app_windows

admingit 1 year ago
parent 2e8319b469
commit 4347051769

@ -0,0 +1,107 @@
Netwrix (STEALTHbits) Active Directory Monitoring App for Splunk
Netwrix (STEALTHbits')Threat Manager provides many valuable controls for your
IT infrastructure, and has many ways to utilize that data including real-time
blocking and alerting. But holistic data reporting requires a more broad
reaching platform such as Splunk. This app helps provide insight into the most
common activities happening around your Active Directory.
--------------------------------------------------------------------------------
Version Support
--------------------------------------------------------------------------------
v.2.0.0
- Add app compatibility with Splunk Cloud environments
- Netwrix rebranding
- Add usage of Splunk "stealthData" macro
- Modify eventtype names to remove ':' character usage, and replaced
spaces with "_"
- Removed the "StealthINTERCEPT File System Activity" eventtype
- Update extractions to handle both "StealthINTERCEPT" and "STEALTHbits"
source types
- Added extra CIM compliance fields
- Changed the mapping of "Windows File System Access Rights Change" from
"modified" to "acl_modified" in the "action" field
- Removed "success" and "failure" as possible values in "action" field.
These are now part of the "status" field
- Changed the AD active users panel on the overview dashboard, to
break down the count by AD type
v.1.1.1
- Improved support for analytics on authentication attacks page
v.1.1.0
- Improved query efficiency
- Added CIM compliance
- Added LDAP monitoring page
v.1.0.0
- Initial Release of App
--------------------------------------------------------------------------------
System Requirements
--------------------------------------------------------------------------------
Splunk Console
StealthINTERCEPT
Machine Learning Toolkit for Splunk
--------------------------------------------------------------------------------
Installation
--------------------------------------------------------------------------------
1. Log in to Splunk Web and navigate to Apps > Manage Apps.
2. Click Install App from file.
3. Upload the file and click Upload.
4. Restart Splunk Web.
--------------------------------------------------------------------------------
Collecting Data
--------------------------------------------------------------------------------
Configure the StealthINTERCEPT server to send data to Splunk via Syslog.
You may choose to use SC4S, a Syslog server with a Universal Forwarder or
direct Heavy Forwarder ingest.
In all cases, you should configure your favoured approach to ingest the data
with the sourcetype "StealhINTERCEPT"
You may also choose to create a dedicated index. You should recall the
specified index name for the next step
--------------------------------------------------------------------------------
Configuration
--------------------------------------------------------------------------------
To expedite search performance configure the "stalthData" macro.
This can be configured by going to
Settings -> Advanced Search -> Search macros:
- stealthData.
This is used to improve search performance and should be appropriately
modified to specify the index(es) you defined in the previous step.
E.g.
index=[yourStealDataIndex] (sourcetype=STEALTHbits OR sourcetype=
StealthINTERCEPT)
If left unmodified, this defaults to searching across all indexes in the
Splunk environment.
--------------------------------------------------------------------------------
Troubleshooting
--------------------------------------------------------------------------------
Data does not show up in the dashboard pages.
- Make sure that StealthINTERCEPT is configured to send data to Splunk.
- Make sure that StealthINTERCEPT as a UDP log source in Splunk and has
the correct sourcetype and index definition.
--------------------------------------------------------------------------------
Support
--------------------------------------------------------------------------------
Netwrix (STEALTHbits) Support:
splunk@netwrix.com# Binary File Declaration

@ -0,0 +1,4 @@
[base]
builder_version = <string>
builder_build = <string>
is_edited = <bool>

@ -0,0 +1,53 @@
{
"schemaVersion": "1.0.0",
"info": {
"title": "Netwrix Active Directory and LDAP Monitoring",
"id": {
"group": null,
"name": "stealthbits_ad_ldap",
"version": "2.0.0"
},
"author": [
{
"name": "Netwrix Corporation",
"email": null,
"company": null
}
],
"releaseDate": null,
"description": "Netwrix Threat Manager provides many valuable controls for your IT infrastructure, and has many ways to utilize that data including real-time blocking and alerting. But holistic data reporting requires a more broad reaching platform such as Splunk. This app helps provide insight into the most common activities happening around your Active Directory Learn more about Netwrix at https://www.Netwrix.com/.",
"classification": {
"intendedAudience": null,
"categories": [],
"developmentStatus": null
},
"commonInformationModels": null,
"license": {
"name": null,
"text": null,
"uri": null
},
"privacyPolicy": {
"name": null,
"text": null,
"uri": null
},
"releaseNotes": {
"name": null,
"text": null,
"uri": null
}
},
"dependencies": {
},
"tasks": [],
"inputGroups": {
},
"incompatibleApps": {
},
"platformRequirements": {
"splunk": {
"Enterprise": "*"
}
}
}
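Review bot: The manifest's `platformRequirements` declares only `"Enterprise": "*"`, yet the README added in this same commit says v2.0.0 adds Splunk Cloud compatibility and lists the Machine Learning Toolkit as a requirement, while `dependencies` is empty and `commonInformationModels` is null despite the CIM-compliance claim. Whatever the packaging pipeline consumes this manifest for (AppInspect, Cloud vetting) will see an Enterprise-only app with no dependencies, so either the README overstates or the manifest understates the contract. If the 1.0.0 schema accepts it, add `"Cloud": "*"` next to the Enterprise entry and declare the MLTK dependency under `dependencies` with its minimum version; if the schema does not, state the Cloud and MLTK requirements in `releaseNotes` instead of leaving every field null. For an app intended for Cloud distribution the `license` and `privacyPolicy` entries should also carry at least a `uri`, since reviewers check those before install.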

@ -0,0 +1,7 @@
# this file is generated by add-on builder automatically
# please do not edit it
[base]
builder_version = 4.1.3
builder_build = 0
is_edited = 1

@ -0,0 +1,30 @@
# this add-on is powered by splunk Add-on builder
[install]
state_change_requires_restart = false
is_configured = 0
state = enabled
build = 105
[launcher]
author = Netwrix Corporation
version = 2.0.0
description = Netwrix Threat Manager provides many valuable controls for your IT infrastructure, and has many ways to utilize that data including real-time blocking and alerting. But holistic data reporting requires a more broad reaching platform such as Splunk. This app helps provide insight into the most common activities happening around your Active Directory Learn more about Netwrix at https://www.Netwrix.com/.
[ui]
is_visible = 1
label = Netwrix Active Directory and LDAP Monitoring
docs_section_override = AddOns:released
[package]
id = stealthbits_ad_ldap
[triggers]
reload.addon_builder = simple
reload.stealthbits_ad_ldap_account = simple
reload.stealthbits_ad_ldap_settings = simple
reload.passwords = simple
[author=Netwrix]
email = splunk@netwrix.com
company = Netwrix Corporation
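Review bot: The `[triggers]` stanza registers reload handlers for `stealthbits_ad_ldap_account`, `stealthbits_ad_ldap_settings` and `passwords`, but nothing in this commit ships those conf files, a setup page or any modular input — the app only consumes syslog via the `stealthData` macro — so these lines appear to be Add-on Builder scaffolding carried forward. They are harmless on their own, but they advertise a credential store that does not exist and will confuse the next person auditing what secrets this app handles; drop `reload.stealthbits_ad_ldap_account = simple`, `reload.stealthbits_ad_ldap_settings = simple` and `reload.passwords = simple` unless a later commit actually adds those files, and if credentials are ever added keep them in `storage/passwords` rather than a cleartext settings conf. `is_configured = 0` is only meaningful alongside a setup page, which is not visible here, so a one-line `#` comment above it saying it is intentionally left at 0 would save the question. Note also that the README's install step 4 says to restart Splunk, while `state_change_requires_restart = false` says the opposite; pick one.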

@ -0,0 +1,6 @@
<nav color="#D9272D">
<view name="page_overview" default="true"/>
<view name="page_ad_changes"/>
<view name="page_gpo_changes"/>
<view name="page_ldap_monitoring"/>
</nav>

@ -0,0 +1 @@
Add all the views that your app needs in this directory

@ -0,0 +1,623 @@
<form script="changes.js" stylesheet="changes.css" hideFilters="false" version="1.1">
<label>Active Directory Changes</label>
<fieldset submitButton="true" autoRun="true">
<html>
<br/>
</html>
<input id="eventTime" type="time" token="eventTime" searchWhenChanged="true">
<label>Time</label>
<default>
<earliest>-7d@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="dropdown" token="detectingPolicy" searchWhenChanged="false">
<label>Detecting Policy</label>
<search>
<query>
`stealthData`
| where not match(PolicyName, ".*%.*")
| stats sum(PolicyName) by PolicyName
| fields - sum(PolicyName)
| dedup PolicyName
</query>
<earliest>$eventTime.earliest$</earliest>
<latest>now</latest>
</search>
<fieldForLabel>PolicyName</fieldForLabel>
<fieldForValue>PolicyName</fieldForValue>
<choice value="*">All Policies</choice>
<default>*</default>
<initialValue>*</initialValue>
</input>
<input type="dropdown" token="actionPerformed" searchWhenChanged="false">
<label>Action Performed</label>
<default>*</default>
<search>
<query>
`stealthData`
| where not match(event_id, ".*%.*") and like(event_id, "%Active Directory%")
| stats count by event_id
| eval eventID = replace(event_id, "Active Directory ", "")
| table eventID
</query>
<earliest>$eventTime.earliest$</earliest>
<latest>now</latest>
</search>
<fieldForLabel>eventID</fieldForLabel>
<fieldForValue>eventID</fieldForValue>
<choice value="*">All Actions</choice>
</input>
<input type="dropdown" token="actionResult" searchWhenChanged="false">
<label>Action Result</label>
<default>*</default>
<search>
<query>
`stealthData`
| where not match(SuccessfulChange, ".*%.*") and like(event_id, "%Active Directory%")
| stats count by SuccessfulChange
| eval newSuccessfulChange = case(SuccessfulChange="True", "Successful", SuccessfulChange="False", "Failed")
| table newSuccessfulChange, SuccessfulChange
</query>
<earliest>$eventTime.earliest$</earliest>
<latest>now</latest>
</search>
<fieldForLabel>newSuccessfulChange</fieldForLabel>
<fieldForValue>SuccessfulChange</fieldForValue>
<choice value="*">Successful &amp; Failed</choice>
<initialValue>*</initialValue>
</input>
<input type="dropdown" token="actionBlocked" searchWhenChanged="false">
<label>Action Blocked</label>
<default>*</default>
<search>
<query>
`stealthData`
| where not match(BlockedEvent, ".*%.*") and like(event_id, "%Active Directory%")
| stats sum(BlockedEvent) as BlockedEvent_count by BlockedEvent
| eval translated_BlockedEvent=case(BlockedEvent="True", "Yes", BlockedEvent="False", "No")
| table translated_BlockedEvent, BlockedEvent
| dedup translated_BlockedEvent, BlockedEvent
| sort -translated_BlockedEvent, -BlockedEvent
</query>
<earliest>$eventTime.earliest$</earliest>
<latest>now</latest>
</search>
<fieldForLabel>translated_BlockedEvent</fieldForLabel>
<fieldForValue>BlockedEvent</fieldForValue>
<choice value="*">Yes or No</choice>
<initialValue>*</initialValue>
</input>
<html>
<br/>
</html>
<input type="dropdown" token="initiatedDomain" searchWhenChanged="false">
<label>Initiated From (Domain)</label>
<default>*</default>
<search>
<query>
`stealthData`
| where not match(src_nt_domain, ".*%.*") and like(event_id, "%Active Directory%")
| stats sum(src_nt_domain) by src_nt_domain
| fields - sum(src_nt_domain)
| dedup src_nt_domain
</query>
<earliest>$eventTime.earliest$</earliest>
<latest>now</latest>
</search>
<fieldForLabel>src_nt_domain</fieldForLabel>
<fieldForValue>src_nt_domain</fieldForValue>
<choice value="*">All Domains</choice>
<initialValue>*</initialValue>
</input>
<input type="dropdown" token="initiatedHost" searchWhenChanged="false">
<label>Initiated From (Hostname)</label>
<default>*</default>
<search>
<query>
`stealthData`
| where not match(Server, ".*%.*") and like(event_id, "%Active Directory%")
| stats sum(Server) by Server
| eval Server=case(!LIKE(Server, "%\\%"), Server, Server LIKE "%\\%", mvindex(split(Server, "\\"), 1))
| fields - sum(Server)
| dedup Server
</query>
<earliest>$eventTime.earliest$</earliest>
<latest>now</latest>
</search>
<fieldForLabel>Server</fieldForLabel>
<fieldForValue>Server</fieldForValue>
<choice value="*">All Hosts</choice>
</input>
<input type="dropdown" token="initiatedUser" searchWhenChanged="false">
<label>Initiated By (User)</label>
<default>*</default>
<search>
<query>
`stealthData`
| where not match(Perpetrator, ".*%.*") and like(event_id, "%Active Directory%")
| stats sum(Perpetrator) as Perpetrator_count by Perpetrator
| eval Perpetrator=case(!LIKE(Perpetrator, "%\\%"), Perpetrator, Perpetrator LIKE "%\\%", mvindex(split(Perpetrator, "\\"), 1))
| eval upper_Perpetrator=upper(substr(Perpetrator,1,1)).substr(Perpetrator,2)
| table upper_Perpetrator, Perpetrator
| dedup upper_Perpetrator, Perpetrator
</query>
<earliest>$eventTime.earliest$</earliest>
<latest>now</latest>
</search>
<fieldForLabel>upper_Perpetrator</fieldForLabel>
<fieldForValue>Perpetrator</fieldForValue>
<choice value="*">All Users</choice>
</input>
<input type="dropdown" token="targetDomain" searchWhenChanged="false">
<label>Target Domain</label>
<default>*</default>
<search>
<query>
`stealthData`
| where not match(Domain, ".*%.*")
| stats sum(Server) by Domain
| fields - sum(Server)
| dedup Domain
</query>
<earliest>$eventTime.earliest$</earliest>
<latest>now</latest>
</search>
<fieldForLabel>Domain</fieldForLabel>
<fieldForValue>Domain</fieldForValue>
<choice value="*">All Domains</choice>
</input>
<input type="dropdown" token="targetObjectType" searchWhenChanged="false">
<label>Target Object Type</label>
<search>
<query>
`stealthData`
| where not match(ObjectClass, ".*%.*") and like(event_id, "%Active Directory%")
| stats sum(ObjectClass) as ObjectClass_count by ObjectClass
| eval upper_ObjectClass=upper(substr(ObjectClass,1,1)).substr(ObjectClass,2)
| table upper_ObjectClass, ObjectClass
| dedup upper_ObjectClass, ObjectClass
</query>
<earliest>$eventTime.earliest$</earliest>
<latest>now</latest>
</search>
<fieldForLabel>upper_ObjectClass</fieldForLabel>
<fieldForValue>ObjectClass</fieldForValue>
<choice value="*">All Object Types</choice>
<default>*</default>
<initialValue>*</initialValue>
</input>
<input type="dropdown" token="targetObject" searchWhenChanged="false">
<label>Target Object</label>
<default>*</default>
<search>
<query>
`stealthData`
| where not match(ModifiedObject, ".*%.*") and like(event_id, "%Active Directory%")
| stats sum(Server) by ModifiedObject
| eval ModifiedObject=case(!LIKE(ModifiedObject, "%\\%"), ModifiedObject, ModifiedObject LIKE "%\\%", mvindex(split(ModifiedObject, "\\"), 1))
| eval upper_ModifiedObject=upper(substr(ModifiedObject,1,1)).substr(ModifiedObject,2)
| table upper_ModifiedObject, ModifiedObject
| dedup upper_ModifiedObject, ModifiedObject
</query>
<earliest>$eventTime.earliest$</earliest>
<latest>now</latest>
</search>
<fieldForLabel>upper_ModifiedObject</fieldForLabel>
<fieldForValue>ModifiedObject</fieldForValue>
<choice value="*">All Objects</choice>
</input>
<html>
<div id="options">
<a id="hideFilters" data-action="hide-filters" style="margin-left:0">Hide Filters</a>
<br/>
<a href="../sb_ad_ldap/page_ad_adchanges" style="margin-left:0">Reset Filters</a>
</div>
</html>
</fieldset>
<row>
<panel>
<html>
<style>
#eventTime {
width:200px !important;
margin-right:30px !important;
}
.alert {
display:none !important;
}
.splunk-table {
margin:0 !important;
}
.sorts a {
color:#FFFFFF !important;
}
.input {
margin-top:-23px !important;
}
#submit {
display:none;
}
#options {
display:none;
}
.hide-global-filters {
display:none;
}
#adChangesRow {
max-width:100% !important;
margin-top:-2px !important;
margin-bottom:10px !important;
}
display:none;
background:#FFFFFF !important;
}
.timestamp {
display:none !important;
}
#adChangesTable th[data-sort-key*='time'],
#adChangesTable td[data-cell-index='1'] {
display:none !important;
}
#adChangesTable th[data-sort-key='New Value'] {
max-width:150px !important;;
overflow:hidden !important;
}
#adChangesTable th {
background:#364A6F !important;
color:#FFFFFF !important;
font-size:14px !important;
}
#adChangesTable td{
white-space:nowrap !important;
}
#adChangesRow {
margin-top:-8px !important;
}
#adTransposedRow {
margin-top:10px;
}
#adAttributeRow {
margin-top:10px;
width:100% !important;
max-width:100% !important;
}
#transEventDetails,
#transPerpDetails,
#transAffectedObject,
#transAgentDetails {
height:225px !important;
}
#transEventDetails table,
#transPerpDetails table,
#transAffectedObject table,
#transAgentDetails table {
border:none !important;
}
#transEventDetails tr,
#transPerpDetails tr,
#transAffectedObject tr,
#transAgentDetails tr {
border:none !important;
}
#transEventDetails td,
#transPerpDetails td,
#transAffectedObject td,
#transAgentDetails td {
border:none !important;
padding:5px !important;
}
div[id^="transEventDetails"].dashboard-element-header,
div[id^="transPerpDetails"].dashboard-element-header,
div[id^="transAffectedObject"].dashboard-element-header,
div[id^="transAgentDetails"].dashboard-element-header {
background:#364A6F !important;
}
div[id^="transEventDetails"].dashboard-element-header h3,
div[id^="transPerpDetails"].dashboard-element-header h3,
div[id^="transAffectedObject"].dashboard-element-header h3,
div[id^="transAgentDetails"].dashboard-element-header h3{
color:#FFFFFF !important;
}
#transEventDetails thead,
#transPerpDetails thead,
#transAffectedObject thead,
#transAgentDetails thead {
display:none !important;
}
#transEventDetails td[data-cell-index="0"],
#transPerpDetails td[data-cell-index="0"],
#transAffectedObject td[data-cell-index="0"],
#transAgentDetails td[data-cell-index="0"] {
width:75px !important;
min-width:75px !important;
max-width:85px !important;
background-color:#FFFFFF !important;
font-weight:600 !important;
}
#transEventDetails td[data-cell-index="1"],
#transPerpDetails td[data-cell-index="1"],
#transAffectedObject td[data-cell-index="1"],
#transAgentDetails td[data-cell-index="1"] {
background-color:#FFFFFF !important;
width:200px !important;
min-width:200px !important;
max-width:200px !important;
word-wrap: break-word !important;
}
#attributeTable th{
margin:0 !important;
padding:5px 0 !important;
border:1px solid #364A6F !important;
font-weight:bold;
text-align:center !important;
background:#364A6F !important;
color:#FFF !important;
width:25% !important;
max-width:200px !important;
}
#attributeTable td{
margin:0 !important;
padding:15px 15px !important;
border:1px solid #364A6F !important;
font-size:16px !important;
font-weight:400 !important;
text-align:center !important;
width:25% !important;
max-width:200px !important;
}
#attributeTable td[data-cell-index="0"],
#attributeTable td[data-cell-index="1"] {
padding-top:25px !important;
}
#attributeTable td[data-cell-index="2"],
#attributeTable td[data-cell-index="3"] {
overflow-x:scroll !important;
overflow-y:hidden !important;
}
</style>
</html>
</panel>
</row>
<row id="adChangesRow">
<panel>
<table id="adChangesTable">
<search>
<query>`stealthData`
| where like(event_id, "%Active Directory%")
| eval Time = strftime(_time,"%Y-%m-%d %H:%M%P")
| eval EventType = replace(event_id, "Active Directory ", "")
| eval InitiatedHost = case(!LIKE(Server, "%\\%"), Server, Server LIKE "%\\%", mvindex(split(Server, "\\"), 1))
| eval InitiatedUser = case(!LIKE(Perpetrator, "%\\%"), Perpetrator, Perpetrator LIKE "%\\%", mvindex(split(Perpetrator, "\\"), 1))
| eval TargetObject = case(!LIKE(ModifiedObject, "%\\%"), ModifiedObject, ModifiedObject LIKE "%\\%", mvindex(split(ModifiedObject, "\\"), 1))
| eval ActionResult = case(SuccessfulChange == "True", "Success", SuccessfulChange == "False", "Failure")
| search
PolicyName = "$detectingPolicy$"
EventType = "$actionPerformed$"
SuccessfulChange = "$actionResult$"
BlockedEvent = "$actionBlocked$"
```src_nt_domain = "$initiatedDomain$"```
InitiatedHost = "$initiatedHost$"
InitiatedUser = "$initiatedUser$"
Domain="$targetDomain$"
ObjectClass = "$targetObjectType$"
TargetObject = "$targetObject$"
| rename
Time AS "Event Time"
PolicyName AS "Detecting Policy"
EventType AS "Action Performed"
ActionResult AS "Action Result"
BlockedEvent AS "Action Blocked"
src_nt_domain AS "Initiating (Domain)"
InitiatedHost AS "Initiating (Host)"
InitiatedUser AS "Initiating (User)"
Domain AS "Target Domain"
ObjectClass AS "Target Object Type"
TargetObject AS "Target Object"
AttributeName AS "Target Attribute"
Operation AS "Operation"
OldAttributeValue AS "Old Value"
NewAttributeValue AS "New Value"
| table
_time
"Event Time"
"Detecting Policy"
"Action Performed"
"Action Result"
"Action Blocked"
"Initiating (Domain)"
"Initiating (Host)"
"Initiating (User)"
"Target Domain"
"Target Object Type"
"Target Object"
"Target Attribute"
"Operation"
"Old Value"
"New Value"
</query>
<earliest>$eventTime.earliest$</earliest>
<latest>now</latest>
</search>
<option name="drilldown">row</option>
<option name="count">18</option>
<option name="showPager">true</option>
<option name="wrap">false</option>
<drilldown>
<condition field="*">
<set token="timeValue">$click.value$</set>
</condition>
</drilldown>
</table>
</panel>
</row>
<row id="adTransposedRow">
<panel>
<table id="transEventDetails">
<title>Event Details</title>
<search>
<query>
`stealthData`
| where _time=$timeValue$
| eval EventTime=strftime(_time, "%Y-%m-%d %H:%M:%S")
| eval EventTimeUTC=strftime(_time + 18000, "%Y-%m-%d %H:%M:%S")
| eval ActionStatus = case(SuccessfulChange == "True", "Success", SuccessfulChange == "False", "Failure")
| eval ActionCategory = case(change_type == "AD", "Active Directory")
| eval ActionType = replace(event_id, "Active Directory ", "")
| rename
EventTime AS "Time Logged"
EventTimeUTC AS "Time Logged UTC"
BlockedEvent AS "Action Blocked"
ActionStatus AS "Action Status"
ActionCategory AS "Action Category"
ActionType AS "Message"
| table
"Time Logged"
"Action Type"
"Action Blocked"
"Action Status"
"Action Category"
"Message"
| transpose 1
</query>
<earliest>$eventTime.earliest$</earliest>
<latest>now</latest>
</search>
<option name="drilldown">none</option>
<option name="showPager">false</option>
</table>
</panel>
<panel>
<table id="transPerpDetails" depends="timeValue">
<title>Perpetrator Details</title>
<search>
<query>
`stealthData`
| where _time=$timeValue$
| rename
Perpetrator AS "Account Name"
change_type AS "Protocol"
Server AS "Host"
ServerAddress AS "IP Address"
| table
"Account Name"
"Protocol"
"Host"
"IP Address"
| transpose 1
</query>
</search>
<option name="drilldown">none</option>
<option name="showPager">false</option>
</table>
</panel>
<panel>
<table id="transAffectedObject" depends="timeValue">
<title>Affected Object Details</title>
<search>
<query>
`stealthData`
| where _time=$timeValue$
| rename
DistinguishedName AS "Path"
ObjectClass AS "Type"
CN AS "Name"
TargetHost AS "Host"
TargetAddress AS "IP Address"
| table
"Path"
"Type"
"Name"
"Host"
"IP Address"
| transpose 1
</query>
</search>
<option name="drilldown">none</option>
<option name="showPager">false</option>
</table>
</panel>
<panel>
<table id="transAgentDetails" depends="timeValue">
<title>Agent Details</title>
<search>
<query>
`stealthData`
| where _time=$timeValue$
| rename
ClientHost AS "Host"
ClientAddress AS "IP Address"
| table
"Host"
"IP Address"
| transpose 1
</query>
</search>
<option name="drilldown">none</option>
<option name="showPager">false</option>
</table>
</panel>
</row>
<row id="adAttributeRow">
<panel>
<table id="attributeTable" depends="timeValue">
<search>
<query>
`stealthData`
| where _time=$timeValue$
| eval EventType = replace(event_id, "Active Directory ", "")
| eval EventName = upper(substr(AttributeName, 1, 1)).substr(AttributeName, 2)
| rename
EventName AS "Attribute Name"
EventType AS "Event Type"
OldAttributeValue AS "Old Value"
NewAttributeValue AS "New Value"
| table
"Attribute Name"
"Event Type"
"Old Value"
"New Value"
| dedup
"Attribute Name"
"Event Type"
"Old Value"
"New Value"
</query>
</search>
<option name="drilldown">none</option>
<option name="showPager">false</option>
</table>
</panel>
</row>
</form>
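Review bot: The four detail panels and the attribute table select the clicked event with `| where _time=$timeValue$` and then keep a single row via `transpose 1` (transEventDetails, transPerpDetails, transAffectedObject, transAgentDetails), so when several AD changes land in the same second — routine for scripted or bulk changes — the details shown can belong to a different event than the row the analyst clicked; carry a unique key through the drilldown instead, e.g. add `| eval eventKey=md5(_raw)` to the main table (hidden with the existing column CSS), set `<set token="eventKey">$row.eventKey$</set>`, and filter the detail searches with `| where md5(_raw)=$eventKey|s$`. `EventTimeUTC` is computed as `_time + 18000`, which is only correct for a UTC-5 site without DST and is silently wrong everywhere else (and `strftime` already renders in the viewing user's timezone), so render an explicit offset such as `strftime(_time, "%Y-%m-%d %H:%M:%S %z")` rather than a hand-computed "UTC". The filter tokens are spliced into the search as `"$detectingPolicy$"` … `"$targetObject$"`; since perpetrator, object and policy strings come straight from the monitored directory, a value containing a double quote breaks the SPL, so use the quoting filter (`PolicyName=$detectingPolicy|s$` and likewise for the others). The stylesheet's `.alert { display:none !important; }` also suppresses Splunk's search-error and permission messages, so a missing `stealthData` macro or an index the user cannot read shows up as an empty table instead of an error. Finally, the Reset Filters link `../sb_ad_ldap/page_ad_adchanges` matches neither the app id `stealthbits_ad_ldap` in app.conf nor the nav view name `page_ad_changes`, so it will 404.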

@ -0,0 +1,620 @@
<form script="changes.js" stylesheet="changes.css" hideFilters="false" version="1.1">
<label>Group Policy Changes</label>
<fieldset submitButton="true" autoRun="true">
<html>
<br/>
</html>
<input id="eventTime" type="time" token="eventTime" searchWhenChanged="true">
<label>Time</label>
<default>
<earliest>-7d@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="dropdown" token="detectingPolicy" searchWhenChanged="false">
<label>Detecting Policy</label>
<search>
<query>
`stealthData`
| where not match(PolicyName, ".*%.*")
| stats sum(PolicyName) by PolicyName
| fields - sum(PolicyName)
| dedup PolicyName
</query>
<earliest>$eventTime.earliest$</earliest>
<latest>now</latest>
</search>
<fieldForLabel>PolicyName</fieldForLabel>
<fieldForValue>PolicyName</fieldForValue>
<choice value="*">All Policies</choice>
<default>*</default>
<initialValue>*</initialValue>
</input>
<input type="dropdown" token="actionPerformed" searchWhenChanged="false">
<label>Action Performed</label>
<default>*</default>
<search>
<query>
`stealthData`
| where not match(event_id, ".*%.*") and like(event_id, "%GPO%")
| eval EventType = replace(event_id, "SI Events Log ", "")
| stats count by EventType
| table EventType
</query>
<earliest>$eventTime.earliest$</earliest>
<latest>now</latest>
</search>
<fieldForLabel>EventType</fieldForLabel>
<fieldForValue>EventType</fieldForValue>
<choice value="*">All Actions</choice>
</input>
<input type="dropdown" token="actionResult" searchWhenChanged="false">
<label>Action Result</label>
<default>*</default>
<search>
<query>
`stealthData`
| where not match(SuccessfulChange, ".*%.*") and like(event_id, "%GPO%")
| stats count by SuccessfulChange
| eval newSuccessfulChange = case(SuccessfulChange="True", "Successful", SuccessfulChange="False", "Failed")
| table newSuccessfulChange, SuccessfulChange
</query>
<earliest>$eventTime.earliest$</earliest>
<latest>now</latest>
</search>
<fieldForLabel>newSuccessfulChange</fieldForLabel>
<fieldForValue>SuccessfulChange</fieldForValue>
<choice value="*">Successful &amp; Failed</choice>
<initialValue>*</initialValue>
</input>
<input type="dropdown" token="actionBlocked" searchWhenChanged="false">
<label>Action Blocked</label>
<default>*</default>
<search>
<query>
`stealthData`
| where not match(BlockedEvent, ".*%.*") and like(event_id, "%GPO%")
| stats sum(BlockedEvent) as BlockedEvent_count by BlockedEvent
| eval translated_BlockedEvent=case(BlockedEvent="True", "Yes", BlockedEvent="False", "No")
| table translated_BlockedEvent, BlockedEvent
| dedup translated_BlockedEvent, BlockedEvent
| sort -translated_BlockedEvent, -BlockedEvent
</query>
<earliest>$eventTime.earliest$</earliest>
<latest>now</latest>
</search>
<fieldForLabel>translated_BlockedEvent</fieldForLabel>
<fieldForValue>BlockedEvent</fieldForValue>
<choice value="*">Yes or No</choice>
<initialValue>*</initialValue>
</input>
<html>
<br/>
</html>
<input type="dropdown" token="initiatedDomain" searchWhenChanged="false">
<label>Initiated From (Domain)</label>
<default>*</default>
<search>
<query>
`stealthData`
| where not match(src_nt_domain, ".*%.*") and like(event_id, "%GPO%")
| stats sum(src_nt_domain) by src_nt_domain
| fields - sum(src_nt_domain)
| dedup src_nt_domain
</query>
<earliest>$eventTime.earliest$</earliest>
<latest>now</latest>
</search>
<fieldForLabel>src_nt_domain</fieldForLabel>
<fieldForValue>src_nt_domain</fieldForValue>
<choice value="*">All Domains</choice>
<initialValue>*</initialValue>
</input>
<input type="dropdown" token="initiatedHost" searchWhenChanged="false">
<label>Initiated From (Hostname)</label>
<default>*</default>
<search>
<query>
`stealthData`
| where not match(Server, ".*%.*") and like(event_id, "%GPO%")
| stats sum(Server) by Server
| eval Server=case(!LIKE(Server, "%\\%"), Server, Server LIKE "%\\%", mvindex(split(Server, "\\"), 1))
| fields - sum(Server)
| dedup Server
</query>
<earliest>$eventTime.earliest$</earliest>
<latest>now</latest>
</search>
<fieldForLabel>Server</fieldForLabel>
<fieldForValue>Server</fieldForValue>
<choice value="*">All Hosts</choice>
</input>
<input type="dropdown" token="initiatedUser" searchWhenChanged="false">
<label>Initiated By (User)</label>
<default>*</default>
<search>
<query>
`stealthData`
| where not match(Perpetrator, ".*%.*") and like(event_id, "%GPO%")
| stats sum(Perpetrator) as Perpetrator_count by Perpetrator
| eval Perpetrator=case(!LIKE(Perpetrator, "%\\%"), Perpetrator, Perpetrator LIKE "%\\%", mvindex(split(Perpetrator, "\\"), 1))
| eval upper_Perpetrator=upper(substr(Perpetrator,1,1)).substr(Perpetrator,2)
| table upper_Perpetrator, Perpetrator
| dedup upper_Perpetrator, Perpetrator
</query>
<earliest>$eventTime.earliest$</earliest>
<latest>now</latest>
</search>
<fieldForLabel>upper_Perpetrator</fieldForLabel>
<fieldForValue>Perpetrator</fieldForValue>
<choice value="*">All Users</choice>
</input>
<input type="dropdown" token="targetDomain" searchWhenChanged="false">
<label>Target Domain</label>
<default>*</default>
<search>
<query>
`stealthData`
| where not match(Domain, ".*%.*")
| stats sum(Server) by Domain
| fields - sum(Server)
| dedup Domain
</query>
<earliest>$eventTime.earliest$</earliest>
<latest>now</latest>
</search>
<fieldForLabel>Domain</fieldForLabel>
<fieldForValue>Domain</fieldForValue>
<choice value="*">All Domains</choice>
</input>
<input type="dropdown" token="targetObjectType" searchWhenChanged="false">
<label>Target Object Type</label>
<search>
<query>
`stealthData`
| where not match(object, ".*%.*") and like(event_id, "%GPO%")
| eval AffectedObject = mvindex(split(object, "\\"), -1)
| stats count by AffectedObject
| table AffectedObject
| dedup AffectedObject
</query>
<earliest>$eventTime.earliest$</earliest>
<latest>now</latest>
</search>
<fieldForLabel>AffectedObject</fieldForLabel>
<fieldForValue>AffectedObject</fieldForValue>
<choice value="*">All Object Types</choice>
<default>*</default>
<initialValue>*</initialValue>
</input>
<input type="dropdown" token="targetObject" searchWhenChanged="false">
<label>Target Object</label>
<default>*</default>
<search>
<query>
`stealthData`
| where not match(AttributeName, ".*%.*") and like(event_id, "%GPO%")
| stats count by AttributeName
| table AttributeName
| dedup AttributeName
</query>
<earliest>$eventTime.earliest$</earliest>
<latest>now</latest>
</search>
<fieldForLabel>AttributeName</fieldForLabel>
<fieldForValue>AttributeName</fieldForValue>
<choice value="*">All Objects</choice>
</input>
<html>
<div id="options">
<a id="hideFilters" data-action="hide-filters" style="margin-left:0">Hide Filters</a>
<br/>
<a href="../sb_ad_ldap/page_ad_adchanges" style="margin-left:0">Reset Filters</a>
</div>
</html>
</fieldset>
<row>
<panel depends="$alwaysHideCSS$">
<html>
<style>
#eventTime {
width:200px !important;
margin-right:30px !important;
}
.alert {
display:none !important;
}
.splunk-table {
margin:0 !important;
}
.sorts a {
color:#FFFFFF !important;
}
.input {
margin-top:-23px !important;
}
#submit {
display:none;
}
#options {
display:none;
}
.hide-global-filters {
display:none;
}
#adChangesRow {
max-width:100% !important;
margin-top:-2px !important;
margin-bottom:10px !important;
}
display:none;
background:#FFFFFF !important;
}
.timestamp {
display:none !important;
}
#adChangesTable th[data-sort-key*='time'],
#adChangesTable td[data-cell-index='1'] {
display:none !important;
}
#adChangesTable th[data-sort-key='New Value'] {
max-width:150px !important;;
overflow:hidden !important;
}
#adChangesTable th {
background:#364A6F !important;
color:#FFFFFF !important;
font-size:14px !important;
}
#adChangesTable td{
white-space:nowrap !important;
}
#adChangesRow {
margin-top:-8px !important;
}
#adTransposedRow {
margin-top:10px;
}
#adAttributeRow {
margin-top:10px;
width:100% !important;
max-width:100% !important;
}
#transEventDetails,
#transPerpDetails,
#transAffectedObject,
#transAgentDetails {
height:225px !important;
}
#transEventDetails table,
#transPerpDetails table,
#transAffectedObject table,
#transAgentDetails table {
border:none !important;
}
#transEventDetails tr,
#transPerpDetails tr,
#transAffectedObject tr,
#transAgentDetails tr {
border:none !important;
}
#transEventDetails td,
#transPerpDetails td,
#transAffectedObject td,
#transAgentDetails td {
border:none !important;
padding:5px !important;
}
div[id^="transEventDetails"].dashboard-element-header,
div[id^="transPerpDetails"].dashboard-element-header,
div[id^="transAffectedObject"].dashboard-element-header,
div[id^="transAgentDetails"].dashboard-element-header {
background:#364A6F !important;
}
div[id^="transEventDetails"].dashboard-element-header h3,
div[id^="transPerpDetails"].dashboard-element-header h3,
div[id^="transAffectedObject"].dashboard-element-header h3,
div[id^="transAgentDetails"].dashboard-element-header h3{
color:#FFFFFF !important;
}
#transEventDetails thead,
#transPerpDetails thead,
#transAffectedObject thead,
#transAgentDetails thead {
display:none !important;
}
#transEventDetails td[data-cell-index="0"],
#transPerpDetails td[data-cell-index="0"],
#transAffectedObject td[data-cell-index="0"],
#transAgentDetails td[data-cell-index="0"] {
width:75px !important;
min-width:75px !important;
max-width:85px !important;
background-color:#FFFFFF !important;
font-weight:600 !important;
}
#transEventDetails td[data-cell-index="1"],
#transPerpDetails td[data-cell-index="1"],
#transAffectedObject td[data-cell-index="1"],
#transAgentDetails td[data-cell-index="1"] {
background-color:#FFFFFF !important;
width:200px !important;
min-width:200px !important;
max-width:200px !important;
word-wrap: break-word !important;
}
#attributeTable th{
margin:0 !important;
padding:5px 0 !important;
border:1px solid #364A6F !important;
font-weight:bold;
text-align:center !important;
background:#364A6F !important;
color:#FFF !important;
width:25% !important;
}
#attributeTable td{
margin:0 !important;
padding:15px 15px !important;
border:1px solid #364A6F !important;
font-size:16px !important;
font-weight:400 !important;
text-align:center !important;
width:25% !important;
}
</style>
</html>
</panel>
</row>
<row id="adChangesRow">
<panel>
<table id="adChangesTable">
<search>
<query>
`stealthData`
| where like(event_id, "%GPO%")
| eval Time = strftime(_time,"%Y-%m-%d %H:%M%P")
| eval EventType = replace(event_id, "SI Events Log ", "")
| eval InitiatedHost = case(!LIKE(Server, "%\\%"), Server, Server LIKE "%\\%", mvindex(split(Server, "\\"), 1))
| eval InitiatedUser = case(!LIKE(Perpetrator, "%\\%"), Perpetrator, Perpetrator LIKE "%\\%", mvindex(split(Perpetrator, "\\"), 1))
| eval ActionResult = case(SuccessfulChange == "True", "Success", SuccessfulChange == "False", "Failure")
| eval AffectedObject = mvindex(split(object, "\\"), -1)
| search
PolicyName = "$detectingPolicy$"
EventType = "$actionPerformed$"
SuccessfulChange = "$actionResult$"
BlockedEvent = "$actionBlocked$"
src_nt_domain = "$initiatedDomain$"
InitiatedHost = "$initiatedHost$"
InitiatedUser = "$initiatedUser$"
Domain = "$targetDomain$"
AffectedObject = "$targetObjectType$"
AttributeName = "$targetObject$"
| rename
Time AS "Event Time"
PolicyName AS "Detecting Policy"
EventType AS "Action Performed"
ActionResult AS "Action Result"
BlockedEvent AS "Action Blocked"
src_nt_domain AS "Initiating (Domain)"
InitiatedHost AS "Initiating (Host)"
InitiatedUser AS "Initiating (User)"
Domain AS "Target Domain"
AffectedObject AS "Target Object Type"
AttributeName AS "Target Object"
OldAttributeValue AS "Old Value"
NewAttributeValue AS "New Value"
| table
_time
"Event Time"
"Detecting Policy"
"Action Performed"
"Action Result"
"Action Blocked"
"Initiating (Domain)"
"Initiating (Host)"
"Initiating (User)"
"Target Domain"
"Target Object Type"
"Target Object"
"Old Value"
"New Value"
| dedup
_time
"Event Time"
"Detecting Policy"
"Action Performed"
"Action Result"
"Action Blocked"
"Initiating (Domain)"
"Initiating (Host)"
"Initiating (User)"
"Target Domain"
"Target Object Type"
"Target Object"
"Old Value"
"New Value"
</query>
<earliest>$eventTime.earliest$</earliest>
<latest>now</latest>
</search>
<option name="drilldown">row</option>
<option name="count">18</option>
<option name="showPager">true</option>
<option name="wrap">false</option>
<drilldown>
<condition field="*">
<set token="timeValue">$click.value$</set>
</condition>
</drilldown>
</table>
</panel>
</row>
<row id="adTransposedRow">
<panel>
<table id="transEventDetails" depends="timeValue">
<title>Event Details</title>
<search>
<query>
`stealthData`
| where _time=$timeValue$
| eval EventTime=strftime(_time, "%Y-%m-%d %H:%M:%S")
| eval EventTimeUTC=strftime(_time + 18000, "%Y-%m-%d %H:%M:%S")
| eval ActionStatus = case(SuccessfulChange == "True", "Success", SuccessfulChange == "False", "Failure")
| eval ActionCategory = case(event_id LIKE "%GPO%", "Group Policy")
| eval ActionType = replace(event_id, "SI Events Log ", "")
| rename
EventTime AS "Time Logged"
EventTimeUTC AS "Time Logged UTC"
BlockedEvent AS "Action Blocked"
ActionStatus AS "Action Status"
ActionCategory AS "Action Category"
ActionType AS "Message"
| table
"Time Logged"
"Time Logged UTC"
"Action Type"
"Action Blocked"
"Action Status"
"Action Category"
"Message"
| transpose 1
</query>
</search>
<option name="drilldown">none</option>
<option name="showPager">false</option>
</table>
</panel>
<panel>
<table id="transPerpDetails" depends="timeValue">
<title>Perpetrator Details</title>
<search>
<query>
`stealthData`
| where _time=$timeValue$
| rename
Perpetrator AS "Account Name"
change_type AS "Protocol"
Server AS "Host"
ServerAddress AS "IP Address"
src AS "Access URL"
| table
"Account Name"
"Protocol",
"Host",
"IP Address",
"Access URL"
| transpose 1
</query>
</search>
<option name="drilldown">none</option>
<option name="showPager">false</option>
</table>
</panel>
<panel>
<table id="transAffectedObject" depends="timeValue">
<title>Affected Object Details</title>
<search>
<query>
`stealthData`
| where _time=$timeValue$
| rename
ObjectClass AS "Type"
object AS "Object Path"
TargetHost AS "Host"
TargetAddress AS "IP Address"
| table
"Path"
"Type",
"Account Name",
"Object Path",
"Host",
"IP Address"
| transpose 1
</query>
</search>
<option name="drilldown">none</option>
<option name="showPager">false</option>
</table>
</panel>
<panel>
<table id="transAgentDetails" depends="timeValue">
<title>Agent Details</title>
<search>
<query>
`stealthData`
| where _time=$timeValue$
| rename
Server AS "Host"
ServerAddress AS "IP Address"
| table
"Host",
"IP Address"
| transpose 1
</query>
</search>
<option name="drilldown">none</option>
<option name="showPager">false</option>
</table>
</panel>
</row>
<row id="adAttributeRow">
<panel>
<table id="attributeTable" depends="timeValue">
<search>
<query>
`stealthData`
| where _time=$timeValue$
| eval EventType = replace(event_id, "SI Events Log ", "")
| rename
AttributeName AS "Attribute Name"
EventType AS "Event Type"
OldAttributeValue AS "Old Value"
NewAttributeValue AS "New Value"
| table
"Attribute Name"
"Event Type"
"Old Value"
"New Value"
| dedup
"Attribute Name"
"Event Type"
"Old Value"
"New Value"
</query>
</search>
<option name="drilldown">none</option>
<option name="count">1</option>
<option name="showPager">true</option>
</table>
</panel>
</row>
</form>

@ -0,0 +1,619 @@
<form script="changes.js" stylesheet="changes.css" hideFilters="false" version="1.1">
<label>LDAP Monitoring</label>
<fieldset submitButton="true" autoRun="true">
<html>
<br/>
</html>
<input id="eventTime" type="time" token="eventTime" searchWhenChanged="true">
<label>Time</label>
<default>
<earliest>-7d@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="dropdown" token="detectingPolicy" searchWhenChanged="false">
<label>Detecting Policy</label>
<search>
<query>
`stealthData`
Protocol = "LDAP"
| where not match(PolicyName, ".*%.*")
| stats sum(PolicyName) by PolicyName
| fields - sum(PolicyName)
| dedup PolicyName
</query>
<earliest>$eventTime.earliest$</earliest>
<latest>now</latest>
</search>
<fieldForLabel>PolicyName</fieldForLabel>
<fieldForValue>PolicyName</fieldForValue>
<choice value="*">All Policies</choice>
<default>*</default>
<initialValue>*</initialValue>
</input>
<input type="dropdown" token="actionPerformed" searchWhenChanged="false">
<label>Action Performed</label>
<default>*</default>
<search>
<query>
`stealthData`
Protocol = "LDAP"
| where not match(EventName, ".*%.*")
| stats count by EventName
| table EventName
| dedup EventName
</query>
<earliest>$eventTime.earliest$</earliest>
<latest>now</latest>
</search>
<fieldForLabel>EventName</fieldForLabel>
<fieldForValue>EventName</fieldForValue>
<choice value="*">All Actions</choice>
</input>
<input type="dropdown" token="actionResult" searchWhenChanged="false">
<label>Action Result</label>
<default>*</default>
<search>
<query>
`stealthData`
Protocol = "LDAP"
| where not match(BlockedEvent, ".*%.*")
| stats count by BlockedEvent
| eval newBlockedEvent = case(BlockedEvent="True", "Failed", BlockedEvent="False", "Successful")
| table newBlockedEvent, BlockedEvent
| dedup newBlockedEvent, BlockedEvent
</query>
<earliest>$eventTime.earliest$</earliest>
<latest>now</latest>
</search>
<fieldForLabel>newBlockedEvent</fieldForLabel>
<fieldForValue>BlockedEvent</fieldForValue>
<choice value="*">Successful or Failed</choice>
<initialValue>*</initialValue>
</input>
<input type="dropdown" token="actionBlocked" searchWhenChanged="false">
<label>Action Blocked</label>
<default>*</default>
<search>
<query>
`stealthData`
Protocol = "LDAP"
| where not match(BlockedEvent, ".*%.*")
| stats count by BlockedEvent
| eval newBlockedEvent=case(BlockedEvent="True", "Yes", BlockedEvent="False", "No")
| table newBlockedEvent, BlockedEvent
| dedup newBlockedEvent, BlockedEvent
</query>
<earliest>$eventTime.earliest$</earliest>
<latest>now</latest>
</search>
<fieldForLabel>newBlockedEvent</fieldForLabel>
<fieldForValue>BlockedEvent</fieldForValue>
<choice value="*">Yes or No</choice>
<initialValue>*</initialValue>
</input>
<html>
<br/>
</html>
<input type="dropdown" token="initiatedDomain" searchWhenChanged="false">
<label>Initiated From (Domain)</label>
<default>*</default>
<search>
<query>
`stealthData`
Protocol = "LDAP"
| where not match(DC, ".*%.*")
| stats count by DC
| fields - count
| dedup DC
</query>
<earliest>$eventTime.earliest$</earliest>
<latest>now</latest>
</search>
<fieldForLabel>src_nt_domain</fieldForLabel>
<fieldForValue>src_nt_domain</fieldForValue>
<choice value="*">All Domains</choice>
<initialValue>*</initialValue>
</input>
<input type="dropdown" token="initiatedHost" searchWhenChanged="false">
<label>Initiated From (Hostname)</label>
<default>*</default>
<search>
<query>
`stealthData`
Protocol = "LDAP"
| where not match(Server, ".*%.*")
| eval Server = case(!LIKE(Server, "%\\%"), Server, Server LIKE "%\\%", mvindex(split(Server, "\\"), 1))
| stats count by Server
| fields - count
| dedup Server
</query>
<earliest>$eventTime.earliest$</earliest>
<latest>now</latest>
</search>
<fieldForLabel>Server</fieldForLabel>
<fieldForValue>Server</fieldForValue>
<choice value="*">All Hosts</choice>
</input>
<input type="dropdown" token="initiatedUser" searchWhenChanged="false">
<label>Initiated By (User)</label>
<default>*</default>
<search>
<query>
`stealthData`
Protocol = "LDAP"
| where not match(Perpetrator, ".*%.*")
| stats sum(Perpetrator) as Perpetrator_count by Perpetrator
| eval Perpetrator=case(!LIKE(Perpetrator, "%\\%"), Perpetrator, Perpetrator LIKE "%\\%", mvindex(split(Perpetrator, "\\"), 1))
| eval upper_Perpetrator=upper(substr(Perpetrator,1,1)).substr(Perpetrator,2)
| table upper_Perpetrator, Perpetrator
| dedup upper_Perpetrator, Perpetrator
</query>
<earliest>$eventTime.earliest$</earliest>
<latest>now</latest>
</search>
<fieldForLabel>upper_Perpetrator</fieldForLabel>
<fieldForValue>Perpetrator</fieldForValue>
<choice value="*">All Users</choice>
</input>
<input type="dropdown" token="accessUrl" searchWhenChanged="false">
<label>Access URL</label>
<default>*</default>
<search>
<query>
`stealthData`
Protocol = "LDAP"
| where not match(AccessURL, ".*%.*")
| eval AccessURL = case(AccessURL LIKE "%LDAPS%", replace(AccessURL, "LDAPS:", ""), AccessURL LIKE "%LDAP%", replace(AccessURL, "LDAP:", ""))
| stats count by AccessURL
| fields - count
| dedup AccessURL
</query>
<earliest>$eventTime.earliest$</earliest>
<latest>now</latest>
</search>
<fieldForLabel>AccessURL</fieldForLabel>
<fieldForValue>AccessURL</fieldForValue>
<choice value="*">All Access URLs</choice>
<initialValue>*</initialValue>
</input>
<input type="dropdown" token="searchSecure" searchWhenChanged="false">
<label>Secure Search</label>
<search>
<query>
`stealthData`
Protocol = "LDAP"
| where not match(SecureQuery, ".*%.*")
| stats count by SecureQuery
| table SecureQuery
| dedup SecureQuery
</query>
<earliest>$eventTime.earliest$</earliest>
<latest>now</latest>
</search>
<fieldForLabel>SecureQuery</fieldForLabel>
<fieldForValue>SecureQuery</fieldForValue>
<choice value="*">Yes or No</choice>
<initialValue>*</initialValue>
</input>
<input type="dropdown" token="searchSecurityType" searchWhenChanged="false">
<label>Search Security Type</label>
<default>*</default>
<search>
<query>
`stealthData`
Protocol = "LDAP"
| where not match(SecurityType, ".*%.*")
| stats count by SecurityType
| table SecurityType
| dedup SecurityType
</query>
<earliest>$eventTime.earliest$</earliest>
<latest>now</latest>
</search>
<fieldForLabel>SecurityType</fieldForLabel>
<fieldForValue>SecurityType</fieldForValue>
<choice value="*">All Types</choice>
<initialValue>*</initialValue>
</input>
<html>
<div id="options">
<a id="hideFilters" data-action="hide-filters" style="margin-left:0">Hide Filters</a>
<br/>
<a href="../sb_ad_ldap/page_ad_adchanges" style="margin-left:0">Reset Filters</a>
</div>
</html>
</fieldset>
<row>
<panel depends="$alwaysHideCSS$">
<html>
<style>
#eventTime {
width:200px !important;
margin-right:30px !important;
}
.alert {
display:none !important;
}
.splunk-table {
margin:0 !important;
}
.sorts a {
color:#FFFFFF !important;
}
.timestamp {
disply:none !important;
}
.input {
margin-top:-23px !important;
}
#submit {
display:none;
}
#options {
display:none;
}
.hide-global-filters {
display:none;
}
#adChangesTable th[data-sort-key*='time'],
#adChangesTable td[data-cell-index='1'] {
display:none !important;
}
#adChangesRow {
width:100% !important;
max-width:100% !important;
margin-top:-2px !important;
margin-bottom:10px !important;
}
#adChangesTable {
width:100% !important;
}
display:none;
background:#FFFFFF !important;
}
.timestamp {
display:none !important;
}
#adChangesTable th[data-sort-key='New Value'] {
max-width:150px !important;;
overflow:hidden !important;
}
#adChangesTable th {
background:#364A6F !important;
color:#FFFFFF !important;
font-size:14px !important;
}
#adChangesTable td{
white-space:nowrap !important;
}
#adChangesRow {
margin-top:-8px !important;
}
#adTransposedRow {
margin-top:10px;
}
#adAttributeRow {
margin-top:10px;
width:100% !important;
max-width:100% !important;
}
#transEventDetails,
#transPerpDetails,
#transAffectedObject,
#transAgentDetails {
height:225px !important;
}
#transEventDetails table,
#transPerpDetails table,
#transAffectedObject table,
#transAgentDetails table {
border:none !important;
}
#transEventDetails tr,
#transPerpDetails tr,
#transAffectedObject tr,
#transAgentDetails tr {
border:none !important;
}
#transEventDetails td,
#transPerpDetails td,
#transAffectedObject td,
#transAgentDetails td {
border:none !important;
padding:5px !important;
}
div[id^="transEventDetails"].dashboard-element-header,
div[id^="transPerpDetails"].dashboard-element-header,
div[id^="transAffectedObject"].dashboard-element-header,
div[id^="transAgentDetails"].dashboard-element-header {
background:#364A6F !important;
}
div[id^="transEventDetails"].dashboard-element-header h3,
div[id^="transPerpDetails"].dashboard-element-header h3,
div[id^="transAffectedObject"].dashboard-element-header h3,
div[id^="transAgentDetails"].dashboard-element-header h3{
color:#FFFFFF !important;
}
#transEventDetails thead,
#transPerpDetails thead,
#transAffectedObject thead,
#transAgentDetails thead {
display:none !important;
}
#transEventDetails td[data-cell-index="0"],
#transPerpDetails td[data-cell-index="0"],
#transAffectedObject td[data-cell-index="0"],
#transAgentDetails td[data-cell-index="0"] {
width:75px !important;
min-width:75px !important;
max-width:85px !important;
background-color:#FFFFFF !important;
font-weight:600 !important;
}
#transEventDetails td[data-cell-index="1"],
#transPerpDetails td[data-cell-index="1"],
#transAffectedObject td[data-cell-index="1"],
#transAgentDetails td[data-cell-index="1"] {
background-color:#FFFFFF !important;
width:200px !important;
min-width:200px !important;
max-width:200px !important;
word-wrap: break-word !important;
}
#attributeTable th{
margin:0 !important;
padding:5px 0 !important;
border:1px solid #364A6F !important;
font-weight:bold;
text-align:center !important;
background:#364A6F !important;
color:#FFF !important;
width:25% !important;
max-width:200px !important;
}
#attributeTable td{
margin:0 !important;
padding:15px 15px !important;
border:1px solid #364A6F !important;
font-size:16px !important;
font-weight:400 !important;
text-align:center !important;
width:25% !important;
max-width:200px !important;
}
#attributeTable td[data-cell-index="0"],
#attributeTable td[data-cell-index="1"] {
padding-top:25px !important;
}
#attributeTable td[data-cell-index="2"],
#attributeTable td[data-cell-index="3"] {
overflow-x:scroll !important;
overflow-y:hidden !important;
}
</style>
</html>
</panel>
</row>
<row id="adChangesRow">
<panel>
<table id="adChangesTable">
<search>
<query>
`stealthData`
Protocol = "LDAP"
| eval Time=strftime(_time,"%Y-%m-%d %H:%M%P")
| eval ActionResult = case(BlockedEvent="True", "Failed", BlockedEvent="False", "Successful")
| eval BlockedEvent=case(BlockedEvent="True", "Yes", BlockedEvent="False", "No")
| eval Server=case(Server LIKE "%\\%", mvindex(split(Server, "\\"), 1))
| eval Perpetrator=case(Perpetrator LIKE "%\\%", mvindex(split(Perpetrator, "\\"), 1))
| eval AccessURL = case(AccessURL LIKE "%LDAPS%", replace(AccessURL, "LDAPS:", ""), AccessURL LIKE "%LDAP%", replace(AccessURL, "LDAP:", ""))
| search
PolicyName = "$detectingPolicy$"
EventName = "$actionPerformed$"
ActionResult = "$actionResult$"
BlockedEvent = "$actionBlocked$"
DC = "$initiatedDomain$"
Server = "$initiatedHost$"
Perpetrator = "$initiatedUser$"
AccessURL = "$accessUrl$"
SecureQuery = "$searchSecure$"
SecurityType = "$searchSecurityType$"
| rename
Time AS "Event Time"
PolicyName AS "Detecting Policy"
EventName AS "Action Performed"
ActionResult AS "Action Result"
BlockedEvent AS "Action Blocked"
DC AS "Initiating (Domain)"
Server AS "Initiating (Host)"
Perpetrator AS "Initiating (User)"
AccessURL AS "Access URL"
SecureQuery AS "Secure Query"
SecurityType AS "Security Type"
QueryFilter AS "Query Filter"
| table
_time
"Event Time"
"Detecting Policy"
"Action Performed"
"Action Result"
"Action Blocked"
"Initiating (Domain)"
"Initiating (Host)"
"Initiating (User)"
"Access URL"
"Secure Query"
"Security Type"
"Query Filter"
| dedup
_time
"Event Time"
"Detecting Policy"
"Action Performed"
"Action Result"
"Action Blocked"
"Initiating (Domain)"
"Initiating (Host)"
"Initiating (User)"
"Access URL"
"Secure Query"
"Security Type"
"Query Filter"
</query>
<earliest>$eventTime.earliest$</earliest>
<latest>now</latest>
</search>
<option name="drilldown">row</option>
<option name="count">18</option>
<option name="showPager">true</option>
<option name="wrap">false</option>
<drilldown>
<condition field="*">
<set token="time_token">$click.value$</set>
</condition>
</drilldown>
</table>
</panel>
</row>
<row id="adTransposedRow">
<panel>
<table id="transEventDetails" depends="time_token">
<title>Event Details</title>
<search>
<query>
`stealthData`
AND _time="$time_token$"
| eval EventTime=strftime(_time, "%Y-%m-%d %H:%M:%S")
| eval EventTimeUTC=strftime(_time+18000, "%Y-%m-%d %H:%M:%S")
| eval ActionStatus = case(BlockedEvent="True", "Failed", BlockedEvent="False", "Successful")
| rename
EventTime AS "Time Logged",
EventTimeUTC AS "Time Logged UTC",
EventName AS "Action Type",
BlockedEvent AS "Action Blocked",
actionStatus AS "Action Status",
event_id AS "Message"
| table
"Time Logged",
"Time Logged UTC"
"Action Type",
"Action Blocked",
"Action Status",
"Message"
| transpose 1
</query>
</search>
<option name="drilldown">none</option>
<option name="showPager">false</option>
</table>
</panel>
<panel>
<table id="transPerpDetails" depends="time_token">
<title>Perpetrator Details</title>
<search>
<query>
`stealthData`
AND _time="$time_token$"
| rename
Perpetrator AS "Account Name"
PerpetratorSID AS "Account SID"
DistinguishedName AS "Account DN"
Server AS "Host"
ServerAddress AS "IP Address"
AccessURL AS "Access URL"
| table
"Account Name"
"Account SID",
"Account DN"
"Protocol",
"Client Host",
"Client IP Address",
"Access URL"
| transpose 1
</query>
</search>
<option name="drilldown">none</option>
<option name="showPager">false</option>
</table>
</panel>
<panel>
<table id="transAffectedObject" depends="time_token">
<title>Search Details</title>
<search>
<query>
`stealthData`
AND _time="$time_token$"
| rename
QueryFilter AS "Query Filter"
QueryExecutionTimeAvg AS "Query Execute Time"
ObjectsReturned AS "Result Count"
SecurityQuery AS "Secure Query"
SecurityType AS "Security Type"
| table
"Query Filter"
"Query Execute Time"
"Result Count"
"Secure Query"
"Security Type"
| transpose 1
</query>
</search>
<option name="drilldown">none</option>
<option name="showPager">false</option>
</table>
</panel>
<panel>
<table id="transAgentDetails" depends="time_token">
<title>Agent Details</title>
<search>
<query>
`stealthData`
AND _time="$time_token$"
| rename
ClientHost AS "Host"
ClientAddress AS "IP Address"
| table
"Host",
"IP Address"
| transpose 1
</query>
</search>
<option name="drilldown">none</option>
<option name="showPager">false</option>
</table>
</panel>
</row>
</form>
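Review bot: The `case()` expressions in the adChangesTable query's `eval Server=` and `eval Perpetrator=` lines have no fallback branch, so any LDAP event whose Server or Perpetrator carries no `DOMAIN\` prefix gets a null field and is then silently dropped by the `Server = "$initiatedHost$"` / `Perpetrator = "$initiatedUser$"` filters, a blind spot in a monitoring table; the dropdown queries above already use the safe form, `| eval Server=case(!LIKE(Server, "%\\%"), Server, Server LIKE "%\\%", mvindex(split(Server, "\\"), 1))` and likewise for Perpetrator (the `AccessURL` eval has the same gap for URLs without an `LDAP:`/`LDAPS:` prefix). Several field references in the transposed panels do not match the fields the searches actually produce, so those cells render empty: `actionStatus AS "Action Status"` should be `ActionStatus` as defined by the preceding eval, `SecurityQuery AS "Secure Query"` should be `SecureQuery` as used in the filter and dropdown, and the "Initiated From (Domain)" input sets `fieldForLabel`/`fieldForValue` to `src_nt_domain` while its query only emits `DC`. The "Time Logged UTC" column is computed as `strftime(_time+18000, ...)`, a fixed five-hour shift that is UTC only for one zone outside DST and will mislead anyone building an incident timeline from this panel; either drop the column or derive the offset from the viewing user's actual timezone rather than a constant. Minor: the CSS block carries a stray `display:none; background:#FFFFFF !important; }` fragment outside any rule and a `disply:none` typo, and the "Reset Filters" link on the LDAP page targets `page_ad_adchanges`, which looks like a copy-paste leftover from the AD changes view.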

@ -0,0 +1,689 @@
<form stylesheet="overview.css" version="1.1">
<label>Dashboard</label>
<fieldset submitButton="false" autoRun="true">
<input type="time" token="eventTime" searchWhenChanged="true">
<label></label>
<default>
<earliest>-7d@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel depends="$alwaysHideCSS$">
<html>
<style>
body div.main-section-body.dashboard-body {
background:#F2F4F5 !important;
}
.dashboard-layout-panel {
cursor:pointer !important;
}
#adMostActiveUsers {
width:48.50% !important;
padding-right:1.50%;
}
#gpoMostActiveUsers {
width:48.50% !important;
padding-left:1.50%;
}
#adChangesValue{
position:relative !important;
margin-top:20% !important;
}
#adEventTypes {
width:15.50% !important;
padding-right:1% !important;
}
#adEventResult {
width:15.50% !important;
padding-right:1% !important;
}
#adEventBlocked {
width:15.50% !important;
}
#gpoEventTypes {
width:15.50% !important;
padding-right:1% !important;
padding-left:3% !important;
}
#gpoEventResult {
width:15.50% !important;
padding-right:1% !important;
}
#gpoEventBlocked {
width:15.50% !important;
}
#overview {
background:#F2F4F5 !important;
padding:0 !important;
margin-bottom:-20px !important;
}
#adtitle {
background:#F2F4F5 !important;
padding:0 !important;
margin-bottom:-20px !important;
}
#gpotitle {
background:#F2F4F5 !important;
padding:0 !important;
margin-bottom:-20px !important;
}
#ldaptitle {
background:#F2F4F5 !important;
padding:0 !important;
margin-bottom:-25px !important;
}
</style>
</html>
</panel>
</row>
<row>
<panel>
<html id="overview">
<h2 style="position:relative; left:-5px;">
<b>Overview</b>
</h2>
</html>
</panel>
</row>
<row>
<panel id="adEvents">
<title>Active Directory Events</title>
<single>
<search depends="eventTime">
<query>
`stealthData`
| where like(event_id, "Active Directory%")
| stats count
</query>
<earliest>$eventTime.earliest$</earliest>
<latest>$eventTime.latest$</latest>
</search>
<drilldown>
<condition>
<link>
<![CDATA[/app/sb_ad_ldap/page_ad_changes?form.eventTime.earliest=$eventTime.earliest$&form.eventTime.latest=$eventTime.latest$]]>
</link>
</condition>
</drilldown>
</single>
</panel>
<panel id="gpoEvents">
<title>Group Policy Events</title>
<single depends="eventTime">
<search>
<query>
`stealthData`
| where like(event_id, "%GPO%")
| stats count
</query>
<earliest>$eventTime.earliest$</earliest>
<latest>$eventTime.latest$</latest>
</search>
<drilldown>
<condition>
<link>
<![CDATA[/app/sb_ad_ldap/page_gpo_changes?form.eventTime.earliest=$eventTime.earliest$&form.eventTime.latest=$eventTime.latest$]]>
</link>
</condition>
</drilldown>
</single>
</panel>
<panel id="ldapEvents">
<title>LDAP Events</title>
<single depends="eventTime">
<search>
<query>`stealthData` Protocol = "LDAP"
| stats count</query>
<earliest>$eventTime.earliest$</earliest>
<latest>$eventTime.latest$</latest>
</search>
<option name="drilldown">all</option>
<option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
<option name="refresh.display">progressbar</option>
<drilldown>
<condition>
<link>
<![CDATA[/app/sb_ad_ldap/page_ldap_monitoring?form.eventTime.earliest=$eventTime.earliest$&form.eventTime.latest=$eventTime.latest$]]>
</link>
</condition>
</drilldown>
</single>
</panel>
<panel>
<title>Active Users</title>
<single depends="eventTime">
<search>
<query>
`stealthData`
| where !like(Perpetrator, '*\%*')
| stats dc(Perpetrator) as count
</query>
<earliest>$eventTime.earliest$</earliest>
<latest>$eventTime.latest$</latest>
</search>
</single>
</panel>
<panel>
<title>Monitored Domains</title>
<single depends="eventTime">
<search>
<query>
`stealthData`
| where not match(Domain, ".*%.*")
| stats dc(Domain) as count
</query>
<earliest>$eventTime.earliest$</earliest>
<latest>$eventTime.latest$</latest>
</search>
</single>
</panel>
</row>
<row>
<panel>
<title>Events Over Time</title>
<chart depends="eventTime">
<search>
<query>`stealthData`
| where like(event_id, "%GPO%") OR like(event_id, "Active Directory%") OR like(Protocol, "%LDAP%")
| eval eventID = replace(event_id, "Active Directory ", "")
| timechart sum(linecount) as "Event Count" by eventID</query>
<earliest>$eventTime.earliest$</earliest>
<latest>$eventTime.latest$</latest>
</search>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.chart">line</option>
<option name="charting.chart.nullValueMode">zero</option>
<option name="charting.legend.placement">right</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
</row>
<row>
<panel>
<html id="adtitle">
<h2 style="position:relative; left:-5px;">
<b>Active Directory Events</b>
</h2>
</html>
</panel>
<panel>
<html id="gpotitle">
<h2 style="position:relative; left:2.50%;">
<b>Group Policy Events</b>
</h2>
</html>
</panel>
</row>
<row>
<panel id="adMostActiveUsers">
<title>AD Most Active Users</title>
<chart>
<search>
<query>
`stealthData`
| where like(event_id, "Active Directory%")
| eval eventID = replace(event_id, "Active Directory ", "")
| chart count BY Perpetrator eventID
| addtotals
| sort -Total, +Perpetrator
| head 5
| fields - Total
</query>
<earliest>$eventTime.earliest$</earliest>
<latest>$eventTime.latest$</latest>
</search>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.chart">bar</option>
<option name="charting.chart.nullValueMode">zero</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.stackMode">stacked</option>
<option name="charting.legend.placement">right</option>
<option name="refresh.display">progressbar</option>
<drilldown>
<eval token="clickedDomain">mvindex(split($click.value$, "\\"), 0)</eval>
<eval token="clickedUser">mvindex(split($click.value$, "\\"), 1)</eval>
<link>
<![CDATA[/app/sb_ad_ldap/page_ad_changes?form.eventTime.earliest=$eventTime.earliest$&form.eventTime.latest=$eventTime.latest$&form.initiatedDomain=$clickedDomain$&form.initiatedUser=$clickedUser$]]>
</link>
</drilldown>
</chart>
</panel>
<panel id="gpoMostActiveUsers">
<title>GPO Most Active Users</title>
<chart>
<search>
<query>
`stealthData`
| where like(event_id, "%GPO%")
| stats count BY Perpetrator
| rename count as "Event Count"
| sort -"Event Count"
| head 5
</query>
<earliest>$eventTime.earliest$</earliest>
<latest>$eventTime.latest$</latest>
</search>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.chart">bar</option>
<option name="charting.chart.nullValueMode">zero</option>
<option name="charting.legend.placement">none</option>
<drilldown>
<eval token="clickedDomain">mvindex(split($click.value$, "\\"), 0)</eval>
<eval token="clickedUser">mvindex(split($click.value$, "\\"), 1)</eval>
<link>
<![CDATA[/app/sb_ad_ldap/page_gpo_changes?form.eventTime.earliest=$eventTime.earliest$&form.eventTime.latest=$eventTime.latest$&form.initiatedDomain=$clickedDomain$&form.initiatedUser=$clickedUser$]]>
</link>
</drilldown>
</chart>
</panel>
</row>
<row>
<panel id="adEventTypes">
<title>AD Events By Type</title>
<chart>
<search>
<query>
`stealthData`
| where not match(event_id, ".*%.*") and like(event_id, "%Active Directory%")
| eval eventID = replace(event_id, "Active Directory ", "")
| stats count by eventID
| eval percent=round(percent)
</query>
<earliest>$eventTime.earliest$</earliest>
<latest>$eventTime.latest$</latest>
</search>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.chart">pie</option>
<option name="charting.chart.nullValueMode">zero</option>
<option name="charting.legend.placement">none</option>
<drilldown>
<link>
<![CDATA[/app/sb_ad_ldap/page_ad_changes?form.eventTime.earliest=$eventTime.earliest$&form.eventTime.latest=$eventTime.latest$&form.actionPerformed=$click.value$]]>
</link>
</drilldown>
</chart>
</panel>
<panel id="adEventResult">
<title>AD Successful/Failed Changes</title>
<chart>
<search>
<query>
`stealthData`
| where like(event_id, "Active Directory%")
| stats count BY SuccessfulChange
| replace False WITH "Failed", True WITH "Successful" IN SuccessfulChange
| eval percent=round(percent)
</query>
<earliest>$eventTime.earliest$</earliest>
<latest>$eventTime.latest$</latest>
</search>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.chart">pie</option>
<option name="charting.chart.nullValueMode">zero</option>
<option name="charting.legend.placement">none</option>
<drilldown>
<eval token="clickedResult">case($click.value$ == "Successful", "True", $click.value$ == "Failed", "False")</eval>
<link>
<![CDATA[/app/sb_ad_ldap/page_ad_changes?form.eventTime.earliest=$eventTime.earliest$&form.eventTime.latest=$eventTime.latest$&form.actionResult=$clickedResult$]]>
</link>
</drilldown>
</chart>
</panel>
<panel id="adEventBlocked">
<title>AD Allowed/Blocked Changes</title>
<chart>
<search>
<query>
`stealthData`
| where like(event_id, "Active Directory%")
| stats count BY BlockedEvent
| replace False WITH "Allowed", True WITH "Blocked" IN BlockedEvent
</query>
<earliest>$eventTime.earliest$</earliest>
<latest>$eventTime.latest$</latest>
</search>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.chart">pie</option>
<option name="charting.chart.nullValueMode">zero</option>
<option name="charting.legend.placement">none</option>
<drilldown>
<eval token="clickedBlocked">case($click.value$ == "Allowed", "False", $click.value$ != "Allowed", "True")</eval>
<link>
<![CDATA[/app/sb_ad_ldap/page_ad_changes?form.eventTime.earliest=$eventTime.earliest$&form.eventTime.latest=$eventTime.latest$&form.actionBlocked=$clickedBlocked$]]>
</link>
</drilldown>
</chart>
</panel>
<panel id="gpoEventTypes">
<title>GPO Events By Type</title>
<chart>
<search>
<query>
`stealthData`
| where not match(event_id, ".*%.*") and like(event_id, "%GPO%")
| eval eventID = replace(event_id, "SI Events Log ", "")
| stats count by eventID
| eval percent=round(percent)
</query>
<earliest>$eventTime.earliest$</earliest>
<latest>$eventTime.latest$</latest>
</search>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.chart">pie</option>
<option name="charting.chart.nullValueMode">zero</option>
<option name="charting.legend.placement">none</option>
<drilldown>
<link>
<![CDATA[/app/sb_ad_ldap/page_gpo_changes?form.eventTime.earliest=$eventTime.earliest$&form.eventTime.latest=$eventTime.latest$&form.actionPerformed=$click.value$]]>
</link>
</drilldown>
</chart>
</panel>
<panel id="gpoEventResult">
<title>GPO Successful/Failed Changes</title>
<chart>
<search>
<query>
`stealthData`
| where like(event_id, "%GPO%")
| stats count BY SuccessfulChange
| replace False WITH "Failed", True WITH "Successful" IN SuccessfulChange
</query>
<earliest>$eventTime.earliest$</earliest>
<latest>$eventTime.latest$</latest>
</search>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.chart">pie</option>
<option name="charting.chart.nullValueMode">zero</option>
<option name="charting.legend.placement">none</option>
<drilldown>
<eval token="clickedResult">case($click.value$ == "Successful", "True", $click.value$ == "Failed", "False")</eval>
<link>
<![CDATA[/app/sb_ad_ldap/page_ad_changes?form.eventTime.earliest=$eventTime.earliest$&form.eventTime.latest=$eventTime.latest$&form.actionResult=$clickedResult$]]>
</link>
</drilldown>
</chart>
</panel>
<panel id="gpoEventBlocked">
<title>GPO Allowed/Blocked Changes</title>
<chart>
<search>
<query>
`stealthData`
| where like(event_id, "%GPO%")
| stats count BY BlockedEvent
| replace False WITH "Allowed", True WITH "Blocked" IN BlockedEvent
</query>
<earliest>$eventTime.earliest$</earliest>
<latest>$eventTime.latest$</latest>
</search>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.chart">pie</option>
<option name="charting.chart.nullValueMode">zero</option>
<option name="charting.legend.placement">none</option>
<drilldown>
<eval token="clickedBlocked">case($click.value$ == "Allowed", "False", $click.value$ != "Allowed", "True")</eval>
<link>
<![CDATA[/app/sb_ad_ldap/page_gpo_changes?form.eventTime.earliest=$eventTime.earliest$&form.eventTime.latest=$eventTime.latest$&form.actionBlocked=$clickedBlocked$]]>
</link>
</drilldown>
</chart>
</panel>
</row>
<row>
<panel>
<html id="ldaptitle">
<div>
<h2 style="position:relative; top:-10px; left:-5px;">
<b>LDAP Events</b>
</h2>
</div>
</html>
</panel>
</row>
<row>
<panel id="ldapMostActiveHosts">
<title>LDAP Most Active Source Hosts</title>
<chart>
<search>
<query>
`stealthData`
Protocol = "LDAP"
| stats count BY Server
| rename count as "Event Count"
| sort -"Event Count"
| head 5
</query>
<earliest>$eventTime.earliest$</earliest>
<latest>$eventTime.latest$</latest>
</search>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.chart">bar</option>
<option name="charting.chart.nullValueMode">zero</option>
<option name="charting.legend.placement">none</option>
<drilldown>
<eval token="clickedDomain">mvindex(split($click.value$, "\\"), 0)</eval>
<eval token="clickedHost">mvindex(split($click.value$, "\\"), 1)</eval>
<link>
<![CDATA[/app/sb_ad_ldap/page_ldap_monitoring?form.eventTime.earliest=$eventTime.earliest$&form.eventTime.latest=$eventTime.latest$&form.initiatedDomain=$clickedDomain$&form.initiatedHost=$clickedHost$]]>
</link>
</drilldown>
</chart>
</panel>
<panel id="ldapMostActiveUrls">
<title>LDAP Most Active Access URLs</title>
<chart>
<search>
<query>
`stealthData`
Protocol = "LDAP"
| eval AccessURL = replace(AccessURL, "LDAP:", "")
| stats count BY AccessURL
| sort - count
| head 5
</query>
<earliest>$eventTime.earliest$</earliest>
<latest>$eventTime.latest$</latest>
</search>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.chart">bar</option>
<option name="charting.chart.nullValueMode">zero</option>
<option name="charting.legend.placement">none</option>
<drilldown>
<link>
<![CDATA[/app/sb_ad_ldap/page_ldap_monitoring?form.eventTime.earliest=$eventTime.earliest$&form.eventTime.latest=$eventTime.latest$&form.accessUrl=$click.value$]]>
</link>
</drilldown>
</chart>
</panel>
<panel id="ldapMostActiveUsers">
<title>LDAP Most Active Users</title>
<chart>
<search>
<query>
`stealthData`
Protocol = "LDAP"
| stats count BY Perpetrator
| sort - count
| head 5
</query>
<earliest>$eventTime.earliest$</earliest>
<latest>$eventTime.latest$</latest>
</search>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.chart">bar</option>
<option name="charting.chart.nullValueMode">zero</option>
<option name="charting.legend.placement">none</option>
<drilldown>
<eval token="clickedDomain">mvindex(split($click.value$, "\\"), 0)</eval>
<eval token="clickedUser">mvindex(split($click.value$, "\\"), 1)</eval>
<link>
<![CDATA[/app/sb_ad_ldap/page_ldap_monitoring?form.eventTime.earliest=$eventTime.earliest$&form.eventTime.latest=$eventTime.latest$&form.initiatedDomain=$clickedDomain$&form.initiatedUser=$clickedUser$]]>
</link>
</drilldown>
</chart>
</panel>
</row>
<row>
<panel id="ldapPiePanel1">
<title>LDAP Events By Type</title>
<chart>
<search>
<query>
`stealthData`
Protocol = "LDAP"
| stats count BY EventName
| eval percent=round(percent)
</query>
<earliest>$eventTime.earliest$</earliest>
<latest>$eventTime.latest$</latest>
</search>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.chart">pie</option>
<option name="charting.chart.nullValueMode">zero</option>
<option name="charting.legend.placement">none</option>
<drilldown>
<link>
<![CDATA[/app/sb_ad_ldap/page_ldap_monitoring?form.eventTime.earliest=$eventTime.earliest$&form.eventTime.latest=$eventTime.latest$&form.actionPerformed=$click.value$]]>
</link>
</drilldown>
</chart>
</panel>
<panel id="ldapBlocked">
<title>LDAP Allowed/Blocked Queries</title>
<chart>
<search>
<query>
`stealthData`
Protocol = "LDAP"
| stats count BY BlockedEvent
| replace False WITH "Allowed", True WITH "Blocked" IN BlockedEvent
</query>
<earliest>$eventTime.earliest$</earliest>
<latest>$eventTime.latest$</latest>
</search>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.chart">pie</option>
<option name="charting.chart.nullValueMode">zero</option>
<option name="charting.legend.placement">none</option>
<drilldown>
<eval token="clickedBlocked">case($click.value$ == "Allowed", "No", $click.value$ != "Allowed", "Yes")</eval>
<link>
<![CDATA[/app/sb_ad_ldap/page_ldap_monitoring?form.eventTime.earliest=$eventTime.earliest$&form.eventTime.latest=$eventTime.latest$&form.actionBlocked=$clickedBlocked$]]>
</link>
</drilldown>
</chart>
</panel>
<panel id="ldapLdaps">
<title>LDAPS vs. LDAP</title>
<chart>
<search>
<query>
`stealthData`
Protocol = "LDAP"
| stats count BY SecureQuery
| replace No WITH "LDAP", Yes WITH "LDAPS" IN SecureQuery
| eval percent=round(percent)
</query>
<earliest>$eventTime.earliest$</earliest>
<latest>$eventTime.latest$</latest>
</search>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.chart">pie</option>
<option name="charting.chart.nullValueMode">zero</option>
<option name="charting.legend.placement">none</option>
<drilldown>
<eval token="clickedSecure">case($click.value$ == "LDAPS", "Yes", $click.value$ == "LDAP", "No")</eval>
<link>
<![CDATA[/app/sb_ad_ldap/page_ldap_monitoring?form.eventTime.earliest=$eventTime.earliest$&form.eventTime.latest=$eventTime.latest$&form.searchSecure=$clickedSecure$]]>
</link>
</drilldown>
</chart>
</panel>
<panel id="ldapSignedSealed">
<title>Signed and Sealed vs. LDAP</title>
<chart>
<search>
<query>
`stealthData`
Protocol = "LDAP"
| stats count BY SecurityType
| replace None WITH "LDAP", "Add Random Data" WITH "LDAP" IN SecurityType
| eval percent=round(percent)
</query>
<earliest>$eventTime.earliest$</earliest>
<latest>$eventTime.latest$</latest>
</search>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.chart">pie</option>
<option name="charting.chart.nullValueMode">zero</option>
<option name="charting.legend.placement">none</option>
<drilldown>
<eval token="clickedSecurityType">case($click.value$ == "LDAP", "None", $click.value$ != "LDAP", $click.value$)</eval>
<link>
<![CDATA[/app/sb_ad_ldap/page_ldap_monitoring?form.eventTime.earliest=$eventTime.earliest$&form.eventTime.latest=$eventTime.latest$&form.searchSecurityType=$clickedSecurityType$]]>
</link>
</drilldown>
</chart>
</panel>
<panel id="ldapSecure">
<title>Secure vs. Insecure</title>
<chart>
<search>
<query>
`stealthData`
Protocol = "LDAP"
| stats count BY SecureQuery
| replace No WITH "Unsecure", Yes WITH "Secure" IN SecureQuery
| eval percent=round(percent)
</query>
<earliest>$eventTime.earliest$</earliest>
<latest>$eventTime.latest$</latest>
</search>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.chart">pie</option>
<option name="charting.chart.nullValueMode">zero</option>
<option name="charting.legend.placement">none</option>
<drilldown>
<eval token="clickedSecure">case($click.value$ == "Secure", "Yes", $click.value$ == "Unsecure", "No")</eval>
<link>
<![CDATA[/app/sb_ad_ldap/page_ldap_monitoring?form.eventTime.earliest=$eventTime.earliest$&form.eventTime.latest=$eventTime.latest$&form.searchSecure=$clickedSecure$]]>
</link>
</drilldown>
</chart>
</panel>
</row>
</form>

@ -0,0 +1,11 @@
[StealthINTERCEPT_Authentication]
priority = 5
search = `stealthData` event_id="Authentication Auth *"
[StealthINTERCEPT_Active_Directory]
priority = 5
search = `stealthData` event_id="Active Directory*"
[StealthINTERCEPT_Group_Policy]
priority = 5
search = `stealthData` event_id="*GPO*"
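Review bot: The `StealthINTERCEPT_Group_Policy` search uses `event_id="*GPO*"` with a leading wildcard, so Splunk most likely cannot push any required term into the index-time filter and the eventtype is evaluated against every event the `stealthData` macro returns; the other two stanzas at least anchor on a fixed prefix. If the Group Policy event_id values share a fixed leading word, as the Authentication and Active Directory ones appear to, anchoring the pattern the same way would narrow the scan. None of the three stanzas carries a `description` key, which is the text the Splunk UI shows when a user browses eventtypes; one line per stanza such as `description = StealthINTERCEPT Group Policy (GPO) change events` would help.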

@ -0,0 +1,3 @@
[stealthData]
definition = index=* (sourcetype=STEALTHbits OR sourcetype=StealthINTERCEPT)
iseval = 0
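Review bot: `index=*` in the `stealthData` definition scans every index the calling user's role may read, so results vary by role and every consumer pays for a full scan instead of a targeted one. Every search visible in this commit (dashboards and eventtypes) is built on this macro, so the cost is paid everywhere. Consider a comment above the stanza naming the index the app expects and narrowing the definition, e.g. `definition = index=<INDEX_PLACEHOLDER> (sourcetype=STEALTHbits OR sourcetype=StealthINTERCEPT)`, or making the index a macro argument with a default.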

@ -0,0 +1,21 @@
[StealthINTERCEPT]
EVAL-action = case(like(event_id, "%Password _hanged"), "updated", like(event_id, "%Object _odified"), "modified", like(event_id, "%Object _dded"), "created", like(event_id, "%Group Members _dded"), "modified", like(event_id, "%Account _nabled"), "updated", like(event_id, "%Object _eleted"), "deleted", like(event_id, "%Group Members _emoved"), "modified", like(event_id, "%Account _nlocked"), "unlocked", like(event_id, "%Account _isabled"), "updated", like(event_id, "%_ock%"), "lockout")
EVAL-change_type = case(like(event_id, "Active Directory%"), "AD", like(event_id, "%File%"), "filesystem")
EVAL-dvc = coalesce(Server,ServerAddress)
EVAL-dest = coalesce(TargetHost, TargetHostIP, Server, ServerAddress)
EVAL-src = coalesce(ClientHost, ClientAddress)
EVAL-status = case(SuccessfulChange == "True", "success", SuccessfulChange == "False", "failure")
EVAL-vendor_product = "STEALTHbits StealthINTERCEPT"
EXTRACT-event_id = [STEALTHbits Activity Monitor|StealthINTERCEPT] - (?P<event_id>[^\-]+)\s\-
FIELDALIAS-CIM: Authentication = AttributeName AS object_attrs DistinguishedName AS object Domain AS src_nt_domain ObjectClass AS object_category Perpetrator AS user _time AS file_access_time result AS status event_id AS EventName
[STEALTHbits]
EVAL-action = case(like(event_id, "%Password _hanged"), "updated", like(event_id, "%Object _odified"), "modified", like(event_id, "%Object _dded"), "created", like(event_id, "%Group Members _dded"), "modified", like(event_id, "%Account _nabled"), "updated", like(event_id, "%Object _eleted"), "deleted", like(event_id, "%Group Members _emoved"), "modified", like(event_id, "%Account _nlocked"), "unlocked", like(event_id, "%Account _isabled"), "updated", like(event_id, "%_ock%"), "lockout")
EVAL-change_type = case(like(event_id, "Active Directory%"), "AD", like(event_id, "%File%"), "filesystem")
EVAL-dvc = coalesce(Server,ServerAddress)
EVAL-dest = coalesce(TargetHost, TargetHostIP, Server, ServerAddress)
EVAL-src = coalesce(ClientHost, ClientAddress)
EVAL-status = case(SuccessfulChange == "True", "success", SuccessfulChange == "False", "failure")
EVAL-vendor_product = "STEALTHbits StealthINTERCEPT"
EXTRACT-event_id = [STEALTHbits Activity Monitor|StealthINTERCEPT] - (?P<event_id>[^\-]+)\s\-
FIELDALIAS-CIM: Authentication = AttributeName AS object_attrs DistinguishedName AS object Domain AS src_nt_domain ObjectClass AS object_category Perpetrator AS user _time AS file_access_time result AS status event_id AS EventName
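Review bot: `EXTRACT-event_id` in both the `[StealthINTERCEPT]` and `[STEALTHbits]` stanzas wraps the product names in square brackets, which a regex reads as a character class matching one character from that set rather than as an alternation; the extraction appears to succeed only because the final `T` of `StealthINTERCEPT` is in the class, and it would also fire on any other single class character followed by ` - ` earlier in an event. The intended form is `EXTRACT-event_id = (?:STEALTHbits Activity Monitor|StealthINTERCEPT) - (?P<event_id>[^\-]+)\s\-`. The two stanzas are otherwise byte-identical, so any future change must be applied twice; a comment above the second stanza such as `# Keep in sync with [StealthINTERCEPT] above` would make that explicit. The `_` in patterns like `%Account _nabled` inside `EVAL-action` is the single-character wildcard of `like()`, presumably tolerating a case difference in the first letter; a comment saying so would stop a maintainer "fixing" it. `status` is also produced twice, by `EVAL-status` and by `result AS status` in the FIELDALIAS, so which one wins depends on Splunk's evaluation order and deserves a comment.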

@ -0,0 +1,9 @@
[eventtype=StealthINTERCEPT%20Active%20Directory]
change = enabled
[eventtype=StealthINTERCEPT%20Authentication]
change = enabled
authentication = enabled
[eventtype=StealthINTERCEPT%20Group%20Policy]
change = enabled
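Review bot: The three stanza names reference space-separated eventtype names (`StealthINTERCEPT%20Active%20Directory` etc.), while the eventtypes.conf added in this same commit defines them as `StealthINTERCEPT_Active_Directory`, `StealthINTERCEPT_Authentication` and `StealthINTERCEPT_Group_Policy`. tags.conf matches on the literal eventtype name, so none of the `change` / `authentication` tags will be applied and the CIM data models will not pick these events up. The stanzas should read `[eventtype=StealthINTERCEPT_Active_Directory]`, `[eventtype=StealthINTERCEPT_Authentication]` and `[eventtype=StealthINTERCEPT_Group_Policy]`.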

@ -0,0 +1,8 @@
[]
access = read : [ * ], write : [ admin ]
export = system
[views]
access = read : [ * ], write : [ admin ]
export = none
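Review bot: The root `[]` stanza sets `export = system`, so every knowledge object in the app except views — the `stealthData` macro, the eventtypes, the tags and the props extractions — becomes visible in every other app's search context. That is what lets the props and tags feed CIM data models, but the macro name `stealthData` is generic enough to collide with, or be shadowed by, a same-named macro in another app, and nothing records why system-wide export was chosen. A comment above the stanza such as `# export = system so props/tags/eventtypes apply in CIM data models app-wide` would make the choice deliberate, and `read : [ * ]` is worth a comment noting that role index permissions still apply on top of it.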
