD_Obj_GPO append=true
iseval = 0

###-----------------------------------------###
#--- 		Scheduled Update Macros    	   ---#
###-----------------------------------------###
##	- Update Build and Output
## Arguments = target object lowercase,target Object uppercase
## 		- Example - Update User = `ms_obj_admon_bld_upd_out(user,User)`
## 		- Example - Update Group = `ms_obj_admon_bld_upd_out(group,Group)`
## 		- Example - Update Computer = `ms_obj_admon_bld_upd_out(computer,Computer)`
[ms_obj_admon_bld_upd_out(2)]
args = tok_obj_l_abrv,tok_obj_u_abrv
definition = `ms_obj_admon_flt_obj_type(ms_obj_admon_$tok_obj_l_abrv$,ms_obj_admon_base_a_type)`\
| `ms_obj_admon_base_out_$tok_obj_l_abrv$`\
| `ms_obj_admon_base_hist_$tok_obj_l_abrv$`\
| eval _key=key_val\
| outputlookup AD_Obj_$tok_obj_u_abrv$ append=true
iseval = 0

## - Update History for Object lookup_usr/grp/cmp ##
##		- Update Admin Audit Lookup
[ms_obj_winevt_upd_admin_audit]
definition = `ms_obj_winevt_base_out_admin_audit`\
| stats values(*) AS * by key_val\
| eval _key=key_val\
| outputlookup AD_Obj_Admin_Audit append=true
iseval = 0

[ms_obj_admon_base_hist_user]
definition = lookup AD_Obj_User domain,objectGUID OUTPUT lookup_usr AS p_lookup_usr\
| eval lookup_usr=if(isnull(p_lookup_usr),mvjoin(lookup_usr,"|"),mvjoin(lookup_usr,"|")."|".mvjoin(p_lookup_usr,"|"))\
| eval key_val=((objectGUID . "#") . DomainDNSName)\
| makemv delim="|" lookup_usr\
| fields - p_lookup_usr\
| stats values(*) AS * by key_val
iseval = 0

[ms_obj_admon_base_hist_ou]
definition = lookup AD_Obj_OU domain objectGUID OUTPUT lookup_ou AS p_lookup_ou\
| eval lookup_oup=if(isnull(p_lookup_ou),mvjoin(lookup_ou,"|"),mvjoin(lookup_ou,"|")."|".mvjoin(p_lookup_ou,"|"))\
| eval key_val=((objectGUID . "#") . DomainDNSName)\
| makemv delim="|" lookup_ou\
| fields - p_lookup_ou\
| stats values(*) AS * by key_val
iseval = 0

[ms_obj_admon_base_hist_group]
definition = lookup AD_Obj_Group domain,objectGUID OUTPUT lookup_grp AS p_lookup_grp\
| eval lookup_grp=if(isnull(p_lookup_grp),mvjoin(lookup_grp,"|"),mvjoin(lookup_grp,"|")."|".mvjoin(p_lookup_grp,"|"))\
| eval key_val=((objectGUID . "#") . DomainDNSName)\
| makemv delim="|" lookup_grp\
| fields - p_lookup_grp\
| stats values(*) AS * by key_val
iseval = 0

[ms_obj_admon_base_hist_gpo]
definition = stats values(*) AS * by key_val
iseval = 0

[ms_obj_admon_base_hist_computer]
definition = lookup AD_Obj_Computer domain objectGUID OUTPUT lookup_cmp AS p_lookup_cmp\
| eval lookup_cmp=if(isnull(p_lookup_cmp),mvjoin(lookup_cmp,"|"),mvjoin(lookup_cmp,"|")."|".mvjoin(p_lookup_cmp,"|"))\
| eval key_val=((objectGUID . "#") . DomainDNSName)\
| makemv delim="|" lookup_cmp\
| fields - p_lookup_cmp\
| stats values(*) AS * by key_val
iseval = 0

##	- AD Domain Lookup - Update Build##
[ms_obj_admon_upd_domain]
definition = `ms__obj_win_ad_index` eventtype="ms_ad_obj_msad-dc-health"\
| fields host, DomainNetBIOSName,DomainDNSName,ForestName,Site\
| stats count by host, DomainNetBIOSName,DomainDNSName,ForestName,Site\
| eval domain=lower(DomainNetBIOSName),DomainDNSName=lower(DomainDNSName),ForestName=lower(ForestName),Site=lower(Site),host=lower(host),DomainNetBIOSName=lower(DomainNetBIOSName)\
| join type=left host [| inputlookup AD_Obj_Domain | table host,domain,multi_lkps_enabled,kv_suffix,dc_val,user_lookup,group_lookup,computer_lookup]\
| eval multi_lkps_enabled=if(isnull(multi_lkps_enabled),"f",multi_lkps_enabled)\
| eval kv_suffix=if(isnull(kv_suffix),lower(domain),kv_suffix)\
| eval dc_val=if(isnull(dc_val),DomainDNSName,dc_val)\
| eval user_lookup=if(isnull(user_lookup),"AD_Obj_User",if(multi_lkps_enabled="f","AD_Obj_User","AD_Obj_User_".kv_suffix))\
| eval group_lookup=if(isnull(group_lookup),"AD_Obj_Group",if(multi_lkps_enabled="f","AD_Obj_Group","AD_Obj_Group_".kv_suffix))\
| eval computer_lookup=if(isnull(computer_lookup),"AD_Obj_Computer",if(multi_lkps_enabled="f","AD_Obj_Computer","AD_Obj_Computer_".kv_suffix))\
| table host,domain,DomainNetBIOSName,DomainDNSName,ForestName,Site,multi_lkps_enabled,kv_suffix,dc_val,user_lookup,group_lookup,computer_lookup\
| sort ForestName,Site,DomainDNSName,host\
| eval _key = host\
| outputlookup AD_Obj_Domain append=true
iseval = 0
###-----------------------------------------###
#---   Migrate from csv to Kvstore Macros  ---#
###-----------------------------------------###
##	- Migrate CSV Lookup to KVStore Lookups
## 		- Example - Migrate User - `ms_obj_admon_migrate_out(user,User)`
## 		- Example - Migrate Group - `ms_obj_admon_migrate_out(group,Group)`
## 		- Example - Migrate Computer - `ms_obj_admon_migrate_out(computer,Computer)`
## 		- Example - Migrate OU - `ms_obj_admon_migrate_out(ou,OU)`
## 		- Example - Migrate GPO - `ms_obj_admon_migrate_out(gpo,GPO)`
[ms_obj_admon_migrate_out(2)]
args = tok_obj_l_abrv,tok_obj_u_abrv
definition = `ms_obj_$tok_obj_l_abrv$_base_migrate`\
| stats values(*) AS * by key_val\
| eval _key=key_val\
| outputlookup AD_Obj_$tok_obj_u_abrv$ append=true
iseval = 0

## Migrate AD_User_LDAP_list to AD_Obj_User kvstore
[ms_obj_user_base_migrate]
definition = inputlookup AD_User_LDAP_list\
| fields _time,DomainDNSName,OU,accountExpires,adminCount,badPasswordTime,badPwdCount,c,cn,orig_cn,codePage,countryCode,dSCorePropagationData,dcName,deletedDate,department,description,displayName,distinguishedName,dn,dn_hist,dn_path,domain,givenName,guid_lookup,initials,instanceType,isCriticalSystemObject,isDeleted,isRecycled,l,lastKnownParent,lastLogon,lastLogonTimestamp,admonEventType,lockoutTime,logonCount,logonHours,managedBy,msDS-SupportedEncryptionTypes,name,objectCategory,objectClass,objectGUID,objectSid,physicalDeliveryOfficeName,postalCode,primaryGroupID,pwdLastSet,sAMAccountName,sAMAccountType,servicePrincipalName,showInAdvancedViewOnly,sid_lookup,sn,st,streetAddress,title,uac_details,uSNChanged,uSNCreated,userAccountControl,userPrincipalName,userWorkstations,whenChanged,whenCreated\
| eval objectGUID=lower(objectGUID),domain=lower(domain),DomainDNSName=lower(DomainDNSName),distinguishedName=lower(distinguishedName),dn=lower(dn),dn_hist=lower(dn_hist),dn_path=lower(dn_path),sAMAccountName=lower(sAMAccountName),userPrincipalName=lower(userPrincipalName)\
| join type=left DomainDNSName [|inputlookup AD_Obj_Domain | stats count by DomainDNSName,domain | table DomainDNSName,domain]\
| rex field=distinguishedName "(?si)(?:(cn|ou)\=)(?<other_ou>[^\,]+)\,dc\="\
| eval OU=if(isnull(OU),lower(other_ou),lower(OU))\
| eval d_dn=if(dn_hist=="",dn,mvjoin(dn_hist,"|")),d_cn=if(orig_cn=="",cn,cn."|".orig_cn),d_sam=if(sAMAccountName=cn,"",lower(sAMAccountName)),d_princ=if(userPrincipalName=="","",userPrincipalName)\
| eval lookup_usr=lower(d_cn)."|".lower(d_dn)."|".d_sam."|".d_princ\
| eval user_type="user"\
| makemv delim="|" lookup_usr\
| eval key_val=objectGUID."#".DomainDNSName\
| table key_val,DomainDNSName,OU,accountExpires,adminCount,badPasswordTime,badPwdCount,c,cn,orig_cn,codePage,countryCode,dSCorePropagationData,dcName,deletedDate,department,description,displayName,distinguishedName,dn,dn_hist,dn_path,domain,givenName,guid_lookup,initials,instanceType,isCriticalSystemObject,isDeleted,isRecycled,l,lastKnownParent,lastLogon,lastLogonTimestamp,last_evt_flg,lockoutTime,logonCount,logonHours,lookup_usr,managedBy,msDS-SupportedEncryptionTypes,name,objectCategory,objectClass,objectGUID,objectSid,orig_evt_dn,physicalDeliveryOfficeName,postalCode,primaryGroupID,pwdLastSet,sAMAccountName,sAMAccountType,servicePrincipalName,showInAdvancedViewOnly,sid_lookup,sn,st,streetAddress,title,uac_details,uSNChanged,uSNCreated,userAccountControl,userPrincipalName,userWorkstations,whenChanged,whenCreated,user_type,time
iseval = 0

## Migrate AD_Groups_LDAP_list to AD_Obj_Group kvstore
[ms_obj_group_base_migrate]
definition = inputlookup AD_Groups_LDAP_list\
| fields DomainDNSName,OU,adminCount,c,cn,orig_cn,dSCorePropagationData,dcName,deletedDate,description,displayName,distinguishedName,dn,dn_path,dn_hist,domain,groupType,groupType_Name,guid_lookup,instanceType,isCriticalSystemObject,isDeleted,isRecycled,l,lastKnownParent,last_evt_flg,managedBy,member,name,objectCategory,objectClass,objectGUID,objectSid,primaryGroupToken,sAMAccountName,sAMAccountType,showInAdvancedViewOnly,sid_lookup,st,systemFlags,uSNChanged,uSNCreated,whenChanged,whenCreated\
| eval displayName=if(isnull(displayName),cn,displayName)\
| eval d_dn=if(dn_hist=="",dn,mvjoin(dn_hist,"|")),d_cn=if(orig_cn=="",cn,cn."|".orig_cn),d_sam=sAMAccountName\
| rex field=distinguishedName "(?si)(?:(cn|ou)\=)(?<other_ou>[^\,]+)\,dc\="\
| eval OU=if(isnull(OU),lower(other_ou),lower(OU))\
| eval objectGUID=lower(objectGUID),domain=lower(domain),DomainDNSName=lower(DomainDNSName),distinguishedName=lower(distinguishedName),dn=lower(dn),dn_hist=lower(dn_hist),dn_path=lower(dn_path),sAMAccountName=lower(sAMAccountName),member=lower(member),cn=lower(cn)\
| lookup AD_Audit_Group_Details groupType,sAMAccountType OUTPUT groupType_Name,MSADGroupType,MSADGroupClass\
| eval isDistributionList=if(sAMAccountType="268435457","TRUE","FALSE"),lookup_grp=lower(d_cn)."|".lower(d_dn)."|".lower(d_sam)\
| join type=left DomainDNSName [|inputlookup AD_Obj_Domain | stats count by DomainDNSName,domain | table DomainDNSName,domain]\
| makemv delim="####" member\
| makemv delim="|" member\
| eval membercount=mvcount(member)\
| fillnull value="0" membercount\
| makemv delim="|" lookup_grp\
| eval key_val=objectGUID."#".DomainDNSName\
| table key_val,DomainDNSName,OU,adminCount,c,cn,orig_cn,dSCorePropagationData,dcName,deletedDate,description,displayName,distinguishedName,dn,dn_hist,dn_path,domain,groupType,groupType_Name,guid_lookup,instanceType,isCriticalSystemObject,isDeleted,isDistributionList,isRecycled,l,lastKnownParent,last_evt_flg,lookup_grp,managedBy,member,membercount,MSADGroupType,MSADGroupClass,name,objectCategory,objectClass,objectGUID,objectSid,orig_evt_dn,primaryGroupToken,sAMAccountName,sAMAccountType,showInAdvancedViewOnly,sid_lookup,src_nt_domain,st,systemFlags,uSNChanged,uSNCreated,whenChanged,whenCreated,time
iseval = 0

## Migrate AD_Computer_LDAP_list to AD_Obj_Computer kvstore
[ms_obj_computer_base_migrate]
definition = inputlookup AD_Computer_LDAP_list\
| fields DomainDNSName,OU,accountExpires,badPasswordTime,badPwdCount,c,cn,orig_cn,codePage,countryCode,dNSHostName,dSCorePropagationData,dcName,deletedDate,description,displayName,distinguishedName,dn,dn_path,dn_hist,domain,instanceType,isCriticalSystemObject,isDeleted,isRecycled,l,lastKnownParent,lastLogon,lastLogonTimestamp,last_evt_flg,localPolicyFlags,logonCount,managedBy,msDFSR-ComputerReferenceBL,msDS-SupportedEncryptionTypes,name,objectCategory,objectClass,objectGUID,objectSid,operatingSystem,operatingSystemServicePack,operatingSystemVersion,primaryGroupID,pwdLastSet,rIDSetReferences,sAMAccountName,sAMAccountType,serverReferenceBL,servicePrincipalName,sid_lookup,st,uac_details,uSNChanged,uSNCreated,userAccountControl,whenChanged,whenCreated\
| fillnull value="FALSE" isRecycled,isDeleted,isCriticalSystemObject,showInAdvancedViewOnly \
| fillnull value="" \
| rex field=distinguishedName "(?si)(?:(cn|ou)\=)(?<other_ou>[^\,]+)\,dc\="\
| eval OU=if(isnull(OU),lower(other_ou),lower(OU))\
| eval objectGUID=lower(objectGUID),domain=lower(domain),dNSHostName=lower(dNSHostName),DomainDNSName=lower(DomainDNSName),distinguishedName=lower(distinguishedName),dn=lower(dn),dn_hist=lower(dn_hist),dn_path=lower(dn_path),sAMAccountName=lower(sAMAccountName)\
| eval d_dn=if(dn_hist=="",dn,mvjoin(dn_hist,"|")),d_cn=if(orig_cn=="",cn,cn."|".orig_cn),d_sam=sAMAccountName\
| eval deletedDate=if(match(lower(last_evt_flg), "deleted") OR match(lower(isDeleted), "true"), strptime(whenChanged, "%I:%M.%S %p, %a %m/%d/%Y"), 0)\
| join type=left DomainDNSName [|inputlookup AD_Obj_Domain | stats count by DomainDNSName,domain | table DomainDNSName,domain] \
| eval src_nt_domain=domain,lookup_cmp=lower(d_cn)."|".lower(d_dn)."|".lower(d_sam)\
| makemv delim="|" lookup_cmp\
| eval key_val=objectGUID."#".DomainDNSName\
| table key_val,DomainDNSName,OU,accountExpires,badPasswordTime,badPwdCount,c,cn,orig_cn,codePage,countryCode,dNSHostName,dSCorePropagationData,dcName,deletedDate,description,displayName,distinguishedName,dn,dn_hist,dn_path,domain,instanceType,isCriticalSystemObject,isDeleted,isRecycled,l,lastKnownParent,lastLogon,lastLogonTimestamp,last_evt_flg,localPolicyFlags,logonCount,lookup_cmp,managedBy,msDFSR-ComputerReferenceBL,msDS-SupportedEncryptionTypes,name,objectCategory,objectClass,objectGUID,objectSid,operatingSystem,operatingSystemServicePack,operatingSystemVersion,orig_evt_dn,primaryGroupID,pwdLastSet,rIDSetReferences,sAMAccountName,sAMAccountType,serverReferenceBL,servicePrincipalName,sid_lookup,src_nt_domain,st,uac_details,uSNChanged,uSNCreated,userAccountControl,whenChanged,whenCreated,time
iseval = 0

## OU - Migrate from csv AD_OU_LDAP_list to AD_Obj_OU kvstore
[ms_obj_ou_base_migrate]
definition = inputlookup AD_OU_LDAP_list\
| fields DomainDNSName,Linked_GPO,c,cn,orig_cn,dSCorePropagationData,deletedDate,description,displayName,distinguishedName,dn,dn_hist,dn_path,domain,gPLink,gpo_link,guid_lookup,host,instanceType,isCriticalSystemObject,isDeleted,isRecycled,l,lastKnownParent,admonEventType,managedBy,name,objectCategory,objectClass,objectGUID,ou,revision,showInAdvancedViewOnly,st,systemFlags,uSNChanged,uSNCreated,versionNumber,whenChanged,whenCreated \
| eval DomainDNSName=lower(DomainDNSName)\
| eval d_dn=if(dn_hist=="",dn,mvjoin(dn_hist,"|")),d_cn=if(orig_cn="" OR isnull(orig_cn),if(cn="" OR isnull(cn),if(displayName="" OR isnull(displayName),"",lower(displayName)),lower(cn)),lower(orig_cn))\
| fillnull value=""\
| join type=left DomainDNSName [|inputlookup AD_Obj_Domain | stats count by DomainDNSName,domain  | table DomainDNSName,domain]\
| rex field=gPLink max_match=0 "(?msi)(?:\[LDAP\:\/\/cn\=\{)(?<gpo_link>[^\}]+)"\
| eval objectGUID=lower(objectGUID),domain=lower(domain),dNSHostName=lower(dNSHostName),Linked_GPO=lower(Linked_GPO),gPLink=lower(gPLink),gpo_link=lower(gpo_link),OU=lower(OU),distinguishedName=lower(distinguishedName),dn=lower(dn),dn_hist=lower(dn_hist),dn_path=lower(dn_path),OU=lower(ou)\
| eval key_val=objectGUID."#".DomainDNSName,lookup_ou=lower(d_cn)."|".lower(d_dn)\
| makemv delim="|" lookup_ou\
| table key_val,c,cn,deletedDate,description,displayName,distinguishedName,dn,dn_hist,domain,DomainDNSName,dSCorePropagationData,gPLink,gpo_link,guid_lookup,host,instanceType,isCriticalSystemObject,isDeleted,isRecycled,l,lastKnownParent,last_evt_flg,Linked_GPO,lookup_ou,managedBy,name,objectCategory,objectClass,objectGUID,orig_cn,orig_evt_dn,OU,q,revision,showInAdvancedViewOnly,st,systemFlags,uSNChanged,uSNCreated,versionNumber,whenChanged,whenCreated,time
iseval = 0

## GPO - Migrate from csv AD_GroupPolicies_LDAP_list to AD_Obj_GPO kvstore
[ms_obj_gpo_base_migrate]
definition = inputlookup AD_GroupPolicies_LDAP_list\
| fields DomainDNSName,Linked_GPO,c,cn,orig_cn,dSCorePropagationData,deletedDate,description,displayName,distinguishedName,dn,dn_path,dn_hist,domain,gPLink,gpo_link,guid_lookup,host,instanceType,isCriticalSystemObject,isDeleted,isRecycled,l,lastKnownParent,lc,admonEventType,managedBy,name,objectCategory,objectClass,objectGUID,ou,revision,showInAdvancedViewOnly,st,systemFlags,uSNChanged,uSNCreated,versionNumber,whenChanged,whenCreated\
| eval DomainDNSName=lower(DomainDNSName)\
| rex field=distinguishedName "(?msi)(?:CN\=\{)(?<gpo_link>[^\}]+)\}\,CN\=Policies"\
| eval objectGUID=lower(objectGUID),domain=lower(domain),dNSHostName=lower(dNSHostName),DomainDNSName=lower(DomainDNSName),gPLink=lower(gPLink),gpo_link=lower(gpo_link),lc=lower(lc),OU=lower(OU),distinguishedName=lower(distinguishedName),cn=lower(cn),dn=lower(dn),dn_hist=lower(dn_hist),dn_path=lower(dn_path),ou=lower(ou)\
| makemv delim="####" lc\
| lookup AD_Obj_Domain DomainDNSName OUTPUT domain\
| eval key_val=objectGUID."#".DomainDNSName\
| table key_val,cn,dSCorePropagationData,displayName,distinguishedName,dn,dn_hist,dn_path,flags,gpo_link,gPCFileSysPath,gPCFunctionalityVersion,gPCMachineExtensionNames,instanceType,isCriticalSystemObject,name,objectCategory,objectClass,objectGUID,showInAdvancedViewOnly,systemFlags,uSNChanged,uSNCreated,versionNumber,whenChanged,whenCreated,lastKnownParent,isRecycled,isDeleted,domain,src_nt_domain,DomainDNSName,lc,last_evt_flg,deletedDate,time
iseval = 0

[ms_obj_domain_base_migrate]
definition = inputlookup AD_Domain_Selector\
| fields host,DomainNetBIOSName,DomainDNSName,ForestName,Site,domain\
| eval host=lower(host),DomainNetBIOSName=lower(DomainNetBIOSName),DomainDNSName=lower(DomainDNSName),ForestName=lower(ForestName),Site=lower(Site),domain=lower(domain)\
| stats count by host, DomainNetBIOSName,DomainDNSName,ForestName,Site,domain\
| eval domain=if(isnull(domain),DomainNetBIOSName,domain)\
| join type=left host [| inputlookup AD_Obj_Domain | table host,domain,multi_lkps_enabled,kv_suffix,dc_val,user_lookup,group_lookup,computer_lookup]\
| eval multi_lkps_enabled=if(isnull(multi_lkps_enabled),"f",multi_lkps_enabled)\
| eval kv_suffix=if(isnull(kv_suffix),lower(domain),kv_suffix)\
| eval dc_val=if(isnull(dc_val),DomainDNSName,dc_val)\
| eval user_lookup=if(isnull(user_lookup),"AD_Obj_User",if(multi_lkps_enabled="f","AD_Obj_User","AD_Obj_User_".kv_suffix))\
| eval group_lookup=if(isnull(group_lookup),"AD_Obj_Group",if(multi_lkps_enabled="f","AD_Obj_Group","AD_Obj_Group_".kv_suffix))\
| eval computer_lookup=if(isnull(computer_lookup),"AD_Obj_Computer",if(multi_lkps_enabled="f","AD_Obj_Computer","AD_Obj_Computer_".kv_suffix))\
| sort ForestName,Site,DomainDNSName,host\
| eval key_val = lower(host)\
| table host,domain,DomainNetBIOSName,DomainDNSName,ForestName,Site,multi_lkps_enabled,kv_suffix,dc_val,user_lookup,group_lookup,computer_lookup
iseval = 0

[ms_obj_winevt_migrate_admin_audit]
definition = inputlookup AD_Audit_Admin_list\
| eval last_time_string=strftime(last_time_utc,"%m/%d/%y %H:%M:%S") \
| fillnull value="" admin_dn,admin_dn_hist,admin_dn_path,admin_cn,admin_userPrincipalName \
| eval key_val=lower(admin_objectGUID)."#".lower(admin_domain)\
| eval admin_user=lower(admin_user), admin_domain=lower(admin_domain), admin_dn=lower(admin_dn), admin_dn_history=lower(admin_dn_history), admin_dn_path=lower(admin_dn_path),admin_objectGUID=lower(admin_objectGUID),admin_userPrincipalName=lower(admin_userPrincipalName)\
| table key_val,admin_user, admin_domain, admin_dn, admin_dn_history, admin_dn_path,admin_cn,admin_objectGUID,last_time_string,last_time_utc,admin_userPrincipalName\
| stats values(*) AS * by key_val\
| eval _key=key_val\
| outputlookup AD_Obj_Admin_Audit append=true
iseval = 0
###-----------------------------------------###
#---           Format Output Macros -      ---#
#---   	   Updates, Builds, and Migrate	   ---#
#--- Also used for Multi-Domain Split KVs  ---#
###-----------------------------------------###
## - User Base admon Lookup Formatting Output ##
[ms_obj_admon_base_out_user]
definition = fields _time,DomainDNSName,OU,accountExpires,adminCount,badPasswordTime,badPwdCount,c,cn,orig_cn,codePage,countryCode,dSCorePropagationData,dcName,deletedDate,department,description,displayName,distinguishedName,dn,dn_path,domain,givenName,guid_lookup,initials,instanceType,isCriticalSystemObject,isDeleted,isRecycled,l,lastKnownParent,lastLogon,lastLogonTimestamp,admonEventType,lockoutTime,logonCount,logonHours,managedBy,msDS-SupportedEncryptionTypes,name,objectCategory,objectClass,objectGUID,objectSid,physicalDeliveryOfficeName,postalCode,primaryGroupID,pwdLastSet,sAMAccountName,sAMAccountType,servicePrincipalName,showInAdvancedViewOnly,sid_lookup,sn,st,streetAddress,title,uSNChanged,uSNCreated,userAccountControl,userPrincipalName,userWorkstations,whenChanged,whenCreated\
| rex max_match=0 field=distinguishedName "\,DC\=(?<DomainDNSName>[^(\,|$)]+)"\
| eval DomainDNSName=mvjoin(lower(DomainDNSName),".")\
| stats max(_time) AS time,earliest(distinguishedName) AS orig_evt_dn,values(distinguishedName) AS dn_hist_hold,latest(*) AS * by objectGUID\
| rex field=cn "(?<orig_cn>[a-zA-Z0-9._\-\s,\$(.+\x5C{1}.+)[^\sDEL:]+)\sDEL:"\
| rex field=distinguishedName "(?i)(?:\,(?<!\x5C{1}))(cn|ou)\=(?<other_ou>[^\,]+)"\
| eval OU=if(isnull(other_ou),lower(OU),lower(other_ou))\
| eval distinguishedName=lower(distinguishedName),displayName=if(isnull(displayName),if(isnull(cn),orig_cn,cn),displayName),dn=lower(distinguishedName),last_evt_flg=admonEventType,cn=lower(cn),lastKnownParent=lower(lastKnownParent),user_type="user",objectGUID=lower(objectGUID),DomainDNSName=lower(DomainDNSName),sAMAccountName=lower(sAMAccountName),userPrincipalName=lower(userPrincipalName),orig_evt_dn=lower(orig_evt_dn)\
| rex  field=distinguishedName "(?i)(?:\,(?<!\x5C{1}))(?<dn_path>(cn|ou|dc)\=[^$]+)"\
| fillnull value="FALSE" isRecycled,isDeleted,isCriticalSystemObject,showInAdvancedViewOnly\
| eval deletedDate=if(match(lower(last_evt_flg), "deleted") OR match(lower(isDeleted), "true"), strptime(whenChanged, "%I:%M.%S %p, %a %m/%d/%Y"), 0)\
| lookup AD_Obj_UAC userAccountControl OUTPUT uac_bin_map, uac_details\
| makemv delim=":" uac_details\
| join type=left DomainDNSName [|inputlookup AD_Obj_Domain | stats count by DomainDNSName,domain | table DomainDNSName,domain]\
| eval dn_hist_cnt=mvcount(dn_hist_hold)\
| eval dn_hist=if(dn_hist_cnt>1,lower(dn_hist_hold),"")\
| fillnull value=0 adminCount,badPwdCount,lastLogonTimestamp,logonCount,primaryGroupID,pwdLastSet,uSNChanged,uSNCreated,userAccountControl,whenChanged,whenCreated\
| fillnull value="" OU,accountExpires,badPasswordTime,c,cn,orig_cn,codePage,countryCode,dSCorePropagationData,dcName,department,description,displayName,distinguishedName,dn,dn_hist,dn_path,domain,givenName,guid_lookup,initials,instanceType,l,lastKnownParent,last_evt_flg,lockoutTime,logonHours,managedBy,msDS-SupportedEncryptionTypes,name,objectCategory,objectClass,objectGUID,objectSid,orig_evt_dn,physicalDeliveryOfficeName,postalCode,primaryGroupID,sAMAccountName,sAMAccountType,servicePrincipalName,sid_lookup,sn,st,streetAddress,title,uSNChanged,uSNCreated,uac_details,userPrincipalName,userWorkstations,uac_bin_map\
| eval d_dn=if(dn_hist=="",dn,mvjoin(dn_hist,"|")),d_cn=if(orig_cn=="",cn,cn."|".orig_cn),d_sam=if(sAMAccountName=cn,"",lower(sAMAccountName)),d_princ=if(userPrincipalName=="","",userPrincipalName)\
| eval key_val=objectGUID."#".DomainDNSName,lookup_usr=lower(d_cn)."|".lower(d_dn)."|".d_sam."|".d_princ\
| makemv delim="|" lookup_usr\
| eventstats values(lookup_usr) AS lookup_usr by key_val\
| table key_val,DomainDNSName,OU,accountExpires,adminCount,badPasswordTime,badPwdCount,c,cn,orig_cn,codePage,countryCode,dSCorePropagationData,dcName,deletedDate,department,description,displayName,distinguishedName,dn,dn_hist,dn_path,domain,givenName,guid_lookup,initials,instanceType,isCriticalSystemObject,isDeleted,isRecycled,l,lastKnownParent,lastLogon,lastLogonTimestamp,last_evt_flg,lockoutTime,logonCount,logonHours,lookup_usr,managedBy,msDS-SupportedEncryptionTypes,name,objectCategory,objectClass,objectGUID,objectSid,orig_evt_dn,physicalDeliveryOfficeName,postalCode,primaryGroupID,pwdLastSet,sAMAccountName,sAMAccountType,servicePrincipalName,showInAdvancedViewOnly,sid_lookup,sn,st,streetAddress,title,uac_details,uSNChanged,uSNCreated,userAccountControl,userPrincipalName,userWorkstations,whenChanged,whenCreated,user_type,time
iseval = 0

## - Group Base admon Lookup Formatting Output ##
[ms_obj_admon_base_out_group]
definition = fields DomainDNSName, OU, admonEventType, adminCount, c, cn, orig_cn, dSCorePropagationData, dcName, deletedDate, description, displayName, distinguishedName, dn, dn_hist, dn_path, domain, groupType, groupType_Name, guid_lookup, instanceType, isCriticalSystemObject, isDeleted, isRecycled, l, lastKnownParent, managedBy, member, name, objectCategory, objectClass, objectGUID, objectSid, primaryGroupToken, sAMAccountName, sAMAccountType, showInAdvancedViewOnly, sid_lookup, st, systemFlags, uSNChanged, uSNCreated, whenChanged, whenCreated \
| rex field=distinguishedName max_match=0 "\\,DC\\=(?<DomainDNSName>[^(\\,|$)]+)" \
| eval DomainDNSName=mvjoin(lower(DomainDNSName),".") \
| stats max(_time) AS time,earliest(distinguishedName) AS orig_evt_dn,values(distinguishedName) AS dn_hist_hold,latest(*) AS * by objectGUID \
| rex field=cn "(?<orig_cn>[a-zA-Z0-9._\\-\\s,\\$(.+\\x5C{1}.+)[^\\sDEL:]+)\\sDEL:" \
| rex field=objectSid "\\d+\\-(?<primaryGroupToken>\\d+)$"\
| rex field=distinguishedName "(?i)(?:\,(?<!\x5C{1}))(cn|ou)\=(?<other_ou>[^\,]+)"\
| eval distinguishedName=lower(distinguishedName), displayName=if(isnull(displayName),if(isnull(cn),orig_cn,cn),displayName), dn=lower(distinguishedName), last_evt_flg=admonEventType, cn=lower(cn), lastKnownParent=lower(lastKnownParent), objectGUID=lower(objectGUID), DomainDNSName=lower(DomainDNSName), sAMAccountName=lower(sAMAccountName), dNSHostName=if(isnull(dNSHostName),if(isnull(orig_cn),((displayName . ".") . DomainDNSName),((orig_cn . ".") . DomainDNSName)),dNSHostName), orig_evt_dn=lower(orig_evt_dn), member=lower(member), adminCount=if(isnull(adminCount),0,adminCount) \
| rex field=distinguishedName "(?i)(?:\\,(?<!\\x5C{1}))(?<dn_path>(cn|ou|dc)\\=[^$]+)" \
| rex field=distinguishedName "(?i)(?:\\,(?<!\\x5C{1}))(cn|ou|dc)\\=(?<orig_ou>[^\\,]+)" \
| fillnull value="FALSE" isRecycled,isDeleted,isCriticalSystemObject,showInAdvancedViewOnly \
| eval deletedDate=if((match(lower(last_evt_flg),"deleted") OR match(lower(isDeleted),"true")),strptime(whenChanged,"%I:%M.%S %p, %a %m/%d/%Y"),0), OU=if(isnull(other_ou),if(isnull(orig_ou),lower(OU),lower(orig_ou)),lower(other_ou))\
| join type=left DomainDNSName \
[| inputlookup AD_Obj_Domain \
| stats count by DomainDNSName,domain \
| table DomainDNSName, domain] \
| lookup AD_Audit_Group_Details groupType,sAMAccountType OUTPUT groupType_Name,MSADGroupType,MSADGroupClass \
| eval isDistributionList=if((sAMAccountType == "268435457"),"TRUE","FALSE") \
| eval dn_hist_cnt=mvcount(dn_hist_hold) \
| eval dn_hist=if((dn_hist_cnt > 1),lower(dn_hist_hold),""), src_nt_domain=domain \
| fillnull value=0 uSNChanged,uSNCreated,whenChanged,whenCreated \
| fillnull value="" OU,c,orig_cn,dSCorePropagationData,dcName,description,displayName,distinguishedName,dn,dn_path,groupType,groupType_Name,MSADGroupType,MSADGroupClass,guid_lookup,instanceType,l,lastKnownParent,last_evt_flg,managedBy,member,name,objectCategory,objectSid,primaryGroupToken,sAMAccountName,sAMAccountType,sid_lookup,st,systemFlags,uSNChanged,uSNCreated \
| eval d_dn=if(dn_hist=="",dn,mvjoin(dn_hist,"|")),d_cn=if(orig_cn=="",cn,cn."|".orig_cn),d_sam=if(sAMAccountName==cn,"",sAMAccountName) \
| eval lookup_grp=lower(d_cn)."|".lower(d_dn)."|".lower(d_sam) \
| makemv delim="|" lookup_grp \
| eval member=replace(member,"####","|")\
| makemv delim="|" member \
| eval membercount=if((member == ""),0,mvcount(member)) \
| eval key_val=((objectGUID . "#") . DomainDNSName) \
| table key_val, DomainDNSName, OU, adminCount, c, cn, orig_cn, dSCorePropagationData, dcName, deletedDate, description, displayName, distinguishedName, dn, dn_hist, dn_path, domain, groupType, groupType_Name, guid_lookup, instanceType, isCriticalSystemObject, isDeleted, isDistributionList, isRecycled, l, lastKnownParent, last_evt_flg, lookup_grp, managedBy, member, membercount, MSADGroupType, MSADGroupClass, name, objectCategory, objectClass, objectGUID, objectSid, orig_evt_dn, primaryGroupToken, sAMAccountName, sAMAccountType, showInAdvancedViewOnly, sid_lookup, src_nt_domain, st, systemFlags, uSNChanged, uSNCreated, whenChanged, whenCreated, time
iseval = 0

## - Computer Base admon Lookup Formatting Output ##
[ms_obj_admon_base_out_computer]
definition = fields DomainDNSName,OU,admonEventType,accountExpires,badPasswordTime,badPwdCount,c,cn,orig_cn,codePage,countryCode,dNSHostName,dSCorePropagationData,dcName,deletedDate,description,displayName,distinguishedName,dn,dn_path,domain,instanceType,isCriticalSystemObject,isDeleted,isRecycled,l,lastKnownParent,lastLogon,lastLogonTimestamp,localPolicyFlags,logonCount,managedBy,msDFSR-ComputerReferenceBL,msDS-SupportedEncryptionTypes,name,objectCategory,objectClass,objectGUID,objectSid,operatingSystem,operatingSystemServicePack,operatingSystemVersion,primaryGroupID,pwdLastSet,rIDSetReferences,sAMAccountName,sAMAccountType,serverReferenceBL,servicePrincipalName,sid_lookup,st,uSNChanged,uSNCreated,userAccountControl,whenChanged,whenCreated\
| rex max_match=0 field=distinguishedName "\,DC\=(?<DomainDNSName>[^(\,|$)]+)"\
| eval DomainDNSName=mvjoin(lower(DomainDNSName),".")\
| stats max(_time) AS time,earliest(distinguishedName) AS orig_evt_dn,values(distinguishedName) AS dn_hist_hold,latest(*) AS * by objectGUID\
| rex field=cn "(?<orig_cn>[a-zA-Z0-9._\-\s,\$(.+\x5C{1}.+)[^\sDEL:]+)\sDEL:"\
| rex field=distinguishedName "(?i)(?:\,(?<!\x5C{1}))(cn|ou)\=(?<other_ou>[^\,]+)"\
| eval OU=if(isnull(other_ou),lower(OU),lower(other_ou))\
| eval distinguishedName=lower(distinguishedName),displayName=if(isnull(displayName),if(isnull(cn),orig_cn,cn),displayName),dn=lower(distinguishedName),last_evt_flg=admonEventType,cn=lower(cn),lastKnownParent=lower(lastKnownParent),objectGUID=lower(objectGUID),DomainDNSName=lower(DomainDNSName),sAMAccountName=lower(sAMAccountName),dNSHostName=if(isnull(dNSHostName),if(isnull(orig_cn),displayName.".".DomainDNSName,orig_cn.".".DomainDNSName),dNSHostName),orig_evt_dn=lower(orig_evt_dn)\
| rex  field=distinguishedName "(?i)(?:\,(?<!\x5C{1}))(?<dn_path>(cn|ou|dc)\=[^$]+)"\
| fillnull value="FALSE" isRecycled,isDeleted,isCriticalSystemObject,showInAdvancedViewOnly\
| eval deletedDate=if(match(lower(last_evt_flg), "deleted") OR match(lower(isDeleted), "true"), strptime(whenChanged, "%I:%M.%S %p, %a %m/%d/%Y"), 0)\
| lookup AD_Obj_UAC userAccountControl OUTPUT uac_bin_map, uac_details\
| makemv delim=":" uac_details\
| join type=left DomainDNSName [|inputlookup AD_Obj_Domain | stats count by DomainDNSName,domain | table DomainDNSName,domain]\
| eval dn_hist_cnt=mvcount(dn_hist_hold)\
| eval dn_hist=if(dn_hist_cnt>1,lower(dn_hist_hold),""),src_nt_domain=domain\
| fillnull value=0 badPwdCount,lastLogonTimestamp,logonCount,primaryGroupID,pwdLastSet,uSNChanged,uSNCreated,userAccountControl,whenChanged,whenCreated\
| fillnull value="" OU,accountExpires,badPasswordTime,c,cn,orig_cn,codePage,countryCode,dNSHostName,dSCorePropagationData,dcName,description,displayName,distinguishedName,dn,dn_hist,dn_path,domain,instanceType,isCriticalSystemObject,l,lastKnownParent,lastLogon,last_evt_flg,localPolicyFlags,managedBy,msDFSR-ComputerReferenceBL,msDS-SupportedEncryptionTypes,name,objectCategory,objectClass,objectGUID,objectSid,operatingSystem,operatingSystemServicePack,operatingSystemVersion,orig_evt_dn,rIDSetReferences,sAMAccountName,sAMAccountType,serverReferenceBL,servicePrincipalName,sid_lookup,src_nt_domain,st\
| eval d_dn=if(dn_hist=="",dn,mvjoin(dn_hist,"|")),d_cn=if(orig_cn=="",cn,cn."|".orig_cn),d_sam=if(sAMAccountName=cn,"",lower(sAMAccountName))\
| eval key_val=objectGUID."#".DomainDNSName,lookup_cmp=lower(d_cn)."|".lower(d_dn)."|".d_sam\
| makemv delim="|" lookup_cmp\
| eventstats values(lookup_cmp) AS lookup_cmp by key_val\
| table key_val,DomainDNSName,OU,accountExpires,badPasswordTime,badPwdCount,c,cn,orig_cn,codePage,countryCode,dNSHostName,dSCorePropagationData,dcName,deletedDate,description,displayName,distinguishedName,dn,dn_hist,dn_path,domain,instanceType,isCriticalSystemObject,isDeleted,isRecycled,l,lastKnownParent,lastLogon,lastLogonTimestamp,last_evt_flg,localPolicyFlags,logonCount,lookup_cmp,managedBy,msDFSR-ComputerReferenceBL,msDS-SupportedEncryptionTypes,name,objectCategory,objectClass,objectGUID,objectSid,operatingSystem,operatingSystemServicePack,operatingSystemVersion,orig_evt_dn,primaryGroupID,pwdLastSet,rIDSetReferences,sAMAccountName,sAMAccountType,serverReferenceBL,servicePrincipalName,sid_lookup,src_nt_domain,st,uac_details,uSNChanged,uSNCreated,userAccountControl,whenChanged,whenCreated,time
iseval = 0

## - OU Base admon Lookup Formatting Output ##
[ms_obj_admon_base_out_ou]
definition = fields DomainDNSName,Linked_GPO,c,cn,orig_cn,dSCorePropagationData,deletedDate,description,displayName,distinguishedName,dn,dn_hist,domain,gPLink,gpo_link,guid_lookup,host,instanceType,isCriticalSystemObject,isDeleted,isRecycled,l,lastKnownParent,admonEventType,managedBy,name,objectCategory,objectClass,objectGUID,ou,revision,showInAdvancedViewOnly,st,systemFlags,uSNChanged,uSNCreated,versionNumber,whenChanged,whenCreated\
| rex max_match=0 field=distinguishedName "\,DC\=(?<DomainDNSName>[^(\,|$)]+)"\
| eval DomainDNSName=mvjoin(DomainDNSName,".")\
| stats max(_time) AS time,earliest(distinguishedName) AS orig_evt_dn,values(distinguishedName) AS dn_hist_hold,latest(*) AS * by objectGUID\
| rex field=distinguishedName "(?i)^(CN|OU)\=(?<cn>[^\,]+)"\
| rex field=name "(?i)(?<ou_del>[^\sDEL]+)\sDEL\:"\
| rex field=gPLink max_match=0 "(?msi)(?:\[LDAP\:\/\/cn\=\{)(?<gpo_link>[^\}]+)"\
| eval distinguishedName=lower(distinguishedName),OU=if(isnull(ou),if(isnull(ou_del),name,ou_del),name), displayName=if(isnull(displayName),if(isnull(cn),if(isnull(ou_del),name,ou_del),cn),displayName),dn=lower(distinguishedName),last_evt_flg=admonEventType,cn=lower(cn),orig_cn=if(isnull(ou_del),cn,ou_del),lastKnownParent=lower(lastKnownParent),objectGUID=lower(objectGUID),DomainDNSName=lower(DomainDNSName),orig_evt_dn=lower(orig_evt_dn),gpo_link=lower(gpo_link)\
| fillnull value="FALSE" isRecycled,isDeleted,isCriticalSystemObject,showInAdvancedViewOnly\
| eval deletedDate=if(match(lower(last_evt_flg), "deleted") OR match(lower(isDeleted), "true"), strptime(whenChanged, "%I:%M.%S %p, %a %m/%d/%Y"), 0),OU=if(isnull(OU),orig_ou,OU)\
| join type=left DomainDNSName [|inputlookup AD_Obj_Domain | stats count by DomainDNSName,domain | table DomainDNSName,domain]\
| eval dn_hist_cnt=mvcount(dn_hist_hold)\
| eval dn_hist=if(dn_hist_cnt>1,lower(dn_hist_hold),"")\
| fillnull value=0 uSNChanged,uSNCreated,whenChanged,whenCreated\
| fillnull value="" displayName,distinguishedName,dn,dn_hist,domain,DomainDNSName,dSCorePropagationData,flags,gpo_link,gPCFileSysPath,gPCFunctionalityVersion,gPCMachineExtensionNames,instanceType,lastKnownParent,lc,last_evt_flg,name,objectCategory,objectClass,objectGUID,orig_cn,systemFlags,uSNChanged,uSNCreated,versionNumber\
| eval d_dn=if(dn_hist=="",dn,mvjoin(dn_hist,"|")),d_cn=if(orig_cn="" OR isnull(orig_cn),if(cn="" OR isnull(cn),if(displayName="" OR isnull(displayName),"",lower(displayName)),lower(cn)),lower(orig_cn))\
| eval key_val=objectGUID."#".DomainDNSName,lookup_ou=lower(d_cn)."|".lower(d_dn)\
| makemv delim="|" lookup_ou\
| table key_val,c,cn,deletedDate,description,displayName,distinguishedName,dn,dn_hist,domain,DomainDNSName,dSCorePropagationData,gPLink,gpo_link,guid_lookup,host,instanceType,isCriticalSystemObject,isDeleted,isRecycled,l,lastKnownParent,last_evt_flg,Linked_GPO,lookup_ou,managedBy,name,objectCategory,objectClass,objectGUID,orig_cn,orig_evt_dn,OU,q,revision,showInAdvancedViewOnly,st,systemFlags,uSNChanged,uSNCreated,versionNumber,whenChanged,whenCreated,time
iseval = 0

## - GPO Base admon Lookup Formatting Output ##
[ms_obj_admon_base_out_gpo]
definition = fields admonEventType,cn,deletedDate,displayName,distinguishedName,dn,dn_hist,domain,DomainDNSName,dSCorePropagationData,flags,gpo_link,gPCFileSysPath,gPCFunctionalityVersion,gPCMachineExtensionNames,instanceType,isCriticalSystemObject,isRecycled,isDeleted,lastKnownParent,lc,last_evt_flg,name,objectCategory,objectClass,objectGUID,orig_cn,showInAdvancedViewOnly,systemFlags,uSNChanged,uSNCreated,versionNumber,whenChanged,whenCreated,_time\
| rex max_match=0 field=distinguishedName "\,DC\=(?<DomainDNSName>[^(\,|$)]+)"\
| eval DomainDNSName=mvjoin(DomainDNSName,".")\
| stats max(_time) AS time,earliest(distinguishedName) AS orig_evt_dn,values(distinguishedName) AS dn_hist_hold,latest(*) AS * by objectGUID\
| rex field=cn "(?<orig_cn>[a-zA-Z0-9._\-\s,\$(.+\x5C{1}.+)[^\sDEL:]+)\sDEL:"\
| rex field=distinguishedName "(?msi)(?:CN\=\{)(?<gpo_link>[^\}]+)\}\,CN\=Policies"\
| eval distinguishedName=lower(distinguishedName),displayName=if(isnull(displayName),if(isnull(cn),orig_cn,cn),displayName),dn=lower(distinguishedName),last_evt_flg=admonEventType,cn=lower(cn),orig_cn=lower(orig_cn),lastKnownParent=lower(lastKnownParent),objectGUID=lower(objectGUID),DomainDNSName=lower(DomainDNSName),orig_evt_dn=lower(orig_evt_dn),gpo_link=lower(gpo_link)\
| rex  field=distinguishedName "(?i)(?:\,(?<!\x5C{1}))(cn|ou|dc)\=(?<orig_ou>[^\,]+)"\
| fillnull value="FALSE" isRecycled,isDeleted,isCriticalSystemObject,showInAdvancedViewOnly\
| eval deletedDate=if(match(lower(last_evt_flg), "deleted") OR match(lower(isDeleted), "true"), strptime(whenChanged, "%I:%M.%S %p, %a %m/%d/%Y"), 0),OU=if(isnull(OU),orig_ou,OU)\
| join type=left DomainDNSName [|inputlookup AD_Obj_Domain | stats count by DomainDNSName,domain | table DomainDNSName,domain]\
| eval dn_hist_cnt=mvcount(dn_hist_hold)\
| eval dn_hist=if(dn_hist_cnt>1,lower(dn_hist_hold),"")\
| fillnull value=0 uSNChanged,uSNCreated,whenChanged,whenCreated\
| fillnull value="" displayName,distinguishedName,dn,dn_hist,domain,DomainDNSName,dSCorePropagationData,flags,gpo_link,gPCFileSysPath,gPCFunctionalityVersion,gPCMachineExtensionNames,instanceType,lastKnownParent,lc,last_evt_flg,name,objectCategory,objectClass,objectGUID,orig_cn,systemFlags,uSNChanged,uSNCreated,versionNumber\
| eval key_val=objectGUID."#".DomainDNSName\
| table key_val,cn,deletedDate,displayName,distinguishedName,dn,dn_hist,domain,DomainDNSName,dSCorePropagationData,flags,gpo_link,gPCFileSysPath,gPCFunctionalityVersion,gPCMachineExtensionNames,instanceType,isCriticalSystemObject,isRecycled,isDeleted,lastKnownParent,lc,last_evt_flg,name,objectCategory,objectClass,objectGUID,orig_cn,showInAdvancedViewOnly,systemFlags,uSNChanged,uSNCreated,versionNumber,whenChanged,whenCreated,time
iseval = 0

## - Admin Audit Lookup - Build and Update ##
[ms_obj_winevt_base_out_admin_audit]
definition = `ms_obj_changes_base_all`\
| fields src_user, _time, src_nt_domain,dest_nt_domain\
| eval admin_domain=if(isnull(src_nt_domain),if(isnull(dest_nt_domain),"",lower(dest_nt_domain)),lower(src_nt_domain))\
| eval admin_user=lower(src_user)\
| stats latest(_time) as last_time_utc by admin_user,admin_domain\
| eval last_time_string=strftime(last_time_utc,"%m/%d/%y %H:%M:%S")\
| stats values(*) AS * by admin_user,admin_domain\
| eval key_val=lower(admin_user)."#".lower(admin_domain)
iseval=0

## - Replaced for supporting MULTI-DOMAIN SPLIT KVS  removed lookup dn_path,dn,cn,userPrincipalName ##
##[ms_obj_winevt_base_out_admin_audit]
##definition = `ms_obj_changes_base_all`\
##| fields src_user, _time\
##| eval src_user=lower(src_user)\
##| stats latest(_time) as last_time_utc by src_user\
##| lookup AD_Obj_User sAMAccountName as src_user OUTPUT sAMAccountName as admin_user,domain as admin_domain,dn as admin_dn,dn_path as admin_dn_path,cn as admin_cn,objectGUID as admin_objectGUID,userPrincipalName AS admin_userPrincipalName\
##| eval last_time_string=strftime(last_time_utc,"%m/%d/%y %H:%M:%S")\
##| fillnull value="" admin_dn,admin_dn_hist,admin_dn_path,admin_cn,admin_userPrincipalName\
##| stats values(*) AS * by admin_objectGUID,admin_domain\
##| eval key_val=lower(admin_objectGUID)."#".lower(admin_domain)
##iseval = 0

[ms_obj_default_ugc_count]
definition = fields domain \
| join type=left domain [| inputlookup AD_Obj_User | fields domain | stats count as user_count by domain]\
| join type=left domain [| inputlookup AD_Obj_Group | fields domain | stats count as group_count by domain]\
| join type=left domain [| inputlookup AD_Obj_Computer | fields domain | stats count as user_computer by domain]\
| eval user_count=if(isnull(user_count),0,tostring(user_count,"commas")),group_count=if(isnull(group_count),0,tostring(group_count,"commas")),computer_count=if(isnull(computer_count),0,tostring(computer_count,"commas"))\
| table domain,user_count,group_count,computer_count
iseval = 0

## - UAC Output for Updating AD_Obj_UAC lookup ##
[ms_obj_admon_base_out_uac]
definition = `ms_obj_admon_base` ("objectClass=top|person|organizationalPerson|user" OR "objectClass=top|group") NOT [| inputlookup AD_Obj_UAC | fields userAccountControl | stats count by userAccountControl | table userAccountControl | format]\
| fields userAccountControl
iseval = 0

###----------------------------------------------###
#--- Optional User Lookup Update - Logon Times  ---#
#--- Macro that can be used for updating the User ---#
#--- lookup with lastLogon,lastLogonTimestamp  	---#
###----------------------------------------------###
[ms_obj_upd_user_last_logon(2)]
args = user_lookup,domain
definition = `ms_obj_success_logons_user` (dest_nt_domain="$domain$" OR src_nt_domain="$domain$"\
| fields _time, dest_nt_domain, user_obj_lkp\
| eval user_obj_lkp=lower(user_obj_lkp)\
| stats max(_time) as l_logon by dest_nt_domain,user_obj_lkp\
| lookup $user_lookup$ lookup_usr AS user_obj_lkp OUTPUT _key AS key_val,DomainDNSName,OU,accountExpires,adminCount,badPasswordTime,badPwdCount,c,cn,orig_cn,codePage,countryCode,dSCorePropagationData,dcName,deletedDate,department,description,displayName,distinguishedName,dn,dn_hist,dn_path,domain,givenName,guid_lookup,initials,instanceType,isCriticalSystemObject,isDeleted,isRecycled,l,lastKnownParent,lastLogon,lastLogonTimestamp,last_evt_flg,lockoutTime,logonCount,logonHours,lookup_usr,managedBy,msDS-SupportedEncryptionTypes,name,objectCategory,objectClass,objectGUID,objectSid,orig_evt_dn,physicalDeliveryOfficeName,postalCode,primaryGroupID,pwdLastSet,sAMAccountName,sAMAccountType,servicePrincipalName,showInAdvancedViewOnly,sid_lookup,sn,st,streetAddress,title,uac_details,uSNChanged,uSNCreated,userAccountControl,userPrincipalName,userWorkstations,whenChanged,whenCreated,user_type,time\
| where isnotnull(lastLogonTimestamp) AND l_logon>lastLogonTimestamp\
| eval lastLogon=strftime(l_logon,"%I:%M.%S %P, %a %m/%d/%Y"),lastLogonTimestamp=l_logon\
| table key_val,DomainDNSName, OU, accountExpires, adminCount, badPasswordTime, badPwdCount, c, cn, orig_cn, codePage, countryCode, dSCorePropagationData, dcName, deletedDate, department, description, displayName, distinguishedName, dn, dn_hist, dn_path, domain, givenName, guid_lookup, initials, instanceType, isCriticalSystemObject, isDeleted, isRecycled, l, lastKnownParent, lastLogon, lastLogonTimestamp, last_evt_flg, lockoutTime, logonCount, logonHours, lookup_usr, managedBy, "msDS-SupportedEncryptionTypes", name, objectCategory, objectClass, objectGUID, objectSid, orig_evt_dn, physicalDeliveryOfficeName, postalCode, primaryGroupID, pwdLastSet, sAMAccountName, sAMAccountType, servicePrincipalName, showInAdvancedViewOnly, sid_lookup, sn, st, streetAddress, title, uac_details, uSNChanged, uSNCreated, userAccountControl, userPrincipalName, userWorkstations, whenChanged, whenCreated, user_type, time\
| eval _key=objectGUID."#".DomainDNSName\
| outputlookup $user_lookup$ append=true
iseval = 0
###-----------------------------------------###
#--- Converting UserAccountControl Macros  ---#
#--- Also used for Multi-Domain Split KVs  ---#
###-----------------------------------------###
## User Access Control Bitmask Conversion Macros ##
[ms_obj_uac_to_details]
definition = eval octet = userAccountControl \
| eval rank = split("1", ",") \
| eval octet_rank = mvzip(rank, octet) \
| fields - octet, rank \
| mvexpand octet_rank \
| eval octet_rank_split = split(octet_rank, ",") \
| eval rank = mvindex(octet_rank_split, 0) \
| eval octet = mvindex(octet_rank_split, 1) \
| fields - octet_rank, octet_rank_split \
| eval power = mvrange(0,32) \
| mvexpand power \
| eval base2 = pow(2, power) \
| eval mydiv = floor(octet / base2) \
| eval octet_bin = mydiv % 2 \
| fields - mydiv, base2 \
| sort limit=0 IP, rank, octet, - power \
| stats list(octet_bin) as octet_bin by userAccountControl\
| eval uac_bin_map = mvjoin(octet_bin, "")\
| rex field=uac_bin_map "00000(?<uacf_dc_account>\d{1})(?<uacf_kerb_no_pac>\d{1})(?<uacf_trust_auth_for_delegation>\d{1})(?<uacf_pwd_expired>\d{1})(?<uacf_pwd_kerb_pre_auth>\d{1})(?<uacf_pwd_kerb_des>\d{1})(?<uacf_sensitive>\d{1})(?<uacf_trust_for_delegation>\d{1})(?<uacf_smartcard_req>\d{1})(?<uacf_mns_account>\d{1})(?<uacf_pwd_not_expire>\d{1})(?<uacf_na_5>\d{1})(?<uacf_na_4>\d{1})(?<uacf_srvr_trust_account>\d{1})(?<uacf_wkstn_trust_account>\d{1})(?<uacf_trust_account>\d{1})(?<uacf_na_3>\d{1})(?<uacf_normal_account>\d{1})(?<uacf_temp_dup_account>\d{1})(?<uacf_pwd_store_rev>\d{1})(?<uacf_pwd_cant_change>\d{1})(?<uacf_pwd_not_req>\d{1})(?<uacf_lockout>\d{1})(?<uacf_home_dir_req>\d{1})(?<uacf_na_1>\d{1})(?<uacf_account_state>\d{1})(?<uacf_script_account>\d{1})" \
| eval uac_details="" \
| eval uac_details=if(uacf_account_state=1,uac_details."Disabled",uac_details."Enabled") \
| eval uac_details=if(uacf_script_account=1,uac_details.":Logon script is executed",uac_details) \
| eval uac_details=if(uacf_temp_dup_account=1,uac_details.":Temp Duplicate Account",uac_details) \
| eval uac_details=if(uacf_home_dir_req=1,uac_details.":Home Directory Required",uac_details) \
| eval uac_details=if(uacf_pwd_not_req=1,uac_details.":Password Not Required",uac_details) \
| eval uac_details=if(uacf_pwd_cant_change=1,uac_details.":Cant Change Password",uac_details) \
| eval uac_details=if(uacf_pwd_store_rev=1,uac_details.":Store Password using reversible encryption",uac_details) \
| eval uac_details=if(uacf_normal_account=1,uac_details.":Normal User Account",uac_details) \
| eval uac_details=if(uacf_trust_account=1,uac_details.":InterDomain Trust Account",uac_details) \
| eval uac_details=if(uacf_wkstn_trust_account=1,uac_details.":Workstation Trust Account",uac_details) \
| eval uac_details=if(uacf_srvr_trust_account=1,uac_details.":Server Trust Account",uac_details) \
| eval uac_details=if(uacf_pwd_not_expire=1,uac_details.":Password Does Not Expire",uac_details) \
| eval uac_details=if(uacf_mns_account=1,uac_details.":Majority Node Set (MNS) account",uac_details) \
| eval uac_details=if(uacf_smartcard_req=1,uac_details.":Smart Card Required",uac_details) \
| eval uac_details=if(uacf_trust_for_delegation=1,uac_details.":Trusted for Delegation",uac_details) \
| eval uac_details=if(uacf_sensitive=1,uac_details.":Sensitive - Not Delegated",uac_details) \
| eval uac_details=if(uacf_pwd_kerb_des=1,uac_details.":Kerberos authentication DES only",uac_details) \
| eval uac_details=if(uacf_pwd_kerb_pre_auth=1,uac_details.":Kerberos Does Not Require Pre-Auth",uac_details) \
| eval uac_details=if(uacf_pwd_expired=1,uac_details.":Password has Expired",uac_details) \
| eval uac_details=if(uacf_trust_auth_for_delegation=1,uac_details.":Can request a Kerberos ticket on behalf of another user",uac_details) \
| eval uac_details=if(uacf_kerb_no_pac=1,uac_details.":Request Kerberos Ticket without PAC data",uac_details) \
| eval uac_details=if(uacf_dc_account=1,uac_details.":Read Only Domain Controller Account",uac_details) \
| fields - octet_bin, - uacf*
iseval = 0

## uac_details (bit flag definitions for uac binary) fields to a target lookup -##
[ms_obj_uac_to_binary(1)]
args = target_lookup
definition = join type=left userAccountControl [| inputlookup $target_lookup$\
| fields userAccountControl\
| dedup userAccountControl\
| eval octet = userAccountControl\
| eval rank = split("1", ",")\
| eval octet_rank = mvzip(rank, octet)\
| fields - octet, rank\
| mvexpand octet_rank\
| eval octet_rank_split = split(octet_rank, ",")\
| eval rank = mvindex(octet_rank_split, 0)\
| eval octet = mvindex(octet_rank_split, 1)\
| fields - octet_rank, octet_rank_split\
| eval power = mvrange(0,32)\
| mvexpand power\
| eval base2 = pow(2, power)\
| eval mydiv = floor(octet / base2)\
| eval octet_bin = mydiv % 2\
| fields - mydiv, base2\
| sort limit=0 IP, rank, octet, - power\
| stats list(octet_bin) as octet_bin by userAccountControl\
| eval uac_bin_map = mvjoin(octet_bin, "")\
| rex field=uac_bin_map "00000(?<uac_dc_account>\d{1})(?<uac_kerb_no_pac>\d{1})(?<uac_trust_auth_for_delegation>\d{1})(?<uac_pwd_expired>\d{1})(?<uac_pwd_kerb_pre_auth>\d{1})(?<uac_pwd_kerb_des>\d{1})(?<uac_sensitive>\d{1})(?<uac_trust_for_delegation>\d{1})(?<uac_smartcard_req>\d{1})(?<uac_mns_account>\d{1})(?<uac_pwd_not_expire>\d{1})(?<na_uac_5>\d{1})(?<na_uac_4>\d{1})(?<uac_srvr_trust_account>\d{1})(?<uac_wkstn_trust_account>\d{1})(?<uac_trust_account>\d{1})(?<na_uac_3>\d{1})(?<uac_normal_account>\d{1})(?<uac_temp_dup_account>\d{1})(?<uac_pwd_store_rev>\d{1})(?<uac_pwd_cant_change>\d{1})(?<uac_pwd_not_req>\d{1})(?<uac_lockout>\d{1})(?<uac_home_dir_req>\d{1})(?<na_uac_1>\d{1})(?<uac_account_state>\d{1})(?<uac_script_account>\d{1})"  \
| eval uac_details="" \
| eval uac_details=if(uac_account_state=1,uac_details."Disabled",uac_details."Enabled") \
| eval uac_details=if(uac_script_account=1,uac_details.":Logon script is executed",uac_details) \
| eval uac_details=if(uac_temp_dup_account=1,uac_details.":Temp Duplicate Account",uac_details) \
| eval uac_details=if(uac_home_dir_req=1,uac_details.":Home Directory Required",uac_details) \
| eval uac_details=if(uac_pwd_not_req=1,uac_details.":Password Not Required",uac_details) \
| eval uac_details=if(uac_pwd_cant_change=1,uac_details.":Cant Change Password",uac_details) \
| eval uac_details=if(uac_pwd_store_rev=1,uac_details.":Store Password using reversible encryption",uac_details) \
| eval uac_details=if(uac_normal_account=1,uac_details.":Normal User Account",uac_details) \
| eval uac_details=if(uac_trust_account=1,uac_details.":InterDomain Trust Account",uac_details) \
| eval uac_details=if(uac_wkstn_trust_account=1,uac_details.":Workstation Trust Account",uac_details) \
| eval uac_details=if(uac_srvr_trust_account=1,uac_details.":Server Trust Account",uac_details) \
| eval uac_details=if(uac_pwd_not_expire=1,uac_details.":Password Does Not Expire",uac_details) \
| eval uac_details=if(uac_mns_account=1,uac_details.":Majority Node Set (MNS) account",uac_details) \
| eval uac_details=if(uac_smartcard_req=1,uac_details.":Smart Card Required",uac_details) \
| eval uac_details=if(uac_trust_for_delegation=1,uac_details.":Trusted for Delegation",uac_details) \
| eval uac_details=if(uac_sensitive=1,uac_details.":Sensitive - Not Delegated",uac_details) \
| eval uac_details=if(uac_pwd_kerb_des=1,uac_details.":Kerberos authentication DES only",uac_details) \
| eval uac_details=if(uac_pwd_kerb_pre_auth=1,uac_details.":Kerberos Does Not Require Pre-Auth",uac_details) \
| eval uac_details=if(uac_pwd_expired=1,uac_details.":Password has Expired",uac_details) \
| eval uac_details=if(uac_trust_auth_for_delegation=1,uac_details.":Can request a Kerberos ticket on behalf of another user",uac_details) \
| eval uac_details=if(uac_kerb_no_pac=1,uac_details.":Request Kerberos Ticket without PAC data",uac_details) \
| eval uac_details=if(uac_dc_account=1,uac_details.":Read Only Domain Controller Account",uac_details) \
| table userAccountControl,uac_bin_map,uac_details]\
| outputlookup $target_lookup$
iseval = 0

##-	Extract UAC Binary Fields -##
[ms_obj_uac_bin_fields]
definition = rex field=uac_bin_map "00000(?<uac_dc_account>\d{1})(?<uac_kerb_no_pac>\d{1})(?<uac_trust_auth_for_delegation>\d{1})(?<uac_pwd_expired>\d{1})(?<uac_pwd_kerb_pre_auth>\d{1})(?<uac_pwd_kerb_des>\d{1})(?<uac_sensitive>\d{1})(?<uac_trust_for_delegation>\d{1})(?<uac_smartcard_req>\d{1})(?<uac_mns_account>\d{1})(?<uac_pwd_not_expire>\d{1})(?<na_uac_5>\d{1})(?<na_uac_4>\d{1})(?<uac_srvr_trust_account>\d{1})(?<uac_wkstn_trust_account>\d{1})(?<uac_trust_account>\d{1})(?<na_uac_3>\d{1})(?<uac_normal_account>\d{1})(?<uac_temp_dup_account>\d{1})(?<uac_pwd_store_rev>\d{1})(?<uac_pwd_cant_change>\d{1})(?<uac_pwd_not_req>\d{1})(?<uac_lockout>\d{1})(?<uac_home_dir_req>\d{1})(?<na_uac_1>\d{1})(?<uac_account_state>\d{1})(?<uac_script_account>\d{1})"
iseval = 0

[ms_obj_uac_details]
definition = join type=left userAccountControl [| inputlookup AD_Obj_UAC | fields userAccountControl | dedup userAccountControl | eval octet = userAccountControl | eval rank = split("1", ",") | eval octet_rank = mvzip(rank, octet) | fields - octet, rank | mvexpand octet_rank | eval octet_rank_split = split(octet_rank, ",") | eval rank = mvindex(octet_rank_split, 0) | eval octet = mvindex(octet_rank_split, 1) | fields - octet_rank, octet_rank_split | eval power = mvrange(0,32) | mvexpand power | eval base2 = pow(2, power) | eval mydiv = floor(octet / base2) | eval octet_bin = mydiv % 2 | fields - mydiv, base2 | sort limit=0 IP, rank, octet, - power | stats list(octet_bin) as octet_bin by userAccountControl | eval uac_bin_map = mvjoin(octet_bin, "") | rex field=uac_bin_map "00000(?<uac_dc_account>\d{1})(?<uac_kerb_no_pac>\d{1})(?<uac_trust_auth_for_delegation>\d{1})(?<uac_pwd_expired>\d{1})(?<uac_pwd_kerb_pre_auth>\d{1})(?<uac_pwd_kerb_des>\d{1})(?<uac_sensitive>\d{1})(?<uac_trust_for_delegation>\d{1})(?<uac_smartcard_req>\d{1})(?<uac_mns_account>\d{1})(?<uac_pwd_not_expire>\d{1})(?<na_uac_5>\d{1})(?<na_uac_4>\d{1})(?<uac_srvr_trust_account>\d{1})(?<uac_wkstn_trust_account>\d{1})(?<uac_trust_account>\d{1})(?<na_uac_3>\d{1})(?<uac_normal_account>\d{1})(?<uac_temp_dup_account>\d{1})(?<uac_pwd_store_rev>\d{1})(?<uac_pwd_cant_change>\d{1})(?<uac_pwd_not_req>\d{1})(?<uac_lockout>\d{1})(?<uac_home_dir_req>\d{1})(?<na_uac_1>\d{1})(?<uac_account_state>\d{1})(?<uac_script_account>\d{1})" | eval uac_details="" | eval uac_details=if(uac_account_state=1,uac_details."Disabled",uac_details."Enabled") | eval uac_details=if(uac_script_account=1,uac_details.":Logon script is executed",uac_details) | eval uac_details=if(uac_temp_dup_account=1,uac_details.":Temp Duplicate Account",uac_details) | eval uac_details=if(uac_home_dir_req=1,uac_details.":Home Directory Required",uac_details) | eval uac_details=if(uac_pwd_not_req=1,uac_details.":Password Not Required",uac_details) | eval uac_details=if(uac_pwd_cant_change=1,uac_details.":Cant Change Password",uac_details) | eval uac_details=if(uac_pwd_store_rev=1,uac_details.":Store Password using reversible encryption",uac_details) | eval uac_details=if(uac_normal_account=1,uac_details.":Normal User Account",uac_details) | eval uac_details=if(uac_trust_account=1,uac_details.":InterDomain Trust Account",uac_details) | eval uac_details=if(uac_wkstn_trust_account=1,uac_details.":Workstation Trust Account",uac_details) | eval uac_details=if(uac_srvr_trust_account=1,uac_details.":Server Trust Account",uac_details) | eval uac_details=if(uac_pwd_not_expire=1,uac_details.":Password Does Not Expire",uac_details) | eval uac_details=if(uac_mns_account=1,uac_details.":Majority Node Set (MNS) account",uac_details) | eval uac_details=if(uac_smartcard_req=1,uac_details.":Smart Card Required",uac_details) | eval uac_details=if(uac_trust_for_delegation=1,uac_details.":Trusted for Delegation",uac_details) | eval uac_details=if(uac_sensitive=1,uac_details.":Sensitive - Not Delegated",uac_details) | eval uac_details=if(uac_pwd_kerb_des=1,uac_details.":Kerberos authentication DES only",uac_details) | eval uac_details=if(uac_pwd_kerb_pre_auth=1,uac_details.":Kerberos Does Not Require Pre-Auth",uac_details) | eval uac_details=if(uac_pwd_expired=1,uac_details.":Password has Expired",uac_details) | eval uac_details=if(uac_trust_auth_for_delegation=1,uac_details.":Can request a Kerberos ticket on behalf of another user",uac_details) | eval uac_details=if(uac_kerb_no_pac=1,uac_details.":Request Kerberos Ticket without PAC data",uac_details) | eval uac_details=if(uac_dc_account=1,uac_details.":Read Only Domain Controller Account",uac_details) | table userAccountControl,uac_bin_map,uac_*]
iseval = 0

[ms_obj_uac_get_details_join]
definition = join userAccountControl [| inputlookup AD_Obj_UAC\
| fields userAccountControl,uac_bin_map,uac_details\
| stats count by userAccountControl,uac_bin_map,uac_details\
| table userAccountControl,uac_bin_map,uac_details]
iseval = 0

[ms_obj_uac_get_details_lkup]
definition = lookup AD_Obj_UAC userAccountControl OUTPUT uac_bin_map,uac_details
iseval = 0
###-------------------------------------------------------------------------------###
#--- 		Macro's Used for Basic Searching - Used Often    				     ---#
#--- 			Also used for Multi-Domain Split KVs   		 				     ---#
###-------------------------------------------------------------------------------###
##Basic AD Domain Selector
[ms_obj_domain-selector]
definition = inputlookup AD_Obj_Domain\
|table host,domain,DomainNetBIOSName,DomainDNSName,ForestName,Site,dc_val,kv_suffix,user_lookup,group_lookup,computer_lookup
iseval = 0

##Grouped AD Domain Selector
[ms_obj_domain_list]
definition = inputlookup AD_Obj_Domain\
| fields + domain, kv_suffix, user_lookup, group_lookup, computer_lookup, multi_lkps_enabled, dc_val, DomainDNSName \
| eval multi_lkps_enabled=if(isnull(multi_lkps_enabled),"f",multi_lkps_enabled), kv_suffix=if(isnull(kv_suffix),domain,kv_suffix), user_lookup=if(isnull(user_lookup),"AD_Obj_User",user_lookup), group_lookup=if(isnull(group_lookup),"AD_Obj_Group",group_lookup), computer_lookup=if(isnull(computer_lookup),"AD_Obj_Computer",computer_lookup), dc_val=if(isnull(dc_val),DomainDNSName,dc_val)  \
| stats count by domain,kv_suffix,user_lookup,group_lookup,computer_lookup,dc_val
iseval = 0
##Windows EventLog Specific Searches
[ms_obj_quick_wineventlog_list]
definition = `ms_obj_win_events_all`\
| fields _raw,host,_time\
| rex "(?msi)(?:(LogName(\=\s+|\=)|\<Channel\>))(?<LogName>[^(\r|\n|\<]+)"\
| rex "(?msi)(?:(EventCode(\=\s+|\=)|\<EventID(\>|\s+Qualifiers\=\'\d+\'\>)))(?<EventCode>[^\r|\n|\<]+)"\
| eval EventCode=if(isnull(EventCode),_raw,EventCode),LogName=if(isnull(LogName),_raw,LogName)\
| stats max(_time) AS last_time,dc(host) AS host_count,count by LogName,EventCode
iseval = 0

## Quick Computer Logins
[ms_ad_obj_qck_succ_comp_logins(1)]
args = domain
definition = (`ms_obj_win_events_security`) ("4624" "$" "$domain$")\
| fields _time,_raw\
| rex "(?msi)(?:EventID.*?\>(?<EventCode>[^\<]+))\<"\
| rex "(?msi)(?:EventCode\=)(?<EventCode>\d+)"\
| rex field=_raw "(?msi)(?:Account\s+Name\:.*?(Account\s+Name\:)|(?:Account\s+Name\:))\s+(?<comp_obj_sam>\S+\$)" \
| rex field=_raw "(?msi)(?:TargetUserName\'\>(?!\-)(?<comp_obj_sam>\S+\$))" \
| where EventCode="4624"\
| stats max(_time) as lastLogonTime by comp_obj_sam
iseval = 0

###-----------------------------------------###
#--- Windows Authentication Search Macros  ---#
#--- Also used for Multi-Domain Split KVs  ---#
###-----------------------------------------###
## Base Model - Authentication - Search with fields (_time,user,action,src,dest)
[ms_obj_srch_auth_model_basic(1)]
args = tok_ena_sum
definition = tstats summariesonly=$tok_ena_sum$ allow_old_summaries=true count from datamodel=Authentication.Authentication where Authentication.action=* Authentication.user=* (Authentication.src=* OR Authentication.dest=*) by _time,Authentication.src,Authentication.dest,Authentication.user,Authentication.action,Authentication.signature,Authentication.signature_id,Authentication.app,host\
| rename "Authentication.*" as "*"

## - Search - WinEventLog - Authentication - Failed and Successful
##		- Example - System Accounts - `ms_obj_failed_success_logons("user")`
##		- Example - System Accounts - `ms_obj_failed_success_logons("system")`
##		- Example - System Accounts - `ms_obj_failed_success_logons("computer")`
[ms_obj_failed_success_logons(1)]
args = tok_src_obj_type
definition = `ms_obj_win_events_security` EventCode=4624 OR (EventCode=4625 OR ((EventCode=4768 OR EventCode=4771 OR EventCode=4776) status="failure")) user_type="$tok_src_obj_type$"
iseval = 0

## - Search - WinEventLog - Authentication - Successful
[ms_obj_success_logons(1)]
args = tok_src_obj_type
definition = `ms_obj_win_events_security` EventCode=4624 user_type="$tok_src_obj_type$"
iseval = 0

## - Search - WinEventLog - Authentication - Failed
[ms_obj_failed_logons(1)]
args = tok_src_obj_type
definition = `ms_obj_win_events_security` (EventCode=4625 OR ((EventCode=4768 OR EventCode=4771 OR EventCode=4776) status="failure")) user_type="$tok_src_obj_type$"
iseval = 0

## - Search - WinEventLog - All Object Authentication - Failed
[ms_obj_failed_logons_all]
definition = `ms_obj_win_events_security` (EventCode=4625 OR ((EventCode=4768 OR EventCode=4771 OR EventCode=4776) status="failure"))
iseval = 0

## - Search - WinEventLog - User Authentication - Successful
[ms_obj_success_logons_user]
definition = `ms_obj_win_events_security` EventCode=4624 user_type="user"
iseval = 0

## - Search - WinEventLog - User Authentication - Failed
[ms_obj_failed_logons_user]
definition = `ms_obj_win_events_security` (EventCode=4625 OR ((EventCode=4768 OR EventCode=4771 OR EventCode=4776) status="failure")) user_type="user"
iseval = 0

## - Search - Wineventlog - User Authentications - Failed and Successful
[ms_obj_failed_success_logons_user]
definition = `ms_obj_win_events_security` EventCode=4624 OR (EventCode=4625 OR ((EventCode=4768 OR EventCode=4771 OR EventCode=4776) status="failure")) user_type="user"
iseval = 0

## - Search - WinEventLog - Computer Authentication - Successful
[ms_obj_success_logons_computer]
definition = `ms_obj_win_events_security` EventCode=4624 user_type="computer"
iseval = 0

## - Search - WinEventLog - Computer Authentication - Failed
[ms_obj_failed_logons_computer]
definition = `ms_obj_win_events_security` (EventCode=4625 OR ((EventCode=4768 OR EventCode=4771 OR EventCode=4776) status="failure")) user_type="computer"
iseval = 0

## - Search - Wineventlog - Computer Authentications - Failed and Successful
[ms_obj_failed_success_logons_computer]
definition = `ms_obj_win_events_security` EventCode=4624 OR (EventCode=4625 OR ((EventCode=4768 OR EventCode=4771 OR EventCode=4776) status="failure")) user_type="computer"
iseval = 0

## - Search - WinEventLog - System Authentication - Failed
[ms_obj_failed_logons_system]
definition = `ms_obj_win_events_security` (EventCode=4625 OR ((EventCode=4768 OR EventCode=4771 OR EventCode=4776) status="failure")) user_type="system"
iseval = 0

###-------------------------------------------------------------------------------###
#--- 		Macro's Used for Retrieving values from lookups    				     ---#
#--- 			NOT used for Multi-Domain Split KVs   		 				     ---#
###-------------------------------------------------------------------------------###
[ms_obj_get_full_group_membership(1)]
args = tok_member_dn
definition = join type=left dn [| inputlookup AD_Obj_Group where member="$tok_member_dn$"\
| fields + cn, displayName, dn, member\
| rename dn as memberOf, cn as Group_cn, displayName as Group_Name\
| rename member as dn\
| stats values(memberOf) AS memberOf,values(Group_cn) AS Group_cn,values(Group_Name) AS Group_Name by dn\
| table dn, Group_cn, Group_Name, memberOf]\
| lookup AD_Obj_Group primaryGroupToken AS primaryGroupID OUTPUT dn AS primaryGroupdn,cn AS primaryGroupcn,displayName AS primaryGroupName\
| eval memberOf=mvappend(memberOf,primaryGroupdn), Group_Name=mvappend(Group_Name,primaryGroupName),Group_cn=mvappend(Group_cn,primaryGroupcn)
iseval = 0

[ms_obj_get_full_group_membership_prev(1)]
args = tok_member_dn
definition = join type=left dn [| inputlookup AD_Obj_Group where member="$tok_member_dn$"\
| fields + cn, displayName, dn, member\
| rename dn as memberOf, cn as Group_cn, displayName as Group_Name\
| rename member as dn\
| stats values(memberOf) AS memberOf,values(Group_cn) AS Group_cn,values(Group_Name) AS Group_Name by dn\
| table dn, Group_cn, Group_Name, memberOf]\
| lookup AD_Obj_Group primaryGroupToken AS primaryGroupID OUTPUT dn AS primaryGroupdn,cn AS primaryGroupcn,displayName AS primaryGroupName\
| eval memberOf=mvappend(memberOf,primaryGroupdn), Group_Name=mvappend(Group_Name,primaryGroupName),Group_cn=mvappend(Group_cn,primaryGroupcn)
iseval = 0

## Full Group Membership - With passed Object Lookup Name, Attribute Value, Member Domain, and Member Attribute Value
## Example - | inputlookup AD_Object_User | `ms_obj_get_full_group_membership_attr(User,"sedemo",sAMAccountName,"Administrator")`
[ms_obj_get_full_group_membership_attr(4)]
args = tok_obj_lkp,tok_member_domain,tok_member_attr,tok_member_val
definition = join type=left dn [| inputlookup AD_Obj_Group where [| inputlookup AD_Obj_$tok_obj_lkp$ WHERE domain="$tok_member_domain$" AND $tok_member_attr$="$tok_member_val$" | fields dn | rename dn AS member | table member|format]\
| fields dn, displayName,cn,member\
| eval displayName=if(isnull(displayName),cn,displayName)\
| rename dn as memberOf\
| rename member as dn\
| stats values(memberOf) AS memberOf by dn\
| search [| inputlookup AD_Obj_$tok_obj_lkp$ WHERE domain="$tok_member_domain$" AND $tok_member_attr$="$tok_member_val$" | fields dn | table dn|format]\
| table dn, memberOf]\
| lookup AD_Obj_Group primaryGroupToken AS primaryGroupID OUTPUT dn AS primaryGroupdn\
| eval memberOf=mvappend(memberOf,primaryGroupdn)
iseval = 0

## Full Group Membership - With passed Object Lookup Name, Attribute Value, Member Domain, and Member Attribute Value
## Example - | inputlookup AD_Object_User | `ms_obj_get_full_group_membership_attr(User,"sedemo",sAMAccountName,"Administrator")`
[ms_obj_get_full_group_membership_attr_tmp(4)]
args = tok_obj_lkp,tok_member_domain,tok_member_attr,tok_member_val
definition = join dn type=left[| inputlookup AD_Obj_Group WHERE [| inputlookup AD_Obj_$tok_obj_lkp$ WHERE domain="$tok_member_domain$" AND $tok_member_attr$="$tok_member_val$" | fields dn | stats values(dn) AS member |format]\
| fields dn, member,displayName,cn\
| eval displayName=if(isnull(displayName),cn,displayName)\
| mvexpand member\
| search [| inputlookup AD_Obj_$tok_obj_lkp$ WHERE domain="$tok_member_domain$" AND $tok_member_attr$="$tok_member_val$" | fields dn | stats values(dn) AS member |format]\
| rename dn as memberOf\
| rename member as dn\
| eval memberOf=displayName."|".memberOf\
| stats values(memberOf) AS memberOf by dn\
| eval memberOf=mvjoin(memberOf,"####")]\
| lookup AD_Obj_Group primaryGroupToken AS primaryGroupID OUTPUT dn AS primarygroupDN,displayName AS primarygroupName\
| eval memberOf=if(isnull(memberOf),primarygroupName."|".primarygroupDN,primarygroupName."|".primarygroupDN."####".memberOf)
iseval = 0

##Macro to receive Group Membership for designated object
[ms_obj_get_group_membership(1)]
args = tok_member_dn
definition = inputlookup AD_Obj_Group WHERE member="$tok_member_dn$"\
| fields cn,displayName,dn,member\
| rename dn AS memberOf,cn AS Group_cn,displayName AS Group_Name\
| rename member AS dn\
| table dn,Group_cn,Group_Name,memberOf

##Get: INLINE - Specific Lookup Member by AD Group - Macro to receive inline the Group Membership for an object's specified field
## Example - | `ms_obj_get_l_group_membership("dn")`
##		= | lookup AD_Obj_Group member AS dn OUTPUT cn AS Group_cn,dn AS Group_dn
[ms_obj_get_l_group_membership(1)]
args = tok_field_data
definition = lookup AD_Obj_Group member AS $tok_field_data$ OUTPUT cn AS Group_cn,dn AS Group_dn

##Filter: Specific Lookup Member by AD Group - Macro to filter a lookup (ie. AD_Obj_User, AD_Obj_Group, AD_Obj_Computer) for a specific AD Group
##Note: Add the | before the macro, can't embed in the macro and Can't Be NULL.
## Example - | `ms_obj_filter_lkup_group_members("AD_Obj_User","TestDomain","CN=Administrators,CN=Builtin,DC=testdomain,DC=local")`
[ms_obj_filter_lkup_group_members(3)]
args = tok_tgt_lkup,tok_tgt_domain,tok_tgt_group_dn
definition = inputlookup $tok_tgt_lkup$ WHERE domain="$tok_tgt_domain$" AND [|inputlookup AD_Obj_Group WHERE dn="$tok_tgt_group_dn$" | fields member | rename member AS dn | table dn]

##Filter: Specific Lookup Object by OU Path - Macro to filter a lookup (ie. AD_Obj_User, AD_Obj_Group, AD_Obj_Computer, AD_Obj_OU, AD_Obj_GPO) for a specific AD OU Path
##Note: Add the | before the macro, can't embed in the macro.
## Example - | `ms_obj_filter_lkup_dn_path("AD_Obj_Computer","TestDomain","OU=vers_test_bed,OU=splunktel-users,DC=testdomain,DC=local")`
[ms_obj_filter_lkup_dn_path(3)]
args = tok_tgt_lkup,tok_tgt_domain,tok_tgt_dn_path
definition = inputlookup $tok_tgt_lkup$ WHERE domain="$tok_tgt_domain$"\
| where match(dn_path,"$tok_tgt_dn_path$")

##FUll OU-User Filter - Model: Specific Lookup Object by OU Path - Macro to filter a lookup (ie. AD_Obj_User, AD_Obj_Group, AD_Obj_Computer, AD_Obj_OU, AD_Obj_GPO) for a specific AD OU Path
##Note: Add the | before the macro, can't embed in the macro.
## Example - STANDARD INDEXED - sourcetype=WinEventLog `ms_obj_filter_user_by_dn_path("","*","OU=vers_test_bed,OU=splunktel-users,DC=testdomain,DC=local","search","|format")`
## EXAMPLE - DATA MODEL:
## | tstats summariesonly=true allow_old_summaries=true count from datamodel=Authentication.Authentication where Authentication.action=* Authentication.user=* (Authentication.src=* OR Authentication.dest=*) by _time,Authentication.src,Authentication.dest,Authentication.user,Authentication.action
## | rename "Authentication.*" as "*"
## | `ms_obj_filter_user_by_dn_path("join user","*","OU=vers_test_bed,OU=splunktel-users,DC=testdomain,DC=local","user","|table user")`
[ms_obj_filter_dn_path_fields(6)]
args = tok_lookup,tok_tgt_domain,tok_filt_ou,tok_link_field,tok_src_field,tok_part_post
definition = [| inputlookup AD_Obj_User WHERE domain="$tok_tgt_domain$"\
| fields sAMAccountName,domain,cn,userPrincipalName,dn_path\
| WHERE match(dn_path, "$tok_filt_ou$")\
| eval $tok_link_field$=$tok_src_field$\
$tok_part_post$]
iseval = 0

##Filter: Subsearch - Member by AD Group - Macro to filter a lookup (ie. AD_Obj_User, AD_Obj_Group, AD_Obj_Computer) for a specific AD Group
[ms_obj_filter_sub_group_members(2)]
args = tok_tgt_domain,tok_tgt_group_dn
definition = [| inputlookup AD_Obj_Group WHERE domain="$tok_tgt_domain$" AND dn="$tok_tgt_group_dn$" | fields member | rename member AS dn | table dn]

##Filter: Where Filter - Object by OU Path - Macro to filter a lookup (ie. AD_Obj_User, AD_Obj_Group, AD_Obj_Computer, AD_Obj_OU, AD_Obj_GPO) for a specific AD OU Path
##Note: Add the | before the macro, can't embed in the macro.
## Example - | inputlookup AD_Obj_user | `ms_obj_filter_part_dn_path("OU=vers_test_bed,OU=splunktel-users,DC=testdomain,DC=local")`
## Example - | inputlookup AD_Obj_user | `ms_obj_filter_part_dn_path("Sales")`
[ms_obj_filter_part_dn_path(1)]
args = tok_tgt_dn_path
definition = where match(dn_path,"$tok_tgt_dn_path$")

##	- Filter - Admin Audit
##		- By Group Membership
[ms_obj_filter_admin_field_group(4)]
args = tok_domain,tok_user_field,tok_admin_group,tok_format_option
definition = [| inputlookup AD_Obj_Admin_Audit WHERE admin_domain="$tok_domain$" \
| fields admin_user, admin_cn,admin_dn,admin_userPrincipalName\
| lookup AD_Obj_Group member AS admin_dn OUTPUT dn AS memberOf\
| WHERE match(memberOf,"$tok_admin_group$")\
| eval $tok_user_field$=admin_user\
| eval $tok_user_field$=mvappend($tok_user_field$,admin_userPrincipalName,admin_cn,admin_dn)\
| stats count by $tok_user_field$\
| fields $tok_user_field$\
| $tok_format_option$]
iseval = 0

##		- By Admin User
## - Updated for Multi-Domain Support
[ms_obj_filter_admin_field_user(4)]
args = tok_domain,tok_user_field,tok_admin_user,tok_format_option
definition = [| inputlookup AD_Obj_Admin_Audit WHERE admin_domain="$tok_domain$" AND admin_user="$tok_admin_user$"\
| fields admin_user, admin_cn,admin_dn,admin_userPrincipalName\
| eval $tok_user_field$=admin_user,admin_cn=if(admin_cn=="",NULL,admin_cn),admin_dn=if(admin_dn=="",NULL,admin_dn),admin_userPrincipalName=if(admin_userPrincipalName=="",NULL,admin_userPrincipalName)\
| eval $tok_user_field$=mvappend($tok_user_field$,admin_userPrincipalName,admin_cn,admin_dn)\
| stats count by $tok_user_field$\
| fields $tok_user_field$\
| $tok_format_option$]
iseval = 0

###-------------------------------------------------------------------------------###
#--- 		Future Use - Macros for retrieving Wizard Steps						 ---#
###-------------------------------------------------------------------------------###
# Configuration Wizard ##
[ms_obj_wiz_base_srch(1)]
args = tok_tut_id
definition = inputlookup ms_ad_obj_cfg_wiz_nav where tut_id="$tok_tut_id$"
iseval = 0

[ms_obj_wiz_part_details]
definition = eval cmb=((("part_" . part_id) . ":") . label_part) \
| stats values(cmb) AS cmb, values(uc_id) AS uc_id,values(pre_build_emb_vid) AS pre_build_emb_vid,values(pre_build_emb_view) AS pre_build_emb_view,values(pre_build_emb_srch) AS pre_build_emb_srch,values(pre_build_emb_dash) AS pre_build_emb_dash,,values(pre_build_emb_rpt) AS pre_build_emb_rpt,values(pre_build_show) AS pre_build_show\
| eval _raw=mvjoin(cmb,",")\
| extract pairdelim=",", kvdelim=":"\
| fillnull value="undefined" part_0,part_1,part_2,part_3,part_4,part_5,part_6,part_7,pre_build_emb_vid,pre_build_emb_view,pre_build_emb_srch,pre_build_emb_dash,pre_build_emb_rpt,pre_build_show\
| table uc_id,part_0,part_1,part_2,part_3,part_4,part_5,part_6,part_7,pre_build_emb_vid,pre_build_emb_view,pre_build_emb_srch,pre_build_emb_dash,pre_build_emb_rpt,pre_build_show
iseval = 0

[ms_obj_wiz_step_details(2)]
args = tok_part_current,tok_step_current
definition = search part_id=$tok_part_current$ step_id=$tok_step_current$\
| eval next_step=if(step_id=total_steps,0,step_id+1)\
| eval previous_step=if(step_id=0,0,step_id-1)\
| eval show_prev_button=if(showPreviousButton="T","enabled","disabled")\
| eval show_next_button=if(showNextButton="T","display: inline-block;","display:none;")\
| eval show_next_step_part_button=if(showNextPartButton="T","display: inline-block;","display:none;")\
| eval label_next_step_part_button=if(showNextPartButton="T" AND part_id=(total_parts-1),"Finish","Next Part")\
| fillnull value=0 next_step,previous_step,total_steps\
| fillnull value="undefined" next_step,previous_step,show_sub_panels,show_panel_left,show_panel_single,show_right_page,show_right_object,show_sub_steps,panel_left,panel_right,panel_single,emb_object_src,emb_object_type,emb_object_title,combo_right_object,show_next_step_part_button,show_next_button,show_prev_button,step_0_state,step_1_state,step_2_state,step_3_state,step_4_state,step_5_state,step_6_state,step_7_state,step_8_state,data_panels_only\
| table next_step,previous_step,show_sub_panels,show_panel_left,show_panel_single,show_right_page,show_right_object,show_sub_steps,panel_left,panel_right,panel_single,emb_object_src,emb_object_type,emb_object_title,combo_right_object,show_next_step_part_button,show_next_button,show_prev_button,step_0_state,step_1_state,step_2_state,step_3_state,step_4_state,step_5_state,step_6_state,step_7_state,step_8_state,data_panels_only
iseval = 0

###-----------------------------------------------------###
#--- Macro's Used for Security Reports for each Object ---#
###-----------------------------------------------------###
## Computer Search Macros that point to AD_Obj_Computer Lookup:
[ms_obj_secrpt-new-computers_raw(1)]
args = domain
definition = `ms_obj_changes_base_cat_act("Computer","created")` dest_nt_domain="$domain$"\
| table _time,src_user,src_nt_domain,dest_nt_domain,user\
| eval adminuser=src_nt_domain."\\".src_user\
| eval sAMAccountName=$user$ \
| join sAMAccountName [|inputlookup AD_Obj_Computer WHERE sAMAccountName=$user$ | table dNSHostName,operatingSystem,operatingSystemServicePack]\
| table _time,cn,dNSHostName,operatingSystem,operatingSystemServicePack,adminuser\
| rename cn as "Added Computer",operatingSystem as "Operating System",operatingSystemServicePack as "ServicePack",adminuser as "Added By"
iseval = 0

[ms_obj_secrpt-all-computers(1)]
args = domain
definition = inputlookup AD_Obj_Computer WHERE domain="$domain$"\
| `ms_obj_uac_get_details_lkup`\
| sort cn\
| table cn,dNSHostName,uac_details,operatingSystem,operatingSystemServicePack,whenChanged,whenCreated
iseval = 0

[ms_obj_secrpt-all-domain-controllers(1)]
args = domain
definition = inputlookup AD_Obj_Computer WHERE domain="$domain$" AND primaryGroupID=516\
| `ms_obj_uac_get_details_lkup`\
| sort cn\
| table cn,dNSHostName,uac_details,operatingSystem,operatingSystemServicePack,whenChanged,whenCreated
iseval = 0

[ms_obj_secrpt-disabled-computers(1)]
args = domain
definition = inputlookup AD_Obj_Computer WHERE domain="$domain$"\
| `ms_obj_uac_get_details_lkup`\
| eval uac_filter=mvfilter(match(uac_details, "Disabled"))\
| search uac_filter=*\
| sort sAMAccountName\
| makemv delim=":" uac_details\
| table cn,dNSHostName,uac_details,userAccountControl,whenChanged
iseval = 0

[ms_obj_secrpt-inactive-computers(1)]
args = domain
definition = inputlookup AD_Obj_Computer WHERE domain="$domain$"\
|  table sAMAccountName,cn,dNSHostName,operatingSystem,operatingSystemServicePack,userAccountControl \
|join type=outer sAMAccountName [search `ms_obj_success_logons("computer")` dest_nt_domain="$domain$"|stats max(_time) as lastLogonTime by user|rename user as sAMAccountName]\
| where isnull(lastLogonTime)\
| `ms_obj_uac_get_details_lkup`\
| table cn,dNSHostName,uac_details,operatingSystem,operatingSystemServicePack,userAccountControl\
| rename cn as Computer,operatingSystem as "Operating System",operatingSystemServicePack as "Service Pack"
iseval = 0

[ms_obj_secrpt-trusted-computers(1)]
args = domain
definition = inputlookup AD_Obj_Computer WHERE domain="$domain$" \
| `ms_obj_uac_get_details_lkup`\
| eval uac_filter=mvfilter(match(uac_details, "Server Trust Account|Workstation Trust Account")) \
| search uac_filter=* \
| makemv delim=":" uac_details\
| table cn,dNSHostName,uac_details,userAccountControl,operatingSystem,operatingSystemServicePack
iseval = 0

[ms_obj_secrpt-unmanaged-computers(1)]
args = domain
definition = inputlookup AD_Obj_Computer WHERE domain="$domain$" AND NOT managedBy="*" OR managedBy=""\
| sort sAMAccountName\
| `ms_obj_uac_get_details_lkup`\
| makemv delim=":" uac_details\
| table cn,dNSHostName,uac_details, userAccountControl,operatingSystem,operatingSystemServicePack
iseval = 0

[ms_obj_secrpt-managed-computers(1)]
args = domain
definition = inputlookup AD_Obj_Computer WHERE domain="$domain$" AND managedBy="*" AND NOT managedBy=""\
| sort sAMAccountName\
| `ms_obj_uac_get_details_lkup`\
| makemv delim=":" uac_details\
| table cn,dNSHostName,managedBy,uac_details, operatingSystem,operatingSystemServicePack
iseval = 0

[ms_obj_secrpt-unused-computers(1)]
args = domain
definition = inputlookup AD_Obj_Computer WHERE domain="$domain$" AND logonCount=0\
| `ms_obj_uac_get_details_lkup`\
| makemv delim=":" uac_details\
| table cn,dNSHostName,uac_details, userAccountControl,operatingSystem,operatingSystemServicePack
iseval = 0

[ms_obj_secrpt-active-computers(1)]
args = domain
definition = `ms_obj_success_logons("computer")` dest_nt_domain="$domain$"\
| fields _time, dest_nt_domain, user\
| stats max(_time) as lastLogonTime by dest_nt_domain,user\
| rex field=user "^(?<cn>[^\$]+)"\
| join cn\
[| inputlookup AD_Obj_Computer\
| `ms_obj_uac_get_details_lkup`\
| makemv delim=":" uac_details\
| table cn,dNSHostName,uac_details,operatingSystem,operatingSystemServicePack]\
| eval lastLogonTime=strftime(lastLogonTime,"%c")\
| table cn,dNSHostName,uac_details,operatingSystem,operatingSystemServicePack,lastLogonTime\
| rename cn as Computer,operatingSystem as "Operating System",operatingSystemServicePack as "Service Pack",lastLogonTime as "Last Logon Time"
iseval = 0

[ms_obj_secrpt-deleted-computers_raw(1)]
args = domain
definition = `ms_obj_changes_base_cat_act("Computer","deleted")` dest_nt_domain="$domain$"\
|eval adminuser=src_nt_domain."\\".src_user\
|table _time,user,adminuser\
|rename user as "Deleted Computer",adminuser as "Deleted By"
iseval = 0

[ms_obj_secrpt-new-computers(3)]
args = domain,starttime,endtime
definition = inputlookup AD_Obj_Computer WHERE domain="$domain$"\
| eval begintime=strptime("$starttime$", "%m/%d/%y %I:%M %P")\
| eval finishtime=strptime("$endtime$", "%m/%d/%y %I:%M %P")\
| eval whenCreated_epoch=strptime(whenCreated, "%I:%M.%S %P, %a %m/%d/%Y")\
| where whenCreated_epoch>begintime AND whenCreated_epoch<finishtime\
| sort sAMAccountName\
| `ms_obj_uac_get_details_lkup`\
| makemv delim=":" uac_details\
| table cn,whenCreated,dNSHostName,uac_details, userAccountControl,operatingSystem,operatingSystemServicePack
iseval = 0

[ms_obj_secrpt-deleted-computers(3)]
args = domain,starttime,endtime
definition = inputlookup AD_Obj_Computer WHERE domain="$domain$" AND isDeleted="TRUE"\
| eval begintime=strptime("$starttime$", "%m/%d/%y %I:%M %P")\
| eval finishtime=strptime("$endtime$", "%m/%d/%y %I:%M %P")\
| eval whenDeleted=strftime(deletedDate, "%I:%M.%S %P, %a %m/%d/%Y")\
| where deletedDate>begintime AND deletedDate<finishtime\
| sort sAMAccountName\
| `ms_obj_uac_get_details_lkup`\
| makemv delim=":" uac_details\
| table orig_cn,cn,whenDeleted,dNSHostName,uac_details, userAccountControl,operatingSystem,operatingSystemServicePack
iseval = 0

[ms_obj_secrpt-changed-computers(3)]
args = domain,starttime,endtime
definition = inputlookup AD_Obj_Computer WHERE domain="$domain$" AND NOT isDeleted="TRUE"\
| eval begintime=strptime("$starttime$", "%m/%d/%y %I:%M %P")\
| eval finishtime=strptime("$endtime$", "%m/%d/%y %I:%M %P")\
| eval whenChanged_epoch=strptime(whenChanged, "%I:%M.%S %P, %a %m/%d/%Y")\
| where whenChanged_epoch>begintime AND whenChanged_epoch<finishtime\
| sort sAMAccountName\
| `ms_obj_uac_get_details_lkup`\
| makemv delim=":" uac_details\
| table cn,whenChanged,dNSHostName,uac_details, userAccountControl,operatingSystem,operatingSystemServicePack
iseval = 0

## Groups Search Macros that point to AD_Obj_Group Lookup:
[ms_obj_secrpt-all-groups(1)]
args = domain
definition = inputlookup AD_Obj_Group WHERE domain="$domain$"\
| fields cn,groupType_Name,whenChanged,whenCreated,member,membercount\
| sort cn\
| makemv delim="|" member \
| eval membercount=mvcount(member)\
| eval membercount=if(membercount=="",0,membercount)\
| eval whenChanged=strftime(strptime(whenChanged,"%I:%M.%S %P, %a %m/%d/%Y"),"%m/%d/%y %a %I:%M %P")\
| eval whenCreated=strftime(strptime(whenCreated,"%I:%M.%S %P, %a %m/%d/%Y"),"%m/%d/%y %a %I:%M %P")\
| table cn,groupType_Name,membercount,whenChanged,whenCreated\
| rename cn as "Group Name",groupType_Name as "Type",membercount as "# Members"
iseval = 0

[ms_obj_secrpt-empty-groups(1)]
args = domain
definition = inputlookup AD_Obj_Group WHERE membercount=0 AND domain="$domain$"\
| sort cn\
| table cn,groupType,groupType_Name,whenChanged,whenCreated\
| rename cn as "Group Name",groupType_Name as "Type"
iseval = 0

[ms_obj_secrpt-large-groups(2)]
args = domain,minsize
definition = inputlookup AD_Obj_Group WHERE domain="$domain$"\
| search membercount>$minsize$ \
| sort -membercount, cn\
| table cn,groupType_Name,membercount,whenChanged,whenCreated\
| rename cn as "Group Name",groupType_Name as "Type",membercount as "# Members"
iseval = 0

[ms_obj_secrpt-nested-groups(1)]
args = domain
definition = inputlookup AD_Obj_Group WHERE domain="$domain$"\
| lookup AD_Obj_Group member AS dn OUTPUT dn AS memberOf\
| table distinguishedName,cn,groupType_Name,memberOf,whenChanged,whenCreated\
| search memberOf!=""\
| rename cn as "Group Name",groupType_Name as "Type"
iseval = 0

[ms_obj_secrpt-unmanaged-groups(1)]
args = domain
definition = inputlookup AD_Obj_Group WHERE domain="$domain$" NOT managedBy="*" OR managedBy=""\
| sort cn\
| eval membercount=if(membercount=="",0,membercount)\
| table cn,groupType_Name,membercount,whenChanged,whenCreated\
| rename cn as "Group Name",groupType_Name as "Type",membercount as "# Members"
iseval = 0

[ms_obj_secrpt-managed-groups(1)]
args = domain
definition = inputlookup AD_Obj_Group WHERE domain="$domain$" AND managedBy="*" AND NOT managedBy=""\
| sort cn\
| eval membercount=if(membercount=="",0,membercount)\
| table cn,managedBy,groupType_Name,membercount,whenChanged,whenCreated\
| rename cn as "Group Name",groupType_Name as "Type",membercount as "# Members"
iseval = 0

[ms_obj_secrpt-new-groups_raw(1)]
args = domain
definition = `ms_obj_changes_base_cat_act("Group","created")` dest_nt_domain="$domain$"\
|lookup AD_Audit_Group_Type MSADGroupClassID OUTPUT MSADGroupClass\
| eval objectGUID=lower(objectGUID)\
| lookup AD_Obj_Group objectGUID OUTPUT cn AS user_group,MSADGroupType,MSADGroupClass\
|eval adminuser=src_nt_domain."\\".src_user\
|table _time,user_group,MSADGroupClass,MSADGroupType,adminuser\
|rename user_group as "Group Name",MSADGroupClass as "Class",MSADGroupType as "Type",adminuser as "Added By"
iseval = 0

[ms_obj_secrpt-new-groups(3)]
args = domain,starttime,endtime
definition = inputlookup AD_Obj_Group WHERE domain="$domain$"\
| eval begintime=strptime("$starttime$", "%m/%d/%y %I:%M %P")\
| eval finishtime=strptime("$endtime$", "%m/%d/%y %I:%M %P")\
| eval whenCreated_epoch=strptime(whenCreated, "%I:%M.%S %P, %a %m/%d/%Y")\
| where whenCreated_epoch>begintime AND whenCreated_epoch<finishtime\
| sort sAMAccountName\
| lookup AD_Obj_Group member AS dn OUTPUT dn AS memberOf\
| table sAMAccountName,whenCreated,distinguishedName,groupType_Name,memberOf,whenChanged\
| rename sAMAccountName as "Group_Name",groupType_Name as "Type"
iseval = 0

[ms_obj_secrpt-deleted-groups(3)]
args = domain,starttime,endtime
definition = inputlookup AD_Obj_Group WHERE domain="$domain$" AND isDeleted="TRUE"\
| eval begintime=strptime("$starttime$", "%m/%d/%y %I:%M %P")\
| eval finishtime=strptime("$endtime$", "%m/%d/%y %I:%M %P")\
| eval whenDeleted=strftime(deletedDate, "%I:%M.%S %P, %a %m/%d/%Y")\
| where deletedDate>begintime AND deletedDate<finishtime\
| sort sAMAccountName\
| lookup AD_Obj_Group member AS dn OUTPUT dn AS memberOf\
| table sAMAccountName,orig_cn,whenDeleted,distinguishedName,groupType_Name,memberOf,whenCreated,whenChanged\
| rename sAMAccountName as "Group_Name",groupType_Name as "Type"
iseval = 0

[ms_obj_secrpt-changed-groups(3)]
args = domain,starttime,endtime
definition = inputlookup AD_Obj_Group WHERE domain="$domain$" AND NOT isDeleted="TRUE"\
| eval begintime=strptime("$starttime$", "%m/%d/%y %I:%M %P")\
| eval finishtime=strptime("$endtime$", "%m/%d/%y %I:%M %P")\
| eval whenChanged_epoch=strptime(whenChanged, "%I:%M.%S %P, %a %m/%d/%Y")\
| where whenChanged_epoch>begintime AND whenChanged_epoch<finishtime\
| sort sAMAccountName\
| lookup AD_Obj_Group member AS dn OUTPUT dn AS memberOf\
| table sAMAccountName,whenChanged,distinguishedName,groupType_Name,memberOf,whenCreated\
| rename sAMAccountName as "Group_Name",groupType_Name as "Type"
iseval = 0

[ms_obj_group_action_events(3)]
args = domain,group,action
definition = `ms_obj_group_all_changes_base` ([| inputlookup AD_Obj_Group WHERE lookup_grp="$group$" | fields lookup_grp | stats values(lookup_grp) AS search | eval search="\"".mvjoin(search,"\" OR \"")."\""]) (src_nt_domain="$domain$" OR dest_nt_domain="$domain$") ($action$)\
| fields _time,_raw,member_obj_dn,member_obj_id,member_obj_domain,member_obj_class,src_user,src_nt_domain,dest_nt_domain,group_obj_id,group_obj_dn,group_obj_nm,user_group,Group_Name,group_id,msad_action,MSADGroupClassID,MSADGroupType,MSADGroupClass,signature,Correlation_ID,MSADChangedAttributes,AttributeLDAPDisplayName,AttributeValue,DN,dir_svcs_action,Old_DN,New_DN\
| eval adminuser=if(isnull(src_nt_domain),src_user,upper(src_nt_domain)."\\".src_user),member=if(isnull(member_obj_domain),replace(member_obj_id,"\x5C{1}",""),member_obj_domain."\\".replace(member_obj_id,"\x5C{1}",""))\
| eval member=if(isnull(member),if(isnull(member_obj_dn),"NA",member_obj_dn),member)\
| eval group_obj_lkp=if(isnull(group_obj_dn),if(isnull(New_DN),if(isnull(Old_DN),if(isnull(DN),if(isnull(user_group),if(isnull(Group_Name),if(isnull(group_obj_id),"NA",lower(replace(group_obj_id,"\x5C{1}",""))),lower(replace(Group_Name,"\x5C{1}",""))),lower(replace(user_group,"\x5C{1}",""))),lower(replace(DN,"\x5C{1}",""))),lower(replace(Old_DN,"\x5C{1}",""))),lower(replace(New_DN,"\x5C{1}",""))),lower(replace(group_obj_dn,"\x5C{1}","")))\
| lookup AD_Audit_Group_Type MSADGroupClassID OUTPUT MSADGroupClass\
| lookup AD_Obj_Group lookup_grp AS group_obj_lkp OUTPUT cn AS group_obj_cn, orig_cn AS group_obj_o_cn,MSADGroupClass AS MSADGroupClass_u, MSADGroupType AS MSADGroupType_u\
| eval MSADGroupClass=if(isnull(MSADGroupClass),MSADGroupClass_u,MSADGroupClass),MSADGroupType=if(isnull(MSADGroupType),MSADGroupType_u,MSADGroupType)\
| eval group_obj_nm=if(isnull(group_obj_o_cn) OR group_obj_o_cn="",if(isnull(group_obj_cn) OR group_obj_cn="",if(isnull(group_obj_lkp),"NA",group_obj_lkp),lower(group_obj_cn)),lower(group_obj_o_cn))\
| search group_obj_nm="$group$" OR group_obj_lkp="$group$"\
| `ms_obj_msad-changed-attributes`\
| stats list(MSADChanges) AS MSADChanges,values(Correlation_ID) AS Correlation_IDs by _time,adminuser,msad_action,group_obj_nm,MSADGroupType,MSADGroupClass,member,signature\
| eval MSADChanges=mvjoin(MSADChanges, "########")\
| eval MSADChanges=case(isnull(signature) AND isnull(MSADChanges),"Unknown Changes",isnull(signature),MSADChanges,isnotnull(MSADChanges),"Signature: ".signature."########".MSADChanges)\
| makemv delim="########" MSADChanges\
| table _time,adminuser,msad_action,group_obj_nm,MSADGroupType,MSADGroupClass,member,MSADChanges
iseval = 0

## User Search Macros that point to AD_Obj_User Lookup:
## Filter search for critical objects
## Ex: `ms_obj_win_events_security` `ms_obj_critical_obj_filter(User,src_user)`
## Ex: `ms_obj_win_events_security` `ms_obj_critical_obj_filter(User,user)`
## Ex: `ms_obj_win_events_security` `ms_obj_critical_obj_filter(Computer,user)`
[ms_obj_critical_filter_field(2)]
args = obj_lookup,evt_field
definition = search $evt_field$ IN([| inputlookup AD_Audit_Default_Critical_Objects WHERE obj_type="group" | fields cn | lookup AD_Obj_Group cn OUTPUT member | lookup AD_Obj_$obj_lookup$ dn AS member OUTPUT sAMAccountName AS user, cn AS user_cn | eventstats values(user) AS users | eval users=if(users="" OR isnull(users),"NO_Obj_Found",users) | stats values(users) AS users\
| eval search="\"".mvjoin(users,"\",\"")."\"" | table search])
iseval = 0

[ms_obj_critical_filter_raw(1)]
args = obj_lookup
definition = [| inputlookup AD_Audit_Default_Critical_Objects WHERE obj_type="group"\
| fields cn\
| lookup AD_Obj_Group cn OUTPUT member\
| search member!=""\
| lookup AD_Obj_$obj_lookup$ dn AS member OUTPUT sAMAccountName AS user, cn AS user_cn\
| search user!=""\
| stats values(user) AS users\
| eval search="\"".mvjoin(users,"\" OR \"")."\""\
| table search]
iseval = 0

[ms_obj_critical_filter_raw(2)]
args = obj_lookup,evt_field
definition = [| inputlookup AD_Audit_Default_Critical_Objects WHERE obj_type="group"\
| fields cn\
| lookup AD_Obj_Group cn OUTPUT member\
| search member!=""\
| lookup AD_Obj_$obj_lookup$ dn AS member OUTPUT sAMAccountName AS user, cn AS user_cn\
| search user!=""\
| stats values(user) AS users\
| eval search="$evt_field$=\"".mvjoin(users,"\" OR $evt_field$=\"")."\""\
| table search]
iseval = 0

[ms_obj_secrpt-all-users(1)]
args = domain
definition = inputlookup AD_Obj_User append=true WHERE domain="$domain$"\
| `ms_obj_uac_get_details_lkup`\
| makemv delim=":" uac_details\
| table domain, sAMAccountName, userPrincipalName,userAccountControl, uac_details,domain, distinguishedName,whenChanged,whenCreated\
| sort sAMAccountName\
| rename sAMAccountName AS "user", uac_details AS userAccountControl_Details
iseval = 0

[ms_obj_secrpt-disabled-users(1)]
args = domain
definition = inputlookup AD_Obj_User append=true WHERE domain="$domain$" \
| `ms_obj_uac_get_details_lkup`\
| eval uac_filter=mvfilter(match(uac_details, "Disabled")) \
| search uac_filter=*\
| makemv delim=":" uac_details\
| table domain, sAMAccountName, userPrincipalName,userAccountControl, uac_details,domain, distinguishedName,whenChanged,whenCreated\
| sort sAMAccountName\
| rename sAMAccountName AS "user", uac_details AS userAccountControl_Details
iseval = 0

[ms_obj_secrpt-users-smartcard-required(1)]
args = domain
definition = inputlookup AD_Obj_User append=true WHERE domain="$domain$" \
| `ms_obj_uac_get_details_lkup`\
| eval uac_filter=mvfilter(match(uac_details, "Smart Card Required"))\
| search uac_filter=*\
| makemv delim=":" uac_details\
| table domain, sAMAccountName, userPrincipalName,userAccountControl, uac_details,domain, distinguishedName,whenChanged,whenCreated\
| sort sAMAccountName\
| rename sAMAccountName AS "user", uac_details AS userAccountControl_Details
iseval = 0

[ms_obj_secrpt-sensitive-users(1)]
args = domain
definition = inputlookup AD_Obj_User append=true WHERE domain="$domain$" \
| `ms_obj_uac_get_details_lkup`\
| eval uac_filter=mvfilter(match(uac_details, "Sensitive - Not Delegated"))\
| search uac_filter=*\
| makemv delim=":" uac_details\
| table domain, sAMAccountName, userPrincipalName,userAccountControl, uac_details,domain, distinguishedName,whenChanged,whenCreated\
| sort sAMAccountName\
| rename sAMAccountName AS "user", uac_details AS userAccountControl_Details
iseval = 0

[ms_obj_secrpt-expired-users(1)]
args = domain
definition = inputlookup AD_Obj_User WHERE NOT accountExpires="Never Expires" AND NOT accountExpires="0" AND domain="$domain$"\
| fields accountExpires,domain, sAMAccountName, userAccountControl,userPrincipalName,uac_details,distinguishedName,whenChanged,whenCreated,deletedDate\
| eval now_time=now()\
| eval accountExpires_utc=round(strptime(accountExpires,"%I:%M.%S %P, %a %m/%d/%Y"),0)\
| where accountExpires_utc<now_time\
| `ms_obj_uac_get_details_lkup`\
| makemv delim=":" uac_details\
| sort sAMAccountName\
| table domain, accountExpires,sAMAccountName, userPrincipalName,uac_details,domain, distinguishedName,whenChanged,whenCreated,whenDeleted\
| rename sAMAccountName AS "user", uac_details AS userAccountControl_Details
iseval = 0

[ms_obj_secrpt-users-that-dont-expire(1)]
args = domain
definition = inputlookup AD_Obj_User WHERE domain="*" AND accountExpires=0 OR accountExpires="Never Expires"\
| `ms_obj_uac_get_details_lkup`\
| makemv delim=":" uac_details\
| table domain, accountExpires, sAMAccountName, userPrincipalName,userAccountControl, uac_details,domain, distinguishedName,whenChanged,whenCreated\
| sort sAMAccountName\
| rename sAMAccountName AS "user", uac_details AS userAccountControl_Details
iseval = 0

[ms_obj_secrpt-users-whose-password-doesnt-expire(1)]
args = domain
definition = inputlookup AD_Obj_User append=true WHERE domain="$domain$" \
| fields domain, sAMAccountName, userPrincipalName,userAccountControl, domain, distinguishedName,whenChanged,whenCreated\
| `ms_obj_uac_get_details_lkup`\
| eval uac_filter=mvfilter(match(uac_details, "Password Does Not Expire"))\
| search uac_filter=*\
| makemv delim=":" uac_details\
| table domain, sAMAccountName, userPrincipalName,userAccountControl, uac_details,domain, distinguishedName,whenChanged,whenCreated\
| sort sAMAccountName\
| rename sAMAccountName AS "user", uac_details AS userAccountControl_Details
iseval = 0

[ms_obj_secrpt-users-with-no-manager(1)]
args = domain
definition = inputlookup AD_Obj_User WHERE domain="$domain$" AND NOT manager="*"\
| fields domain, sAMAccountName, userPrincipalName,userAccountControl, uac_details,domain, distinguishedName,whenChanged,whenCreated\
| sort sAMAccountName\
| `ms_obj_uac_get_details_lkup`\
| makemv delim=":" uac_details\
| table domain, sAMAccountName, userPrincipalName,userAccountControl, uac_details,domain, distinguishedName,whenChanged,whenCreated\
| sort sAMAccountName\
| rename sAMAccountName AS "user", uac_details AS userAccountControl_Details
iseval = 0

[ms_obj_secrpt-users-with-manager(1)]
args = domain
definition = inputlookup AD_Obj_User WHERE domain="$domain$" AND manager="*" AND NOT manager=""\
| fields domain, sAMAccountName, userPrincipalName,userAccountControl, uac_details,domain, distinguishedName,whenChanged,whenCreated\
| sort sAMAccountName\
| `ms_obj_uac_get_details_lkup`\
| makemv delim=":" uac_details\
| table domain, sAMAccountName, userPrincipalName,userAccountControl, uac_details,domain, distinguishedName,whenChanged,whenCreated\
| sort sAMAccountName\
| rename sAMAccountName AS "user", uac_details AS userAccountControl_Details
iseval = 0

[ms_obj_secrpt-users-that-dont-require-password(1)]
args = domain
definition = inputlookup AD_Obj_User append=true WHERE domain="$domain$" \
| fields domain, sAMAccountName, userPrincipalName, userAccountControl, uac_details,domain, distinguishedName,whenChanged,whenCreated\
| `ms_obj_uac_get_details_lkup`\
| makemv delim=":" uac_details\
| eval uac_filter=mvfilter(match(uac_details, "Password Not Required")) \
| search uac_filter=*\
| table domain, sAMAccountName, userPrincipalName, userAccountControl, uac_details,domain, distinguishedName,whenChanged,whenCreated\
| sort sAMAccountName\
| rename sAMAccountName AS "user", uac_details AS userAccountControl_Details
iseval = 0

[ms_obj_secrpt-users-no-smartcard-required(1)]
args = domain
definition = inputlookup AD_Obj_User append=true WHERE domain="$domain$" \
| fields domain, sAMAccountName, userPrincipalName,userAccountControl, uac_details,domain, distinguishedName,whenChanged,whenCreated\
| `ms_obj_uac_get_details_lkup`\
| makemv delim=":" uac_details\
| eval uac_filter=mvfilter(match(uac_details, "Password Not Required"))\
| search NOT uac_filter=*\
| table domain, sAMAccountName, userPrincipalName,userAccountControl, uac_details,domain, distinguishedName,whenChanged,whenCreated\
| sort sAMAccountName\
| rename sAMAccountName AS "user", uac_details AS userAccountControl_Details
iseval = 0

[ms_obj_secrpt-unused-users(1)]
args = domain
definition = inputlookup AD_Obj_User append=true WHERE domain="$domain$" AND logonCount=0\
| fields domain, sAMAccountName, userPrincipalName,userAccountControl, uac_details,domain, distinguishedName,whenChanged,whenCreated\
| `ms_obj_uac_get_details_lkup`\
| makemv delim=":" uac_details\
| table domain, sAMAccountName, userPrincipalName,userAccountControl, uac_details,domain, distinguishedName,whenChanged,whenCreated\
| sort sAMAccountName\
| rename sAMAccountName AS "user", uac_details AS userAccountControl_Details
iseval = 0

[ms_obj_secrpt-active-users(1)]
args = domain
definition = `ms_obj_success_logons("user")` dest_nt_domain="$domain$"\
| fields _time, dest_nt_domain,user\
| stats  max(_time) as lastLogonTime by dest_nt_domain,user\
| join  user  [|inputlookup AD_Obj_User | search domain="$domain$" | rename sAMAccountName AS user | fields cn,user,userPrincipalName]\
| eval  lastLogonTime=strftime(lastLogonTime,"%c")\
| stats last(lastLogonTime) AS lastLogonTime by user,cn,userPrincipalName\
| rename  user as Username,cn as "Full Name", lastLogonTime as "Last Logon Time"
iseval = 0

[ms_obj_secrpt-inactive-users(1)]
args = domain
definition = inputlookup AD_Obj_User WHERE domain="$domain$"\
| fields domain, sAMAccountName, userPrincipalName,userAccountControl, uac_details,domain, distinguishedName,whenChanged,whenCreated,deletedDate\
| join type=outer sAMAccountName [search `ms_obj_failed_success_logons("user")` dest_nt_domain="$domain$"| fields _time, user|stats max(_time) AS lastLogonTime by user|rename user as sAMAccountName | fields sAMAccountName, lastLogonTime]\
| where isnull(lastLogonTime)\
| `ms_obj_uac_get_details_lkup`\
| makemv delim=":" uac_details\
| sort sAMAccountName\
| eval whenDeleted=strftime(deletedDate, "%I:%M.%S %P, %a %m/%d/%Y")\
| table domain, sAMAccountName, userPrincipalName,userAccountControl, uac_details,domain, distinguishedName,whenChanged,whenCreated,whenDeleted\
| rename sAMAccountName AS "user", uac_details AS userAccountControl_Details
iseval = 0

[ms_obj_secrpt-users-password-too-old(1)]
args = domain
definition = inputlookup AD_Obj_User WHERE domain="$domain$"\
| join type=outer sAMAccountName [search eventtype=msad-password-changes dest_nt_domain=$domain$|stats max(_time) as maxtime by user|rename user as sAMAccountName|where isnull(maxtime)]\
| `ms_obj_uac_get_details_lkup`\
| makemv delim=":" uac_details\
| table sAMAccountName,cn,userPrincipalName,userAccountControl,uac_details,pwdLastSet
iseval = 0

[ms_obj_secrpt-users-password-too-old(3)]
args = domain,user_lookup,days_old
definition = inputlookup $user_lookup$ where domain="$domain$"\
| fields sAMAccountName,cn,uac_details,pwdLastSet\
| eval p_last_set=strptime(pwdLastSet,"%I:%M.%S %P,%a %m/%d/%Y")\
| eval days_since_password_set=if(pwdLastSet==0,0,round((now()-p_last_set)/86400,0))\
| sort -days_since_password_set\
| eval days_since_password_set=if(days_since_password_set==0,"Never",days_since_password_set)\
| where days_since_password_set>=$days_old$ OR days_since_password_set=="Never"\
| table sAMAccountName,cn,uac_details,pwdLastSet,days_since_password_set
iseval = 0

[ms_obj_secrpt-new-users(3)]
args = domain,starttime,endtime
definition = inputlookup AD_Obj_User WHERE domain="$domain$"\
| eval begintime=strptime("$starttime$", "%m/%d/%y %I:%M %P")\
| eval finishtime=strptime("$endtime$", "%m/%d/%y %I:%M %P")\
| eval whenCreated_epoch=strptime(whenCreated, "%I:%M.%S %P, %a %m/%d/%Y")\
| where whenCreated_epoch>begintime AND whenCreated_epoch<finishtime\
| sort sAMAccountName\
| `ms_obj_uac_get_details_lkup`\
| makemv delim=":" uac_details\
| table domain, sAMAccountName, whenCreated, whenChanged,userPrincipalName,userAccountControl, uac_details,domain, distinguishedName\
| sort sAMAccountName\
| rename sAMAccountName AS "user", uac_details AS userAccountControl_Details
iseval = 0

[ms_obj_secrpt-deleted-users(3)]
args = domain,starttime,endtime
definition = inputlookup AD_Obj_User WHERE domain="$domain$" AND isDeleted="TRUE"\
| eval begintime=strptime("$starttime$", "%m/%d/%y %I:%M %P")\
| eval finishtime=strptime("$endtime$", "%m/%d/%y %I:%M %P")\
| eval whenDeleted=strftime(deletedDate, "%I:%M.%S %P, %a %m/%d/%Y")\
| where deletedDate>begintime AND deletedDate<finishtime\
| sort sAMAccountName\
| `ms_obj_uac_get_details_lkup`\
| makemv delim=":" uac_details\
| table domain, sAMAccountName, orig_cn,whenDeleted, whenCreated,whenChanged,userPrincipalName,userAccountControl, uac_details,domain, distinguishedName\
| sort sAMAccountName\
| rename sAMAccountName AS "user", uac_details AS userAccountControl_Details
iseval = 0

[ms_obj_secrpt-changed-users(3)]
args = domain,starttime,endtime
definition = inputlookup AD_Obj_User WHERE domain="$domain$" AND NOT isDeleted="TRUE"\
| eval begintime=strptime("$starttime$", "%m/%d/%y %I:%M %P")\
| eval finishtime=strptime("$endtime$", "%m/%d/%y %I:%M %P")\
| eval whenChanged_epoch=strptime(whenChanged, "%I:%M.%S %P, %a %m/%d/%Y")\
| where whenChanged_epoch>begintime AND whenChanged_epoch<finishtime\
| sort sAMAccountName\
| `ms_obj_uac_bin_fields`\
| makemv delim=":" uac_details\
| table domain, sAMAccountName, whenChanged, userPrincipalName,userAccountControl, uac_details,domain, distinguishedName, whenCreated\
| sort sAMAccountName\
| rename sAMAccountName AS "user", uac_details AS userAccountControl_Details
iseval = 0

[ms_obj_md_secrpt_activity_users(3)]
args = user_lookup,domain,active_filter
definition = inputlookup $user_lookup$ WHERE domain="$domain$"\
| fields domain,sAMAccountName,cn,days_since,lastLogon,lastLogonTimestamp,uac_details\
| $active_filter$\
| eval days_since_last_logon=if(lastLogonTimestamp==0,"Never",round((now()-lastLogonTimestamp)/86400,0))\
| table domain,sAMAccountName,cn,uac_details,days_since_last_logon,lastLogon,lastLogonTimestamp
iseval = 0

## Group Policy Search Macros that point to AD_Obj_GPO Lookup:
[ms_obj_secrpt-all-group-policies(1)]
args = domain
definition = inputlookup AD_Obj_GPO WHERE domain="$domain$"\
| fields cn,displayName,versionNumber,lc,whenChanged\
| table cn,displayName,versionNumber,lc,whenChanged\
| sort cn\
| rename cn as "Group Policy ID",displayName as "Group Policy Name",versionNumber as "Version",lc as "Linked Containers"
iseval = 0

[ms_obj_secrpt-disabled-group-policies(1)]
args = domain
definition = inputlookup AD_Obj_GPO WHERE domain="$domain$" AND flags>0\
| fields cn,flags,displayName,versionNumber,lc,whenChanged\
| eval Status=case(flags==1,"User Settings Disabled",flags==2,"Computer Settings Disabled",flags==3,"All Settings Disabled",flags==0,"Enabled")\
| table cn,displayName,versionNumber,Status,whenChanged,lc\
| rename cn as "Group Policy ID",displayName as "Group Policy Name",versionNumber as "Version",lc as "Linked Containers"
iseval = 0

[ms_obj_secrpt-deleted-group-policies_raw(1)]
args = domain
definition = `ms_obj_admon_flt_obj_type(ms_obj_admon_gpo,ms_obj_admon_base_del_type)`\
| eval deletedDate=if(match(lower(admonEventType), "deleted") OR match(lower(isDeleted), "true"), strptime(whenChanged, "%I:%M.%S %p, %a %m/%d/%Y"), 0)\
| fillnull value=""\
| stats max(deletedDate) as deletedDate, first(cn) as cn,first(uSNChanged) as uSNChanged, first(instanceType) as instanceType, first(lastKnownParent) as lastKnownParent, first(whenChanged) as whenChanged by distinguishedName, objectGUID,isDeleted,isRecycled\
| join objectGUID [|inputlookup AD_Obj_GPO | table objectGUID,src_nt_domain,displayName,versionNumber]\
| eval When_Deleted=strftime(deletedDate,"%m/%d/%y %H:%M:%S")\
| table displayName,src_nt_domain,When_Deleted,cn\
| sort cn\
| rename cn as "Group Policy ID",displayName as "Group Policy Name",src_nt_domain AS "Group Policy Domain"
iseval = 0

[ms_obj_secrpt-gpo-not-linked(1)]
args = domain
definition = inputlookup AD_Obj_GPO WHERE domain="$domain$" AND NOT lc="*"\
| fields cn,displayName,versionNumber,lc,whenChanged\
| table cn,displayName,versionNumber,lc,whenChanged\
| sort cn\
| rename cn as "Group Policy ID",displayName as "Group Policy Name",versionNumber as "Version",lc as "Linked Containers"
iseval = 0

[ms_obj_secrpt-gpo-linked(1)]
args = domain
definition = inputlookup AD_Obj_GPO WHERE domain="$domain$" AND lc="*"\
| fields cn,displayName,versionNumber,lc,whenChanged\
| table cn,displayName,versionNumber,lc\
| sort cn\
| rename cn as "Group Policy ID",displayName as "Group Policy Name",versionNumber as "Version",lc as "Linked Containers"
iseval = 0

[ms_obj_secrpt-new-group-policies(3)]
args = domain,starttime,endtime
definition = `ms_obj_admon_gpo`\
| eval begintime=strptime("$starttime$","%m/%d/%y %I:%M %P"),finishtime=strptime("$endtime$","%m/%d/%y %I:%M %P"), when_cr=strptime(whenCreated,"%I:%M.%S %P, %a %m/%d/%Y")\
| where whenCreated==whenChanged AND when_cr>begintime AND when_cr<finishtime\
| stats latest(*) AS * by cn,whenCreated\
| table whenCreated,cn,displayName,distinguishedName\
| join type=outer cn [|inputlookup AD_Obj_GPO WHERE domain="$domain$"| rename versionNumber AS st_versionNumber | table cn,lc,st_versionNumber]\
| eval versionNumber=if(isnull(st_versionNumber) OR st_versionNumber<versionNumber,versionNumber,st_versionNumber)\
| eval linkedContainers=split(lc,"####")\
| table whenCreated,cn,displayName,versionNumber,linkedContainers\
| rename cn as "Group Policy ID",displayName as "Group Policy Name",versionNumber as "Version",linkedContainers as "Linked Containers"
iseval = 0

[ms_obj_secrpt-changed-group-policies(3)]
args = domain,starttime,endtime
definition = inputlookup AD_Obj_GPO WHERE domain="$domain$" AND NOT isDeleted="TRUE"\
| eval begintime=strptime("$starttime$", "%m/%d/%y %I:%M %P")\
| eval finishtime=strptime("$endtime$", "%m/%d/%y %I:%M %P")\
| eval whenChanged_epoch=strptime(whenChanged, "%I:%M.%S %P, %a %m/%d/%Y")\
| where whenChanged_epoch>begintime AND whenChanged_epoch<finishtime\
| rex field=cn "(?<gpo>\{.*\})"\
| join type=left gpo [| inputlookup AD_Obj_OU\
| search domain="$domain$" gpo=* NOT gpo=""\
| makemv delim="####" gpo\
| mvexpand gpo\
| eval ou_linked="####".ou." (".distinguishedName.")"\
| stats values(ou_linked) AS ou_linked by gpo\
| table gpo,ou_linked]\
| makemv delim="####" ou_linked\
| fillnull value="Not Linked" ou_linked\
| stats count by displayName,whenChanged,gpo,versionNumber,ou_linked\
| table displayName,whenChanged,gpo,versionNumber,ou_linked\
| rename displayName AS "Group Policy", gpo as "GPO_ID",ou_linked as "Linked OU"
iseval = 0

[ms_obj_secrpt-deleted-group-policies(3)]
args = domain,starttime,endtime
definition = `ms_obj_admon_gpo` `ms_obj_admon_base_del_type`\
| eval deletedDate=if(match(lower(admonEventType), "Deleted") OR match(lower(isDeleted), "true"), strptime(whenChanged, "%I:%M.%S %p, %a %m/%d/%Y"), 0)\
| fillnull value=""\
| stats max(deletedDate) as deletedDate, first(cn) as cn,first(uSNChanged) as uSNChanged, first(instanceType) as instanceType, first(lastKnownParent) as lastKnownParent, first(whenChanged) as whenChanged by distinguishedName, objectGUID,isDeleted,isRecycled\
| join objectGUID [|inputlookup AD_Obj_GPO WHERE domain="$domain$"| table objectGUID,src_nt_domain,displayName,versionNumber]\
| eval When_Deleted=strftime(deletedDate,"%m/%d/%y %H:%M:%S")\
| table displayName,src_nt_domain,When_Deleted,cn\
| sort cn\
| rename cn as "Group Policy ID",displayName as "Group Policy Name",src_nt_domain AS "Group Policy Domain"
iseval = 0

[ms_obj_gpo_action_events(3)]
args = domain,gpo_guid,action
definition = `ms_obj_changes_base_cat("Group Policy")` msad_action="$action$" src_nt_domain="$domain$"\
| eval adminuser=src_user\
| eval Object_Lookup_Name="{" . upper(Object_Name_Guid) . "}"\
| search Object_Lookup_Name="$gpo_guid$"\
| join Object_Lookup_Name [|inputlookup AD_Obj_GPO | eval Object_Lookup_Name=upper(cn)| search Object_Lookup_Name="$gpo_guid$" | table Object_Lookup_Name,displayName] \
| transaction maxspan=10m Object_Lookup_Name,adminuser,session_id\
| table _time, displayName,msad_action,Object_Lookup_Name,src_nt_domain,adminuser, session_id\
| rename msad_action AS "Action", src_nt_domian as "Domain",adminuser as "Administrator", displayName as "Group Policy Name"
iseval = 0

[ms_obj_secrpt-deleted-lkp-gpo(3)]
args = domain,starttime,endtime
definition = inputlookup AD_Obj_GPO WHERE domain="$domain$" AND isDeleted="TRUE"\
| fields cn,Object_Lookup_Name,displayName,versionNumber,lc,distinguishedName,isDeleted,dateDeleted,whenChanged,description\
| eval begintime=strptime("$starttime$", "%m/%d/%y %I:%M %P")\
| eval finishtime=strptime("$endtime$", "%m/%d/%y %I:%M %P")\
| eval whenChanged_epoch=strptime(whenChanged, "%I:%M.%S %P, %a %m/%d/%Y")\
| eval dateDeleted_epoch=strptime(dateDeleted, "%I:%M.%S %P, %a %m/%d/%Y")\
| where dateDeleted_epoch>begintime AND dateDeleted_epoch<finishtime\
| table dateDeleted,cn,displayName,isDeleted,whenChanged,versionNumber,lc\
| rename displayName as "GPO",versionNumber as "Version",lc as "Linked Containers"
iseval = 0

[ms_obj_secrpt-new-lkp-gpo(3)]
args = domain,starttime,endtime
definition = inputlookup AD_Obj_GPO WHERE domain="$domain$"\
| fields cn,displayName,versionNumber,lc,distinguishedName,isDeleted,whenCreated,whenChanged,versionNumber\
| eval begintime=strptime("$starttime$", "%m/%d/%y %I:%M %P")\
| eval finishtime=strptime("$endtime$", "%m/%d/%y %I:%M %P")\
| eval whenCreated_epoch=strptime(whenCreated, "%I:%M.%S %P, %a %m/%d/%Y")\
| where whenCreated_epoch>begintime AND whenCreated_epoch<finishtime\
| table whenCreated,cn,Object_Lookup_Name,displayName,isDeleted,versionNumber,lc\
| rename displayName as "GPO",versionNumber as "Version",lc as "Linked Containers"
iseval = 0

[ms_obj_secrpt-changed-lkp-gpo(3)]
args = domain,starttime,endtime
definition = inputlookup AD_Obj_GPO WHERE domain="$domain$"\
| fields cn,displayName,versionNumber,lc,distinguishedName,isDeleted,whenCreated,whenChanged,versionNumber\
| eval begintime=strptime("$starttime$", "%m/%d/%y %I:%M %P")\
| eval finishtime=strptime("$endtime$", "%m/%d/%y %I:%M %P")\
| eval whenChanged_epoch=strptime(whenChanged, "%I:%M.%S %P, %a %m/%d/%Y")\
| where whenChanged_epoch>begintime AND whenChanged_epoch<finishtime\
| table whenChanged,cn,displayName,isDeleted,whenCreated,versionNumber,lc\
| rename displayName as "GPO",versionNumber as "Version",lc as "Linked Containers"
iseval = 0

## Organizational Units Search Macros that point to AD_Obj_OU Lookup:
[ms_obj_secrpt-all-orgunits(1)]
args = domain
definition = inputlookup AD_Obj_OU WHERE domain="$domain$"\
| fields domain,OU,name,displayName,distinguishedName,description,whenCreated,whenChanged,isDeleted\
| eval OU=if(isnull(name) OR name=="",if(isnull(OU) OR OU=="",displayName,OU),name)\
| lookup AD_Obj_GPO lc AS distinguishedName,domain AS domain OUTPUT displayName AS Linked_GPO\
| table OU,distinguishedName,description,Linked_GPO,whenCreated,whenChanged,isDeleted\
| sort OU\
| rename ,Linked_GPO as "Linked GPO"
iseval = 0

[ms_obj_secrpt-gpolinked-orgunits(1)]
args = domain
definition = inputlookup AD_Obj_OU WHERE domain="$domain$" AND gPLink="[*"\
| fields domain,OU,name,displayName,distinguishedName,domain,description,isDeleted,whenCreated,whenChanged\
| eval OU=if(isnull(name) OR name=="",if(isnull(OU) OR OU=="",displayName,OU),name)\
| lookup AD_Obj_GPO lc AS distinguishedName,domain AS domain OUTPUT displayName AS Linked_GPO\
| table OU,distinguishedName,description,isDeleted,whenCreated,whenChanged,Linked_GPO\
| rename Linked_GPO as "Linked GPO"
iseval = 0

[ms_obj_secrpt-unmanaged-orgunits(1)]
args = domain
definition = inputlookup AD_Obj_OU WHERE domain="$domain$" AND NOT managedBy="CN*"\
| eval gpo_link=distinguishedName\
| lookup AD_Obj_GPO lc AS distinguishedName,domain AS domain OUTPUT displayName AS Linked_GPO\
| table name,dn,description,Linked_GPO\
| rename name as "Name",dn AS distinguishedName,Linked_GPO as "Linked GPO"
iseval = 0

[ms_obj_secrpt-managed-orgunits(1)]
args = domain
definition = inputlookup AD_Obj_OU WHERE domain="$domain$" AND managedBy="CN*"\
| fields OU,name,displayName,distinguishedName,domain,description,isDeleted,whenCreated,whenChanged\
| eval OU=if(isnull(name) OR name=="",if(isnull(OU) OR OU=="",displayName,OU),name)\
| lookup AD_Obj_GPO lc AS distinguishedName,domain AS domain OUTPUT displayName AS Linked_GPO\
| table OU,distinguishedName,managedBy,description,Linked_GPO\
| rename Linked_GPO as "Linked GPO"
iseval = 0

[ms_obj_secrpt-new-orgunits_raw(1)]
args = domain
definition = `ms_obj_admon_ou` `ms_obj_admon_base_upd_type` [| inputlookup AD_Obj_Domain WHERE domain="$domain$" | fields dc_val | table dc_val]\
| fields _time,whenCreated,OU,name,distinguishedName,displayName,domain,dc_val,uSNChanged,uSNCreated,description \
| where uSNChanged==uSNCreated\
| eval OU=if(isnull(name) OR name=="",if(isnull(OU) OR OU=="",if(isnull(ou),if(isnull(displayName),distinguishedName,displayName),ou),OU),name) \
| fillnull value="" OU,distinguishedName,description,dc_val,uSNChanged,uSNCreated \
| stats count by _time,whenCreated,OU,uSNChanged,uSNCreated,distinguishedName,description,dc_val \
| lookup AD_Obj_Domain dc_val AS dc_val OUTPUT domain AS domain \
| lookup AD_Obj_GPO lc AS distinguishedName,domain AS domain OUTPUT displayName AS Linked_GPO \
| table _time, whenCreated,domain, OU, description, distinguishedName, Linked_GPO,uSNChanged,uSNCreated \
| rename Linked_GPO as "Linked GPO"
iseval = 0

[ms_obj_secrpt-new-orgunits(3)]
args = domain,starttime,endtime
definition = `ms_obj_admon_ou` `ms_obj_admon_base_upd_type\
| fields objectGUID,name,dn,distinguishedName,uSNChanged,uSNCreated,whenCreated\
| rex field=distinguishedName max_match=0 "\\,DC\\=(?<DomainDNSName>[^(\\,|$)]+)" \
| eval DomainDNSName=mvjoin(lower(DomainDNSName),".") \
| eval begintime=strptime("$starttime$", "%m/%d/%y %I:%M %P")\
| eval finishtime=strptime("$endtime$", "%m/%d/%y %I:%M %P")\
| eval whenCreated_epoch=strptime(whenCreated, "%I:%M.%S %P, %a %m/%d/%Y")\
| lookup AD_Obj_Domain DomainDNSName AS DomainDNSName OUTPUT domain AS domain\
| sort -whenCreated_epoch\
| where domain="$domain$" AND ((whenCreated_epoch>begintime AND whenCreated_epoch<finishtime) OR (uSNChanged==uSNCreated))\
| dedup objectGUID\
| lookup AD_Obj_GPO lc AS distinguishedName,domain AS domain OUTPUT displayName AS Linked_GPO\
| table _time,name,dn,description,Linked_GPO\
| rename name as "Name",dn AS distinguishedName,Linked_GPO as "Linked GPO"
iseval = 0

[ms_obj_secrpt-deleted-orgunits(3)]
args = domain,starttime,endtime
definition = `ms_obj_admon_flt_obj_type(ms_obj_admon_ou,ms_obj_admon_base_del_type)` [| inputlookup AD_Obj_Domain WHERE domain="$domain$" \
    | fields dc_val \
    | table dc_val] \
| fields _time,name,objectGUID,name,dn,lastKnownParent,description\
| rex field=name "(?<Name>[^\sDEL]+)"\
| dedup objectGUID\
| table _time,Name,name,dn,lastKnownParent,description\
| rename name as Object_Name,dn AS distinguishedName
iseval = 0

[ms_obj_secrpt-changed-orgunits(3)]
args = domain,starttime,endtime
definition = inputlookup AD_Obj_OU WHERE domain="$domain$"\
| fields domain,OU,name,distinguishedName,displayName,isDeleted,whenChanged,description,gPLink\
| eval OU=if(isnull(name) OR name=="",if(isnull(OU) OR OU=="",displayName,OU),name)\
| eval begintime=strptime("$starttime$", "%m/%d/%y %I:%M %P")\
| eval finishtime=strptime("$endtime$", "%m/%d/%y %I:%M %P")\
| eval whenChanged_epoch=strptime(whenChanged, "%I:%M.%S %P, %a %m/%d/%Y")\
| sort -whenChanged_epoch\
| where whenChanged_epoch>begintime AND whenChanged_epoch<finishtime\
| eval name=if(isnull(name) OR name=="",if(isnull(OU) OR OU=="",displayName,OU),name)\
| lookup AD_Obj_GPO lc AS distinguishedName,domain AS domain OUTPUT displayName AS Linked_GPO\
| table whenChanged,OU,description,Linked_GPO,isDeleted\
| rename Linked_GPO as "Linked GPO"
iseval = 0

[ms_obj_secrpt-deleted-lkp-orgunits(3)]
args = domain,starttime,endtime
definition = inputlookup AD_Obj_OU WHERE domain="$domain$" AND isDeleted="TRUE"\
| fields domain,OU,name,displayName,distinguishedName,isDeleted,dateDeleted,whenChanged,description,gPLink\
| eval OU=if(isnull(name) OR name=="",if(isnull(OU) OR OU=="",displayName,OU),name)\
| eval begintime=strptime("$starttime$", "%m/%d/%y %I:%M %P")\
| eval finishtime=strptime("$endtime$", "%m/%d/%y %I:%M %P")\
| eval whenChanged_epoch=strptime(whenChanged, "%I:%M.%S %P, %a %m/%d/%Y")\
| eval dateDeleted_epoch=strptime(dateDeleted, "%I:%M.%S %P, %a %m/%d/%Y")\
| sort -dateDeleted_epoch\
| where dateDeleted_epoch>begintime AND dateDeleted_epoch<finishtime\
| lookup AD_Obj_GPO lc AS distinguishedName,domain AS domain OUTPUT displayName AS Linked_GPO\
| table dateDeleted,OU,distinguishedName,whenChanged,description,Linked_GPO\
| rename Linked_GPO as "Linked GPO"
iseval = 0

[ms_obj_secrpt-new-lkp-orgunits(3)]
args = domain,starttime,endtime
definition = inputlookup AD_Obj_OU WHERE domain="$domain$"\
| fields OU,domain,displayName,name,distinguishedName,whenCreated,isDeleted,description,gPLink\
| eval OU=if(isnull(name) OR name=="",if(isnull(OU) OR OU=="",displayName,OU),name)\
| eval begintime=strptime("$starttime$", "%m/%d/%y %I:%M %P")\
| eval finishtime=strptime("$endtime$", "%m/%d/%y %I:%M %P")\
| eval whenCreated_epoch=strptime(whenCreated, "%I:%M.%S %P, %a %m/%d/%Y")\
| sort -whenCreated_epoch\
| where whenCreated_epoch>begintime AND whenCreated_epoch<finishtime\
| lookup AD_Obj_GPO lc AS distinguishedName,domain AS domain OUTPUT displayName AS Linked_GPO\
| table whenCreated,OU,distinguishedName,isDeleted,description,Linked_GPO\
| rename Linked_GPO as "Linked GPO"
iseval = 0

[ms_obj_secrpt-moved-orgunits(1)]
args = domain
definition = inputlookup AD_Obj_OU WHERE domain="$domain$"\
| fields domain,OU,name,distinguishedName,displayName,dn_hist,whenCreated,whenChanged,isDeleted\
| eval OU=if(isnull(name) OR name=="",if(isnull(OU) OR OU=="",displayName,OU),name)\
| eval dn_hist_cnt=mvcount(dn_hist)\
| WHERE dn_hist>0\
| lookup AD_Obj_GPO lc AS distinguishedName,domain AS domain OUTPUT displayName AS Linked_GPO\
| table OU,dn,dn_hist,Linked_GPO,whenCreated,whenChanged,isDeleted\
| sort OU\
| rename Linked_GPO as "Linked GPO",dn_hist AS "DN History"
iseval = 0

[ms_obj_secrpt-changed-lkp-orgunits(3)]
args = domain,starttime,endtime
definition = inputlookup AD_Obj_OU WHERE domain="$domain$"\
| fields domain,OU,name,displayName,distinguishedName,whenChanged,isDeleted,description,gPLink\
| eval OU=if(isnull(name) OR name=="",if(isnull(OU) OR OU=="",displayName,OU),name)\
| eval begintime=strptime("$starttime$", "%m/%d/%y %I:%M %P")\
| eval finishtime=strptime("$endtime$", "%m/%d/%y %I:%M %P")\
| eval whenChanged_epoch=strptime(whenChanged, "%I:%M.%S %P, %a %m/%d/%Y")\
| where whenChanged_epoch>begintime AND whenChanged_epoch<finishtime\
| sort -whenChanged_epoch\
| lookup AD_Obj_GPO lc AS distinguishedName,domain AS domain OUTPUT displayName AS Linked_GPO\
| table whenChanged,OU,distinguishedName,description,Linked_GPO\
| rename Linked_GPO as "Linked GPO"
iseval = 0

## Pickup up Deletes - missing admon Delete values
[ms_obj_admon_group_base_deletes]
definition = `ms_obj_admon_flt_obj_type(ms_obj_admon_group,ms_obj_admon_base_del_type)`\
| stats latest(*) AS * by objectGUID\
| fields objectGUID,MSADGroupClass,MSADGroupType,adminCount,c,dSCorePropagationData,description,displayName,dn_hist,dn_path,domain,groupType,groupType_Name,isCriticalSystemObject,l,managedBy,member,memberOf,objectCategory,q_link_id,sAMAccountType,src_nt_domain,st,sync_dn_chg,systemFlags\
| rex field = member max_match=0 "(?<mb_cnt>(^CN|####CN))"\
| eval membercount=mvcount(mb_cnt)\
| fillnull value="0" membercount\
| lookup AD_Obj_Group member AS admin_dn OUTPUT dn AS memberOf\
| rename member AS member_hist,memberOf AS memberOf_hist\
| lookup AD_Audit_Group_Details groupType,sAMAccountType OUTPUT groupType_Name,MSADGroupType,MSADGroupClass\
| fillnull value="FALSE" isCriticalSystemObject\
| table objectGUID,MSADGroupClass,MSADGroupType,adminCount,c,dSCorePropagationData,description,displayName,dn_hist,dn_path,domain,groupType_Name,isCriticalSystemObject,l,managedBy,member_hist,memberOf_hist,membercount,objectCategory,q_link_id,sAMAccountType,src_nt_domain,st,sync_dn_chg,systemFlags
iseval = 0

[ms_obj_admon_user_base_deletes]
definition = `ms_obj_admon_flt_obj_type(ms_obj_admon_user,ms_obj_admon_base_del_type)`\
| stats latest(*) AS * by objectGUID\
| fields objectGUID,c,codePage,countryCode,department,description,displayName,dn_path,domain,givenName,initials,isCriticalSystemObject,l,lastLogon,lastLogonTimestamp,lockoutTime,logonCount,logonHours,managedBy,msDS-SupportedEncryptionTypes,objectCategory,physicalDeliveryOfficeName,postalCode,primaryGroupID,pwdLastSet,sAMAccountType,servicePrincipalName,showInAdvancedViewOnly,sn,st,streetAddress,title,userPrincipalName,userWorkstations\
| fillnull value = "FALSE" isCriticalSystemObject,showInAdvancedViewOnly\
| table objectGUID,c,codePage,countryCode,department,description,displayName,dn_path,domain,givenName,initials,isCriticalSystemObject,l,lastLogon,lastLogonTimestamp,lockoutTime,logonCount,logonHours,managedBy,msDS-SupportedEncryptionTypes,objectCategory,physicalDeliveryOfficeName,postalCode,primaryGroupID,pwdLastSet,sAMAccountType,servicePrincipalName,showInAdvancedViewOnly,sn,st,streetAddress,title,userPrincipalName,userWorkstations]\
| fillnull value="0" badPasswordTime,badPwdCount,codePage,countryCode,lastLogon,lockoutTime,logonCount,pwdLastSet
iseval = 0

[ms_obj_admon_computer_base_deletes]
definition = `ms_obj_admon_flt_obj_type(ms_obj_admon_computer,ms_obj_admon_base_del_type)`\
| stats latest(*) AS * by objectGUID\
| fields objectGUID,accountExpires,badPasswordTime,badPwdCount,c,codePage,countryCode,dNSHostName,dSCorePropagationData,description,displayName,dn_hist,dn_path,domain,isCriticalSystemObject,l,lastLogon,lastLogonTimestamp,localPolicyFlags,logonCount,managedBy,objectCategory,operatingSystem,operatingSystemServicePack,operatingSystemVersion,primaryGroupID,pwdLastSet,q_link_id,rIDSetReferences,sAMAccountType,serverReferenceBL,servicePrincipalName,src_nt_domain,st,sync_dn_chg\
| fillnull value="FALSE" isCriticalSystemObject\
| table objectGUID,accountExpires,badPasswordTime,badPwdCount,c,codePage,countryCode,dNSHostName,dSCorePropagationData,description,displayName,dn_hist,dn_path,domain,isCriticalSystemObject,l,lastLogon,lastLogonTimestamp,localPolicyFlags,logonCount,managedBy,objectCategory,operatingSystem,operatingSystemServicePack,operatingSystemVersion,primaryGroupID,pwdLastSet,q_link_id,rIDSetReferences,sAMAccountType,serverReferenceBL,servicePrincipalName,src_nt_domain,st,sync_dn_chg
iseval = 0

[ms_obj_admon_ou_base_deletes]
definition = `ms_obj_admon_flt_obj_type(ms_obj_admon_ou,ms_obj_admon_base_del_type)`\
| fields objectGUID,c,description,domain,isCriticalSystemObject,l,objectCategory,revision,showInAdvancedViewOnly,src_nt_domain,st,systemFlags,versionNumber\
| stats latest(*) AS * by objectGUID\
| fillnull value = "FALSE" isCriticalSystemObject,showInAdvancedViewOnly\
| table objectGUID,c,description,domain,isCriticalSystemObject,l,objectCategory,revision,showInAdvancedViewOnly,src_nt_domain,st,systemFlags,versionNumber
iseval = 0

[ms_obj_admon_gpo_base_deletes]
definition = `ms_obj_admon_flt_obj_type(ms_obj_admon_gpo,ms_obj_admon_base_del_type)`\
| fields objectGUID,cn_link,displayName,domain,flags,gPCFileSysPath,gPCFunctionalityVersion,gPCMachineExtensionNames,isCriticalSystemObject,lc,objectCategory,showInAdvancedViewOnly,src_nt_domain,systemFlags,versionNumber\
| stats latest(*) AS * by objectGUID\
| fillnull value = "FALSE" isCriticalSystemObject,showInAdvancedViewOnly\
| table objectGUID,cn_link,displayName,domain,flags,gPCFileSysPath,gPCFunctionalityVersion,gPCMachineExtensionNames,isCriticalSystemObject,lc,objectCategory,showInAdvancedViewOnly,src_nt_domain,systemFlags,versionNumber
iseval = 0
## | eval groupType_Name=case(groupType="2","Global distribution group",groupType="4","Domain local distribution group",groupType="8","Universal distribution group",groupType="-2147483646","Global security group",groupType="-2147483644","Domain local security group",groupType="-2147483640","Universal security group",groupType="2147483653","Built-In Domain Group",groupType="-2147483643","Built-In Domain Group") \

###-------------------------------------------###
### Misc Macros Used by MS Windows AD Objects ###
###-------------------------------------------###
[ms_obj_time_modifier(1)]
args = time_modifier
definition = tostring(relative_time(time(), "$time_modifier$"))
iseval = 1

[ms_obj_msad-changed-attributes]
definition = fillnull value="" signature,Correlation_IDs\
| eval f=replace(mvjoin(MSADChangedAttributes,"########"), "(?msi)\r\s+|\n\s+", "########")\
| makemv delim="########" f\
| eval MSADChangedAttributes=mvfilter(NOT match(f, ":(\s*\-\s*|)$"))\
| eval MSADChanges=if(isnull(MSADChangedAttributes),if(isnull(AttributeLDAPDisplayName),if(msad_action="moved","Moved:########--From: ".Old_DN."########--To: ".New_DN,""),if(isnull(AttributeValue) OR AttributeValue="-" OR AttributeValue="",NULL,dir_svcs_action." (".AttributeLDAPDisplayName.": ".AttributeValue.")")),MSADChangedAttributes)
iseval = 0

[ms_obj_msad_changed_attr_sum]
definition = eval change_action=if(isnull(msad_action),if(isnull(dir_svcs_action),"NA",dir_svcs_action),if(isnull(dir_svcs_action) OR dir_svcs_action=="Unknown",trim(msad_action),msad_action." (".dir_svcs_action.")"))\
| eval signature=if(isnull(change_signature),signature,change_signature)\
| eval Correlation_ID_sum=if(isnull(Correlation_ID),"",if(mvcount(Correlation_ID)>1,"Correlation IDs:########      - ".replace(mvjoin(Correlation_ID,"########      - "), "(?msi)\r\s+|\n\s+", "########      - "),"Correlation ID: ".Correlation_ID))\
| eval Signature=if(Correlation_ID_sum=="","######## - Signature: ".signature,"######## - Signature: ".signature."########   - ".Correlation_ID_sum)\
| eval Change_Summary="########(".strftime(_time,"%m/%d/%y %I:%M %P").") ".Signature\
| eval ad_chg=if(isnull(AttributeLDAPDisplayName),if(msad_action=="moved","mv",if(isnull(member_obj_lkp),0,"memb")),len(AttributeLDAPDisplayName)),ln_chg_attr=if(isnull(MSADChangedAttributes),0,len(MSADChangedAttributes))\
| eval mvd=if(ad_chg=="mv","########   - Action: Moved:########   - From: ".Old_DN."########   - To: ".New_DN,"")\
| eval MSADChanges=if(ad_chg=="0","",if(ad_chg=="mv",mvd,if(ad_chg=="memb","########   - Action: ".change_action."########   - Group: ".group_obj_lkp."########   - Member: ".member_obj_lkp,if(isnull(AttributeValue) OR AttributeValue="-" OR AttributeValue="","","########   - Action: ".change_action."########   - ".AttributeLDAPDisplayName.": ".AttributeValue))))\
| eval MSADChangedAttributes=if(ln_chg_attr=0,"",replace(replace(mvjoin(MSADChangedAttributes,"########   - "), "(?msi)\r\s+|\n\s+", "########   - "),"(?:\:)(\s\s+|\t)",": "))\
| eval Change_Details=if(ad_chg=0 AND ln_chg_attr=0,Change_Summary,if(ln_chg_attr=0,Change_Summary."########".MSADChanges,if(ad_chg=0,Change_Summary."########   - ".MSADChangedAttributes,"Signature: ".signature."########   - ".MSADChangedAttributes."########".MSADChanges)))\
| makemv delim="########" Change_Details\
| makemv delim="########" Change_Summary\
| eval Change_Details=mvfilter(NOT match(Change_Details, ":(\s*\-\s*|)$"))
iseval = 0

##########################################################################################################
## Splunk App for Windows Infrastructure/Microsoft Exchange App macros - since not shared globally in app:
##########################################################################################################
[group-changes-for-group(2)]
args = domain,group
definition = `ms_obj_group_all_changes_base` dest_nt_domain="$domain$" user_group="$group$"\
| fields _time, objectGUID, src_nt_domain, src_user, member_id, msad_action\
| eval objectGUID=lower(objectGUID)\
| lookup AD_Obj_Group objectGUID OUTPUT cn AS user_group\
| search user_group="$group$"\
| eval adminuser=src_nt_domain."\\".src_user\
| table _time,adminuser,msad_action,member_id\
| rename adminuser as "Administrator",msad_action as "Action", member_id as "User"
iseval = 0

[fix-localhost]
definition = eval src_host=if(src_ip=="127.0.0.1" OR src_ip=="-",upper(host),src_host)|eval src_host=src_nt_domain."\\".src_host
iseval = 0

[ip-to-host]
definition = lookup tHostInfo local=true src_ip OUTPUTNEW src_host,src_nt_domain
iseval = 0

##[lockouts-for-user(2)]
##args = domain,user
##definition = eventtype=ms_ad_obj_msad-failed-user-logons src_nt_domain="$domain$" user="$user$"|stats min(_time) as mintime,max(_time) as maxtime,count by src,src_ip,signature|eval mintime=strftime(mintime,"%F %T")|eval maxtime=strftime(maxtime,"%F %T")|lookup tHostInfo local=true src_ip OUTPUT src_host,src_nt_domain

[ms_obj_win_dir_acl]
definition = `ms__obj_win_api_index` sourcetype="WinDirAcl"
iseval = 0

[ms_obj_chk_macro_idx(5)]
definition = makeresults\
| eval macro_title="$all_idxs$"\
| makemv delim="|" macro_title\
| eval fnd_flg="0"\
| mvexpand macro_title\
| join type=left macro_title [| rest /servicesNS/-/-/data/indexes count=0 splunk_server=local\
| eval fnd_flg="1",macro_title=title\
| fields macro_title,title,TotalEvents,fnd_flg]\
| join type=left macro_title [|makeresults | eval winevt_idx="$winevt_idxs$" | makemv delim="," winevt_idx | mvexpand winevt_idx | eval macro_title=winevt_idx,type="winevt_idx" | table macro_title,type,winevt_idx]\
| join type=left macro_title [|makeresults | eval perfmon_idx="$perfmon_idxs$" | makemv delim="," perfmon_idx | mvexpand perfmon_idx | eval macro_title=perfmon_idx,type="perfmon_idx" | table macro_title,type,perfmon_idx]\
| join type=left macro_title [|makeresults | eval msad_idx="$msad_idxs$" | makemv delim="," msad_idx | mvexpand msad_idx | eval macro_title=msad_idx,type="msad_idx" | table macro_title,type,msad_idx]\
| join type=left macro_title [|makeresults | eval winapi_idx="$winapi_idxs$" | makemv delim="," winapi_idx | mvexpand winapi_idx | eval macro_title=winapi_idx,type="winapi_idx" | table macro_title,type,winapi_idx]\
| eval TotalEvents=if(isnull(TotalEvents),0,TotalEvents)\
| eval winevt_fnd=if(type="winevt_idx",if(fnd_flg="1",1,0),"NULL"),perfmon_fnd=if(type="perfmon_idx",if(fnd_flg="1",1,0),"NULL"),msad_fnd=if(type="msad_idx",if(fnd_flg="1",1,0),"NULL"),winapi_fnd=if(type="winapi_idx",if(fnd_flg="1",1,0),"NULL")\
| eval winevt_mb=if(type="winevt_idx",TotalEvents,0),perfmon_mb=if(type="perfmon_idx",TotalEvents,0),msad_mb=if(type="msad_idx",TotalEvents,0),winapi_mb=if(type="winapi_idx",TotalEvents,0)\
| stats dc(winevt_fnd) AS winevt_fnd_cnt,max(winevt_mb) AS winevt_mb,min(winevt_fnd) AS winevt_fnd,dc(perfmon_fnd) AS perfmon_fnd_cnt,max(perfmon_mb) AS perfmon_mb,min(perfmon_fnd) AS perfmon_fnd,dc(msad_fnd) AS msad_fnd_cnt,max(msad_mb) AS msad_mb,min(msad_fnd) AS msad_fnd,dc(winapi_fnd) AS winapi_fnd_cnt,max(winapi_mb) AS winapi_mb,min(winapi_fnd) AS winapi_fnd\
| eval all_index_check=if(winevt_fnd=1 AND perfmon_fnd=1 AND msad_fnd=1 AND winapi_fnd=1,"All Indexes Available",if(winevt_fnd!=1 AND perfmon_fnd!=1 AND msad_fnd!=1 AND winapi_fnd!=1,"None of the indexes are available","Not all of the indexes are available"))\
| eval all_index_check_flg=if(winevt_fnd=1 AND perfmon_fnd=1 AND msad_fnd=1 AND winapi_fnd=1,"0",if(winevt_fnd!=1 AND perfmon_fnd!=1 AND msad_fnd!=1 AND winapi_fnd!=1,"2","1"))\
| eval all_index_check_icon=case(all_index_check_flg="0","check",all_index_check_flg=2,"error",all_index_check_flg=1,"warning")\
| eval all_index_check_color=case(all_index_check_flg="0","#40A540",all_index_check_flg="2","#DC4E41;",all_index_check_flg="1","#f99d1c;")\
| eval winevt_mb=if(isnull(winevt_mb) OR winevt_mb=0,"Not Available",winevt_mb." MB"),perfmon_mb=if(isnull(perfmon_mb) OR perfmon_mb=0,"Not Available",perfmon_mb." MB"),msad_mb=if(isnull(msad_mb) OR msad_mb=0,"Not Available",msad_mb." MB"),winapi_mb=if(isnull(winapi_mb) OR winapi_mb=0,"Not Available",winapi_mb." MB")\
| eval winevt_fnd=if(winevt_fnd=1,"Available (".winevt_mb.")",if(winevt_fnd_cnt>1,"Not All Available","Not Available")),perfmon_fnd=if(perfmon_fnd=1,"Available (".perfmon_mb.")",if(perfmon_fnd_cnt>1,"Not All Available","Not Available")),msad_fnd=if(msad_fnd=1,"Available (".msad_mb.")",if(msad_fnd_cnt>1,"Not All Available","Not Available")),winapi_fnd=if(winapi_fnd=1,"Available (".winapi_mb.")",if(winapi_fnd_cnt>1,"Not All Available","Not Available"))\
| eval chk_auto_create_idx=if(all_index_check_flg=="0",if("$tok_obj_env_type_arch$"="dist","chk_auto_create_idx_na","chk_auto_create_idx_y"),"chk_auto_create_idx_n")\
| table all_index_check,all_index_check_icon,all_index_check_color,all_index_check_flg,winevt_fnd,perfmon_fnd,msad_fnd,winapi_fnd,chk_auto_create_idx

[ms_obj_cfg_macro_chk]
definition = `ms_ad_obj_cfg_idx_base` \
| mvexpand index \
| join type=left index \
    [|`ms_ad_obj_cfg_idx_avail`]\
| eval flag=if(isnull(index_flag),2,if(isnull(Total_Events),2,if(Total_Events>1,0,1)))\
| fillnull value=0 Total_Events\
| eval flag_msg=case(flag=2,"index Not Created: ".index,flag=1,"Missing Index Data: ".index,flag=0,"OK: ".index) \
| rename index as macro_index\
| eval missing_indexes=if(flag="2",macro_index,NULL),missing_data_indexes=if(flag="1",macro_index,NULL) \
| sort -flag macro_name \
| stats values(macro_index) AS macro_indexes,values(missing_indexes) AS missing_indexes,values(missing_data_indexes) AS missing_data_indexes,max(flag) AS flag,max(Total_Events) AS Total_Events by macro_name,macro_definition\
| eval flag_macro=flag,all_indexes=macro_indexes,macro_indexes=mvjoin(macro_indexes,","),missing_indexes=mvjoin(missing_indexes,","),missing_data_indexes=mvjoin(missing_data_indexes,",") \
| eval flag_macro_msg=case(flag_macro=="2","Warning: Missing Indexes (".missing_indexes.")",flag_macro=="1","Warning: Missing Data (".missing_data_indexes.")",flag_macro=="0","Ok: Indexes Created and have Data") \
| eval winevents_def=if(macro_name=="ms__obj_win_events_index",macro_definition,NULL),winevents_idxs=if(macro_name=="ms__obj_win_events_index",macro_indexes,NULL),winevents_mb=if(macro_name=="ms__obj_win_events_index",Total_Events,NULL),winevents_flag=if(macro_name=="ms__obj_win_events_index",flag_macro,NULL),winevents_flag_msg=if(macro_name=="ms__obj_win_events_index",flag_macro_msg,NULL) \
| eval winapi_def=if(macro_name=="ms__obj_win_api_index",macro_definition,NULL),winapi_idxs=if(macro_name=="ms__obj_win_api_index",macro_indexes,NULL),winapi_mb=if(macro_name=="ms__obj_win_api_index",Total_Events,NULL),winapi_flag=if(macro_name=="ms__obj_win_api_index",flag_macro,NULL),winapi_flag_msg=if(macro_name=="ms__obj_win_api_index",flag_macro_msg,NULL) \
| eval winad_def=if(macro_name=="ms__obj_win_ad_index",macro_definition,NULL),winad_idxs=if(macro_name=="ms__obj_win_ad_index",macro_indexes,NULL),winad_mb=if(macro_name=="ms__obj_win_ad_index",Total_Events,NULL),winad_flag=if(macro_name=="ms__obj_win_ad_index",flag_macro,NULL),winad_flag_msg=if(macro_name=="ms__obj_win_ad_index",flag_macro_msg,NULL) \
| eval winperf_def=if(macro_name=="ms__obj_win_perfmon_index",macro_definition,NULL),winperf_idxs=if(macro_name=="ms__obj_win_perfmon_index",macro_indexes,NULL),winperf_mb=if(macro_name=="ms__obj_win_perfmon_index",Total_Events,NULL),winperf_flag=if(macro_name=="ms__obj_win_perfmon_index",flag_macro,NULL),winperf_flag_msg=if(macro_name=="ms__obj_win_perfmon_index",flag_macro_msg,NULL) \
| stats values(all_indexes) AS all_indexes,values(winevents_*) AS winevents_*,values(winperf_*) AS winperf_*,values(winad_*) AS winad_*,values(winapi_*) AS winapi_*, max(flag_macro) AS flag_all \
| eval flag_all_msg=case(flag_all="2","Warning: Some or all indexes are missing",flag_all="1","Warning: Indexes created but some or all missing data",flag_all="0","OK: All Indexes Created and have some Data") \
| eval flag_chk_ko=if(flag_all="0","chk_d_ko_n","chk_d_ko_y") \
| eval flag_chk_idx=if(flag_all="0","chk_d_crt_idx_n","chk_d_crt_idx_y") \
| eval idx_filt="^".mvjoin(all_indexes,"$|^")."$" \
| table flag_all,flag_all_msg,flag_chk_ko,flag_chk_idx,winevents_*,winperf_*,winapi_*,winad_*,idx_filt
iseval = 0

[ms_ad_obj_cfg_idx_filter]
definition = `ms_ad_obj_cfg_idx_base`\
| stats values(index) AS index
iseval = 0

[ms_ad_obj_cfg_idx_base]
definition = rest /servicesNS/nobody/ms_windows_ad_objects/configs/conf-macros/ splunk_server=local \
| fields title,eai:acl.app,definition\
| search eai:acl.app="ms_windows_ad_objects" title IN("ms__obj_win_perfmon_index","ms__obj_win_ad_index","ms__obj_win_events_index","ms__obj_win_api_index")\
| rex field=definition max_match=0 "index(\\=|\\=\\s+|\\s+\\=|\\s+\\=\\s+)(\"|)(?<index>[^(\"|\s|$)]+)"\
| rename title AS macro_name,definition as macro_definition
iseval = 0

[ms_ad_obj_cfg_idx_avail]
definition = eventcount summarize=false index=[| `ms_ad_obj_cfg_idx_filter`] \
| eval link="link"\
| join type=left link [| rest /servicesNS/nobody/ splunk_server=local | search title="splunkclouduf" | eval link="link",cld="t"]\
| eval svr_filt=if(isnull(cld),".+","^(idx|si)"),index_flag=0\
| where match(server, svr_filt)\
| stats sum(count) AS Total_Events by index,index_flag
# Old - rest /servicesNS/-/-/data/indexes splunk_server=local \
##| fields title,currentDBSizeMB\
##| rename title AS index\
##| search [|`ms_ad_obj_cfg_idx_filter`|format| table search] \
##| eval index_flag="0"\
##| table index,currentDBSizeMB,index_flag
iseval = 0

[ms_ad_obj_cfg_idx_data]
definition = tstats count WHERE [|`ms_ad_obj_cfg_idx_filter`|format| table search] BY index, sourcetype \
| eval cmb=(((sourcetype . "(") . tostring(count,"commas")) . ")")\
| stats sum(count) AS Total_Events,values(cmb) AS cmb by index \
| eval cmb=mvjoin(cmb,"|"),data_flag="0"\
| table index,Total_Events,cmb,data_flag
iseval = 0

[ms_ad_obj_cfg_idx_data(1)]
args = ms_obj_indexes
definition = tstats count WHERE [|makeresults | eval index="$ms_obj_indexes$"| makemv delim="|" index | stats values(index) AS index | table index | format] BY index, sourcetype \
| eval cmb=(((sourcetype . "(") . tostring(count,"commas")) . ")")\
| stats sum(count) AS Total_Events,values(cmb) AS cmb by index \
| eval cmb=mvjoin(cmb,"|"),data_flag="0"\
| table index,Total_Events,cmb,data_flag
iseval = 0

[ms_ad_obj_cfg_idx_avail(1)]
args = ms_obj_indexes
definition = eventcount summarize=false index=[| `ms_ad_obj_cfg_idx_filter`]\
| eval link="link"\
| join type=left link [| rest /servicesNS/nobody/ splunk_server=local | search title="splunkclouduf" | eval link="link",cld="t"]\
| eval svr_filt=if(isnull(cld),".+","^(idx|si)"),index_flag=0\
| where match(server, svr_filt) AND match(index,"$ms_obj_indexes$")\
| stats sum(count) AS Total_Events by index,index_flag
iseval = 0

[ms_obj_cfg_macro_chk_filter(1)]
args = ms_obj_indexes
definition = join type=left index [| `ms_ad_obj_cfg_idx_avail("$ms_obj_indexes$")` ]\
| join type=left index [| `ms_ad_obj_cfg_idx_data("$ms_obj_indexes$")` ]\
| sort flag,-Total_Events\
| eval Total_Sourcetypes=if(isnull(cmb),0,mvcount(cmb))\
| eval flag=if(isnull(index_flag),2,if(isnull(Total_Events),2,if(Total_Events>1,if(isnull(data_flag),1,0),1)))\
| fillnull 0 Total_Events\
| eval flag_msg=case(flag=2,"index Not Created: ".index,flag=1,"Missing Index Data: ".index,flag=0,"OK: ".index)\
| rename index as macro_index, cmb as sourcetypes\
| fillnull value=0 Total_Events\
| eval sourcetypes=if(isnull(sourcetypes),flag_msg,sourcetypes)\
| makemv delim="|" sourcetypes\
| sort -flag macro_name\
| table macro_name,macro_definition,macro_index,flag,flag_msg,Total_Events,sourcetypes
iseval = 0

[ms_obj_cfg_macro_chk(1)]
args = idx_filt
definition = `ms_ad_obj_cfg_idx_base` \
| mvexpand index \
| join type=left index \
    [| `ms_ad_obj_cfg_idx_avail("$idx_filt$")` ]\
| eval flag=if(isnull(index_flag),2,if(isnull(Total_Events),2,if(Total_Events>1,0,1)))\
| fillnull value=0 Total_Events\
| eval flag_msg=case(flag=2,"index Not Created: ".index,flag=1,"Missing Index Data: ".index,flag=0,"OK: ".index) \
| rename index as macro_index\
| eval missing_indexes=if(flag="2",macro_index,NULL),missing_data_indexes=if(flag="1",macro_index,NULL)\
| sort -flag macro_name \
| stats values(macro_index) AS macro_indexes,values(missing_indexes) AS missing_indexes,values(missing_data_indexes) AS missing_data_indexes,max(flag) AS flag,max(Total_Events) AS Total_Events by macro_name,macro_definition\
| eval flag_macro=flag,all_indexes=macro_indexes,macro_indexes=mvjoin(macro_indexes,","),missing_indexes=mvjoin(missing_indexes,","),missing_data_indexes=mvjoin(missing_data_indexes,",")\
| eval flag_macro_msg=case(flag_macro=="2","Warning: Missing Indexes (".missing_indexes.")",flag_macro=="1","Warning: Missing Data (".missing_data_indexes.")",flag_macro=="0","Ok: Indexes Created and have Data")\
| eval winevents_def=if(macro_name=="ms__obj_win_events_index",macro_definition,NULL),winevents_idxs=if(macro_name=="ms__obj_win_events_index",macro_indexes,NULL),winevents_mb=if(macro_name=="ms__obj_win_events_index",Total_Events,NULL),winevents_flag=if(macro_name=="ms__obj_win_events_index",flag_macro,NULL),winevents_flag_msg=if(macro_name=="ms__obj_win_events_index",flag_macro_msg,NULL)\
| eval winapi_def=if(macro_name=="ms__obj_win_api_index",macro_definition,NULL),winapi_idxs=if(macro_name=="ms__obj_win_api_index",macro_indexes,NULL),winapi_mb=if(macro_name=="ms__obj_win_api_index",Total_Events,NULL),winapi_flag=if(macro_name=="ms__obj_win_api_index",flag_macro,NULL),winapi_flag_msg=if(macro_name=="ms__obj_win_api_index",flag_macro_msg,NULL)\
| eval winad_def=if(macro_name=="ms__obj_win_ad_index",macro_definition,NULL),winad_idxs=if(macro_name=="ms__obj_win_ad_index",macro_indexes,NULL),winad_mb=if(macro_name=="ms__obj_win_ad_index",Total_Events,NULL),winad_flag=if(macro_name=="ms__obj_win_ad_index",flag_macro,NULL),winad_flag_msg=if(macro_name=="ms__obj_win_ad_index",flag_macro_msg,NULL)\
| eval winperf_def=if(macro_name=="ms__obj_win_perfmon_index",macro_definition,NULL),winperf_idxs=if(macro_name=="ms__obj_win_perfmon_index",macro_indexes,NULL),winperf_mb=if(macro_name=="ms__obj_win_perfmon_index",Total_Events,NULL),winperf_flag=if(macro_name=="ms__obj_win_perfmon_index",flag_macro,NULL),winperf_flag_msg=if(macro_name=="ms__obj_win_perfmon_index",flag_macro_msg,NULL)\
| stats values(all_indexes) AS all_indexes,values(winevents_*) AS winevents_*,values(winperf_*) AS winperf_*,values(winad_*) AS winad_*,values(winapi_*) AS winapi_*, max(flag_macro) AS flag_all\
| eval flag_all_msg=case(flag_all="2","Warning: Some or all indexes are missing",flag_all="1","Warning: Indexes created but some or all missing data",flag_all="0","OK: All Indexes Created and have some Data")\
| eval flag_chk_ko=if(flag_all="0","chk_d_ko_n","chk_d_ko_y")\
| eval flag_chk_idx=if(flag_all="0","chk_d_crt_idx_n","chk_d_crt_idx_y")\
| eval idx_filt="^".mvjoin(all_indexes,"$|^")."$"\
| table flag_all,flag_all_msg,flag_chk_ko,flag_chk_idx,winevents_*,winperf_*,winapi_*,winad_*,idx_filt
iseval = 0

[ms_obj_cfg_macro_chk(2)]
args = idx_filt,srch_trigger
definition = `ms_ad_obj_cfg_idx_base` \
| mvexpand index \
| join type=left index \
    [| `ms_ad_obj_cfg_idx_avail("$idx_filt$")` ] \
| sort flag \
| eval srch_trigger="$srch_trigger$"\
| eval flag=if(isnull(index_flag),2,if(isnull(Total_Events),2,if(Total_Events>1,0,1)))\
| fillnull value=0 Total_Events\
| eval flag_msg=case(flag=2,"index Not Created: ".index,flag=1,"Missing Index Data: ".index,flag=0,"OK: ".index) \
| rename index as macro_index\
| eval missing_indexes=if(flag="2",macro_index,NULL),missing_data_indexes=if(flag="1",macro_index,NULL)\
| sort -flag macro_name \
| stats values(macro_index) AS macro_indexes,values(missing_indexes) AS missing_indexes,values(missing_data_indexes) AS missing_data_indexes,max(flag) AS flag,max(Total_Events) AS Total_Events by macro_name,macro_definition\
| eval flag_macro=flag,all_indexes=macro_indexes,macro_indexes=mvjoin(macro_indexes,","),missing_indexes=mvjoin(missing_indexes,","),missing_data_indexes=mvjoin(missing_data_indexes,",")\
| eval flag_macro_msg=case(flag_macro=="2","Warning: Missing Indexes (".missing_indexes.")",flag_macro=="1","Warning: Missing Data (".missing_data_indexes.")",flag_macro=="0","Ok: Indexes Created and have Data")\
| eval winevents_def=if(macro_name=="ms__obj_win_events_index",macro_definition,NULL),winevents_idxs=if(macro_name=="ms__obj_win_events_index",macro_indexes,NULL),winevents_mb=if(macro_name=="ms__obj_win_events_index",Total_Events,NULL),winevents_flag=if(macro_name=="ms__obj_win_events_index",flag_macro,NULL),winevents_flag_msg=if(macro_name=="ms__obj_win_events_index",flag_macro_msg,NULL)\
| eval winapi_def=if(macro_name=="ms__obj_win_api_index",macro_definition,NULL),winapi_idxs=if(macro_name=="ms__obj_win_api_index",macro_indexes,NULL),winapi_mb=if(macro_name=="ms__obj_win_api_index",Total_Events,NULL),winapi_flag=if(macro_name=="ms__obj_win_api_index",flag_macro,NULL),winapi_flag_msg=if(macro_name=="ms__obj_win_api_index",flag_macro_msg,NULL)\
| eval winad_def=if(macro_name=="ms__obj_win_ad_index",macro_definition,NULL),winad_idxs=if(macro_name=="ms__obj_win_ad_index",macro_indexes,NULL),winad_mb=if(macro_name=="ms__obj_win_ad_index",Total_Events,NULL),winad_flag=if(macro_name=="ms__obj_win_ad_index",flag_macro,NULL),winad_flag_msg=if(macro_name=="ms__obj_win_ad_index",flag_macro_msg,NULL)\
| eval winperf_def=if(macro_name=="ms__obj_win_perfmon_index",macro_definition,NULL),winperf_idxs=if(macro_name=="ms__obj_win_perfmon_index",macro_indexes,NULL),winperf_mb=if(macro_name=="ms__obj_win_perfmon_index",Total_Events,NULL),winperf_flag=if(macro_name=="ms__obj_win_perfmon_index",flag_macro,NULL),winperf_flag_msg=if(macro_name=="ms__obj_win_perfmon_index",flag_macro_msg,NULL)\
| stats values(all_indexes) AS all_indexes,values(winevents_*) AS winevents_*,values(winperf_*) AS winperf_*,values(winad_*) AS winad_*,values(winapi_*) AS winapi_*, max(flag_macro) AS flag_all\
| eval flag_all_msg=case(flag_all="2","Warning: Some or all indexes are missing",flag_all="1","Warning: Indexes created but some or all missing data",flag_all="0","OK: All Indexes Created and have some Data")\
| eval flag_chk_ko=if(flag_all="0","chk_d_ko_n","chk_d_ko_y")\
| eval flag_chk_idx=if(flag_all="0","chk_d_crt_idx_n","chk_d_crt_idx_y")\
| eval idx_filt="^".mvjoin(all_indexes,"$|^")."$"\
| table flag_all,flag_all_msg,flag_chk_ko,flag_chk_idx,winevents_*,winperf_*,winapi_*,winad_*,idx_filt
iseval = 0

[ms_obj_cfg_macro_chk_h]
definition = `ms_ad_obj_cfg_idx_base`\
| mvexpand index\
| join type=left index\
    [|`ms_ad_obj_cfg_idx_avail`]\
| fillnull value=0 Total_Events\
| fillnull value=1 index_flag\
| eval miss_idx=if(index_flag=0,NULL,index),nd_idx=if(Total_Events=0,index,NULL)\
| eval h_mac_flg=case(index_flag=0 AND Total_Events>0,"0",index_flag=0 AND Total_Events=0,"1",index_flag!=0,"2")\
| eval h_idx_val=case(h_mac_flg=0,index." (".tostring(Total_Events,"commas").")",h_mac_flg=1,index." (0)",h_mac_flg=2,index." (missing)")\
| stats values(miss_idx) AS miss_idx,values(nd_idx) AS nd_idx,max(h_mac_flg) AS h_mac_flg,max(index_flag) AS index_flag,sum(Total_Events) AS Total_Events,values(h_idx_val) AS h_idx_val,values(index) AS index by macro_name,macro_definition\
| eval h_mac_st=case(h_mac_flg=0,"idxs_ok",h_mac_flg=1,"idxs_nd",h_mac_flg==2,"idxs_m")\
| eval h_icon_st=case(h_mac_flg=0,"check-circle idxs_icon_ok",h_mac_flg!=0,"warning idxs_icon_warn")\
| eval h_mac_label=case(macro_name=="ms__obj_win_events_index","Eventlogs",macro_name=="ms__obj_win_perfmon_index","Performance",macro_name=="ms__obj_win_api_index","API/Scripts",macro_name=="ms__obj_win_ad_index","Active Directory")\
| eval h_mac_msg=case(h_mac_flg="0","Ok: Indexes Created and Have Data",h_mac_flg="1","Warning: Indexes Created but missing data (".mvjoin(nd_idx,", ").")",h_mac_flg="2","Warning: Missing Indexes (".mvjoin(miss_idx,", ").")")\
| eval h_res_row="<tr class=\"tblidxchk_res_row\"><td class=\"chkmac\"><i class=\"icon-".h_icon_st."\"></i><b class=\"m_st_c ".h_mac_st."\">".macro_name."</b></td><td class=\"chkmactype\"><b class=\"m_st_c ".h_mac_st."\">".h_mac_label."(".tostring(Total_Events,"commas").")</b></td><td class=\"chkmacother\"><code>".macro_definition."</code></td><td class=\"chkmacother\"><b class=\"m_st_c ".h_mac_st."\">".mvjoin(h_idx_val,", ")."</b></td><td class=\"chkmacother\"><b class=\"m_st_c ".h_mac_st."\">".h_mac_msg."</b></td></tr>"\
| eval h_mac_nts="<li class=\"mrk_arrow_r\"><div class=\"li_content\"><b class=\"m_st_c ".h_mac_st."\">Indexes: ".mvjoin(index,", ")."</b> - Stores Windows ".h_mac_label." Data (<i> AutoCheck: <b class=\"m_st_c ".h_mac_st."\">".h_mac_msg." </b></i>)</div></li>"\
| stats values(miss_idx) AS miss_idx,values(nd_idx) AS nd_idx,max(h_mac_flg) AS h_mac_flg,values(h_res_row) AS h_res_row,values(h_mac_nts) AS h_mac_nts\
| eval all_mac_st=case(h_mac_flg=0,"a_idxs_o",h_mac_flg=1,"idxs_nd",h_mac_flg=2,"idxs_m")\
| eval all_mac_msg=case(h_mac_flg=0,"Ok: All Indexes Created and Have Data",h_mac_flg=1,"Warning: Indexes missing data (".mvjoin(nd_idx,", ").")",h_mac_flg=2,"Warning: Missing Indexes (".mvjoin(miss_idx,", ").")")\
| eval h_all_msg="<i>Autocheck:</i> <b class=\"ma_st_ci ".all_mac_st."\"> ".all_mac_msg."</b>"\
| eval h_table="<center><h3 style=\"margin: 0px !important;\">Macro to Index Definitions: <i>( Autocheck: <b class=\"ma_st_ci ".all_mac_st."\"> ".all_mac_msg."</b> )</i></h3><h4> Use the below table for verifying the indexes defined in the following macros have been created and are receiving data. <i></i></h4></center><table class=\"tblidxchk\"><tr class=\"tblidxchk_hdr_row\"><th>Macro Name</th><th>Data Type</th><th>Definition</th><th>Indexes Defined</th><th>Indexes Status</th></tr>".mvjoin(h_res_row,"")."</table>"\
| eval h_nt_list="<ul class=\"note_lst\">".mvjoin(h_mac_nts,"")."</ul>"\
| table all_mac_st,h_all_msg,h_table,h_nt_list
iseval = 0

[ms_obj_cfg_macro_chk_h(1)]
args = srch_trigger
definition = `ms_ad_obj_cfg_idx_base`\
| mvexpand index\
| join type=left index\
    [|`ms_ad_obj_cfg_idx_avail`]\
| fillnull value=0 Total_Events\
| fillnull value=1 index_flag\
| eval srch_trigger="$srch_trigger$"\
| eval miss_idx=if(index_flag=0,NULL,index),nd_idx=if(Total_Events=0,index,NULL)\
| eval h_mac_flg=case(index_flag=0 AND Total_Events>0,"0",index_flag=0 AND Total_Events=0,"1",index_flag!=0,"2")\
| eval h_idx_val=case(h_mac_flg=0,index." (".tostring(Total_Events,"commas").")",h_mac_flg=1,index." (0)",h_mac_flg=2,index." (missing)")\
| stats values(miss_idx) AS miss_idx,values(nd_idx) AS nd_idx,max(h_mac_flg) AS h_mac_flg,max(index_flag) AS index_flag,sum(Total_Events) AS Total_Events,values(h_idx_val) AS h_idx_val,values(index) AS index by macro_name,macro_definition\
| eval h_mac_st=case(h_mac_flg=0,"idxs_ok",h_mac_flg=1,"idxs_nd",h_mac_flg==2,"idxs_m")\
| eval h_icon_st=case(h_mac_flg=0,"check-circle idxs_icon_ok",h_mac_flg!=0,"warning idxs_icon_warn")\
| eval h_mac_label=case(macro_name=="ms__obj_win_events_index","Eventlogs",macro_name=="ms__obj_win_perfmon_index","Performance",macro_name=="ms__obj_win_api_index","API/Scripts",macro_name=="ms__obj_win_ad_index","Active Directory")\
| eval h_mac_msg=case(h_mac_flg="0","Ok: Indexes Created and Have Data",h_mac_flg="1","Warning: Indexes Created but missing data (".mvjoin(nd_idx,", ").")",h_mac_flg="2","Warning: Missing Indexes (".mvjoin(miss_idx,", ").")")\
| eval h_res_row="<tr class=\"tblidxchk_res_row\"><td class=\"chkmac\"><i class=\"icon-".h_icon_st."\"></i><b class=\"m_st_c ".h_mac_st."\">".macro_name."</b></td><td class=\"chkmactype\"><b class=\"m_st_c ".h_mac_st."\">".h_mac_label."(".tostring(Total_Events,"commas").")</b></td><td class=\"chkmacother\"><code>".macro_definition."</code></td><td class=\"chkmacother\"><b class=\"m_st_c ".h_mac_st."\">".mvjoin(h_idx_val,", ")."</b></td><td class=\"chkmacother\"><b class=\"m_st_c ".h_mac_st."\">".h_mac_msg."</b></td></tr>"\
| eval h_mac_nts="<li class=\"mrk_arrow_r\"><div class=\"li_content\"><b class=\"m_st_c ".h_mac_st."\">Indexes: ".mvjoin(index,", ")."</b> - Stores Windows ".h_mac_label." Data (<i> AutoCheck: <b class=\"m_st_c ".h_mac_st."\">".h_mac_msg." </b></i>)</div></li>"\
| stats values(miss_idx) AS miss_idx,values(nd_idx) AS nd_idx,max(h_mac_flg) AS h_mac_flg,values(h_res_row) AS h_res_row,values(h_mac_nts) AS h_mac_nts\
| eval all_mac_st=case(h_mac_flg=0,"a_idxs_o",h_mac_flg=1,"idxs_nd",h_mac_flg=2,"idxs_m")\
| eval all_mac_msg=case(h_mac_flg=0,"Ok: All Indexes Created and Have Data",h_mac_flg=1,"Warning: Indexes missing data (".mvjoin(nd_idx,", ").")",h_mac_flg=2,"Warning: Missing Indexes (".mvjoin(miss_idx,", ").")")\
| eval h_all_msg="<i>Autocheck:</i> <b class=\"ma_st_ci ".all_mac_st."\"> ".all_mac_msg."</b>"\
| eval h_table="<center><h3 style=\"margin: 0px !important;\">Macro to Index Definitions: <i>( Autocheck: <b class=\"ma_st_ci ".all_mac_st."\"> ".all_mac_msg."</b> )</i></h3><h4> Use the below table for verifying the indexes defined in the following macros have been created and are receiving data. <i></i></h4></center><table class=\"tblidxchk\"><tr class=\"tblidxchk_hdr_row\"><th>Macro Name</th><th>Data Type</th><th>Definition</th><th>Indexes Defined</th><th>Indexes Status</th></tr>".mvjoin(h_res_row,"")."</table>"\
| eval h_nt_list="<ul class=\"note_lst\">".mvjoin(h_mac_nts,"")."</ul>"\
| table all_mac_st,h_all_msg,h_table,h_nt_list
iseval = 0

##============================================================##
##---------------- MULTI-DOMAIN - SPLIT KV Macros ------------##
##============================================================##
##--- Used for splitting User, Group, Computer Lookups out ---##
##--- by AD Domain 										   ---##
##============================================================##
##============================================================##
###-----------------------------------------###
#--- 	Initial Lookup Build Macros    	   ---#
#--- 		MULTI-DOMAIN - KV Split    	   ---#
#--- 	Only for User, Groups, Computers   ---#
###-----------------------------------------###
## 	- Initial Build and Output
## Arguments = Domain NetBIOS Name, Domain's DC Value (from objectCategory), target object lowercase,target Object uppercase
## 		- Example - Update User - Domain 1 = `ms_obj_md_admon_bld_init_out("sedemo","sedemo.local",user,User)`
## 			- Example - Update User - Domain 2 = `ms_obj_md_admon_bld_init_out("hdq_corp","hdq_corp.sedemo.local",user,User)`
## 		- Example - Update Group - Domain 1 = `ms_obj_md_admon_bld_init_out("sedemo","sedemo.local",group,Group)`
## 			- Example - Update Group - Domain 2 = `ms_obj_md_admon_bld_init_out("hdq_corp","hdq_corp.sedemo.local",group,Group)`
## 		- Example - Update Computer - Domain 1 = `ms_obj_md_admon_bld_init_out("sedemo","sedemo.local",computer,Computer)`
## 			- Example - Update Computer - Domain 2 = `ms_obj_md_admon_bld_init_out("hdq_corp","hdq_corp.sedemo.local",computer,Computer)`
[ms_obj_md_admon_bld_init_out_no_sync(4)]
args = tgt_kv_suffix,tgt_dc_val,tok_obj_l_abrv,tok_obj_u_abrv
definition = `ms_obj_admon_flt_obj_type(ms_obj_md_admon_$tok_obj_l_abrv$("$tgt_dc_val$"),ms_obj_admon_base_a_type)` \
| `ms_obj_admon_base_out_$tok_obj_l_abrv$`\
| stats values(*) AS * by key_val\
| eval _key=key_val\
| outputlookup AD_Obj_$tok_obj_u_abrv$_$tgt_kv_suffix$
iseval = 0

[ms_obj_admon_bld_init_out(4)]
args = tgt_kv_suffix,tgt_dc_val,tok_obj_l_abrv,tok_obj_u_abrv
definition = `ms_obj_admon_flt_obj_type(ms_obj_md_admon_$tok_obj_l_abrv$("$tgt_dc_val$"),ms_obj_admon_base_a_type)` [search `ms_obj_admon_get_begin_sync_t(ms_obj_admon_$tok_obj_l_abrv$("$tgt_dc_val$"),"build")`]\
| `ms_obj_admon_base_out_$tok_obj_l_abrv$`\
| stats values(*) AS * by key_val\
| eval _key=key_val\
| outputlookup AD_Obj_$tok_obj_u_abrv$_$tgt_kv_suffix$ append=true
iseval = 0

##		- Initial Admin Audit Lookup
##[ms_obj_md_winevt_init_admin_audit(2)]
##args = tgt_domain,tgt_kv_suffix
##definition = `ms_obj_md_winevt_base_out_admin_audit("$tgt_domain$","$tgt_kv_suffix$")`\
##| stats values(*) AS * by key_val\
##| eval _key=key_val\
##| outputlookup AD_Obj_Admin_Audit
##iseval = 0

###-----------------------------------------###
#--- 		Scheduled Update Macros    	   ---#
#--- 		MULTI-DOMAIN - KV Split    	   ---#
###-----------------------------------------###
##	- MULTI-DOMAIN SPLIT - Update Build and Output
## Arguments = Domain NetBIOS Name, Domain's DC Value (from objectCategory), target object lowercase,target Object uppercase
## 		- Example - Update User - Domain 1 = `ms_obj_md_admon_bld_upd_out("sedemo","sedemo.local",user,User)`
## 			- Example - Update User - Domain 2 = `ms_obj_md_admon_bld_upd_out("hdq_corp","hdq_corp.sedemo.local",user,User)`
## 		- Example - Update Group - Domain 1 = `ms_obj_md_admon_bld_upd_out("sedemo","sedemo.local",group,Group)`
## 			- Example - Update Group - Domain 2 = `ms_obj_md_admon_bld_upd_out("hdq_corp","hdq_corp.sedemo.local",group,Group)`
## 		- Example - Update Computer - Domain 1 = `ms_obj_md_admon_bld_upd_out("sedemo","sedemo.local",computer,Computer)`
## 			- Example - Update Computer - Domain 2 = `ms_obj_md_admon_bld_upd_out("hdq_corp","hdq_corp.sedemo.local",computer,Computer)`
[ms_obj_md_admon_bld_upd_out(4)]
args = tgt_kv_suffix,tgt_dc_val,tok_obj_l_abrv,tok_obj_u_abrv
definition = `ms_obj_admon_flt_obj_type(ms_obj_md_admon_$tok_obj_l_abrv$("$tgt_dc_val$"),ms_obj_admon_base_a_type)`\
| `ms_obj_admon_base_out_$tok_obj_l_abrv$`\
| `ms_obj_md_admon_base_hist_$tok_obj_l_abrv$("$tgt_kv_suffix$")`\
| eval _key=objectGUID."#".DomainDNSName\
| outputlookup AD_Obj_$tok_obj_u_abrv$_$tgt_kv_suffix$ append=true
iseval = 0
## - MULTI-DOMAIN SPLIT - Update Admin Audit Lookup
##[ms_obj_md_winevt_upd_admin_audit(2)]
##args = tgt_domain,tgt_kv_suffix
##definition = `ms_obj_md_winevt_base_out_admin_audit("$tgt_domain$","$tgt_kv_suffix$")`\
##| stats values(*) AS * by key_val\
##| eval _key=key_val\
##| outputlookup AD_Obj_Admin_Audit append=true
##iseval = 0

## - Multi-Domain Split - Admin Audit Lookup - Build and Update ##
##[ms_obj_md_winevt_base_out_admin_audit(2)]
##args = tgt_domain,tgt_kv_suffix
##definition = `ms_obj_changes_base_all` "$tgt_domain$"\
##| fields src_user, _time, src_nt_domain,dest_nt_domain\
##| eval domain=if(isnull(src_nt_domain),if(isnull(dest_nt_domain),"",lower(dest_nt_domain)),lower(src_nt_domain))\
##| search (domain="$tgt_domain$" OR domain="")
##| eval src_user=lower(src_user)\
##| stats latest(_time) as last_time_utc by src_user,domain\
##| lookup AD_Obj_User_$tgt_kv_suffix$ sAMAccountName as src_user OUTPUT sAMAccountName as admin_user,domain as admin_domain,dn as admin_dn,dn_path as admin_dn_path,cn as admin_cn,objectGUID as admin_objectGUID,userPrincipalName AS admin_userPrincipalName\
##| eval last_time_string=strftime(last_time_utc,"%m/%d/%y %H:%M:%S")\
##| fillnull value="" admin_dn,admin_dn_hist,admin_dn_path,admin_cn,admin_userPrincipalName\
##| stats values(*) AS * by admin_objectGUID,admin_domain\
##| eval key_val=lower(admin_objectGUID)."#".lower(admin_domain)
##iseval = 0

##- - MULTI-DOMAIN SPLIT - admon - Filter components - Object Type
[ms_obj_md_admon_base_a_obj(1)]
args = tgt_dc_val
definition = `ms_obj_admon_base` dc_val="$tgt_dc_val$" ("objectClass=top|person|organizationalPerson|user" OR "objectClass=top|group" OR "objectClass=top|container|groupPolicyContainer" OR (("objectClass=top|organizationalUnit") OR ("objectClass=top|container" NOT "CN=Policies," NOT "CN=DomainUpdates")))
iseval = 0

[ms_obj_md_admon_user(1)]
args = tgt_dc_val
definition = `ms_obj_admon_base` dc_val="$tgt_dc_val$" "objectClass=top|person|organizationalPerson|user" NOT "objectClass=top|person|organizationalPerson|user|computer"
iseval = 0

[ms_obj_md_admon_group(1)]
args = tgt_dc_val
definition = `ms_obj_admon_base` dc_val="$tgt_dc_val$" "objectClass=top|group"
iseval = 0

[ms_obj_md_admon_computer(1)]
args = tgt_dc_val
definition = `ms_obj_admon_base` dc_val="$tgt_dc_val$" "objectClass=top|person|organizationalPerson|user|computer"
iseval = 0

## MULTI-DOMAIN - History Update ##
[ms_obj_md_admon_base_hist_user(1)]
args = tgt_kv_suffix
definition = lookup AD_Obj_User_$tgt_kv_suffix$ domain,objectGUID OUTPUT lookup_usr AS p_lookup_usr\
| eval lookup_usr=if(isnull(p_lookup_usr),mvjoin(lookup_usr,"|"),mvjoin(lookup_usr,"|")."|".mvjoin(p_lookup_usr,"|"))\
| eval key_val=((objectGUID . "#") . DomainDNSName)\
| makemv delim="|" lookup_usr\
| fields - p_lookup_usr\
| stats values(*) AS * by key_val
iseval = 0

[ms_obj_md_admon_base_hist_group(1)]
args = tgt_kv_suffix
definition = lookup AD_Obj_Group_$tgt_kv_suffix$ domain,objectGUID OUTPUT lookup_grp AS p_lookup_grp\
| eval lookup_grp=if(isnull(p_lookup_grp),mvjoin(lookup_grp,"|"),mvjoin(lookup_grp,"|")."|".mvjoin(p_lookup_grp,"|"))\
| eval key_val=((objectGUID . "#") . DomainDNSName)\
| makemv delim="|" lookup_grp\
| fields - p_lookup_grp\
| stats values(*) AS * by key_val
iseval = 0

[ms_obj_md_admon_base_hist_computer(1)]
args = tgt_kv_suffix
definition = lookup AD_Obj_Computer_$tgt_kv_suffix$ domain objectGUID OUTPUT lookup_cmp AS p_lookup_cmp\
| eval lookup_cmp=if(isnull(p_lookup_cmp),mvjoin(lookup_cmp,"|"),mvjoin(lookup_cmp,"|")."|".mvjoin(p_lookup_cmp,"|"))\
| eval key_val=((objectGUID . "#") . DomainDNSName)\
| makemv delim="|" lookup_cmp\
| fields - p_lookup_cmp\
| stats values(*) AS * by key_val
iseval = 0

###-----------------------------------------###
#--- 	User,Group,Computer Changes Macros ---#
#--- 		MULTI-DOMAIN - KV Split    	   ---#
###-----------------------------------------###
[ms_obj_md_admin_chg_all(2)]
args = tgt_domain,tgt_user_lookup
definition = `ms_obj_changes_base_all` "$tgt_domain$"\
| fields src_user, _time, src_nt_domain,dest_nt_domain\
| eval domain=if(isnull(src_nt_domain),if(isnull(dest_nt_domain),"",lower(dest_nt_domain)),lower(src_nt_domain))\
| eval src_user=lower(src_user)\
| stats latest(_time) as last_time_utc by src_user,domain\
| lookup $tgt_user_lookup$ sAMAccountName as src_user OUTPUT sAMAccountName as admin_user,domain as admin_domain,dn as admin_dn,dn_path as admin_dn_path,cn as admin_cn,objectGUID as admin_objectGUID,userPrincipalName AS admin_userPrincipalName\
| eval last_time_string=strftime(last_time_utc,"%m/%d/%y %H:%M:%S")\
| fillnull value="" admin_dn,admin_dn_hist,admin_dn_path,admin_cn,admin_userPrincipalName\
| stats values(*) AS * by admin_objectGUID,admin_domain\
| eval key_val=lower(admin_objectGUID)."#".lower(admin_domain)
iseval = 0

[ms_obj_md_admin_chg_all(1)]
args = tgt_user_lookup
definition = `ms_obj_changes_base_all`\
| fields src_user, _time, src_nt_domain,dest_nt_domain\
| eval domain=if(isnull(src_nt_domain),if(isnull(dest_nt_domain),"",lower(dest_nt_domain)),lower(src_nt_domain))\
| eval src_user=lower(src_user)\
| stats latest(_time) as last_time_utc by src_user,domain\
| lookup $tgt_user_lookup$ sAMAccountName as src_user OUTPUT sAMAccountName as admin_user,domain as admin_domain,dn as admin_dn,dn_path as admin_dn_path,cn as admin_cn,objectGUID as admin_objectGUID,userPrincipalName AS admin_userPrincipalName\
| eval last_time_string=strftime(last_time_utc,"%m/%d/%y %H:%M:%S")\
| fillnull value="" admin_dn,admin_dn_hist,admin_dn_path,admin_cn,admin_userPrincipalName\
| stats values(*) AS * by admin_objectGUID,admin_domain\
| eval key_val=lower(admin_objectGUID)."#".lower(admin_domain)

[ms_obj_md_user_change_out(1)]
args = user_lookup
definition = fields _time,src_user,user,user_type,user_obj_lkp,msad_action,MSADChanges,src_nt_domain,dest_nt_domain,signature,change_signature,MSADChangedAttributes,Correlation_ID,AttributeLDAPDisplayName,AttributeValue,DN,Old_DN,New_DN,dir_svcs_action\
| eval adminuser=if(isnull(src_nt_domain),src_user,upper(src_nt_domain)."\\".src_user)\
| eval user_obj_lkp=if(user_type="computer",NULL,if(isnull(user_obj_lkp),if(isnull(DN),if(isnull(Old_DN),if(isnull(New_DN),lower(user),lower(New_DN)),lower(Old_DN)),lower(DN)),lower(user_obj_lkp)))\
| lookup $user_lookup$ lookup_usr AS user_obj_lkp OUTPUT sAMAccountName AS b_user_obj_sam,cn AS b_user_obj_cn\
| eval user=if(isnull(b_user_obj_sam),if(isnull(b_user_obj_cn),if(isnull(user_obj_lkp),if(isnull(user),"NA",lower(user)),lower(user_obj_lkp)),lower(b_user_obj_cn)),lower(b_user_obj_sam))\
| eval dest_user_subject=if(isnull(dest_nt_domain),user,dest_nt_domain."\\".lower(user))\
| `ms_obj_msad_changed_attr_sum`\
| stats count, list(Change_Summary) AS Change_Summary, list(Change_Details) AS Change_Details,values(Correlation_ID) AS Correlation_IDs by _time,src_user,adminuser,msad_action,dest_user_subject,user\
| eval Change_Details=if(isnull(Change_Details),"Unknown Changes",Change_Details)\
| table _time,src_user,adminuser,msad_action,user,dest_user_subject,Correlation_IDs,Change_Summary,Change_Details
iseval = 0

[ms_obj_md_user_change_cmb(1)]
args = user_lookup
definition = fields _time,src_user,obj_type,user,user_type,user_obj_lkp,user_obj_dn,msad_action,MSADChanges,src_nt_domain,dest_nt_domain,signature,change_signature,MSADChangedAttributes,Correlation_ID,AttributeLDAPDisplayName,AttributeValue,DN,Old_DN,New_DN,dir_svcs_action,Old_Account_Name,New_Account_Name\
| eval time_group=strftime(_time,"%m/%d/%y %I:%M %P") \
| eval adminuser=if(isnull(src_nt_domain),src_user,upper(src_nt_domain)."\\".src_user) \
| eval user_obj_lkp=if(isnull(user_obj_lkp),if(isnull(DN),if(isnull(Old_DN),if(isnull(New_DN),lower(user),lower(New_DN)),lower(Old_DN)),lower(DN)),lower(user_obj_lkp))\
| lookup $user_lookup$ lookup_usr AS user_obj_lkp OUTPUT sAMAccountName AS b_user_obj_sam,cn AS b_user_obj_cn \
| eval user=if(isnull(b_user_obj_sam),if(isnull(b_user_obj_cn),if(isnull(user_obj_lkp),if(isnull(user),"NA",lower(user)),lower(mvindex(user_obj_lkp,0))),lower(mvindex(b_user_obj_cn,0))),lower(mvindex(b_user_obj_sam,0))) \
| eval dest_user_subject=if(isnull(dest_nt_domain),lower(user),lower(dest_nt_domain)."\\".lower(user)) \
| eval change_action=if(isnull(msad_action),if(isnull(dir_svcs_action),"NA",dir_svcs_action),if(isnull(dir_svcs_action) OR dir_svcs_action=="Unknown",trim(msad_action),msad_action." (".dir_svcs_action.")")) \
| eval signature=if(isnull(change_signature),signature,change_signature) \
| eval ad_chg=if(isnull(AttributeLDAPDisplayName),if(isnotnull(New_Account_Name),"renm",if(msad_action=="moved","mv",if(isnull(MSADChanges),0,"MSADChanges"))),len(AttributeLDAPDisplayName)),ln_chg_attr=if(isnull(MSADChangedAttributes),0,len(MSADChangedAttributes)) \
| eval mvd=if(ad_chg=="mv","From: ".Old_DN."########      - To:   ".New_DN,"") \
| eval renm=if(ad_chg=="renm","Account Rename:########          - From: ".Old_Account_Name."########          - To:   ".New_Account_Name,"") \
| eval MSADChanges=if(ad_chg=="0","",if(ad_chg=="renm",renm,if(ad_chg=="mv",mvd,if(ad_chg=="MSADChanges",MSADChanges,if(isnull(AttributeValue) OR AttributeValue="-" OR AttributeValue="","",AttributeLDAPDisplayName.": ".AttributeValue))))) \
| eval MSADChangedAttributes=if(ln_chg_attr=0,"",replace(replace("########      - ".mvjoin(MSADChangedAttributes,"########      - "), "(?msi)\r\s+|\n\s+", "########      - "),"(?:\:)(\s\s+|\t)",": ")) \
| eval MSADChanges=if(ad_chg=0 AND ln_chg_attr=0,"",if(ln_chg_attr=0,"########      - ".MSADChanges,if(ad_chg=0,MSADChangedAttributes,MSADChangedAttributes."########      - ".MSADChanges))) \
| eval MSADChanges=replace(MSADChanges,"\:(\s+|\t+|)########\s+\-",":########          -")\
| stats count, values(MSADChanges) AS MSADChanges,values(MSADChangedAttributes) AS MSADChangedAttributes,values(Correlation_ID) AS Correlation_IDs,values(msad_action) AS msad_action,values(signature) AS Signature by time_group,src_user,adminuser,dest_user_subject,user,change_action\
| eval Change_Details=if(len(MSADChanges)=0 OR mvcount(MSADChanges)=0 OR isnull(MSADChanges),NULL,"########   - Action: ".change_action."".mvjoin(MSADChanges,""))\
| stats count, values(Change_Details) AS Change_Details,values(msad_action) AS msad_action,values(change_action) AS change_action,values(Correlation_IDs) AS Correlation_IDs,values(Signature) AS Signature by time_group,src_user,adminuser,dest_user_subject,user \
| where src_user!=user \
| eval Correlation_ID_sum=if(isnull(Correlation_IDs),"",if(mvcount(Correlation_IDs)>1,"########   - Correlation IDs:########      - ".mvjoin(Correlation_IDs,"########      - "),"########   - Correlation IDs:########      - ".Correlation_IDs)) \
| eval Change_Actions=if(mvcount(msad_action)>1,"Actions:########   - ".mvjoin(msad_action,"########   - "),"Actions:########   - ".msad_action) \
| eval Change_Summary="########(".time_group.")########   - Signatures:########      - ".mvjoin(Signature,"########      - ")."".Correlation_ID_sum \
| eval Change_Details=if(isnull(Change_Details),Change_Summary,Change_Summary."########   Change_Details:########".mvjoin(Change_Details,"")) \
| makemv delim="########" Change_Details \
| eval Change_Details=mvfilter(NOT match(Change_Details, ":(\s*\-\s*)$"))\
| makemv delim="########" Change_Summary \
| makemv delim="########" Change_Actions \
| table time_group,src_user,adminuser,msad_action,user,dest_user_subject,Correlation_IDs,Change_Actions,Change_Summary,Change_Details
iseval = 0

[ms_obj_md_computer_change_out(1)]
args = computer_lookup
definition = fields _time,src_user,user,user_type,comp_obj_dn,comp_obj_sam,msad_action,src_nt_domain,dest_nt_domain,signature,change_signature,MSADChanges,MSADChangedAttributes,Correlation_ID,AttributeLDAPDisplayName,AttributeValue,DN,Old_DN,New_DN,dir_svcs_action\
| eval adminuser=if(isnull(src_nt_domain),src_user,upper(src_nt_domain)."\\".src_user)\
| eval comp_obj_lkp=if(isnull(comp_obj_dn),if(isnull(DN),if(isnull(Old_DN),if(isnull(New_DN),if(isnull(comp_obj_sam),lower(user),lower(comp_obj_sam)),lower(New_DN)),lower(Old_DN)),lower(DN)),lower(comp_obj_dn))\
| lookup $computer_lookup$ lookup_cmp AS comp_obj_lkp OUTPUT sAMAccountName AS c_comp_obj_sam\
| eval computer=if(isnull(c_comp_obj_sam),comp_obj_lkp,lower(c_comp_obj_sam))\
| eval dest_comp_subject=if(isnull(dest_nt_domain),computer,dest_nt_domain."\\".lower(computer))\
| `ms_obj_msad_changed_attr_sum`\
| stats count, list(Change_Summary) AS Change_Summary, list(Change_Details) AS Change_Details,values(Correlation_ID) AS Correlation_IDs by _time,src_user,adminuser,change_action,dest_comp_subject,computer\
| eval Change_Details=if(isnull(Change_Details),"Unknown Changes",Change_Details)\
| table _time,src_user,adminuser,change_action,computer,dest_comp_subject,Correlation_IDs,Change_Summary,Change_Details
iseval = 0

[ms_obj_md_computer_change_cmb(1)]
args = computer_lookup
definition = fields _time,src_user,obj_type,user,comp_obj_lkp,ComputerName,comp_obj_dn,comp_obj_sam,comp_obj_id,ObjectGuid,msad_action,MSADChanges,src_nt_domain,dest_nt_domain,signature,change_signature,MSADChangedAttributes,Correlation_ID,AttributeLDAPDisplayName,AttributeValue,DN,Old_DN,New_DN,dir_svcs_action,Old_Account_Name,New_Account_Name\
| eval time_group=strftime(_time,"%m/%d/%y %I:%M %P")\
| eval adminuser=if(isnull(src_nt_domain),src_user,upper(src_nt_domain)."\\".src_user)\
| eval comp_obj_lkp=if(isnull(comp_obj_dn),if(isnull(comp_obj_sam),if(isnull(comp_obj_id),if(isnull(comp_obj_lkp),if(isnull(DN),if(isnull(Old_DN),if(isnull(New_DN),if(isnull(user),lower(ComputerName),lower(user)),lower(New_DN)),lower(Old_DN)),lower(DN)),lower(comp_obj_lkp)),lower(comp_obj_id)),lower(comp_obj_sam)),lower(comp_obj_dn))\
| lookup $computer_lookup$ lookup_cmp AS comp_obj_lkp OUTPUT sAMAccountName AS b_comp_obj_sam,cn AS b_comp_obj_cn \
| eval comp_obj_lkp=if(isnull(b_comp_obj_sam),if(isnull(b_comp_obj_cn),if(isnull(comp_obj_lkp),"NA",lower(comp_obj_lkp)),lower(b_comp_obj_cn)),lower(b_comp_obj_sam)) \
| eval change_action=if(isnull(msad_action),if(isnull(dir_svcs_action),"NA",dir_svcs_action),if(isnull(dir_svcs_action) OR dir_svcs_action=="Unknown",trim(msad_action),msad_action." (".dir_svcs_action.")")) \
| eval signature=if(isnull(change_signature),signature,change_signature) \
| eval ad_chg=if(isnull(AttributeLDAPDisplayName),if(isnotnull(New_Account_Name),"renm",if(msad_action=="moved","mv",if(isnull(MSADChanges),0,"MSADChanges"))),len(AttributeLDAPDisplayName)),ln_chg_attr=if(isnull(MSADChangedAttributes),0,len(MSADChangedAttributes)) \
| eval mvd=if(ad_chg=="mv","From: ".Old_DN."########      - To:   ".New_DN,"") \
| eval renm=if(ad_chg=="renm","Computer Rename:########          - From: ".Old_Account_Name."########          - To:   ".New_Account_Name,"") \
| eval MSADChanges=if(ad_chg=="0","",if(ad_chg=="renm",renm,if(ad_chg=="mv",mvd,if(ad_chg=="MSADChanges",MSADChanges,if(isnull(AttributeValue) OR AttributeValue="-" OR AttributeValue="","",AttributeLDAPDisplayName.": ".AttributeValue))))) \
| eval MSADChangedAttributes=if(ln_chg_attr=0,"",replace(replace("########      - ".mvjoin(MSADChangedAttributes,"########      - "), "(?msi)\r\s+|\n\s+", "########      - "),"(?:\:)(\s\s+|\t)",": ")) \
| eval MSADChanges=if(ad_chg=0 AND ln_chg_attr=0,"",if(ln_chg_attr=0,"########      - ".MSADChanges,if(ad_chg=0,MSADChangedAttributes,MSADChangedAttributes."########      - ".MSADChanges))) \
| eval MSADChanges=replace(MSADChanges,"\:(\s+|\t+|)########\s+\-",":########          -") \
| stats count, values(MSADChanges) AS MSADChanges,values(MSADChangedAttributes) AS MSADChangedAttributes,values(Correlation_ID) AS Correlation_IDs,values(msad_action) AS msad_action,values(signature) AS Signature by time_group,src_user,adminuser,comp_obj_lkp,change_action\
| eval Change_Details=if(len(MSADChanges)=0 OR mvcount(MSADChanges)=0 OR isnull(MSADChanges),NULL,"########   - Action: ".change_action."".mvjoin(MSADChanges,""))\
| stats count, values(Change_Details) AS Change_Details,values(msad_action) AS msad_action,values(change_action) AS change_action,values(Correlation_IDs) AS Correlation_IDs,values(Signature) AS Signature by time_group,src_user,adminuser,comp_obj_lkp\
| eval Correlation_ID_sum=if(isnull(Correlation_IDs),"",if(mvcount(Correlation_IDs)>1,"########   - Correlation IDs:########      - ".mvjoin(Correlation_IDs,"########      - "),"########   - Correlation IDs:########      - ".Correlation_IDs)) \
| eval Change_Actions=if(mvcount(msad_action)>1,"Actions:########   - ".mvjoin(msad_action,"########   - "),"Actions:########   - ".msad_action) \
| eval Change_Summary="########(".time_group.")########   - Signatures:########      - ".mvjoin(Signature,"########      - ")."".Correlation_ID_sum \
| eval Change_Details=if(isnull(Change_Details),Change_Summary,Change_Summary."########   Change_Details:########".mvjoin(Change_Details,"")) \
| makemv delim="########" Change_Details \
| eval Change_Details=mvfilter(NOT match(Change_Details, ":(\s*\-\s*)$"))\
| makemv delim="########" Change_Summary \
| makemv delim="########" Change_Actions \
| table time_group,src_user,adminuser,msad_action,comp_obj_lkp,Correlation_IDs,Change_Actions,Change_Summary,Change_Details
iseval = 0

[ms_obj_md_group_change_out(1)]
args = group_lookup
definition = fields _time,src_user,group_obj_lkp,member_obj_lkp,MSADGroupClass,MSADGroupClassID,MSADGroupType,msad_action,src_nt_domain,dest_nt_domain,signature,change_signature,MSADChanges,MSADChangedAttributes,Correlation_ID,AttributeLDAPDisplayName,AttributeValue,DN,Old_DN,New_DN,dir_svcs_action\
| eval adminuser=if(isnull(src_nt_domain),src_user,upper(src_nt_domain)."\\".src_user)\
| eval group_obj_lkp=trim(group_obj_lkp)\
| lookup AD_Audit_Group_Type MSADGroupClassID OUTPUT MSADGroupClass\
| lookup $group_lookup$ lookup_grp AS group_obj_lkp OUTPUT cn AS group_obj_cn, orig_cn AS group_obj_o_cn,MSADGroupClass AS MSADGroupClass_u, MSADGroupType AS MSADGroupType_u\
| eval group_obj_nm=if(isnull(group_obj_o_cn) OR group_obj_o_cn="",if(isnull(group_obj_cn) OR group_obj_cn="",if(isnull(group_obj_lkp),"NA",group_obj_lkp),lower(group_obj_cn)),lower(group_obj_o_cn))\
| eval MSADGroupClass=if(isnull(MSADGroupClass),if(isnull(MSADGroupClass_u),"NA",MSADGroupClass_u),MSADGroupClass)\
| eval MSADGroupType=if(isnull(MSADGroupType),if(isnull(MSADGroupType_u),"NA",MSADGroupType_u),MSADGroupType)\
| `ms_obj_msad_changed_attr_sum`\
| stats count, list(Change_Summary) AS Change_Summary, list(Change_Details) AS Change_Details,values(Correlation_ID) AS Correlation_IDs by _time,src_user,adminuser,change_action,group_obj_nm,MSADGroupType,MSADGroupClass\
| eval Change_Details=if(isnull(Change_Details),"Unknown Changes",Change_Details)\
| table _time,src_user,adminuser,change_action,group_obj_nm,MSADGroupType,MSADGroupClass,Correlation_IDs,Change_Summary,Change_Details
iseval = 0

[ms_obj_md_group_change_cmb(1)]
args = group_lookup
definition = fields _time,src_user,obj_type,Group_Name,group_obj_lkp,group_obj_dn,msad_action,MSADChanges,src_nt_domain,dest_nt_domain,signature,change_signature,MSADChangedAttributes,Correlation_ID,AttributeLDAPDisplayName,AttributeValue,DN,Old_DN,New_DN,dir_svcs_action,Old_Account_Name,New_Account_Name,member_obj_lkp\
| eval time_group=strftime(_time,"%m/%d/%y %I:%M %P")\
| eval adminuser=if(isnull(src_nt_domain),src_user,upper(src_nt_domain)."\\".src_user)\
| eval group_obj_lkp=if(isnull(group_obj_lkp),if(isnull(DN),if(isnull(Old_DN),if(isnull(New_DN),lower(Group_Name),lower(New_DN)),lower(Old_DN)),lower(DN)),lower(group_obj_lkp))\
| eval member_obj_lkp=if(isnull(member_obj_lkp),"",member_obj_lkp)\
| lookup $group_lookup$ lookup_grp AS group_obj_lkp OUTPUT sAMAccountName AS b_group_obj_sam,cn AS b_group_obj_cn\
| eval group=if(isnull(b_user_obj_sam),if(isnull(b_group_obj_cn),if(isnull(group_obj_lkp),if(isnull(group_obj_lkp),"NA",lower(group_obj_lkp)),lower(mvindex(group_obj_lkp,0))),lower(mvindex(b_group_obj_cn,0))),lower(mvindex(b_group_obj_sam,0)))\
| eval change_action=if(isnull(msad_action),if(isnull(dir_svcs_action),"NA",dir_svcs_action),if(isnull(dir_svcs_action) OR dir_svcs_action=="Unknown",trim(msad_action),msad_action." (".dir_svcs_action.")"))\
| eval signature=if(isnull(change_signature),signature,change_signature)\
| eval ad_chg=if(isnull(AttributeLDAPDisplayName),if(isnotnull(New_Account_Name),"renm",if(msad_action=="moved","mv",if(isnull(MSADChanges),0,"MSADChanges"))),len(AttributeLDAPDisplayName)),ln_chg_attr=if(isnull(MSADChangedAttributes),0,len(MSADChangedAttributes))\
| eval mvd=if(ad_chg=="mv","From: ".Old_DN."########      - To:   ".New_DN,"")\
| eval renm=if(ad_chg=="renm","Group Rename:########          - From: ".Old_Account_Name."########          - To:   ".New_Account_Name,"")\
| eval MSADChanges=if(ad_chg=="0","",if(ad_chg=="renm",renm,if(ad_chg=="mv",mvd,if(ad_chg=="MSADChanges",MSADChanges,if(isnull(AttributeValue) OR AttributeValue="-" OR AttributeValue="","",AttributeLDAPDisplayName.": ".AttributeValue)))))\
| eval MSADChangedAttributes=if(ln_chg_attr=0,"",replace(replace("########      - ".mvjoin(MSADChangedAttributes,"########      - "), "(?msi)\r\s+|\n\s+", "########      - "),"(?:\:)(\s\s+|\t)",": "))\
| eval MSADChanges=if(ad_chg=0 AND ln_chg_attr=0,"",if(ln_chg_attr=0,"########      - ".MSADChanges,if(ad_chg=0,MSADChangedAttributes,MSADChangedAttributes."########      - ".MSADChanges)))\
| eval MSADChanges=replace(MSADChanges,"\:(\s+|\t+|)########\s+\-",":########          -")\
| stats count, values(MSADChanges) AS MSADChanges,values(MSADChangedAttributes) AS MSADChangedAttributes,values(Correlation_ID) AS Correlation_IDs,values(msad_action) AS msad_action,values(signature) AS Signature,values(member_obj_lkp) AS member_obj_lkp,values(group_obj_lkp) AS group_obj_lkp by time_group,src_user,adminuser,group,change_action\
| eval Change_Details=if(len(MSADChanges)=0 OR mvcount(MSADChanges)=0 OR isnull(MSADChanges),NULL,"########   - Action: ".change_action."".mvjoin(MSADChanges,""))\
| stats count, values(Change_Details) AS Change_Details,values(msad_action) AS msad_action,values(change_action) AS change_action,values(Correlation_IDs) AS Correlation_IDs,values(Signature) AS Signature,values(member_obj_lkp) AS member_obj_lkp,values(group_obj_lkp) AS group_obj_lkp by time_group,src_user,adminuser,group\
| eval Correlation_ID_sum=if(isnull(Correlation_IDs),"",if(mvcount(Correlation_IDs)>1,"########   - Correlation IDs:########      - ".mvjoin(Correlation_IDs,"########      - "),"########   - Correlation IDs:########      - ".Correlation_IDs))\
| eval Change_Actions=if(mvcount(msad_action)>1,"Actions:########   - ".mvjoin(msad_action,"########   - "),"Actions:########   - ".msad_action)\
| eval Change_Summary="########(".time_group.")########   - Signatures:########      - ".mvjoin(Signature,"########      - ")."".Correlation_ID_sum\
| eval Change_Details=if(isnull(Change_Details),Change_Summary,Change_Summary."########   Change_Details:########".mvjoin(Change_Details,""))\
| makemv delim="########" Change_Details\
| eval Change_Details=mvfilter(NOT match(Change_Details, ":(\s*\-\s*)$"))\
| makemv delim="########" Change_Summary\
| makemv delim="########" Change_Actions\
| table time_group,src_user,adminuser,msad_action,group,Correlation_IDs,Change_Actions,Change_Summary,Change_Details,group_obj_lkp,member_obj_lkp
iseval = 0

[ms_obj_md_group_change_det(1)]
args = group_lookup
definition = fields _time,src_user,adminuser,msad_action,signature,group_obj_lkp,member_obj_lkp,MSADGroupClass,MSADGroupClassID,MSADGroupType,MSADChanges,MSADChangedAttributes,Correlation_ID,Change_Actions\
| eval Correlation_ID_sum=if(isnull(Correlation_ID),"",if(mvcount(Correlation_ID)>1,"Correlation IDs:########      - ".replace(mvjoin(Correlation_ID,"########      - "), "(?msi)\r\s+|\n\s+", "########      - "),"Correlation ID: ".Correlation_ID))\
| lookup AD_Audit_Group_Type MSADGroupClassID OUTPUT MSADGroupClass\
| lookup $group_lookup$ lookup_grp AS group_obj_lkp OUTPUT cn AS group_obj_cn, orig_cn AS group_obj_o_cn,MSADGroupClass AS MSADGroupClass_u, MSADGroupType AS MSADGroupType_u\
| eval group_obj_nm=if(isnull(group_obj_o_cn) OR group_obj_o_cn="",if(isnull(group_obj_cn) OR group_obj_cn="",if(isnull(group_obj_lkp),"NA",group_obj_lkp),lower(group_obj_cn)),lower(group_obj_o_cn))\
| eval MSADGroupClass=if(isnull(MSADGroupClass),if(isnull(MSADGroupClass_u),"NA",MSADGroupClass_u),MSADGroupClass)\
| eval MSADGroupType=if(isnull(MSADGroupType),if(isnull(MSADGroupType_u),"NA",MSADGroupType_u),MSADGroupType)\
| eval Signature=if(Correlation_ID_sum=="","######## - Signature: ".signature,"######## - Signature: ".signature."########   - ".Correlation_ID_sum)\
| eval Change_Summary="########(".strftime(_time,"%m/%d/%y %I:%M %P").")".Signature\
| eval f=replace(mvjoin(replace(MSADChangedAttributes, "(?msi)\r\s+|\n\s+", "########      - "),"########      - "),"(\t|\s\s+)"," ")\
| makemv delim="########" f\
| eval MSADChangedAttributes=if(isnull(f),if(isnull(AttributeLDAPDisplayName) OR AttributeValue=="-" OR AttributeValue==" - ",if(isnull(member_obj_lkp),if(msad_action="moved","Moved:########      - From: ".Old_DN."########      - To: ".New_DN,NULL),"member: ".member_obj_lkp),mvzip(AttributeLDAPDisplayName,AttributeValue,": ")),mvfilter(NOT match(f, ":(\s*\-\s*|)$")))\
| eval Change_Details=if(isnull(MSADChangedAttributes) OR mvcount(MSADChangedAttributes)=0,"########(".strftime(_time,"%m/%d/%y %I:%M %P").")######## - Action: ".change_action.Signature,"########(".strftime(_time,"%m/%d/%y %I:%M %P").")######## - Action: ".Change_Actions.Signature."######## - Details:########      - ".mvjoin(MSADChangedAttributes,"########      - "))\
| stats list(MSADChangedAttributes) AS MSADChangedAttributes,list(Change_Details) AS Change_Details,values(Correlation_ID) AS Correlation_IDs,values(Change_Summary) AS Change_Summary,min(_time) AS First_Change_Time,values(msad_action) AS msad_actions,values(member_obj_lkp) AS member_obj_lkp by src_user,adminuser,group_obj_nm,MSADGroupType,MSADGroupClass\
| eval First_Change_Time=strftime(First_Change_Time,"%m/%d/%y %I:%M %P")\
| eval Change_Details=if(isnull(Change_Details),if(isnull(Change_Summary),"Unknown Changes",mvjoin(Change_Summary, "########")),mvjoin(Change_Details, "########"))\
| makemv delim="########" Change_Details\
| makemv delim="########" Change_Summary
iseval = 0

[ms_obj_md_group-changes-for-group(3)]
args = group_lookup,domain,group
definition = `ms_obj_group_all_changes_base` dest_nt_domain="$domain$" user_group="$group$"\
| fields _time, objectGUID, src_nt_domain, src_user, member_id, msad_action\
| eval objectGUID=lower(objectGUID)\
| lookup $group_lookup$ objectGUID OUTPUT cn AS user_group\
| search user_group="$group$"\
| eval adminuser=src_nt_domain."\\".src_user\
| table _time,adminuser,msad_action,member_id\
| rename adminuser as "Administrator",msad_action as "Action", member_id as "User"
iseval = 0

## Group Membership Changes - Output Part - Basic(User,Group,Computer - ie ugc) Group Membership Changes Output ##
[ms_obj_md_group_m_ugc_change_out(3)]
args = group_lookup,user_lookup,computer_lookup
definition = fields _time, _raw, src_user, src_nt_domain, dest_nt_domain, msad_action, signature,DN,New_DN,Old_DN,group_obj_lkp,member_obj_domain,member_obj_id,member_obj_lkp,MSADGroupClass,MSADGroupClassID,MSADGroupType,MSADChanges,MSADChangedAttributes,AttributeLDAPDisplayName,AttributeValue,dir_svcs_action,Correlation_ID,change_signature\
| eval msad_action=if(isnull(msad_action),if(isnull(dir_svcs_action),"NA",dir_svcs_action),if(isnull(dir_svcs_action) OR dir_svcs_action=="Unknown",msad_action,msad_action." (".dir_svcs_action.")"))\
| eval member_obj_lkp=if(isnull(member_obj_lkp),member_obj_id,member_obj_lkp)\
| eval signature=if(isnull(change_signature),signature,change_signature)\
| eval adminuser=if(isnull(src_nt_domain),src_user,upper(src_nt_domain)."\\".src_user)\
| fillnull value="N/A" Correlation_ID,MSADGroupType,MSADGroupClass,MSADGroupClassID\
| `ms_obj_msad-changed-attributes`\
| stats list(MSADChanges) AS MSADChanges,values(Correlation_ID) AS Correlation_IDs by _time,src_user,adminuser,msad_action,group_obj_lkp,member_obj_lkp,MSADGroupType,MSADGroupClass,MSADGroupClassID,signature\
| lookup $group_lookup$ lookup_grp AS group_obj_lkp OUTPUT cn AS group_obj_cn, orig_cn AS group_obj_o_cn,MSADGroupClass AS MSADGroupClass_u, MSADGroupType AS MSADGroupType_u\
| eval group_obj_nm=if(isnull(group_obj_o_cn) OR group_obj_o_cn="",if(isnull(group_obj_cn) OR group_obj_cn="",if(isnull(group_obj_lkp),"NA",group_obj_lkp),lower(group_obj_cn)),lower(group_obj_o_cn))\
| eval MSADGroupClass=if(isnull(MSADGroupClass) OR MSADGroupClass="N/A",if(isnull(MSADGroupClass_u),"NA",MSADGroupClass_u),MSADGroupClass)\
| eval MSADGroupType=if(isnull(MSADGroupType) OR MSADGroupType="N/A",if(isnull(MSADGroupType_u),"NA",MSADGroupType_u),MSADGroupType)\
| eval MSADChanges=mvjoin(MSADChanges, "########")\
| eval MSADChanges=case(isnull(signature) AND isnull(MSADChanges),"Unknown Changes",isnull(signature),MSADChanges,isnotnull(MSADChanges),"Signature: ".signature."########".MSADChanges)\
| makemv delim="########" MSADChanges\
| lookup $user_lookup$ lookup_usr AS member_obj_lkp OUTPUT cn AS u_cn, dn AS u_dn,sAMAccountName AS u_sam,domain AS u_dom\
| lookup $group_lookup$ lookup_grp AS member_obj_lkp OUTPUT cn AS g_cn, dn AS g_dn,sAMAccountName AS g_sam,domain AS g_dom\
| lookup $computer_lookup$ lookup_cmp AS member_obj_lkp OUTPUT cn AS c_cn, dn AS c_dn,sAMAccountName AS c_sam,domain AS c_dom\
| eval member_obj_cn=if(isnull(u_cn),if(isnull(g_cn),if(isnull(c_cn),member_obj_lkp,c_cn),g_cn),u_cn)\
| eval member_obj_dn=if(isnull(u_dn),if(isnull(g_dn),if(isnull(c_dn),member_obj_lkp,c_dn),g_dn),u_dn)\
| eval member=if(isnull(u_sam),if(isnull(g_sam),if(isnull(c_sam),member_obj_lkp,c_dom."\\".c_sam),g_dom."\\".g_sam),u_dom."\\".u_sam)\
| eval Member_Type=if(isnull(u_cn),if(isnull(g_cn),"Computer","Group"),"User")\
| table _time,src_user,adminuser,group_obj_lkp,group_obj_nm,msad_action,MSADGroupType,MSADGroupClass,Member_Type,member_obj_lkp,member,member_obj_cn,member_obj_dn,MSADChanges,Correlation_IDs

## Group Membership Changes - Output Part - Basic(User Only - ie _u_) Changes Output ##
[ms_obj_md_group_m_u_change_out(2)]
args = group_lookup,user_lookup
definition = fields _time,src_user,group_obj_lkp,member_obj_lkp,MSADGroupClass,MSADGroupClassID,MSADGroupType,msad_action,src_nt_domain,dest_nt_domain,signature,change_signature,MSADChanges,MSADChangedAttributes,Correlation_ID,AttributeLDAPDisplayName,AttributeValue,DN,Old_DN,New_DN,dir_svcs_action\
| eval adminuser=if(isnull(src_nt_domain),src_user,upper(src_nt_domain)."\\".src_user)\
| eval group_obj_lkp=trim(group_obj_lkp)\
| lookup AD_Audit_Group_Type MSADGroupClassID OUTPUT MSADGroupClass\
| lookup $group_lookup$ lookup_grp AS group_obj_lkp OUTPUT cn AS group_obj_cn, orig_cn AS group_obj_o_cn,MSADGroupClass AS MSADGroupClass_u, MSADGroupType AS MSADGroupType_u\
| eval group_obj_nm=if(isnull(group_obj_o_cn) OR group_obj_o_cn="",if(isnull(group_obj_cn) OR group_obj_cn="",if(isnull(group_obj_lkp),"NA",group_obj_lkp),lower(group_obj_cn)),lower(group_obj_o_cn))\
| eval MSADGroupClass=if(isnull(MSADGroupClass),if(isnull(MSADGroupClass_u),"NA",MSADGroupClass_u),MSADGroupClass)\
| eval MSADGroupType=if(isnull(MSADGroupType),if(isnull(MSADGroupType_u),"NA",MSADGroupType_u),MSADGroupType)\
| `ms_obj_msad_changed_attr_sum`\
| stats count, list(Change_Summary) AS Change_Summary, list(Change_Details) AS Change_Details,values(Correlation_ID) AS Correlation_IDs by _time,src_user,adminuser,change_action,group_obj_nm,member_obj_lkp,MSADGroupType,MSADGroupClass\
| lookup $user_lookup$ lookup_usr AS member_obj_lkp OUTPUT cn AS u_cn\
| eval member=if(isnull(u_cn),member_obj_lkp,u_cn)\
| eval Member_Type="User"\
| eval Change_Details=if(isnull(Change_Details),"Unknown Changes",Change_Details)\
| table _time,src_user,adminuser,change_action,group_obj_nm,member,Member_Type,MSADGroupType,MSADGroupClass,Correlation_IDs,Change_Summary,Change_Details
iseval = 0


[ms_obj_md_group_m_change_det(3)]
args = group_lookup,user_lookup,computer_lookup
definition = fields _time, _raw, adminuser,src_user, src_nt_domain, dest_nt_domain, msad_action, signature,DN,New_DN,Old_DN,group_obj_lkp,member_obj_domain,member_obj_secid,member_obj_cn,member_obj_dn,member_obj_lkp,member_obj_id,member_obj_sam,MSADGroupClass,MSADGroupClassID,MSADGroupType,MSADChanges,MSADChangedAttributes,Correlation_ID,Change_Actions\
| eval Correlation_ID_sum=if(isnull(Correlation_ID),"",if(mvcount(Correlation_ID)>1,"Correlation IDs:########      - ".replace(mvjoin(Correlation_ID,"########      - "), "(?msi)\r\s+|\n\s+", "########      - "),"Correlation ID: ".Correlation_ID))\
| lookup AD_Audit_Group_Type MSADGroupClassID OUTPUT MSADGroupClass\
| lookup $group_lookup$ lookup_grp AS group_obj_lkp OUTPUT cn AS group_obj_cn, orig_cn AS group_obj_o_cn,MSADGroupClass AS MSADGroupClass_u, MSADGroupType AS MSADGroupType_u\
| eval group_obj_nm=if(isnull(group_obj_o_cn) OR group_obj_o_cn="",if(isnull(group_obj_cn) OR group_obj_cn="",if(isnull(group_obj_lkp),"NA",group_obj_lkp),lower(group_obj_cn)),lower(group_obj_o_cn))\
| eval MSADGroupClass=if(isnull(MSADGroupClass),if(isnull(MSADGroupClass_u),"NA",MSADGroupClass_u),MSADGroupClass)\
| eval MSADGroupType=if(isnull(MSADGroupType),if(isnull(MSADGroupType_u),"NA",MSADGroupType_u),MSADGroupType)\
| eval Signature=if(Correlation_ID_sum=="","######## - Signature: ".signature,"######## - Signature: ".signature."########   - ".Correlation_ID_sum)\
| eval Change_Summary="########(".strftime(_time,"%m/%d/%y %I:%M %P").")".Signature\
| eval f=replace(mvjoin(replace(MSADChangedAttributes, "(?msi)\r\s+|\n\s+", "########      - "),"########      - "),"(\t|\s\s+)"," ")\
| makemv delim="########" f\
| eval MSADChangedAttributes=if(isnull(f),NULL,mvfilter(NOT match(f, ":(\s*\-\s*|)$")))\
| eval Change_Details=if(isnull(MSADChangedAttributes) OR mvcount(MSADChangedAttributes)=0,"########(".strftime(_time,"%m/%d/%y %I:%M %P").")######## - Action: ".Change_Actions.Signature,"########(".strftime(_time,"%m/%d/%y %I:%M %P").")######## - Action: ".Change_Actions.Signature."######## - Details:########      - ".mvjoin(MSADChangedAttributes,"########      - "))\
| stats list(MSADChangedAttributes) AS MSADChangedAttributes,list(Change_Details) AS Change_Details,values(Correlation_ID) AS Correlation_IDs,values(Change_Summary) AS Change_Summary,min(_time) AS First_Change_Time by src_user,adminuser,group_obj_nm,msad_action,member_obj_lkp,MSADGroupType,MSADGroupClass\
| lookup $user_lookup$ lookup_usr AS member_obj_lkp OUTPUT cn AS u_cn\
| lookup $group_lookup$ lookup_grp AS member_obj_lkp OUTPUT cn AS g_cn\
| lookup $computer_lookup$ lookup_cmp AS member_obj_lkp OUTPUT cn AS c_cn\
| eval member=if(isnull(u_cn),if(isnull(g_cn),if(isnull(c_cn),member_obj_lkp,c_cn),g_cn),u_cn)\
| eval Member_Type=if(isnull(u_cn),if(isnull(g_cn),"Computer","Group"),"User")\
| eval First_Change_Time=strftime(First_Change_Time,"%m/%d/%y %I:%M %P")\
| eval Change_Details=if(isnull(Change_Details),if(isnull(Change_Summary),"Unknown Changes",mvjoin(Change_Summary, "########")),mvjoin(Change_Details, "########"))\
| makemv delim="########" Change_Details\
| makemv delim="########" Change_Summary
iseval = 0

[ms_obj_md_group_m_change_out(3)]
args = group_lookup,user_lookup,computer_lookup
definition = fields _time,src_user,group_obj_lkp,member_obj_lkp,MSADGroupClass,MSADGroupClassID,MSADGroupType,msad_action,src_nt_domain,dest_nt_domain,signature,change_signature,MSADChanges,MSADChangedAttributes,Correlation_ID,AttributeLDAPDisplayName,AttributeValue,DN,Old_DN,New_DN,dir_svcs_action\
| eval adminuser=if(isnull(src_nt_domain),src_user,upper(src_nt_domain)."\\".src_user)\
| eval group_obj_lkp=trim(group_obj_lkp)\
| lookup AD_Audit_Group_Type MSADGroupClassID OUTPUT MSADGroupClass\
| lookup $group_lookup$ lookup_grp AS group_obj_lkp OUTPUT cn AS group_obj_cn, orig_cn AS group_obj_o_cn,MSADGroupClass AS MSADGroupClass_u, MSADGroupType AS MSADGroupType_u\
| eval group_obj_nm=if(isnull(group_obj_o_cn) OR group_obj_o_cn="",if(isnull(group_obj_cn) OR group_obj_cn="",if(isnull(group_obj_lkp),"NA",group_obj_lkp),lower(group_obj_cn)),lower(group_obj_o_cn))\
| eval MSADGroupClass=if(isnull(MSADGroupClass),if(isnull(MSADGroupClass_u),"NA",MSADGroupClass_u),MSADGroupClass)\
| eval MSADGroupType=if(isnull(MSADGroupType),if(isnull(MSADGroupType_u),"NA",MSADGroupType_u),MSADGroupType)\
| `ms_obj_msad_changed_attr_sum`\
| stats count, list(Change_Summary) AS Change_Summary, list(Change_Details) AS Change_Details,values(Correlation_ID) AS Correlation_IDs by _time,src_user,adminuser,change_action,group_obj_nm,member_obj_lkp,MSADGroupType,MSADGroupClass\
| lookup $user_lookup$ lookup_usr AS member_obj_lkp OUTPUT cn AS u_cn\
| lookup $group_lookup$ lookup_grp AS member_obj_lkp OUTPUT cn AS g_cn\
| lookup $computer_lookup$ lookup_cmp AS member_obj_lkp OUTPUT cn AS c_cn\
| eval member=if(isnull(u_cn),if(isnull(g_cn),if(isnull(c_cn),member_obj_lkp,c_cn),g_cn),u_cn)\
| eval Member_Type=if(isnull(u_cn),if(isnull(g_cn),"Computer","Group"),"User")\
| eval Change_Details=if(isnull(Change_Details),"Unknown Changes",Change_Details)\
| table _time,src_user,adminuser,change_action,group_obj_nm,member,Member_Type,MSADGroupType,MSADGroupClass,Correlation_IDs,Change_Summary,Change_Details
iseval = 0

## Group Membership Changes - Output Part - Basic(Embedded Groups Only - ie _g_) Output ##
[ms_obj_md_group_m_g_change_out(1)]
args = group_lookup
definition = fields _time, _raw, src_user, src_nt_domain, dest_nt_domain, msad_action, signature,DN,New_DN,Old_DN,group_obj_lkp,member_obj_domain,member_obj_id,member_obj_lkp,MSADGroupClass,MSADGroupClassID,MSADGroupType,MSADChanges,MSADChangedAttributes,AttributeLDAPDisplayName,AttributeValue,dir_svcs_action,Correlation_ID,change_signature\
| eval msad_action=if(isnull(msad_action),if(isnull(dir_svcs_action),"NA",dir_svcs_action),if(isnull(dir_svcs_action) OR dir_svcs_action=="Unknown",msad_action,msad_action." (".dir_svcs_action.")"))\
| eval member_obj_lkp=if(isnull(member_obj_lkp),member_obj_id,member_obj_lkp)\
| eval signature=if(isnull(change_signature),signature,change_signature)\
| eval adminuser=if(isnull(src_nt_domain),src_user,upper(src_nt_domain)."\\".src_user)\
| fillnull value="N/A" Correlation_ID,MSADGroupType,MSADGroupClass,MSADGroupClassID\
| `ms_obj_msad-changed-attributes`\
| stats list(MSADChanges) AS MSADChanges,values(Correlation_ID) AS Correlation_IDs by _time,src_user,adminuser,msad_action,group_obj_lkp,member_obj_lkp,MSADGroupType,MSADGroupClass,MSADGroupClassID,signature\
| lookup $group_lookup$ lookup_grp AS group_obj_lkp OUTPUT cn AS group_obj_cn, orig_cn AS group_obj_o_cn,MSADGroupClass AS MSADGroupClass_u, MSADGroupType AS MSADGroupType_u\
| eval group_obj_nm=if(isnull(group_obj_o_cn) OR group_obj_o_cn="",if(isnull(group_obj_cn) OR group_obj_cn="",if(isnull(group_obj_lkp),"NA",group_obj_lkp),lower(group_obj_cn)),lower(group_obj_o_cn))\
| eval MSADGroupClass=if(isnull(MSADGroupClass) OR MSADGroupClass="N/A",if(isnull(MSADGroupClass_u),"NA",MSADGroupClass_u),MSADGroupClass)\
| eval MSADGroupType=if(isnull(MSADGroupType) OR MSADGroupType="N/A",if(isnull(MSADGroupType_u),"NA",MSADGroupType_u),MSADGroupType)\
| eval MSADChanges=mvjoin(MSADChanges, "########")\
| eval MSADChanges=case(isnull(signature) AND isnull(MSADChanges),"Unknown Changes",isnull(signature),MSADChanges,isnotnull(MSADChanges),"Signature: ".signature."########".MSADChanges)\
| makemv delim="########" MSADChanges\
| lookup $group_lookup$ lookup_grp AS member_obj_lkp OUTPUT cn AS g_cn, dn AS g_dn,sAMAccountName AS g_sam,domain AS g_dom\
| eval member_obj_cn=if(isnull(g_cn),member_obj_lkp,g_cn)\
| eval member_obj_dn=if(isnull(g_dn),member_obj_lkp,g_dn)\
| eval member=if(isnull(g_sam),member_obj_lkp,g_dom."\\".g_sam)\
| eval Member_Type="Group"\
| table _time,src_user,adminuser,group_obj_lkp,group_obj_nm,msad_action,MSADGroupType,MSADGroupClass,Member_Type,member_obj_lkp,member,member_obj_cn,member_obj_dn,MSADChanges,Correlation_IDs

## Group Membership Changes - Output Part - Basic(Computer Only - ie _c_) Changes Output ##
[ms_obj_md_group_m_c_change_out(2)]
args = group_lookup,computer_lookup
definition = fields _time, _raw, src_user, src_nt_domain, dest_nt_domain, msad_action, signature,DN,New_DN,Old_DN,group_obj_lkp,member_obj_domain,member_obj_id,member_obj_lkp,MSADGroupClass,MSADGroupClassID,MSADGroupType,MSADChanges,MSADChangedAttributes,AttributeLDAPDisplayName,AttributeValue,dir_svcs_action,Correlation_ID,change_signature\
| eval msad_action=if(isnull(msad_action),if(isnull(dir_svcs_action),"NA",dir_svcs_action),if(isnull(dir_svcs_action) OR dir_svcs_action=="Unknown",msad_action,msad_action." (".dir_svcs_action.")"))\
| eval member_obj_lkp=if(isnull(member_obj_lkp),member_obj_id,member_obj_lkp)\
| eval signature=if(isnull(change_signature),signature,change_signature)\
| eval adminuser=if(isnull(src_nt_domain),src_user,upper(src_nt_domain)."\\".src_user)\
| fillnull value="N/A" Correlation_ID,MSADGroupType,MSADGroupClass,MSADGroupClassID\
| `ms_obj_msad-changed-attributes`\
| stats list(MSADChanges) AS MSADChanges,values(Correlation_ID) AS Correlation_IDs by _time,src_user,adminuser,msad_action,group_obj_lkp,member_obj_lkp,MSADGroupType,MSADGroupClass,MSADGroupClassID,signature\
| lookup $group_lookup$ lookup_grp AS group_obj_lkp OUTPUT cn AS group_obj_cn, orig_cn AS group_obj_o_cn,MSADGroupClass AS MSADGroupClass_u, MSADGroupType AS MSADGroupType_u\
| eval group_obj_nm=if(isnull(group_obj_o_cn) OR group_obj_o_cn="",if(isnull(group_obj_cn) OR group_obj_cn="",if(isnull(group_obj_lkp),"NA",group_obj_lkp),lower(group_obj_cn)),lower(group_obj_o_cn))\
| eval MSADGroupClass=if(isnull(MSADGroupClass) OR MSADGroupClass="N/A",if(isnull(MSADGroupClass_u),"NA",MSADGroupClass_u),MSADGroupClass)\
| eval MSADGroupType=if(isnull(MSADGroupType) OR MSADGroupType="N/A",if(isnull(MSADGroupType_u),"NA",MSADGroupType_u),MSADGroupType)\
| eval MSADChanges=mvjoin(MSADChanges, "########")\
| eval MSADChanges=case(isnull(signature) AND isnull(MSADChanges),"Unknown Changes",isnull(signature),MSADChanges,isnotnull(MSADChanges),"Signature: ".signature."########".MSADChanges)\
| makemv delim="########" MSADChanges\
| lookup $computer_lookup$ lookup_cmp AS member_obj_lkp OUTPUT cn AS c_cn, dn AS c_dn,sAMAccountName AS c_sam,domain AS c_dom\
| eval member_obj_cn=if(isnull(c_cn),member_obj_lkp,c_cn)\
| eval member_obj_dn=if(isnull(c_dn),member_obj_lkp,c_dn)\
| eval member=if(isnull(c_sam),member_obj_lkp,c_dom."\\".c_sam)\
| eval Member_Type="User"\
| table _time,src_user,adminuser,group_obj_lkp,group_obj_nm,msad_action,MSADGroupType,MSADGroupClass,Member_Type,member_obj_lkp,member,member_obj_cn,member_obj_dn,MSADChanges,Correlation_IDs

[ms_obj_md_groupmembership_change_out(3)]
args = group_lookup,user_lookup,computer_lookup
definition = fields _time, _raw, src_user, src_nt_domain, dest_nt_domain, msad_action, signature,DN,New_DN,Old_DN,group_obj_lkp,member_obj_domain,member_obj_id,member_obj_lkp,MSADGroupClass,MSADGroupClassID,MSADGroupType,MSADChanges,MSADChangedAttributes,AttributeLDAPDisplayName,AttributeValue,dir_svcs_action\
| eval msad_action=if(isnull(msad_action),if(isnull(dir_svcs_action),"NA",dir_svcs_action),if(isnull(dir_svcs_action) OR dir_svcs_action=="Unknown",msad_action,msad_action." (".dir_svcs_action.")"))\
| eval member=if(isnull(member_obj_domain),member_obj_id,member_obj_domain."\\".member_obj_id) \
| eval member=if(isnull(member),if(isnull(member_obj_dn),"NA",member_obj_dn),member) \
| eval adminuser=if(isnull(src_nt_domain),src_user,upper(src_nt_domain)."\\".src_user)\
| lookup AD_Audit_Group_Type MSADGroupClassID OUTPUT MSADGroupClass\
| lookup $group_lookup$ lookup_grp AS group_obj_lkp OUTPUT cn AS group_obj_cn, orig_cn AS group_obj_o_cn,MSADGroupClass AS MSADGroupClass_u, MSADGroupType AS MSADGroupType_u\
| eval group_obj_nm=if(isnull(group_obj_o_cn) OR group_obj_o_cn="",if(isnull(group_obj_cn) OR group_obj_cn="",if(isnull(group_obj_lkp),"NA",group_obj_lkp),lower(group_obj_cn)),lower(group_obj_o_cn))\
| eval MSADGroupClass=if(isnull(MSADGroupClass),if(isnull(MSADGroupClass_u),"NA",MSADGroupClass_u),MSADGroupClass)\
| eval MSADGroupType=if(isnull(MSADGroupType),if(isnull(MSADGroupType_u),"NA",MSADGroupType_u),MSADGroupType)\
| fillnull value="N/A" Correlation_ID,member_obj_lkp\
| `ms_obj_msad-changed-attributes`\
| stats list(MSADChanges) AS MSADChanges,values(Correlation_ID) AS Correlation_IDs by _time,src_user,adminuser,msad_action,group_obj_nm,member,MSADGroupType,MSADGroupClass,member_obj_lkp,signature\
| eval MSADChanges=mvjoin(MSADChanges, "########")\
| eval MSADChanges=case(isnull(signature) AND isnull(MSADChanges),"Unknown Changes",isnull(signature),MSADChanges,isnotnull(MSADChanges),"Signature: ".signature."########".MSADChanges)\
| makemv delim="########" MSADChanges\
| lookup $user_lookup$ lookup_usr AS member_obj_lkp OUTPUT cn AS u_cn, dn AS u_dn \
| lookup $group_lookup$ lookup_grp AS member_obj_lkp OUTPUT cn AS g_cn, dn AS g_dn \
| lookup $computer_lookup$ lookup_cmp AS member_obj_lkp OUTPUT cn AS c_cn, dn AS c_dn \
| eval member_obj_dn=if(isnull(u_dn),if(isnull(g_dn),if(isnull(c_dn),member_obj_dn,c_dn),g_dn),u_dn) \
| eval Member_Type=if(isnull(u_cn),if(isnull(g_cn),"Computer","Group"),"User") \
| table _time,src_user,adminuser,group_obj_nm,msad_action,MSADGroupType,MSADGroupClass,Member_Type,member_obj_lkp,member,MSADChanges
iseval = 0

[ms_obj_md_groupmembership_change_events(3)]
args = domain,group,group_lookup
definition = `ms_obj_changes_base_cat("Group Membership")` "$group$"\
| fields _time,_raw,member_obj_dn,member_obj_id,member_obj_domain,member_obj_class,src_user,src_nt_domain,group_obj_id,group_obj_dn,group_obj_nm,user_group,group_id,Group_Name,msad_action,MSADGroupClassID,MSADGroupType,MSADGroupClass,signature,Correlation_ID,MSADChangedAttributes,AttributeLDAPDisplayName,AttributeValue,DN,dir_svcs_action,Old_DN,New_DN\
| eval msad_action=if(isnull(msad_action),if(isnull(dir_svcs_action),"NA",dir_svcs_action),if(isnull(dir_svcs_action) OR dir_svcs_action=="Unknown",msad_action,msad_action." (".dir_svcs_action.")"))\
| search (group_obj_dn="$group$" OR user_group="$group$" OR group_id="$group$" OR Group_Name="$group$") (src_nt_domain="$domain$" OR dest_nt_domain="$domain$") \
| eval adminuser=if(isnull(src_nt_domain),lower(src_user),lower(src_nt_domain)."\\".lower(src_user)\
| eval group_obj_dn=if(isnull(group_obj_dn),if(isnull(user_group),if(isnull(group_id),"",lower(group_id)),lower(user_group)),lower(group_obj_dn))\
| eval group_obj_cn=if(isnull(Group_Name),"",lower(Group_Name))\
| eval member=if(isnull(member_obj_domain),replace(member_obj_id,"\x5C{1}",""),member_obj_domain."\\".lower(replace(member_obj_id,"\x5C{1}","")))\
| eval member=if(isnull(member),if(isnull(member_obj_dn),"NA",lower(member_obj_dn)),member)\
| lookup $group_lookup$ dn AS group_obj_dn OUTPUT cn AS group_obj_nm,MSADGroupType,MSADGroupClass\
| lookup $group_lookup$ cn AS group_obj_cn OUTPUT cn AS c_group_obj_nm,MSADGroupType AS c_MSADGroupType,MSADGroupClass AS c_MSADGroupClass\
| eval group_obj_nm=if(isnull(group_obj_nm),if(isnull(c_group_obj_nm),if(isnull(group_obj_id),if(isnull(user_group),lower(group_obj_dn),lower(user_group)),lower(group_obj_id)),lower(c_group_obj_nm)),lower(group_obj_nm)),MSADGroupType = if(isnull(MSADGroupType),c_MSADGroupType,MSADGroupType),MSADGroupClass=if(isnull(MSADGroupClass),c_MSADGroupClass,MSADGroupClass)\
| `ms_obj_msad-changed-attributes`\
| stats list(MSADChanges) AS MSADChanges,values(Correlation_ID) AS Correlation_IDs by _time,src_user,adminuser,src_user,msad_action,group_obj_nm,MSADGroupType,MSADGroupClass,member,signature\
| eval MSADChanges=mvjoin(MSADChanges, "########")\
| eval MSADChanges=case(isnull(signature) AND isnull(MSADChanges),"Unknown Changes",isnull(signature),MSADChanges,isnotnull(MSADChanges),"Signature: ".signature."########".MSADChanges)\
| makemv delim="########" MSADChanges\
| table _time,src_user,adminuser,msad_action,group_obj_nm,MSADGroupType,MSADGroupClass,member,MSADChanges, src_user
iseval = 0

[ms_obj_md_group_change_events(3)]
args = domain,group,group_lookup
definition = `ms_obj_changes_base_cat("Group")` "$group$"\
| fields _time,_raw,member_obj_dn,member_obj_id,member_obj_domain,member_obj_class,src_user,src_nt_domain,dest_nt_domain,group_obj_id,group_obj_dn,group_obj_nm,user_group,Group_Name,group_id,msad_action,MSADGroupClassID,MSADGroupType,MSADGroupClass,signature,change_signature,Correlation_ID,MSADChangedAttributes,AttributeLDAPDisplayName,AttributeValue,DN,dir_svcs_action,Old_DN,New_DN \
| eval msad_action=if(isnull(msad_action),if(isnull(dir_svcs_action),"NA",dir_svcs_action),if(isnull(dir_svcs_action) OR dir_svcs_action=="Unknown",msad_action,msad_action." (".dir_svcs_action.")"))\
| search (group_obj_dn="$group$" OR user_group="$group$" OR group_id="$group$" OR Group_Name="$group$") (src_nt_domain="$domain$" OR dest_nt_domain="$domain$")  NOT AttributeLDAPDisplayName="member"\
| eval group_obj_dn=if(isnull(group_obj_dn),if(isnull(user_group),if(isnull(group_id),"",lower(group_id)),lower(user_group)),lower(group_obj_dn))\
| eval group_obj_cn=if(isnull(Group_Name),"",lower(Group_Name))\
| eval adminuser=if(isnull(src_nt_domain),lower(src_user),lower(src_nt_domain)."\\".lower(src_user)) \
| eval signature=if(isnull(change_signature),signature,change_signature)\
| eval member=if(isnull(member_obj_domain),replace(member_obj_id,"\x5C{1}",""),member_obj_domain."\\".lower(replace(member_obj_id,"\x5C{1}",""))) \
| eval member=if(isnull(member),"NA",member) \
| lookup AD_Audit_Group_Type MSADGroupClassID OUTPUT MSADGroupClass \
| eval objectGUID=lower(objectGUID)\
| lookup $group_lookup$ dn AS group_obj_dn OUTPUT cn AS group_obj_nm,MSADGroupType,MSADGroupClass\
| lookup $group_lookup$ cn AS group_obj_cn OUTPUT cn AS c_group_obj_nm,MSADGroupType AS c_MSADGroupType,MSADGroupClass AS c_MSADGroupClass\
| eval group_obj_nm=if(isnull(group_obj_nm),c_group_obj_nm,group_obj_nm),MSADGroupType = if(isnull(MSADGroupType),c_MSADGroupType,MSADGroupType),MSADGroupClass=if(isnull(MSADGroupClass),c_MSADGroupClass,MSADGroupClass)\
| eval dir_svcs_action=if(isnull(dir_svcs_action) OR dir_svcs_action="Unknown","","Action: ".dir_svcs_action."########") \
| eval MSADChangedAttributes=mvfilter(NOT match(MSADChangedAttributes, ":(\s*\-\s*|)$")) \
| fillnull value="" signature,Correlation_IDs \
| eval MSADChanges=if(isnull(MSADChangedAttributes),if(isnull(AttributeLDAPDisplayName),if(msad_action="moved","Moved:########--From: ".Old_DN."########--To: ".New_DN,dir_svcs_action.""),if(isnull(AttributeValue) OR AttributeValue="-" OR AttributeValue="",NULL,dir_svcs_action."-- ".AttributeLDAPDisplayName.": ".AttributeValue)),dir_svcs_action."".MSADChangedAttributes) \
| stats list(MSADChanges) AS MSADChanges,values(Correlation_ID) AS Correlation_IDs by _time,src_user,adminuser,msad_action,group_obj_nm,MSADGroupType,MSADGroupClass,member,signature \
| eval MSADChanges=mvjoin(MSADChanges, "########") \
| eval MSADChanges=case(isnull(signature) AND isnull(MSADChanges),"Unknown Changes",isnull(signature),MSADChanges,isnotnull(MSADChanges),"Signature: ".signature."########".MSADChanges) \
| makemv delim="########" MSADChanges \
| table _time,src_user,adminuser,msad_action,group_obj_nm,MSADGroupType,MSADGroupClass,member,MSADChanges
iseval = 0

[ms_obj_md_group_members_list_all(3)]
args = domain,group,group_lookup
definition = inputlookup $group_lookup$ WHERE cn="$group$" AND domain="$domain$"\
| eval group_members="####".mvjoin(member,"####")\
| rex mode=sed field=group_members "s/####/####(Direct)/g"\
| makemv delim="####" member \
| mvexpand member\
| eval emb_group=member\
| fields cn, description, emb_group, emb_group_name, group_members_emb,member,group_members\
| join type=left emb_group [| inputlookup $group_lookup$| eval emb_group=distinguishedName | eval emb_group_name=cn | makemv delim="|" member | mvexpand member | eval group_members_emb="####(Embedded Group -".emb_group_name.")".member | stats values(group_members_emb) AS group_members_emb by emb_group, emb_group_name | mvcombine group_members_emb | table emb_group,emb_group_name,group_members_emb]\
| table cn, description,member,emb_group,emb_group_name,group_members,group_members_emb\
| eval group_members_comb=if(isnull(group_members_emb),group_members,group_members."".group_members_emb)\
| table cn, description, group_members,group_members_emb,group_members_comb\
| makemv delim="####" group_members_comb\
| mvexpand group_members_comb\
| table cn, description, group_members_comb\
| rex field=group_members_comb "\((?<member_assoc_type>Direct|Embedded Group)"\
| rex field=group_members_comb "\(Embedded Group\s\-(?<embedded_group>[^\)]+)"\
| rex field=group_members_comb "\)(?<member_dn>.*)"\
| rex field=member_dn "^CN\=(?<member_name>[^\,]+)\,(OU|DC|CN)"\
| eval member_emb_assoc_group=case(member_assoc_type="Embedded Group",member_assoc_type."( ".embedded_group." )")\
| eval member_dn=trim(member_dn)\
| table cn, description, member_assoc_type,embedded_group,member_dn,member_name,member_emb_assoc_group
iseval = 0

[ms_obj_md_member_groupmembership_change_events(4)]
args = domain,member,group_lookup,user_lookup
definition = `ms_obj_changes_base_cat("Group Membership")` (src_nt_domain="$domain$" OR dest_nt_domain="$domain$") [|inputlookup $user_lookup$ WHERE lookup_usr="$member$" | fields lookup_usr | stats values(lookup_usr) AS member_obj_lkp | format]\
| fields _raw,_time,member_obj_domain, member_obj_sam,member_obj_lkp,member_obj_dn,member_obj_cn,src_user, group_obj_id,src_nt_domain,MSADGroupClassID,msad_action,signature,group_obj_dn\
| eval member_obj_dn=lower(replace(member_obj_dn,"\x5C{1}",""))\
| eval adminuser=if(isnull(src_nt_domain),lower(src_user),lower(src_nt_domain)."\\".lower(src_user))\
| eval member=if(isnull(member_obj_domain),if(isnull(member_obj_sam),lower(member_obj_lkp),lower(member_obj_sam)),if(isnull(member_obj_sam),member_obj_domain."\\".lower(member_obj_lkp),member_obj_domain."\\".lower(member_obj_sam)))\
| lookup $group_lookup$ cn AS group_obj_id OUTPUT MSADGroupType,MSADGroupClass,dn AS group_obj_dn\
| eval group_obj_dn=lower(group_obj_dn)\
| join type=left group_obj_dn [|inputlookup $group_lookup$ | search NOT dn_hist="" |eval group_obj_dn=lower(dn_hist)| rename cn AS group_obj_nm| table group_obj_dn, group_obj_nm, MSADGroupClass, MSADGroupType,orig_cn]\
| eval group_obj_nm=if(isnull(group_obj_nm),if(isnull(group_obj_id),if(isnull(user_group),group_obj_dn,user_group),group_obj_id),group_obj_nm)\
| `ms_obj_msad-changed-attributes`\
| fillnull value="N/A" \
| stats values(MSADChanges) AS MSADChanges by _time,group_obj_nm,msad_action,src_user,adminuser,member, member_obj_dn, signature,MSADGroupClass,MSADGroupType\
| table _time,src_user,adminuser,msad_action,member,member_obj_dn,group_obj_nm,MSADGroupClass,MSADGroupType,MSADChanges\
| rename  group_obj_nm as "Group Name",MSADGroupClass as "Class",msad_action AS "Action",member AS "Target Member",member_obj_dn AS "Target MemberDN",MSADGroupType as "Type",adminuser as "Admin User"
iseval = 0

[ms_obj_md_user_action_events(4)]
args = domain,user,action,user_lookup
definition = `ms_obj_changes_base_cat("User")` ([| inputlookup $user_lookup$ WHERE lookup_usr="$user$" | fields lookup_usr | stats values(lookup_usr) AS search | eval search="\"".mvjoin(search,"\" OR \"")."\""]) (src_nt_domain="$domain$" OR dest_nt_domain="$domain$") ($action$)\
| `ms_obj_user_change_out`\
| rename adminuser as "Administrator",msad_action as "Action",dest_user_subject as "Target User ID",MSADChanges as "Changes"
iseval = 0

[ms_obj_md_user_change_events(4)]
args = domain,user,action,user_lookup
definition = `ms_obj_win_events_security` \
    [| inputlookup AD_Audit_Change_EventCodes WHERE change_category="User" \
    | stats values(EventCode) AS EventCode by obj_type \
    | format \
    | table search] src_user_type="user"  [|inputlookup $user_lookup$ WHERE sAMAccountName="$user$" | fields cn,sAMAccountName,userPrincipalName,distinguishedName | eval search="\"".cn."\" OR \"".sAMAccountName."\" OR \"".userPrincipalName."\" OR \"".distinguishedName."\"" | table search]\
| eval user_obj_dn=lower(user_obj_dn)\
| lookup $user_lookup$ distinguishedName AS user_obj_dn OUTPUTNEW cn AS user_cn sAMAccountName AS user\
| eval adminuser=if(isnull(src_nt_domain),lower(src_user),lower(src_nt_domain)."\\".lower(src_user))\
| eval signature=if(isnull(change_signature),signature,change_signature)\
| eval user=if(isnull(user),user_obj_dn,lower(user))\
| search (user="$user$" OR New_Account_Name="$user$" OR Old_Account_Name="$user$") (src_nt_domain="$domain$" OR dest_nt_domain="$domain$") msad_action=$action$\
| eval dest_user_subject=if(isnull(dest_nt_domain) OR match(user,"(?si)cn\="),user,upper(dest_nt_domain)."\\".user)\
| `ms_obj_msad-changed-attributes`\
| fillnull value="" adminuser,msad_action,dest_user_subject,Correlation_ID,signature,MSADChanges\
| stats list(MSADChanges) AS MSADChanges,values(Correlation_ID) AS Correlation_IDs by _time,src_user,adminuser,msad_action,dest_user_subject,signature,src_user\
| eval MSADChanges=mvjoin(MSADChanges, "########")\
| eval MSADChanges=case(isnull(signature) AND isnull(MSADChanges),"Unknown Changes",isnull(signature),MSADChanges,isnotnull(MSADChanges),"Signature: ".signature."########".MSADChanges)\
| makemv delim="########" MSADChanges\
| table _time,src_user,adminuser,msad_action,dest_user_subject,MSADChanges,src_user
iseval = 0

[ms_obj_md_user_change_summary(4)]
args = domain,user,action,user_lookup
definition = `ms_obj_changes_base_cat("User")` [|inputlookup $user_lookup$ WHERE sAMAccountName="$user$" | fields cn,sAMAccountName,userPrincipalName,distinguishedName | eval search="\"".cn."\" OR \"".sAMAccountName."\" OR \"".userPrincipalName."\" OR \"".distinguishedName."\"" | table search]\
| eval user_lkp=if(isnull(user_obj_lkp),if(isnull(member_obj_lkp),NULL,lower(member_obj_lkp)),lower(user_obj_lkp))\
| lookup $user_lookup$ lookup_usr AS user_lkp OUTPUTNEW cn AS user_cn sAMAccountName AS user\
| eval adminuser=if(isnull(src_nt_domain),lower(src_user),lower(src_nt_domain)."\\".lower(src_user))\
| eval signature=if(isnull(change_signature),signature,change_signature)\
| eval user=if(isnull(user),user_obj_lkp,lower(user))\
| search (user="$user$" OR New_Account_Name="$user$" OR Old_Account_Name="$user$") (src_nt_domain="$domain$" OR dest_nt_domain="$domain$") msad_action=$action$\
| eval dest_user_subject=if(isnull(dest_nt_domain) OR match(user,"(?si)cn\="),user,upper(dest_nt_domain)."\\".user)\
| `ms_obj_msad-changed-attributes`\
| fillnull value="" adminuser,msad_action,dest_user_subject,Correlation_ID,signature,MSADChanges\
| stats list(MSADChanges) AS MSADChanges,values(Correlation_ID) AS Correlation_IDs by _time,src_user,adminuser,msad_action,dest_user_subject,signature,src_user\
| eval MSADChanges=mvjoin(MSADChanges, "########")\
| eval MSADChanges=case(isnull(signature) AND isnull(MSADChanges),"Unknown Changes",isnull(signature),MSADChanges,isnotnull(MSADChanges),"Signature: ".signature."########".MSADChanges)\
| makemv delim="########" MSADChanges\
| table _time,src_user,adminuser,msad_action,dest_user_subject,MSADChanges,src_user
iseval = 0


[ms_obj_md_group_members_user_accounts(5)]
args = domain,group,user_lookup,group_lookup,computer_lookup
definition = inputlookup $group_lookup$ WHERE cn="$group$" AND domain="$domain$"\
| fields member\
| mvexpand member\
| eval emb_group=member\
| fields emb_group, group_members\
| join type=left emb_group [| inputlookup $group_lookup$ | fields distinguishedName,member| eval emb_group=distinguishedName | eval group_members_emb="####".mvjoin(member,"####") | table emb_group,group_members_emb]\
| eval group_members_comb=if(isnull(group_members_emb),group_members,group_members."".group_members_emb)\
| makemv delim="####" group_members_comb\
| mvexpand group_members_comb\
| eval member_dn=trim(group_members_comb)\
| table member_dn \
| join type=left member_dn[| inputlookup $group_lookup$ | fields distinguishedName | eval member_dn=distinguishedName | eval group_account="True" | table member_dn, group_account] \
| join type=left member_dn[| inputlookup $user_lookup$ | fields distinguishedName | eval member_dn=distinguishedName | eval user_account=sAMAccountName | table member_dn, user_account] \
| join type=left member_dn[| inputlookup $computer_lookup$ | fields distinguishedName | eval member_dn=distinguishedName | eval user_account=sAMAccountName | table member_dn, user_account] \
| search NOT group_account="True"            \
| table user_account\
| dedup user_account
iseval = 0

###-------------------------------------------------------------------------------###
#--- 		Macro's Used for Retrieving values from lookups    				     ---#
#--- 					MULTI-DOMAIN - KV Split   		 				     	 ---#
###-------------------------------------------------------------------------------###
[ms_obj_md_get_full_group_membership(2)]
args = group_lookup,tok_member_dn
definition = join type=left dn [| inputlookup $group_lookup$ where member="$tok_member_dn$"\
| fields + cn, displayName, dn, member\
| rename dn as memberOf, cn as Group_cn, displayName as Group_Name\
| rename member as dn\
| stats values(memberOf) AS memberOf,values(Group_cn) AS Group_cn,values(Group_Name) AS Group_Name by dn\
| table dn, Group_cn, Group_Name, memberOf]\
| lookup AD_Obj_Group_$tgt_kv_suffix$ primaryGroupToken AS primaryGroupID OUTPUT dn AS primaryGroupdn,cn AS primaryGroupcn,displayName AS primaryGroupName\
| eval memberOf=mvappend(memberOf,primaryGroupdn), Group_Name=mvappend(Group_Name,primaryGroupName),Group_cn=mvappend(Group_cn,primaryGroupcn)
iseval = 0

[ms_obj_md_get_full_group_membership_prev(2)]
args = group_lookup,tok_member_dn
definition = join type=left dn [| inputlookup $group_lookup$ where member="$tok_member_dn$"\
| fields + cn, displayName, dn, member\
| rename dn as memberOf, cn as Group_cn, displayName as Group_Name\
| rename member as dn\
| stats values(memberOf) AS memberOf,values(Group_cn) AS Group_cn,values(Group_Name) AS Group_Name by dn\
| table dn, Group_cn, Group_Name, memberOf]\
| lookup AD_Obj_Group_$tgt_kv_suffix$ primaryGroupToken AS primaryGroupID OUTPUT dn AS primaryGroupdn,cn AS primaryGroupcn,displayName AS primaryGroupName\
| eval memberOf=mvappend(memberOf,primaryGroupdn), Group_Name=mvappend(Group_Name,primaryGroupName),Group_cn=mvappend(Group_cn,primaryGroupcn)
iseval = 0

## Full Group Membership - With passed Object Lookup Name, Attribute Value, Member Domain, and Member Attribute Value
## Example - | inputlookup AD_Object_User | `ms_obj_md_get_full_group_membership_attr("sedemo",User,"sedemo",sAMAccountName,"Administrator")`
[ms_obj_md_get_full_group_membership_attr(5)]
args = group_lookup,tok_obj_lkp,tok_member_domain,tok_member_attr,tok_member_val
definition = join type=left dn [| inputlookup $group_lookup$ where [| inputlookup $tok_obj_lkp$ WHERE domain="$tok_member_domain$" AND $tok_member_attr$="$tok_member_val$" | fields dn | rename dn AS member | table member|format]\
| fields dn, displayName,cn,member\
| eval displayName=if(isnull(displayName),cn,displayName)\
| rename dn as memberOf\
| rename member as dn\
| stats values(memberOf) AS memberOf by dn\
| search [| inputlookup $tok_obj_lkp$ WHERE domain="$tok_member_domain$" AND $tok_member_attr$="$tok_member_val$" | fields dn | table dn|format]\
| table dn, memberOf]\
| lookup $group_lookup$ primaryGroupToken AS primaryGroupID OUTPUT dn AS primaryGroupdn\
| eval memberOf=mvappend(memberOf,primaryGroupdn)
iseval = 0

## Full Group Membership - With passed Object Lookup Name, Attribute Value, Member Domain, and Member Attribute Value
## Example - | inputlookup AD_Object_User | `ms_obj_md_get_full_group_membership_attr("sedemo",User,"sedemo",sAMAccountName,"Administrator")`
[ms_obj_md_get_full_group_membership_attr_tmp(5)]
args = group_lookup,tok_obj_lkp,tok_member_domain,tok_member_attr,tok_member_val
definition = join dn type=left[| inputlookup $group_lookup$ WHERE [| inputlookup $tok_obj_lkp$ WHERE domain="$tok_member_domain$" AND $tok_member_attr$="$tok_member_val$" | fields dn | stats values(dn) AS member |format]\
| fields dn, member,displayName,cn\
| eval displayName=if(isnull(displayName),cn,displayName)\
| mvexpand member\
| search [| inputlookup $tok_obj_lkp$ WHERE domain="$tok_member_domain$" AND $tok_member_attr$="$tok_member_val$" | fields dn | stats values(dn) AS member |format]\
| rename dn as memberOf\
| rename member as dn\
| eval memberOf=displayName."|".memberOf\
| stats values(memberOf) AS memberOf by dn\
| eval memberOf=mvjoin(memberOf,"####")]\
| lookup $group_lookup$ primaryGroupToken AS primaryGroupID OUTPUT dn AS primarygroupDN,displayName AS primarygroupName\
| eval memberOf=if(isnull(memberOf),primarygroupName."|".primarygroupDN,primarygroupName."|".primarygroupDN."####".memberOf)
iseval = 0

##Macro to receive Group Membership for designated object
[ms_obj_md_get_group_membership(2)]
args = group_lookup,tok_member_dn
definition = inputlookup $group_lookup$ WHERE member="$tok_member_dn$"\
| fields cn,displayName,dn,member\
| rename dn AS memberOf,cn AS Group_cn,displayName AS Group_Name\
| rename member AS dn\
| table dn,Group_cn,Group_Name,memberOf

##Get: INLINE - Specific Lookup Member by AD Group - Macro to receive inline the Group Membership for an object's specified field
## Example - | `ms_obj_md_get_l_group_membership("sedemo","dn")`
##		= | lookup AD_Obj_Group member AS dn OUTPUT cn AS Group_cn,dn AS Group_dn
[ms_obj_md_get_l_group_membership(2)]
args = group_lookup,tok_field_data
definition = lookup $group_lookup$ member AS $tok_field_data$ OUTPUT cn AS Group_cn,dn AS Group_dn

##Filter: Specific Lookup Member by AD Group - Macro to filter a lookup (ie. AD_Obj_User, AD_Obj_Group, AD_Obj_Computer) for a specific AD Group
##Note: Add the | before the macro, can't embed in the macro and Can't Be NULL.
## Example - | `ms_obj_md_filter_lkup_group_members("sedemo","AD_Obj_User","TestDomain","CN=Administrators,CN=Builtin,DC=testdomain,DC=local")`
[ms_obj_md_filter_lkup_group_members(4)]
args = group_lookup,tok_tgt_lkup,tok_tgt_domain,tok_tgt_group_dn
definition = inputlookup $tok_tgt_lkup$ WHERE domain="$tok_tgt_domain$" AND [|inputlookup $group_lookup$ WHERE dn="$tok_tgt_group_dn$" | fields member | rename member AS dn | table dn]

##Filter: Specific Lookup Object by OU Path - Macro to filter a lookup (ie. AD_Obj_User, AD_Obj_Group, AD_Obj_Computer, AD_Obj_OU, AD_Obj_GPO) for a specific AD OU Path
##Note: Add the | before the macro, can't embed in the macro.
## Example - | `ms_obj_md_filter_lkup_dn_path("sedemo","AD_Obj_Computer","TestDomain","OU=vers_test_bed,OU=splunktel-users,DC=testdomain,DC=local")`
[ms_obj_md_filter_lkup_dn_path(4)]
args =  tgt_kv_suffix,tok_tgt_lkup,tok_tgt_domain,tok_tgt_dn_path
definition = inputlookup $tok_tgt_lkup$ WHERE domain="$tok_tgt_domain$"\
| where match(dn_path,"$tok_tgt_dn_path$")

##FUll OU-User Filter - Model: Specific Lookup Object by OU Path - Macro to filter a lookup (ie. AD_Obj_User, AD_Obj_Group, AD_Obj_Computer, AD_Obj_OU, AD_Obj_GPO) for a specific AD OU Path
##Note: Add the | before the macro, can't embed in the macro.
## Example - STANDARD INDEXED - sourcetype=WinEventLog `ms_obj_filter_user_by_dn_path("sedemo","","*","OU=vers_test_bed,OU=splunktel-users,DC=testdomain,DC=local","search","|format")`
## EXAMPLE - DATA MODEL:
## | tstats summariesonly=true allow_old_summaries=true count from datamodel=Authentication.Authentication where Authentication.action=* Authentication.user=* (Authentication.src=* OR Authentication.dest=*) by _time,Authentication.src,Authentication.dest,Authentication.user,Authentication.action
## | rename "Authentication.*" as "*"
## | `ms_obj_md_filter_user_by_dn_path("sedemo","join user","*","OU=vers_test_bed,OU=splunktel-users,DC=testdomain,DC=local","user","|table user")`
[ms_obj_md_filter_dn_path_fields(7)]
args = user_lookup,tok_lookup,tok_tgt_domain,tok_filt_ou,tok_link_field,tok_src_field,tok_part_post
definition = [| inputlookup $user_lookup$ WHERE domain="$tok_tgt_domain$"\
| fields sAMAccountName,domain,cn,userPrincipalName,dn_path\
| WHERE match(dn_path, "$tok_filt_ou$")\
| eval $tok_link_field$=$tok_src_field$\
$tok_part_post$]
iseval = 0

##Filter: Subsearch - Member by AD Group - Macro to filter a lookup (ie. AD_Obj_User, AD_Obj_Group, AD_Obj_Computer) for a specific AD Group
[ms_obj_md_filter_sub_group_members(3)]
args = group_lookup,tok_tgt_domain,tok_tgt_group_dn
definition = [| inputlookup $group_lookup$ WHERE domain="$tok_tgt_domain$" AND dn="$tok_tgt_group_dn$" | fields member | rename member AS dn | table dn]

##	- Filter - Admin Audit
##		- By Group Membership
##[ms_obj_md_filter_admin_field_group(5)]
##args = group_lookup,tok_domain,tok_user_field,tok_admin_group,tok_format_option
##definition = [| inputlookup AD_Obj_Admin_Audit WHERE admin_domain="$tok_domain$" \
##| fields admin_user, admin_cn,admin_dn,admin_userPrincipalName\
##| lookup $group_lookup$ member AS admin_dn OUTPUT dn AS memberOf\
##| WHERE match(memberOf,"$tok_admin_group$")\
##| eval $tok_user_field$=admin_user\
##| eval $tok_user_field$=mvappend($tok_user_field$,admin_userPrincipalName,admin_cn,admin_dn)\
##| stats count by $tok_user_field$\
##| fields $tok_user_field$\
##| $tok_format_option$]
##iseval = 0

###-----------------------------------------------------###
#--- Macro's Used for Security Reports for each Object ---#
#--- 					MULTI-DOMAIN - KV Split   	   ---#
###-----------------------------------------------------###
## Computer Search Macros that point to AD_Obj_Computer Lookup:
[ms_obj_md_secrpt-new-computers_raw(2)]
args = computer_lookup,domain
definition = `ms_obj_changes_base_cat_act("Computer","created")` dest_nt_domain="$domain$"\
| table _time,src_user,src_nt_domain,dest_nt_domain,user\
| eval adminuser=src_nt_domain."\\".src_user\
| eval sAMAccountName=$user$ \
| join sAMAccountName [|inputlookup $computer_lookup$ WHERE sAMAccountName=$user$ | table dNSHostName,operatingSystem,operatingSystemServicePack]\
| table _time,cn,dNSHostName,sAMAccountName,operatingSystem,operatingSystemServicePack,adminuser
iseval = 0

[ms_obj_md_secrpt-all-computers(2)]
args = computer_lookup,domain
definition = inputlookup $computer_lookup$ WHERE domain="$domain$"\
| fields sAMAccountName,cn,dNSHostName,whenChanged,whenCreated,isDeleted,deletedDate,userAccountControl,operatingSystem,operatingSystemServicePack\
| eval whenDeleted=if(isDeleted=="TRUE",strftime(deletedDate, "%m/%d/%Y %a, %I:%M %P"),"")\
| `ms_obj_uac_get_details_lkup`\
| makemv delim=":" uac_details\
| sort cn\
| table cn,dNSHostName,sAMAccountName,uac_details,operatingSystem,operatingSystemServicePack,whenChanged,whenCreated,whenDeleted
iseval = 0

[ms_obj_md_secrpt-all-domain-controllers(2)]
args = computer_lookup,domain
definition = inputlookup $computer_lookup$ WHERE domain="$domain$"\
| fields sAMAccountName,cn,dNSHostName,whenChanged,whenCreated,userAccountControl,operatingSystem,operatingSystemServicePack,dn,primaryGroupID\
| where (primaryGroupID=516 OR match(dn,"(?si)ou\=domain\scontrollers"))\
| `ms_obj_uac_get_details_lkup`\
| makemv delim=":" uac_details\
| sort sAMAccountName\
| table cn,dNSHostName,sAMAccountName,uac_details,operatingSystem,operatingSystemServicePack,whenChanged,whenCreated
iseval = 0

[ms_obj_md_secrpt-disabled-computers(2)]
args = computer_lookup,domain
definition = inputlookup $computer_lookup$ WHERE domain="$domain$"\
| fields sAMAccountName,cn,dNSHostName,whenChanged,userAccountControl,operatingSystem,operatingSystemServicePack,dn\
| `ms_obj_uac_get_details_lkup`\
| makemv delim=":" uac_details\
| eval uac_filter=mvfilter(match(uac_details, "Disabled"))\
| search uac_filter=*\
| sort sAMAccountName\
| table cn,dNSHostName,sAMAccountName,uac_details,whenChanged,operatingSystem,operatingSystemServicePack,dn
iseval = 0

[ms_obj_md_secrpt-inactive-computers(2)]
args = computer_lookup,domain
definition = inputlookup $computer_lookup$ WHERE domain="$domain$"\
| fields sAMAccountName,cn,dNSHostName,userAccountControl,operatingSystem,operatingSystemServicePack,dn\
| table sAMAccountName,cn,dNSHostName,userAccountControl,operatingSystem,operatingSystemServicePack \
|join type=left sAMAccountName [search `ms_ad_obj_qck_succ_comp_logins(1)`|eval sAMAccountName=lower(comp_obj_sam) | table sAMAccountName,lastLogonTime]\
| where isnull(lastLogonTime)\
| `ms_obj_uac_get_details_lkup`\
| makemv delim=":" uac_details\
| table cn,dNSHostName,sAMAccountName,uac_details,operatingSystem,operatingSystemServicePack,userAccountControl,dn
iseval = 0

[ms_obj_md_secrpt-trusted-computers(2)]
args = computer_lookup,domain
definition = inputlookup $computer_lookup$ WHERE domain="$domain$" \
| fields sAMAccountName,cn,managedBy,dNSHostName,uac_details,userAccountControl,operatingSystem,operatingSystemServicePack,dn\
| `ms_obj_uac_get_details_lkup`\
| eval uac_filter=mvfilter(match(uac_details, "Server Trust Account|Workstation Trust Account")) \
| search uac_filter=* \
| makemv delim=":" uac_details\
| table cn,dNSHostName,sAMAccountName,uac_details,operatingSystem,operatingSystemServicePack,dn
iseval = 0

[ms_obj_md_secrpt-unmanaged-computers(2)]
args = computer_lookup,domain
definition = inputlookup $computer_lookup$ WHERE domain="$domain$" AND NOT managedBy="*" OR managedBy=""\
| fields sAMAccountName,cn,dNSHostName,uac_details,userAccountControl,operatingSystem,operatingSystemServicePack,dn\
| sort sAMAccountName\
| `ms_obj_uac_get_details_lkup`\
| makemv delim=":" uac_details\
| table cn,dNSHostName,sAMAccountName,uac_details,operatingSystem,operatingSystemServicePack,dn
iseval = 0

[ms_obj_md_secrpt-managed-computers(2)]
args = computer_lookup,domain
definition = inputlookup $computer_lookup$ WHERE domain="$domain$" AND managedBy="*" AND NOT managedBy=""\
| fields sAMAccountName,cn,managedBy,dNSHostName,uac_details,userAccountControl,operatingSystem,operatingSystemServicePack\
| sort sAMAccountName\
| `ms_obj_uac_get_details_lkup`\
| makemv delim=":" uac_details\
| table cn,dNSHostName,sAMAccountName,managedBy,uac_details,operatingSystem,operatingSystemServicePack
iseval = 0

[ms_obj_md_secrpt-unused-computers(2)]
args = computer_lookup,domain
definition = inputlookup $computer_lookup$ WHERE (domain="$domain$" AND logonCount="0")\
| fields sAMAccountName,cn,dNSHostName,uac_details,userAccountControl,operatingSystem,operatingSystemServicePack,dn\
| `ms_obj_uac_get_details_lkup`\
| makemv delim=":" uac_details\
| table cn,sAMAccountName,dNSHostName,uac_details,operatingSystem,operatingSystemServicePack,dn
iseval = 0

[ms_obj_md_secrpt-active-computers(2)]
args = computer_lookup,domain
definition = `ms_ad_obj_qck_succ_comp_logins("$domain$")`\
| search comp_obj_sam="*"\
| eval sAMAccountName=lower(comp_obj_sam)\
| fields sAMAccountName,lastLogonTime\
| join sAMAccountName\
[| inputlookup $computer_lookup$\
| `ms_obj_uac_get_details_lkup`\
| makemv delim=":" uac_details\
| table cn,sAMAccountName,dNSHostName,uac_details,operatingSystem,operatingSystemServicePack]\
| eval lastLogonTime=strftime(lastLogonTime,"%c")\
| table cn,dNSHostName,uac_details,operatingSystem,operatingSystemServicePack,lastLogonTime
iseval = 0

[ms_obj_md_secrpt-deleted-computers_raw(2)]
args = computer_lookup,domain
definition = `ms_obj_changes_base_cat_act("Computer","deleted")` dest_nt_domain="$domain$"\
| fields _time,_raw,user,src_nt_domain,src_user\
| eval adminuser=src_nt_domain."\\".src_user\
| table _time,user,adminuser,_raw\
| rename user as "Deleted Computer",adminuser as "Deleted By"
iseval = 0

[ms_obj_md_secrpt-new-computers(4)]
args = computer_lookup,domain,starttime,endtime
definition = inputlookup $computer_lookup$ WHERE domain="$domain$"\
| fields sAMAccountName,cn,whenCreated,dNSHostName,uac_details,userAccountControl,operatingSystem,operatingSystemServicePack,dn\
| eval begintime=strptime("$starttime$", "%m/%d/%y %I:%M %P")\
| eval finishtime=strptime("$endtime$", "%m/%d/%y %I:%M %P")\
| eval whenCreated_epoch=strptime(whenCreated, "%I:%M.%S %P, %a %m/%d/%Y")\
| where whenCreated_epoch>begintime AND whenCreated_epoch<finishtime\
| sort dNSHostName\
| `ms_obj_uac_get_details_lkup`\
| makemv delim=":" uac_details\
| table cn,dNSHostName,sAMAccountName,whenCreated,uac_details,operatingSystem,operatingSystemServicePack,dn
iseval = 0

[ms_obj_md_secrpt-deleted-computers(4)]
args = computer_lookup,domain,starttime,endtime
definition = inputlookup $computer_lookup$ WHERE domain="$domain$" AND isDeleted="TRUE"\
| fields sAMAccountName,cn,orig_cn,deletedDate,dNSHostName,uac_details,userAccountControl,operatingSystem,operatingSystemServicePack,dn\
| eval begintime=strptime("$starttime$", "%m/%d/%y %I:%M %P")\
| eval finishtime=strptime("$endtime$", "%m/%d/%y %I:%M %P")\
| eval whenDeleted=strftime(deletedDate, "%m/%d/%Y %a, %I:%M %P")\
| where deletedDate>begintime AND deletedDate<finishtime\
| sort dNSHostName\
| `ms_obj_uac_get_details_lkup`\
| makemv delim=":" uac_details\
| table orig_cn,cn,sAMAccountName,dNSHostName,whenDeleted,uac_details,operatingSystem,operatingSystemServicePack,dn
iseval = 0

[ms_obj_md_secrpt-changed-computers(4)]
args = computer_lookup,domain,starttime,endtime
definition = inputlookup $computer_lookup$ where domain="$domain$"\
| fields + sAMAccountName, cn, orig_cn, whenCreated,whenChanged,isDeleted,deletedDate, dNSHostName, uac_details, userAccountControl, operatingSystem, operatingSystemServicePack, dn \
| eval begintime=strptime("$starttime$","%m/%d/%y %I:%M %P"), finishtime=strptime("$endtime$","%m/%d/%y %I:%M %P"),whenChanged_epoch=strptime(whenChanged,"%I:%M.%S %P, %a %m/%d/%Y"),whenCreated_epoch=strptime(whenCreated,"%I:%M.%S %P, %a %m/%d/%Y")\
| where ((((deletedDate < finishtime) AND (deletedDate > begintime)) OR ((whenChanged_epoch < finishtime) AND (whenChanged_epoch > begintime))) OR ((whenCreated_epoch < finishtime) AND (whenCreated_epoch > begintime))) \
| eval whenDeleted=if(isDeleted="FALSE","",strftime(deletedDate,"%m/%d/%Y %a, %I:%M %P"))\
| sort dNSHostName \
| lookup AD_Obj_UAC userAccountControl OUTPUT uac_bin_map,uac_details \
| makemv delim=":" uac_details \
| table cn, sAMAccountName, dNSHostName,uac_details,operatingSystem,operatingSystemServicePack,whenCreated,whenChanged,whenDeleted,dn
iseval = 0

## Groups Search Macros that point to AD_Obj_Group Lookup:
[ms_obj_md_secrpt-all-groups(2)]
args = group_lookup,domain
definition = inputlookup $group_lookup$ WHERE domain="$domain$"\
| fields sAMAccountName,cn,groupType_Name,membercount,whenChanged,whenCreated,member,dn\
| eval group=if(isnull(cn) OR cn=="",sAMAccountName,cn) \
| sort group\
| makemv delim="|" member\
| eval membercount=if(isnull(membercount) OR membercount=="",mvcount(member),membercount)\
| eval whenChanged=strftime(strptime(whenChanged,"%I:%M.%S %P, %a %m/%d/%Y"),"%m/%d/%y %a %I:%M %P")\
| eval whenCreated=strftime(strptime(whenCreated,"%I:%M.%S %P, %a %m/%d/%Y"),"%m/%d/%y %a %I:%M %P")\
| table group,groupType_Name,dn,membercount,whenChanged,whenCreated\
| rename group as "Group Name",groupType_Name as "Type",dn AS distinguishedName,membercount as "# Members"
iseval = 0

[ms_obj_md_secrpt-empty-groups(2)]
args = group_lookup,domain
definition = inputlookup $group_lookup$ where membercount="0" AND domain="$domain$"\
| fields sAMAccountName,dn,cn,groupType,groupType_Name,member,membercount,whenChanged,whenCreated\
| eval group=if(isnull(cn) OR cn=="",sAMAccountName,cn)\
| sort group\
| lookup $group_lookup$ member AS dn OUTPUT sAMAccountName AS memberOf\
| eval whenChanged=strftime(strptime(whenChanged,"%I:%M.%S %P, %a %m/%d/%Y"),"%m/%d/%y %a %I:%M %P")\
| eval whenCreated=strftime(strptime(whenCreated,"%I:%M.%S %P, %a %m/%d/%Y"),"%m/%d/%y %a %I:%M %P")\
| table group,groupType,groupType_Name,membercount,memberOf,whenChanged,whenCreated\
| rename group as "Group_Name",groupType_Name as "Type",membercount as "# Members"
iseval = 0

[ms_obj_md_secrpt-large-groups(3)]
args = group_lookup,domain,minsize
definition = inputlookup $group_lookup$ WHERE domain="$domain$"\
| fields sAMAccountName,cn,groupType_Name,membercount,whenChanged,whenCreated,member\
| eval group=if(isnull(cn),sAMAccountName,cn)\
| eval membercount=if(isnull(membercount) OR membercount=="",mvcount(member),membercount)\
| search membercount>$minsize$ \
| sort -membercount, group\
| eval whenChanged=strftime(strptime(whenChanged,"%I:%M.%S %P, %a %m/%d/%Y"),"%m/%d/%y %a %I:%M %P")\
| eval whenCreated=strftime(strptime(whenCreated,"%I:%M.%S %P, %a %m/%d/%Y"),"%m/%d/%y %a %I:%M %P")\
| table group,groupType_Name,membercount,whenChanged,whenCreated\
| rename group as "Group_Name",groupType_Name as "Type",membercount as "# Members"
iseval = 0

[ms_obj_md_secrpt-nested-groups(2)]
args = group_lookup,domain
definition = inputlookup $group_lookup$ where domain="$domain$" \
| fields + distinguishedName,cn,dn, sAMAccountName, groupType_Name, memberOf, whenChanged, whenCreated\
| eval group=if(isnull(cn),sAMAccountName,cn)\
| lookup $group_lookup$ member AS dn OUTPUT sAMAccountName AS memberOf \
| search memberOf!="" \
| eval nested_group_count=mvcount(memberOf)\
| eval whenChanged=strftime(strptime(whenChanged,"%I:%M.%S %P, %a %m/%d/%Y"),"%m/%d/%y %a %I:%M %P")\
| eval whenCreated=strftime(strptime(whenCreated,"%I:%M.%S %P, %a %m/%d/%Y"),"%m/%d/%y %a %I:%M %P")\
| table group,distinguishedName,groupType_Name,memberOf,nested_group_count,whenChanged,whenCreated\
| sort -nested_group_count\
| rename group as "Group_Name", groupType_Name as Type
iseval = 0

[ms_obj_md_secrpt-unmanaged-groups(2)]
args = group_lookup,domain
definition = inputlookup $group_lookup$ WHERE domain="$domain$" NOT managedBy="*" OR managedBy=""\
| fields sAMAccountName,cn,groupType_Name,membercount,whenChanged,whenCreated,member\
| eval group=if(isnull(cn),sAMAccountName,cn)\
| eval membercount=if(isnull(membercount) OR membercount=="",mvcount(member),membercount)\
| sort group\
| eval whenChanged=strftime(strptime(whenChanged,"%I:%M.%S %P, %a %m/%d/%Y"),"%m/%d/%y %a %I:%M %P")\
| eval whenCreated=strftime(strptime(whenCreated,"%I:%M.%S %P, %a %m/%d/%Y"),"%m/%d/%y %a %I:%M %P")\
| table group,groupType_Name,membercount,whenChanged,whenCreated\
| rename group as "Group_Name",groupType_Name as "Type",membercount as "# Members"
iseval = 0

[ms_obj_md_secrpt-managed-groups(2)]
args = group_lookup,domain
definition = inputlookup $group_lookup$ WHERE domain="$domain$" AND managedBy="*" AND NOT managedBy=""\
| fields sAMAccountName,cn,groupType_Name,membercount,whenChanged,whenCreated,member,managedBy\
| eval group=if(isnull(cn),sAMAccountName,cn)\
| sort group\
| eval membercount=if(isnull(membercount) OR membercount=="",mvcount(member),membercount)\
| eval whenChanged=strftime(strptime(whenChanged,"%I:%M.%S %P, %a %m/%d/%Y"),"%m/%d/%y %a %I:%M %P")\
| eval whenCreated=strftime(strptime(whenCreated,"%I:%M.%S %P, %a %m/%d/%Y"),"%m/%d/%y %a %I:%M %P")\
| table group,managedBy,groupType_Name,membercount,whenChanged,whenCreated\
| rename group as "Group_Name",groupType_Name as "Type",membercount as "# Members"
iseval = 0

[ms_obj_md_secrpt-new-groups_raw(2)]
args = group_lookup,domain
definition = `ms_obj_changes_base_cat_act("Group","created")` dest_nt_domain="$domain$"\
| lookup AD_Audit_Group_Type MSADGroupClassID OUTPUT MSADGroupClass\
| eval objectGUID=lower(objectGUID)\
| lookup $group_lookup$ objectGUID OUTPUT cn AS user_group,MSADGroupType,MSADGroupClass\
| eval adminuser=src_nt_domain."\\".src_user\
| table _time,user_group,MSADGroupClass,MSADGroupType,adminuser\
| rename user_group as "Group Name",MSADGroupClass as "Class",MSADGroupType as "Type",adminuser as "Added By"
iseval = 0

[ms_obj_md_secrpt-new-groups(4)]
args = group_lookup,domain,starttime,endtime
definition = inputlookup $group_lookup$ WHERE domain="$domain$"\
| fields sAMAccountName,cn,whenCreated,distinguishedName,groupType_Name,memberOf,whenChanged,member,membercount\
| eval group=if(isnull(cn),sAMAccountName,cn)\
| eval begintime=strptime("$starttime$", "%m/%d/%y %I:%M %P")\
| eval finishtime=strptime("$endtime$", "%m/%d/%y %I:%M %P")\
| eval whenCreated_epoch=strptime(whenCreated, "%I:%M.%S %P, %a %m/%d/%Y")\
| where whenCreated_epoch>begintime AND whenCreated_epoch<finishtime\
| eval membercount=if(isnull(membercount) OR membercount=="",mvcount(member),membercount)\
| sort group\
| eval whenChanged=strftime(strptime(whenChanged,"%I:%M.%S %P, %a %m/%d/%Y"),"%m/%d/%y %a %I:%M %P")\
| eval whenCreated=strftime(strptime(whenCreated,"%I:%M.%S %P, %a %m/%d/%Y"),"%m/%d/%y %a %I:%M %P")\
| lookup $group_lookup$ member AS dn OUTPUT sAMAccountName AS memberOf\
| table group,whenCreated,distinguishedName,groupType_Name,membercount,whenChanged\
| rename group as "Group_Name",groupType_Name as "Type",membercount as "# Members"
iseval = 0

[ms_obj_md_secrpt-deleted-groups(4)]
args = group_lookup,domain,starttime,endtime
definition = inputlookup $group_lookup$ WHERE domain="$domain$" AND isDeleted="TRUE"\
| fields sAMAccountName,cn,orig_cn,dn,deletedDate,distinguishedName,groupType_Name,member,membercount,whenCreated,whenChanged\
| eval group=if(isnull(cn),sAMAccountName,cn)\
| eval begintime=strptime("$starttime$", "%m/%d/%y %I:%M %P")\
| eval finishtime=strptime("$endtime$", "%m/%d/%y %I:%M %P")\
| eval whenDeleted=strftime(deletedDate, "%m/%d/%y %a %I:%M %P")\
| where deletedDate>begintime AND deletedDate<finishtime\
| eval membercount=if(isnull(membercount) OR membercount=="",mvcount(member),membercount)\
| sort group\
| lookup $group_lookup$ member AS dn OUTPUT sAMAccountName AS memberOf\
| table group,orig_cn,whenDeleted,distinguishedName,groupType_Name,membercount,memberOf,whenCreated,whenChanged\
| rename group as "Group_Name",groupType_Name as "Type",membercount AS "Last Member Count"
iseval = 0

[ms_obj_md_secrpt-changed-groups(4)]
args = group_lookup,domain,starttime,endtime
definition = inputlookup $group_lookup$ where (domain="$domain$") \
| fields + sAMAccountName,cn,orig_cn,whenCreated,whenChanged,isDeleted,deletedDate,distinguishedName,groupType_Name,membercount,member \
| eval group=if(isnull(orig_cn) OR orig_cn=="",if(isnull(cn) OR (cn == ""),lower(sAMAccountName),lower(cn)),lower(orig_cn)), begintime=strptime("$starttime$","%m/%d/%y %I:%M %P"), finishtime=strptime("$endtime$","%m/%d/%y %I:%M %P"), whenChanged_epoch=strptime(whenChanged,"%I:%M.%S %P, %a %m/%d/%Y"), whenCreated_epoch=strptime(whenCreated,"%I:%M.%S %P, %a %m/%d/%Y"), deletedDate_epoch=strptime(deletedDate,"%I:%M.%S %P, %a %m/%d/%Y") \
| eval whenDeleted=if(isDeleted="FALSE","",strftime(deletedDate,"%m/%d/%Y %a, %I:%M %P"))\
| where ((whenChanged_epoch < finishtime) AND (whenChanged_epoch > begintime) OR (whenCreated_epoch < finishtime) AND (whenCreated_epoch > begintime) OR (deletedDate_epoch < finishtime) AND (deletedDate_epoch > begintime)) \
| sort group \
| eval membercount=if((isnull(membercount) OR (membercount == "")),mvcount(member),membercount) \
| table group,sAMAccountName,groupType_Name,distinguishedName,membercount,whenCreated,whenChanged, whenDeleted,\
| rename group as Group_Name, groupType_Name as Type,membercount as "# Members"
iseval = 0

[ms_obj_md_group_action_events(4)]
args = group_lookup,domain,group,action
definition = `ms_obj_group_all_changes_base` ([| inputlookup $group_lookup$ WHERE lookup_grp="$group$" | fields lookup_grp | stats values(lookup_grp) AS search | eval search="\"".mvjoin(search,"\" OR \"")."\""]) (src_nt_domain="$domain$" OR dest_nt_domain="$domain$") ($action$)\
| fields _time,_raw,member_obj_dn,member_obj_id,member_obj_domain,member_obj_class,src_user,src_nt_domain,dest_nt_domain,group_obj_id,group_obj_dn,group_obj_nm,user_group,Group_Name,group_id,msad_action,MSADGroupClassID,MSADGroupType,MSADGroupClass,signature,Correlation_ID,MSADChangedAttributes,AttributeLDAPDisplayName,AttributeValue,DN,dir_svcs_action,Old_DN,New_DN\
| eval adminuser=if(isnull(src_nt_domain),src_user,upper(src_nt_domain)."\\".src_user),member=if(isnull(member_obj_domain),replace(member_obj_id,"\x5C{1}",""),member_obj_domain."\\".replace(member_obj_id,"\x5C{1}",""))\
| eval member=if(isnull(member),if(isnull(member_obj_dn),"NA",member_obj_dn),member)\
| eval group_obj_lkp=if(isnull(group_obj_dn),if(isnull(New_DN),if(isnull(Old_DN),if(isnull(DN),if(isnull(user_group),if(isnull(Group_Name),if(isnull(group_obj_id),"NA",lower(replace(group_obj_id,"\x5C{1}",""))),lower(replace(Group_Name,"\x5C{1}",""))),lower(replace(user_group,"\x5C{1}",""))),lower(replace(DN,"\x5C{1}",""))),lower(replace(Old_DN,"\x5C{1}",""))),lower(replace(New_DN,"\x5C{1}",""))),lower(replace(group_obj_dn,"\x5C{1}","")))\
| lookup AD_Audit_Group_Type MSADGroupClassID OUTPUT MSADGroupClass\
| lookup $group_lookup$ lookup_grp AS group_obj_lkp OUTPUT cn AS group_obj_cn, orig_cn AS group_obj_o_cn,MSADGroupClass AS MSADGroupClass_u, MSADGroupType AS MSADGroupType_u\
| eval MSADGroupClass=if(isnull(MSADGroupClass),MSADGroupClass_u,MSADGroupClass),MSADGroupType=if(isnull(MSADGroupType),MSADGroupType_u,MSADGroupType)\
| eval group_obj_nm=if(isnull(group_obj_o_cn) OR group_obj_o_cn="",if(isnull(group_obj_cn) OR group_obj_cn="",if(isnull(group_obj_lkp),"NA",group_obj_lkp),lower(group_obj_cn)),lower(group_obj_o_cn))\
| search group_obj_nm="$group$" OR group_obj_lkp="$group$"\
| `ms_obj_msad-changed-attributes`\
| stats list(MSADChanges) AS MSADChanges,values(Correlation_ID) AS Correlation_IDs by _time,adminuser,msad_action,group_obj_nm,MSADGroupType,MSADGroupClass,member,signature\
| eval MSADChanges=mvjoin(MSADChanges, "########")\
| eval MSADChanges=case(isnull(signature) AND isnull(MSADChanges),"Unknown Changes",isnull(signature),MSADChanges,isnotnull(MSADChanges),"Signature: ".signature."########".MSADChanges)\
| makemv delim="########" MSADChanges\
| table _time,adminuser,msad_action,group_obj_nm,MSADGroupType,MSADGroupClass,member,MSADChanges
iseval = 0

## User Search Macros that point to AD_Obj_User Lookup:
## Filter search for critical objects
## Ex: `ms_obj_win_events_security` `ms_obj_md_critical_obj_filter("sedemo",User,src_user)`
## Ex: `ms_obj_win_events_security` `ms_obj_md_critical_obj_filter("sedemo",User,user)`
## Ex: `ms_obj_win_events_security` `ms_obj_md_critical_obj_filter("sedemo",Computer,user)`
[ms_obj_md_critical_filter_field(3)]
args = tgt_kv_suffix,obj_lookup,evt_field
definition = search $evt_field$ IN([| inputlookup AD_Audit_Default_Critical_Objects WHERE obj_type="group" | fields cn | lookup AD_Obj_Group_$tgt_kv_suffix$ cn OUTPUT member | lookup AD_Obj_$obj_lookup$ dn AS member OUTPUT sAMAccountName AS user, cn AS user_cn | eventstats values(user) AS users | eval users=if(users="" OR isnull(users),"NO_Obj_Found",users) | stats values(users) AS users\
| eval search="\"".mvjoin(users,"\",\"")."\"" | table search])
iseval = 0

[ms_obj_md_critical_filter_raw(2)]
args = group_lookup,tgt_obj_lookup
definition = [| inputlookup AD_Audit_Default_Critical_Objects WHERE obj_type="group"\
| fields cn\
| lookup $group_lookup$ cn OUTPUT member\
| search member!=""\
| lookup $tgt_obj_lookup$ dn AS member OUTPUT sAMAccountName AS user, cn AS user_cn\
| search user!=""\
| stats values(user) AS users\
| eval search="\"".mvjoin(users,"\" OR \"")."\""\
| table search]
iseval = 0

[ms_obj_md_critical_filter_raw(3)]
args = group_lookup,obj_lookup,evt_field
definition = [| inputlookup AD_Audit_Default_Critical_Objects WHERE obj_type="group"\
| fields cn\
| lookup $group_lookup$ cn OUTPUT member\
| search member!=""\
| lookup $tgt_obj_lookup$ dn AS member OUTPUT sAMAccountName AS user, cn AS user_cn\
| search user!=""\
| stats values(user) AS users\
| eval search="$evt_field$=\"".mvjoin(users,"\" OR $evt_field$=\"")."\""\
| table search]
iseval = 0

[ms_obj_md_secrpt-all-users(2)]
args = user_lookup,domain
definition = inputlookup $user_lookup$ append=true WHERE domain="$domain$"\
| `ms_obj_uac_get_details_lkup`\
| makemv delim=":" uac_details\
| table domain, sAMAccountName, userPrincipalName,userAccountControl, uac_details,domain, distinguishedName,whenChanged,whenCreated\
| sort sAMAccountName\
| rename sAMAccountName AS "user", uac_details AS userAccountControl_Details
iseval = 0

[ms_obj_md_secrpt-disabled-users(2)]
args = user_lookup,domain
definition = inputlookup $user_lookup$ append=true WHERE domain="$domain$" \
| `ms_obj_uac_get_details_lkup`\
| eval uac_filter=mvfilter(match(uac_details, "Disabled")) \
| search uac_filter=*\
| makemv delim=":" uac_details\
| table domain, sAMAccountName, userPrincipalName,userAccountControl, uac_details,domain, distinguishedName,whenChanged,whenCreated\
| sort sAMAccountName\
| rename sAMAccountName AS "user", uac_details AS userAccountControl_Details
iseval = 0

[ms_obj_md_secrpt-disabled-users(4)]
args = user_lookup,domain,starttime,endtime
definition = inputlookup $user_lookup$ WHERE domain="$domain$" AND uac_details="Disabled"\
| eval begintime=strptime("$starttime$", "%m/%d/%y %I:%M %P")\
| eval finishtime=strptime("$endtime$", "%m/%d/%y %I:%M %P")\
| eval whenChanged_epoch=strptime(whenChanged, "%I:%M.%S %P, %a %m/%d/%Y")\
| where whenChanged_epoch>begintime AND whenChanged_epoch<finishtime\
| sort sAMAccountName\
| makemv delim=":" uac_details\
| table domain, sAMAccountName, whenChanged,userPrincipalName,userAccountControl, uac_details,domain, distinguishedName\
| sort sAMAccountName\
| rename sAMAccountName AS "user", uac_details AS userAccountControl_Details
iseval = 0

[ms_obj_md_secrpt-users-smartcard-required(2)]
args = user_lookup,domain
definition = inputlookup $user_lookup$ append=true WHERE domain="$domain$" \
| `ms_obj_uac_get_details_lkup`\
| eval uac_filter=mvfilter(match(uac_details, "Smart Card Required"))\
| search uac_filter=*\
| makemv delim=":" uac_details\
| table domain, sAMAccountName, userPrincipalName,userAccountControl, uac_details,domain, distinguishedName,whenChanged,whenCreated\
| sort sAMAccountName\
| rename sAMAccountName AS "user", uac_details AS userAccountControl_Details
iseval = 0

[ms_obj_md_secrpt-sensitive-users(2)]
args = user_lookup,domain
definition = inputlookup $user_lookup$ append=true WHERE domain="$domain$" \
| `ms_obj_uac_get_details_lkup`\
| eval uac_filter=mvfilter(match(uac_details, "Sensitive - Not Delegated"))\
| search uac_filter=*\
| makemv delim=":" uac_details\
| table domain, sAMAccountName, userPrincipalName,userAccountControl, uac_details,domain, distinguishedName,whenChanged,whenCreated\
| sort sAMAccountName\
| rename sAMAccountName AS "user", uac_details AS userAccountControl_Details
iseval = 0

[ms_obj_md_secrpt-expired-users(2)]
args = user_lookup,domain
definition = inputlookup $user_lookup$ WHERE NOT accountExpires="Never Expires" AND NOT accountExpires="0" AND domain="$domain$"\
| fields accountExpires,domain, sAMAccountName, userAccountControl,userPrincipalName,uac_details,distinguishedName,whenChanged,whenCreated,deletedDate\
| eval now_time=now()\
| eval accountExpires_utc=round(strptime(accountExpires,"%I:%M.%S %P, %a %m/%d/%Y"),0)\
| where accountExpires_utc<now_time\
| `ms_obj_uac_get_details_lkup`\
| makemv delim=":" uac_details\
| sort sAMAccountName\
| table domain, accountExpires,sAMAccountName, userPrincipalName,uac_details,domain, distinguishedName,whenChanged,whenCreated,whenDeleted\
| rename sAMAccountName AS "user", uac_details AS userAccountControl_Details
iseval = 0

[ms_obj_md_secrpt-users-that-dont-expire(2)]
args = user_lookup,domain
definition = inputlookup $user_lookup$ WHERE domain="*" AND accountExpires=0 OR accountExpires="Never Expires"\
| `ms_obj_uac_get_details_lkup`\
| makemv delim=":" uac_details\
| table domain, accountExpires, sAMAccountName, userPrincipalName,userAccountControl, uac_details,domain, distinguishedName,whenChanged,whenCreated\
| sort sAMAccountName\
| rename sAMAccountName AS "user", uac_details AS userAccountControl_Details
iseval = 0

[ms_obj_md_secrpt-users-whose-password-doesnt-expire(2)]
args = user_lookup,domain
definition = inputlookup $user_lookup$ append=true WHERE domain="$domain$" \
| fields domain, sAMAccountName, userPrincipalName,userAccountControl, domain, distinguishedName,whenChanged,whenCreated\
| `ms_obj_uac_get_details_lkup`\
| eval uac_filter=mvfilter(match(uac_details, "Password Does Not Expire"))\
| search uac_filter=*\
| makemv delim=":" uac_details\
| table domain, sAMAccountName, userPrincipalName,userAccountControl, uac_details,domain, distinguishedName,whenChanged,whenCreated\
| sort sAMAccountName\
| rename sAMAccountName AS "user", uac_details AS userAccountControl_Details
iseval = 0

[ms_obj_md_secrpt-users-with-no-manager(2)]
args = user_lookup,domain
definition = inputlookup $user_lookup$ WHERE domain="$domain$" AND NOT manager="*"\
| fields domain, sAMAccountName, userPrincipalName,userAccountControl, uac_details,domain, distinguishedName,whenChanged,whenCreated\
| sort sAMAccountName\
| `ms_obj_uac_get_details_lkup`\
| makemv delim=":" uac_details\
| table domain, sAMAccountName, userPrincipalName,userAccountControl, uac_details,domain, distinguishedName,whenChanged,whenCreated\
| sort sAMAccountName\
| rename sAMAccountName AS "user", uac_details AS userAccountControl_Details
iseval = 0

[ms_obj_md_secrpt-users-with-manager(2)]
args = user_lookup,domain
definition = inputlookup $user_lookup$ WHERE domain="$domain$" AND manager="*" AND NOT manager=""\
| fields domain, sAMAccountName, userPrincipalName,userAccountControl, uac_details,domain, distinguishedName,whenChanged,whenCreated\
| sort sAMAccountName\
| `ms_obj_uac_get_details_lkup`\
| makemv delim=":" uac_details\
| table domain, sAMAccountName, userPrincipalName,userAccountControl, uac_details,domain, distinguishedName,whenChanged,whenCreated\
| sort sAMAccountName\
| rename sAMAccountName AS "user", uac_details AS userAccountControl_Details
iseval = 0

[ms_obj_md_secrpt-users-that-dont-require-password(2)]
args = user_lookup,domain
definition = inputlookup $user_lookup$ append=true WHERE domain="$domain$" \
| fields domain, sAMAccountName, userPrincipalName, userAccountControl, uac_details,domain, distinguishedName,whenChanged,whenCreated\
| `ms_obj_uac_get_details_lkup`\
| makemv delim=":" uac_details\
| eval uac_filter=mvfilter(match(uac_details, "Password Not Required")) \
| search uac_filter=*\
| table domain, sAMAccountName, userPrincipalName, userAccountControl, uac_details,domain, distinguishedName,whenChanged,whenCreated\
| sort sAMAccountName\
| rename sAMAccountName AS "user", uac_details AS userAccountControl_Details
iseval = 0

[ms_obj_md_secrpt-users-no-smartcard-required(2)]
args = user_lookup,domain
definition = inputlookup $user_lookup$ append=true WHERE domain="$domain$" \
| fields domain, sAMAccountName, userPrincipalName,userAccountControl, uac_details,domain, distinguishedName,whenChanged,whenCreated\
| `ms_obj_uac_get_details_lkup`\
| makemv delim=":" uac_details\
| eval uac_filter=mvfilter(match(uac_details, "Password Not Required"))\
| search NOT uac_filter=*\
| table domain, sAMAccountName, userPrincipalName,userAccountControl, uac_details,domain, distinguishedName,whenChanged,whenCreated\
| sort sAMAccountName\
| rename sAMAccountName AS "user", uac_details AS userAccountControl_Details
iseval = 0

[ms_obj_md_secrpt-unused-users(2)]
args = user_lookup,domain
definition = inputlookup $user_lookup$ append=true WHERE domain="$domain$"\
| where logonCount=0 OR isnull(logonCount)\
| fields domain, sAMAccountName, userPrincipalName,userAccountControl, uac_details,domain, distinguishedName,whenChanged,whenCreated\
| `ms_obj_uac_get_details_lkup`\
| makemv delim=":" uac_details\
| table domain, sAMAccountName, userPrincipalName,userAccountControl, uac_details,domain, distinguishedName,whenChanged,whenCreated\
| sort sAMAccountName\
| rename sAMAccountName AS "user", uac_details AS userAccountControl_Details
iseval = 0

[ms_obj_md_secrpt-active-users(2)]
args = user_lookup,domain
definition = `ms_obj_success_logons("user")` dest_nt_domain="$domain$"\
| fields _time, dest_nt_domain,user\
| stats  max(_time) as lastLogonTime by dest_nt_domain,user\
| join  user  [|inputlookup $user_lookup$ | search domain="$domain$" | rename sAMAccountName AS user | fields cn,user,userPrincipalName]\
| eval  lastLogonTime=strftime(lastLogonTime,"%c")\
| stats last(lastLogonTime) AS lastLogonTime by user,cn,userPrincipalName\
| rename  user as Username,cn as "Full Name", lastLogonTime as "Last Logon Time"
iseval = 0

[ms_obj_md_secrpt-inactive-users(2)]
args = user_lookup,domain
definition = inputlookup $user_lookup$ WHERE domain="$domain$"\
| fields domain, sAMAccountName, userPrincipalName,userAccountControl, uac_details,domain, distinguishedName,whenChanged,whenCreated,deletedDate\
| join type=outer sAMAccountName [search `ms_obj_failed_success_logons("user")` dest_nt_domain="$domain$"| fields _time, user|stats max(_time) AS lastLogonTime by user|rename user as sAMAccountName | fields sAMAccountName, lastLogonTime]\
| where isnull(lastLogonTime)\
| `ms_obj_uac_get_details_lkup`\
| makemv delim=":" uac_details\
| sort sAMAccountName\
| eval whenDeleted=strftime(deletedDate, "%I:%M.%S %P, %a %m/%d/%Y")\
| table domain, sAMAccountName, userPrincipalName,userAccountControl, uac_details,domain, distinguishedName,whenChanged,whenCreated,whenDeleted\
| rename sAMAccountName AS "user", uac_details AS userAccountControl_Details
iseval = 0

[ms_obj_md_secrpt-users-password-too-old(2)]
args = user_lookup,domain
definition = inputlookup $user_lookup$ WHERE domain="$domain$"\
| join type=outer sAMAccountName [search eventtype=msad-password-changes dest_nt_domain=$domain$|stats max(_time) as maxtime by user|rename user as sAMAccountName|where isnull(maxtime)]\
| `ms_obj_uac_get_details_lkup`\
| makemv delim=":" uac_details\
| table sAMAccountName,cn,userPrincipalName,userAccountControl,uac_details,pwdLastSet
iseval = 0

[ms_obj_md_secrpt-new-users(4)]
args = user_lookup,domain,starttime,endtime
definition = inputlookup $user_lookup$ WHERE domain="$domain$"\
| eval begintime=strptime("$starttime$", "%m/%d/%y %I:%M %P")\
| eval finishtime=strptime("$endtime$", "%m/%d/%y %I:%M %P")\
| eval whenCreated_epoch=strptime(whenCreated, "%I:%M.%S %P, %a %m/%d/%Y")\
| where whenCreated_epoch>begintime AND whenCreated_epoch<finishtime\
| sort sAMAccountName\
| `ms_obj_uac_get_details_lkup`\
| makemv delim=":" uac_details\
| table domain, sAMAccountName, whenCreated, whenChanged,userPrincipalName,userAccountControl, uac_details,domain, distinguishedName\
| sort sAMAccountName\
| rename sAMAccountName AS "user", uac_details AS userAccountControl_Details
iseval = 0

[ms_obj_md_secrpt-deleted-users(4)]
args = user_lookup,domain,starttime,endtime
definition = inputlookup $user_lookup$ WHERE domain="$domain$" AND isDeleted="TRUE"\
| eval begintime=strptime("$starttime$", "%m/%d/%y %I:%M %P")\
| eval finishtime=strptime("$endtime$", "%m/%d/%y %I:%M %P")\
| eval whenDeleted=strftime(deletedDate, "%m/%d/%Y %a, %I:%M.%S %P")\
| where deletedDate>begintime AND deletedDate<finishtime\
| sort sAMAccountName\
| `ms_obj_uac_get_details_lkup`\
| makemv delim=":" uac_details\
| table domain, sAMAccountName, orig_cn,whenDeleted, whenCreated,whenChanged,userPrincipalName,userAccountControl, uac_details,domain, distinguishedName\
| sort sAMAccountName\
| rename sAMAccountName AS "user", uac_details AS userAccountControl_Details
iseval = 0

[ms_obj_md_secrpt-changed-users(4)]
args = user_lookup,domain,starttime,endtime
definition = inputlookup $user_lookup$ WHERE domain="$domain$" AND NOT isDeleted="TRUE"\
| eval begintime=strptime("$starttime$", "%m/%d/%y %I:%M %P")\
| eval finishtime=strptime("$endtime$", "%m/%d/%y %I:%M %P")\
| eval whenChanged_epoch=strptime(whenChanged, "%I:%M.%S %P, %a %m/%d/%Y")\
| where whenChanged_epoch>begintime AND whenChanged_epoch<finishtime\
| sort sAMAccountName\
| `ms_obj_uac_bin_fields`\
| makemv delim=":" uac_details\
| table domain, sAMAccountName, whenChanged, userPrincipalName,userAccountControl, uac_details,domain, distinguishedName, whenCreated\
| sort sAMAccountName\
| rename sAMAccountName AS "user", uac_details AS userAccountControl_Details
iseval = 0

## Pickup up Deletes - missing admon Delete values
[ms_obj_md_admon_group_base_deletes(2)]
args = tgt_kv_suffix,tgt_dc_val
definition = `ms_obj_admon_flt_obj_type(ms_obj_admon_group("$tgt_dc_val$"),ms_obj_admon_base_del_type)`\
| stats latest(*) AS * by objectGUID\
| fields objectGUID,MSADGroupClass,MSADGroupType,adminCount,c,dSCorePropagationData,description,displayName,dn_hist,dn_path,domain,groupType,groupType_Name,isCriticalSystemObject,l,managedBy,member,memberOf,objectCategory,q_link_id,sAMAccountType,src_nt_domain,st,sync_dn_chg,systemFlags\
| rex field = member max_match=0 "(?<mb_cnt>(^CN|####CN))"\
| eval membercount=mvcount(mb_cnt)\
| fillnull value="0" membercount\
| lookup AD_Obj_Group_$tgt_kv_suffix$ member_$tgt_kv_suffix$ AS admin_dn OUTPUT dn AS memberOf\
| rename member AS member_hist,memberOf AS memberOf_hist\
| lookup AD_Audit_Group_Details groupType,sAMAccountType OUTPUT groupType_Name,MSADGroupType,MSADGroupClass\
| fillnull value="FALSE" isCriticalSystemObject\
| table objectGUID,MSADGroupClass,MSADGroupType,adminCount,c,dSCorePropagationData,description,displayName,dn_hist,dn_path,domain,groupType_Name,isCriticalSystemObject,l,managedBy,member_hist,memberOf_hist,membercount,objectCategory,q_link_id,sAMAccountType,src_nt_domain,st,sync_dn_chg,systemFlags
iseval = 0

[ms_obj_md_admon_user_base_deletes(1)]
args = tgt_dc_val
definition = `ms_obj_admon_flt_obj_type(ms_obj_admon_user("$tgt_dc_val$"),ms_obj_admon_base_del_type)`\
| stats latest(*) AS * by objectGUID\
| fields objectGUID,c,codePage,countryCode,department,description,displayName,dn_path,domain,givenName,initials,isCriticalSystemObject,l,lastLogon,lastLogonTimestamp,lockoutTime,logonCount,logonHours,managedBy,msDS-SupportedEncryptionTypes,objectCategory,physicalDeliveryOfficeName,postalCode,primaryGroupID,pwdLastSet,sAMAccountType,servicePrincipalName,showInAdvancedViewOnly,sn,st,streetAddress,title,userPrincipalName,userWorkstations\
| fillnull value = "FALSE" isCriticalSystemObject,showInAdvancedViewOnly\
| table objectGUID,c,codePage,countryCode,department,description,displayName,dn_path,domain,givenName,initials,isCriticalSystemObject,l,lastLogon,lastLogonTimestamp,lockoutTime,logonCount,logonHours,managedBy,msDS-SupportedEncryptionTypes,objectCategory,physicalDeliveryOfficeName,postalCode,primaryGroupID,pwdLastSet,sAMAccountType,servicePrincipalName,showInAdvancedViewOnly,sn,st,streetAddress,title,userPrincipalName,userWorkstations]\
| fillnull value="0" badPasswordTime,badPwdCount,codePage,countryCode,lastLogon,lockoutTime,logonCount,pwdLastSet
iseval = 0

[ms_obj_md_admon_computer_base_deletes(1)]
args = tgt_dc_val
definition = `ms_obj_admon_flt_obj_type(ms_obj_md_admon_computer("$tgt_dc_val$"),ms_obj_admon_base_del_type)`\
| stats latest(*) AS * by objectGUID\
| fields objectGUID,accountExpires,badPasswordTime,badPwdCount,c,codePage,countryCode,dNSHostName,dSCorePropagationData,description,displayName,dn_hist,dn_path,domain,isCriticalSystemObject,l,lastLogon,lastLogonTimestamp,localPolicyFlags,logonCount,managedBy,objectCategory,operatingSystem,operatingSystemServicePack,operatingSystemVersion,primaryGroupID,pwdLastSet,q_link_id,rIDSetReferences,sAMAccountType,serverReferenceBL,servicePrincipalName,src_nt_domain,st,sync_dn_chg\
| fillnull value="FALSE" isCriticalSystemObject\
| table objectGUID,accountExpires,badPasswordTime,badPwdCount,c,codePage,countryCode,dNSHostName,dSCorePropagationData,description,displayName,dn_hist,dn_path,domain,isCriticalSystemObject,l,lastLogon,lastLogonTimestamp,localPolicyFlags,logonCount,managedBy,objectCategory,operatingSystem,operatingSystemServicePack,operatingSystemVersion,primaryGroupID,pwdLastSet,q_link_id,rIDSetReferences,sAMAccountType,serverReferenceBL,servicePrincipalName,src_nt_domain,st,sync_dn_chg
iseval = 0

##########################################################################################################
## HTML Building Macros:
##########################################################################################################
[ms_obj_cfg_kv_split_h]
definition = inputlookup AD_Obj_Domain\
| fields domain,DomainDNSName,Site,multi_lkps_enabled,kv_suffix,dc_val,user_lookup,group_lookup,computer_lookup\
| stats count by domain,DomainDNSName,Site,multi_lkps_enabled,kv_suffix,dc_val,user_lookup,group_lookup,computer_lookup\
| join type=left domain [| inputlookup AD_Obj_User | fields domain | stats count as user_count by domain]\
| join type=left domain [| inputlookup AD_Obj_Group | fields domain | stats count as group_count by domain]\
| join type=left domain [| inputlookup AD_Obj_Computer | fields domain | stats count as computer_count by domain]\
| eval user_count=if(isnull(user_count),0,tostring(user_count,"commas")),group_count=if(isnull(group_count),0,tostring(group_count,"commas")),computer_count=if(isnull(computer_count),0,tostring(computer_count,"commas"))\
| eval ena_lst=if(multi_lkps_enabled=="f" OR isnull(multi_lkps_enabled),NULL,domain)\
| eventstats values(ena_lst) AS ena_lst\
| eval ena_lst=mvjoin(ena_lst,",")\
| eval kv_suff_cls_inp=if(multi_lkps_enabled=="f" OR isnull(multi_lkps_enabled),"hidden",""),kv_suff_cls_def=if(multi_lkps_enabled=="f" OR isnull(multi_lkps_enabled),"","hidden")\
| eval dc_val_cls_inp=if(multi_lkps_enabled=="f" OR isnull(multi_lkps_enabled),"hidden",""),dc_val_cls_def=if(multi_lkps_enabled=="f" OR isnull(multi_lkps_enabled),"","hidden")\
| eval lkp_cls_ena=if(multi_lkps_enabled=="f" OR isnull(multi_lkps_enabled),"hidden",""),lkp_cls_def=if(multi_lkps_enabled=="f" OR isnull(multi_lkps_enabled),"","hidden")\
| eval dom_btn_state=if(multi_lkps_enabled=="f" OR isnull(multi_lkps_enabled),"btn-danger off","btn-success")\
| eval h_enable="<div id=\"chk-dom-".domain."\" name=\"chk_dom_".domain."\" value=\"".domain."\" data-toggle=\"toggle\" data-toggle-tgt=\"".domain."\" style=\"width: 31.2333px; height: 16.7333px;\" class=\"toggle btn ".dom_btn_state."\"><input id=\"dm_".domain."\" name=\"dm_".domain."\" data-toggle=\"toggle\" data-onstyle=\"success\" data-offstyle=\"danger\" type=\"checkbox\"><div class=\"toggle-group\"><label class=\"btn b-tog btn-success toggle-on\"><b>Yes</b></label><label class=\"btn b-tog btn-danger active toggle-off\">No</label><span class=\"toggle-handle btn b-tog btn-default\"></span></div></div>"\
| eval h_suff="<div class=\"inpkvsuffix chk-dom-".domain."inp ".kv_suff_cls_inp."\"><input type=\"text\" class=\"multidominp multidominptxt\" data-inp-set-typ=\"text\" data-inp-md-set=\"kv_suffix\" data-inp-md-dom=\"".domain."\" value=\"".kv_suffix."\" style=\"width:98%;margin-top: 10px;\"></div><div class=\"defkvsuff chk-dom-".domain."def ".kv_suff_cls_def." \"><h4>Not Enabled</h4></div>"\
| eval h_lkp="<div class=\"listlkp chk-dom-".domain."def ".lkp_cls_def."\"><div><b><i>Default</i></b></div><div><b>AD_Obj_User</b>  <i>(".user_count.")</i></div><div><b>AD_Obj_Group</b>  <i>(".group_count.")</i></div><div><b>AD_Obj_Computer</b>  <i>(".computer_count.")</i></div></div><div class=\"listlkp chk-dom-".domain."inp ".lkp_cls_ena."\"><div class=\"chk-dom-".domain."-userlkp\">AD_Obj_User_".kv_suffix."</div><div class=\"chk-dom-".domain."-grouplkp\">AD_Obj_Group_".kv_suffix."</div><div class=\"chk-dom-".domain."-computerlkp\">AD_Obj_Computer_".kv_suffix."</div></div>"\
| eval h_dc="<div class=\"inpdcval chk-dom-".domain."inp ".dc_val_cls_inp."\"><input type=\"text\" id=\"dcvalinp".domain."\" class=\"multidominp multidominptxt\" data-inp-set-typ=\"text\" data-inp-md-set=\"dc_val\" data-inp-md-dom=\"".domain."\" value=\"".dc_val."\" style=\"width:95%;margin-top: 10px;margin-bottom:2px !important;\"><div><img class=\"chk_verify \
chk_dc_run_spin_".domain." hidden\" style=\"height:30px;width:30px;\" src=\"/static/app/ms_windows_ad_objects/loader_green_on_grey.gif\"/><button class=\"btn btn-small sp-btn-gradient chk_verify chk_dc_verify_".domain."\" data-inp-chk-dc=\"".domain."\" style=\"width:15%;padding-left:5px !important;padding-right:5px !important;\"><i class=\"icon-search\"> Verify</i></button></div></div><div class=\"defdcval chk-dom-".domain."def ".dc_val_cls_def." \"><h4>Not Enabled</h4></div>"\
| eval rws="<tr class=\"domsetvrw\"><td class=\"domsetvcol\">".h_enable."</td><td class=\"domsetvcol\"><b>".domain."</b><div><i>".DomainDNSName."</i></div></td><td class=\"domsetleftcol\" style=\"vertical-align:middle;\">".h_suff."</td><td class=\"domsetleftcol\" style=\"vertical-align:middle;text-align:left;\">".h_lkp."</td><td class=\"appselvcol\" style=\"vertical-align:middle;\">".h_dc."</td></tr>"\
| stats values(rws) AS rws\
| eval table_vl="<table class=\"mddominpsettoptbl\" style=\"width:99% !important;\"><tr class=\"mddomsinpsettoprow\"><th style=\"width:10% !important;background-color: #FDE6D9;\"><center>Enable</center></th><th style=\"width:10%;background-color: #FDE6D9;\"><b>Domain</b></th><th style=\"width:20%;background-color: #FDE6D9;\"><b>Lookup Suffix</b></th><th style=\"width:20%;background-color: #FDE6D9;\"><b>Lookup Names (Count)</b></th><th style=\"width:40%;background-color: #FDE6D9;\"><b>admon Domain filter (field: <i>dc_val</i>)</b></th></tr>".mvjoin(rws," ")."</table>"\
| table table_vl,ena_lst
iseval = 0

[ms_obj_cfg_kv_split_ha]
definition = join type=left domain [| inputlookup AD_Obj_User | fields domain | stats count as user_count by domain]\
| join type=left domain [| inputlookup AD_Obj_Group | fields domain | stats count as group_count by domain]\
| join type=left domain [| inputlookup AD_Obj_Computer | fields domain | stats count as user_computer by domain]\
| eval user_count=if(isnull(user_count),0,tostring(user_count,"commas")),group_count=if(isnull(group_count),0,tostring(group_count,"commas")),computer_count=if(isnull(computer_count),0,tostring(computer_count,"commas"))\
| eval ena_lst=if(multi_lkps_enabled=="f" OR isnull(multi_lkps_enabled),NULL,domain)\
| eventstats values(ena_lst) AS ena_lst\
| eval ena_lst=mvjoin(ena_lst,",")\
| eval kv_suff_cls_inp=if(multi_lkps_enabled=="f" OR isnull(multi_lkps_enabled),"hidden",""),kv_suff_cls_def=if(multi_lkps_enabled=="f" OR isnull(multi_lkps_enabled),"","hidden")\
| eval dc_val_cls_inp=if(multi_lkps_enabled=="f" OR isnull(multi_lkps_enabled),"hidden",""),dc_val_cls_def=if(multi_lkps_enabled=="f" OR isnull(multi_lkps_enabled),"","hidden")\
| eval lkp_cls_ena=if(multi_lkps_enabled=="f" OR isnull(multi_lkps_enabled),"hidden",""),lkp_cls_def=if(multi_lkps_enabled=="f" OR isnull(multi_lkps_enabled),"","hidden")\
| eval dom_btn_state=if(multi_lkps_enabled=="f" OR isnull(multi_lkps_enabled),"btn-danger off","btn-success")\
| eval h_enable="<div id=\"chk-dom-".domain."\" name=\"chk_dom_".domain."\" value=\"".domain."\" data-toggle=\"toggle\" data-toggle-tgt=\"".domain."\" style=\"width: 31.2333px; height: 16.7333px;\" class=\"toggle btn ".dom_btn_state."\"><input id=\"dm_".domain."\" name=\"dm_".domain."\" data-toggle=\"toggle\" data-onstyle=\"success\" data-offstyle=\"danger\" type=\"checkbox\"><div class=\"toggle-group\"><label class=\"btn b-tog btn-success toggle-on\"><b>Yes</b></label><label class=\"btn b-tog btn-danger active toggle-off\">No</label><span class=\"toggle-handle btn b-tog btn-default\"></span></div></div>"\
| eval h_suff="<div class=\"inpkvsuffix chk-dom-".domain."inp ".kv_suff_cls_inp."\"><input type=\"text\" class=\"multidominp multidominptxt\" data-inp-set-typ=\"text\" data-inp-md-set=\"kv_suffix\" data-inp-md-dom=\"".domain."\" value=\"".kv_suffix."\" style=\"width:98%;margin-top: 10px;\"></div><div class=\"defkvsuff chk-dom-".domain."def ".kv_suff_cls_def." \"><h4>Not Enabled</h4></div>"\
| eval h_lkp="<div class=\"listlkp chk-dom-".domain."def ".lkp_cls_def."\"><div><b><i>Default</i></b></div><div><b>AD_Obj_User</b>  <i>(".user_count.")</i></div><div><b>AD_Obj_Group</b>  <i>(".group_count.")</i></div><div><b>AD_Obj_Computer</b>  <i>(".computer_count.")</i></div></div><div class=\"listlkp chk-dom-".domain."inp ".lkp_cls_ena."\"><div class=\"chk-dom-".domain."-userlkp\">AD_Obj_User_".kv_suffix."</div><div class=\"chk-dom-".domain."-grouplkp\">AD_Obj_Group_".kv_suffix."</div><div class=\"chk-dom-".domain."-computerlkp\">AD_Obj_Computer_".kv_suffix."</div></div>"\
| eval h_dc="<div class=\"inpdcval chk-dom-".domain."inp ".dc_val_cls_inp."\"><input type=\"text\" id=\"dcvalinp".domain."\" class=\"multidominp multidominptxt\" data-inp-set-typ=\"text\" data-inp-md-set=\"dc_val\" data-inp-md-dom=\"".domain."\" value=\"".dc_val."\" style=\"width:95%;margin-top: 10px;margin-bottom:2px !important;\"><div><img class=\"chk_verify \
chk_dc_run_spin_".domain." hidden\" style=\"height:30px;width:30px;\" src=\"/static/app/ms_windows_ad_objects/loader_green_on_grey.gif\"/><button class=\"btn btn-small sp-btn-gradient chk_verify chk_dc_verify_".domain."\" data-inp-chk-dc=\"".domain."\" style=\"width:15%;padding-left:5px !important;padding-right:5px !important;\"><i class=\"icon-search\"> Verify</i></button></div></div><div class=\"defdcval chk-dom-".domain."def ".dc_val_cls_def." \"><h4>Not Enabled</h4></div>"\
| eval rws="<tr class=\"domsetvrw\"><td class=\"domsetvcol\">".h_enable."</td><td class=\"domsetvcol\"><b>".domain."</b><div><i>".DomainDNSName."</i></div></td><td class=\"domsetleftcol\" style=\"vertical-align:middle;\">".h_suff."</td><td class=\"domsetleftcol\" style=\"vertical-align:middle;text-align:left;\">".h_lkp."</td><td class=\"appselvcol\" style=\"vertical-align:middle;\">".h_dc."</td></tr>"\
| stats values(rws) AS rws\
| eval table_vl="<table class=\"mddominpsettoptbl\" style=\"width:99% !important;\"><tr class=\"mddomsinpsettoprow\"><th style=\"width:10% !important;background-color: #FDE6D9;\"><center>Enable</center></th><th style=\"width:10%;background-color: #FDE6D9;\"><b>Domain</b></th><th style=\"width:20%;background-color: #FDE6D9;\"><b>Lookup Suffix</b></th><th style=\"width:20%;background-color: #FDE6D9;\"><b>Lookup Names (Count)</b></th><th style=\"width:40%;background-color: #FDE6D9;\"><b>admon Domain filter (field: <i>dc_val</i>)</b></th></tr>".mvjoin(rws," ")."</table>"\
| table table_vl,ena_lst
iseval = 0

[ms_obj_cfg_filter_md_inp(3)]
args = ena_array,kv_suffix_array,dc_val_array
definition = makeresults\
| eval kv_suffix="n_a",dc_val="n_a",user_lookup="n_a",group_lookup="n_a",computer_lookup="n_a"\
| eval ena_array="$ena_array$"\
| makemv delim="," ena_array\
| eval domain=mvfilter(match(ena_array,"^\S+"))\
| mvexpand domain\
| eval kv_suff_array="$kv_suffix_array$"\
| eval kv_suff_array=if(kv_suff_array=="",kv_suffix,kv_suff_array)\
| makemv delim="|" kv_suff_array\
| mvexpand kv_suff_array\
| rex field=kv_suff_array "(?<kvsuff_dom>[^\:]+)\:kv_suffix\=(?<kvsuff_val>.+)"\
| eval n_kv_suffix=if(isnull(kv_suff_array) OR kv_suff_array="","n_a",if(kvsuff_dom==domain,kvsuff_val,NULL))\
| eval dc_val_array="$dc_val_array$"\
| eval dc_val_array=if(dc_val_array=="",dc_val,dc_val_array)\
| makemv delim="|" dc_val_array\
| mvexpand dc_val_array\
| rex field=dc_val_array "(?<dcval_dom>[^\:]+)\:dc_val\=(?<dcval_val>.+)"\
| eval n_dc_val=if(isnull(dc_val_array) OR dc_val_array="","n_a",if(dcval_dom==domain,dcval_val,NULL))\
| stats values(n_dc_val) AS n_dc_val, values(n_kv_suffix) AS n_kv_suffix by domain\
| eval multi_lkps_enabled="t",updated="1"\
| fillnull value="n_a" n_dc_val,n_kv_suffix
iseval = 0

[ms_obj_cfg_filter_md_h_tbls]
definition = eval collections_conf="\
##-----------------------------------------------------------##\
## Domain: ".domain." - KVStores\
##-----------------------------------------------------------##\
## Domain - ".domain." - User KVStore ##\
[".user_lookup."_kv]\
enforceTypes = false\
accelerated_fields.dn = { \"dn\" : 1 }\
## Domain - ".domain." - Group KVStore ##\
[".group_lookup."_kv]\
enforceTypes = false\
accelerated_fields.dn = { \"dn\" : 1 }\
accelerated_fields.member = { \"member\" : 1 }\
## Domain - ".domain." - Computer KVStore ##\
[".computer_lookup."_kv]\
enforceTypes = false\
accelerated_fields.dn = { \"dn\" : 1 }"\
| eval transforms_conf="\
##---------------------------------------------------##\
## Domain: ".domain." - Lookup Definition\
##---------------------------------------------------##\
## Domain - ".domain." - User Definition ##\
[".user_lookup."]\
external_type = kvstore\
collection = ".user_lookup."_kv\
fields_list = _key,accountExpires,adminCount,badPasswordTime,badPwdCount,c,cn,orig_cn,codePage,countryCode,dSCorePropagationData,dcName,deletedDate,department,description,displayName,distinguishedName,dn,dn_hist,dn_path,domain,DomainDNSName,givenName,guid_lookup,initials,instanceType,isCriticalSystemObject,isDeleted,isRecycled,l,lastKnownParent,lastLogon,lastLogonTimestamp,last_evt_flg,location,lockoutTime,logonCount,logonHours,lookup_usr,managedBy,msDS-SupportedEncryptionTypes,name,objectCategory,objectClass,objectGUID,objectSid,orig_evt_dn,OU,physicalDeliveryOfficeName,postalCode,primaryGroupID,pwdLastSet,sAMAccountName,sAMAccountType,servicePrincipalName,showInAdvancedViewOnly,sid_lookup,sn,st,streetAddress,title,uac_details,uac_bin_map,uSNChanged,uSNCreated,userAccountControl,userPrincipalName,userWorkstations,whenChanged,whenCreated,user_type,time\
case_sensitive_match = false\
## Domain - ".domain." - Group Definition ##\
[".group_lookup."]\
external_type = kvstore\
collection = ".group_lookup."_kv\
fields_list = _key,adminCount,c,cn,orig_cn,dSCorePropagationData,dcName,deletedDate,description,displayName,distinguishedName,dn,dn_hist,dn_path,domain,DomainDNSName,groupType,groupType_Name,guid_lookup,instanceType,isCriticalSystemObject,isDeleted,isDistributionList,isRecycled,l,lastKnownParent,last_evt_flg,lookup_grp,managedBy,member,membercount,MSADGroupType,MSADGroupClass,name,objectCategory,objectClass,objectGUID,objectSid,orig_evt_dn,OU,primaryGroupToken,sAMAccountName,sAMAccountType,showInAdvancedViewOnly,sid_lookup,src_nt_domain,st,systemFlags,uSNChanged,uSNCreated,whenChanged,whenCreated,time\
case_sensitive_match = false\
## Domain - ".domain." - Computer Definition ##\
[".computer_lookup."]\
external_type = kvstore\
collection = ".computer_lookup."_kv\
fields_list = _key,accountExpires,badPasswordTime,badPwdCount,c,cn,orig_cn,codePage,countryCode,dNSHostName,dSCorePropagationData,dcName,deletedDate,description,displayName,distinguishedName,dn,dn_hist,dn_path,domain,DomainDNSName,instanceType,isCriticalSystemObject,isDeleted,isRecycled,l,lastKnownParent,lastLogon,lastLogonTimestamp,last_evt_flg,localPolicyFlags,logonCount,lookup_cmp,managedBy,msDFSR-ComputerReferenceBL,msDS-SupportedEncryptionTypes,name,objectCategory,objectClass,objectGUID,objectSid,operatingSystem,operatingSystemServicePack,operatingSystemVersion,orig_evt_dn,OU,primaryGroupID,pwdLastSet,rIDSetReferences,sAMAccountName,sAMAccountType,serverReferenceBL,servicePrincipalName,sid_lookup,src_nt_domain,st,uSNChanged,uSNCreated,userAccountControl,whenChanged,whenCreated,time\
case_sensitive_match = false"\
| eval new_sched_search_list="<h4>Domain (<i>".domain."</i>)</h4><ul><li><h4>User Scheduled Sync Search:</h4><ul><li><b>New Report Settings</b><ul><li><i>Title</i>: AD_Obj_User_".domain."_Update</li><li><i>Search</i>: <code>`ms_obj_md_admon_bld_upd_out(\"".kv_suffix."\",\"".dc_val."\",user,User)`</code></li><li><i>Earliest</i>: -15m@m</li><li><i>Latest</i>: now</li><li><i>App</i>: MS Windows AD Objects</li></ul></li><li><b>Scheduling Settings</b><ul><li><i>Cron Expression</i>: <code>09,19,29,39,49,59 * * * *</code></li></ul></li></ul></li><li><h4>Group Scheduled Sync Search:</h4><ul><li><b>New Report Settings</b><ul><li><i>Title</i>: AD_Obj_Group_".domain."_Update</li><li><i>Search</i>: <code>`ms_obj_md_admon_bld_upd_out(\"".kv_suffix."\",\"".dc_val."\",group,Group)`</code></li><li><i>Earliest</i>: -15m@m</li><li><i>Latest</i>: now</li><li><i>App</i>: MS Windows AD Objects</li></ul></li><li><b>Scheduling Settings</b><ul><li><i>Cron Expression</i>: <code>05,18,28,38,48,58 * * * *</code></li></ul></li></ul></li><li><h4>Computer Scheduled Sync Search:</h4><ul><li><b>New Report Settings</b><ul><li><i>Title</i>: AD_Obj_Computer_".domain."_Update</li><li><i>Search</i>: <code>`ms_obj_md_admon_bld_upd_out(\"".kv_suffix."\",\"".dc_val."\",computer,Computer)`</code></li><li><i>Earliest</i>: -15m@m</li><li><i>Latest</i>: now</li><li><i>App</i>: MS Windows AD Objects</li></ul></li><li><b>Scheduling Settings</b><ul><li><i>Cron Expression</i>: <code>07,17,27,37,47,57 * * * *</code></li></ul></li></ul></li></ul>"\
| stats values(new_sched_search_list) AS new_sched_search_list,values(collections_conf) AS collections_conf,values(transforms_conf) AS transforms_conf,max(dis_def_srch_flg) AS dis_def_srch_flg\
| eval default_searches="<ul><li><b>Name:</b> AD_Obj_User_Update</li><li><b>Name:</b> AD_Obj_Group_Update</li><li><b>Name:</b> AD_Obj_Computer_Update</li></ul>"\
| eval disable_default_searches=if(dis_def_srch_flg==1,"<td class=\"domsetleftcol\" style=\"width:50%;vertical-align:top !important;\"><center><h3>Configuration Steps:</h3></center><h4><i class=\"icon-infocircle\"></i> NO ACTION NEEDED</h4><ul><li>Do <i>NOT</i> Disable the Searches in the right column</li><li>Some domains are still using default lookups, so they need these scheduled searches enabled</li></ul></td><td class=\"domsetleftcol\" style=\"width:50%;\">".default_searches."</td>","<td class=\"domsetleftcol\" style=\"width:50%;vertical-align:top !important;\"><center><h3>Configuration Steps:</h3></center><h4><i class=\"icon-warning\"></i> <i>DISABLE Default Scheduled Searches</i></h4><ol><li><a href=\"/manager/ms_windows_ad_objects/saved/searches?sort_dir=desc&amp;sort_key=next_scheduled_time&amp;ns=ms_windows_ad_objects&amp;pwnr=-&amp;search=_Update&amp;app_only=1&amp;count=25\" target=\"_blank\">Click Here</a> to open the Scheduled Search Views</li><li><b>Disable</b> the scheduled searches listed in the right column<ul><li>Since no domains will be using the default lookups, these default Scheduled Searches are no longer needed.</li></ul></li></ol></td><td class=\"domsetleftcol\" style=\"width:50%;\">".default_searches."</td>")\
| eval def_sched_searches="<table class=\"mddominpsettoptbl\"><tr class=\"mddomsinpsettoprow\"><th colspan=\"2\"><b>5.</b> <i>Default Scheduled Search Actions</i></th></tr><tr class=\"domsetvrw\">".disable_default_searches."</tr></table>"\
| eval new_sched_searches="<table class=\"mddominpsettoptbl\"><tr class=\"mddomsinpsettoprow\"><th colspan=\"2\"><b>4.</b> <i>Create New Scheduled Searches</i></th></tr><tr class=\"domsetvrw\"><td class=\"domsetleftcol\" style=\"width:50%;vertical-align:top !important;\"><center><h3>Configuration Steps:</h3></center><h4><i class=\"icon-warning\"></i> Make sure the Kv Store and Lookup Definition steps have been completed before creating the New Saved Searches</h4><br /><h4>Create New Scheduled Searches</h4><ol><li><a href=\"/manager/ms_windows_ad_objects/saved/searches?app=ms_windows_ad_objects&amp;count=10&amp;offset=0&amp;itemType=&amp;owner=admin&amp;search=\" target=\"_blank\">Click Here</a> to open the <i>Search Management</i> view in a separate tab.</li><li>Click on the <b>New Report</b> in the top right corner.</li><li>Use the list to the right for putting in the <b>New Report Settings</b> <ul><li><b>Note:</b> Repeat steps 2 and 3 for each of the <b>New Report</b> listed before proceeding to the next step</li></ul></li><li>Now that all of the reports have been created, you need to enable and configure the scheduling by selecting <b>Edit Scheduling</b> from the <b>Edit</b> dropdown for the newly created reports</li><li>Click the option box <b>Schedule Report</b> to enable scheduling.</li><li>From the <b>Schedule</b> dropdown, select <b>Run on Cron Schedule</b></li><li>Use the <b>Scheduling Settings</b> <i>Cron Expression</i> value for the report listed in the right panel.<ul><li><b>Note:</b> You might need to adjust the cron schedules initiation <b>Minute Value</b> to best stagger the scheduled searches for your environment</li></ul></li><li>Click <b>Save</b></li></ol></td><td class=\"domsetleftcol\" style=\"width:50%;\">".mvjoin(new_sched_search_list,"")."</td></tr></table>"\
| eval transforms_conf="<table class=\"mddominpsettoptbl\"><tr class=\"mddomsinpsettoprow\"><th colspan=\"2\"><b>3.</b> <i>Create New Lookup Definitions (<b>transforms.conf</b>)</i></th></tr><tr class=\"domsetvrw\"><td class=\"domsetleftcol\" style=\"width:15%;vertical-align:top !important;\"><center><h3>Configuration Steps:</h3></center><ol><li>Add the <b>transforms.conf</b> settings in the right column into the <b>$SPLUNK_HOME/etc/apps/ms_windows_ad_objects/local/transforms.conf</b> file</li></ol><hr /><ul><li><b>Note:</b> <i>Click <a href=\"https://docs.splunk.com/Documentation/SplunkCloud/latest/Knowledge/DefineaKVStorelookupinSplunkWeb#Define_a_KV_Store_lookup\" class=\"btn btn-mini sp-btn-gradient\" target=\"_blank\">More Info </a> for more information on creating a KV Store</i></li><li><b>Important Splunk Cloud Note:</b> <i>Splunk Web currently does not support the creation of KV Store collections. <b>If you use Splunk Cloud you need to file a support ticket to add a unique KV Store collection to your Splunk deployment.</b></i></li></ul></td><td class=\"domsetleftcol\" style=\"width:85%;\"><pre>".mvjoin(transforms_conf,"")."</pre></td></tr></table>"\
| eval collections_conf="<table class=\"mddominpsettoptbl\"><tr class=\"mddomsinpsettoprow\"><th colspan=\"2\"><b>2.</b> <i>Create New KV Stores  (<b>collections.conf</b>)</i></th></tr><tr class=\"domsetvrw\"><td class=\"domsetleftcol\" style=\"width:15%;vertical-align:top !important;\"><center><h3>Configuration Steps:</h3></center><ol><li>Add the <b>collections.conf</b> settings in the right column into the <b>$SPLUNK_HOME/etc/apps/ms_windows_ad_objects/local/collections.conf</b> file</li></ol><hr /><ul><li><b>Note:</b> <i>Click <a href=\"https://docs.splunk.com/Documentation/SplunkCloud/latest/Knowledge/DefineaKVStorelookupinSplunkWeb#Define_a_KV_Store_lookup\" class=\"btn btn-mini sp-btn-gradient\" target=\"_blank\">More Info </a> for more information on creating a KV Store</i></li><li><b>Important Splunk Cloud Note:</b> <i>Splunk Web currently does not support the creation of KV Store collections. <b>If you use Splunk Cloud you need to file a support ticket to add a unique KV Store collection to your Splunk deployment.</b></i></li></ul></td><td class=\"domsetleftcol\" style=\"width:85%;\"><pre>".mvjoin(collections_conf,"")."</pre></td></tr></table>"\
| table collections_conf,transforms_conf,new_sched_searches,def_sched_searches
iseval = 0

[ms_obj_kv_cfg_ppl_h]
definition = eval user_mgt_srch="<tr class=\"domsetvrw\"><td class=\"domsetvcol\"><div class=\"ppl_lkp_st ppl_mgt_user_".domain."_st Pending\"> <b>Migrate Users</b></div></td><td class=\"domsetvcol\" style=\"text-align:left !important;\"><pre>| inputlookup AD_Obj_User WHERE domain=\"".domain."\" \
| eval _key=objectGUID.\"#\".DomainDNSName\
| outputlookup ".user_lookup." append=true</pre></td><td class=\"domsetvcol\"><img class=\"ppl_lkp_spin ppl_mgt_spin_user_".domain." hidden\" style=\"height:30px;width:30px;\" src=\"/static/app/ms_windows_ad_objects/loader_green_on_grey.gif\"/><button class=\"btn btn-small sp-btn-gradient ppl_lkp_btn ppl_mgt_btn_user_".domain."\" data-ppl-mgt-dom=\"".domain."\" data-ppl-mgt-src=\"AD_Obj_User\" data-ppl-mgt-dest=\"".user_lookup."\" data-ppl-mgt-type=\"user\"><i class=\"icon-search\"> Run Search</i></button><div class=\"ppl_mgt_user_".domain."_st_cnt hidden\"></div></td></tr>"\
| eval group_mgt_srch="<tr class=\"domsetvrw\"><td class=\"domsetvcol\"><div class=\"ppl_lkp_st ppl_mgt_group_".domain."_st Pending\"> <b>Migrate Groups</b></div></td><td class=\"domsetvcol\" style=\"text-align:left !important;\"><pre>| inputlookup AD_Obj_Group WHERE domain=\"".domain."\" \
| eval _key=objectGUID.\"#\".DomainDNSName\
| outputlookup ".group_lookup." append=true</pre></td><td class=\"domsetvcol\"><img class=\"ppl_lkp_spin ppl_mgt_spin_group_".domain." hidden\" style=\"height:30px;width:30px;\" src=\"/static/app/ms_windows_ad_objects/loader_green_on_grey.gif\"/><button class=\"btn btn-small sp-btn-gradient ppl_lkp_btn ppl_mgt_btn_group_".domain."\" data-ppl-mgt-dom=\"".domain."\" data-ppl-mgt-src=\"AD_Obj_Group\" data-ppl-mgt-dest=\"".group_lookup."\" data-ppl-mgt-type=\"group\"><i class=\"icon-search\"> Run Search</i></button><div class=\"ppl_mgt_group_".domain."_st_cnt hidden\"></div></td></tr>"\
| eval computer_mgt_srch="<tr class=\"domsetvrw\"><td class=\"domsetvcol\"><div class=\"ppl_lkp_st ppl_mgt_computer_".domain."_st Pending\"> <b>Migrate Computers</b></div></td><td class=\"domsetvcol\" style=\"text-align:left !important;\"><pre>| inputlookup AD_Obj_Computer WHERE domain=\"".domain."\" \
| eval _key=objectGUID.\"#\".DomainDNSName \
| outputlookup ".computer_lookup." append=true</pre></td><td class=\"domsetvcol\"><img class=\"ppl_lkp_spin ppl_mgt_spin_computer_".domain." hidden\" style=\"height:30px;width:30px;\" src=\"/static/app/ms_windows_ad_objects/loader_green_on_grey.gif\"/><button class=\"btn btn-small sp-btn-gradient ppl_lkp_btn ppl_mgt_btn_computer_".domain."\" data-ppl-mgt-dom=\"".domain."\" data-ppl-mgt-src=\"AD_Obj_Computer\" data-ppl-mgt-dest=\"".computer_lookup."\" data-ppl-mgt-type=\"computer\"><i class=\"icon-search\"> Run Search</i></button><div class=\"ppl_mgt_computer_".domain."_st_cnt hidden\"></div></td></tr>"\
| eval user_bld_srch="<tr class=\"domsetvrw\"><td class=\"domsetvcol\"><div class=\"ppl_lkp_bld ppl_bld_user_".domain."_st Pending\"> <b>Build Users</b></div></td><td class=\"domsetvcol\" style=\"text-align:left !important;\"><pre>`ms_obj_md_admon_bld_upd_out(\"".domain."\",\"".dc_val."\",user,User)`</pre></td><td class=\"domsetvcol\"><img class=\"ppl_lkp_bld ppl_bld_user_".domain."_spin_".domain." hidden\" style=\"height:30px;width:30px;\" src=\"/static/app/ms_windows_ad_objects/loader_green_on_grey.gif\"/><button class=\"btn btn-small sp-btn-gradient ppl_lkp_bld ppl_bld_".domain."\" data-ppl-bld-dom=\"".domain."\" data-ppl-bld-dcval=\"".dc_val."\" data-ppl-bld-suff=\"".kv_suffix."\" data-ppl-bld-type=\"user\"><i class=\"icon-search\"> Run Search</i></button></td></tr>"\
| eval group_bld_srch="<tr class=\"domsetvrw\"><td class=\"domsetvcol\"><div class=\"ppl_lkp_bld ppl_bld_group_".domain."_st Pending\"> <b>Build Groups</b></div></td><td class=\"domsetvcol\" style=\"text-align:left !important;\"><pre>`ms_obj_md_admon_bld_upd_out(\"".domain."\",\"".dc_val."\",group,Group)`</pre></td><td class=\"domsetvcol\"><img class=\"ppl_lkp_bld ppl_bld_group_".domain."_spin_".domain." hidden\" style=\"height:30px;width:30px;\" src=\"/static/app/ms_windows_ad_objects/loader_green_on_grey.gif\"/><button class=\"btn btn-small sp-btn-gradient ppl_lkp_bld ppl_bld_".domain."\" data-ppl-bld-dom=\"".domain."\" data-ppl-bld-dcval=\"".dc_val."\" data-ppl-bld-suff=\"".kv_suffix."\" data-ppl-bld-type=\"group\"><i class=\"icon-search\"> Run Search</i></button></td></tr>"\
| eval computer_bld_srch="<tr class=\"domsetvrw\"><td class=\"domsetvcol\"><div class=\"ppl_lkp_bld ppl_bld_computer_".domain."_st Pending\"> <b>Build Computers</b></div></td><td class=\"domsetvcol\" style=\"text-align:left !important;\"><pre>`ms_obj_md_admon_bld_upd_out(\"".domain."\",\"".dc_val."\",computer,Computer)`</pre></td><td class=\"domsetvcol\"><img class=\"ppl_lkp_bld ppl_bld_computer_".domain."_spin_".domain." hidden\" style=\"height:30px;width:30px;\" src=\"/static/app/ms_windows_ad_objects/loader_green_on_grey.gif\"/><button class=\"btn btn-small sp-btn-gradient ppl_lkp_bld ppl_bld_".domain."\" data-ppl-bld-dom=\"".domain."\" data-ppl-bld-dcval=\"".dc_val."\" data-ppl-bld-suff=\"".kv_suffix."\" data-ppl-bld-type=\"computer\"><i class=\"icon-search\"> Run Search</i></button></td></tr>"\
| eval migrate_tbl="<table class=\"mddominpsettoptbl\" style=\"width:98% !important;padding: 4px;\"><tr class=\"mddomsinpsettoprow\"><td colspan=\"3\" class=\"domsetvcol\" style=\"text-align:center !important;\"><h2 style=\"text-align:center;font-family:proxima_nova;margin: 0;padding: 0;\">Domain <b>".domain."</b> - Populate User, Groups and Computers from data from old lookup to new one.</h2></td></tr>".user_mgt_srch."".group_mgt_srch."".computer_mgt_srch."</table>"\
| eval build_tbl="<table class=\"mddominpsettoptbl\" style=\"width:98% !important;padding: 4px;\"><tr class=\"mddomsinpsettoprow\"><td colspan=\"3\" class=\"domsetvcol\" style=\"text-align:center !important;\"><h2 style=\"text-align:center;font-family:proxima_nova;margin: 0;padding: 0;\">Domain <b>".domain."</b> - Populate User, Groups and Computers New Lookups using admon data.</h2></td></tr>".user_bld_srch."".group_bld_srch."".computer_bld_srch."</table>"\
| stats values(migrate_tbl) AS migrate_tbl,values(build_tbl) AS build_tbl\
| eval populate_tbls="<center><h1>Populating Searches</h1><h4>Choose one of the below options, <b>Migrate <i>Recommended</i></b> <i>Or</i> <b>Build</b> to populate the new lookups with data.</h4><h4><i class=\"icon-warning\" style=\"height:25px !important;color:#DC4E41 !important;\"> Make Sure all of the Configuration Steps have been completed before Saving</i></h4><table class=\"mddominpsettoptbl\" style=\"width:98% !important;padding: 4px;\"><tr class=\"mddomsinpsettoprow\"><th><center><h1>Migrate Searches <i>Recommended</i></h1></center></th><th><center><h1><i>OR</i> admon Build Searches</h1></center></th></tr><tr class=\"mddomsinpsettoprow\"><td class=\"domsetvcol\" style=\"border: 2px solid #f99d1c !important;\">".mvjoin(migrate_tbl,"")."</td><td class=\"domsetvcol\" style=\"border: 2px solid #f99d1c !important;\">".mvjoin(build_tbl,"")."</td></tr></table></center>"\
| table populate_tbls
iseval = 0

[ms_obj_kv_cfg_ppl_rem_h]
definition = eval link="link"\
| join type=left link [| rest /servicesNS/-/-/data/transforms/lookups/\
| search eai:acl.app="ms_windows_ad_objects" type=kvstore (title="AD_Obj_User*" OR title="AD_Obj_Group*" OR title="AD_Obj_Computer*")\
| stats values(title) AS title\
| eval kvstore_chk="(^".mvjoin(title,"$|^")."$)",link="link"\
| table link,kvstore_chk]\
| eval kv_chk_u=if(match(user_lookup,kvstore_chk),"t","f"),kv_chk_g=if(match(group_lookup,kvstore_chk),"t","f"),kv_chk_c=if(match(computer_lookup,kvstore_chk),"t","f")\
| eval ppl_btn_h_u=if(kv_chk_u=="f","<td class=\"mdpplcol\" style=\"text-align:center !important;width:50% !important;\" colspan=\"2\"><h2>Warning: <b>Populate Users Searches:</b> <i>Unavailable</i></h2><h4><i class=\"icon-warning kv_chk_warn\"> Warning: Lookup (".user_lookup.") has not been created.</h4><h4> The KV Store Collection and Lookup Definition has to be created before you can migrate or add User Objects to it.</i></h4></td>","<td class=\"mdpplcol\" style=\"text-align:center !important;width:30% !important;\"><div class=\"ppl_lkp_st ppl_user_".domain."_st Pending\"> <b>Populate Users Searches:</b> (<i>Click Only 1</i>)</div><div class=\"ppl_lkp_spin ppl_user_".domain."_spin hidden\"><img src=\"/static/app/ms_windows_ad_objects/loader_green_on_grey.gif\"><i><div class=\"ppl_run_st\"></div>... Please Wait.</i></img></div><div class=\"ppl_lkp_btn ppl_user_".domain."_btn\" ><button class=\"btn btn-small sp-btn-gradient ppl_lkp_btn\" data-ppl-dom=\"".domain."\" data-ppl-src=\"AD_Obj_User\" data-ppl-dest=\"AD_Obj_User_".kv_suffix."\" data-ppl-type=\"mgt\" data-ppl-tgt=\"user\" data-ppl-tgt-up=\"User\"><i class=\"icon-search\"> Migrate from Default</i></button> <b>OR</b> <button class=\"btn btn-small sp-btn-gradient ppl_lkp_btn ppl_user_".domain."_btn ppl_bld_".domain."\" data-ppl-dom=\"".domain."\" data-ppl-dcval=\"".dc_val."\" data-ppl-suff=\"".kv_suffix."\" data-ppl-type=\"ad\" data-ppl-tgt=\"user\" data-ppl-tgt-up=\"User\"><i class=\"icon-search\"> Use admon Data</i></button></div><div class=\"ppl_st_cnt ppl_user_".domain."_st_msg hidden\"></div></td><td class=\"mdpplcol\" style=\"text-align:center !important;width:20% !important;\"><div class=\"ppl_lkp_st rem_user_".domain."_st Pending\"> <b>Remove Users Search:</b></div><div class=\"ppl_lkp_spin rem_user_".domain."_spin hidden\"><img src=\"/static/app/ms_windows_ad_objects/loader_green_on_grey.gif\"><i><div class=\"rem_user_".domain."_run_st\"></div><span class=\"ppl_run_st_msg\"></span>... Please Wait.</i></img></div><button class=\"btn btn-small sp-btn-gradient ppl_lkp_btn rem_user_".domain."_btn\" data-ppl-dom=\"".domain."\" data-ppl-dest=\"AD_Obj_User\" data-ppl-type=\"rem\" data-ppl-tgt=\"user\"><i class=\"icon-search\"> Remove Users from Default</i></button><div class=\"ppl_st_cnt rem_user_".domain."_st_msg hidden\"></div></td>")\
| eval ppl_btn_h_g=if(kv_chk_g=="f","<td class=\"mdpplcol\" style=\"text-align:center !important;width:50% !important;\" colspan=\"2\"><h2>Warning: <b>Populate Groups Searches:</b> <i>Unavailable</i></h2><h4><i class=\"icon-warning kv_chk_warn\"> Warning: Lookup (".group_lookup.") has not been created.</h4><h4>The KV Store Collection and Lookup Definition has to be created before you can migrate or add Group Objects to it.</i></h4></td>","<td class=\"mdpplcol\" style=\"text-align:center !important;width:30% !important;\"><div class=\"ppl_lkp_st ppl_group_".domain."_st Pending\"> <b>Populate Groups Searches:</b> (<i>Click Only 1</i>) </div><div class=\"ppl_lkp_spin ppl_group_".domain."_spin hidden\"><img src=\"/static/app/ms_windows_ad_objects/loader_green_on_grey.gif\"><i><div class=\"ppl_group_run_st\"></div><span class=\"ppl_run_st_msg\"></span>... Please Wait.</i></img></div><div class=\"ppl_lkp_btn ppl_group_".domain."_btn\" ><button class=\"btn btn-small sp-btn-gradient ppl_lkp_btn ppl_btn_group_".domain." ppl_btn_group_".domain."\" data-ppl-dom=\"".domain."\" data-ppl-src=\"AD_Obj_Group\" data-ppl-dest=\"AD_Obj_Group_".kv_suffix."\" data-ppl-type=\"mgt\" data-ppl-tgt=\"group\" data-ppl-tgt-up=\"Group\"><i class=\"icon-search\"> Migrate from default</i></button><b>OR</b> <img class=\"ppl_lkp_bld ppl_bld_group_".domain."_spin_".domain." hidden\" src=\"/static/app/ms_windows_ad_objects/loader_green_on_grey.gif\"/><button class=\"btn btn-small sp-btn-gradient ppl_lkp_btn ppl_btn_group_".domain." ppl_bld_".domain."\" data-ppl-dom=\"".domain."\" data-ppl-dcval=\"".dc_val."\" data-ppl-suff=\"".kv_suffix."\" data-ppl-type=\"ad\" data-ppl-tgt=\"group\" data-ppl-tgt-up=\"Group\"><i class=\"icon-search\"> Use admon Data</i></button></div><div class=\"ppl_st_cnt ppl_group_".domain."_st_msg hidden\"></div></td><td class=\"mdpplcol\" style=\"text-align:center !important;width:20% !important;\"><div class=\"ppl_lkp_st rem_group_".domain."_st Pending\"> <b>Remove Groups Search</b>:</div><div class=\"ppl_lkp_spin rem_group_".domain."_spin hidden\"><img src=\"/static/app/ms_windows_ad_objects/loader_green_on_grey.gif\"><i>Running... Please Wait.</i></img></div><button class=\"btn btn-small sp-btn-gradient ppl_lkp_btn rem_group_".domain."_btn\" data-ppl-dom=\"".domain."\" data-ppl-dest=\"AD_Obj_Group\" data-ppl-type=\"rem\" data-ppl-tgt=\"group\"><i class=\"icon-search\"> Remove Group Search</i></button><div class=\"ppl_st_cnt rem_group_".domain."_st_msg hidden\"></div></td>")\
| eval ppl_btn_h_c=if(kv_chk_c=="f","<td class=\"mdpplcol\" style=\"text-align:center !important;width:50% !important;\" colspan=\"2\"><h2>Warning: <b>Populate Computers Searches:</b> <i>Unavailable</i></h2><h4><i class=\"icon-warning kv_chk_warn\"> Warning: Lookup (".computer_lookup.") has not been created.</h4><h4>The KV Store Collection and Lookup Definition has to be created before you can migrate or add Computer Objects to it.</i></h4></td>","<td class=\"mdpplcol\" style=\"text-align:center !important;width:30% !important;\"><div class=\"ppl_lkp_st ppl_computer_".domain."_st Pending\"> <b>Populate Computer Searches:</b> ( <i>Click Only 1</i> )</div><div class=\"ppl_lkp_spin ppl_computer_".domain."_spin hidden\"><img src=\"/static/app/ms_windows_ad_objects/loader_green_on_grey.gif\"><i><div class=\"ppl_computer_run_st\"></div><span class=\"ppl_run_st_msg\"></span>... Please Wait.</i></img></div><div class=\"ppl_lkp_btn ppl_computer_".domain."_btn\" ><button class=\"btn btn-small sp-btn-gradient ppl_lkp_btn ppl_btn_computer_".domain." ppl_btn_computer_".domain."\" data-ppl-dom=\"".domain."\" data-ppl-src=\"AD_Obj_Computer\" data-ppl-dest=\"AD_Obj_Computer_".kv_suffix."\" data-ppl-type=\"mgt\" data-ppl-tgt=\"computer\" data-ppl-tgt-up=\"Computer\"><i class=\"icon-search\"> Migrate from default</i></button> <b>OR </b> <img class=\"ppl_lkp_bld ppl_bld_computer_".domain."_spin_".domain." hidden\" src=\"/static/app/ms_windows_ad_objects/loader_green_on_grey.gif\"/><button class=\"btn btn-small sp-btn-gradient ppl_lkp_btn ppl_btn_computer_".domain." ppl_bld_".domain."\" data-ppl-dom=\"".domain."\" data-ppl-dcval=\"".dc_val."\" data-ppl-suff=\"".kv_suffix."\" data-ppl-type=\"ad\" data-ppl-tgt=\"computer\" data-ppl-tgt-up=\"Computer\"><i class=\"icon-search\">  Use admon Data</i></button></div><div class=\"ppl_st_cnt ppl_computer_".domain."_st_msg hidden\"></div></td><td class=\"mdpplcol\" style=\"text-align:center !important;width:20% !important;\"><div class=\"ppl_lkp_st rem_computer_".domain."_st Pending\"> <b>Remove Computers Search:</b></div><div class=\"ppl_lkp_spin rem_computer_".domain."_spin hidden\"><img src=\"/static/app/ms_windows_ad_objects/loader_green_on_grey.gif\"><i>Running... Please Wait.</i></img></div><button class=\"btn btn-small sp-btn-gradient ppl_lkp_btn rem_computer_".domain."_btn\" data-ppl-dom=\"".domain."\" data-ppl-dest=\"AD_Obj_Computer\" data-ppl-type=\"rem\" data-ppl-tgt=\"computer\"><i class=\"icon-search\"> Remove Computer Search</i></button><div class=\"ppl_st_cnt rem_computer_".domain."_st_msg hidden\"></div></td>")\
| eval dis_def_srch_flg=if(multi_lkps_enabled="f",1,0)\
| eval dom_srchs="<tr class=\"mdppltoprow\"><td class=\"mdppltopcol\"><table class=\"mdppltbl\"><tr class=\"mdpplrow\"><td colspan=\"3\" class=\"mdpplcol\" style=\"text-align:center !important;\"><center><h2 style=\"text-align:center;font-family:proxima_nova;margin: 0;padding: 0;\"><b>Domain: ".domain."</b></h2></center></td></tr><tr class=\"mdpplrow\"><td class=\"mdpplcol\" style=\"text-align:left !important;width:50% !important;\" rowspan=\"3\"><ol><li>Click on <i>ONE</i> of the <b>Populate User Searches</b> options: <ul><li><b>Migrate from default(<i>Recommended</i>):</b> <i>This search will copy the ".domain." Users values from the default AD_Obj_User lookup and paste them into the new AD_Obj_User_".kv_suffix." lookup.<i></li><li><i> OR </i><b>Use admon Data:</b> <i>This search will search through the <i>sourcetype=ActiveDirectory</i> data to find the <b>last admon sync time</b>, admon <code>admonEventType=\"Sync\"</code>, for user objects in the ".domain." domain.  It then uses this data to populate the AD_Obj_User_".kv_suffix." lookup with the admon event data from that starting sync point till now.<i></li></ul></li><li>After the selected <b>Populate User Search</b> has completed, click the <b>Remove User Search</b> button to remove the ".domain." domain's User values from the default AD_Obj_User lookup.</li><li>Repeat Steps 1 and 2 for <b>Groups</b> and <b>Computers</b></li></ol><details style=\"padding:0px !important;margin:0px !important;\"><summary class=\"ms_ppl_search_txt\"><b>Click to View the Search Text:</b></summary><ul><li><h4>Users:</h4><ul><li><h4>Populate <b>".domain." Users</b>:</h4><ul><li>Migrate from default - AD_Obj_User:<ul><li><pre>| inputlookup AD_Obj_User WHERE domain=\"".domain."\" \
| eval _key=objectGUID.\"#\".DomainDNSName\
| outputlookup AD_Obj_User_".domain." append=true</pre></li></ul></li>\
							    <li>OR Use admon Data - Users:\
								   <ul>\
									  <li><pre>`ms_obj_md_admon_bld_upd_out(\"".domain."\",\"".domain.".local\",user,User)`</pre></li>\
								   </ul>\
							    </li>\
							  </ul>\
							 </li>\
						   <li><h4>Remove <b>".domain." Users</b> from AD_Obj_User lookup:</h4>\
						      <pre>| inputlookup AD_Obj_User WHERE domain!=\"".domain."\" \
| eval _key=objectGUID.\"#\".DomainDNSName \
| outputlookup AD_Obj_User</pre>\
						   </li>\
						  </ul>\
						  </li>\
						  <li><h4>Groups</b>:</h4>\
						    <ul>\
						    <li><h4>Populate Groups:</h4>\
						       <ul>\
							     <li>Migrate from default - AD_Obj_Group: \
								   <ul>\
									  <li><pre>| inputlookup AD_Obj_Group WHERE domain=\"".domain."\" \
| eval _key=objectGUID.\"#\".DomainDNSName \
| outputlookup AD_Obj_Group_".domain." append=true</pre></li>\
								   </ul>\
							    </li>\
							    <li>OR Use admon Data - Groups:\
								   <ul>\
									  <li><pre>`ms_obj_md_admon_bld_upd_out(\"".domain."\",\"".domain.".local\",group,Group)`</pre></li>\
								   </ul>\
							    </li>\
							  </ul>\
							 </li>\
						   <li><h4>Remove Groups from AD_Obj_Group lookup:</h4>\
						      <pre>| inputlookup AD_Obj_Group WHERE domain!=\"".domain."\" \
| eval _key=objectGUID.\"#\".DomainDNSName \
| outputlookup AD_Obj_Group</pre>\
						   </li>\
						    </ul>\
						  </li>\
						  <li><h4>Computers</b>:</h4>\
						   <ul>\
						    <li><h4>Populate Computers:</h4>\
						       <ul>\
							     <li>Migrate from default - AD_Obj_Computers: \
								   <ul>\
									  <li><pre>| inputlookup AD_Obj_Computer WHERE domain=\"".domain."\" \
| eval _key=objectGUID.\"#\".DomainDNSName \
| outputlookup AD_Obj_Computer_".domain." append=true</pre></li>\
								   </ul>\
							    </li>\
							    <li>OR Use admon Data - Computers:\
								   <ul>\
									  <li><pre>`ms_obj_md_admon_bld_upd_out(\"".domain."\",\"".domain.".local\",computer,Computer)`</pre></li>\
								   </ul>\
							    </li>\
							  </ul>\
							 </li>\
						   <li><h4>Remove Computers from AD_Obj_Computer lookup:</h4>\
						      <pre>| inputlookup AD_Obj_Computer WHERE domain!=\"".domain."\" \
| eval _key=objectGUID.\"#\".DomainDNSName\
| outputlookup AD_Obj_Computer</pre>\
						   </li>						   \
						   </ul>\
						  </li>\
						</ul>\
						</details>\
					</td>\
					".ppl_btn_h_u."\
				</tr>\
				<tr class=\"mdpplrow\">\
					".ppl_btn_h_g."\
				</tr>\
				<tr class=\"mdpplrow\">\
					".ppl_btn_h_c."\
				</tr>\
			</table>\
			</td>\
			</tr>"\
| stats values(dom_srchs) AS dom_srchs\
| eval populate_tbls="<center><h4><i class=\"icon-warning\" style=\"height:25px !important;color:#DC4E41 !important;\"> Make Sure all of the Configuration Steps have been completed before Saving</i></h4>\
<table class=\"mdppltoptbl\">\
	<tr class=\"mdppltoprow\">\
		<th><h4>Complete the following steps for each of the selected AD Domains.</h4></th>\
	</tr>".mvjoin(dom_srchs,"")."</table>"\
| table populate_tbls
iseval = 0

[ms_obj_kvs_split_rem(2)]
args = ppl_src,ppl_dom
definition = inputlookup $ppl_src$ WHERE domain!="$ppl_dom$" \
| eval _key=objectGUID."#".DomainDNSName \
| outputlookup $ppl_src$
iseval = 0

[ms_obj_config_st_upd(1)]
args = cfg_st
definition = inputlookup AD_Obj_Config_State\
| eval key_val=_key\
| append [\
| makeresults\
| eval version="4.1.1", state="$cfg_st$",last_run=now()\
| table state,version,last_run]\
| stats max(last_run) AS last_run by state,version\
| table state,version,last_run\
| eval _key=version\
| outputlookup AD_Obj_Config_State
iseval = 0

##============================================================##
##--- 			Raw Text and Search In Filters			   ---##
##============================================================##
[ms_obj_ss_filt_pre_base(2)]
args = pre_filt_val,pre_filt_fields
definition = makeresults \
| eval filt="$pre_filt_val$",filt_flds="$pre_filt_fields$"\
| eval search="(".replace(filt_flds,",","=\"".filt."\" OR ")."=\"".filt."\")"\
| table search
iseval = 0

[ms_obj_ss_filt_pre_lkp(5)]
args = tgt_lookup,tgt_domain,pre_filt_val,pre_filt_fields,out_fields
definition = inputlookup $tgt_lookup$ WHERE domain="$tgt_domain$" AND [| `ms_obj_ss_filt_pre_base("$pre_filt_val$","$pre_filt_fields$")`]\
| fields $out_fields$
iseval = 0

[ms_obj_ss_filt_pre_cnt_chk(2)]
args = bypass_limit,max_limit
definition = stats count\
| eval show_bypass_option=if(count>$bypass_limit$ AND count<$max_limit$,"true","false")\
| eval show_lg_message=if(count>$bypass_limit$ AND count<$max_limit$,"true","false")\
| eval show_too_lg_message=if(count>$max_limit$,"true","false")\
| eval exec_srch_trigger=if(count>$bypass_limit$,"false","true")\
| table count,show_bypass_option,show_lg_message,show_too_lg_message,exec_srch_trigger
iseval = 0

[ms_obj_ss_filt_raw_txt_lkp_key(3)]
args = tgt_lookup,tgt_key,filt_fields
definition = inputlookup AD_Obj_$tgt_lookup$ WHERE _key="$tgt_key$"\
| `ms_obj_md_admin_lkp_info($filt_fields$)`
iseval = 0

[ms_obj_ss_filt_link_lkp_key(4)]
args = tgt_lookup,tgt_key,filt_fields,link_field
definition = search $link_field$ IN([|inputlookup AD_Obj_$tgt_lookup$ WHERE _key="$tgt_key$"\
| `ms_obj_ss_filt_flds_in($filt_fields$)``])
iseval = 0

[ms_obj_ss_filt_raw_link(5)]
args = tgt_lookup,tgt_domain,src_filt_val,tgt_filt_fields,filt_type
definition = inputlookup $tgt_lookup$ WHERE domain="$tgt_domain$" AND [| `ms_obj_ss_filt_pre_base("$src_filt_val$","$tgt_filt_fields$")`]\
| fields $tgt_filt_fields$\
| eval filt_vals=mvappend($tgt_filt_fields$)\
| stats values(filt_vals) AS filt_vals\
| eval filt_vals=mvfilter(match(filt_vals,"^\S+"))\
| eval raw_txt_filt=if(mvcount(filt_vals)==1,"\"".filt_vals."\"","\"".mvjoin(filt_vals,"\" OR \"")."\"") \
| eval link_in_filt=if(mvcount(filt_vals)==1,"\"".filt_vals."\"",replace("\"".mvjoin(filt_vals,"\",\"")."\"","(^\"\",|,\"\"$)",""))\
| eval search=if("$filt_type$"=="raw_txt",raw_txt_filt,link_in_filt)\
| table search
iseval = 0

[ms_obj_md_admin_lkp_info(1)]
args = tgt_lkp
definition = lookup $tgt_lkp$ sAMAccountName as src_user OUTPUT sAMAccountName as admin_user,domain as admin_domain,dn as admin_dn,dn_path as admin_dn_path,cn as admin_cn,objectGUID as admin_objectGUID,userPrincipalName AS admin_userPrincipalName
iseval = 0

[ms_obj_ss_filt_raw_link(7)]
args = pre_filt_val,pre_filt_fields,tgt_lookup,tgt_domain,src_filt_val,tgt_filt_fields,filt_type
definition = inputlookup $tgt_lookup$ WHERE domain="$tgt_domain$" AND [| `ms_obj_ss_filt_pre_base("$pre_filt_val$","$pre_filt_fields$")`]\
| fields $tgt_filt_fields$\
| eval filt_vals=mvappend($tgt_filt_fields$)\
| stats values(filt_vals) AS filt_vals\
| eval filt_vals=mvfilter(match(filt_vals,"^\S+"))\
| eval raw_txt_filt=if(mvcount(filt_vals)==1,"\"".filt_vals."\"","\"".mvjoin(filt_vals,"\" OR \"")."\"") \
| eval link_in_filt=if(mvcount(filt_vals)==1,"\"".filt_vals."\"",replace("\"".mvjoin(filt_vals,"\",\"")."\"","(^\"\",|,\"\"$)",""))\
| eval search=if("$filt_type$"=="raw_txt",raw_txt_filt,link_in_filt)\
| table search
iseval = 0

[ms_obj_ss_filt_flds_raw(1)]
args = filt_fields
definition = fields $filt_fields$\
| eval search=mvappend($filt_fields$)\
| stats values(search) AS search\
| eval search=mvfilter(match(search,"^\S"))\
| eval search=if(mvcount(search)==1,"\"".search."\"","\"".mvjoin(search,"\" OR \"")."\"") \
| table search
iseval = 0

[ms_obj_ss_filt_flds_in(1)]
args = filt_fields
definition = fields $filt_fields$\
| eval search=mvappend($filt_fields$)\
| stats values(search) AS search\
| eval search=mvfilter(match(search,"^\S"))\
| eval search=if(mvcount(search)==1,"\"".search."\"","\"".mvjoin(search,"\",\"")."\"") \
| table search
iseval = 0

[ms_ad_obj_lkp_filt_cnts(1)]
args = sel_field
definition = fields $sel_field$\
| eval $sel_field$=if(isnull($sel_field$) OR $sel_field$="","#Empty#",$sel_field$)\
| stats count by $sel_field$\
| sort -count\
| eval label=$sel_field$." (".count.")"\
| table $sel_field$,count,label
iseval = 0

[ms_obj_fldsum_list]
definition = fieldsummary\
| rex max_match=2 field=values "\{\"value\"\:\"(?<Example_Values>[^\"]+)"\
| search count>0 Example_Values!=""\
| rename field as fldid\
| table fldid
iseval = 0

## Saving Main Configuration Wizard - Configured Values
[ms_obj_cfg_gs_update(70)]
args = form_tok_build_type,tok_h_load_details,tok_h_state_completed,tok_h_state_input_1,tok_h_state_input_10,tok_h_state_input_10_s,tok_h_state_input_11,tok_h_state_input_12,tok_h_state_input_2,tok_h_state_input_2_s,tok_h_state_input_3,tok_h_state_input_4,tok_h_state_input_4_s,tok_h_state_input_5,tok_h_state_input_6,tok_h_state_input_6_s,tok_h_state_input_7,tok_h_state_input_7_hold,tok_h_state_input_8,tok_h_state_input_8_hold,tok_h_state_input_9,tok_h_state_input_9_hold,tok_h_state_input_9_s,tok_inp_hold_diff_sys,tok_inp_splk_hf_label,tok_input_10_a_i,tok_input_10_b_i,tok_input_11_a_i,tok_input_11_b_i,tok_input_12_a_i,tok_input_12_b_i,tok_input_1_a_i,tok_input_1_b_i,tok_input_2_a_i,tok_input_2_b_i,tok_input_3_a_i,tok_input_3_b_i,tok_input_4_a_i,tok_input_4_b_i,tok_input_5_a_i,tok_input_5_b_i,tok_input_6_a_i,tok_input_6_b_i,tok_input_7_a_i,tok_input_7_b_i,tok_input_8_a_i,tok_input_8_b_i,tok_input_9_a_i,tok_input_9_b_i,tok_obj_depl_msg,tok_obj_dl_soft_uf,tok_obj_dl_ta_cc,tok_obj_env_type,tok_obj_env_type_arch,tok_obj_inp_core_ds_same,tok_obj_inp_ds_hf_same,tok_obj_inst_ds,tok_obj_inst_ds_wta,tok_obj_inst_hf,tok_obj_inst_hf_cc,tok_obj_inst_hf_wta,tok_obj_inst_uf,tok_obj_inst_uf_wta,tok_obj_upg_app,tok_obj_use_ds,tok_obj_use_hf,tok_state_completed,tok_state_lbl,tok_macro_base_url,last_config
definition = makeresults\
| fields form_tok_build_type,tok_h_load_details,tok_h_state_completed,tok_h_state_input_1,tok_h_state_input_10,tok_h_state_input_10_s,tok_h_state_input_11,tok_h_state_input_12,tok_h_state_input_2,tok_h_state_input_2_s,tok_h_state_input_3,tok_h_state_input_4,tok_h_state_input_4_s,tok_h_state_input_5,tok_h_state_input_6,tok_h_state_input_6_s,tok_h_state_input_7,tok_h_state_input_7_hold,tok_h_state_input_8,tok_h_state_input_8_hold,tok_h_state_input_9,tok_h_state_input_9_hold,tok_h_state_input_9_s,tok_inp_hold_diff_sys,tok_inp_splk_hf_label,tok_input_10_a_i,tok_input_10_b_i,tok_input_11_a_i,tok_input_11_b_i,tok_input_12_a_i,tok_input_12_b_i,tok_input_1_a_i,tok_input_1_b_i,tok_input_2_a_i,tok_input_2_b_i,tok_input_3_a_i,tok_input_3_b_i,tok_input_4_a_i,tok_input_4_b_i,tok_input_5_a_i,tok_input_5_b_i,tok_input_6_a_i,tok_input_6_b_i,tok_input_7_a_i,tok_input_7_b_i,tok_input_8_a_i,tok_input_8_b_i,tok_input_9_a_i,tok_input_9_b_i,tok_t_nav_1_btn_next_st,tok_obj_depl_msg,tok_obj_dl_soft_uf,tok_obj_dl_ta_cc,tok_obj_env_type,tok_obj_env_type_arch,tok_obj_inp_core_ds_same,tok_obj_inp_ds_hf_same,tok_obj_inst_ds,tok_obj_inst_ds_wta,tok_obj_inst_hf,tok_obj_inst_hf_cc,tok_obj_inst_hf_wta,tok_obj_inst_uf,tok_obj_inst_uf_wta,tok_obj_upg_app,tok_obj_use_ds,tok_obj_use_hf,tok_state_completed,tok_state_lbl\
| eval form_tok_build_type="$form_tok_build_type$"\
| eval tok_h_load_details="$tok_h_load_details$"\
| eval tok_h_state_completed="$tok_h_state_completed$"\
| eval tok_h_state_input_10="$tok_h_state_input_10$"\
| eval tok_h_state_input_10_s="$tok_h_state_input_10_s$"\
| eval tok_h_state_input_11="$tok_h_state_input_11$"\
| eval tok_h_state_input_12="$tok_h_state_input_12$"\
| eval tok_h_state_input_1="$tok_h_state_input_1$"\
| eval tok_h_state_input_2="$tok_h_state_input_2$"\
| eval tok_h_state_input_2_s="$tok_h_state_input_2_s$"\
| eval tok_h_state_input_3="$tok_h_state_input_3$"\
| eval tok_h_state_input_4="$tok_h_state_input_4$"\
| eval tok_h_state_input_4_s="$tok_h_state_input_4_s$"\
| eval tok_h_state_input_5="$tok_h_state_input_5$"\
| eval tok_h_state_input_6="$tok_h_state_input_6$"\
| eval tok_h_state_input_6_s="$tok_h_state_input_6_s$"\
| eval tok_h_state_input_7="$tok_h_state_input_7$"\
| eval tok_h_state_input_7_hold="$tok_h_state_input_7_hold$"\
| eval tok_h_state_input_8="$tok_h_state_input_8$"\
| eval tok_h_state_input_8_hold="$tok_h_state_input_8_hold$"\
| eval tok_h_state_input_9="$tok_h_state_input_9$"\
| eval tok_h_state_input_9_hold="$tok_h_state_input_9_hold$"\
| eval tok_h_state_input_9_s="$tok_h_state_input_9_s$"\
| eval tok_inp_hold_diff_sys="$tok_inp_hold_diff_sys$"\
| eval tok_inp_splk_hf_label="$tok_inp_splk_hf_label$"\
| eval tok_input_10_a_i="$tok_input_10_a_i$"\
| eval tok_input_10_b_i="$tok_input_10_b_i$"\
| eval tok_input_11_a_i="$tok_input_11_a_i$"\
| eval tok_input_11_b_i="$tok_input_11_b_i$"\
| eval tok_input_12_a_i="$tok_input_12_a_i$"\
| eval tok_input_12_b_i="$tok_input_12_b_i$"\
| eval tok_input_1_a_i="$tok_input_1_a_i$"\
| eval tok_input_1_b_i="$tok_input_1_b_i$"\
| eval tok_input_2_a_i="$tok_input_2_a_i$"\
| eval tok_input_2_b_i="$tok_input_2_b_i$"\
| eval tok_input_3_a_i="$tok_input_3_a_i$"\
| eval tok_input_3_b_i="$tok_input_3_b_i$"\
| eval tok_input_4_a_i="$tok_input_4_a_i$"\
| eval tok_input_4_b_i="$tok_input_4_b_i$"\
| eval tok_input_5_a_i="$tok_input_5_a_i$"\
| eval tok_input_5_b_i="$tok_input_5_b_i$"\
| eval tok_input_6_a_i="$tok_input_6_a_i$"\
| eval tok_input_6_b_i="$tok_input_6_b_i$"\
| eval tok_input_7_a_i="$tok_input_7_a_i$"\
| eval tok_input_7_b_i="$tok_input_7_b_i$"\
| eval tok_input_8_a_i="$tok_input_8_a_i$"\
| eval tok_input_8_b_i="$tok_input_8_b_i$"\
| eval tok_input_9_a_i="$tok_input_9_a_i$"\
| eval tok_input_9_b_i="$tok_input_9_b_i$"\
| eval tok_obj_depl_msg="$tok_obj_depl_msg$"\
| eval tok_obj_dl_soft_uf="$tok_obj_dl_soft_uf$"\
| eval tok_obj_dl_ta_cc="$tok_obj_dl_ta_cc$"\
| eval tok_obj_env_type="$tok_obj_env_type$"\
| eval tok_obj_env_type_arch="$tok_obj_env_type_arch$"\
| eval tok_obj_inp_core_ds_same="$tok_obj_inp_core_ds_same$"\
| eval tok_obj_inp_ds_hf_same="$tok_obj_inp_ds_hf_same$"\
| eval tok_obj_inst_ds="$tok_obj_inst_ds$"\
| eval tok_obj_inst_ds_wta="$tok_obj_inst_ds_wta$"\
| eval tok_obj_inst_hf="$tok_obj_inst_hf$"\
| eval tok_obj_inst_hf_cc="$tok_obj_inst_hf_cc$"\
| eval tok_obj_inst_hf_wta="$tok_obj_inst_hf_wta$"\
| eval tok_obj_inst_uf="$tok_obj_inst_uf$"\
| eval tok_obj_inst_uf_wta="$tok_obj_inst_uf_wta$"\
| eval tok_obj_upg_app="$tok_obj_upg_app$"\
| eval tok_obj_use_ds="$tok_obj_use_ds$"\
| eval tok_obj_use_hf="$tok_obj_use_hf$"\
| eval tok_state_completed="$tok_state_completed$"\
| eval tok_state_lbl="$tok_state_lbl$"\
| eval tok_t_nav_1_btn_next_st=if(tok_state_lbl=="Completed","enabled","disabled")\
| eval tok_auto_chk_lbl="Defined Scope"\
| eval tok_state_lbl_icon=if(tok_state_lbl=="Completed","check","clock")\
| eval tok_state_lbl_color=if(tok_state_lbl=="Completed","#49B849","#F1813F")\
| eval tok_macro_base_url="$tok_macro_base_url$"\
| eval last_config="$last_config$"\
| fillnull value="Skip" tok_h_state_input_1,tok_h_state_input_10,tok_h_state_input_10_s,tok_h_state_input_11,tok_h_state_input_12,tok_h_state_input_2,tok_h_state_input_2_s,tok_h_state_input_3,tok_h_state_input_4,tok_h_state_input_4_s,tok_h_state_input_5,tok_h_state_input_6,tok_h_state_input_6_s,tok_h_state_input_7,tok_h_state_input_7_hold,tok_h_state_input_8,tok_h_state_input_8_hold,tok_h_state_input_9,tok_h_state_input_9_hold,tok_h_state_input_9_s,last_config\
| table form_tok_build_type,tok_h_load_details,tok_h_state_completed,tok_h_state_input_1,tok_h_state_input_10,tok_h_state_input_10_s,tok_h_state_input_11,tok_h_state_input_12,tok_h_state_input_2,tok_h_state_input_2_s,tok_h_state_input_3,tok_h_state_input_4,tok_h_state_input_4_s,tok_h_state_input_5,tok_h_state_input_6,tok_h_state_input_6_s,tok_h_state_input_7,tok_h_state_input_7_hold,tok_h_state_input_8,tok_h_state_input_8_hold,tok_h_state_input_9,tok_h_state_input_9_hold,tok_h_state_input_9_s,tok_inp_hold_diff_sys,tok_inp_splk_hf_label,tok_input_10_a_i,tok_input_10_b_i,tok_input_11_a_i,tok_input_11_b_i,tok_input_12_a_i,tok_input_12_b_i,tok_input_1_a_i,tok_input_1_b_i,tok_input_2_a_i,tok_input_2_b_i,tok_input_3_a_i,tok_input_3_b_i,tok_input_4_a_i,tok_input_4_b_i,tok_input_5_a_i,tok_input_5_b_i,tok_input_6_a_i,tok_input_6_b_i,tok_input_7_a_i,tok_input_7_b_i,tok_input_8_a_i,tok_input_8_b_i,tok_input_9_a_i,tok_input_9_b_i,tok_t_nav_1_btn_next_st,tok_obj_depl_msg,tok_obj_dl_soft_uf,tok_obj_dl_ta_cc,tok_obj_env_type,tok_obj_env_type_arch,tok_obj_inp_core_ds_same,tok_obj_inp_ds_hf_same,tok_obj_inst_ds,tok_obj_inst_ds_wta,tok_obj_inst_hf,tok_obj_inst_hf_cc,tok_obj_inst_hf_wta,tok_obj_inst_uf,tok_obj_inst_uf_wta,tok_obj_upg_app,tok_obj_use_ds,tok_obj_use_hf,tok_state_completed,tok_state_lbl,tok_auto_chk_lbl,tok_state_lbl_icon,tok_state_lbl_color,tok_macro_base_url,last_config\
| outputlookup ms_ad_obj_cfg_gs
iseval = 0

[ms_obj_cfg_gs_reset]
definition = makeresults\
| eval tok_h_load_details="Pending Scope Definition:",tok_obj_inst_ds_wta="obj_inst_ds_wta_n",form_tok_build_type="build_all",tok_dom_health_trigger="0",tok_dom_lkup_trigger="0",tok_ad_sync_trigger="0",tok_state_lbl="Pending",tok_state_completed="Pending",tok_h_state_completed="pending",tok_h_state_input_1="Next",tok_h_state_input_2="Pending",tok_h_state_input_2_s="Pending",tok_h_state_input_3="Skip",tok_h_state_input_4="Pending",tok_h_state_input_4_s="Pending",tok_h_state_input_5="Skip",tok_h_state_input_6="Pending",tok_h_state_input_6_s="Pending",tok_h_state_input_7="Skip",tok_h_state_input_7_hold="Skip",tok_h_state_input_8="Skip",tok_h_state_input_8_hold="Skip",tok_h_state_input_9="Skip",tok_h_state_input_9_s="Skip",tok_h_state_input_9_hold="Skip",tok_h_state_input_10="Pending",tok_h_state_input_10_s="Pending",tok_h_state_input_11="Skip",tok_h_state_input_12="Skip",ms_ad_obj_ta_ex="ms_ad_obj_ta_ex_y",tok_obj_inst_core_ta_wta="obj_inst_core_ta_wta_y",tok_chk_auto_create_idx="chk_auto_create_idx_y",tok_obj_inst_ds_cc="obj_inst_ds_cc_y",tok_obj_inst_hf_cc="obj_inst_ds_hf_y",tok_inp_hold_diff_sys="",tok_inp_splk_hf_label="Heavy/Gateway",tok_auto_chk_lbl="Defined Scope",tok_input_10_a_i="",tok_input_10_b_i="",tok_input_11_a_i="",tok_input_11_b_i="",tok_input_12_a_i="",tok_input_12_b_i="",tok_input_1_a_i="",tok_input_1_b_i="",tok_input_2_a_i="",tok_input_2_b_i="",tok_input_3_a_i="",tok_input_3_b_i="",tok_input_4_a_i="",tok_input_4_b_i="",tok_input_5_a_i="",tok_input_5_b_i="",tok_input_6_a_i="",tok_input_6_b_i="",tok_input_7_a_i="",tok_input_7_b_i="",tok_input_8_a_i="",tok_input_8_b_i="",tok_input_9_a_i="",tok_input_9_b_i="",tok_t_nav_1_btn_next_st="disabled",tok_auto_chk_lbl="Pending Scope Selections",tok_obj_depl_msg="empty",tok_obj_dl_soft_uf="",tok_obj_dl_ta_cc="",tok_obj_env_type="",tok_obj_env_type_arch="",tok_obj_inp_core_ds_same="",tok_obj_inp_ds_hf_same="",tok_obj_inst_ds="",tok_obj_inst_ds_wta="",tok_obj_inst_hf="",tok_obj_inst_hf_cc="",tok_obj_inst_hf_wta="",tok_obj_inst_uf="",tok_obj_inst_uf_wta="",tok_obj_upg_app="",tok_obj_use_ds="",tok_obj_use_hf="",tok_state_lbl_icon="clock",tok_state_lbl_color="#F1813F",tok_macro_base_url="/manager/ms_windows_ad_objects/admin/macros",last_config="Skip"\
| table form_tok_build_type,tok_h_load_details,tok_h_state_completed,tok_h_state_input_1,tok_h_state_input_10,tok_h_state_input_10_s,tok_h_state_input_11,tok_h_state_input_12,tok_h_state_input_2,tok_h_state_input_2_s,tok_h_state_input_3,tok_h_state_input_4,tok_h_state_input_4_s,tok_h_state_input_5,tok_h_state_input_6,tok_h_state_input_6_s,tok_h_state_input_7,tok_h_state_input_7_hold,tok_h_state_input_8,tok_h_state_input_8_hold,tok_h_state_input_9,tok_h_state_input_9_hold,tok_h_state_input_9_s,tok_inp_hold_diff_sys,tok_inp_splk_hf_label,tok_input_10_a_i,tok_input_10_b_i,tok_input_11_a_i,tok_input_11_b_i,tok_input_12_a_i,tok_input_12_b_i,tok_input_1_a_i,tok_input_1_b_i,tok_input_2_a_i,tok_input_2_b_i,tok_input_3_a_i,tok_input_3_b_i,tok_input_4_a_i,tok_input_4_b_i,tok_input_5_a_i,tok_input_5_b_i,tok_input_6_a_i,tok_input_6_b_i,tok_input_7_a_i,tok_input_7_b_i,tok_input_8_a_i,tok_input_8_b_i,tok_input_9_a_i,tok_input_9_b_i,tok_t_nav_1_btn_next_st,tok_obj_depl_msg,tok_obj_dl_soft_uf,tok_obj_dl_ta_cc,tok_obj_env_type,tok_obj_env_type_arch,tok_obj_inp_core_ds_same,tok_obj_inp_ds_hf_same,tok_obj_inst_ds,tok_obj_inst_ds_wta,tok_obj_inst_hf,tok_obj_inst_hf_cc,tok_obj_inst_hf_wta,tok_obj_inst_uf,tok_obj_inst_uf_wta,tok_obj_upg_app,tok_obj_use_ds,tok_obj_use_hf,tok_state_completed,tok_state_lbl,tok_auto_chk_lbl,tok_state_lbl_icon,tok_state_lbl_color,tok_macro_base_url,last_config\
| outputlookup ms_ad_obj_cfg_gs
iseval = 0