parent
1ac2f9cbb2
commit
9aa096959f
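--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE/README
@@ -0,0 +1,14 @@
+Windows Event Log Analysis Splunk App version 1.5.1
+Copyright (C) 2016-2018 Adrian Grigorof All Rights Reserved.
+
+The Windows Event Log Analysis Splunk App assumes that Splunk is collecting information from Windows servers and workstation via the Universal Forwarder, the local Windows event log collector or remotely via WMI.
+It analyzes the entries from indexes matching the "index="wineventlog" OR source=*WinEventLog*" criteria. This matches the defaults used by the Universal Forwarder, the collection of local Windows event logs and the collection via WMI.
+To collect the logs from remote computers without installing the Universal Forwarded on each computer, configure the forwarding of event logs to central location using the Windows built-in event forwarding.
+The Interesting Processes section from the Processes dashboard is partially based on a presentation by Michael Gough from www.malwarearchaeology.com: "The Top 10 Windows Event ID's Used To Catch Hackers In The Act". See https://www.malwarearchaeology.com/home/2016/5/7/windows-top-10-event-logs-from-my-dell-enterprise-security-summit-talk for the presentation slides and information on how to enable the auditing of processes, including command-line based ones. The list of “interesting processes” is based on a study by JPCERT CC (Japan Computer Emergency Response Team Coordination Center) on detecting lateral movement through tracking of event logs (https://www.jpcert.or.jp/english/pub/sr/ir_research.html). The list is stored in C:\Program Files\Splunk\etc\apps\eventid\lookups\interesting_processes.csv and it can be adjusted with a text editor if needed.
+If not data is displayed, please verify that the Universal Forwarder is installed properly and that the all the Windows event logs are sent to the "wineventlog" index (or the WinEventLog* sources).
+
+See Configure Computers to Forward and Collect Events (https://msdn.microsoft.com/en-us/library/cc748890(v=ws.11).aspx) for details on how to configure a computer as a collector of logs.
+
+Send any suggestions, questions etc. to adigrio@gmail.com or support@altairtech.ca.
+
+For up-to-date documentation, see: https://www.eventid.net/splunk_addon.asp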
@ -0,0 +1,553 @@
|
||||
body {
|
||||
background-color: #cedec3;
|
||||
font-size: 12px;
|
||||
line-height: 130%;
|
||||
}
|
||||
|
||||
ul.accountBarItems {
|
||||
font-size: 11px;
|
||||
}
|
||||
|
||||
br {
|
||||
clear: both;
|
||||
}
|
||||
|
||||
.SplunkModule {
|
||||
padding: 0px;
|
||||
}
|
||||
|
||||
.appHeaderWrapper {
|
||||
background-color: #333333;
|
||||
background-image: none;
|
||||
}
|
||||
|
||||
#appContent h1 {
|
||||
font-size: 24px;
|
||||
font-weight: normal;
|
||||
letter-spacing: -1px;
|
||||
line-height: 130%;
|
||||
margin-bottom: 15px;
|
||||
text-shadow: white 0px 1px 1px;
|
||||
}
|
||||
|
||||
.splButton-primary span,
|
||||
.splButton-secondary span,
|
||||
.splButton-tertiary span {
|
||||
min-width: 110px;
|
||||
}
|
||||
|
||||
.resultsArea {
|
||||
background-color: #EDEDE7;
|
||||
}
|
||||
|
||||
/** app tabs **/
|
||||
div.appTabsWrapperOuter {
|
||||
background: #333 url(./images/bg_tabs.png) repeat-x 50% 100%;
|
||||
}
|
||||
|
||||
div.appTabsWrapper {
|
||||
margin: 0px auto 0px;
|
||||
width: 830px;
|
||||
overflow: hidden;
|
||||
}
|
||||
|
||||
/* Target Firefox 2 and older [!] */
|
||||
div.appTabsWrapper ul#appTabs, x:-moz-any-link {
|
||||
position: relative;
|
||||
top: 1px;
|
||||
}
|
||||
|
||||
div.appTabsWrapper ul#appTabs, x:-moz-any-link, x:default {
|
||||
position: relative;
|
||||
top: 0px;
|
||||
}
|
||||
|
||||
div.appTabsWrapper ul#appTabs {
|
||||
list-style-type: none;
|
||||
margin: 15px 0px 0px;
|
||||
overflow: hidden;
|
||||
padding: 0px;
|
||||
width: 100%;
|
||||
}
|
||||
|
||||
div.appTabsWrapper ul#appTabs li {
|
||||
float: left;
|
||||
list-style-type: none;
|
||||
margin: 0px 5px 0px 0px;
|
||||
}
|
||||
|
||||
div.appTabsWrapper ul#appTabs li a {
|
||||
background-color: #73A550;
|
||||
-moz-border-radius-topleft: 5px;
|
||||
-moz-border-radius-topright: 5px;
|
||||
-webkit-border-top-left-radius: 5px;
|
||||
-webkit-border-top-right-radius: 5px;
|
||||
border-top-left-radius: 5px;
|
||||
border-top-right-radius: 5px;
|
||||
color: white;
|
||||
display: block;
|
||||
font-size: 14px;
|
||||
padding: 8px 20px;
|
||||
text-decoration: none;
|
||||
-moz-text-shadow: #666 0px 1px 1px;
|
||||
-webkit-text-shadow: #666 0px 1px 1px;
|
||||
text-shadow: #666 0px 1px 1px;
|
||||
}
|
||||
|
||||
div.appTabsWrapper ul#appTabs li.current a {
|
||||
background-color: #EDEDE7;
|
||||
color: #333;
|
||||
text-shadow: white 0px 1px 1px;
|
||||
border: 1px solid white;
|
||||
border-bottom: none;
|
||||
}
|
||||
|
||||
div.launcherContent {
|
||||
margin: 15px auto;
|
||||
width: 830px;
|
||||
}
|
||||
|
||||
div.launcherList {
|
||||
float: left;
|
||||
width: 549px;
|
||||
}
|
||||
|
||||
/** launcher links **/
|
||||
ul.launcherLinks {
|
||||
/* -webkit-box-shadow: #DDD 0px 0px 5px; */
|
||||
border: 0px;
|
||||
margin: 0px 0px 0px -25px;
|
||||
list-style-type: none;
|
||||
position: relative;
|
||||
}
|
||||
|
||||
ul.launcherLinks li {
|
||||
/* background-color: white; */
|
||||
xxborder-bottom: 1px solid #edede7;
|
||||
xxcolor: #666;
|
||||
/* padding: 15px; */
|
||||
position: relative;
|
||||
z-index: 200;
|
||||
zoom: 1;
|
||||
_line-height: 0px;
|
||||
_font-size: 1%;
|
||||
}
|
||||
|
||||
ul.launcherLinks li .launcherApplistBackground {
|
||||
cursor: pointer;
|
||||
}
|
||||
|
||||
li.launcherMsg {
|
||||
background-color: white;
|
||||
margin-left: 25px;
|
||||
}
|
||||
|
||||
ul.launcherLinks li.launcherMsg p {
|
||||
padding: 0px;
|
||||
_font-size: 12px;
|
||||
}
|
||||
|
||||
li.launcherMsg .launcherMsgUpdate {
|
||||
background: transparent url(images/icon_update.png) 0px 0px no-repeat;
|
||||
_background-image: url(images/icon_update_ie6.png);
|
||||
padding-left: 20px;
|
||||
}
|
||||
|
||||
li.launcherMsg .launcherMsgSetup {
|
||||
background: transparent url(images/icon_setup.png) 0px 0px no-repeat;
|
||||
_background: transparent url(images/icon_setup_ie6.png) 0px 0px no-repeat;
|
||||
padding-left: 20px;
|
||||
}
|
||||
|
||||
ul.launcherLinks li.first div.launcherApplistBackground {
|
||||
-moz-border-radius-topleft: 5px;
|
||||
-moz-border-radius-topright: 5px;
|
||||
-webkit-border-top-left-radius: 5px;
|
||||
-webkit-border-top-right-radius: 5px;
|
||||
border-top-left-radius: 5px;
|
||||
border-top-right-radius: 5px;
|
||||
}
|
||||
|
||||
ul.launcherLinks li.last div.launcherApplistBackground {
|
||||
-moz-border-radius-bottomleft: 5px;
|
||||
-moz-border-radius-bottomright: 5px;
|
||||
-webkit-border-bottom-left-radius: 5px;
|
||||
-webkit-border-bottom-right-radius: 5px;
|
||||
border-bottom-left-radius: 5px;
|
||||
border-bottom-right-radius: 5px;
|
||||
border-bottom: none;
|
||||
}
|
||||
|
||||
ul.launcherLinks li:hover {
|
||||
xxbackground: #fff url(images/bg_gradient_100.png) repeat-x;
|
||||
}
|
||||
|
||||
ul.launcherLinks li div {
|
||||
background-repeat: no-repeat;
|
||||
min-height: 50px;
|
||||
xxpadding: 0px 0px 0px 46px;
|
||||
xxmargin-left: -20px;
|
||||
}
|
||||
|
||||
.appicon {
|
||||
width: 36px;
|
||||
height: 36px;
|
||||
padding: 5px;
|
||||
}
|
||||
|
||||
ul.launcherLinks li div.launcher-applist-wrapper,
|
||||
ul.launcherLinks li div.launcherApplistBackground {
|
||||
_font-size: 12px;
|
||||
_line-height: 130%;
|
||||
}
|
||||
|
||||
ul.launcherLinks li.datainputs div.launcherApplistIcon {
|
||||
background-image:url(images/icon_addData.png);
|
||||
background-position: 10px 10px;
|
||||
}
|
||||
|
||||
ul.launcherLinks li.search div.launcherApplistIcon {
|
||||
background-image:url(images/searchIcon.png);
|
||||
background-position: 10px 10px;
|
||||
}
|
||||
|
||||
|
||||
ul.launcherLinks li a {
|
||||
font-size: 16px;
|
||||
}
|
||||
|
||||
ul.launcherLinks li a:hover {
|
||||
text-decoration: none;
|
||||
_text-decoration: underline;
|
||||
}
|
||||
|
||||
ul.launcherLinks p {
|
||||
color: #666;
|
||||
line-height: 130%;
|
||||
margin: 0px;
|
||||
padding-top: 5px;
|
||||
}
|
||||
|
||||
/** launcher messages **/
|
||||
ul.launcherLinks li.launcherMsg {
|
||||
border-bottom: 1px solid #EEE;
|
||||
cursor: text;
|
||||
padding: 5px 15px;
|
||||
-webkit-border-top-left-radius: 5px;
|
||||
-webkit-border-top-right-radius: 5px;
|
||||
-moz-border-radius-topleft: 5px;
|
||||
-moz-border-radius-topright: 5px;
|
||||
border-top-left-radius: 5px;
|
||||
border-top-right-radius: 5px;
|
||||
}
|
||||
|
||||
ul.launcherLinks li.launcherMsg a {
|
||||
color: red;
|
||||
display: inline-block;
|
||||
text-decoration: underline;
|
||||
font-size: 12px;
|
||||
line-height: 130%;
|
||||
}
|
||||
|
||||
/** launcher app list **/
|
||||
ul.launcherLinks ul.launcherAppsList {
|
||||
margin: 0px;
|
||||
padding: 0px;
|
||||
list-style: none;
|
||||
z-index: 200;
|
||||
position: relative;
|
||||
*font-size: 1%;
|
||||
}
|
||||
|
||||
li.launcherShadow {
|
||||
-webkit-box-shadow: #DDD 0px 0px 5px;
|
||||
-moz-box-shadow: #DDD 0px 0px 5px;
|
||||
box-shadow: #DDD 0px 0px 5px;
|
||||
|
||||
-webkit-border-radius: 5px;
|
||||
-moz-border-radius: 5px;
|
||||
border-radius: 5px;
|
||||
z-index: 2 !important;
|
||||
position: absolute !important;
|
||||
height: 356px;
|
||||
width: 529px;
|
||||
top: 0px;
|
||||
left: 25px;
|
||||
}
|
||||
|
||||
/* Firefox 2 hacks for list border */
|
||||
li.launcherShadow, x:-moz-any-link {
|
||||
top: -1px;
|
||||
left: 24px;
|
||||
border: 1px solid #CCC;
|
||||
}
|
||||
|
||||
/* Firefox 3+ hacks for list border */
|
||||
li.launcherShadow, x:-moz-any-link, x:default {
|
||||
top: 0px;
|
||||
left: 25px;
|
||||
border: none;
|
||||
}
|
||||
|
||||
/* Firefox 3.0 - 3.5 hacks for list border */
|
||||
body.firefox3 li.launcherShadow {
|
||||
top: -1px;
|
||||
left: 24px;
|
||||
border: 1px solid #CCC;
|
||||
}
|
||||
|
||||
/* IE 8 and below hacks for list border */
|
||||
li.launcherShadow {
|
||||
border: 1px solid #CCC\9;
|
||||
top: -1px\9;
|
||||
left: 24px\9;
|
||||
}
|
||||
|
||||
/* IE 6 hack */
|
||||
#home li.launcherShadow {
|
||||
_left: -1px;
|
||||
}
|
||||
|
||||
/** launcher reorder handle **/
|
||||
ul.launcherLinks li div.reorderHandle {
|
||||
position: absolute;
|
||||
display: block;
|
||||
background-color: white;
|
||||
background-image: url("images/icon_reorderHandler.png") !important;
|
||||
_background-image: url("images/icon_reorderHandler_ie6.png") !important;
|
||||
background-position: 8px 5px;
|
||||
left: 0px;
|
||||
top: 5px;
|
||||
width: 20px;
|
||||
height: 20px;
|
||||
padding: 1px 0px 1px 5px;
|
||||
-moz-border-radius-topleft: 5px;
|
||||
-moz-border-radius-bottomleft: 5px;
|
||||
-webkit-border-top-left-radius: 5px;
|
||||
-webkit-border-bottom-left-radius: 5px;
|
||||
border-top-left-radius: 5px;
|
||||
border-bottom-left-radius: 5px;
|
||||
min-height: 0px !important;
|
||||
}
|
||||
|
||||
/* Firefox 2 hacks for reorder handle borders */
|
||||
ul.launcherLinks li div.reorderHandle, x:-moz-any-link {
|
||||
border: 1px solid #CCC;
|
||||
border-right: none;
|
||||
left: -1px;
|
||||
}
|
||||
|
||||
/* Firefox 3+ hacks for reorder handle border */
|
||||
ul.launcherLinks li div.reorderHandle, x:default {
|
||||
border: none;
|
||||
left: 0px;
|
||||
}
|
||||
|
||||
/* Firefox 3.0 - 3.5 hacks for reorder handle borders */
|
||||
body.firefox3 ul.launcherLinks li div.reorderHandle {
|
||||
border: 1px solid #CCC;
|
||||
border-right: none;
|
||||
left: -1px;
|
||||
}
|
||||
|
||||
/* IE 8 and below hacks for reorder handle borders */
|
||||
ul.launcherLinks li div.reorderHandle {
|
||||
border: 1px solid #CCC\9;
|
||||
border-right: none\9;
|
||||
left: -1px\9;
|
||||
}
|
||||
|
||||
ul.launcherLinks div.launcherApplistBackground {
|
||||
margin-left: 25px;
|
||||
background-color: white;
|
||||
border-bottom: 1px solid #edede7;
|
||||
zoom: 1;
|
||||
}
|
||||
ul.launcherLinks div.launcherApplistIcon {
|
||||
padding: 10px;
|
||||
}
|
||||
|
||||
ul.launcherLinks div.launcherApplistDesc {
|
||||
margin-left: 45px;
|
||||
*font-size: 12px;
|
||||
}
|
||||
|
||||
ul.launcherLinks div.launcherApplistBackground:hover {
|
||||
background: #fff url(images/bg_gradient_100.png) repeat-x bottom;
|
||||
}
|
||||
ul.launcherLinks .disabledApp div.launcherApplistBackground:hover {
|
||||
background-image: none;
|
||||
}
|
||||
ul.launcherLinks li div.reorderHandle:hover {
|
||||
cursor: move;
|
||||
background-position: 8px -15px;
|
||||
}
|
||||
|
||||
/** enable/set up buttons **/
|
||||
ul.launcherLinks .setupApp button {
|
||||
background-color: #BBB;
|
||||
border: 1px solid #999;
|
||||
}
|
||||
|
||||
ul.launcherLinks .setupApp button:hover {
|
||||
border-color: #666;
|
||||
}
|
||||
|
||||
ul.launcherLinks li.disabledApp button,
|
||||
ul.launcherLinks li.setupApp button {
|
||||
position: absolute;
|
||||
top: 5px;
|
||||
right: 7px;
|
||||
height: 23px;
|
||||
line-height: 20px;
|
||||
background-position: left -5px;
|
||||
padding: 0px 10px;
|
||||
}
|
||||
|
||||
ul.launcherLinks li.disabledApp button span,
|
||||
ul.launcherLinks li.setupApp button span {
|
||||
min-width: 0;
|
||||
line-height: 100%;
|
||||
}
|
||||
|
||||
ul.launcherLinks li.disabledApp:hover {
|
||||
background-image: none;
|
||||
}
|
||||
|
||||
ul.launcherLinks li.disabledApp button:hover {
|
||||
border-color: #000;
|
||||
}
|
||||
|
||||
ul.launcherLinks .disabledApp,
|
||||
ul.launcherLinks .disabledApp a {
|
||||
cursor: text;
|
||||
}
|
||||
ul.launcherLinks .disabledApp .launcher-applist-wrapper {
|
||||
opacity: 0.6;
|
||||
}
|
||||
|
||||
ul.launcherLinks .disabledApp p {
|
||||
color: #333;
|
||||
}
|
||||
|
||||
/** launchersidebar **/
|
||||
div.launchersidebar {
|
||||
float: left;
|
||||
margin-left: 30px;
|
||||
width: 250px;
|
||||
border: none;
|
||||
}
|
||||
|
||||
div.section {
|
||||
-moz-border-radius: 5px;
|
||||
-webkit-border-radius: 5px;
|
||||
border-radius: 5px;
|
||||
-moz-box-shadow: 0 0 5px #DDD;
|
||||
-webkit-box-shadow: #DDD 0 0 5px;
|
||||
-moz-box-shadow: #DDD 0 0 5px;
|
||||
-webkit-box-shadow: #DDD 0 0 5px;
|
||||
box-shadow: #DDD 0 0 5px;
|
||||
background: none repeat scroll 0 0 #E5F2F5;
|
||||
margin-bottom: 10px;
|
||||
padding: 15px;
|
||||
border: 1px solid #CCC;
|
||||
}
|
||||
|
||||
h2,
|
||||
div.launchersidebar h2 {
|
||||
color: #333;
|
||||
font-size: 16px;
|
||||
font-weight: normal;
|
||||
margin: 0px;
|
||||
padding: 0px;
|
||||
padding-bottom: 10px;
|
||||
text-shadow: 0 1px 1px white;
|
||||
}
|
||||
|
||||
div.launchersidebar ul {
|
||||
margin: 0px 5px;
|
||||
list-style: none;
|
||||
}
|
||||
|
||||
div.launchersidebar ul li {
|
||||
padding: 5px 0px;
|
||||
}
|
||||
|
||||
/** spotlight section **/
|
||||
div.launchersidebar div.spotlight {
|
||||
background-color: #666;
|
||||
-moz-box-shadow: 0 0 5px #555 inset;
|
||||
-webkit-box-shadow: 0 0 5px #555 inset;
|
||||
box-shadow: 0 0 5px #555 inset;
|
||||
border: 1px solid #555;
|
||||
}
|
||||
|
||||
div.launchersidebar div.spotlight h2 {
|
||||
color: white;
|
||||
text-shadow: 0px 1px 1px #333;
|
||||
}
|
||||
|
||||
div.launchersidebar div.spotlight button.splButton-primary {
|
||||
margin: 5px;
|
||||
background-color: #77AA44;
|
||||
}
|
||||
|
||||
div.launchersidebar div.spotlight button.splButton-primary:hover {
|
||||
background-color: #693;
|
||||
}
|
||||
|
||||
|
||||
/* IE 6 doesn't recognize min_width */
|
||||
div.launchersidebar div.spotlight button span {
|
||||
_width: 110px;
|
||||
}
|
||||
|
||||
/** icons for launchersidebar links **/
|
||||
.apps {
|
||||
background: url("images/icon_apps.png") no-repeat;
|
||||
padding-left: 20px;
|
||||
}
|
||||
|
||||
.tutorial {
|
||||
background: url("images/icon_tutorial.png") no-repeat;
|
||||
padding-left: 20px;
|
||||
}
|
||||
|
||||
.whatsNew {
|
||||
background: url("images/icon_mail.png") no-repeat;
|
||||
padding-left: 20px;
|
||||
}
|
||||
|
||||
.splunkDoc {
|
||||
background: url("images/icon_file.png") no-repeat;
|
||||
padding-left: 20px;
|
||||
}
|
||||
|
||||
.searches {
|
||||
background: url("images/icon_document.png") no-repeat;
|
||||
padding-left: 20px;
|
||||
}
|
||||
|
||||
.more {
|
||||
background: url("images/icon_circle_add.png") no-repeat;
|
||||
padding-left: 20px;
|
||||
}
|
||||
|
||||
.answers {
|
||||
background: url("images/icon_ask.png") no-repeat;
|
||||
padding-left: 20px;
|
||||
}
|
||||
|
||||
/** footer **/
|
||||
div.divider {
|
||||
margin-top: 20px;
|
||||
width: 100%;
|
||||
border-bottom: 1px solid #DDD;
|
||||
}
|
||||
|
||||
div.launcherFooter {
|
||||
padding-top: 10px;
|
||||
border-top: 1px solid #FFF;
|
||||
color: #666;
|
||||
text-shadow: 0px 1px 1px white;
|
||||
}
|
||||
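Review bot: The `xx`-prefixed declarations in `ul.launcherLinks li` (`xxborder-bottom`, `xxcolor`), `ul.launcherLinks li:hover` (`xxbackground`) and `ul.launcherLinks li div` (`xxpadding`, `xxmargin-left`) are invalid property names used to switch rules off; browsers drop them silently, but they read as live styling and a CSS linter will reject them. Either delete them or comment them out the way the neighbouring `/* background-color: white; */` line does. `div.section` also declares `-moz-box-shadow` and `-webkit-box-shadow` twice with the same shadow written in two argument orders; one pair can go.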
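--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE/stylesheet-2.css
@@ -0,0 +1,78 @@
+
+/* Set background */
+.main-section-body {
+    background-color:#cedec3;
+    background-image:-webkit-gradient(linear, 0 0, 0 100%, from(#e2e9eb), color-stop(400px, #cedec3), to(#cedec3));
+    background-image:-webkit-linear-gradient(#e2e9eb, #cedec3 400px, #cedec3);
+    background-image:-moz-linear-gradient(top, #e2e9eb, #cedec3 400px, #cedec3);
+    background-image:-o-linear-gradient(#e2e9eb, #cedec3 400px, #cedec3);
+    background-image:linear-gradient(#e2e9eb, #cedec3 400px, #cedec3);
+    filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffe2e9eb', endColorstr='#ffcedec3', GradientType=0);
+}
+
+/* Make the forms look like they are in a panel */
+/*.fieldset {
+    border-radius: 4px;
+    border: 1px solid #cccccc;
+    background: white;
+    margin: 0 0px 10px 0;
+    box-shadow: 0px 1px 1px rgba(0, 0, 0, 0.08);
+    position: relative;
+    padding: 12px 15px 0px 15px;
+}
+
+.fieldset .hide-label {
+}
+*/
+
+/* Shrink the form text inputs */
+/* Removed because Splunk 6.1 spaces the fields differently */
+/*input, textarea, .uneditable-input {
+    width: 120px;
+}*/
+
+/* Make the Search button on each dashboard blue instead of green */
+
+.btn-primary {
+    background-color: #5c9732;
+    background-image: -moz-linear-gradient(top, #0087df, #004f82);
+    background-image: -webkit-gradient(linear, 0 0, 0 100%, from(#0087df), to(#004f82));
+    background-image: -webkit-linear-gradient(top, #0087df, #004f82);
+    background-image: -o-linear-gradient(top, #0087df, #004f82);
+    background-image: linear-gradient(to bottom, #0087df, #004f82);
+    background-repeat: repeat-x;
+    filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff0087df', endColorstr='#ff004f82', GradientType=0);
+    background-color: #0087df;
+    border: 1px solid #143ab1;
+    border-bottom-color: #0048c9;
+    border-top-color: #004f82;
+    color: #ffffff;
+    text-shadow: 0 -1px 0 rgba(51, 51, 51, 0.7);
+    -webkit-box-shadow: 0px 1px 1px rgba(0, 0, 0, 0.08);
+    -moz-box-shadow: 0px 1px 1px rgba(0, 0, 0, 0.08);
+    box-shadow: 0px 1px 1px rgba(0, 0, 0, 0.08);
+}
+
+.btn-primary:hover {
+    background-color: #7db44d;
+    background-image: -moz-linear-gradient(top, #6ac1fa, #007fd1);
+    background-image: -webkit-gradient(linear, 0 0, 0 100%, from(#6ac1fa), to(#007fd1));
+    background-image: -webkit-linear-gradient(top, #6ac1fa, #007fd1);
+    background-image: -o-linear-gradient(top, #6ac1fa, #007fd1);
+    background-image: linear-gradient(to bottom, #6ac1fa, #007fd1);
+    background-repeat: repeat-x;
+    filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff6ac1fa', endColorstr='#ff007fd1', GradientType=0);
+    background-color: #389ddf;
+    border-color: #0c89db;
+    border-bottom-color: #006eb4;
+    border-top-color: #3f99d3;
+    background-position: 0 0;
+}
+
+.btn-primary:active, .btn-primary.active {
+    background-color: #016baf 9;
+}
+.btn-primary:hover, .btn-primary:focus, .btn-primary:active, .btn-primary.active, .btn-primary.disabled, .btn-primary[disabled] {
+    color: #ffffff;
+    background-color: #016baf;
+}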
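Review bot: `background-color: #016baf 9;` in `.btn-primary:active, .btn-primary.active` is not a valid value (two tokens), so the declaration is discarded; it looks like an IE `\9` hack that lost its backslash. The rule that follows already sets `background-color: #016baf;` for `:active` and `.active`, so the broken rule can simply be deleted. In `.btn-primary`, the first `background-color: #5c9732;` is overridden by `background-color: #0087df;` a few lines later, which is what the "blue instead of green" comment describes; drop the green value so the dead declaration does not mislead the next reader.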
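--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE/ev_process_proc.py
@@ -0,0 +1,45 @@
+#!/usr/bin/env python
+
+import csv
+import sys
+import re
+
+
+# arp.exe,Target Discovery,Obtains information about hosts on the local broadcast domain
+# New_Process_Name = C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
+# C:\Windows\System32\wbem\WmiPrvSE.exe
+
+def process_interesting(full_path_process):
+    try:
+        process_path_elements = full_path_process.split("\\")
+        process = process_path_elements[len(process_path_elements)-1]
+        return process
+    except:
+        return full_path_process
+
+def main():
+    if len(sys.argv) != 3:
+        print "Usage: python ev_process_proc.py [full_path_process] [process]"
+        print sys.argv[1]
+        print len(sys.argv)
+        sys.exit(1)
+
+    full_path_process = sys.argv[1]
+    process = sys.argv[2]
+
+    infile = sys.stdin
+    outfile = sys.stdout
+
+    r = csv.DictReader(infile)
+    header = r.fieldnames
+
+    w = csv.DictWriter(outfile, fieldnames=r.fieldnames)
+    w.writeheader()
+
+    for result in r:
+        if result[full_path_process]:
+            result[process] = process_interesting(result[full_path_process])
+            if result[process]:
+                w.writerow(result)
+
+main()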
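Review bot: The usage branch in `main()` prints `sys.argv[1]` after establishing that the argument count is wrong, so invoking the script with no arguments raises IndexError before the usage text and `sys.exit(1)` are reached; `print sys.argv` shows the same information safely. `process_interesting` uses a bare `except:`, which also swallows SystemExit and KeyboardInterrupt; `except Exception:` is the intended scope, and `process = process_path_elements[-1]` is the idiomatic form of the last-element lookup. `import re` and the `header` local are unused. The `print` statements make this Python 2 only; if the app is expected to run under Splunk's Python 3 interpreter they need to become `print(...)`.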
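--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE/ev_process_xml_parameters.py
@@ -0,0 +1,48 @@
+#!/usr/bin/env python
+
+import csv
+import sys
+import re
+import xml.etree.ElementTree as ET
+
+# <Data Name='param1'>Windows Modules Installer</Data><Data Name='param2'>stopped</Data><Binary>540072007500730074006500640049006E007300740061006C006C00650072002F0031000000</Binary>
+
+def process_xml(xml_info):
+    try:
+        xml_result = ""
+        root = ET.fromstring("<Data>"+xml_info+"</Data>")
+        for child in root:
+            #xml_result = xml_result + child.tag + child.attrib + child.text+"\n"
+            xml_result = xml_result + child.text + "@"
+            #xml_result = xml_result + child.attrib + "\n"
+        return xml_result
+    except:
+        return "Error: "+xml_info
+
+def main():
+    if len(sys.argv) != 3:
+        print "Usage: python ev_process_xml_parameters.py [raw_xml_data] [extracted_xml_data]"
+        print sys.argv[1]
+        print len(sys.argv)
+        sys.exit(3)
+
+    raw_xml_data = sys.argv[1]
+    extracted_xml_data = sys.argv[2]
+
+    infile = sys.stdin
+    outfile = sys.stdout
+
+    r = csv.DictReader(infile)
+    header = r.fieldnames
+
+    w = csv.DictWriter(outfile, fieldnames=r.fieldnames)
+    w.writeheader()
+
+    for result in r:
+        if result[raw_xml_data]:
+            result[extracted_xml_data] = process_xml(result[raw_xml_data])
+            #result[extracted_xml_data] = raw_xml_data
+            if result[extracted_xml_data]:
+                w.writerow(result)
+
+main()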
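Review bot: In `process_xml`, `child.text` is `None` for an empty element such as `<Data Name='param1'/>`, so the concatenation raises TypeError, the bare `except:` catches it, and every parameter of that row is replaced by the `Error: ...` string; `xml_result = xml_result + (child.text or "") + "@"` keeps the values that did parse. The string handed to `ET.fromstring` is taken from event data, i.e. input the logging host does not control, and on Python builds whose bundled expat predates the 2.4.1 entity-expansion limits `xml.etree` does not bound entity expansion; rejecting input that contains a `<!DOCTYPE` declaration before parsing, or parsing with a hardened parser, closes that gap for an external lookup that runs on the search head. The usage branch has the same `print sys.argv[1]` IndexError as ev_process_proc.py, and `except:` should be `except Exception:` here as well.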
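--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE/app.conf
@@ -0,0 +1,22 @@
+######################################################
+#
+# Splunk_EventId.Net
+#
+# Copyright (C) 2016-2018 Firegen Analytics Inc All Rights Reserved.
+#
+######################################################
+[install]
+is_configured = 0
+build = 1
+
+[ui]
+is_visible = 1
+label = EventID.Net
+
+[launcher]
+author = adigrio
+description = Dashboards for Windows event logs and links to www.eventid.net
+version = 1.5.1
+
+[package]
+id = eventid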
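Review bot: `build = 1` under `[install]` is the value Splunk Web embeds in the URLs of the app's static files to defeat browser caching, so it has to be incremented together with `version = 1.5.1` on every release that touches the stylesheets or other static assets; a release that bumps only `version` can leave users on a cached stylesheet. The header comment credits Firegen Analytics Inc while the README added in the same commit credits Adrian Grigorof; one of the two notices should be corrected so they agree.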
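--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE/default.xml
@@ -0,0 +1,14 @@
+<nav search_view="search">
+    <view name="eventid" default="true" />
+    <view name="audit_events" />
+    <view name="users_and_groups" />
+    <view name="interesting_events" />
+    <view name="interesting_processes" />
+    <view name="windows_event_sources" />
+    <view name="windows_events_xml_source" />
+    <view name="search" />
+    <view name="dashboards" />
+    <view name="documentation" />
+    <!-- This is an external link -->
+    <a href="https://www.eventid.net/">EventId.Net</a>
+</nav>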
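--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE/views-README
@@ -0,0 +1 @@
+Add all the views that your app needs in this directory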
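--- /dev/null
+++ b/PATH_NOT_ON_PAGE_4
@@ -0,0 +1,405 @@
+<form>
+<label>Audit Events</label>
+<description>Click on the event to check it on www.eventid.net</description>
+<fieldset autoRun="true" submitButton="false">
+<input type="time" searchWhenChanged="true" token="interval">
+<label>Select time range</label>
+<default>
+<earliest>-24h@h</earliest>
+<latest>now</latest>
+</default>
+</input>
+<input type="multiselect" token="Computer" searchWhenChanged="true">
+<label>Computer</label>
+<choice value="*">All</choice>
+<default>*</default>
+<prefix>(</prefix>
+<suffix>)</suffix>
+<valuePrefix>host="</valuePrefix>
+<valueSuffix>"</valueSuffix>
+<delimiter> OR </delimiter>
+<search>
+<query>`event_sources` ("Audit Success" OR "Audit Failure") | stats count by host</query>
+<earliest>$interval.earliest$</earliest>
+<latest>$interval.latest$</latest>
+</search>
+<fieldForLabel>host</fieldForLabel>
+<fieldForValue>host</fieldForValue>
+</input>
+<input type="checkbox" searchWhenChanged="true" token="Audit_Type">
+<label>Audit Events</label>
+<default>Audit Failure,Audit Success</default>
+<choice value="Audit Failure">Failure</choice>
+<choice value="Audit Success">Success</choice>
+<prefix>(</prefix>
+<suffix>)</suffix>
+<valuePrefix>"</valuePrefix>
+<valueSuffix>"</valueSuffix>
+<delimiter> OR </delimiter>
+<fieldForLabel>Audit Type</fieldForLabel>
+<fieldForValue>Audit Type</fieldForValue>
+<initialValue>Audit Failure,Audit Success</initialValue>
+</input>
+<input type="text" token="keyword" searchWhenChanged="true">
+<label>Keyword:</label>
+<default>*</default>
+</input>
+<input type="radio" token="nopriv" searchWhenChanged="true">
+<label>Hide privilege related events</label>
+<choice value="Message!="*privilege*"">Yes</choice>
+<choice value="*">No</choice>
+<default>Message!="*privilege*"</default>
+</input>
+<input type="radio" token="nocomputer" searchWhenChanged="true">
+<label>Hide computer accounts events</label>
+<choice value="Account_Name != "*$*"">Yes</choice>
+<choice value="*">No</choice>
+<default>Account_Name != "*$$*"</default>
+<initialValue>Account_Name != "*$$*"</initialValue>
+</input>
+</fieldset>
+<row>
+<panel>
+<title>Audit events over time</title>
+<chart>
+<search>
+<query>`event_sources` ("Audit Success" OR "Audit Failure") AND $Computer$ AND $keyword$ $nopriv$ $nocomputer$ $Audit_Type$
+| fillnull
+| timechart count</query>
+<earliest>$interval.earliest$</earliest>
+<latest>$interval.latest$</latest>
+</search>
+<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
+<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
+<option name="charting.axisTitleX.visibility">visible</option>
+<option name="charting.axisTitleY.visibility">visible</option>
+<option name="charting.axisTitleY2.visibility">visible</option>
+<option name="charting.axisX.scale">linear</option>
+<option name="charting.axisY.scale">linear</option>
+<option name="charting.axisY2.enabled">0</option>
+<option name="charting.axisY2.scale">inherit</option>
+<option name="charting.chart">column</option>
+<option name="charting.chart.bubbleMaximumSize">50</option>
+<option name="charting.chart.bubbleMinimumSize">10</option>
+<option name="charting.chart.bubbleSizeBy">area</option>
+<option name="charting.chart.nullValueMode">gaps</option>
+<option name="charting.chart.showDataLabels">none</option>
+<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
+<option name="charting.chart.stackMode">default</option>
+<option name="charting.chart.style">shiny</option>
+<option name="charting.drilldown">all</option>
+<option name="charting.layout.splitSeries">0</option>
+<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
+<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
+<option name="charting.legend.placement">none</option>
+<option name="refresh.display">progressbar</option>
+</chart>
+</panel>
+<panel>
+<title>Accounts with 3 or more failed logons</title>
+<chart>
+<search>
+<query>`event_sources` Failure_Reason=* ("Audit Failure") AND $Computer$ AND $keyword$ $nopriv$ Message != "*privilege*" Account_Name != "*$*"
+| table host, Account_Name, Failure_Reason
+| stats count by Account_Name
+| where count > 2</query>
+<earliest>$interval.earliest$</earliest>
+<latest>$interval.latest$</latest>
+<sampleRatio>1</sampleRatio>
+</search>
+<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
+<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
+<option name="charting.axisTitleX.visibility">visible</option>
+<option name="charting.axisTitleY.visibility">visible</option>
+<option name="charting.axisTitleY2.visibility">visible</option>
+<option name="charting.axisX.scale">linear</option>
+<option name="charting.axisY.scale">linear</option>
+<option name="charting.axisY2.enabled">0</option>
+<option name="charting.axisY2.scale">inherit</option>
+<option name="charting.chart">pie</option>
+<option name="charting.chart.bubbleMaximumSize">50</option>
+<option name="charting.chart.bubbleMinimumSize">10</option>
+<option name="charting.chart.bubbleSizeBy">area</option>
+<option name="charting.chart.nullValueMode">gaps</option>
+<option name="charting.chart.showDataLabels">none</option>
+<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
+<option name="charting.chart.stackMode">default</option>
+<option name="charting.chart.style">shiny</option>
+<option name="charting.drilldown">all</option>
+<option name="charting.layout.splitSeries">0</option>
+<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
+<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
+<option name="charting.legend.placement">right</option>
+<option name="refresh.display">progressbar</option>
+</chart>
+</panel>
+</row>
+<row>
+<panel>
+<title>Audit Failure events by computer</title>
+<chart>
+<search>
+<query>`event_sources` "Audit Failure" AND $Computer$ AND $keyword$ $nocomputer$ $nopriv$
+| fillnull
+| stats count by host</query>
+<earliest>$interval.earliest$</earliest>
+<latest>$interval.latest$</latest>
+<sampleRatio>1</sampleRatio>
+</search>
+<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
+<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
+<option name="charting.axisTitleX.visibility">visible</option>
+<option name="charting.axisTitleY.visibility">visible</option>
+<option name="charting.axisTitleY2.visibility">visible</option>
+<option name="charting.axisX.scale">linear</option>
+<option name="charting.axisY.scale">linear</option>
+<option name="charting.axisY2.enabled">0</option>
+<option name="charting.axisY2.scale">inherit</option>
+<option name="charting.chart">pie</option>
+<option name="charting.chart.bubbleMaximumSize">50</option>
+<option name="charting.chart.bubbleMinimumSize">10</option>
+<option name="charting.chart.bubbleSizeBy">area</option>
+<option name="charting.chart.nullValueMode">gaps</option>
+<option name="charting.chart.showDataLabels">none</option>
+<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
+<option name="charting.chart.stackMode">default</option>
+<option name="charting.chart.style">shiny</option>
+<option name="charting.drilldown">all</option>
+<option name="charting.layout.splitSeries">0</option>
+<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
+<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
+<option name="charting.legend.placement">right</option>
+<option name="refresh.display">progressbar</option>
+</chart>
+</panel>
+<panel>
+<title>Distinct Accounts</title>
+<single>
+<search>
+<query>`event_sources` AND $Computer$ AND $keyword$ $nopriv$ $nocomputer$ TaskCategory=Logon $Audit_Type$
+| stats dc(Account_Name)</query>
+<earliest>$interval.earliest$</earliest>
+<latest>$interval.latest$</latest>
+<sampleRatio>1</sampleRatio>
+</search>
+<option name="colorBy">value</option>
+<option name="colorMode">block</option>
+<option name="drilldown">all</option>
+<option name="numberPrecision">0</option>
+<option name="rangeColors">["0x6db7c6","0x6db7c6"]</option>
+<option name="rangeValues">[0]</option>
+<option name="refresh.display">progressbar</option>
+<option name="showSparkline">1</option>
+<option name="showTrendIndicator">1</option>
+<option name="trellis.enabled">0</option>
+<option name="trellis.scales.shared">1</option>
+<option name="trellis.size">medium</option>
+<option name="trendColorInterpretation">standard</option>
+<option name="trendDisplayMode">absolute</option>
+<option name="unitPosition">after</option>
+<option name="useColors">1</option>
+<option name="useThousandSeparators">1</option>
+</single>
+</panel>
+<panel>
+<title>Logon Successful Audits</title>
+<single>
+<search>
+<query>`event_sources` AND $keyword$ $nopriv$ $nocomputer$ TaskCategory=Logon
+| stats count</query>
+<earliest>$interval.earliest$</earliest>
+<latest>$interval.latest$</latest>
+<sampleRatio>1</sampleRatio>
+</search>
+<option name="colorMode">block</option>
+<option name="drilldown">all</option>
+<option name="rangeColors">["0x65a637","0x65a637"]</option>
+<option name="rangeValues">[0]</option>
+<option name="refresh.display">progressbar</option>
+<option name="useColors">1</option>
+</single>
+</panel>
+<panel>
+<title>Logon Audit Failure events</title>
+<single>
+<search>
+<query>`event_sources` AND $Computer$ AND $keyword$ $nocomputer$ $nopriv$ Failure_Reason=* ("Audit Failure")
+| stats count</query>
+<earliest>$interval.earliest$</earliest>
+<latest>$interval.latest$</latest>
+</search>
+<option name="colorMode">block</option>
+<option name="drilldown">all</option>
+<option name="rangeColors">["0xd93f3c","0xd93f3c"]</option>
+<option name="rangeValues">[0]</option>
+<option name="refresh.display">progressbar</option>
+<option name="useColors">1</option>
+<drilldown>
+<link target="_blank">search?q=`event_sources` Failure_Reason=* * ("Audit Failure") AND $Computer$ AND $keyword$ Message != "*privilege*" Account_Name != "*$*" | stats count&earliest=$interval.earliest$&latest=$interval.latest$</link>
+</drilldown>
+</single>
+</panel>
+<panel>
+<title>New Local Admins</title>
+<single>
+<search>
+<query>`event_sources`AND $Computer$ AND $keyword$ $nocomputer$ $nopriv$
+| transaction Security_ID maxspan=180m
+| search EventCode=4720 OR (EventCode=4732 Administrators)
+| stats count</query>
+<earliest>$interval.earliest$</earliest>
+<latest>$interval.latest$</latest>
+<sampleRatio>1</sampleRatio>
+</search>
+<option name="colorBy">value</option>
+<option name="colorMode">block</option>
+<option name="drilldown">none</option>
+<option name="numberPrecision">0</option>
+<option name="rangeColors">["0xf58f39","0xf58f39"]</option>
+<option name="rangeValues">[0]</option>
+<option name="refresh.display">progressbar</option>
+<option name="showSparkline">1</option>
+<option name="showTrendIndicator">1</option>
+<option name="trellis.enabled">0</option>
+<option name="trellis.scales.shared">1</option>
+<option name="trellis.size">medium</option>
+<option name="trendColorInterpretation">standard</option>
+<option name="trendDisplayMode">absolute</option>
+<option name="unitPosition">after</option>
+<option name="useColors">1</option>
+<option name="useThousandSeparators">1</option>
+</single>
+</panel>
+</row>
+<row>
+<panel>
+<title>Events Summary</title>
+<table id="link2">
+<search>
+<query>`event_sources` AND $Computer$ AND $keyword$ $nopriv$ $nocomputer$ $Audit_Type$
+| fillnull
+| eval Type=if(Keywords=="Audit Success",Keywords, Type)
+| eval Type=if(Keywords=="Audit Failure",Keywords, Type)
+| stats earliest(_time) as First latest(_time) as Last max(Message) as Sample_Message count by host, EventCode, Type
+| sort -count host, EventCode, Type, Sample_message
+| rename EventCode as "EventId"
+| fieldformat First=strftime(First,"%x %X") | fieldformat Last=strftime(Last,"%x %X")</query>
+<earliest>$interval.earliest$</earliest>
+<latest>$interval.latest$</latest>
+</search>
+<option name="count">10</option>
+<option name="dataOverlayMode">none</option>
+<option name="drilldown">row</option>
+<option name="refresh.display">progressbar</option>
+<option name="rowNumbers">false</option>
+<option name="wrap">true</option>
+<drilldown>
+<link target="_blank">https://www.eventid.net/display.asp?eventid=$row.EventId$&source=$row.SourceName$&app=SplunkEvId</link>
+</drilldown>
+</table>
+</panel>
+</row>
+<row>
+<panel>
+<title>Audit Failure Events</title>
+<table>
+<search>
+<query>`event_sources` AND $Computer$ AND $keyword$ $nocomputer$ $nopriv$ AND "Audit Failure"
+| fillnull
+| eval user=mvindex(Account_Name,1)
+| table _time, host, EventCode, Message, user, Failure_Reason, Source_Workstation, Caller_Process_Name
+| rename EventCode as "EventId", Caller_Process_Name as Process</query>
+<earliest>$interval.earliest$</earliest>
+<latest>$interval.latest$</latest>
+</search>
+<option name="dataOverlayMode">none</option>
+<option name="drilldown">cell</option>
+<option name="refresh.display">progressbar</option>
+<option name="rowNumbers">false</option>
+<option name="wrap">true</option>
+</table>
+</panel>
+</row>
+<row>
+<panel>
+<title>Accounts successfully logged on</title>
+<chart>
+<search>
+<query>`event_sources`AND $Computer$ AND $keyword$ $nocomputer$ $nopriv$ AND TaskCategory=Logon AND NOT Account_Name="*ANONYMOUS*"
+| timechart count</query>
+<earliest>$interval.earliest$</earliest>
+<latest>$interval.latest$</latest>
+</search>
+<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
+<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
+<option name="charting.axisTitleX.visibility">visible</option>
+<option name="charting.axisTitleY.visibility">visible</option>
+<option name="charting.axisTitleY2.visibility">visible</option>
+<option name="charting.axisX.scale">linear</option>
+<option name="charting.axisY.scale">linear</option>
+<option name="charting.axisY2.enabled">0</option>
+<option name="charting.axisY2.scale">inherit</option>
+<option name="charting.chart">column</option>
+<option name="charting.chart.bubbleMaximumSize">50</option>
+<option name="charting.chart.bubbleMinimumSize">10</option>
+<option name="charting.chart.bubbleSizeBy">area</option>
+<option name="charting.chart.nullValueMode">gaps</option>
+<option name="charting.chart.showDataLabels">none</option>
+<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
+<option name="charting.chart.stackMode">default</option>
+<option name="charting.chart.style">shiny</option>
+<option name="charting.drilldown">all</option>
+<option name="charting.layout.splitSeries">0</option>
+<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
+<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
+<option name="charting.legend.placement">none</option>
+<option name="refresh.display">progressbar</option>
+</chart>
+</panel>
+</row>
+<row>
+<panel>
+<title>Audit Success Events</title>
+<table>
+<search>
+<query>`event_sources` AND $Computer$ AND $keyword$ $nopriv$ $nocomputer$ "Audit Success"
+| fillnull
+| eval Type=if(Keywords=="Audit Success",Keywords, Type)
+| eval Type=if(Keywords=="Audit Failure",Keywords, Type)
+| eval user=mvindex(Account_Name,1)
+| table _time, host, EventCode, Message, user, Source_Workstation, Process_Name
+| rename EventCode as "EventId", Process_Name as Process</query>
+<earliest>$interval.earliest$</earliest>
+<latest>$interval.latest$</latest>
+</search>
+<option name="dataOverlayMode">none</option>
+<option name="drilldown">cell</option>
+<option name="refresh.display">progressbar</option>
+<option name="rowNumbers">false</option>
+<option name="wrap">true</option>
+</table>
+</panel>
+</row>
+<row>
+<panel>
+<title>Audit events - drill down option</title>
+<event>
+<search>
+<query>`event_sources` $Audit_Type$ AND $Computer$ AND $keyword$ $nopriv$ $nocomputer$
+| fillnull
+| eval Type=if(Keywords=="Audit Success",Keywords, Type)
+| eval Type=if(Keywords=="Audit Failure",Keywords, Type)
+| eval user=mvindex(Account_Name,1)
+| table _time, host, EventCode, Type, Message, user</query>
+<earliest>$interval.earliest$</earliest>
+<latest>$interval.latest$</latest>
+</search>
+<fields>host, LogName, EventCode, SourceName, Type, Message, user</fields>
+<option name="list.drilldown">full</option>
+<option name="refresh.display">progressbar</option>
+<option name="table.drilldown">all</option>
+<option name="type">list</option>
+</event>
+</panel>
+</row>
+</form>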
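Review bot: The Events Summary drilldown link interpolates `$row.SourceName$`, but that panel's search aggregates with `stats ... count by host, EventCode, Type`, so SourceName is not a column of the clicked row and the `source=` parameter is sent empty; either add `SourceName` to the `by` clause or drop the parameter. The following `sort -count host, EventCode, Type, Sample_message` names `Sample_message` while the field created by `max(Message) as Sample_Message` is spelled `Sample_Message`; Splunk field names are case-sensitive, so that sort key appears to be a no-op. Both values placed in that external URL originate from event data, so they should pass through the URL-encoding token filter, `$row.EventId|u$` and `$row.SourceName|u$`. The free-text `keyword` input is spliced unquoted into every panel's SPL; using the quoting filter, `$keyword|s$`, keeps it a search term rather than letting a viewer rewrite the search pipeline (the search runs with the viewer's own permissions, so this is a robustness point, not a privilege boundary). The `New Local Admins` and `Accounts successfully logged on` queries also lack a space after the closing backtick (`` `event_sources`AND ``), which may interfere with macro expansion.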
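--- /dev/null
+++ b/PATH_NOT_ON_PAGE_5
@@ -0,0 +1,55 @@
+<dashboard>
+<label>Documentation</label>
+<row>
+<panel>
+<title>Introduction</title>
+<html>
+<p>Welcome to the EventID.Net Windows Event Logs app!</p>
+</html>
+</panel>
+</row>
+<row>
+<panel>
+<title>Windows Event Log App sources of information</title>
+<html>
+<p>The Windows Event Log App assumes that Splunk is collecting information from Windows servers and workstation via one of the following methods:
+<ul>
+<li><a href="https://www.splunk.com/en_us/download/universal-forwarder.html">Splunk Universal Forwarder installed on the source computer</a></li>
+<li><a href="https://msdn.microsoft.com/en-us/library/cc748890(v=ws.11).aspx">Windows Event Log Forwarding</a> configured on the source computer combined with Splunk Universal Forwarder on the collector computer</li>
+<li><a href="https://docs.splunk.com/Documentation/Splunk/6.6.1/Data/MonitorWindowseventlogdata">Remote Windows Event Log collection via WMI</a> as Splunk input</li>
+<li>Events collected with the renderXML feature turned on. See <a href="https://www.splunk.com/blog/2014/11/04/splunk-6-2-feature-overview-xml-event-logs.html">Feature Overview: XML Event Logs</a></li>
+</ul>
+</p>
+
+<p>All these methods will collect the events and either collect them in the "wineventlog" Splunk index or record them in the default index with source the source set as "*WinEventLog*" (notice the wildcards). The app analyzes the entries matching these criteria (index="wineventlog" OR source=*WinEventLog*). This matches the defaults used by the Universal Forwarder, the collection of local Windows event logs and the collection via WMI.</p>
+
+<p>In order to create the proper indexes, we recommend the installation of the <a href="https://splunkbase.splunk.com/app/742/">Splunk Add-on for Microsoft Windows</a> app.</p>
+
+<p>To collect the logs from remote computers without installing the Universal Forwarded on each computer, configure the forwarding of event logs to central location using the Windows built-in event forwarding. See <a href="https://msdn.microsoft.com/en-us/library/cc748890(v=ws.11).aspx">Configure Computers to Forward and Collect Events</a> for details on how to configure a computer as a collector of logs.</p>
+
+</html>
+</panel>
+</row>
+<row>
+<panel>
+<title>Additional information and troubleshooting</title>
+<html>
+<p>If no data is displayed, please verify that the Universal Forwarder is installed properly and that the all the Windows event logs are sent to the "wineventlog" index (or the WinEventLog* sources).</p>
+
+<p>If the data is stored in a different index, the user can update the macros.conf [event_sources] section by using the application setup.</p>
+
+<p>The Interesting Processes section from the Processes dashboard is partially based on a presentation by Michael Gough from <a href="https://www.malwarearchaeology.com/">www.malwarearchaeology.com</a>: "<a href="https://www.malwarearchaeology.com/home/2016/5/7/windows-top-10-event-logs-from-my-dell-enterprise-security-summit-talk">The Top 10 Windows Event ID's Used To Catch Hackers In The Act</a>". See for the presentation slides and information on how to enable the auditing of processes, including command-line based ones. The list of "interesting processes" is based on a <a href="https://www.jpcert.or.jp/english/pub/sr/ir_research.html">study by JPCERT CC</a> (Japan Computer Emergency Response Team Coordination Center) on detecting lateral movement through tracking of event logs. The list is stored in C:\Program Files\Splunk\etc\apps\eventid\lookups\interesting_processes.csv and it can be adjusted with a text editor if needed. For full functionality the audit of the command line arguments has to be enabled as described in <a href="https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing">Command Line Process Auditing</a></p>
+
+<p>The XML dashboard is design to report Windows events rendered from the XML by using the renderXML stanza. The renderXML option reduced the volume of data to about 25% of the regular events, however some details such as the full description of the event are no longer recorded. See <a href="https://www.splunk.com/blog/2014/11/04/splunk-6-2-feature-overview-xml-event-logs.html">Feature Overview: XML Event Logs</a> for more details.</p>
+
+<p>Each of the dashboard can be set as an alarm (i.e. notifications when a certain number of failed logins are recorded, when certain processes are executed, etc).</p>
+
+<p>Send any suggestions and questions to support@altairtech.ca. We can also provide advice in setting up the Splunk receiver for the Universal Forwarder.</p>
+
+<p>We publish the most current version of EventID.Net Windows Event Logs Splunk app on <a href="https://www.eventid.net/splunk_addon.asp">www.eventid.net</a>. Splunk may takes weeks or months to certify a new version.</p>
+
+</html>
+</panel>
+</row>
+
+</dashboard>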
@ -0,0 +1,362 @@
|
||||
<form>
|
||||
<label>Windows Events Summary</label>
|
||||
<description>Click on the event to check it on www.eventid.net</description>
|
||||
<fieldset autoRun="true" submitButton="false">
|
||||
<input type="time" searchWhenChanged="true" token="interval">
|
||||
<label>Select time range</label>
|
||||
<default>
|
||||
<earliest>-24h@h</earliest>
|
||||
<latest>now</latest>
|
||||
</default>
|
||||
</input>
|
||||
<input type="checkbox" searchWhenChanged="true" token="Type">
|
||||
<label>Event types</label>
|
||||
<default>Error,Warning</default>
|
||||
<choice value="Error">Error</choice>
|
||||
<choice value="Warning">Warning</choice>
|
||||
<choice value="Information">Information</choice>
|
||||
<prefix>(</prefix>
|
||||
<suffix>)</suffix>
|
||||
<valuePrefix>Type="</valuePrefix>
|
||||
<valueSuffix>"</valueSuffix>
|
||||
<delimiter> OR </delimiter>
|
||||
<fieldForLabel>Type</fieldForLabel>
|
||||
<fieldForValue>Type</fieldForValue>
|
||||
</input>
|
||||
<input type="checkbox" searchWhenChanged="true" token="Audit_Type">
|
||||
<label>Security Events</label>
|
||||
<default>Denial,Audit Failure</default>
|
||||
<choice value="Audit Failure">Audit Failure</choice>
|
||||
<choice value="Audit Success">Audit Success</choice>
|
||||
<prefix>(</prefix>
|
||||
<suffix>)</suffix>
|
||||
<valuePrefix>"</valuePrefix>
|
||||
<valueSuffix>"</valueSuffix>
|
||||
<delimiter> OR </delimiter>
|
||||
<fieldForLabel>Audit Type</fieldForLabel>
|
||||
<fieldForValue>Audit Type</fieldForValue>
|
||||
<initialValue>Audit Failure</initialValue>
|
||||
</input>
|
||||
<input type="multiselect" searchWhenChanged="true" token="Computer">
|
||||
<label>Computer</label>
|
||||
<choice value="*">All</choice>
|
||||
<default>*</default>
|
||||
<prefix>(</prefix>
|
||||
<suffix>)</suffix>
|
||||
<valuePrefix>host="</valuePrefix>
|
||||
<valueSuffix>"</valueSuffix>
|
||||
<delimiter> OR </delimiter>
|
||||
<search>
|
||||
<query>`event_sources` | stats count by host</query>
|
||||
<earliest>$interval.earliest$</earliest>
|
||||
<latest>$interval.latest$</latest>
|
||||
</search>
|
||||
<fieldForLabel>host</fieldForLabel>
|
||||
<fieldForValue>host</fieldForValue>
|
||||
</input>
|
||||
<input type="text" searchWhenChanged="true" token="keyword">
|
||||
<label>Keyword:</label>
|
||||
<default>*</default>
|
||||
</input>
|
||||
<input type="multiselect" token="sourcetype_token" searchWhenChanged="true">
|
||||
<label>Excluded event sources</label>
|
||||
<default>none</default>
|
||||
<!-- The final value will be surrounded by prefix and suffix -->
|
||||
<prefix>(</prefix>
|
||||
<suffix>)</suffix>
|
||||
<!-- Each value will be surrounded by the valuePrefix and valueSuffix -->
|
||||
<valuePrefix>SourceName!="</valuePrefix>
|
||||
<valueSuffix>"</valueSuffix>
|
||||
<!-- All the values and their valuePrefix and valueSuffix will be concatenated together with the delimiter between them -->
|
||||
<delimiter> AND </delimiter>
|
||||
<choice value="none">None</choice>
|
||||
<search>
|
||||
<query>`event_sources` $Type$ AND $Computer$ AND $keyword$ | stats count by SourceName</query>
|
||||
<earliest>$interval.earliest$</earliest>
|
||||
<latest>$interval.latest$</latest>
|
||||
</search>
|
||||
<fieldForLabel>SourceName</fieldForLabel>
|
||||
<fieldForValue>SourceName</fieldForValue>
|
||||
</input>
|
||||
</fieldset>
|
||||
<row>
|
||||
<panel>
|
||||
<title>Errors</title>
|
||||
<single>
|
||||
<search>
|
||||
<query>`event_sources` Type="Error" AND $Computer$ AND $keyword$ | stats count</query>
|
||||
<earliest>$interval.earliest$</earliest>
|
||||
<latest>$interval.latest$</latest>
|
||||
<sampleRatio>1</sampleRatio>
|
||||
</search>
|
||||
<option name="colorBy">value</option>
|
||||
<option name="colorMode">block</option>
|
||||
<option name="drilldown">all</option>
|
||||
<option name="numberPrecision">0</option>
|
||||
<option name="rangeColors">["0xd93f3c","0xd93f3c"]</option>
|
||||
<option name="rangeValues">[0]</option>
|
||||
<option name="refresh.display">progressbar</option>
|
||||
<option name="showSparkline">1</option>
|
||||
<option name="showTrendIndicator">1</option>
|
||||
<option name="trellis.enabled">0</option>
|
||||
<option name="trellis.scales.shared">1</option>
|
||||
<option name="trellis.size">medium</option>
|
||||
<option name="trendColorInterpretation">standard</option>
|
||||
<option name="trendDisplayMode">absolute</option>
|
||||
<option name="unitPosition">after</option>
|
||||
<option name="useColors">1</option>
|
||||
<option name="useThousandSeparators">1</option>
|
||||
</single>
|
||||
</panel>
|
||||
<panel>
|
||||
<title>Warnings</title>
|
||||
<single>
|
||||
<search>
|
||||
<query>`event_sources` Type="Warning" AND $Computer$ AND $keyword$ | stats count</query>
|
||||
<earliest>$interval.earliest$</earliest>
|
||||
<latest>$interval.latest$</latest>
|
||||
<sampleRatio>1</sampleRatio>
|
||||
</search>
|
||||
<option name="colorBy">value</option>
|
||||
<option name="colorMode">block</option>
|
||||
<option name="drilldown">all</option>
|
||||
<option name="numberPrecision">0</option>
|
||||
<option name="rangeColors">["0xf7bc38","0xf7bc38"]</option>
|
||||
<option name="rangeValues">[0]</option>
|
||||
<option name="refresh.display">progressbar</option>
|
||||
<option name="showSparkline">1</option>
|
||||
<option name="showTrendIndicator">1</option>
|
||||
<option name="trellis.enabled">0</option>
|
||||
<option name="trellis.scales.shared">1</option>
|
||||
<option name="trellis.size">medium</option>
|
||||
<option name="trendColorInterpretation">standard</option>
|
||||
<option name="trendDisplayMode">absolute</option>
|
||||
<option name="unitPosition">after</option>
|
||||
<option name="useColors">1</option>
|
||||
<option name="useThousandSeparators">1</option>
|
||||
</single>
|
||||
</panel>
|
||||
<panel>
|
||||
<title>Information</title>
|
||||
<single>
|
||||
<search>
|
||||
<query>`event_sources` Type="Information" AND NOT ("Audit Success" OR "Audit Failure") AND $Computer$ AND $keyword$ | stats count</query>
|
||||
<earliest>$interval.earliest$</earliest>
|
||||
<latest>$interval.latest$</latest>
|
||||
<sampleRatio>1</sampleRatio>
|
||||
</search>
|
||||
<option name="colorBy">value</option>
|
||||
<option name="colorMode">block</option>
|
||||
<option name="drilldown">all</option>
|
||||
<option name="numberPrecision">0</option>
|
||||
<option name="rangeColors">["0x65a637","0x65a637"]</option>
|
||||
<option name="rangeValues">[0]</option>
|
||||
<option name="refresh.display">progressbar</option>
|
||||
<option name="showSparkline">1</option>
|
||||
<option name="showTrendIndicator">1</option>
|
||||
<option name="trellis.enabled">0</option>
|
||||
<option name="trellis.scales.shared">1</option>
|
||||
<option name="trellis.size">medium</option>
|
||||
<option name="trendColorInterpretation">standard</option>
|
||||
<option name="trendDisplayMode">absolute</option>
|
||||
<option name="unitPosition">after</option>
|
||||
<option name="useColors">1</option>
|
||||
<option name="useThousandSeparators">1</option>
|
||||
<drilldown>
|
||||
<link target="_blank">search?q=`event_sources` Type="Information" | stats count&earliest=$interval.earliest$&latest=$interval.latest$</link>
|
||||
</drilldown>
|
||||
</single>
|
||||
</panel>
|
||||
<panel>
|
||||
<title>Audit Failure</title>
|
||||
<single>
|
||||
<search>
|
||||
<query>`event_sources` "Audit Failure" AND $Computer$ AND $keyword$
|
||||
| stats count</query>
|
||||
<earliest>$interval.earliest$</earliest>
|
||||
<latest>$interval.latest$</latest>
|
||||
<sampleRatio>1</sampleRatio>
|
||||
</search>
|
||||
<option name="colorMode">block</option>
|
||||
<option name="drilldown">all</option>
|
||||
<option name="rangeColors">["0xf58f39","0xf58f39"]</option>
|
||||
<option name="rangeValues">[0]</option>
|
||||
<option name="refresh.display">progressbar</option>
|
||||
<option name="useColors">1</option>
|
||||
<drilldown>
|
||||
<link target="_blank">/app/eventid/audit_events</link>
|
||||
</drilldown>
|
||||
</single>
|
||||
</panel>
|
||||
<panel>
|
||||
<title>Audit Success</title>
|
||||
<single>
|
||||
<search>
|
||||
<query>`event_sources` Keywords="Audit Success" AND $Computer$ AND $keyword$ | stats count</query>
|
||||
<earliest>$interval.earliest$</earliest>
|
||||
<latest>$interval.latest$</latest>
|
||||
<sampleRatio>1</sampleRatio>
|
||||
</search>
|
||||
<option name="colorMode">block</option>
|
||||
<option name="drilldown">none</option>
|
||||
<option name="rangeColors">["0x6db7c6","0x6db7c6"]</option>
|
||||
<option name="rangeValues">[0]</option>
|
||||
<option name="refresh.display">progressbar</option>
|
||||
<option name="useColors">1</option>
|
||||
</single>
|
||||
</panel>
|
||||
<panel>
|
||||
<title>Logon Audit Failure</title>
|
||||
<single>
|
||||
<search>
|
||||
<query>`event_sources` Failure_Reason=* ("Audit Failure") AND $Computer$ AND $keyword$ | eval user=mvindex(Account_Name,1) | stats count</query>
|
||||
<earliest>-24h@h</earliest>
|
||||
<latest>now</latest>
|
||||
</search>
|
||||
<option name="colorMode">block</option>
|
||||
<option name="drilldown">all</option>
|
||||
<option name="rangeColors">["0xcc0000","0xcc0000"]</option>
|
||||
<option name="rangeValues">[0]</option>
|
||||
<option name="refresh.display">progressbar</option>
|
||||
<option name="useColors">1</option>
|
||||
<drilldown>
|
||||
<link target="_blank">/app/eventid/audit_events</link>
|
||||
</drilldown>
|
||||
</single>
|
||||
</panel>
|
||||
</row>
|
||||
<row>
|
||||
<panel>
|
||||
<title>Accounts with 3 or more failed logons</title>
|
||||
<chart>
|
||||
<search>
|
||||
<query>`event_sources` Failure_Reason=* * ("Audit Failure") AND $Computer$ AND $keyword$ | stats count by user | where count > 2</query>
|
||||
<earliest>$interval.earliest$</earliest>
|
||||
<latest>$interval.latest$</latest>
|
||||
<sampleRatio>1</sampleRatio>
|
||||
</search>
|
||||
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
|
||||
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
|
||||
<option name="charting.axisTitleX.visibility">visible</option>
|
||||
<option name="charting.axisTitleY.visibility">visible</option>
|
||||
<option name="charting.axisTitleY2.visibility">visible</option>
|
||||
<option name="charting.axisX.scale">linear</option>
|
||||
<option name="charting.axisY.scale">linear</option>
|
||||
<option name="charting.axisY2.enabled">0</option>
|
||||
<option name="charting.axisY2.scale">inherit</option>
|
||||
<option name="charting.chart">pie</option>
|
||||
<option name="charting.chart.bubbleMaximumSize">50</option>
|
||||
<option name="charting.chart.bubbleMinimumSize">10</option>
|
||||
<option name="charting.chart.bubbleSizeBy">area</option>
|
||||
<option name="charting.chart.nullValueMode">gaps</option>
|
||||
<option name="charting.chart.showDataLabels">none</option>
|
||||
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
|
||||
<option name="charting.chart.stackMode">default</option>
|
||||
<option name="charting.chart.style">shiny</option>
|
||||
<option name="charting.drilldown">all</option>
|
||||
<option name="charting.layout.splitSeries">0</option>
|
||||
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
|
||||
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
|
||||
<option name="charting.legend.placement">right</option>
|
||||
<option name="refresh.display">progressbar</option>
|
||||
</chart>
|
||||
</panel>
|
||||
<panel>
|
||||
<title>Top computers generating events</title>
|
||||
<chart>
|
||||
<search>
|
||||
<query>`event_sources` AND $Computer$ AND $keyword$ AND ($Audit_Type$ OR $Type$)
|
||||
| eval SourceName = coalesce(SourceName,source)
|
||||
| fillnull
|
||||
| search $sourcetype_token$
|
||||
| stats count by host</query>
|
||||
<earliest>$interval.earliest$</earliest>
|
||||
<latest>$interval.latest$</latest>
|
||||
</search>
|
||||
<option name="charting.chart">pie</option>
|
||||
<option name="charting.legend.placement">none</option>
|
||||
<option name="refresh.display">progressbar</option>
|
||||
<drilldown>
|
||||
<link target="_blank">/app/eventid/eventid?form.Computer=$row.host$</link>
|
||||
</drilldown>
|
||||
</chart>
|
||||
</panel>
|
||||
</row>
|
||||
<row>
|
||||
<panel>
|
||||
<title>Windows events over time</title>
|
||||
<chart>
|
||||
<search>
|
||||
<query>`event_sources` AND $Computer$ AND $keyword$ AND ($Audit_Type$ OR $Type$)
|
||||
| timechart count</query>
|
||||
<earliest>$interval.earliest$</earliest>
|
||||
<latest>$interval.latest$</latest>
|
||||
</search>
|
||||
<option name="charting.axisLabelsY.majorUnit">1</option>
|
||||
<option name="charting.axisTitleX.text">Time</option>
|
||||
<option name="charting.axisTitleY.text">Events</option>
|
||||
<option name="charting.axisY2.enabled">1</option>
|
||||
<option name="charting.chart">area</option>
|
||||
<option name="charting.chart.nullValueMode">gaps</option>
|
||||
<option name="charting.chart.overlayFields">"Audit Failure"</option>
|
||||
<option name="charting.chart.stackMode">default</option>
|
||||
<option name="charting.drilldown">all</option>
|
||||
<option name="charting.layout.splitSeries">0</option>
|
||||
<option name="charting.legend.placement">none</option>
|
||||
<option name="refresh.display">progressbar</option>
|
||||
</chart>
|
||||
</panel>
|
||||
</row>
|
||||
<row>
|
||||
<panel>
|
||||
<title>Events Summary - Links to www.eventid.net</title>
|
||||
<table id="link2">
|
||||
<search>
|
||||
<query>`event_sources` AND $Computer$ AND $keyword$ AND ($Audit_Type$ OR $Type$)
|
||||
| eval SourceName = coalesce(SourceName,Provider)
|
||||
| eval Type = coalesce(Type,Keyword)
|
||||
| fillnull value="-"
|
||||
| stats earliest(_time) as First latest(_time) as Last count by host, EventCode, SourceName, Type
|
||||
| sort -count host, EventCode, SourceName, Type
|
||||
| rename EventCode as "EventId"
|
||||
| fieldformat First=strftime(First,"%x %X")
|
||||
| fieldformat Last=strftime(Last,"%x %X")</query>
|
||||
<earliest>$interval.earliest$</earliest>
|
||||
<latest>$interval.latest$</latest>
|
||||
</search>
|
||||
<option name="count">10</option>
|
||||
<option name="dataOverlayMode">none</option>
|
||||
<option name="drilldown">cell</option>
|
||||
<option name="refresh.display">progressbar</option>
|
||||
<option name="rowNumbers">false</option>
|
||||
<option name="wrap">true</option>
|
||||
<drilldown>
|
||||
<link target="_blank">https://www.eventid.net/display.asp?eventid=$row.EventId$&source=$row.SourceName$&app=SplunkEvId</link>
|
||||
</drilldown>
|
||||
</table>
|
||||
</panel>
|
||||
</row>
|
||||
<row>
|
||||
<panel>
|
||||
<title>Events List</title>
|
||||
<table id="link">
|
||||
<search>
|
||||
<query>`event_sources` AND $Computer$ AND $keyword$ AND ($Audit_Type$ OR $Type$)
|
||||
| eval SourceName = coalesce(SourceName,Provider)
|
||||
| eval Type = coalesce(Type,Keyword)
|
||||
| fillnull
|
||||
| table _time, host, EventCode, SourceName, Type, Message
|
||||
| rename EventCode as "EventId"</query>
|
||||
<earliest>$interval.earliest$</earliest>
|
||||
<latest>$interval.latest$</latest>
|
||||
</search>
|
||||
<option name="count">10</option>
|
||||
<option name="dataOverlayMode">none</option>
|
||||
<option name="drilldown">cell</option>
|
||||
<option name="refresh.display">progressbar</option>
|
||||
<option name="rowNumbers">false</option>
|
||||
<option name="wrap">true</option>
|
||||
</table>
|
||||
</panel>
|
||||
</row>
|
||||
</form>
|
||||
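--- a/PATH-NOT-ON-PAGE
+++ b/PATH-NOT-ON-PAGE
@@ -0,0 +1,55 @@
+<form>
+<label>Interesting Events</label>
+<description>Click on the event to check it on www.eventid.net</description>
+<fieldset autoRun="true" submitButton="false">
+<input type="time" searchWhenChanged="true" token="interval">
+<label>Select time range</label>
+<default>
+<earliest>-24h@h</earliest>
+<latest>now</latest>
+</default>
+</input>
+<input type="multiselect" searchWhenChanged="true" token="Computer">
+<label>Computer</label>
+<choice value="*">All</choice>
+<default>*</default>
+<prefix>(</prefix>
+<suffix>)</suffix>
+<valuePrefix>ComputerName="</valuePrefix>
+<valueSuffix>"</valueSuffix>
+<delimiter> OR </delimiter>
+<search>
+<query>`event_sources` | stats count by ComputerName</query>
+<earliest>$interval.earliest$</earliest>
+<latest>$interval.latest$</latest>
+</search>
+<fieldForLabel>ComputerName</fieldForLabel>
+<fieldForValue>ComputerName</fieldForValue>
+</input>
+<input type="text" searchWhenChanged="true" token="keyword">
+<label>Keyword:</label>
+<default>*</default>
+</input>
+</fieldset>
+<row>
+<panel>
+<title>Interesting Events</title>
+<table>
+<search>
+<query>`event_sources` AND $Computer$ AND $keyword$ | lookup interesting_events_lookup event_id AS EventCode, source AS SourceName OUTPUT source,description | search description="*" | table _time, ComputerName, EventCode, SourceName, Type, Message,description | rename EventCode as "EventId", description as "Why is it interesting?"</query>
+<earliest>$interval.earliest$</earliest>
+<latest>$interval.latest$</latest>
+<sampleRatio>1</sampleRatio>
+</search>
+<option name="count">20</option>
+<option name="dataOverlayMode">none</option>
+<option name="drilldown">none</option>
+<option name="percentagesRow">false</option>
+<option name="refresh.display">progressbar</option>
+<option name="rowNumbers">false</option>
+<option name="totalsRow">false</option>
+<option name="wrap">true</option>
+</table>
+</panel>
+</row>
+</form>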
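Review bot: The form description promises that clicking an event looks it up on www.eventid.net, but the Interesting Events table sets `<option name="drilldown">none</option>` and has no `<drilldown>` element, so a click does nothing. Either remove that sentence from the description or mirror the Events Summary table of the previous dashboard: set the option to `cell` and add a `<drilldown>` whose link is `https://www.eventid.net/display.asp?eventid=$row.EventId$&source=$row.SourceName$&app=SplunkEvId`, which the query's `rename EventCode as "EventId"` already supports. If the drilldown is added, the description should also state that the lookup opens an external site with the event id and source name, since that is data leaving the environment.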
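--- a/PATH-NOT-ON-PAGE
+++ b/PATH-NOT-ON-PAGE
@@ -0,0 +1,189 @@
+<form>
+<label>Processes</label>
+<description>List of processes identified through event id 4688 and listed in the www.eventid.net list of processes that may indicate suspicious activity. To generate event id 4688, a system requires the audit of process creation. See the documentation for more details.</description>
+<fieldset autoRun="true" submitButton="false">
+<input type="time" searchWhenChanged="true" token="interval">
+<label>Select time range</label>
+<default>
+<earliest>-24h@h</earliest>
+<latest>now</latest>
+</default>
+</input>
+<input type="multiselect" token="Computer" searchWhenChanged="true">
+<label>Computer</label>
+<choice value="*">All</choice>
+<default>*</default>
+<prefix>(</prefix>
+<suffix>)</suffix>
+<valuePrefix>ComputerName="</valuePrefix>
+<valueSuffix>"</valueSuffix>
+<delimiter> OR </delimiter>
+<search>
+<query>`event_sources` (EventCode=4688) | stats count by ComputerName</query>
+<earliest>$interval.earliest$</earliest>
+<latest>$interval.latest$</latest>
+</search>
+<fieldForLabel>ComputerName</fieldForLabel>
+<fieldForValue>ComputerName</fieldForValue>
+</input>
+<input type="multiselect" token="process_id" searchWhenChanged="true">
+<label>Process Id</label>
+<choice value="*">All</choice>
+<default>*</default>
+<prefix>(</prefix>
+<suffix>)</suffix>
+<valuePrefix>New_Process_ID="</valuePrefix>
+<valueSuffix>"</valueSuffix>
+<delimiter> OR </delimiter>
+<search>
+<query>`event_sources` (EventCode=4688) | stats count by New_Process_ID</query>
+<earliest>$interval.earliest$</earliest>
+<latest>$interval.latest$</latest>
+</search>
+<fieldForLabel>New_Process_ID</fieldForLabel>
+<fieldForValue>New_Process_ID</fieldForValue>
+</input>
+<input type="multiselect" token="creator" searchWhenChanged="true">
+<label>Creator Process Id</label>
+<choice value="*">All</choice>
+<default>*</default>
+<prefix>(</prefix>
+<suffix>)</suffix>
+<valuePrefix>Creator_Process_ID="</valuePrefix>
+<valueSuffix>"</valueSuffix>
+<delimiter> OR </delimiter>
+<search>
+<query>`event_sources` (EventCode=4688) | stats count by Creator_Process_ID</query>
+<earliest>$interval.earliest$</earliest>
+<latest>$interval.latest$</latest>
+</search>
+<fieldForLabel>Creator_Process_ID</fieldForLabel>
+<fieldForValue>Creator_Process_ID</fieldForValue>
+</input>
+<input type="text" token="keyword" searchWhenChanged="true">
+<label>Keyword:</label>
+<default>*</default>
+</input>
+<input type="radio" token="nocomputer" searchWhenChanged="true">
+<label>Hide computer accounts related events</label>
+<choice value="Account_Name != "*$*"">Yes</choice>
+<choice value="">No</choice>
+<default>Account_Name != "*$*"</default>
+<initialValue>Account_Name != "*$*"</initialValue>
+</input>
+<input type="radio" token="nocmdpowershell" searchWhenChanged="true">
+<label>Filter out cmd.exe and powershell.exe</label>
+<choice value="AND NOT (New_Process_Name = "*cmd.exe*" OR New_Process_Name = "*powershell.exe*")">Yes</choice>
+<choice value="New_Process_Name = "*"">No</choice>
+<default>New_Process_Name = "*"</default>
+<initialValue>New_Process_Name = "*"</initialValue>
+</input>
+</fieldset>
+<row>
+<panel>
+<title>Interesting Processes</title>
+<table>
+<search>
+<query>`event_sources` AND $Computer$ AND $keyword$ $nocomputer$ $creator$ $process_id$ $nocmdpowershell$ (EventCode=4688) | lookup processlookup full_path_process as New_Process_Name OUTPUT process | lookup interesting_process_lookup process OUTPUT Category,Process_Details | search Category="*" | table _time, host, Account_Name, Process_Command_Line, process,Category,Process_Details, New_Process_ID,
+Creator_Process_ID | rename host as Server,process as Process,Process_Details as "Interesting Process Details"</query>
+<earliest>$interval.earliest$</earliest>
+<latest>$interval.latest$</latest>
+<sampleRatio>1</sampleRatio>
+</search>
+<option name="count">20</option>
+<option name="dataOverlayMode">none</option>
+<option name="drilldown">cell</option>
+<option name="percentagesRow">false</option>
+<option name="refresh.display">progressbar</option>
+<option name="rowNumbers">false</option>
+<option name="totalsRow">false</option>
+<option name="wrap">true</option>
+</table>
+</panel>
+</row>
+<row>
+<panel>
+<title>Last 100 Processes</title>
+<table>
+<search>
+<query>`event_sources` (EventCode=4688) AND $Computer$ AND $keyword$ $nocomputer$ $creator$ $process_id$ $nocmdpowershell$
+| head 100
+| table _time, host,Account_Name, New_Process_Name,Process_Command_Line, New_Process_ID,
+Creator_Process_ID</query>
+<earliest>$interval.earliest$</earliest>
+<latest>$interval.latest$</latest>
+<sampleRatio>1</sampleRatio>
+</search>
+<option name="count">20</option>
+<option name="dataOverlayMode">none</option>
+<option name="drilldown">cell</option>
+<option name="percentagesRow">false</option>
+<option name="refresh.display">progressbar</option>
+<option name="rowNumbers">false</option>
+<option name="totalsRow">false</option>
+<option name="wrap">true</option>
+</table>
+</panel>
+</row>
+<row>
+<panel>
+<title>Top Processes</title>
+<table>
+<search>
+<query>`event_sources` (EventCode=4688) AND $Computer$ AND $keyword$ $nocomputer$ $creator$ $process_id$ $nocmdpowershell$ | stats count by host, New_Process_Name | table host, New_Process_Name,count | sort -count | rename count as Count</query>
+<earliest>$interval.earliest$</earliest>
+<latest>$interval.latest$</latest>
+<sampleRatio>1</sampleRatio>
+</search>
+<option name="count">20</option>
+<option name="dataOverlayMode">none</option>
+<option name="drilldown">cell</option>
+<option name="percentagesRow">false</option>
+<option name="rowNumbers">false</option>
+<option name="totalsRow">false</option>
+<option name="wrap">true</option>
+</table>
+</panel>
+</row>
+<row>
+<panel>
+<title>Least Common Processes</title>
+<table>
+<search>
+<query>`event_sources` (EventCode=4688) AND $Computer$ AND $keyword$ $nocomputer$ $creator$ $process_id$ $nocmdpowershell$ | stats count by host, New_Process_Name | table host, New_Process_Name,count | sort count| rename count as Count</query>
+<earliest>$interval.earliest$</earliest>
+<latest>$interval.latest$</latest>
+<sampleRatio>1</sampleRatio>
+</search>
+<option name="count">20</option>
+<option name="dataOverlayMode">none</option>
+<option name="drilldown">cell</option>
+<option name="percentagesRow">false</option>
+<option name="rowNumbers">false</option>
+<option name="totalsRow">false</option>
+<option name="wrap">true</option>
+</table>
+</panel>
+</row>
+<row>
+<panel>
+<title>Unusually Long CLI Commands</title>
+<table>
+<search>
+<query>`event_sources` (EventCode=4688) AND (ComputerName="*") AND * Account_Name != "*$$*" (Creator_Process_ID="*") (New_Process_ID="*") New_Process_Name = "*" | head 100 | table _time, host,Account_Name, New_Process_Name,Process_Command_Line, New_Process_ID,
+Creator_Process_ID</query>
+<earliest>-24h@h</earliest>
+<latest>now</latest>
+<sampleRatio>1</sampleRatio>
+</search>
+<option name="count">20</option>
+<option name="dataOverlayMode">none</option>
+<option name="drilldown">cell</option>
+<option name="percentagesRow">false</option>
+<option name="rowNumbers">false</option>
+<option name="totalsRow">false</option>
+<option name="wrap">true</option>
+</table>
+</panel>
+</row>
+</form>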
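Review bot: The "Unusually Long CLI Commands" panel never evaluates command length: its query ends in a bare `| head 100` with no length computation, so it lists the first 100 process-creation events rather than the longest command lines, and it hard-codes `-24h@h`/`now` plus literal `ComputerName="*"`-style filters instead of the `$interval$`, `$Computer$`, `$keyword$`, `$nocomputer$`, `$creator$`, `$process_id$` and `$nocmdpowershell$` tokens every other panel in this form uses, so the fieldset has no effect on it. A minimal fix replaces the bare head with `| eval cmd_len=len(Process_Command_Line) | sort -cmd_len | head 100`, uses `<earliest>$interval.earliest$</earliest>` and `<latest>$interval.latest$</latest>` as the sibling panels do, and carries the same token list in the base search. Separately, if `value="Account_Name != "*$*""` on the nocomputer radio choice is the literal file content rather than the page decoding `&quot;`, the attribute is not well-formed XML and the inner quotes need escaping; the same applies to both nocmdpowershell choices.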
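--- a/PATH-NOT-ON-PAGE
+++ b/PATH-NOT-ON-PAGE
@@ -0,0 +1,225 @@
+<form>
+<label>Users and Groups</label>
+<description>Users and Groups Activities</description>
+<fieldset submitButton="false">
+<input type="time" token="interval">
+<label>Time interval</label>
+<default>
+<earliest>-24h@h</earliest>
+<latest>now</latest>
+</default>
+</input>
+<input type="text" token="keyword" searchWhenChanged="true">
+<label>Filter</label>
+<default>*</default>
+<initialValue>*</initialValue>
+</input>
+</fieldset>
+<row>
+<panel>
+<title>Users Created</title>
+<chart>
+<search>
+<query>`event_sources` eventtype=windows_account_created $keyword$
+| timechart count</query>
+<earliest>$interval.earliest$</earliest>
+<latest>$interval.latest$</latest>
+<sampleRatio>1</sampleRatio>
+</search>
+<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
+<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
+<option name="charting.axisTitleX.visibility">visible</option>
+<option name="charting.axisTitleY.visibility">visible</option>
+<option name="charting.axisTitleY2.visibility">visible</option>
+<option name="charting.axisX.abbreviation">none</option>
+<option name="charting.axisX.scale">linear</option>
+<option name="charting.axisY.abbreviation">none</option>
+<option name="charting.axisY.scale">linear</option>
+<option name="charting.axisY2.abbreviation">none</option>
+<option name="charting.axisY2.enabled">0</option>
+<option name="charting.axisY2.scale">inherit</option>
+<option name="charting.chart">column</option>
+<option name="charting.chart.bubbleMaximumSize">50</option>
+<option name="charting.chart.bubbleMinimumSize">10</option>
+<option name="charting.chart.bubbleSizeBy">area</option>
+<option name="charting.chart.nullValueMode">gaps</option>
+<option name="charting.chart.showDataLabels">all</option>
+<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
+<option name="charting.chart.stackMode">default</option>
+<option name="charting.chart.style">shiny</option>
+<option name="charting.drilldown">all</option>
+<option name="charting.layout.splitSeries">0</option>
+<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
+<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
+<option name="charting.legend.mode">standard</option>
+<option name="charting.legend.placement">bottom</option>
+<option name="charting.lineWidth">2</option>
+<option name="refresh.display">progressbar</option>
+<option name="trellis.enabled">0</option>
+<option name="trellis.scales.shared">1</option>
+<option name="trellis.size">medium</option>
+</chart>
+</panel>
+<panel>
+<title>Attempts to login with disabled accounts</title>
+<table>
+<search>
+<query>`event_sources` name="*currently disabled*" $keyword$
+| eval domain=mvindex(Account_Domain,1)
+| eval source_computer = coalesce(Workstation_Name,src_ip)
+| eval domain = coalesce(domain,src_nt_domain)
+| table _time,host,domain,user,source_computer</query>
+<earliest>$interval.earliest$</earliest>
+<latest>$interval.latest$</latest>
+<sampleRatio>1</sampleRatio>
+</search>
+<option name="count">20</option>
+<option name="dataOverlayMode">none</option>
+<option name="drilldown">cell</option>
+<option name="percentagesRow">false</option>
+<option name="refresh.display">progressbar</option>
+<option name="rowNumbers">false</option>
+<option name="totalsRow">false</option>
+<option name="wrap">true</option>
+</table>
+</panel>
+</row>
+<row>
+<panel>
+<title>Users Added to Domain Admins or Enterprise Admins</title>
+<table>
+<search>
+<query>`event_sources` name="A member was added to a security-enabled *" AND ("Enterprise Admins" OR "Domain Admins") $keyword$
+| rename dest_nt_domain as domain, EventCode as "event id", Display_Name as "user name",host as server
+| dedup _time,user
+| eval added_by=mvindex(Security_ID,0)
+| eval user=mvindex(Security_ID,1)
+| table _time, server,domain, user,added_by</query>
+<earliest>$interval.earliest$</earliest>
+<latest>$interval.latest$</latest>
+<sampleRatio>1</sampleRatio>
+</search>
+<option name="count">20</option>
+<option name="dataOverlayMode">none</option>
+<option name="drilldown">cell</option>
+<option name="percentagesRow">false</option>
+<option name="refresh.display">progressbar</option>
+<option name="rowNumbers">false</option>
+<option name="totalsRow">false</option>
+<option name="wrap">true</option>
+</table>
+</panel>
+<panel>
+<title>Users Added to local Administrators</title>
+<table>
+<search>
+<query>`event_sources` name="A member was added to a security-enabled local group" AND user_group="Administrators" $keyword$
+| rename dest_nt_domain as domain, EventCode as "event id", Display_Name as "user name",host as server
+| eval added_by=mvindex(Security_ID,0)
+| eval user=mvindex(Security_ID,1)
+| table _time, server,domain, user,added_by</query>
+<earliest>$interval.earliest$</earliest>
+<latest>$interval.latest$</latest>
+<sampleRatio>1</sampleRatio>
+</search>
+<option name="count">20</option>
+<option name="dataOverlayMode">none</option>
+<option name="drilldown">cell</option>
+<option name="percentagesRow">false</option>
+<option name="refresh.display">progressbar</option>
+<option name="rowNumbers">false</option>
+<option name="totalsRow">false</option>
+<option name="wrap">true</option>
+</table>
+</panel>
+</row>
+<row>
+<panel>
+<title>Users Created</title>
+<table>
+<search>
+<query>`event_sources` eventtype=windows_account_created
+| rename dest_nt_domain as domain, EventCode as "event id", Display_Name as "user name",host as server
+| dedup _time,user
+| eval created_by=mvindex(Account_Name,0)
+| table _time, server,domain, user,"user name", created_by
+| sort _time</query>
+<earliest>$interval.earliest$</earliest>
+<latest>$interval.latest$</latest>
+<sampleRatio>1</sampleRatio>
+</search>
+<option name="count">20</option>
+<option name="dataOverlayMode">none</option>
+<option name="drilldown">cell</option>
+<option name="percentagesRow">false</option>
+<option name="refresh.display">progressbar</option>
+<option name="rowNumbers">false</option>
+<option name="totalsRow">false</option>
+<option name="wrap">true</option>
+</table>
+</panel>
+<panel>
+<title>Users Deleted</title>
+<table>
+<search>
+<query>`event_sources` AND eventtype=windows_account_deleted $keyword$
+| eval deleted_by=mvindex(Account_Name,0)
+| table _time, host, user,deleted_by
+| sort _time</query>
+<earliest>$interval.earliest$</earliest>
+<latest>$interval.latest$</latest>
+<sampleRatio>1</sampleRatio>
+</search>
+<option name="drilldown">cell</option>
+<option name="refresh.display">progressbar</option>
+</table>
+</panel>
+</row>
+<row>
+<panel>
+<title>Groups Created</title>
+<table>
+<search>
+<query>`event_sources` name="A security-enabled global group was created"
+| dedup _time,Group_Name
+| rename dest_nt_domain as domain, EventCode as "event id", user as "created_by",host as server
+| table _time, server,domain,Group_Name, created_by
+| sort _time</query>
+<earliest>$interval.earliest$</earliest>
+<latest>$interval.latest$</latest>
+<sampleRatio>1</sampleRatio>
+</search>
+<option name="count">20</option>
+<option name="dataOverlayMode">none</option>
+<option name="drilldown">cell</option>
+<option name="percentagesRow">false</option>
+<option name="refresh.display">progressbar</option>
+<option name="rowNumbers">false</option>
+<option name="totalsRow">false</option>
+<option name="wrap">true</option>
+</table>
+</panel>
+<panel>
+<title>Groups Deleted</title>
+<table>
+<search>
+<query>`event_sources` name="A security-enabled global group was deleted" $keyword$
+| rename dest_nt_domain as domain, EventCode as "event id", user as "Deleted by",host as server
+| table _time, server,domain,Group_Name, "Deleted by"
+| sort _time</query>
+<earliest>$interval.earliest$</earliest>
+<latest>$interval.latest$</latest>
+<sampleRatio>1</sampleRatio>
+</search>
+<option name="count">20</option>
+<option name="dataOverlayMode">none</option>
+<option name="drilldown">cell</option>
+<option name="percentagesRow">false</option>
+<option name="refresh.display">progressbar</option>
+<option name="rowNumbers">false</option>
+<option name="totalsRow">false</option>
+<option name="wrap">true</option>
+</table>
+</panel>
+</row>
+</form>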
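Review bot: The Filter input is applied inconsistently: the "Users Created" table (`eventtype=windows_account_created` with nothing after it) and the "Groups Created" table (`name="A security-enabled global group was created"`) omit `$keyword$`, while the "Users Created" chart, "Users Deleted", "Groups Deleted" and the admin-group panels include it, so typing a filter narrows some panels and silently leaves those two unchanged; appending ` $keyword$` to both base searches, as the sibling queries do, makes the form behave uniformly. In the Domain/Enterprise Admins panel, `| dedup _time,user` runs before `| eval user=mvindex(Security_ID,1)` redefines `user`, so deduplication keys on whatever `user` value the events already carry; if the intent is to dedup on the added member, the eval should precede the dedup. The "Attempts to login with disabled accounts" panel matches on message text (`name="*currently disabled*"`), which presumably depends on the rendered event message; keying on the event code and its status fields would be more robust, though I cannot confirm from this file which fields the `event_sources` macro exposes.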
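--- a/PATH-NOT-ON-PAGE
+++ b/PATH-NOT-ON-PAGE
@@ -0,0 +1,120 @@
+<form>
+<label>Event Sources</label>
+<description>Click on the event source to check it on www.eventid.net</description>
+<fieldset autoRun="true" submitButton="false">
+<input type="time" searchWhenChanged="true">
+<label>Select time range</label>
+<default>
+<earliest>-24h@h</earliest>
+<latest>now</latest>
+</default>
+</input>
+<input type="multiselect" token="Type" searchWhenChanged="true">
+<label>Event types</label>
+<default>Error</default>
+<prefix>(</prefix>
+<suffix>)</suffix>
+<valuePrefix>Type="</valuePrefix>
+<valueSuffix>"</valueSuffix>
+<delimiter> OR </delimiter>
+<search>
+<query>`event_sources`| stats count by Type</query>
+<earliest>$earliest$</earliest>
+<latest>$latest$</latest>
+</search>
+<fieldForLabel>Type</fieldForLabel>
+<fieldForValue>Type</fieldForValue>
+</input>
+<input type="multiselect" token="Computer" searchWhenChanged="true">
+<label>Computer</label>
+<choice value="*">All</choice>
+<default>*</default>
+<prefix>(</prefix>
+<suffix>)</suffix>
+<valuePrefix>ComputerName="</valuePrefix>
+<valueSuffix>"</valueSuffix>
+<delimiter> OR </delimiter>
+<search>
+<query>`event_sources` | stats count by ComputerName</query>
+<earliest>$earliest$</earliest>
+<latest>$latest$</latest>
+</search>
+<fieldForLabel>ComputerName</fieldForLabel>
+<fieldForValue>ComputerName</fieldForValue>
+</input>
+<input type="text" token="keyword" searchWhenChanged="true">
+<label>Keyword:</label>
+<default>*</default>
+</input>
+</fieldset>
+<row>
+<panel>
+<title>Event sources</title>
+<table id="link">
+<title>Click on the source to look it up on www.eventid.net</title>
+<search>
+<query>`event_sources` $Type$ AND $Computer$ AND $keyword$ | stats count as TotalEvents by SourceName</query>
+</search>
+<drilldown>
+<link target="_blank">https://www.eventid.net/source-name-$row.SourceName$.htm</link>
+</drilldown>
+<option name="wrap">true</option>
+<option name="rowNumbers">false</option>
+<option name="dataOverlayMode">none</option>
+<option name="count">10</option>
+<option name="drilldown">cell</option>
+</table>
+</panel>
+<panel>
+<title>Event sources percentages</title>
+<chart>
+<search>
+<query>`event_sources` $Type$ AND $Computer$ AND $keyword$ | stats count by SourceName</query>
+</search>
+<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
+<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
+<option name="charting.axisTitleX.visibility">visible</option>
+<option name="charting.axisTitleY.visibility">visible</option>
+<option name="charting.axisTitleY2.visibility">visible</option>
+<option name="charting.axisX.scale">linear</option>
+<option name="charting.axisY.scale">linear</option>
+<option name="charting.axisY2.enabled">0</option>
+<option name="charting.axisY2.scale">inherit</option>
+<option name="charting.chart">pie</option>
+<option name="charting.chart.bubbleMaximumSize">50</option>
+<option name="charting.chart.bubbleMinimumSize">10</option>
+<option name="charting.chart.bubbleSizeBy">area</option>
+<option name="charting.chart.nullValueMode">gaps</option>
+<option name="charting.chart.showDataLabels">none</option>
+<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
+<option name="charting.chart.stackMode">default</option>
+<option name="charting.chart.style">shiny</option>
+<option name="charting.drilldown">all</option>
+<option name="charting.layout.splitSeries">0</option>
+<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
+<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
+<option name="charting.legend.placement">right</option>
+</chart>
+</panel>
+</row>
+<row>
+<panel>
+<title>Matching events - drill down option</title>
+<event>
+<search>
+<query>`event_sources` $Type$ AND $Computer$ AND $keyword$| table _time, ComputerName, LogName, EventCode, SourceName, Type, Message, UserName</query>
+</search>
+<option name="type">table</option>
+<option name="count">10</option>
+<option name="list.drilldown">full</option>
+<option name="list.wrap">1</option>
+<option name="maxLines">5</option>
+<option name="raw.drilldown">full</option>
+<option name="rowNumbers">0</option>
+<option name="table.drilldown">all</option>
+<option name="table.wrap">1</option>
+<fields>["ComputerName","LogName","EventCode","SourceName","Type","Message","UserName"]</fields>
+</event>
+</panel>
+</row>
+</form>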
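Review bot: The Event sources table drilldown interpolates `$row.SourceName$` unencoded into `https://www.eventid.net/source-name-$row.SourceName$.htm`, so source names containing spaces, slashes or other URL-reserved characters produce a broken or misdirected link. Simple XML's URL-encoding token filter addresses this: `https://www.eventid.net/source-name-$row.SourceName|u$.htm`. Since this drilldown sends provider names observed in the customer's environment to an external site, a short note in the form description saying that the lookup opens www.eventid.net with the selected source name would let operators judge whether that egress is acceptable for their deployment.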
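--- /dev/null
+++ b/[path not shown on page - dashboard xml]
@@ -0,0 +1,208 @@
+<form>
+<label>XML</label>
+<description>Dashboard for events collected using the renderXML option</description>
+<fieldset autoRun="true" submitButton="false">
+<input type="time" searchWhenChanged="true" token="interval">
+<label>Select time range</label>
+<default>
+<earliest>-24h@h</earliest>
+<latest>now</latest>
+</default>
+</input>
+<input type="checkbox" searchWhenChanged="true" token="Type">
+<label>Event types</label>
+<choice value="2">Error</choice>
+<choice value="3">Warning</choice>
+<choice value="4">Information</choice>
+<choice value="0">Audit</choice>
+<prefix>(</prefix>
+<suffix>)</suffix>
+<valuePrefix>Level="</valuePrefix>
+<valueSuffix>"</valueSuffix>
+<delimiter> OR </delimiter>
+<fieldForLabel>Level</fieldForLabel>
+<fieldForValue>Level</fieldForValue>
+<default>3,2</default>
+<initialValue>2,3</initialValue>
+</input>
+<input type="multiselect" searchWhenChanged="true" token="Computer">
+<label>Computer</label>
+<choice value="*">All</choice>
+<default>*</default>
+<prefix>(</prefix>
+<suffix>)</suffix>
+<valuePrefix>Computer="</valuePrefix>
+<valueSuffix>"</valueSuffix>
+<delimiter> OR </delimiter>
+<search>
+<query>`event_sources_xml` | stats count by Computer</query>
+<earliest>$interval.earliest$</earliest>
+<latest>$interval.latest$</latest>
+</search>
+<fieldForLabel>Computer</fieldForLabel>
+<fieldForValue>Computer</fieldForValue>
+</input>
+<input type="text" searchWhenChanged="true" token="keyword">
+<label>Keyword:</label>
+<default>*</default>
+</input>
+<input type="multiselect" token="sourcetype_token" searchWhenChanged="true">
+<label>Excluded event sources</label>
+<default>none</default>
+<!-- The final value will be surrounded by prefix and suffix -->
+<prefix>(</prefix>
+<suffix>)</suffix>
+<!-- Each value will be surrounded by the valuePrefix and valueSuffix -->
+<valuePrefix>Name!="</valuePrefix>
+<valueSuffix>"</valueSuffix>
+<!-- All the values and their valuePrefix and valueSuffix will be concatenated together with the delimiter between them -->
+<delimiter> AND </delimiter>
+<choice value="none">None</choice>
+<search>
+<query>`event_sources_xml` $Type$ AND $Computer$ AND $keyword$ | rex field=Name mode=sed "s/\'//g" | stats count by Name</query>
+<earliest>$interval.earliest$</earliest>
+<latest>$interval.latest$</latest>
+</search>
+<fieldForLabel>Name</fieldForLabel>
+<fieldForValue>Name</fieldForValue>
+</input>
+</fieldset>
+<row>
+<panel>
+<title>Windows events over time</title>
+<chart>
+<search>
+<query>`event_sources_xml`
+| search $Type$ $Computer$ AND $keyword$
+| lookup xmleventtype_lookup xml_type AS Level OUTPUT event_type
+| timechart count by event_type</query>
+<earliest>$interval.earliest$</earliest>
+<latest>$interval.latest$</latest>
+</search>
+<option name="charting.axisLabelsY.majorUnit">1</option>
+<option name="charting.axisTitleX.text">Time</option>
+<option name="charting.axisTitleY.text">Events</option>
+<option name="charting.chart">line</option>
+<option name="charting.chart.nullValueMode">gaps</option>
+<option name="charting.legend.placement">bottom</option>
+<option name="refresh.display">progressbar</option>
+</chart>
+</panel>
+<panel>
+<title>Top computers generating events</title>
+<chart>
+<search>
+<query>`event_sources_xml` | fillnull value="-" | search $Computer$ AND $keyword$ | stats count by Computer</query>
+<earliest>$interval.earliest$</earliest>
+<latest>$interval.latest$</latest>
+</search>
+<option name="charting.chart">pie</option>
+<option name="charting.legend.placement">none</option>
+<option name="refresh.display">progressbar</option>
+</chart>
+</panel>
+<panel>
+<title>Accounts with 3 or more failed logons</title>
+<chart>
+<search>
+<query>`event_sources_xml` eventtype=windows_logon_failure | stats count by user | where count > 2</query>
+<earliest>$interval.earliest$</earliest>
+<latest>$interval.latest$</latest>
+<sampleRatio>1</sampleRatio>
+</search>
+<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
+<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
+<option name="charting.axisTitleX.visibility">visible</option>
+<option name="charting.axisTitleY.visibility">visible</option>
+<option name="charting.axisTitleY2.visibility">visible</option>
+<option name="charting.axisX.scale">linear</option>
+<option name="charting.axisY.scale">linear</option>
+<option name="charting.axisY2.enabled">0</option>
+<option name="charting.axisY2.scale">inherit</option>
+<option name="charting.chart">pie</option>
+<option name="charting.chart.bubbleMaximumSize">50</option>
+<option name="charting.chart.bubbleMinimumSize">10</option>
+<option name="charting.chart.bubbleSizeBy">area</option>
+<option name="charting.chart.nullValueMode">gaps</option>
+<option name="charting.chart.showDataLabels">none</option>
+<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
+<option name="charting.chart.stackMode">default</option>
+<option name="charting.chart.style">shiny</option>
+<option name="charting.drilldown">all</option>
+<option name="charting.layout.splitSeries">0</option>
+<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
+<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
+<option name="charting.legend.placement">right</option>
+<option name="refresh.display">progressbar</option>
+</chart>
+</panel>
+<panel>
+<title>Logon Audit Failure events</title>
+<single>
+<search>
+<query>`event_sources_xml` eventtype=windows_logon_failure | eval user=mvindex(Account_Name,1) | stats count</query>
+<earliest>$interval.earliest$</earliest>
+<latest>$interval.latest$</latest>
+</search>
+<option name="rangeValues">[0,2,5,10]</option>
+<option name="refresh.display">progressbar</option>
+<option name="useColors">1</option>
+</single>
+</panel>
+</row>
+<row>
+<panel>
+<title>Events Summary</title>
+<table id="link2">
+<search>
+<query>`event_sources_xml` | search $Type$ $Computer$ | lookup xmleventtype_lookup xml_type AS Level OUTPUT event_type | rex field=Name mode=sed "s/\'//g" | stats earliest(_time) as First latest(_time) as Last count by Computer,EventID,Name,Channel, event_type,eventtype | sort -count Computer,EventID,Name,Channel, event_type,eventtype | fieldformat First=strftime(First,"%x %X") | fieldformat Last=strftime(Last,"%x %X") | rename Channel as Log, Name as Source,event_type as Level,eventtype as Category</query>
+<earliest>$interval.earliest$</earliest>
+<latest>$interval.latest$</latest>
+</search>
+<option name="count">10</option>
+<option name="dataOverlayMode">none</option>
+<option name="drilldown">cell</option>
+<option name="refresh.display">progressbar</option>
+<option name="rowNumbers">false</option>
+<option name="wrap">true</option>
+<drilldown>
+<link target="_blank">https://www.eventid.net/display.asp?eventid=$row.EventId$&source=$row.SourceName$&app=SplunkEvId</link>
+</drilldown>
+</table>
+</panel>
+<panel>
+<title>Logon Audit Failure events</title>
+<table>
+<search>
+<query>`event_sources_xml` eventtype=windows_logon_failure | table _time,Computer,EventID,user,WorkstationName,LogonType,name | rename name as Details</query>
+<earliest>$interval.earliest$</earliest>
+<latest>$interval.latest$</latest>
+</search>
+<option name="count">10</option>
+<option name="dataOverlayMode">none</option>
+<option name="drilldown">cell</option>
+<option name="refresh.display">progressbar</option>
+<option name="rowNumbers">false</option>
+<option name="wrap">true</option>
+</table>
+</panel>
+</row>
+<row>
+<panel>
+<title>Events List</title>
+<table id="link">
+<search>
+<query>`event_sources_xml` | search ($Type$) AND $Computer$ AND $keyword$ $sourcetype_token$ | rex field=Name mode=sed "s/\'//g" | lookup xmleventtype_lookup xml_type AS Level OUTPUT event_type | lookup xml_raw_data_lookup raw_xml_data as EventData_Xml OUTPUT extracted_xml_data | eval extracted_xml_data = split(extracted_xml_data,"@") | table _time,EventID,Name,Channel, event_type,eventtype, extracted_xml_data | rename Channel as Log, event_type as Level, eventtype as Category, Name as Source</query>
+<earliest>$interval.earliest$</earliest>
+<latest>$interval.latest$</latest>
+</search>
+<option name="count">10</option>
+<option name="dataOverlayMode">none</option>
+<option name="drilldown">cell</option>
+<option name="refresh.display">progressbar</option>
+<option name="rowNumbers">false</option>
+<option name="wrap">true</option>
+</table>
+</panel>
+</row>
+</form>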
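Review bot: The drilldown link in the "Events Summary" table references `$row.EventId$` and `$row.SourceName$`, but the columns that table actually produces are `EventID` (row tokens are case-sensitive) and `Source` (from `rename ... Name as Source` in the query), so both URL parameters resolve empty; the link should read `https://www.eventid.net/display.asp?eventid=$row.EventID$&amp;source=$row.Source$&amp;app=SplunkEvId`, and if the file really holds a bare `&` rather than `&amp;` the dashboard XML is not well-formed either. The `SourceName` token looks carried over from the non-XML dashboard, where that is the field name. Separately, the free-text `keyword` token is spliced unquoted into every search in this form, so a value containing a pipe alters the search rather than being matched; `$keyword|s$` keeps it a literal term (confirm the `*` default still matches as a wildcard once quoted). The "Accounts with 3 or more failed logons" panel groups by `user` without the `eval user=mvindex(Account_Name,1)` that the single-value panel below it uses, so unless `user` is extracted elsewhere for these XML events that chart is likely empty.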
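--- /dev/null
+++ b/[path not shown on page - setup xml]
@@ -0,0 +1,23 @@
+<setup>
+
+<block title="Specify the index and our data sources matching Windows events"
+endpoint="admin/macros"
+entity="event_sources">
+
+<input field="definition">
+<label>The EventId App will analyze the specified index</label>
+<type>text</type>
+</input>
+</block>
+
+<block title="Specify the index storing Windows XML events (only if using renderXML stanza)"
+endpoint="admin/macros"
+entity="event_sources_xml">
+
+<input field="definition">
+<label>The XML dashboard will analyze the specified index</label>
+<type>text</type>
+</input>
+</block>
+
+</setup>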
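Review bot: Both `<label>` texts tell the user to enter an index, but the field being edited is the `definition` of a search macro (`endpoint="admin/macros"`, entities `event_sources` and `event_sources_xml`), which is spliced verbatim into every dashboard search; a user who types just an index name gets a definition with no `index=` clause and the dashboards will probably search it as a keyword instead. Suggest a label that states the expected syntax, e.g. `<label>Search filter selecting Windows event data (an index= clause, optionally combined with source=); this becomes the event_sources macro used by every dashboard</label>`, with the matching wording for the XML block. Because the stored value is arbitrary SPL that later runs for every viewer of the dashboards, a comment above the first block noting that only administrators should have access to this setup page would help whoever deploys the app.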
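--- /dev/null
+++ b/[path not shown on page - transforms conf]
@@ -0,0 +1,22 @@
+[interesting_process_lookup]
+default_match = N/A
+filename = eventid_interesting_processes.csv
+max_matches = 1
+
+[processlookup]
+external_cmd = ev_process_proc.py full_path_process process
+fields_list = full_path_process,process
+
+[xmleventtype_lookup]
+default_match = N/A
+filename = xml_event_types.csv
+max_matches = 1
+
+[xml_raw_data_lookup]
+external_cmd = ev_process_xml_parameters.py raw_xml_data extracted_xml_data
+fields_list = raw_xml_data,extracted_xml_data
+
+[interesting_events_lookup]
+default_match = N/A
+filename = eventid_interesting_events.csv
+max_matches = 1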
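Review bot: `default_match = N/A` in the three CSV stanzas (`[interesting_process_lookup]`, `[xmleventtype_lookup]`, `[interesting_events_lookup]`) has no effect on its own, because per transforms.conf.spec the default value is only emitted when `min_matches` is greater than zero and it defaults to 0; if the intent is for unmatched rows to show `N/A`, add `min_matches = 1` next to each `max_matches = 1`. The two `external_cmd` stanzas hand field values that originate in collected event data, process paths and raw XML, to Python scripts Splunk runs from the app's `bin` directory on the search head, and nothing here records what the scripts do with that input; I cannot see them from this page, so a comment above each stanza should state that the values are untrusted and must not be passed to a shell or to an XML parser with entity expansion enabled. The file also has no header; suggest `# transforms.conf - lookup definitions for the eventid app (CSV lookups under lookups/, external lookup scripts under bin/)` as its first line.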