diff --git a/apps/stealthbits_ad_ldap/README.txt b/apps/stealthbits_ad_ldap/README.txt
new file mode 100644
index 00000000..60c23d1e
--- /dev/null
+++ b/apps/stealthbits_ad_ldap/README.txt
@@ -0,0 +1,107 @@ +Netwrix (STEALTHbits) Active Directory Monitoring App for Splunk + +Netwrix (STEALTHbits')Threat Manager provides many valuable controls for your +IT infrastructure, and has many ways to utilize that data including real-time +blocking and alerting. But holistic data reporting requires a more broad +reaching platform such as Splunk. This app helps provide insight into the most +common activities happening around your Active Directory. + +-------------------------------------------------------------------------------- +Version Support +-------------------------------------------------------------------------------- + + v.2.0.0 + - Add app compatibility with Splunk Cloud environments + - Netwrix rebranding + - Add usage of Splunk "stealthData" macro + - Modify eventtype names to remove ':' character usage, and replaced + spaces with "_" + - Removed the "StealthINTERCEPT File System Activity" eventtype + - Update extractions to handle both "StealthINTERCEPT" and "STEALTHbits" + source types + - Added extra CIM compliance fields + - Changed the mapping of "Windows File System Access Rights Change" from + "modified" to "acl_modified" in the "action" field + - Removed "success" and "failure" as possible values in "action" field. 
+ These are now part of the "status" field + - Changed the AD active users panel on the overview dashboard, to + break down the count by AD type + + v.1.1.1 + - Improved support for analytics on authentication attacks page + + v.1.1.0 + - Improved query efficiency + - Added CIM compliance + - Added LDAP monitoring page + + v.1.0.0 + - Initial Release of App + +-------------------------------------------------------------------------------- +System Requirements +-------------------------------------------------------------------------------- + + Splunk Console + StealthINTERCEPT + Machine Learning Toolkit for Splunk + +-------------------------------------------------------------------------------- +Installation +-------------------------------------------------------------------------------- + + 1. Log in to Splunk Web and navigate to Apps > Manage Apps. + 2. Click Install App from file. + 3. Upload the file and click Upload. + 4. Restart Splunk Web. + +-------------------------------------------------------------------------------- +Collecting Data +-------------------------------------------------------------------------------- + + Configure the StealthINTERCEPT server to send data to Splunk via Syslog. + + You may choose to use SC4S, a Syslog server with a Universal Forwarder or + direct Heavy Forwarder ingest. + + In all cases, you should configure your favoured approach to ingest the data + with the sourcetype "StealhINTERCEPT" + + You may also choose to create a dedicated index. You should recall the + specified index name for the next step + +-------------------------------------------------------------------------------- +Configuration +-------------------------------------------------------------------------------- + + To expedite search performance configure the "stalthData" macro. + + This can be configured by going to + Settings -> Advanced Search -> Search macros: + - stealthData. 
+ + This is used to improve search performance and should be appropriately + modified to specify the index(es) you defined in the previous step. + + E.g. + index=[yourStealDataIndex] (sourcetype=STEALTHbits OR sourcetype= + StealthINTERCEPT) + + If left unmodified, this defaults to searching across all indexes in the + Splunk environment. + +-------------------------------------------------------------------------------- +Troubleshooting +-------------------------------------------------------------------------------- + + Data does not show up in the dashboard pages. + - Make sure that StealthINTERCEPT is configured to send data to Splunk. + - Make sure that StealthINTERCEPT as a UDP log source in Splunk and has + the correct sourcetype and index definition. + +-------------------------------------------------------------------------------- +Support +-------------------------------------------------------------------------------- + + Netwrix (STEALTHbits) Support: + splunk@netwrix.com# Binary File Declaration diff --git a/apps/stealthbits_ad_ldap/README/addon_builder.conf.spec b/apps/stealthbits_ad_ldap/README/addon_builder.conf.spec new file mode 100644 index 00000000..80d47eb4 --- /dev/null +++ b/apps/stealthbits_ad_ldap/README/addon_builder.conf.spec @@ -0,0 +1,4 @@ +[base] +builder_version = +builder_build = +is_edited = diff --git a/apps/stealthbits_ad_ldap/app.manifest b/apps/stealthbits_ad_ldap/app.manifest new file mode 100644 index 00000000..90ddcb66 --- /dev/null +++ b/apps/stealthbits_ad_ldap/app.manifest 
@@ -0,0 +1,53 @@
+{
+ "schemaVersion": "1.0.0",
+ "info": {
+ "title": "Netwrix Active Directory and LDAP Monitoring",
+ "id": {
+ "group": null,
+ "name": "stealthbits_ad_ldap",
+ "version": "2.0.0"
+ },
+ "author": [
+ {
+ "name": "Netwrix Corporation",
+ "email": null,
+ "company": null
+ }
+ ],
+ "releaseDate": null,
+ "description": "Netwrix Threat Manager provides many valuable controls for your IT infrastructure, and has many ways to utilize that data including real-time blocking and alerting. But holistic data reporting requires a more broad reaching platform such as Splunk. This app helps provide insight into the most common activities happening around your Active Directory Learn more about Netwrix at https://www.Netwrix.com/.",
+ "classification": {
+ "intendedAudience": null,
+ "categories": [],
+ "developmentStatus": null
+ },
+ "commonInformationModels": null,
+ "license": {
+ "name": null,
+ "text": null,
+ "uri": null
+ },
+ "privacyPolicy": {
+ "name": null,
+ "text": null,
+ "uri": null
+ },
+ "releaseNotes": {
+ "name": null,
+ "text": null,
+ "uri": null
+ }
+ },
+ "dependencies": {
+ },
+ "tasks": [],
+ "inputGroups": {
+ },
+ "incompatibleApps": {
+ },
+ "platformRequirements": {
+ "splunk": {
+ "Enterprise": "*"
+ }
+ }
+}
\ No newline at end of file
diff --git a/apps/stealthbits_ad_ldap/default/addon_builder.conf b/apps/stealthbits_ad_ldap/default/addon_builder.conf
new file mode 100644
index 00000000..fb736045
--- /dev/null
+++ b/apps/stealthbits_ad_ldap/default/addon_builder.conf
@@ -0,0 +1,7 @@
+# this file is generated by add-on builder automatically
+# please do not edit it
+[base]
+builder_version = 4.1.3
+builder_build = 0
+is_edited = 1
+
diff --git a/apps/stealthbits_ad_ldap/default/app.conf b/apps/stealthbits_ad_ldap/default/app.conf
new file mode 100644
index 00000000..786e18b1
--- /dev/null
+++ b/apps/stealthbits_ad_ldap/default/app.conf
@@ -0,0 +1,30 @@
+# this add-on is powered by splunk Add-on builder
+[install]
+state_change_requires_restart = false
+is_configured = 0
+state = enabled
+build = 105
+
+[launcher]
+author = Netwrix Corporation
+version = 2.0.0
+description = Netwrix Threat Manager provides many valuable controls for your IT infrastructure, and has many ways to utilize that data including real-time blocking and alerting. But holistic data reporting requires a more broad reaching platform such as Splunk. This app helps provide insight into the most common activities happening around your Active Directory Learn more about Netwrix at https://www.Netwrix.com/.
+
+[ui]
+is_visible = 1
+label = Netwrix Active Directory and LDAP Monitoring
+docs_section_override = AddOns:released
+
+[package]
+id = stealthbits_ad_ldap
+
+[triggers]
+reload.addon_builder = simple
+reload.stealthbits_ad_ldap_account = simple
+reload.stealthbits_ad_ldap_settings = simple
+reload.passwords = simple
+
+[author=Netwrix]
+email = splunk@netwrix.com
+company = Netwrix Corporation
+
diff --git a/apps/stealthbits_ad_ldap/default/data/ui/nav/default.xml b/apps/stealthbits_ad_ldap/default/data/ui/nav/default.xml
new file mode 100644
index 00000000..4402969a
--- /dev/null
+++ b/apps/stealthbits_ad_ldap/default/data/ui/nav/default.xml
@@ -0,0 +1,6 @@
+ 
\ No newline at end of file
diff --git a/apps/stealthbits_ad_ldap/default/data/ui/views/README b/apps/stealthbits_ad_ldap/default/data/ui/views/README
new file mode 100644
index 00000000..d518a88b
--- /dev/null
+++ b/apps/stealthbits_ad_ldap/default/data/ui/views/README
@@ -0,0 +1 @@
+Add all the views that your app needs in this directory
diff --git a/apps/stealthbits_ad_ldap/default/data/ui/views/page_ad_changes.xml b/apps/stealthbits_ad_ldap/default/data/ui/views/page_ad_changes.xml
new file mode 100644
index 00000000..a67442ba
--- /dev/null
+++ b/apps/stealthbits_ad_ldap/default/data/ui/views/page_ad_changes.xml
@@ -0,0 +1,623 @@
+
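Review bot: The `[triggers]` stanza registers `reload.stealthbits_ad_ldap_account = simple` and `reload.passwords = simple`, but nothing else in this change ships an account conf, a setup page, or any credential-bearing file, so these look like Add-on Builder residue rather than something the app uses. Dead reload triggers are harmless by themselves, but they signal to the next maintainer that a credentials store exists; if one is ever added it must be written through storage/passwords into `local/`, never as plaintext in `default/`, and `is_configured = 0` should then be flipped by the setup flow rather than hand-edited. I would drop the two unused lines, or add `# no account/password conf is shipped; triggers kept for Add-on Builder compatibility` above them so the intent is explicit. Separately, `state_change_requires_restart = false` contradicts the README's "Restart Splunk Web" installation step; one of the two should be corrected.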
+ +
+ +
+ + + + + -7d@h + now + + + + + + + `stealthData` + | where not match(PolicyName, ".*%.*") + | stats sum(PolicyName) by PolicyName + | fields - sum(PolicyName) + | dedup PolicyName + + $eventTime.earliest$ + now + + PolicyName + PolicyName + All Policies + * + * + + + + * + + + `stealthData` + | where not match(event_id, ".*%.*") and like(event_id, "%Active Directory%") + | stats count by event_id + | eval eventID = replace(event_id, "Active Directory ", "") + | table eventID + + $eventTime.earliest$ + now + + eventID + eventID + All Actions + + + + * + + + `stealthData` + | where not match(SuccessfulChange, ".*%.*") and like(event_id, "%Active Directory%") + | stats count by SuccessfulChange + | eval newSuccessfulChange = case(SuccessfulChange="True", "Successful", SuccessfulChange="False", "Failed") + | table newSuccessfulChange, SuccessfulChange + + $eventTime.earliest$ + now + + newSuccessfulChange + SuccessfulChange + Successful & Failed + * + + + + * + + + `stealthData` + | where not match(BlockedEvent, ".*%.*") and like(event_id, "%Active Directory%") + | stats sum(BlockedEvent) as BlockedEvent_count by BlockedEvent + | eval translated_BlockedEvent=case(BlockedEvent="True", "Yes", BlockedEvent="False", "No") + | table translated_BlockedEvent, BlockedEvent + | dedup translated_BlockedEvent, BlockedEvent + | sort -translated_BlockedEvent, -BlockedEvent + + $eventTime.earliest$ + now + + translated_BlockedEvent + BlockedEvent + Yes or No + * + + +
+ + + + * + + + `stealthData` + | where not match(src_nt_domain, ".*%.*") and like(event_id, "%Active Directory%") + | stats sum(src_nt_domain) by src_nt_domain + | fields - sum(src_nt_domain) + | dedup src_nt_domain + + $eventTime.earliest$ + now + + src_nt_domain + src_nt_domain + All Domains + * + + + + * + + + `stealthData` + | where not match(Server, ".*%.*") and like(event_id, "%Active Directory%") + | stats sum(Server) by Server + | eval Server=case(!LIKE(Server, "%\\%"), Server, Server LIKE "%\\%", mvindex(split(Server, "\\"), 1)) + | fields - sum(Server) + | dedup Server + + $eventTime.earliest$ + now + + Server + Server + All Hosts + + + + * + + + `stealthData` + | where not match(Perpetrator, ".*%.*") and like(event_id, "%Active Directory%") + | stats sum(Perpetrator) as Perpetrator_count by Perpetrator + | eval Perpetrator=case(!LIKE(Perpetrator, "%\\%"), Perpetrator, Perpetrator LIKE "%\\%", mvindex(split(Perpetrator, "\\"), 1)) + | eval upper_Perpetrator=upper(substr(Perpetrator,1,1)).substr(Perpetrator,2) + | table upper_Perpetrator, Perpetrator + | dedup upper_Perpetrator, Perpetrator + + $eventTime.earliest$ + now + + upper_Perpetrator + Perpetrator + All Users + + + + * + + + `stealthData` + | where not match(Domain, ".*%.*") + | stats sum(Server) by Domain + | fields - sum(Server) + | dedup Domain + + $eventTime.earliest$ + now + + Domain + Domain + All Domains + + + + + + `stealthData` + | where not match(ObjectClass, ".*%.*") and like(event_id, "%Active Directory%") + | stats sum(ObjectClass) as ObjectClass_count by ObjectClass + | eval upper_ObjectClass=upper(substr(ObjectClass,1,1)).substr(ObjectClass,2) + | table upper_ObjectClass, ObjectClass + | dedup upper_ObjectClass, ObjectClass + + $eventTime.earliest$ + now + + upper_ObjectClass + ObjectClass + All Object Types + * + * + + + + * + + + `stealthData` + | where not match(ModifiedObject, ".*%.*") and like(event_id, "%Active Directory%") + | stats sum(Server) by ModifiedObject + | eval 
ModifiedObject=case(!LIKE(ModifiedObject, "%\\%"), ModifiedObject, ModifiedObject LIKE "%\\%", mvindex(split(ModifiedObject, "\\"), 1)) + | eval upper_ModifiedObject=upper(substr(ModifiedObject,1,1)).substr(ModifiedObject,2) + | table upper_ModifiedObject, ModifiedObject + | dedup upper_ModifiedObject, ModifiedObject + + $eventTime.earliest$ + now + + upper_ModifiedObject + ModifiedObject + All Objects + + + + +
+ + + + + + + + + + + + `stealthData` + | where like(event_id, "%Active Directory%") + | eval Time = strftime(_time,"%Y-%m-%d %H:%M%P") + | eval EventType = replace(event_id, "Active Directory ", "") + | eval InitiatedHost = case(!LIKE(Server, "%\\%"), Server, Server LIKE "%\\%", mvindex(split(Server, "\\"), 1)) + | eval InitiatedUser = case(!LIKE(Perpetrator, "%\\%"), Perpetrator, Perpetrator LIKE "%\\%", mvindex(split(Perpetrator, "\\"), 1)) + | eval TargetObject = case(!LIKE(ModifiedObject, "%\\%"), ModifiedObject, ModifiedObject LIKE "%\\%", mvindex(split(ModifiedObject, "\\"), 1)) + | eval ActionResult = case(SuccessfulChange == "True", "Success", SuccessfulChange == "False", "Failure") + | search + PolicyName = "$detectingPolicy$" + EventType = "$actionPerformed$" + SuccessfulChange = "$actionResult$" + BlockedEvent = "$actionBlocked$" + ```src_nt_domain = "$initiatedDomain$"``` + InitiatedHost = "$initiatedHost$" + InitiatedUser = "$initiatedUser$" + Domain="$targetDomain$" + ObjectClass = "$targetObjectType$" + TargetObject = "$targetObject$" + | rename + Time AS "Event Time" + PolicyName AS "Detecting Policy" + EventType AS "Action Performed" + ActionResult AS "Action Result" + BlockedEvent AS "Action Blocked" + src_nt_domain AS "Initiating (Domain)" + InitiatedHost AS "Initiating (Host)" + InitiatedUser AS "Initiating (User)" + Domain AS "Target Domain" + ObjectClass AS "Target Object Type" + TargetObject AS "Target Object" + AttributeName AS "Target Attribute" + Operation AS "Operation" + OldAttributeValue AS "Old Value" + NewAttributeValue AS "New Value" + | table + _time + "Event Time" + "Detecting Policy" + "Action Performed" + "Action Result" + "Action Blocked" + "Initiating (Domain)" + "Initiating (Host)" + "Initiating (User)" + "Target Domain" + "Target Object Type" + "Target Object" + "Target Attribute" + "Operation" + "Old Value" + "New Value" + + $eventTime.earliest$ + now + + + + + + + + $click.value$ + + +
+
+
+ + + + + Event Details + + + `stealthData` + | where _time=$timeValue$ + | eval EventTime=strftime(_time, "%Y-%m-%d %H:%M:%S") + | eval EventTimeUTC=strftime(_time + 18000, "%Y-%m-%d %H:%M:%S") + | eval ActionStatus = case(SuccessfulChange == "True", "Success", SuccessfulChange == "False", "Failure") + | eval ActionCategory = case(change_type == "AD", "Active Directory") + | eval ActionType = replace(event_id, "Active Directory ", "") + | rename + EventTime AS "Time Logged" + EventTimeUTC AS "Time Logged UTC" + BlockedEvent AS "Action Blocked" + ActionStatus AS "Action Status" + ActionCategory AS "Action Category" + ActionType AS "Message" + | table + "Time Logged" + "Action Type" + "Action Blocked" + "Action Status" + "Action Category" + "Message" + | transpose 1 + + $eventTime.earliest$ + now + + + +
+
+ + + Perpetrator Details + + + `stealthData` + | where _time=$timeValue$ + | rename + Perpetrator AS "Account Name" + change_type AS "Protocol" + Server AS "Host" + ServerAddress AS "IP Address" + | table + "Account Name" + "Protocol" + "Host" + "IP Address" + | transpose 1 + + + + +
+
+ + + Affected Object Details + + + `stealthData` + | where _time=$timeValue$ + | rename + DistinguishedName AS "Path" + ObjectClass AS "Type" + CN AS "Name" + TargetHost AS "Host" + TargetAddress AS "IP Address" + | table + "Path" + "Type" + "Name" + "Host" + "IP Address" + | transpose 1 + + + + +
+
+ + + Agent Details + + + `stealthData` + | where _time=$timeValue$ + | rename + ClientHost AS "Host" + ClientAddress AS "IP Address" + | table + "Host" + "IP Address" + | transpose 1 + + + + +
+
+
+ + + + + + `stealthData` + | where _time=$timeValue$ + | eval EventType = replace(event_id, "Active Directory ", "") + | eval EventName = upper(substr(AttributeName, 1, 1)).substr(AttributeName, 2) + | rename + EventName AS "Attribute Name" + EventType AS "Event Type" + OldAttributeValue AS "Old Value" + NewAttributeValue AS "New Value" + | table + "Attribute Name" + "Event Type" + "Old Value" + "New Value" + | dedup + "Attribute Name" + "Event Type" + "Old Value" + "New Value" + + + + +
+
+
+
\ No newline at end of file
diff --git a/apps/stealthbits_ad_ldap/default/data/ui/views/page_gpo_changes.xml b/apps/stealthbits_ad_ldap/default/data/ui/views/page_gpo_changes.xml
new file mode 100644
index 00000000..dff1e9b1
--- /dev/null
+++ b/apps/stealthbits_ad_ldap/default/data/ui/views/page_gpo_changes.xml
@@ -0,0 +1,620 @@
+
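Review bot: Every detail panel (Event, Perpetrator, Affected Object, Agent, attribute table) selects the drilled-down record with `| where _time=$timeValue$` alone, and the Event/Perpetrator/Object/Agent panels then run `| transpose 1`, which keeps only the first matching row. Two AD changes logged in the same second — routine for scripted or bulk changes, and the detail queries already assume one change can produce several rows — will therefore be merged, and an analyst can be shown a perpetrator or target object that belongs to a different event than the one they clicked. The drilldown should carry at least `Perpetrator` and `ModifiedObject` (or a per-event identifier from StealthINTERCEPT, if the feed provides one) and the panels should filter on them alongside `_time`. The "Time Logged UTC" column is also computed as `strftime(_time + 18000, ...)`, a hard-coded five-hour shift that is only UTC for a search head in US Eastern Standard Time and is wrong across DST; for timeline reconstruction it is safer to emit the offset explicitly, e.g. `| eval EventTimeUTC=strftime(_time, "%Y-%m-%d %H:%M:%S %z")`, or derive the UTC shift from `%z` rather than a constant.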
+ +
+ +
+ + + + + -7d@h + now + + + + + + + `stealthData` + | where not match(PolicyName, ".*%.*") + | stats sum(PolicyName) by PolicyName + | fields - sum(PolicyName) + | dedup PolicyName + + $eventTime.earliest$ + now + + PolicyName + PolicyName + All Policies + * + * + + + + * + + + `stealthData` + | where not match(event_id, ".*%.*") and like(event_id, "%GPO%") + | eval EventType = replace(event_id, "SI Events Log ", "") + | stats count by EventType + | table EventType + + $eventTime.earliest$ + now + + EventType + EventType + All Actions + + + + * + + + `stealthData` + | where not match(SuccessfulChange, ".*%.*") and like(event_id, "%GPO%") + | stats count by SuccessfulChange + | eval newSuccessfulChange = case(SuccessfulChange="True", "Successful", SuccessfulChange="False", "Failed") + | table newSuccessfulChange, SuccessfulChange + + $eventTime.earliest$ + now + + newSuccessfulChange + SuccessfulChange + Successful & Failed + * + + + + * + + + `stealthData` + | where not match(BlockedEvent, ".*%.*") and like(event_id, "%GPO%") + | stats sum(BlockedEvent) as BlockedEvent_count by BlockedEvent + | eval translated_BlockedEvent=case(BlockedEvent="True", "Yes", BlockedEvent="False", "No") + | table translated_BlockedEvent, BlockedEvent + | dedup translated_BlockedEvent, BlockedEvent + | sort -translated_BlockedEvent, -BlockedEvent + + $eventTime.earliest$ + now + + translated_BlockedEvent + BlockedEvent + Yes or No + * + + +
+ + + + * + + + `stealthData` + | where not match(src_nt_domain, ".*%.*") and like(event_id, "%GPO%") + | stats sum(src_nt_domain) by src_nt_domain + | fields - sum(src_nt_domain) + | dedup src_nt_domain + + $eventTime.earliest$ + now + + src_nt_domain + src_nt_domain + All Domains + * + + + + * + + + `stealthData` + | where not match(Server, ".*%.*") and like(event_id, "%GPO%") + | stats sum(Server) by Server + | eval Server=case(!LIKE(Server, "%\\%"), Server, Server LIKE "%\\%", mvindex(split(Server, "\\"), 1)) + | fields - sum(Server) + | dedup Server + + $eventTime.earliest$ + now + + Server + Server + All Hosts + + + + * + + + `stealthData` + | where not match(Perpetrator, ".*%.*") and like(event_id, "%GPO%") + | stats sum(Perpetrator) as Perpetrator_count by Perpetrator + | eval Perpetrator=case(!LIKE(Perpetrator, "%\\%"), Perpetrator, Perpetrator LIKE "%\\%", mvindex(split(Perpetrator, "\\"), 1)) + | eval upper_Perpetrator=upper(substr(Perpetrator,1,1)).substr(Perpetrator,2) + | table upper_Perpetrator, Perpetrator + | dedup upper_Perpetrator, Perpetrator + + $eventTime.earliest$ + now + + upper_Perpetrator + Perpetrator + All Users + + + + * + + + `stealthData` + | where not match(Domain, ".*%.*") + | stats sum(Server) by Domain + | fields - sum(Server) + | dedup Domain + + $eventTime.earliest$ + now + + Domain + Domain + All Domains + + + + + + `stealthData` + | where not match(object, ".*%.*") and like(event_id, "%GPO%") + | eval AffectedObject = mvindex(split(object, "\\"), -1) + | stats count by AffectedObject + | table AffectedObject + | dedup AffectedObject + + $eventTime.earliest$ + now + + AffectedObject + AffectedObject + All Object Types + * + * + + + + * + + + `stealthData` + | where not match(AttributeName, ".*%.*") and like(event_id, "%GPO%") + | stats count by AttributeName + | table AttributeName + | dedup AttributeName + + $eventTime.earliest$ + now + + AttributeName + AttributeName + All Objects + + + + +
+ + + + + + + + + + + + + `stealthData` + | where like(event_id, "%GPO%") + | eval Time = strftime(_time,"%Y-%m-%d %H:%M%P") + | eval EventType = replace(event_id, "SI Events Log ", "") + | eval InitiatedHost = case(!LIKE(Server, "%\\%"), Server, Server LIKE "%\\%", mvindex(split(Server, "\\"), 1)) + | eval InitiatedUser = case(!LIKE(Perpetrator, "%\\%"), Perpetrator, Perpetrator LIKE "%\\%", mvindex(split(Perpetrator, "\\"), 1)) + | eval ActionResult = case(SuccessfulChange == "True", "Success", SuccessfulChange == "False", "Failure") + | eval AffectedObject = mvindex(split(object, "\\"), -1) + | search + PolicyName = "$detectingPolicy$" + EventType = "$actionPerformed$" + SuccessfulChange = "$actionResult$" + BlockedEvent = "$actionBlocked$" + src_nt_domain = "$initiatedDomain$" + InitiatedHost = "$initiatedHost$" + InitiatedUser = "$initiatedUser$" + Domain = "$targetDomain$" + AffectedObject = "$targetObjectType$" + AttributeName = "$targetObject$" + | rename + Time AS "Event Time" + PolicyName AS "Detecting Policy" + EventType AS "Action Performed" + ActionResult AS "Action Result" + BlockedEvent AS "Action Blocked" + src_nt_domain AS "Initiating (Domain)" + InitiatedHost AS "Initiating (Host)" + InitiatedUser AS "Initiating (User)" + Domain AS "Target Domain" + AffectedObject AS "Target Object Type" + AttributeName AS "Target Object" + OldAttributeValue AS "Old Value" + NewAttributeValue AS "New Value" + | table + _time + "Event Time" + "Detecting Policy" + "Action Performed" + "Action Result" + "Action Blocked" + "Initiating (Domain)" + "Initiating (Host)" + "Initiating (User)" + "Target Domain" + "Target Object Type" + "Target Object" + "Old Value" + "New Value" + | dedup + _time + "Event Time" + "Detecting Policy" + "Action Performed" + "Action Result" + "Action Blocked" + "Initiating (Domain)" + "Initiating (Host)" + "Initiating (User)" + "Target Domain" + "Target Object Type" + "Target Object" + "Old Value" + "New Value" + + $eventTime.earliest$ + now + 
+ + + + + + + $click.value$ + + +
+
+
+ + + + Event Details + + + `stealthData` + | where _time=$timeValue$ + | eval EventTime=strftime(_time, "%Y-%m-%d %H:%M:%S") + | eval EventTimeUTC=strftime(_time + 18000, "%Y-%m-%d %H:%M:%S") + | eval ActionStatus = case(SuccessfulChange == "True", "Success", SuccessfulChange == "False", "Failure") + | eval ActionCategory = case(event_id LIKE "%GPO%", "Group Policy") + | eval ActionType = replace(event_id, "SI Events Log ", "") + | rename + EventTime AS "Time Logged" + EventTimeUTC AS "Time Logged UTC" + BlockedEvent AS "Action Blocked" + ActionStatus AS "Action Status" + ActionCategory AS "Action Category" + ActionType AS "Message" + | table + "Time Logged" + "Time Logged UTC" + "Action Type" + "Action Blocked" + "Action Status" + "Action Category" + "Message" + | transpose 1 + + + + +
+
+ + + Perpetrator Details + + + `stealthData` + | where _time=$timeValue$ + | rename + Perpetrator AS "Account Name" + change_type AS "Protocol" + Server AS "Host" + ServerAddress AS "IP Address" + src AS "Access URL" + | table + "Account Name" + "Protocol", + "Host", + "IP Address", + "Access URL" + | transpose 1 + + + + +
+
+ + + Affected Object Details + + + `stealthData` + | where _time=$timeValue$ + | rename + ObjectClass AS "Type" + object AS "Object Path" + TargetHost AS "Host" + TargetAddress AS "IP Address" + | table + "Path" + "Type", + "Account Name", + "Object Path", + "Host", + "IP Address" + | transpose 1 + + + + +
+
+ + + Agent Details + + + `stealthData` + | where _time=$timeValue$ + | rename + Server AS "Host" + ServerAddress AS "IP Address" + | table + "Host", + "IP Address" + | transpose 1 + + + + +
+
+
+ + + + + + `stealthData` + | where _time=$timeValue$ + | eval EventType = replace(event_id, "SI Events Log ", "") + | rename + AttributeName AS "Attribute Name" + EventType AS "Event Type" + OldAttributeValue AS "Old Value" + NewAttributeValue AS "New Value" + | table + "Attribute Name" + "Event Type" + "Old Value" + "New Value" + | dedup + "Attribute Name" + "Event Type" + "Old Value" + "New Value" + + + + + +
+
+
+
\ No newline at end of file
diff --git a/apps/stealthbits_ad_ldap/default/data/ui/views/page_ldap_monitoring.xml b/apps/stealthbits_ad_ldap/default/data/ui/views/page_ldap_monitoring.xml
new file mode 100644
index 00000000..6ebb5bfd
--- /dev/null
+++ b/apps/stealthbits_ad_ldap/default/data/ui/views/page_ldap_monitoring.xml
@@ -0,0 +1,619 @@
+
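Review bot: The "Agent Details" panel renames `Server AS "Host"` and `ServerAddress AS "IP Address"`, but the "Perpetrator Details" panel two rows above already presents the same two fields as the perpetrator's host and IP, so the agent panel just repeats the initiating host under a misleading label. The AD changes page in this same commit uses `ClientHost AS "Host"` and `ClientAddress AS "IP Address"` for its agent panel, which is presumably the intended mapping here as well — worth confirming against the StealthINTERCEPT field reference, since I am inferring the semantics from the sibling dashboard. The "Affected Object Details" table also lists `"Path"` and `"Account Name"`, neither of which is produced by its rename, so those rows render empty in the transpose. As on the AD page, `strftime(_time + 18000, ...)` is a fixed offset labelled "UTC" and should not be relied on for cross-timezone incident timelines.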
+ +
+ +
+ + + + + -7d@h + now + + + + + + + `stealthData` + Protocol = "LDAP" + | where not match(PolicyName, ".*%.*") + | stats sum(PolicyName) by PolicyName + | fields - sum(PolicyName) + | dedup PolicyName + + $eventTime.earliest$ + now + + PolicyName + PolicyName + All Policies + * + * + + + + * + + + `stealthData` + Protocol = "LDAP" + | where not match(EventName, ".*%.*") + | stats count by EventName + | table EventName + | dedup EventName + + $eventTime.earliest$ + now + + EventName + EventName + All Actions + + + + * + + + `stealthData` + Protocol = "LDAP" + | where not match(BlockedEvent, ".*%.*") + | stats count by BlockedEvent + | eval newBlockedEvent = case(BlockedEvent="True", "Failed", BlockedEvent="False", "Successful") + | table newBlockedEvent, BlockedEvent + | dedup newBlockedEvent, BlockedEvent + + $eventTime.earliest$ + now + + newBlockedEvent + BlockedEvent + Successful or Failed + * + + + + * + + + `stealthData` + Protocol = "LDAP" + | where not match(BlockedEvent, ".*%.*") + | stats count by BlockedEvent + | eval newBlockedEvent=case(BlockedEvent="True", "Yes", BlockedEvent="False", "No") + | table newBlockedEvent, BlockedEvent + | dedup newBlockedEvent, BlockedEvent + + $eventTime.earliest$ + now + + newBlockedEvent + BlockedEvent + Yes or No + * + + +
+ + + + * + + + `stealthData` + Protocol = "LDAP" + | where not match(DC, ".*%.*") + | stats count by DC + | fields - count + | dedup DC + + $eventTime.earliest$ + now + + src_nt_domain + src_nt_domain + All Domains + * + + + + * + + + `stealthData` + Protocol = "LDAP" + | where not match(Server, ".*%.*") + | eval Server = case(!LIKE(Server, "%\\%"), Server, Server LIKE "%\\%", mvindex(split(Server, "\\"), 1)) + | stats count by Server + | fields - count + | dedup Server + + $eventTime.earliest$ + now + + Server + Server + All Hosts + + + + * + + + `stealthData` + Protocol = "LDAP" + | where not match(Perpetrator, ".*%.*") + | stats sum(Perpetrator) as Perpetrator_count by Perpetrator + | eval Perpetrator=case(!LIKE(Perpetrator, "%\\%"), Perpetrator, Perpetrator LIKE "%\\%", mvindex(split(Perpetrator, "\\"), 1)) + | eval upper_Perpetrator=upper(substr(Perpetrator,1,1)).substr(Perpetrator,2) + | table upper_Perpetrator, Perpetrator + | dedup upper_Perpetrator, Perpetrator + + $eventTime.earliest$ + now + + upper_Perpetrator + Perpetrator + All Users + + + + * + + + `stealthData` + Protocol = "LDAP" + | where not match(AccessURL, ".*%.*") + | eval AccessURL = case(AccessURL LIKE "%LDAPS%", replace(AccessURL, "LDAPS:", ""), AccessURL LIKE "%LDAP%", replace(AccessURL, "LDAP:", "")) + | stats count by AccessURL + | fields - count + | dedup AccessURL + + $eventTime.earliest$ + now + + AccessURL + AccessURL + All Access URLs + * + + + + + + `stealthData` + Protocol = "LDAP" + | where not match(SecureQuery, ".*%.*") + | stats count by SecureQuery + | table SecureQuery + | dedup SecureQuery + + $eventTime.earliest$ + now + + SecureQuery + SecureQuery + Yes or No + * + + + + * + + + `stealthData` + Protocol = "LDAP" + | where not match(SecurityType, ".*%.*") + | stats count by SecurityType + | table SecurityType + | dedup SecurityType + + $eventTime.earliest$ + now + + SecurityType + SecurityType + All Types + * + + + + +
+ + + + + + + + + + + + + `stealthData` + Protocol = "LDAP" + | eval Time=strftime(_time,"%Y-%m-%d %H:%M%P") + | eval ActionResult = case(BlockedEvent="True", "Failed", BlockedEvent="False", "Successful") + | eval BlockedEvent=case(BlockedEvent="True", "Yes", BlockedEvent="False", "No") + | eval Server=case(Server LIKE "%\\%", mvindex(split(Server, "\\"), 1)) + | eval Perpetrator=case(Perpetrator LIKE "%\\%", mvindex(split(Perpetrator, "\\"), 1)) + | eval AccessURL = case(AccessURL LIKE "%LDAPS%", replace(AccessURL, "LDAPS:", ""), AccessURL LIKE "%LDAP%", replace(AccessURL, "LDAP:", "")) + | search + PolicyName = "$detectingPolicy$" + EventName = "$actionPerformed$" + ActionResult = "$actionResult$" + BlockedEvent = "$actionBlocked$" + DC = "$initiatedDomain$" + Server = "$initiatedHost$" + Perpetrator = "$initiatedUser$" + AccessURL = "$accessUrl$" + SecureQuery = "$searchSecure$" + SecurityType = "$searchSecurityType$" + | rename + Time AS "Event Time" + PolicyName AS "Detecting Policy" + EventName AS "Action Performed" + ActionResult AS "Action Result" + BlockedEvent AS "Action Blocked" + DC AS "Initiating (Domain)" + Server AS "Initiating (Host)" + Perpetrator AS "Initiating (User)" + AccessURL AS "Access URL" + SecureQuery AS "Secure Query" + SecurityType AS "Security Type" + QueryFilter AS "Query Filter" + | table + _time + "Event Time" + "Detecting Policy" + "Action Performed" + "Action Result" + "Action Blocked" + "Initiating (Domain)" + "Initiating (Host)" + "Initiating (User)" + "Access URL" + "Secure Query" + "Security Type" + "Query Filter" + | dedup + _time + "Event Time" + "Detecting Policy" + "Action Performed" + "Action Result" + "Action Blocked" + "Initiating (Domain)" + "Initiating (Host)" + "Initiating (User)" + "Access URL" + "Secure Query" + "Security Type" + "Query Filter" + + $eventTime.earliest$ + now + + + + + + + + $click.value$ + + +
+
+
+ + + + Event Details + + + `stealthData` + AND _time="$time_token$" + | eval EventTime=strftime(_time, "%Y-%m-%d %H:%M:%S") + | eval EventTimeUTC=strftime(_time+18000, "%Y-%m-%d %H:%M:%S") + | eval ActionStatus = case(BlockedEvent="True", "Failed", BlockedEvent="False", "Successful") + | rename + EventTime AS "Time Logged", + EventTimeUTC AS "Time Logged UTC", + EventName AS "Action Type", + BlockedEvent AS "Action Blocked", + actionStatus AS "Action Status", + event_id AS "Message" + | table + "Time Logged", + "Time Logged UTC" + "Action Type", + "Action Blocked", + "Action Status", + "Message" + | transpose 1 + + + + +
+
+ + + Perpetrator Details + + + `stealthData` + AND _time="$time_token$" + | rename + Perpetrator AS "Account Name" + PerpetratorSID AS "Account SID" + DistinguishedName AS "Account DN" + Server AS "Host" + ServerAddress AS "IP Address" + AccessURL AS "Access URL" + | table + "Account Name" + "Account SID", + "Account DN" + "Protocol", + "Client Host", + "Client IP Address", + "Access URL" + | transpose 1 + + + + +
+
+ + + Search Details + + + `stealthData` + AND _time="$time_token$" + | rename + QueryFilter AS "Query Filter" + QueryExecutionTimeAvg AS "Query Execute Time" + ObjectsReturned AS "Result Count" + SecurityQuery AS "Secure Query" + SecurityType AS "Security Type" + | table + "Query Filter" + "Query Execute Time" + "Result Count" + "Secure Query" + "Security Type" + | transpose 1 + + + + +
+
+ + + Agent Details + + + `stealthData` + AND _time="$time_token$" + | rename + ClientHost AS "Host" + ClientAddress AS "IP Address" + | table + "Host", + "IP Address" + | transpose 1 + + + + +
+
+
+
\ No newline at end of file
diff --git a/apps/stealthbits_ad_ldap/default/data/ui/views/page_overview.xml b/apps/stealthbits_ad_ldap/default/data/ui/views/page_overview.xml
new file mode 100644
index 00000000..6185f3b6
--- /dev/null
+++ b/apps/stealthbits_ad_ldap/default/data/ui/views/page_overview.xml
@@ -0,0 +1,689 @@
+
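Review bot: In the "Event Details" panel the eval defines `ActionStatus`, but the rename reads `actionStatus AS "Action Status"`; SPL field names are case-sensitive, so the "Action Status" row is always blank — the fix is `ActionStatus AS "Action Status",`. The same pattern appears in "Search Details", where `SecurityQuery AS "Secure Query"` does not match the `SecureQuery` field that the filter dropdown and results table use, so the secure-query indicator silently disappears from the detail view. That indicator matters on this page: the results table rewrites `AccessURL` with `replace(AccessURL, "LDAPS:", "")` / `replace(AccessURL, "LDAP:", "")`, stripping the scheme from the displayed URL, so whether a query was cleartext LDAP or LDAPS is no longer visible from the URL column and depends entirely on `SecureQuery`/`SecurityType` being populated correctly. I would keep the scheme in the displayed URL (or add a derived column for it) rather than normalise it away, since unsigned or cleartext LDAP binds are exactly what an analyst filters this page for.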
+ +
+ + + + -7d@h + now + + +
+ + + + + + + + + + +

+ Overview +

+ +
+
+ + + Active Directory Events + + + + `stealthData` + | where like(event_id, "Active Directory%") + | stats count + + $eventTime.earliest$ + $eventTime.latest$ + + + + + + + + + + + + Group Policy Events + + + + `stealthData` + | where like(event_id, "%GPO%") + | stats count + + $eventTime.earliest$ + $eventTime.latest$ + + + + + + + + + + + + LDAP Events + + + `stealthData` Protocol = "LDAP" + | stats count + $eventTime.earliest$ + $eventTime.latest$ + + + + + + + + + + + + + + + Active Users + + + + `stealthData` + | where !like(Perpetrator, '*\%*') + | stats dc(Perpetrator) as count + + $eventTime.earliest$ + $eventTime.latest$ + + + + + Monitored Domains + + + + `stealthData` + | where not match(Domain, ".*%.*") + | stats dc(Domain) as count + + $eventTime.earliest$ + $eventTime.latest$ + + + + + + + Events Over Time + + + `stealthData` +| where like(event_id, "%GPO%") OR like(event_id, "Active Directory%") OR like(Protocol, "%LDAP%") +| eval eventID = replace(event_id, "Active Directory ", "") +| timechart sum(linecount) as "Event Count" by eventID + $eventTime.earliest$ + $eventTime.latest$ + + + + + + + + + + + + + +

+ Active Directory Events +

+ +
+ + +

+ Group Policy Events +

+ +
+
+ + + AD Most Active Users + + + + `stealthData` + | where like(event_id, "Active Directory%") + | eval eventID = replace(event_id, "Active Directory ", "") + | chart count BY Perpetrator eventID + | addtotals + | sort -Total, +Perpetrator + | head 5 + | fields - Total + + $eventTime.earliest$ + $eventTime.latest$ + + + + + + + + + + + mvindex(split($click.value$, "\\"), 0) + mvindex(split($click.value$, "\\"), 1) + + + + + + + + GPO Most Active Users + + + + `stealthData` + | where like(event_id, "%GPO%") + | stats count BY Perpetrator + | rename count as "Event Count" + | sort -"Event Count" + | head 5 + + $eventTime.earliest$ + $eventTime.latest$ + + + + + + + + mvindex(split($click.value$, "\\"), 0) + mvindex(split($click.value$, "\\"), 1) + + + + + + + + + + AD Events By Type + + + + `stealthData` + | where not match(event_id, ".*%.*") and like(event_id, "%Active Directory%") + | eval eventID = replace(event_id, "Active Directory ", "") + | stats count by eventID + | eval percent=round(percent) + + $eventTime.earliest$ + $eventTime.latest$ + + + + + + + + + + + + + + + AD Successful/Failed Changes + + + + `stealthData` + | where like(event_id, "Active Directory%") + | stats count BY SuccessfulChange + | replace False WITH "Failed", True WITH "Successful" IN SuccessfulChange + | eval percent=round(percent) + + $eventTime.earliest$ + $eventTime.latest$ + + + + + + + + case($click.value$ == "Successful", "True", $click.value$ == "Failed", "False") + + + + + + + + AD Allowed/Blocked Changes + + + + `stealthData` + | where like(event_id, "Active Directory%") + | stats count BY BlockedEvent + | replace False WITH "Allowed", True WITH "Blocked" IN BlockedEvent + + $eventTime.earliest$ + $eventTime.latest$ + + + + + + + + case($click.value$ == "Allowed", "False", $click.value$ != "Allowed", "True") + + + + + + + + GPO Events By Type + + + + `stealthData` + | where not match(event_id, ".*%.*") and like(event_id, "%GPO%") + | eval eventID = replace(event_id, "SI Events 
Log ", "") + | stats count by eventID + | eval percent=round(percent) + + $eventTime.earliest$ + $eventTime.latest$ + + + + + + + + + + + + + + + GPO Successful/Failed Changes + + + + `stealthData` + | where like(event_id, "%GPO%") + | stats count BY SuccessfulChange + | replace False WITH "Failed", True WITH "Successful" IN SuccessfulChange + + $eventTime.earliest$ + $eventTime.latest$ + + + + + + + + case($click.value$ == "Successful", "True", $click.value$ == "Failed", "False") + + + + + + + + GPO Allowed/Blocked Changes + + + + `stealthData` + | where like(event_id, "%GPO%") + | stats count BY BlockedEvent + | replace False WITH "Allowed", True WITH "Blocked" IN BlockedEvent + + $eventTime.earliest$ + $eventTime.latest$ + + + + + + + + case($click.value$ == "Allowed", "False", $click.value$ != "Allowed", "True") + + + + + + + + + + +
+

+ LDAP Events +

+
+ +
+
+ + + LDAP Most Active Source Hosts + + + + `stealthData` + Protocol = "LDAP" + | stats count BY Server + | rename count as "Event Count" + | sort -"Event Count" + | head 5 + + $eventTime.earliest$ + $eventTime.latest$ + + + + + + + + mvindex(split($click.value$, "\\"), 0) + mvindex(split($click.value$, "\\"), 1) + + + + + + + + LDAP Most Active Access URLs + + + + `stealthData` + Protocol = "LDAP" + | eval AccessURL = replace(AccessURL, "LDAP:", "") + | stats count BY AccessURL + | sort - count + | head 5 + + $eventTime.earliest$ + $eventTime.latest$ + + + + + + + + + + + + + + + LDAP Most Active Users + + + + `stealthData` + Protocol = "LDAP" + | stats count BY Perpetrator + | sort - count + | head 5 + + $eventTime.earliest$ + $eventTime.latest$ + + + + + + + + mvindex(split($click.value$, "\\"), 0) + mvindex(split($click.value$, "\\"), 1) + + + + + + + + + + LDAP Events By Type + + + + `stealthData` + Protocol = "LDAP" + | stats count BY EventName + | eval percent=round(percent) + + $eventTime.earliest$ + $eventTime.latest$ + + + + + + + + + + + + + + + LDAP Allowed/Blocked Queries + + + + `stealthData` + Protocol = "LDAP" + | stats count BY BlockedEvent + | replace False WITH "Allowed", True WITH "Blocked" IN BlockedEvent + + $eventTime.earliest$ + $eventTime.latest$ + + + + + + + + case($click.value$ == "Allowed", "No", $click.value$ != "Allowed", "Yes") + + + + + + + + LDAPS vs. LDAP + + + + `stealthData` + Protocol = "LDAP" + | stats count BY SecureQuery + | replace No WITH "LDAP", Yes WITH "LDAPS" IN SecureQuery + | eval percent=round(percent) + + $eventTime.earliest$ + $eventTime.latest$ + + + + + + + + case($click.value$ == "LDAPS", "Yes", $click.value$ == "LDAP", "No") + + + + + + + + Signed and Sealed vs. 
LDAP + + + + `stealthData` + Protocol = "LDAP" + | stats count BY SecurityType + | replace None WITH "LDAP", "Add Random Data" WITH "LDAP" IN SecurityType + | eval percent=round(percent) + + $eventTime.earliest$ + $eventTime.latest$ + + + + + + + + case($click.value$ == "LDAP", "None", $click.value$ != "LDAP", $click.value$) + + + + + + + + Secure vs. Insecure + + + + `stealthData` + Protocol = "LDAP" + | stats count BY SecureQuery + | replace No WITH "Unsecure", Yes WITH "Secure" IN SecureQuery + | eval percent=round(percent) + + $eventTime.earliest$ + $eventTime.latest$ + + + + + + + + case($click.value$ == "Secure", "Yes", $click.value$ == "Unsecure", "No") + + + + + + + +
\ No newline at end of file
diff --git a/apps/stealthbits_ad_ldap/default/eventtypes.conf b/apps/stealthbits_ad_ldap/default/eventtypes.conf
new file mode 100644
index 00000000..a012ccb3
--- /dev/null
+++ b/apps/stealthbits_ad_ldap/default/eventtypes.conf
@@ -0,0 +1,11 @@
+[StealthINTERCEPT_Authentication]
+priority = 5
+search = `stealthData` event_id="Authentication Auth *"
+
+[StealthINTERCEPT_Active_Directory]
+priority = 5
+search = `stealthData` event_id="Active Directory*"
+
+[StealthINTERCEPT_Group_Policy]
+priority = 5
+search = `stealthData` event_id="*GPO*"
diff --git a/apps/stealthbits_ad_ldap/default/macros.conf b/apps/stealthbits_ad_ldap/default/macros.conf
new file mode 100644
index 00000000..a501f9a1
--- /dev/null
+++ b/apps/stealthbits_ad_ldap/default/macros.conf
@@ -0,0 +1,3 @@
+[stealthData]
+definition = index=* (sourcetype=STEALTHbits OR sourcetype=StealthINTERCEPT)
+iseval = 0
diff --git a/apps/stealthbits_ad_ldap/default/props.conf b/apps/stealthbits_ad_ldap/default/props.conf
new file mode 100644
index 00000000..5004eb9c
--- /dev/null
+++ b/apps/stealthbits_ad_ldap/default/props.conf
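Review bot: The "Active Users" single-value panel filters with `| where !like(Perpetrator, '*\%*')`, which does not do what it intends: in Splunk eval, single-quoted text is a field reference rather than a string literal, `like()` wildcards are `%` and `_` (not `*`), and I do not believe eval has a unary `!` operator, so the predicate either errors or filters nothing and the "distinct active users" count is unreliable. The sibling "Monitored Domains" panel already uses `| where not match(Domain, ".*%.*")` for the same job; the users panel should mirror it, e.g. `| where NOT match(Perpetrator, "%")`. Separately, the "Events Over Time" panel uses `| timechart sum(linecount) as "Event Count" by eventID`, which counts raw lines rather than events and would overcount any multi-line syslog event; `count` is the conventional choice and matches how every other panel on this page counts.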
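Review bot: The `definition` line scopes every dashboard, eventtype and props search in this app to `index=*`, so each panel scans every index the running user can read, and users with different index permissions silently get different results from the same dashboard. A dedicated index name here keeps the searches bounded and makes this macro the single place an admin edits, e.g. `definition = index=stealthintercept (sourcetype=STEALTHbits OR sourcetype=StealthINTERCEPT)` with whatever index the syslog ingest was pointed at. If `index=*` is intended only as a ship-time placeholder, a comment above the stanza such as `# Replace index=* with the index StealthINTERCEPT data is sent to` would keep installers from leaving it in place.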
@@ -0,0 +1,21 @@ +[StealthINTERCEPT] +EVAL-action = case(like(event_id, "%Password _hanged"), "updated", like(event_id, "%Object _odified"), "modified", like(event_id, "%Object _dded"), "created", like(event_id, "%Group Members _dded"), "modified", like(event_id, "%Account _nabled"), "updated", like(event_id, "%Object _eleted"), "deleted", like(event_id, "%Group Members _emoved"), "modified", like(event_id, "%Account _nlocked"), "unlocked", like(event_id, "%Account _isabled"), "updated", like(event_id, "%_ock%"), "lockout") +EVAL-change_type = case(like(event_id, "Active Directory%"), "AD", like(event_id, "%File%"), "filesystem") +EVAL-dvc = coalesce(Server,ServerAddress) +EVAL-dest = coalesce(TargetHost, TargetHostIP, Server, ServerAddress) +EVAL-src = coalesce(ClientHost, ClientAddress) +EVAL-status = case(SuccessfulChange == "True", "success", SuccessfulChange == "False", "failure") +EVAL-vendor_product = "STEALTHbits StealthINTERCEPT" +EXTRACT-event_id = [STEALTHbits Activity Monitor|StealthINTERCEPT] - (?P[^\-]+)\s\- +FIELDALIAS-CIM: Authentication = AttributeName AS object_attrs DistinguishedName AS object Domain AS src_nt_domain ObjectClass AS object_category Perpetrator AS user _time AS file_access_time result AS status event_id AS EventName + +[STEALTHbits] +EVAL-action = case(like(event_id, "%Password _hanged"), "updated", like(event_id, "%Object _odified"), "modified", like(event_id, "%Object _dded"), "created", like(event_id, "%Group Members _dded"), "modified", like(event_id, "%Account _nabled"), "updated", like(event_id, "%Object _eleted"), "deleted", like(event_id, "%Group Members _emoved"), "modified", like(event_id, "%Account _nlocked"), "unlocked", like(event_id, "%Account _isabled"), "updated", like(event_id, "%_ock%"), "lockout") +EVAL-change_type = case(like(event_id, "Active Directory%"), "AD", like(event_id, "%File%"), "filesystem") +EVAL-dvc = coalesce(Server,ServerAddress) +EVAL-dest = coalesce(TargetHost, TargetHostIP, Server, 
ServerAddress) +EVAL-src = coalesce(ClientHost, ClientAddress) +EVAL-status = case(SuccessfulChange == "True", "success", SuccessfulChange == "False", "failure") +EVAL-vendor_product = "STEALTHbits StealthINTERCEPT" +EXTRACT-event_id = [STEALTHbits Activity Monitor|StealthINTERCEPT] - (?P[^\-]+)\s\- +FIELDALIAS-CIM: Authentication = AttributeName AS object_attrs DistinguishedName AS object Domain AS src_nt_domain ObjectClass AS object_category Perpetrator AS user _time AS file_access_time result AS status event_id AS EventName diff --git a/apps/stealthbits_ad_ldap/default/tags.conf b/apps/stealthbits_ad_ldap/default/tags.conf new file mode 100644 index 00000000..f822b8d0 --- /dev/null +++ b/apps/stealthbits_ad_ldap/default/tags.conf @@ -0,0 +1,9 @@ +[eventtype=StealthINTERCEPT%20Active%20Directory] +change = enabled + +[eventtype=StealthINTERCEPT%20Authentication] +change = enabled +authentication = enabled + +[eventtype=StealthINTERCEPT%20Group%20Policy] +change = enabled diff --git a/apps/stealthbits_ad_ldap/metadata/default.meta b/apps/stealthbits_ad_ldap/metadata/default.meta new file mode 100644 index 00000000..6b6b2983 --- /dev/null +++ b/apps/stealthbits_ad_ldap/metadata/default.meta @@ -0,0 +1,8 @@ + +[] +access = read : [ * ], write : [ admin ] +export = system + +[views] +access = read : [ * ], write : [ admin ] +export = none diff --git a/apps/stealthbits_ad_ldap/static/appIcon.png b/apps/stealthbits_ad_ldap/static/appIcon.png new file mode 100644 index 00000000..f813d9b9 Binary files /dev/null and b/apps/stealthbits_ad_ldap/static/appIcon.png differ diff --git a/apps/stealthbits_ad_ldap/static/appIconAlt.png b/apps/stealthbits_ad_ldap/static/appIconAlt.png new file mode 100644 index 00000000..c7a352f1 Binary files /dev/null and b/apps/stealthbits_ad_ldap/static/appIconAlt.png differ 
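Review bot: The `EXTRACT-event_id` regex in both stanzas wraps the product names in square brackets, `[STEALTHbits Activity Monitor|StealthINTERCEPT]`, which is a character class matching any single one of those letters, not an alternation; it only appears to work because the pattern is unanchored and the final letter of each product name happens to be in the class. The fix is a non-capturing group: `EXTRACT-event_id = (?:STEALTHbits Activity Monitor|StealthINTERCEPT) - (?P<event_id>[^\-]+)\s\-` (the capture group name looks like it was lost in rendering here; it needs `<event_id>` to populate the field every eventtype and dashboard keys on). The `FIELDALIAS-CIM` line also maps `result AS status` while `EVAL-status` defines `status` from `SuccessfulChange`, so the CIM `status` field has two competing sources depending on which fields an event carries — one of them should go. Note too that the `[StealthINTERCEPT]` and `[STEALTHbits]` stanzas are byte-for-byte copies, so any such fix has to be applied twice and the two will drift.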
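Review bot: The tags.conf stanzas reference eventtype names with spaces, `[eventtype=StealthINTERCEPT%20Active%20Directory]`, but eventtypes.conf in this same change defines them with underscores (`StealthINTERCEPT_Active_Directory`, `StealthINTERCEPT_Authentication`, `StealthINTERCEPT_Group_Policy`), so none of the `change` / `authentication` tags ever apply and the CIM Change and Authentication data models will not see this data. The stanzas should be renamed to match: `[eventtype=StealthINTERCEPT_Active_Directory]`, `[eventtype=StealthINTERCEPT_Authentication]`, `[eventtype=StealthINTERCEPT_Group_Policy]`. A quick `| tags` search against the eventtypes after install would confirm the tags attach.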
diff --git a/apps/stealthbits_ad_ldap/static/appIconAlt_2x.png b/apps/stealthbits_ad_ldap/static/appIconAlt_2x.png
new file mode 100644
index 00000000..10cf1c4c
Binary files /dev/null and b/apps/stealthbits_ad_ldap/static/appIconAlt_2x.png differ
diff --git a/apps/stealthbits_ad_ldap/static/appIcon_2x.png b/apps/stealthbits_ad_ldap/static/appIcon_2x.png
new file mode 100644
index 00000000..19e85ae6
Binary files /dev/null and b/apps/stealthbits_ad_ldap/static/appIcon_2x.png differ
diff --git a/apps/stealthbits_ad_ldap/static/appLogo_2x_red.png b/apps/stealthbits_ad_ldap/static/appLogo_2x_red.png
new file mode 100644
index 00000000..198a9932
Binary files /dev/null and b/apps/stealthbits_ad_ldap/static/appLogo_2x_red.png differ
diff --git a/apps/stealthbits_ad_ldap/static/appLogo_red.png b/apps/stealthbits_ad_ldap/static/appLogo_red.png
new file mode 100644
index 00000000..e579f06e
Binary files /dev/null and b/apps/stealthbits_ad_ldap/static/appLogo_red.png differ
diff --git a/apps/stealthbits_ad_ldap/static/screenshot.png b/apps/stealthbits_ad_ldap/static/screenshot.png
new file mode 100644
index 00000000..7ea76526
Binary files /dev/null and b/apps/stealthbits_ad_ldap/static/screenshot.png differ
diff --git a/apps/stealthbits_ad_ldap/stealthbits_ad_ldap.aob_meta b/apps/stealthbits_ad_ldap/stealthbits_ad_ldap.aob_meta
new file mode 100644
index 00000000..841022fd
--- /dev/null
+++ b/apps/stealthbits_ad_ldap/stealthbits_ad_ldap.aob_meta
@@ -0,0 +1 @@ +{"basic_builder": {"appname": "stealthbits_ad_ldap", "friendly_name": "Netwrix Active Directory and LDAP Monitoring", "version": "2.0.0", "author": "Netwrix Corporation", "description": "Netwrix Threat Manager provides many valuable controls for your IT infrastructure, and has many ways to utilize that data including real-time blocking and alerting. But holistic data reporting requires a more broad reaching platform such as Splunk. This app helps provide insight into the most common activities happening around your Active Directory\n \nLearn more about Netwrix at https://www.Netwrix.com/.", "theme": "#D9272D", "large_icon": "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", "small_icon": "iVBORw0KGgoAAAANSUhEUgAAACQAAAAkCAYAAADhAJiYAAADHUlEQVRYR+2YeU8qQRDEGxQVPFBBRVEBT77/p1HBC9TgfYGKQDS/zuvNqLDA+uIjL/Zf6u7MVFdV12wMyYBVaMDwyGAD2tnZefsXjOXzeY+YDwz9Avojx//N0NjYmPYZCoWk2WxKo9Ho24aBGQqHw7KxsSEvLy/y/PwsMzMzUq1W5ezsTEEsLS3JxMSE3NzcCECj0agUi0V5e/OflcCA4vG43N/f98wArAHw8fHRd01gQLCzv7/vdZxKpQSQMMDhrVZLLi4u5OHhwZNxbW1N1/hVX4CQaXJyUubm5pR+KpPJSK1Wk6urqy/nACyXyykw5KQAdXt7K3d3d23l6wvQ1taW7O3tKQMwYb9z0Obmphr58PDQ8xC+OTg4kPHxcZWrUql4a3m/UCh8aaIvQKurq1IqlXQTJDOWIpGIAuQ5AKjt7W3Z3d2VqakplQ1ANGIeymazcnR09D1ASHV5eakdM9Kvr6+6YS+AeA/5jMHZ2VmdwM/VF0MmkXXPZtPT0zIyMqKbw5CZOJFIKEPpdFqenp7UN/Y+/nH3cEH1DIgsoStyxphKJpNyfX3dNVs40OQ276ysrCjb5FhgQCzGB6Ojo7oR7NBtL0VQ0oxrZqRnQgMBYmJIZEYfz9TrdQXH35HEr9z33GHA6BYHtr5nyQCBVHTpprR17gfIZdK8g2TEwOf7rmdAHGimJtxsvN0s6gTKHXFMfnp6+iHDAknGIkxMIruskNTHx8e+khlomOL+I7O4jG3yAgNaXl6Wk5MTXW9dx2IxvbfwVLvCcwAhFtwcckM2MCAmxNKZ7CGFGV38gLHpnuuDGh4e1nTmHdLdWAIgDK2vr3t7BQZknxDz8/N6a5NNCwsLnmQAK5fLur8ZH2B4jjuQgiWyywL0M6t9mdpdzCFcA3QLkKGhIc0mJofiq2BxcVHOz8+VOZjBb3Z1dDJdYEDtTGmmN0DuxxjsArITMwYwMCAOIOTIEQ4ho/jZ4gBpyC48BhA8Z/7zG8nAgNptiqeQDrBM3Y9+5PsGzzce/lWGvoHDW/oLqBuLHRnqtvAnng/2/4d+goFuZ7wDz5AlQ39GFyAAAAAASUVORK5CYII=", "visible": true, "tab_version": "4.1.3", "tab_build_no": "0", "build_no": 3}, "validation": {"validators": ["best_practice_validation", 
"data_model_mapping_validation", "field_extract_validation", "app_cert_validation"], "status": "job_started", "validation_id": "v_1687532792_75"}} \ No newline at end of file