master
admingit 1 year ago
parent 1ac2f9cbb2
commit 9aa096959f

@ -0,0 +1,14 @@
Windows Event Log Analysis Splunk App version 1.5.1
Copyright (C) 2016-2018 Adrian Grigorof All Rights Reserved.
The Windows Event Log Analysis Splunk App assumes that Splunk is collecting information from Windows servers and workstation via the Universal Forwarder, the local Windows event log collector or remotely via WMI.
It analyzes the entries from indexes matching the "index="wineventlog" OR source=*WinEventLog*" criteria. This matches the defaults used by the Universal Forwarder, the collection of local Windows event logs and the collection via WMI.
To collect the logs from remote computers without installing the Universal Forwarded on each computer, configure the forwarding of event logs to central location using the Windows built-in event forwarding.
The Interesting Processes section from the Processes dashboard is partially based on a presentation by Michael Gough from www.malwarearchaeology.com: "The Top 10 Windows Event ID's Used To Catch Hackers In The Act". See https://www.malwarearchaeology.com/home/2016/5/7/windows-top-10-event-logs-from-my-dell-enterprise-security-summit-talk for the presentation slides and information on how to enable the auditing of processes, including command-line based ones. The list of “interesting processes” is based on a study by JPCERT CC (Japan Computer Emergency Response Team Coordination Center) on detecting lateral movement through tracking of event logs (https://www.jpcert.or.jp/english/pub/sr/ir_research.html). The list is stored in C:\Program Files\Splunk\etc\apps\eventid\lookups\interesting_processes.csv and it can be adjusted with a text editor if needed.
If not data is displayed, please verify that the Universal Forwarder is installed properly and that the all the Windows event logs are sent to the "wineventlog" index (or the WinEventLog* sources).
See Configure Computers to Forward and Collect Events (https://msdn.microsoft.com/en-us/library/cc748890(v=ws.11).aspx) for details on how to configure a computer as a collector of logs.
Send any suggestions, questions etc. to adigrio@gmail.com or support@altairtech.ca.
For up-to-date documentation, see: https://www.eventid.net/splunk_addon.asp
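Review bot: the README has several typos that should be fixed before the app ships: "Universal Forwarded" should be "Universal Forwarder" and "to central location" should be "to a central location" in the remote-collection sentence; "If not data is displayed" should read "If no data is displayed" and "that the all the Windows event logs" has a doubled article; "servers and workstation" wants the plural. The lookup path is also hardcoded as C:\Program Files\Splunk\etc\apps\eventid\lookups\interesting_processes.csv, which is wrong for a non-default install directory and for Splunk on Linux; writing it as $SPLUNK_HOME/etc/apps/eventid/lookups/interesting_processes.csv covers every case. Since that CSV drives the Interesting Processes dashboard, a sentence telling admins to keep write access to it restricted to Splunk administrators would be worthwhile, so the detection list cannot be quietly trimmed.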

Binary file not shown.


Binary file not shown.


@ -0,0 +1,553 @@
body {
background-color: #cedec3;
font-size: 12px;
line-height: 130%;
}
ul.accountBarItems {
font-size: 11px;
}
br {
clear: both;
}
.SplunkModule {
padding: 0px;
}
.appHeaderWrapper {
background-color: #333333;
background-image: none;
}
#appContent h1 {
font-size: 24px;
font-weight: normal;
letter-spacing: -1px;
line-height: 130%;
margin-bottom: 15px;
text-shadow: white 0px 1px 1px;
}
.splButton-primary span,
.splButton-secondary span,
.splButton-tertiary span {
min-width: 110px;
}
.resultsArea {
background-color: #EDEDE7;
}
/** app tabs **/
div.appTabsWrapperOuter {
background: #333 url(./images/bg_tabs.png) repeat-x 50% 100%;
}
div.appTabsWrapper {
margin: 0px auto 0px;
width: 830px;
overflow: hidden;
}
/* Target Firefox 2 and older [!] */
div.appTabsWrapper ul#appTabs, x:-moz-any-link {
position: relative;
top: 1px;
}
div.appTabsWrapper ul#appTabs, x:-moz-any-link, x:default {
position: relative;
top: 0px;
}
div.appTabsWrapper ul#appTabs {
list-style-type: none;
margin: 15px 0px 0px;
overflow: hidden;
padding: 0px;
width: 100%;
}
div.appTabsWrapper ul#appTabs li {
float: left;
list-style-type: none;
margin: 0px 5px 0px 0px;
}
div.appTabsWrapper ul#appTabs li a {
background-color: #73A550;
-moz-border-radius-topleft: 5px;
-moz-border-radius-topright: 5px;
-webkit-border-top-left-radius: 5px;
-webkit-border-top-right-radius: 5px;
border-top-left-radius: 5px;
border-top-right-radius: 5px;
color: white;
display: block;
font-size: 14px;
padding: 8px 20px;
text-decoration: none;
-moz-text-shadow: #666 0px 1px 1px;
-webkit-text-shadow: #666 0px 1px 1px;
text-shadow: #666 0px 1px 1px;
}
div.appTabsWrapper ul#appTabs li.current a {
background-color: #EDEDE7;
color: #333;
text-shadow: white 0px 1px 1px;
border: 1px solid white;
border-bottom: none;
}
div.launcherContent {
margin: 15px auto;
width: 830px;
}
div.launcherList {
float: left;
width: 549px;
}
/** launcher links **/
ul.launcherLinks {
/* -webkit-box-shadow: #DDD 0px 0px 5px; */
border: 0px;
margin: 0px 0px 0px -25px;
list-style-type: none;
position: relative;
}
ul.launcherLinks li {
/* background-color: white; */
xxborder-bottom: 1px solid #edede7;
xxcolor: #666;
/* padding: 15px; */
position: relative;
z-index: 200;
zoom: 1;
_line-height: 0px;
_font-size: 1%;
}
ul.launcherLinks li .launcherApplistBackground {
cursor: pointer;
}
li.launcherMsg {
background-color: white;
margin-left: 25px;
}
ul.launcherLinks li.launcherMsg p {
padding: 0px;
_font-size: 12px;
}
li.launcherMsg .launcherMsgUpdate {
background: transparent url(images/icon_update.png) 0px 0px no-repeat;
_background-image: url(images/icon_update_ie6.png);
padding-left: 20px;
}
li.launcherMsg .launcherMsgSetup {
background: transparent url(images/icon_setup.png) 0px 0px no-repeat;
_background: transparent url(images/icon_setup_ie6.png) 0px 0px no-repeat;
padding-left: 20px;
}
ul.launcherLinks li.first div.launcherApplistBackground {
-moz-border-radius-topleft: 5px;
-moz-border-radius-topright: 5px;
-webkit-border-top-left-radius: 5px;
-webkit-border-top-right-radius: 5px;
border-top-left-radius: 5px;
border-top-right-radius: 5px;
}
ul.launcherLinks li.last div.launcherApplistBackground {
-moz-border-radius-bottomleft: 5px;
-moz-border-radius-bottomright: 5px;
-webkit-border-bottom-left-radius: 5px;
-webkit-border-bottom-right-radius: 5px;
border-bottom-left-radius: 5px;
border-bottom-right-radius: 5px;
border-bottom: none;
}
ul.launcherLinks li:hover {
xxbackground: #fff url(images/bg_gradient_100.png) repeat-x;
}
ul.launcherLinks li div {
background-repeat: no-repeat;
min-height: 50px;
xxpadding: 0px 0px 0px 46px;
xxmargin-left: -20px;
}
.appicon {
width: 36px;
height: 36px;
padding: 5px;
}
ul.launcherLinks li div.launcher-applist-wrapper,
ul.launcherLinks li div.launcherApplistBackground {
_font-size: 12px;
_line-height: 130%;
}
ul.launcherLinks li.datainputs div.launcherApplistIcon {
background-image:url(images/icon_addData.png);
background-position: 10px 10px;
}
ul.launcherLinks li.search div.launcherApplistIcon {
background-image:url(images/searchIcon.png);
background-position: 10px 10px;
}
ul.launcherLinks li a {
font-size: 16px;
}
ul.launcherLinks li a:hover {
text-decoration: none;
_text-decoration: underline;
}
ul.launcherLinks p {
color: #666;
line-height: 130%;
margin: 0px;
padding-top: 5px;
}
/** launcher messages **/
ul.launcherLinks li.launcherMsg {
border-bottom: 1px solid #EEE;
cursor: text;
padding: 5px 15px;
-webkit-border-top-left-radius: 5px;
-webkit-border-top-right-radius: 5px;
-moz-border-radius-topleft: 5px;
-moz-border-radius-topright: 5px;
border-top-left-radius: 5px;
border-top-right-radius: 5px;
}
ul.launcherLinks li.launcherMsg a {
color: red;
display: inline-block;
text-decoration: underline;
font-size: 12px;
line-height: 130%;
}
/** launcher app list **/
ul.launcherLinks ul.launcherAppsList {
margin: 0px;
padding: 0px;
list-style: none;
z-index: 200;
position: relative;
*font-size: 1%;
}
li.launcherShadow {
-webkit-box-shadow: #DDD 0px 0px 5px;
-moz-box-shadow: #DDD 0px 0px 5px;
box-shadow: #DDD 0px 0px 5px;
-webkit-border-radius: 5px;
-moz-border-radius: 5px;
border-radius: 5px;
z-index: 2 !important;
position: absolute !important;
height: 356px;
width: 529px;
top: 0px;
left: 25px;
}
/* Firefox 2 hacks for list border */
li.launcherShadow, x:-moz-any-link {
top: -1px;
left: 24px;
border: 1px solid #CCC;
}
/* Firefox 3+ hacks for list border */
li.launcherShadow, x:-moz-any-link, x:default {
top: 0px;
left: 25px;
border: none;
}
/* Firefox 3.0 - 3.5 hacks for list border */
body.firefox3 li.launcherShadow {
top: -1px;
left: 24px;
border: 1px solid #CCC;
}
/* IE 8 and below hacks for list border */
li.launcherShadow {
border: 1px solid #CCC\9;
top: -1px\9;
left: 24px\9;
}
/* IE 6 hack */
#home li.launcherShadow {
_left: -1px;
}
/** launcher reorder handle **/
ul.launcherLinks li div.reorderHandle {
position: absolute;
display: block;
background-color: white;
background-image: url("images/icon_reorderHandler.png") !important;
_background-image: url("images/icon_reorderHandler_ie6.png") !important;
background-position: 8px 5px;
left: 0px;
top: 5px;
width: 20px;
height: 20px;
padding: 1px 0px 1px 5px;
-moz-border-radius-topleft: 5px;
-moz-border-radius-bottomleft: 5px;
-webkit-border-top-left-radius: 5px;
-webkit-border-bottom-left-radius: 5px;
border-top-left-radius: 5px;
border-bottom-left-radius: 5px;
min-height: 0px !important;
}
/* Firefox 2 hacks for reorder handle borders */
ul.launcherLinks li div.reorderHandle, x:-moz-any-link {
border: 1px solid #CCC;
border-right: none;
left: -1px;
}
/* Firefox 3+ hacks for reorder handle border */
ul.launcherLinks li div.reorderHandle, x:default {
border: none;
left: 0px;
}
/* Firefox 3.0 - 3.5 hacks for reorder handle borders */
body.firefox3 ul.launcherLinks li div.reorderHandle {
border: 1px solid #CCC;
border-right: none;
left: -1px;
}
/* IE 8 and below hacks for reorder handle borders */
ul.launcherLinks li div.reorderHandle {
border: 1px solid #CCC\9;
border-right: none\9;
left: -1px\9;
}
ul.launcherLinks div.launcherApplistBackground {
margin-left: 25px;
background-color: white;
border-bottom: 1px solid #edede7;
zoom: 1;
}
ul.launcherLinks div.launcherApplistIcon {
padding: 10px;
}
ul.launcherLinks div.launcherApplistDesc {
margin-left: 45px;
*font-size: 12px;
}
ul.launcherLinks div.launcherApplistBackground:hover {
background: #fff url(images/bg_gradient_100.png) repeat-x bottom;
}
ul.launcherLinks .disabledApp div.launcherApplistBackground:hover {
background-image: none;
}
ul.launcherLinks li div.reorderHandle:hover {
cursor: move;
background-position: 8px -15px;
}
/** enable/set up buttons **/
ul.launcherLinks .setupApp button {
background-color: #BBB;
border: 1px solid #999;
}
ul.launcherLinks .setupApp button:hover {
border-color: #666;
}
ul.launcherLinks li.disabledApp button,
ul.launcherLinks li.setupApp button {
position: absolute;
top: 5px;
right: 7px;
height: 23px;
line-height: 20px;
background-position: left -5px;
padding: 0px 10px;
}
ul.launcherLinks li.disabledApp button span,
ul.launcherLinks li.setupApp button span {
min-width: 0;
line-height: 100%;
}
ul.launcherLinks li.disabledApp:hover {
background-image: none;
}
ul.launcherLinks li.disabledApp button:hover {
border-color: #000;
}
ul.launcherLinks .disabledApp,
ul.launcherLinks .disabledApp a {
cursor: text;
}
ul.launcherLinks .disabledApp .launcher-applist-wrapper {
opacity: 0.6;
}
ul.launcherLinks .disabledApp p {
color: #333;
}
/** launchersidebar **/
div.launchersidebar {
float: left;
margin-left: 30px;
width: 250px;
border: none;
}
div.section {
-moz-border-radius: 5px;
-webkit-border-radius: 5px;
border-radius: 5px;
-moz-box-shadow: 0 0 5px #DDD;
-webkit-box-shadow: #DDD 0 0 5px;
-moz-box-shadow: #DDD 0 0 5px;
-webkit-box-shadow: #DDD 0 0 5px;
box-shadow: #DDD 0 0 5px;
background: none repeat scroll 0 0 #E5F2F5;
margin-bottom: 10px;
padding: 15px;
border: 1px solid #CCC;
}
h2,
div.launchersidebar h2 {
color: #333;
font-size: 16px;
font-weight: normal;
margin: 0px;
padding: 0px;
padding-bottom: 10px;
text-shadow: 0 1px 1px white;
}
div.launchersidebar ul {
margin: 0px 5px;
list-style: none;
}
div.launchersidebar ul li {
padding: 5px 0px;
}
/** spotlight section **/
div.launchersidebar div.spotlight {
background-color: #666;
-moz-box-shadow: 0 0 5px #555 inset;
-webkit-box-shadow: 0 0 5px #555 inset;
box-shadow: 0 0 5px #555 inset;
border: 1px solid #555;
}
div.launchersidebar div.spotlight h2 {
color: white;
text-shadow: 0px 1px 1px #333;
}
div.launchersidebar div.spotlight button.splButton-primary {
margin: 5px;
background-color: #77AA44;
}
div.launchersidebar div.spotlight button.splButton-primary:hover {
background-color: #693;
}
/* IE 6 doesn't recognize min_width */
div.launchersidebar div.spotlight button span {
_width: 110px;
}
/** icons for launchersidebar links **/
.apps {
background: url("images/icon_apps.png") no-repeat;
padding-left: 20px;
}
.tutorial {
background: url("images/icon_tutorial.png") no-repeat;
padding-left: 20px;
}
.whatsNew {
background: url("images/icon_mail.png") no-repeat;
padding-left: 20px;
}
.splunkDoc {
background: url("images/icon_file.png") no-repeat;
padding-left: 20px;
}
.searches {
background: url("images/icon_document.png") no-repeat;
padding-left: 20px;
}
.more {
background: url("images/icon_circle_add.png") no-repeat;
padding-left: 20px;
}
.answers {
background: url("images/icon_ask.png") no-repeat;
padding-left: 20px;
}
/** footer **/
div.divider {
margin-top: 20px;
width: 100%;
border-bottom: 1px solid #DDD;
}
div.launcherFooter {
padding-top: 10px;
border-top: 1px solid #FFF;
color: #666;
text-shadow: 0px 1px 1px white;
}
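Review bot: several declarations in "ul.launcherLinks li" and its :hover rule are disabled by prefixing them with "xx" (xxborder-bottom, xxcolor, xxbackground, xxpadding, xxmargin-left); browsers drop unknown properties so it works, but it reads as a typo, so either delete them or comment them out the way the neighbouring "/* background-color: white; */" does. div.section repeats -moz-box-shadow and -webkit-box-shadow twice with the same value; one of each is enough. The _property and *property IE6/7 hacks, the "\9" IE8 hacks and the x:-moz-any-link / x:default Firefox 2 and 3 selectors target browsers that are long out of support and roughly double the size of this file; consider dropping them.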

@ -0,0 +1,78 @@
/* Set background */
.main-section-body {
background-color:#cedec3;
background-image:-webkit-gradient(linear, 0 0, 0 100%, from(#e2e9eb), color-stop(400px, #cedec3), to(#cedec3));
background-image:-webkit-linear-gradient(#e2e9eb, #cedec3 400px, #cedec3);
background-image:-moz-linear-gradient(top, #e2e9eb, #cedec3 400px, #cedec3);
background-image:-o-linear-gradient(#e2e9eb, #cedec3 400px, #cedec3);
background-image:linear-gradient(#e2e9eb, #cedec3 400px, #cedec3);
filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffe2e9eb', endColorstr='#ffcedec3', GradientType=0);
}
/* Make the forms look like they are in a panel */
/*.fieldset {
border-radius: 4px;
border: 1px solid #cccccc;
background: white;
margin: 0 0px 10px 0;
box-shadow: 0px 1px 1px rgba(0, 0, 0, 0.08);
position: relative;
padding: 12px 15px 0px 15px;
}
.fieldset .hide-label {
}
*/
/* Shrink the form text inputs */
/* Removed because Splunk 6.1 spaces the fields differently */
/*input, textarea, .uneditable-input {
width: 120px;
}*/
/* Make the Search button on each dashboard blue instead of green */
.btn-primary {
background-color: #5c9732;
background-image: -moz-linear-gradient(top, #0087df, #004f82);
background-image: -webkit-gradient(linear, 0 0, 0 100%, from(#0087df), to(#004f82));
background-image: -webkit-linear-gradient(top, #0087df, #004f82);
background-image: -o-linear-gradient(top, #0087df, #004f82);
background-image: linear-gradient(to bottom, #0087df, #004f82);
background-repeat: repeat-x;
filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff0087df', endColorstr='#ff004f82', GradientType=0);
background-color: #0087df;
border: 1px solid #143ab1;
border-bottom-color: #0048c9;
border-top-color: #004f82;
color: #ffffff;
text-shadow: 0 -1px 0 rgba(51, 51, 51, 0.7);
-webkit-box-shadow: 0px 1px 1px rgba(0, 0, 0, 0.08);
-moz-box-shadow: 0px 1px 1px rgba(0, 0, 0, 0.08);
box-shadow: 0px 1px 1px rgba(0, 0, 0, 0.08);
}
.btn-primary:hover {
background-color: #7db44d;
background-image: -moz-linear-gradient(top, #6ac1fa, #007fd1);
background-image: -webkit-gradient(linear, 0 0, 0 100%, from(#6ac1fa), to(#007fd1));
background-image: -webkit-linear-gradient(top, #6ac1fa, #007fd1);
background-image: -o-linear-gradient(top, #6ac1fa, #007fd1);
background-image: linear-gradient(to bottom, #6ac1fa, #007fd1);
background-repeat: repeat-x;
filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff6ac1fa', endColorstr='#ff007fd1', GradientType=0);
background-color: #389ddf;
border-color: #0c89db;
border-bottom-color: #006eb4;
border-top-color: #3f99d3;
background-position: 0 0;
}
.btn-primary:active, .btn-primary.active {
background-color: #016baf 9;
}
.btn-primary:hover, .btn-primary:focus, .btn-primary:active, .btn-primary.active, .btn-primary.disabled, .btn-primary[disabled] {
color: #ffffff;
background-color: #016baf;
}
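Review bot: ".btn-primary:active, .btn-primary.active { background-color: #016baf 9; }" is an invalid value (two tokens), so the declaration is discarded; it looks like the IE "\9" hack with the backslash lost, and because the rule that follows already sets background-color: #016baf for :active and .active, the whole rule can simply be removed. In .btn-primary the first "background-color: #5c9732" (green) is overridden a few lines later by "background-color: #0087df", so it is dead and contradicts the comment about making the button blue; the same applies to "#7db44d" versus "#389ddf" in the :hover rule. The commented-out .fieldset and input/textarea blocks are dead code and should be deleted rather than shipped with the app.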

File diff suppressed because it is too large

File diff suppressed because it is too large

@ -0,0 +1,45 @@
#!/usr/bin/env python
import csv
import sys
import re
# arp.exe,Target Discovery,Obtains information about hosts on the local broadcast domain
# New_Process_Name = C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
# C:\Windows\System32\wbem\WmiPrvSE.exe
def process_interesting(full_path_process):
try:
process_path_elements = full_path_process.split("\\")
process = process_path_elements[len(process_path_elements)-1]
return process
except:
return full_path_process
def main():
if len(sys.argv) != 3:
print "Usage: python ev_process_proc.py [full_path_process] [process]"
print sys.argv[1]
print len(sys.argv)
sys.exit(1)
full_path_process = sys.argv[1]
process = sys.argv[2]
infile = sys.stdin
outfile = sys.stdout
r = csv.DictReader(infile)
header = r.fieldnames
w = csv.DictWriter(outfile, fieldnames=r.fieldnames)
w.writeheader()
for result in r:
if result[full_path_process]:
result[process] = process_interesting(result[full_path_process])
if result[process]:
w.writerow(result)
main()
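Review bot: the usage branch in main() prints sys.argv[1] right after testing len(sys.argv) != 3, so invoking ev_process_proc.py with no arguments raises IndexError instead of showing the usage line; drop the two debug prints. The print statements are Python 2 syntax and will not compile under the Python 3 interpreter newer Splunk releases ship with; use print() (with "from __future__ import print_function" if Python 2 must still be supported). In process_interesting() the bare "except:" cannot fire for a string input and would hide real errors; and the split only handles backslashes, so a path logged with forward slashes is returned unchanged and will never match a name in interesting_processes.csv, which weakens the detection the dashboard is built on; ntpath.basename() handles both separators in one call. "import re" is unused. Finally, rows whose process field ends up empty are not written at all (the "if result[process]" guard), which silently removes events from the search results; write every row and leave the field empty instead.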

@ -0,0 +1,48 @@
#!/usr/bin/env python
import csv
import sys
import re
import xml.etree.ElementTree as ET
# <Data Name='param1'>Windows Modules Installer</Data><Data Name='param2'>stopped</Data><Binary>540072007500730074006500640049006E007300740061006C006C00650072002F0031000000</Binary>
def process_xml(xml_info):
try:
xml_result = ""
root = ET.fromstring("<Data>"+xml_info+"</Data>")
for child in root:
#xml_result = xml_result + child.tag + child.attrib + child.text+"\n"
xml_result = xml_result + child.text + "@"
#xml_result = xml_result + child.attrib + "\n"
return xml_result
except:
return "Error: "+xml_info
def main():
if len(sys.argv) != 3:
print "Usage: python ev_process_xml_parameters.py [raw_xml_data] [extracted_xml_data]"
print sys.argv[1]
print len(sys.argv)
sys.exit(3)
raw_xml_data = sys.argv[1]
extracted_xml_data = sys.argv[2]
infile = sys.stdin
outfile = sys.stdout
r = csv.DictReader(infile)
header = r.fieldnames
w = csv.DictWriter(outfile, fieldnames=r.fieldnames)
w.writeheader()
for result in r:
if result[raw_xml_data]:
result[extracted_xml_data] = process_xml(result[raw_xml_data])
#result[extracted_xml_data] = raw_xml_data
if result[extracted_xml_data]:
w.writerow(result)
main()
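Review bot: in process_xml(), child.text is None for an empty element such as <Binary/>, so "xml_result + child.text" raises TypeError, the bare "except:" catches it and the whole row becomes "Error: ..." instead of the parameters that did parse; use (child.text or "") and catch ET.ParseError specifically so other bugs are not masked. Wrapping the fragment in <Data>...</Data> gives the synthetic root the same tag name as the <Data Name='param1'> children, which is confusing; any other name such as <root> works. Because the input is event data supplied by the logging host, parsing it with defusedxml.ElementTree instead of xml.etree is the safer default for a search command. The <Binary> value in the sample comment is UTF-16LE hex ("TrustedInstaller/1" followed by a NUL); if it should be readable in the output, binascii.unhexlify(...).decode("utf-16-le").rstrip("\x00") does it. The same Python 2 print statements, the sys.argv[1] IndexError in the usage branch and the unused "import re" as in ev_process_proc.py apply here too.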

@ -0,0 +1,22 @@
######################################################
#
# Splunk_EventId.Net
#
# Copyright (C) 2016-2018 Firegen Analytics Inc All Rights Reserved.
#
######################################################
[install]
is_configured = 0
build = 1
[ui]
is_visible = 1
label = EventID.Net
[launcher]
author = adigrio
description = Dashboards for Windows event logs and links to www.eventid.net
version = 1.5.1
[package]
id = eventid
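Review bot: the copyright line names "Firegen Analytics Inc" while the README in the same commit names "Adrian Grigorof"; pick one so the rights holder is unambiguous. [package] sets "id = eventid" but not check_for_updates; add "check_for_updates = false" if the app is not distributed through Splunkbase, otherwise Splunk will poll for updates it can never find.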

@ -0,0 +1,14 @@
<nav search_view="search">
<view name="eventid" default="true" />
<view name="audit_events" />
<view name="users_and_groups" />
<view name="interesting_events" />
<view name="interesting_processes" />
<view name="windows_event_sources" />
<view name="windows_events_xml_source" />
<view name="search" />
<view name="dashboards" />
<view name="documentation" />
<!-- This is an external link -->
<a href="https://www.eventid.net/">EventId.Net</a>
</nav>

@ -0,0 +1 @@
Add all the views that your app needs in this directory
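Review bot: "Add all the views that your app needs in this directory" is the placeholder README left behind by the Splunk app template; the views are present in this commit, so the file should be deleted.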

@ -0,0 +1,405 @@
<form>
<label>Audit Events</label>
<description>Click on the event to check it on www.eventid.net</description>
<fieldset autoRun="true" submitButton="false">
<input type="time" searchWhenChanged="true" token="interval">
<label>Select time range</label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="multiselect" token="Computer" searchWhenChanged="true">
<label>Computer</label>
<choice value="*">All</choice>
<default>*</default>
<prefix>(</prefix>
<suffix>)</suffix>
<valuePrefix>host="</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter> OR </delimiter>
<search>
<query>`event_sources` ("Audit Success" OR "Audit Failure") | stats count by host</query>
<earliest>$interval.earliest$</earliest>
<latest>$interval.latest$</latest>
</search>
<fieldForLabel>host</fieldForLabel>
<fieldForValue>host</fieldForValue>
</input>
<input type="checkbox" searchWhenChanged="true" token="Audit_Type">
<label>Audit Events</label>
<default>Audit Failure,Audit Success</default>
<choice value="Audit Failure">Failure</choice>
<choice value="Audit Success">Success</choice>
<prefix>(</prefix>
<suffix>)</suffix>
<valuePrefix>"</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter> OR </delimiter>
<fieldForLabel>Audit Type</fieldForLabel>
<fieldForValue>Audit Type</fieldForValue>
<initialValue>Audit Failure,Audit Success</initialValue>
</input>
<input type="text" token="keyword" searchWhenChanged="true">
<label>Keyword:</label>
<default>*</default>
</input>
<input type="radio" token="nopriv" searchWhenChanged="true">
<label>Hide privilege related events</label>
<choice value="Message!=&quot;*privilege*&quot;">Yes</choice>
<choice value="*">No</choice>
<default>Message!="*privilege*"</default>
</input>
<input type="radio" token="nocomputer" searchWhenChanged="true">
<label>Hide computer accounts events</label>
<choice value="Account_Name != &quot;*$*&quot;">Yes</choice>
<choice value="*">No</choice>
<default>Account_Name != "*$$*"</default>
<initialValue>Account_Name != "*$$*"</initialValue>
</input>
</fieldset>
<row>
<panel>
<title>Audit events over time</title>
<chart>
<search>
<query>`event_sources` ("Audit Success" OR "Audit Failure") AND $Computer$ AND $keyword$ $nopriv$ $nocomputer$ $Audit_Type$
| fillnull
| timechart count</query>
<earliest>$interval.earliest$</earliest>
<latest>$interval.latest$</latest>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">column</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
<panel>
<title>Accounts with 3 or more failed logons</title>
<chart>
<search>
<query>`event_sources` Failure_Reason=* ("Audit Failure") AND $Computer$ AND $keyword$ $nopriv$ Message != "*privilege*" Account_Name != "*$*"
| table host, Account_Name, Failure_Reason
| stats count by Account_Name
| where count &gt; 2</query>
<earliest>$interval.earliest$</earliest>
<latest>$interval.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">pie</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>Audit Failure events by computer</title>
<chart>
<search>
<query>`event_sources` "Audit Failure" AND $Computer$ AND $keyword$ $nocomputer$ $nopriv$
| fillnull
| stats count by host</query>
<earliest>$interval.earliest$</earliest>
<latest>$interval.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">pie</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
<panel>
<title>Distinct Accounts</title>
<single>
<search>
<query>`event_sources` AND $Computer$ AND $keyword$ $nopriv$ $nocomputer$ TaskCategory=Logon $Audit_Type$
| stats dc(Account_Name)</query>
<earliest>$interval.earliest$</earliest>
<latest>$interval.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="colorBy">value</option>
<option name="colorMode">block</option>
<option name="drilldown">all</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0x6db7c6","0x6db7c6"]</option>
<option name="rangeValues">[0]</option>
<option name="refresh.display">progressbar</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
<option name="trendColorInterpretation">standard</option>
<option name="trendDisplayMode">absolute</option>
<option name="unitPosition">after</option>
<option name="useColors">1</option>
<option name="useThousandSeparators">1</option>
</single>
</panel>
<panel>
<title>Logon Successful Audits</title>
<single>
<search>
<query>`event_sources` AND $keyword$ $nopriv$ $nocomputer$ TaskCategory=Logon
| stats count</query>
<earliest>$interval.earliest$</earliest>
<latest>$interval.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="colorMode">block</option>
<option name="drilldown">all</option>
<option name="rangeColors">["0x65a637","0x65a637"]</option>
<option name="rangeValues">[0]</option>
<option name="refresh.display">progressbar</option>
<option name="useColors">1</option>
</single>
</panel>
<panel>
<title>Logon Audit Failure events</title>
<single>
<search>
<query>`event_sources` AND $Computer$ AND $keyword$ $nocomputer$ $nopriv$ Failure_Reason=* ("Audit Failure")
| stats count</query>
<earliest>$interval.earliest$</earliest>
<latest>$interval.latest$</latest>
</search>
<option name="colorMode">block</option>
<option name="drilldown">all</option>
<option name="rangeColors">["0xd93f3c","0xd93f3c"]</option>
<option name="rangeValues">[0]</option>
<option name="refresh.display">progressbar</option>
<option name="useColors">1</option>
<drilldown>
<link target="_blank">search?q=`event_sources` Failure_Reason=* * ("Audit Failure") AND $Computer$ AND $keyword$ Message != "*privilege*" Account_Name != "*$*" | stats count&amp;earliest=$interval.earliest$&amp;latest=$interval.latest$</link>
</drilldown>
</single>
</panel>
<panel>
<title>New Local Admins</title>
<single>
<search>
<query>`event_sources`AND $Computer$ AND $keyword$ $nocomputer$ $nopriv$
| transaction Security_ID maxspan=180m
| search EventCode=4720 OR (EventCode=4732 Administrators)
| stats count</query>
<earliest>$interval.earliest$</earliest>
<latest>$interval.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="colorBy">value</option>
<option name="colorMode">block</option>
<option name="drilldown">none</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0xf58f39","0xf58f39"]</option>
<option name="rangeValues">[0]</option>
<option name="refresh.display">progressbar</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
<option name="trendColorInterpretation">standard</option>
<option name="trendDisplayMode">absolute</option>
<option name="unitPosition">after</option>
<option name="useColors">1</option>
<option name="useThousandSeparators">1</option>
</single>
</panel>
</row>
<row>
<panel>
<title>Events Summary</title>
<table id="link2">
<search>
<query>`event_sources` AND $Computer$ AND $keyword$ $nopriv$ $nocomputer$ $Audit_Type$
| fillnull
| eval Type=if(Keywords=="Audit Success",Keywords, Type)
| eval Type=if(Keywords=="Audit Failure",Keywords, Type)
| stats earliest(_time) as First latest(_time) as Last max(Message) as Sample_Message count by host, EventCode, Type
| sort -count host, EventCode, Type, Sample_message
| rename EventCode as "EventId"
| fieldformat First=strftime(First,"%x %X") | fieldformat Last=strftime(Last,"%x %X")</query>
<earliest>$interval.earliest$</earliest>
<latest>$interval.latest$</latest>
</search>
<option name="count">10</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">row</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="wrap">true</option>
<drilldown>
<link target="_blank">https://www.eventid.net/display.asp?eventid=$row.EventId$&amp;source=$row.SourceName$&amp;app=SplunkEvId</link>
</drilldown>
</table>
</panel>
</row>
<row>
<panel>
<title>Audit Failure Events</title>
<table>
<search>
<query>`event_sources` AND $Computer$ AND $keyword$ $nocomputer$ $nopriv$ AND "Audit Failure"
| fillnull
| eval user=mvindex(Account_Name,1)
| table _time, host, EventCode, Message, user, Failure_Reason, Source_Workstation, Caller_Process_Name
| rename EventCode as "EventId", Caller_Process_Name as Process</query>
<earliest>$interval.earliest$</earliest>
<latest>$interval.latest$</latest>
</search>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
<row>
<panel>
<title>Accounts successfully logged on</title>
<chart>
<search>
<query>`event_sources`AND $Computer$ AND $keyword$ $nocomputer$ $nopriv$ AND TaskCategory=Logon AND NOT Account_Name="*ANONYMOUS*"
| timechart count</query>
<earliest>$interval.earliest$</earliest>
<latest>$interval.latest$</latest>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">column</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>Audit Success Events</title>
<table>
<search>
<query>`event_sources` AND $Computer$ AND $keyword$ $nopriv$ $nocomputer$ "Audit Success"
| fillnull
| eval Type=if(Keywords=="Audit Success",Keywords, Type)
| eval Type=if(Keywords=="Audit Failure",Keywords, Type)
| eval user=mvindex(Account_Name,1)
| table _time, host, EventCode, Message, user, Source_Workstation, Process_Name
| rename EventCode as "EventId", Process_Name as Process</query>
<earliest>$interval.earliest$</earliest>
<latest>$interval.latest$</latest>
</search>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
<row>
<panel>
<title>Audit events - drill down option</title>
<event>
<search>
<query>`event_sources` $Audit_Type$ AND $Computer$ AND $keyword$ $nopriv$ $nocomputer$
| fillnull
| eval Type=if(Keywords=="Audit Success",Keywords, Type)
| eval Type=if(Keywords=="Audit Failure",Keywords, Type)
| eval user=mvindex(Account_Name,1)
| table _time, host, EventCode, Type, Message, user</query>
<earliest>$interval.earliest$</earliest>
<latest>$interval.latest$</latest>
</search>
<fields>host, LogName, EventCode, SourceName, Type, Message, user</fields>
<option name="list.drilldown">full</option>
<option name="refresh.display">progressbar</option>
<option name="table.drilldown">all</option>
<option name="type">list</option>
</event>
</panel>
</row>
</form>
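Review bot: the Events Summary drilldown link (`https://www.eventid.net/display.asp?eventid=$row.EventId$&amp;source=$row.SourceName$...`) reads `$row.SourceName$`, but that panel's `stats ... count by host, EventCode, Type` does not carry SourceName into the result rows, so every link opens eventid.net with an empty source parameter; add SourceName to the `by` clause. Two smaller defects in the same query: `sort -count host, EventCode, Type, Sample_message` names `Sample_message` while the stats clause created `Sample_Message` (field names are case sensitive, so that sort key is silently ignored), and `max(Message)` yields the lexicographically largest message rather than a representative one; `latest(Message)` would be a better sample. In the "Accounts successfully logged on" panel the query starts with `` `event_sources`AND $Computer$ `` with no space after the macro; add it for consistency with the other panels. The `eval user=mvindex(Account_Name,1)` used in the Audit Failure, Audit Success and drill-down panels returns nothing for events that carry only one Account_Name value; `mvindex(Account_Name,-1)` gives the target account for 4625-style events and still works for single-valued ones. Finally, the event panel's `<fields>` list includes LogName and SourceName, but its query's `table _time, host, EventCode, Type, Message, user` has already dropped them, so those columns render empty; either add them to the table or remove them from `<fields>`.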

@ -0,0 +1,55 @@
<dashboard>
<label>Documentation</label>
<row>
<panel>
<title>Introduction</title>
<html>
<p>Welcome to the EventID.Net Windows Event Logs app!</p>
</html>
</panel>
</row>
<row>
<panel>
<title>Windows Event Log App sources of information</title>
<html>
<p>The Windows Event Log App assumes that Splunk is collecting information from Windows servers and workstation via one of the following methods:
<ul>
<li><a href="https://www.splunk.com/en_us/download/universal-forwarder.html">Splunk Universal Forwarder installed on the source computer</a></li>
<li><a href="https://msdn.microsoft.com/en-us/library/cc748890(v=ws.11).aspx">Windows Event Log Forwarding</a> configured on the source computer combined with Splunk Universal Forwarder on the collector computer</li>
<li><a href="https://docs.splunk.com/Documentation/Splunk/6.6.1/Data/MonitorWindowseventlogdata">Remote Windows Event Log collection via WMI</a> as Splunk input</li>
<li>Events collected with the renderXML feature turned on. See <a href="https://www.splunk.com/blog/2014/11/04/splunk-6-2-feature-overview-xml-event-logs.html">Feature Overview: XML Event Logs</a></li>
</ul>
</p>
<p>All these methods will collect the events and either collect them in the "wineventlog" Splunk index or record them in the default index with source the source set as "*WinEventLog*" (notice the wildcards). The app analyzes the entries matching these criteria (index="wineventlog" OR source=*WinEventLog*). This matches the defaults used by the Universal Forwarder, the collection of local Windows event logs and the collection via WMI.</p>
<p>In order to create the proper indexes, we recommend the installation of the <a href="https://splunkbase.splunk.com/app/742/">Splunk Add-on for Microsoft Windows</a> app.</p>
<p>To collect the logs from remote computers without installing the Universal Forwarded on each computer, configure the forwarding of event logs to central location using the Windows built-in event forwarding. See <a href="https://msdn.microsoft.com/en-us/library/cc748890(v=ws.11).aspx">Configure Computers to Forward and Collect Events</a> for details on how to configure a computer as a collector of logs.</p>
</html>
</panel>
</row>
<row>
<panel>
<title>Additional information and troubleshooting</title>
<html>
<p>If no data is displayed, please verify that the Universal Forwarder is installed properly and that the all the Windows event logs are sent to the "wineventlog" index (or the WinEventLog* sources).</p>
<p>If the data is stored in a different index, the user can update the macros.conf [event_sources] section by using the application setup.</p>
<p>The Interesting Processes section from the Processes dashboard is partially based on a presentation by Michael Gough from <a href="https://www.malwarearchaeology.com/">www.malwarearchaeology.com</a>: "<a href="https://www.malwarearchaeology.com/home/2016/5/7/windows-top-10-event-logs-from-my-dell-enterprise-security-summit-talk">The Top 10 Windows Event ID's Used To Catch Hackers In The Act</a>". See for the presentation slides and information on how to enable the auditing of processes, including command-line based ones. The list of "interesting processes" is based on a <a href="https://www.jpcert.or.jp/english/pub/sr/ir_research.html">study by JPCERT CC</a> (Japan Computer Emergency Response Team Coordination Center) on detecting lateral movement through tracking of event logs. The list is stored in C:\Program Files\Splunk\etc\apps\eventid\lookups\interesting_processes.csv and it can be adjusted with a text editor if needed. For full functionality the audit of the command line arguments has to be enabled as described in <a href="https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing">Command Line Process Auditing</a></p>
<p>The XML dashboard is design to report Windows events rendered from the XML by using the renderXML stanza. The renderXML option reduced the volume of data to about 25% of the regular events, however some details such as the full description of the event are no longer recorded. See <a href="https://www.splunk.com/blog/2014/11/04/splunk-6-2-feature-overview-xml-event-logs.html">Feature Overview: XML Event Logs</a> for more details.</p>
<p>Each of the dashboard can be set as an alarm (i.e. notifications when a certain number of failed logins are recorded, when certain processes are executed, etc).</p>
<p>Send any suggestions and questions to support@altairtech.ca. We can also provide advice in setting up the Splunk receiver for the Universal Forwarder.</p>
<p>We publish the most current version of EventID.Net Windows Event Logs Splunk app on <a href="https://www.eventid.net/splunk_addon.asp">www.eventid.net</a>. Splunk may takes weeks or months to certify a new version.</p>
</html>
</panel>
</row>
</dashboard>
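Review bot: the troubleshooting panel has a dangling sentence, "See for the presentation slides and information on how to enable the auditing of processes, including command-line based ones.", left behind when the URL was moved into the linked title; reword it to something like "That page also has the slides and instructions for enabling process auditing, including command-line auditing." Other wording fixes in this file: "with source the source set as" should be "with the source set as"; "Universal Forwarded" should be "Universal Forwarder"; "The XML dashboard is design to report" should be "is designed to report" and "reduced the volume" should be "reduces the volume"; "Each of the dashboard can be set as an alarm" should be "Each dashboard search can be saved as an alert" (Splunk's term); and "Splunk may takes weeks" should be "may take weeks". Structurally, the sources-of-information paragraph nests a `<ul>` inside a `<p>`; browsers close the paragraph before a block-level list, leaving a stray `</p>` in the rendered panel, so close the `<p>` before the `<ul>` or drop the wrapper.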

@ -0,0 +1,362 @@
<form>
<label>Windows Events Summary</label>
<description>Click on the event to check it on www.eventid.net</description>
<fieldset autoRun="true" submitButton="false">
<input type="time" searchWhenChanged="true" token="interval">
<label>Select time range</label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="checkbox" searchWhenChanged="true" token="Type">
<label>Event types</label>
<default>Error,Warning</default>
<choice value="Error">Error</choice>
<choice value="Warning">Warning</choice>
<choice value="Information">Information</choice>
<prefix>(</prefix>
<suffix>)</suffix>
<valuePrefix>Type="</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter> OR </delimiter>
<fieldForLabel>Type</fieldForLabel>
<fieldForValue>Type</fieldForValue>
</input>
<input type="checkbox" searchWhenChanged="true" token="Audit_Type">
<label>Security Events</label>
<default>Denial,Audit Failure</default>
<choice value="Audit Failure">Audit Failure</choice>
<choice value="Audit Success">Audit Success</choice>
<prefix>(</prefix>
<suffix>)</suffix>
<valuePrefix>"</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter> OR </delimiter>
<fieldForLabel>Audit Type</fieldForLabel>
<fieldForValue>Audit Type</fieldForValue>
<initialValue>Audit Failure</initialValue>
</input>
<input type="multiselect" searchWhenChanged="true" token="Computer">
<label>Computer</label>
<choice value="*">All</choice>
<default>*</default>
<prefix>(</prefix>
<suffix>)</suffix>
<valuePrefix>host="</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter> OR </delimiter>
<search>
<query>`event_sources` | stats count by host</query>
<earliest>$interval.earliest$</earliest>
<latest>$interval.latest$</latest>
</search>
<fieldForLabel>host</fieldForLabel>
<fieldForValue>host</fieldForValue>
</input>
<input type="text" searchWhenChanged="true" token="keyword">
<label>Keyword:</label>
<default>*</default>
</input>
<input type="multiselect" token="sourcetype_token" searchWhenChanged="true">
<label>Excluded event sources</label>
<default>none</default>
<!-- The final value will be surrounded by prefix and suffix -->
<prefix>(</prefix>
<suffix>)</suffix>
<!-- Each value will be surrounded by the valuePrefix and valueSuffix -->
<valuePrefix>SourceName!="</valuePrefix>
<valueSuffix>"</valueSuffix>
<!-- All the values and their valuePrefix and valueSuffix will be concatenated together with the delimiter between them -->
<delimiter> AND </delimiter>
<choice value="none">None</choice>
<search>
<query>`event_sources` $Type$ AND $Computer$ AND $keyword$ | stats count by SourceName</query>
<earliest>$interval.earliest$</earliest>
<latest>$interval.latest$</latest>
</search>
<fieldForLabel>SourceName</fieldForLabel>
<fieldForValue>SourceName</fieldForValue>
</input>
</fieldset>
<row>
<panel>
<title>Errors</title>
<single>
<search>
<query>`event_sources` Type="Error" AND $Computer$ AND $keyword$ | stats count</query>
<earliest>$interval.earliest$</earliest>
<latest>$interval.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="colorBy">value</option>
<option name="colorMode">block</option>
<option name="drilldown">all</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0xd93f3c","0xd93f3c"]</option>
<option name="rangeValues">[0]</option>
<option name="refresh.display">progressbar</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
<option name="trendColorInterpretation">standard</option>
<option name="trendDisplayMode">absolute</option>
<option name="unitPosition">after</option>
<option name="useColors">1</option>
<option name="useThousandSeparators">1</option>
</single>
</panel>
<panel>
<title>Warnings</title>
<single>
<search>
<query>`event_sources` Type="Warning" AND $Computer$ AND $keyword$ | stats count</query>
<earliest>$interval.earliest$</earliest>
<latest>$interval.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="colorBy">value</option>
<option name="colorMode">block</option>
<option name="drilldown">all</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0xf7bc38","0xf7bc38"]</option>
<option name="rangeValues">[0]</option>
<option name="refresh.display">progressbar</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
<option name="trendColorInterpretation">standard</option>
<option name="trendDisplayMode">absolute</option>
<option name="unitPosition">after</option>
<option name="useColors">1</option>
<option name="useThousandSeparators">1</option>
</single>
</panel>
<panel>
<title>Information</title>
<single>
<search>
<query>`event_sources` Type="Information" AND NOT ("Audit Success" OR "Audit Failure") AND $Computer$ AND $keyword$ | stats count</query>
<earliest>$interval.earliest$</earliest>
<latest>$interval.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="colorBy">value</option>
<option name="colorMode">block</option>
<option name="drilldown">all</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0x65a637","0x65a637"]</option>
<option name="rangeValues">[0]</option>
<option name="refresh.display">progressbar</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
<option name="trendColorInterpretation">standard</option>
<option name="trendDisplayMode">absolute</option>
<option name="unitPosition">after</option>
<option name="useColors">1</option>
<option name="useThousandSeparators">1</option>
<drilldown>
<link target="_blank">search?q=`event_sources` Type="Information" | stats count&amp;earliest=$interval.earliest$&amp;latest=$interval.latest$</link>
</drilldown>
</single>
</panel>
<panel>
<title>Audit Failure</title>
<single>
<search>
<query>`event_sources` "Audit Failure" AND $Computer$ AND $keyword$
| stats count</query>
<earliest>$interval.earliest$</earliest>
<latest>$interval.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="colorMode">block</option>
<option name="drilldown">all</option>
<option name="rangeColors">["0xf58f39","0xf58f39"]</option>
<option name="rangeValues">[0]</option>
<option name="refresh.display">progressbar</option>
<option name="useColors">1</option>
<drilldown>
<link target="_blank">/app/eventid/audit_events</link>
</drilldown>
</single>
</panel>
<panel>
<title>Audit Success</title>
<single>
<search>
<query>`event_sources` Keywords="Audit Success" AND $Computer$ AND $keyword$ | stats count</query>
<earliest>$interval.earliest$</earliest>
<latest>$interval.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="colorMode">block</option>
<option name="drilldown">none</option>
<option name="rangeColors">["0x6db7c6","0x6db7c6"]</option>
<option name="rangeValues">[0]</option>
<option name="refresh.display">progressbar</option>
<option name="useColors">1</option>
</single>
</panel>
<panel>
<title>Logon Audit Failure</title>
<single>
<search>
<query>`event_sources` Failure_Reason=* ("Audit Failure") AND $Computer$ AND $keyword$ | eval user=mvindex(Account_Name,1) | stats count</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="colorMode">block</option>
<option name="drilldown">all</option>
<option name="rangeColors">["0xcc0000","0xcc0000"]</option>
<option name="rangeValues">[0]</option>
<option name="refresh.display">progressbar</option>
<option name="useColors">1</option>
<drilldown>
<link target="_blank">/app/eventid/audit_events</link>
</drilldown>
</single>
</panel>
</row>
<row>
<panel>
<title>Accounts with 3 or more failed logons</title>
<chart>
<search>
<query>`event_sources` Failure_Reason=* * ("Audit Failure") AND $Computer$ AND $keyword$ | stats count by user | where count &gt; 2</query>
<earliest>$interval.earliest$</earliest>
<latest>$interval.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">pie</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
<panel>
<title>Top computers generating events</title>
<chart>
<search>
<query>`event_sources` AND $Computer$ AND $keyword$ AND ($Audit_Type$ OR $Type$)
| eval SourceName = coalesce(SourceName,source)
| fillnull
| search $sourcetype_token$
| stats count by host</query>
<earliest>$interval.earliest$</earliest>
<latest>$interval.latest$</latest>
</search>
<option name="charting.chart">pie</option>
<option name="charting.legend.placement">none</option>
<option name="refresh.display">progressbar</option>
<drilldown>
<link target="_blank">/app/eventid/eventid?form.Computer=$row.host$</link>
</drilldown>
</chart>
</panel>
</row>
<row>
<panel>
<title>Windows events over time</title>
<chart>
<search>
<query>`event_sources` AND $Computer$ AND $keyword$ AND ($Audit_Type$ OR $Type$)
| timechart count</query>
<earliest>$interval.earliest$</earliest>
<latest>$interval.latest$</latest>
</search>
<option name="charting.axisLabelsY.majorUnit">1</option>
<option name="charting.axisTitleX.text">Time</option>
<option name="charting.axisTitleY.text">Events</option>
<option name="charting.axisY2.enabled">1</option>
<option name="charting.chart">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.overlayFields">"Audit Failure"</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.placement">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>Events Summary - Links to www.eventid.net</title>
<table id="link2">
<search>
<query>`event_sources` AND $Computer$ AND $keyword$ AND ($Audit_Type$ OR $Type$)
| eval SourceName = coalesce(SourceName,Provider)
| eval Type = coalesce(Type,Keyword)
| fillnull value="-"
| stats earliest(_time) as First latest(_time) as Last count by host, EventCode, SourceName, Type
| sort -count host, EventCode, SourceName, Type
| rename EventCode as "EventId"
| fieldformat First=strftime(First,"%x %X")
| fieldformat Last=strftime(Last,"%x %X")</query>
<earliest>$interval.earliest$</earliest>
<latest>$interval.latest$</latest>
</search>
<option name="count">10</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="wrap">true</option>
<drilldown>
<link target="_blank">https://www.eventid.net/display.asp?eventid=$row.EventId$&amp;source=$row.SourceName$&amp;app=SplunkEvId</link>
</drilldown>
</table>
</panel>
</row>
<row>
<panel>
<title>Events List</title>
<table id="link">
<search>
<query>`event_sources` AND $Computer$ AND $keyword$ AND ($Audit_Type$ OR $Type$)
| eval SourceName = coalesce(SourceName,Provider)
| eval Type = coalesce(Type,Keyword)
| fillnull
| table _time, host, EventCode, SourceName, Type, Message
| rename EventCode as "EventId"</query>
<earliest>$interval.earliest$</earliest>
<latest>$interval.latest$</latest>
</search>
<option name="count">10</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</form>
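Review bot: the "Logon Audit Failure" counter hardcodes `<earliest>-24h@h</earliest>` and `<latest>now</latest>` instead of `$interval.earliest$` and `$interval.latest$`, so it ignores the time picker and disagrees with the other five counters in the row whenever a different range is selected; use the interval tokens as every other panel does (the `eval user=mvindex(Account_Name,1)` ahead of `stats count` in that query is dead and can go). Further points in this file: the `Audit_Type` checkbox default is `Denial,Audit Failure` but the only choices are Audit Failure and Audit Success, so either add a `Denial` choice or remove it from the default; the "Windows events over time" chart sets `charting.chart.overlayFields` to "Audit Failure" while its `timechart count` produces a single `count` series, so the overlay never renders (apply the Keywords-to-Type eval used in the Events Summary panel and split with `timechart count by Type` if the overlay is wanted); the `eval Type = coalesce(Type,Keyword)` lines in the Events Summary and Events List panels refer to `Keyword` whereas the other queries use `Keywords`, which looks like a typo; `Failure_Reason=* * ("Audit Failure")` in "Accounts with 3 or more failed logons" has a stray bare `*`; and the Information counter's drilldown search omits the `NOT ("Audit Success" OR "Audit Failure")`, `$Computer$` and `$keyword$` filters of the panel query, so its result will not match the number displayed. Lastly, the Audit Success counter filters on `Keywords="Audit Success"` while the Audit Failure counter uses the free-text `"Audit Failure"`, which also matches any event whose message merely contains that phrase; use the `Keywords` field in both so the failure count is not inflated.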

@ -0,0 +1,55 @@
<form>
<label>Interesting Events</label>
<description>Click on the event to check it on www.eventid.net</description>
<fieldset autoRun="true" submitButton="false">
<input type="time" searchWhenChanged="true" token="interval">
<label>Select time range</label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="multiselect" searchWhenChanged="true" token="Computer">
<label>Computer</label>
<choice value="*">All</choice>
<default>*</default>
<prefix>(</prefix>
<suffix>)</suffix>
<valuePrefix>ComputerName="</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter> OR </delimiter>
<search>
<query>`event_sources` | stats count by ComputerName</query>
<earliest>$interval.earliest$</earliest>
<latest>$interval.latest$</latest>
</search>
<fieldForLabel>ComputerName</fieldForLabel>
<fieldForValue>ComputerName</fieldForValue>
</input>
<input type="text" searchWhenChanged="true" token="keyword">
<label>Keyword:</label>
<default>*</default>
</input>
</fieldset>
<row>
<panel>
<title>Interesting Events</title>
<table>
<search>
<query>`event_sources` AND $Computer$ AND $keyword$ | lookup interesting_events_lookup event_id AS EventCode, source AS SourceName OUTPUT source,description | search description="*" | table _time, ComputerName, EventCode, SourceName, Type, Message,description | rename EventCode as "EventId", description as "Why is it interesting?"</query>
<earliest>$interval.earliest$</earliest>
<latest>$interval.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</form>
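Review bot: the form description says "Click on the event to check it on www.eventid.net", but the only panel sets `<option name="drilldown">none</option>` and defines no `<drilldown>` link, so nothing is clickable; either add the eventid.net `<link>` drilldown (the table already exposes EventCode and SourceName for the URL) or change the description. Separately, `lookup interesting_events_lookup event_id AS EventCode, source AS SourceName OUTPUT source,description` writes the lookup's `source` column over the event's built-in `source` metadata field; it is harmless here because `source` is not displayed, but it will confuse anyone extending the query, so rename the output (e.g. `OUTPUT source AS lookup_source, description`). Note also that this dashboard filters on `ComputerName` while the summary dashboard filters on `host`; with Windows Event Forwarding `host` can be the collector rather than the originating machine, depending on how the forwarder input is configured, so document which field each dashboard filters on.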

@ -0,0 +1,189 @@
<form>
<label>Processes</label>
<description>List of processes identified through event id 4688 and listed in the www.eventid.net list of processes that may indicate suspicious activity. To generate event id 4688, a system requires the audit of process creation. See the documentation for more details.</description>
<fieldset autoRun="true" submitButton="false">
<input type="time" searchWhenChanged="true" token="interval">
<label>Select time range</label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="multiselect" token="Computer" searchWhenChanged="true">
<label>Computer</label>
<choice value="*">All</choice>
<default>*</default>
<prefix>(</prefix>
<suffix>)</suffix>
<valuePrefix>ComputerName="</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter> OR </delimiter>
<search>
<query>`event_sources` (EventCode=4688) | stats count by ComputerName</query>
<earliest>$interval.earliest$</earliest>
<latest>$interval.latest$</latest>
</search>
<fieldForLabel>ComputerName</fieldForLabel>
<fieldForValue>ComputerName</fieldForValue>
</input>
<input type="multiselect" token="process_id" searchWhenChanged="true">
<label>Process Id</label>
<choice value="*">All</choice>
<default>*</default>
<prefix>(</prefix>
<suffix>)</suffix>
<valuePrefix>New_Process_ID="</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter> OR </delimiter>
<search>
<query>`event_sources` (EventCode=4688) | stats count by New_Process_ID</query>
<earliest>$interval.earliest$</earliest>
<latest>$interval.latest$</latest>
</search>
<fieldForLabel>New_Process_ID</fieldForLabel>
<fieldForValue>New_Process_ID</fieldForValue>
</input>
<input type="multiselect" token="creator" searchWhenChanged="true">
<label>Creator Process Id</label>
<choice value="*">All</choice>
<default>*</default>
<prefix>(</prefix>
<suffix>)</suffix>
<valuePrefix>Creator_Process_ID="</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter> OR </delimiter>
<search>
<query>`event_sources` (EventCode=4688) | stats count by Creator_Process_ID</query>
<earliest>$interval.earliest$</earliest>
<latest>$interval.latest$</latest>
</search>
<fieldForLabel>Creator_Process_ID</fieldForLabel>
<fieldForValue>Creator_Process_ID</fieldForValue>
</input>
<input type="text" token="keyword" searchWhenChanged="true">
<label>Keyword:</label>
<default>*</default>
</input>
<input type="radio" token="nocomputer" searchWhenChanged="true">
<label>Hide computer accounts related events</label>
<choice value="Account_Name != &quot;*$*&quot;">Yes</choice>
<choice value="">No</choice>
<default>Account_Name != "*$*"</default>
<initialValue>Account_Name != "*$*"</initialValue>
</input>
<input type="radio" token="nocmdpowershell" searchWhenChanged="true">
<label>Filter out cmd.exe and powershell.exe</label>
<choice value="AND NOT (New_Process_Name = &quot;*cmd.exe*&quot; OR New_Process_Name = &quot;*powershell.exe*&quot;)">Yes</choice>
<choice value="New_Process_Name = &quot;*&quot;">No</choice>
<default>New_Process_Name = "*"</default>
<initialValue>New_Process_Name = "*"</initialValue>
</input>
</fieldset>
<row>
<panel>
<title>Interesting Processes</title>
<table>
<search>
<query>`event_sources` AND $Computer$ AND $keyword$ $nocomputer$ $creator$ $process_id$ $nocmdpowershell$ (EventCode=4688) | lookup processlookup full_path_process as New_Process_Name OUTPUT process | lookup interesting_process_lookup process OUTPUT Category,Process_Details | search Category="*" | table _time, host, Account_Name, Process_Command_Line, process,Category,Process_Details, New_Process_ID,
Creator_Process_ID | rename host as Server,process as Process,Process_Details as "Interesting Process Details"</query>
<earliest>$interval.earliest$</earliest>
<latest>$interval.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
<row>
<panel>
<title>Last 100 Processes</title>
<table>
<search>
<query>`event_sources` (EventCode=4688) AND $Computer$ AND $keyword$ $nocomputer$ $creator$ $process_id$ $nocmdpowershell$
| head 100
| table _time, host,Account_Name, New_Process_Name,Process_Command_Line, New_Process_ID,
Creator_Process_ID</query>
<earliest>$interval.earliest$</earliest>
<latest>$interval.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
<row>
<panel>
<title>Top Processes</title>
<table>
<search>
<query>`event_sources` (EventCode=4688) AND $Computer$ AND $keyword$ $nocomputer$ $creator$ $process_id$ $nocmdpowershell$ | stats count by host, New_Process_Name | table host, New_Process_Name,count | sort -count | rename count as Count</query>
<earliest>$interval.earliest$</earliest>
<latest>$interval.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
<row>
<panel>
<title>Least Common Processes</title>
<table>
<search>
<query>`event_sources` (EventCode=4688) AND $Computer$ AND $keyword$ $nocomputer$ $creator$ $process_id$ $nocmdpowershell$ | stats count by host, New_Process_Name | table host, New_Process_Name,count | sort count| rename count as Count</query>
<earliest>$interval.earliest$</earliest>
<latest>$interval.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
<row>
<panel>
<title>Unusually Long CLI Commands</title>
<table>
<search>
<query>`event_sources` (EventCode=4688) AND (ComputerName="*") AND * Account_Name != "*$$*" (Creator_Process_ID="*") (New_Process_ID="*") New_Process_Name = "*" | head 100 | table _time, host,Account_Name, New_Process_Name,Process_Command_Line, New_Process_ID,
Creator_Process_ID</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</form>
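Review bot: the "Unusually Long CLI Commands" panel does not filter on command-line length at all: its query is a token-expanded copy of the "Last 100 Processes" query (`(ComputerName="*") AND * Account_Name != "*$$*" (Creator_Process_ID="*") (New_Process_ID="*") New_Process_Name = "*" | head 100`) with the time range hardcoded to `-24h@h` and `now`, so it ignores every input on the form and simply lists the 100 most recent 4688 events. Replace the literals with the tokens the other panels use (`$Computer$ AND $keyword$ $nocomputer$ $creator$ $process_id$ $nocmdpowershell$` and `$interval.earliest$`/`$interval.latest$`) and add a real length criterion, for example `| eval cmd_len=len(Process_Command_Line) | where cmd_len > 200 | sort -cmd_len`, with the threshold tuned to the environment. Also in this file, the `nocomputer` radio writes `Account_Name != "*$*"` with a single `$` in the choice value, default and initialValue, while the panel above escapes the same literal as `$$`; Simple XML treats `$...$` as a token delimiter, so use `$$` consistently.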

@ -0,0 +1,225 @@
<form>
<label>Users and Groups</label>
<description>Users and Groups Activities</description>
<fieldset submitButton="false">
<input type="time" token="interval">
<label>Time interval</label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="text" token="keyword" searchWhenChanged="true">
<label>Filter</label>
<default>*</default>
<initialValue>*</initialValue>
</input>
</fieldset>
<row>
<panel>
<title>Users Created</title>
<chart>
<search>
<query>`event_sources` eventtype=windows_account_created $keyword$
| timechart count</query>
<earliest>$interval.earliest$</earliest>
<latest>$interval.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.abbreviation">none</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.abbreviation">none</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.abbreviation">none</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">column</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.mode">standard</option>
<option name="charting.legend.placement">bottom</option>
<option name="charting.lineWidth">2</option>
<option name="refresh.display">progressbar</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
</chart>
</panel>
<panel>
<title>Attempts to login with disabled accounts</title>
<table>
<search>
<query>`event_sources` name="*currently disabled*" $keyword$
| eval domain=mvindex(Account_Domain,1)
| eval source_computer = coalesce(Workstation_Name,src_ip)
| eval domain = coalesce(domain,src_nt_domain)
| table _time,host,domain,user,source_computer</query>
<earliest>$interval.earliest$</earliest>
<latest>$interval.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
<row>
<panel>
<title>Users Added to Domain Admins or Enterprise Admins</title>
<table>
<search>
<query>`event_sources` name="A member was added to a security-enabled *" AND ("Enterprise Admins" OR "Domain Admins") $keyword$
| rename dest_nt_domain as domain, EventCode as "event id", Display_Name as "user name",host as server
| dedup _time,user
| eval added_by=mvindex(Security_ID,0)
| eval user=mvindex(Security_ID,1)
| table _time, server,domain, user,added_by</query>
<earliest>$interval.earliest$</earliest>
<latest>$interval.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
<panel>
<title>Users Added to local Administrators</title>
<table>
<search>
<query>`event_sources` name="A member was added to a security-enabled local group" AND user_group="Administrators" $keyword$
| rename dest_nt_domain as domain, EventCode as "event id", Display_Name as "user name",host as server
| eval added_by=mvindex(Security_ID,0)
| eval user=mvindex(Security_ID,1)
| table _time, server,domain, user,added_by</query>
<earliest>$interval.earliest$</earliest>
<latest>$interval.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
<row>
<panel>
<title>Users Created</title>
<table>
<search>
<query>`event_sources` eventtype=windows_account_created
| rename dest_nt_domain as domain, EventCode as "event id", Display_Name as "user name",host as server
| dedup _time,user
| eval created_by=mvindex(Account_Name,0)
| table _time, server,domain, user,"user name", created_by
| sort _time</query>
<earliest>$interval.earliest$</earliest>
<latest>$interval.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
<panel>
<title>Users Deleted</title>
<table>
<search>
<query>`event_sources` AND eventtype=windows_account_deleted $keyword$
| eval deleted_by=mvindex(Account_Name,0)
| table _time, host, user,deleted_by
| sort _time</query>
<earliest>$interval.earliest$</earliest>
<latest>$interval.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="drilldown">cell</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
<row>
<panel>
<title>Groups Created</title>
<table>
<search>
<query>`event_sources` name="A security-enabled global group was created"
| dedup _time,Group_Name
| rename dest_nt_domain as domain, EventCode as "event id", user as "created_by",host as server
| table _time, server,domain,Group_Name, created_by
| sort _time</query>
<earliest>$interval.earliest$</earliest>
<latest>$interval.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
<panel>
<title>Groups Deleted</title>
<table>
<search>
<query>`event_sources` name="A security-enabled global group was deleted" $keyword$
| rename dest_nt_domain as domain, EventCode as "event id", user as "Deleted by",host as server
| table _time, server,domain,Group_Name, "Deleted by"
| sort _time</query>
<earliest>$interval.earliest$</earliest>
<latest>$interval.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</form>
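Review bot: in the "Users Added to Domain Admins or Enterprise Admins" search, `| dedup _time,user` runs before `| eval user=mvindex(Security_ID,1)`, so the dedup keys on whatever `user` field (if any) the add-on had already extracted rather than on the value the panel displays, and because `dedup` defaults to `keepempty=false`, events with no pre-existing `user` field are dropped outright; move the dedup after the two `eval` lines. Two consistency points: the `$keyword$` filter token is applied in the "Users Created" chart, "Users Deleted" and "Groups Deleted", but not in the "Users Created" table or "Groups Created", so the Filter input silently does nothing for those two panels; and `` `event_sources` AND eventtype=windows_account_deleted `` has a leading `AND` that the other panels omit. Finally, the Domain Admins panel finds the group by free text, `("Enterprise Admins" OR "Domain Admins")`, while the local Administrators panel uses the field match `user_group="Administrators"`; using the field match in both avoids hits where the group name merely appears elsewhere in the message.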

@ -0,0 +1,120 @@
<form>
<label>Event Sources</label>
<description>Click on the event source to check it on www.eventid.net</description>
<fieldset autoRun="true" submitButton="false">
<input type="time" searchWhenChanged="true">
<label>Select time range</label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="multiselect" token="Type" searchWhenChanged="true">
<label>Event types</label>
<default>Error</default>
<prefix>(</prefix>
<suffix>)</suffix>
<valuePrefix>Type="</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter> OR </delimiter>
<search>
<query>`event_sources`| stats count by Type</query>
<earliest>$earliest$</earliest>
<latest>$latest$</latest>
</search>
<fieldForLabel>Type</fieldForLabel>
<fieldForValue>Type</fieldForValue>
</input>
<input type="multiselect" token="Computer" searchWhenChanged="true">
<label>Computer</label>
<choice value="*">All</choice>
<default>*</default>
<prefix>(</prefix>
<suffix>)</suffix>
<valuePrefix>ComputerName="</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter> OR </delimiter>
<search>
<query>`event_sources` | stats count by ComputerName</query>
<earliest>$earliest$</earliest>
<latest>$latest$</latest>
</search>
<fieldForLabel>ComputerName</fieldForLabel>
<fieldForValue>ComputerName</fieldForValue>
</input>
<input type="text" token="keyword" searchWhenChanged="true">
<label>Keyword:</label>
<default>*</default>
</input>
</fieldset>
<row>
<panel>
<title>Event sources</title>
<table id="link">
<title>Click on the source to look it up on www.eventid.net</title>
<search>
<query>`event_sources` $Type$ AND $Computer$ AND $keyword$ | stats count as TotalEvents by SourceName</query>
</search>
<drilldown>
<link target="_blank">https://www.eventid.net/source-name-$row.SourceName$.htm</link>
</drilldown>
<option name="wrap">true</option>
<option name="rowNumbers">false</option>
<option name="dataOverlayMode">none</option>
<option name="count">10</option>
<option name="drilldown">cell</option>
</table>
</panel>
<panel>
<title>Event sources percentages</title>
<chart>
<search>
<query>`event_sources` $Type$ AND $Computer$ AND $keyword$ | stats count by SourceName</query>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">pie</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>Matching events - drill down option</title>
<event>
<search>
<query>`event_sources` $Type$ AND $Computer$ AND $keyword$| table _time, ComputerName, LogName, EventCode, SourceName, Type, Message, UserName</query>
</search>
<option name="type">table</option>
<option name="count">10</option>
<option name="list.drilldown">full</option>
<option name="list.wrap">1</option>
<option name="maxLines">5</option>
<option name="raw.drilldown">full</option>
<option name="rowNumbers">0</option>
<option name="table.drilldown">all</option>
<option name="table.wrap">1</option>
<fields>["ComputerName","LogName","EventCode","SourceName","Type","Message","UserName"]</fields>
</event>
</panel>
</row>
</form>
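Review bot: the three panel searches in this dashboard (`` `event_sources` $Type$ AND $Computer$ AND $keyword$ | stats count as TotalEvents by SourceName `` and the two that follow) carry no `<earliest>`/`<latest>`, so they depend on the tokenless time input applying form-wide, while the two multiselect populating searches reference `$earliest$`/`$latest$` explicitly; that works, but the XML dashboard in this same commit names its time input `interval` and references `$interval.earliest$`/`$interval.latest$` in every search, so one convention across the app would be easier to maintain. Dead configuration worth pruning: the `<event>` viewer is fixed to `<option name="type">table</option>`, so `list.drilldown`, `list.wrap`, `raw.drilldown` and `maxLines` never take effect. Minor: the label `Keyword:` has a trailing colon that the other input labels lack.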

@ -0,0 +1,208 @@
<form>
<label>XML</label>
<description>Dashboard for events collected using the renderXML option</description>
<fieldset autoRun="true" submitButton="false">
<input type="time" searchWhenChanged="true" token="interval">
<label>Select time range</label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="checkbox" searchWhenChanged="true" token="Type">
<label>Event types</label>
<choice value="2">Error</choice>
<choice value="3">Warning</choice>
<choice value="4">Information</choice>
<choice value="0">Audit</choice>
<prefix>(</prefix>
<suffix>)</suffix>
<valuePrefix>Level="</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter> OR </delimiter>
<fieldForLabel>Level</fieldForLabel>
<fieldForValue>Level</fieldForValue>
<default>3,2</default>
<initialValue>2,3</initialValue>
</input>
<input type="multiselect" searchWhenChanged="true" token="Computer">
<label>Computer</label>
<choice value="*">All</choice>
<default>*</default>
<prefix>(</prefix>
<suffix>)</suffix>
<valuePrefix>Computer="</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter> OR </delimiter>
<search>
<query>`event_sources_xml` | stats count by Computer</query>
<earliest>$interval.earliest$</earliest>
<latest>$interval.latest$</latest>
</search>
<fieldForLabel>Computer</fieldForLabel>
<fieldForValue>Computer</fieldForValue>
</input>
<input type="text" searchWhenChanged="true" token="keyword">
<label>Keyword:</label>
<default>*</default>
</input>
<input type="multiselect" token="sourcetype_token" searchWhenChanged="true">
<label>Excluded event sources</label>
<default>none</default>
<!-- The final value will be surrounded by prefix and suffix -->
<prefix>(</prefix>
<suffix>)</suffix>
<!-- Each value will be surrounded by the valuePrefix and valueSuffix -->
<valuePrefix>Name!="</valuePrefix>
<valueSuffix>"</valueSuffix>
<!-- All the values and their valuePrefix and valueSuffix will be concatenated together with the delimiter between them -->
<delimiter> AND </delimiter>
<choice value="none">None</choice>
<search>
<query>`event_sources_xml` $Type$ AND $Computer$ AND $keyword$ | rex field=Name mode=sed "s/\'//g" | stats count by Name</query>
<earliest>$interval.earliest$</earliest>
<latest>$interval.latest$</latest>
</search>
<fieldForLabel>Name</fieldForLabel>
<fieldForValue>Name</fieldForValue>
</input>
</fieldset>
<row>
<panel>
<title>Windows events over time</title>
<chart>
<search>
<query>`event_sources_xml`
| search $Type$ $Computer$ AND $keyword$
| lookup xmleventtype_lookup xml_type AS Level OUTPUT event_type
| timechart count by event_type</query>
<earliest>$interval.earliest$</earliest>
<latest>$interval.latest$</latest>
</search>
<option name="charting.axisLabelsY.majorUnit">1</option>
<option name="charting.axisTitleX.text">Time</option>
<option name="charting.axisTitleY.text">Events</option>
<option name="charting.chart">line</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.legend.placement">bottom</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
<panel>
<title>Top computers generating events</title>
<chart>
<search>
<query>`event_sources_xml` | fillnull value="-" | search $Computer$ AND $keyword$ | stats count by Computer</query>
<earliest>$interval.earliest$</earliest>
<latest>$interval.latest$</latest>
</search>
<option name="charting.chart">pie</option>
<option name="charting.legend.placement">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
<panel>
<title>Accounts with 3 or more failed logons</title>
<chart>
<search>
<query>`event_sources_xml` eventtype=windows_logon_failure | stats count by user | where count &gt; 2</query>
<earliest>$interval.earliest$</earliest>
<latest>$interval.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">pie</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
<panel>
<title>Logon Audit Failure events</title>
<single>
<search>
<query>`event_sources_xml` eventtype=windows_logon_failure | eval user=mvindex(Account_Name,1) | stats count</query>
<earliest>$interval.earliest$</earliest>
<latest>$interval.latest$</latest>
</search>
<option name="rangeValues">[0,2,5,10]</option>
<option name="refresh.display">progressbar</option>
<option name="useColors">1</option>
</single>
</panel>
</row>
<row>
<panel>
<title>Events Summary</title>
<table id="link2">
<search>
<query>`event_sources_xml` | search $Type$ $Computer$ | lookup xmleventtype_lookup xml_type AS Level OUTPUT event_type | rex field=Name mode=sed "s/\'//g" | stats earliest(_time) as First latest(_time) as Last count by Computer,EventID,Name,Channel, event_type,eventtype | sort -count Computer,EventID,Name,Channel, event_type,eventtype | fieldformat First=strftime(First,"%x %X") | fieldformat Last=strftime(Last,"%x %X") | rename Channel as Log, Name as Source,event_type as Level,eventtype as Category</query>
<earliest>$interval.earliest$</earliest>
<latest>$interval.latest$</latest>
</search>
<option name="count">10</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="wrap">true</option>
<drilldown>
<link target="_blank">https://www.eventid.net/display.asp?eventid=$row.EventId$&amp;source=$row.SourceName$&amp;app=SplunkEvId</link>
</drilldown>
</table>
</panel>
<panel>
<title>Logon Audit Failure events</title>
<table>
<search>
<query>`event_sources_xml` eventtype=windows_logon_failure | table _time,Computer,EventID,user,WorkstationName,LogonType,name | rename name as Details</query>
<earliest>$interval.earliest$</earliest>
<latest>$interval.latest$</latest>
</search>
<option name="count">10</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
<row>
<panel>
<title>Events List</title>
<table id="link">
<search>
<query>`event_sources_xml` | search ($Type$) AND $Computer$ AND $keyword$ $sourcetype_token$ | rex field=Name mode=sed "s/\'//g" | lookup xmleventtype_lookup xml_type AS Level OUTPUT event_type | lookup xml_raw_data_lookup raw_xml_data as EventData_Xml OUTPUT extracted_xml_data | eval extracted_xml_data = split(extracted_xml_data,"@") | table _time,EventID,Name,Channel, event_type,eventtype, extracted_xml_data | rename Channel as Log, event_type as Level, eventtype as Category, Name as Source</query>
<earliest>$interval.earliest$</earliest>
<latest>$interval.latest$</latest>
</search>
<option name="count">10</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</form>
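Review bot: the Events Summary drilldown is broken: the link `https://www.eventid.net/display.asp?eventid=$row.EventId$&amp;source=$row.SourceName$&amp;app=SplunkEvId` references `EventId` and `SourceName`, but the table's columns are `EventID` (row tokens are case-sensitive) and `Source` (that search renames `Name` to `Source`; the XML searches have no `SourceName` field at all), so both query parameters expand to empty strings. Use `$row.EventID$` and `$row.Source$`. Other points: in the single-value "Logon Audit Failure events" panel the `| eval user=mvindex(Account_Name,1)` is dead code ahead of `| stats count`; the three logon-failure panels ignore the `$Type$`, `$Computer$` and `$keyword$` inputs that every other panel honours, which will surprise a user who has narrowed the Computer selector; the checkbox input has `<default>3,2</default>` but `<initialValue>2,3</initialValue>`, and carries `fieldForLabel`/`fieldForValue` although it has static choices and no populating search; and the `Excluded event sources` default `none` expands to `(Name!="none")`, which is harmless but belongs in the comment block above it so nobody "fixes" it later.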

@ -0,0 +1,8 @@

[event_sources]
definition = (index="wineventlog" OR source=*WinEventLog*)
iseval = 0
[event_sources_xml]
definition = index="wineventlog_xml"
disabled = 0
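Review bot: the two stanzas differ for no stated reason: `[event_sources]` sets `iseval = 0` and parenthesizes its definition, `[event_sources_xml]` sets `disabled = 0` and does not. The parentheses matter because the macro is expanded verbatim at the front of searches such as `` `event_sources_xml` $Type$ AND $Computer$ AND $keyword$ ``; once the setup page in this commit lets a user rewrite the definition through `admin/macros`, an unparenthesized value like `index=a OR index=b` changes the precedence of every search that uses the macro. Recommend `definition = (index="wineventlog_xml")` and the same attribute set in both stanzas.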

@ -0,0 +1,23 @@
<setup>
<block title="Specify the index and our data sources matching Windows events"
endpoint="admin/macros"
entity="event_sources">
<input field="definition">
<label>The EventId App will analyze the specified index</label>
<type>text</type>
</input>
</block>
<block title="Specify the index storing Windows XML events (only if using renderXML stanza)"
endpoint="admin/macros"
entity="event_sources_xml">
<input field="definition">
<label>The XML dashboard will analyze the specified index</label>
<type>text</type>
</input>
</block>
</setup>
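Review bot: both labels describe the field as an index name (`The EventId App will analyze the specified index`), but the field edits the full `definition` of the `event_sources` / `event_sources_xml` macros, i.e. a search fragment that is spliced in front of every dashboard search; the label should state the expected form, for example `(index="wineventlog" OR source=*WinEventLog*)`, and that a multi-term value must be parenthesized. Also, `Specify the index and our data sources` looks like a typo for `other data sources`.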

@ -0,0 +1,22 @@
[interesting_process_lookup]
default_match = N/A
filename = eventid_interesting_processes.csv
max_matches = 1
[processlookup]
external_cmd = ev_process_proc.py full_path_process process
fields_list = full_path_process,process
[xmleventtype_lookup]
default_match = N/A
filename = xml_event_types.csv
max_matches = 1
[xml_raw_data_lookup]
external_cmd = ev_process_xml_parameters.py raw_xml_data extracted_xml_data
fields_list = raw_xml_data,extracted_xml_data
[interesting_events_lookup]
default_match = N/A
filename = eventid_interesting_events.csv
max_matches = 1
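Review bot: `[processlookup]` and `[xml_raw_data_lookup]` are external lookups that execute `ev_process_proc.py` and `ev_process_xml_parameters.py` at search time, but neither script appears in this hunk; make sure they ship in the app's `bin/` directory and that the argument names in each `external_cmd` match `fields_list` (they do as written: `full_path_process process` and `raw_xml_data extracted_xml_data`). The CSV-backed lookups should document their column headers where the dashboards consume them: the XML dashboard calls `lookup xmleventtype_lookup xml_type AS Level OUTPUT event_type`, so `xml_event_types.csv` needs `xml_type` and `event_type` columns, and `default_match = N/A` only applies when `Level` has no row in that file. `[interesting_process_lookup]` and `[interesting_events_lookup]` have no consumer in the hunks above; a comment naming the dashboard that uses each would help.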

@ -0,0 +1,10 @@

[Eventid.Net lookup]
display_location = event_menu
eventtypes = winapp
fields = $EventCode$,$SourceName$
label = Lookup event id $EventCode$ on www.eventid.net
link.method = get
link.target = blank
link.uri = https://www.eventid.net/display.asp?eventid=$EventCode$&app=Splunk&source=$SourceName$
type = link
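Review bot: `fields = $EventCode$,$SourceName$` uses `$...$` token syntax, but `fields` in workflow_actions.conf takes plain field names (the `$field$` form belongs in `label` and `link.uri`); with the dollar signs the action is gated on fields literally named `$EventCode$` and `$SourceName$`, which no event carries, so it is likely never offered in the event menu. Change it to `fields = EventCode,SourceName`. The `eventtypes = winapp` restriction also depends on an eventtype that none of the hunks above define; confirm it exists in the app's eventtypes.conf.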

@ -0,0 +1,57 @@
{\rtf1\ansi\ansicpg1252\deff0{\fonttbl{\f0\fswiss\fcharset0 Helvetica;}}
{\*\generator Msftedit 5.41.21.2508;}
{\info
{\title Splunk Software License Agreement}
{\*\company Splunk Inc.}}\viewkind4\uc1\pard\qc\lang1033\b\f0\fs22 SPLUNK SOFTWARE LICENSE AGREEMENT\par
\pard\b0\fs18\par
THIS SPLUNK SOFTWARE LICENSE AGREEMENT (THE "AGREEMENT") GOVERNS ALL SOFTWARE PROVIDED BY SPLUNK INC. ("SPLUNK") INCLUDING FREE SPLUNK SOFTWARE ("FREE SOFTWARE") AND SOFTWARE PURCHASED THROUGH SPLUNK'S ONLINE STORE OR OTHER CHANNELS ("PURCHASED SOFTWARE"), COLLECTIVELY THE SPLUNK SOFTWARE ("SOFTWARE") AND ANY AND ALL UPDATES, UPGRADES, AND MODIFICATIONS THERETO. CONFIRMATION OF YOUR ORDERS ("ORDER CONFIRMATION") WILL BE DEEMED INCORPORATED INTO AND MADE PART OF THIS AGREEMENT.\par
\par
YOU WILL BE REQUIRED TO INDICATE YOUR AGREEMENT TO THESE TERMS AND CONDITIONS IN ORDER TO DOWNLOAD THE SOFTWARE AND REGISTER WITH SPLUNK IN ORDER TO OBTAIN LICENSE KEYS NECESSARY TO COMPLETE THE INSTALLATION PROCESS FOR PURCHASED SOFTWARE. BY CLICKING ON THE "YES" BUTTON, DOWNLOADING OR INSTALLING THE SOFTWARE, OR USING ANY MEDIA THAT CONTAINS THE SOFTWARE, YOU ARE CONSENTING TO BE BOUND BY THIS AGREEMENT.\par
\par
IF YOU AGREE TO THESE TERMS ON BEHALF OF A BUSINESS, YOU REPRESENT AND WARRANT THAT YOU HAVE AUTHORITY TO BIND THAT BUSINESS TO THIS AGREEMENT, AND YOUR AGREEMENT TO THESE TERMS WILL BE TREATED AS THE AGREEMENT OF THE BUSINESS. IN THAT EVENT, "YOU" AND "YOUR" REFER HEREIN TO THAT BUSINESS.\par
\par
"Splunk Developer API" means the documentation and functionality enabling the creation of extensions to the Software. "Example Modules" means the source code and binary form of examples that use the Splunk Developer API. \par
\par
PURCHASED SOFTWARE TERM. Unless earlier terminated, this Agreement will be in effect perpetually for any Purchased Software. "Term" means the period in which the Agreement is in effect.\par
\par
PURCHASED SOFTWARE FREE TRIAL. Notwithstanding the foregoing, if the applicable Order Confirmation is limited to a free trial license, then the Term will be limited to the free trial period specified in the Order Confirmation, this Agreement and any license rights granted hereunder will automatically terminate at the end of the free trial period, and there will be no Renewal Term. Any license keys provided for a free trial will automatically expire and may cause the Software to become non-operational at the end of the free trial period. Provisions in this Agreement regarding License Fees, Maintenance and Support, and Warranty will not apply to free trials.\par
\par
PURCHASED SOFTWARE LICENSE. Subject to your compliance with the terms and conditions of this Agreement, including your payment of the license fees set forth in each Order Confirmation (the "License Fees"), Splunk grants you a nonexclusive, nontransferable, revocable, limited license during the Term to use the Software for which you have paid the applicable License Fees as set forth in your Order Confirmation(s), only for your internal business purposes (which shall include use by consultants, accountants, auditors and attorneys hired to perform services for you) and only subject to the following conditions: you may use each Splunk Server with an Enterprise license to index no more than the peak daily volume of uncompressed data for which you have paid the applicable License Fees as set forth in your Order Confirmation (the "Maximum Peak Daily Volume"). The Software will be configured to display warnings and/or cease indexing data when the Maximum Peak Daily Volume is reached.\par
\par
FREE SOFTWARE LICENSE. Subject to the terms and conditions of this Agreement, Splunk grants to You a non-exclusive, worldwide, fully-paid up copyright license to use the Free Splunk Software in binary form only and only subject to the following conditions: (i) to index no more than 500MB of peak daily volume of uncompressed data (the 'Maximum Peak Daily Volume') and only for your internal business purposes (which shall include use by consultants, accountants, auditors and attorneys hired to perform services for you). The Software will be configured to display warnings, reduce available functionality, and/or cease indexing data when the Maximum Peak Daily Volume is reached.\par
\par
EXTENSION LICENSE. Splunk further grants to You a non-exclusive, worldwide, fully-paid up copyright license to use the Splunk Developer API and Example Modules included with the Software solely for the purpose of developing extensions to access the Splunk API or Example Modules for Your use in conjunction with the Software (collectively, "Your Extensions"). You agree to assume full responsibility for the performance of Your Extensions, and shall indemnify, hold harmless, and defend Splunk (including all of its officers, employees, directors, subsidiaries, representatives, affiliates and agents) and Splunk's suppliers from and against any claims or lawsuits, including attorney's fees and expenses, that arise or result from Your Extensions pursuant to this Agreement. You retain title to and copyright for Your Extensions, subject to Splunk's title to and copyright for the Software, the Splunk Developer API, and the Example Modules as specified in Ownership and Copyrights, below. This Agreement does not grant you any distribution rights. If you want to distribute or provide to any third parties Your Extensions, you must first register as a Splunk application developer and agree to the Splunk Developer Agreement at http://www.splunk.com/goto/devagreement. You will not remove or change any Splunk copyright notices or branding included in the Splunk Software or required by Splunk's Identity Guidelines as set forth at http://www.splunk.com/goto/splunkpowered, Splunk Developer APIs, or Example Modules, and will include such notices and branding in each copy of Your Extensions, the Splunk Software, the Splunk Developer APIs, and the Examples Modules that you make or distribute.\par
\par
PURCHASED SOFTWARE RESTRICTIONS. You agree not to (i) use the Software except as expressly authorized in this Agreement and your Order Confirmation; (ii) copy the Software (except as required to run the Software and for reasonable backup purposes); (iii) modify, adapt, or create derivative works of the Software; (iv) rent, lease, loan, resell, transfer, sublicense (including but not limited to offering any of the functionality of the Software on a service provider, hosted or time sharing basis) or distribute the Software to any third party; (v) decompile, disassemble or reverse-engineer the Software or otherwise attempt to derive the Software source code; (vi) disclose to any third party the results of any benchmark tests or other evaluation of the Software, or (vii) authorize any third parties to do any of the above.\par
\par
FREE SOFTWARE RESTRICTIONS. You shall not (i) decompile, disassemble or reverse engineer the Free Software without the express written authorization of Splunk; (ii) modify, adapt, or create derivative works of the Free Software; (iii) rent, lease, loan, or resell the Free Software, the Splunk Developer API, Example Modules, or Your Extensions (including but not limited to offering the functionality of the Free Software on an applications service provider or time sharing basis), except as expressly permitted in the Splunkbase Application Developer Agreement; (iv) decompile, disassemble or reverse-engineer the Software or otherwise attempt to derive the Software source code; (v) disclose to any third party the results of any benchmark tests or other evaluation of the Software, or (vi) authorize any third parties to do any of the above.\par
\par
OWNERSHIP. Splunk and/or its licensors own all worldwide right, title and interest in and to the Software, including all worldwide intellectual property rights therein. You will not delete or in any manner alter the copyright, trademark, and other proprietary rights notices appearing in or on the Software as provided. All right, title, and interest in and to all copies the Splunk Developer API, and the Example Modules remains with Splunk and/or its licensors. The Software, Splunk Developer API, and Example Modules are copyrighted and protected by the laws of the United States and other countries, and international treaty provisions. You may not remove any copyright notices from the Software, the Splunk Developer API, or the Example Modules.\par
\par
PURCHASED SOFTWARE LICENSE AND FEES. In order to access and use the Software, you are required to pay to Splunk the License Fees in accordance with your Order Confirmation. The License Fees will be due and payable in accordance with the terms set forth in your Order Confirmation. Any failure to pay the License Fees in accordance with an Order Confirmation will result in automatic revocation and termination of this Agreement and all rights and licenses granted hereunder. All License Fees are non-refundable once paid.\par
\par
MAINTENANCE AND SUPPORT. Subject to your payment of the applicable annual maintenance and support fees set forth in your Order Confirmation (the "Support Fees"), Splunk will provide the level of support for the Purchased Software identified in your Order Confirmation in accordance with the support descriptions set forth on Splunk's website at www.splunk.com. Splunk is not obligated to support, update or upgrade the Free Software.\par
\par
PURCHASED SOFTWARE VERIFICATION AND AUDIT. At Splunk's written request, you will furnish Splunk with a certification signed by an officer of your company verifying that the Software is being used in accordance with the terms and conditions of this Agreement and the applicable Order Confirmations. Upon at least ten (10) days prior written notice, Splunk may audit your use of the Software to ensure that you are in compliance with the terms of this Agreement and the applicable Orders. Any such audit will be conducted during regular business hours at your facilities, will not unreasonably interfere with your business activities and will be in compliance with your reasonable security procedures. You will provide Splunk with access to the relevant records and facilities. If an audit reveals that you have exceeded the daily peak volume during the period audited, then Splunk will invoice you, and you will promptly pay Splunk any underpaid fees based on Splunk's price list in effect at the time the audit is completed. If the daily peak volume usage exceeds ten percent (10%) of the licensed usage, then you will also pay Splunk's reasonable costs of conducting the audit.\par
\par
PURCHASED SOFTWARE WARRANTY. Splunk warrants that for a period of thirty (30) days after your registration of the Software with Splunk, the Software will substantially achieve any material function described in documentation for the Software published by Splunk. As Splunk's sole liability and your sole remedy for any failure of the Software to conform to this warranty, Splunk will repair or replace (at Splunk's option) your copy of the Software.\par
\par
WARRANTY DISCLAIMER. EXCEPT AS SET FORTH ABOVE, SPLUNK DISCLAIMS ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, QUIET ENJOYMENT AND WARRANTIES ARISING OUT OF COURSE OF DEALING OR USAGE OF TRADE. Splunk does not warrant (i) that the Software, developer's API'S or example modules will meet your requirements, (ii) that the Software will operate in the combinations that you may select, (iii) that the Software will serve the purposes intended by you, or (iv) that the operation of the Software will be error free or uninterrupted or that any Software errors will be corrected.\par
\par
LIMITATION OF LIABILITY. SPLUNK'S TOTAL CUMULATIVE LIABILITY TO YOU, FROM ALL CAUSES OF ACTION AND ALL THEORIES OF LIABILITY, WILL BE LIMITED TO AND WILL NOT EXCEED THE AMOUNTS PAID BY YOU TO SPLUNK IN THE TWELVE MONTHS PRIOR TO THE EVENT GIVING RISE TO SUCH LIABILITY. IN NO EVENT WILL SPLUNK BE LIABLE TO YOU FOR ANY SPECIAL, INDIRECT, INCIDENTAL, CONSEQUENTIAL OR PUNITIVE DAMAGES (INCLUDING LOSS OF USE, DATA, OR PROFITS, BUSINESS INTERRUPTION, OR COSTS OF PROCURING SUBSTITUTE SOFTWARE) ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT OR THE USE OR PERFORMANCE OF THE SOFTWARE, WHETHER SUCH LIABILITY ARISES FROM CONTRACT, WARRANTY, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY OR OTHERWISE, AND WHETHER OR NOT SPLUNK HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE. THE PARTIES HAVE AGREED THAT THESE LIMITATIONS WILL SURVIVE AND APPLY EVEN IF ANY REMEDY IS FOUND TO HAVE FAILED OF ITS ESSENTIAL PURPOSE. WITHOUT LIMITING THE FOREGOING, SPLUNK WILL HAVE NO LIABILITY OR RESPONSIBILITY FOR ANY BUSINESS INTERRUPTION OR LOSS OF DATA ARISING FROM THE AUTOMATIC TERMINATION OF THE LICENSE RIGHTS GRANTED HEREIN AND ANY ASSOCIATED CESSATION OF THE SOFTWARE FUNCTIONS. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATION OR EXCLUSION OF CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.\par
\par
PURCHASED SOFTWARE INDEMNITY. Splunk will defend, indemnify and hold you harmless from and against any loss, damage, liability or cost (including reasonable attorneys' fees) resulting from any third party claim that the Purchased Software infringes or violates any third party's patent, copyright or trademark rights; provided that you promptly notify Splunk in writing of any and all such claims. In the event of any loss, damage, liability or cost for which Splunk is obligated to indemnify you hereunder, Splunk shall have sole control of the defense and all related settlement negotiations, and you shall reasonably cooperate with Splunk in the defense and/or settlement thereof at Splunk's expense; provided that you may participate in such defense using your own counsel, at your own expense.\par
\par
TERMINATION. You may terminate this Agreement at any time by destroying or returning to Splunk all copies of the Software, including any documentation, in your possession and control, and providing to Splunk a written statement signed by an authorized representative of your company notifying Splunk that you are terminating the Agreement and certifying such destruction or return. Upon thirty days notice, Splunk may terminate this Agreement (and your license rights) upon notice in the event that you breach any provision of this Agreement and have not cured the breach during such notice period. Upon any expiration or termination of this Agreement, the rights and licenses granted hereunder will automatically terminate, and you agree to immediately cease using the Software and to return or destroy all copies of the Software in your possession or control. In the event of termination of this Agreement, Splunk will have no obligation to refund any License Fees, Support Fees, or other fees received from you during the Term. All provisions of this Agreement related to disclaimers of warranties, limitation of liability, remedies, damages, or Splunk's proprietary rights shall survive termination.\par
\par
SEVERABILITY. All rights and remedies, whether conferred hereunder or by any other instrument or law, will be cumulative and may be exercised singularly or concurrently. Failure by either Splunk or You to enforce any term will not be deemed a waiver of future enforcement of that or any other term. The terms and conditions stated herein are declared to be severable. Should any term(s) or condition(s) of this Agreement be held to be invalid or unenforceable the validity, construction and enforceability of the remaining terms and conditions of this Agreement shall not be affected.\par
\par
EXPORT. You agree to comply fully with all relevant export laws and regulations of the United States ("Export Laws") to ensure that the Software is not (i) exported or re-exported directly or indirectly in violation of Export Laws; or (ii) intended to be used for any purposes prohibited by the Export Laws, including but not limited to nuclear, chemical, or biological weapons proliferation.\par
\par
GOVERNMENT RESTRICTED RIGHTS. The Software shall be classified as "commercial computer software" as defined in the applicable provisions of the Federal Acquisition Regulation (the "FAR") and supplements thereto, including the Department of Defense (DoD) FAR Supplement (the "DFARS"). The parties acknowledge that the Software was developed entirely at private expense and that no part of the Software was first produced in the performance of a Government contract. If the Software is supplied for use by DoD, the Software is delivered subject to the terms of this Agreement and in accordance with DFARS 227.7202-1(a) and 227.7202-3(a) (1995), with restricted rights in accordance with DFARS 252.227-7013(c)(1)(ii) (OCT 1988), as applicable. If the Software is supplied for use by a Federal agency other than DoD, the Software is restricted computer software delivered subject to the terms of this Agreement and FAR 12.212(a) (1995); (ii) FAR 52.227-19; or FAR 52.227-14(ALT III), as applicable.\par
\par
PUBLICITY. You agree that Splunk may identify you as a Splunk customer on Splunk websites, client lists, press releases, and/or other marketing. You also agree that Splunk may publish a brief description highlighting your deployment of the Software.\par
\par
GENERAL. This Agreement shall be governed by and construed in accordance with the laws of the State of California, as if performed wholly within the state and without giving effect to the principles of conflict of law. Any legal action or proceeding arising under this Agreement will be brought exclusively in the federal or state courts located in the Northern District of California and the parties hereby consent to personal jurisdiction and venue therein. If any portion hereof is found to be void or unenforceable, the remaining provisions of this Agreement shall remain in full force and effect. Neither party may assign this Agreement, in whole or in part, except in connection with an internal reorganization or a sale of the business with which this Agreement is associated without Splunk's prior written consent, and any attempt to assign this Agreement other than as permitted above will be null and void. This Agreement is intended for the sole and exclusive benefit of the parties and is not intended to benefit any third party. Only the parties to this Agreement may enforce it. This Agreement and any Order Confirmations constitute the complete and exclusive understanding and agreement between the parties regarding their subject matter and supersede all prior or contemporaneous agreements or understandings, written or oral, relating to their subject matter. Any waiver, modification or amendment of any provision of this Agreement will be effective only if in writing and signed by duly authorized representatives of both parties.\par
}

@ -0,0 +1,52 @@
SPLUNK SOFTWARE LICENSE AGREEMENT
THIS SPLUNK SOFTWARE LICENSE AGREEMENT (THE "AGREEMENT") GOVERNS ALL SOFTWARE PROVIDED BY SPLUNK INC. ("SPLUNK") INCLUDING FREE SPLUNK SOFTWARE ("FREE SOFTWARE") AND SOFTWARE PURCHASED THROUGH SPLUNK'S ONLINE STORE OR OTHER CHANNELS ("PURCHASED SOFTWARE"), COLLECTIVELY THE SPLUNK SOFTWARE ("SOFTWARE") AND ANY AND ALL UPDATES, UPGRADES, AND MODIFICATIONS THERETO. CONFIRMATION OF YOUR ORDERS ("ORDER CONFIRMATION") WILL BE DEEMED INCORPORATED INTO AND MADE PART OF THIS AGREEMENT.
YOU WILL BE REQUIRED TO INDICATE YOUR AGREEMENT TO THESE TERMS AND CONDITIONS IN ORDER TO DOWNLOAD THE SOFTWARE AND REGISTER WITH SPLUNK IN ORDER TO OBTAIN LICENSE KEYS NECESSARY TO COMPLETE THE INSTALLATION PROCESS FOR PURCHASED SOFTWARE. BY CLICKING ON THE "YES" BUTTON, DOWNLOADING OR INSTALLING THE SOFTWARE, OR USING ANY MEDIA THAT CONTAINS THE SOFTWARE, YOU ARE CONSENTING TO BE BOUND BY THIS AGREEMENT.
IF YOU AGREE TO THESE TERMS ON BEHALF OF A BUSINESS, YOU REPRESENT AND WARRANT THAT YOU HAVE AUTHORITY TO BIND THAT BUSINESS TO THIS AGREEMENT, AND YOUR AGREEMENT TO THESE TERMS WILL BE TREATED AS THE AGREEMENT OF THE BUSINESS. IN THAT EVENT, "YOU" AND "YOUR" REFER HEREIN TO THAT BUSINESS.
"Splunk Developer API" means the documentation and functionality enabling the creation of extensions to the Software. "Example Modules" means the source code and binary form of examples that use the Splunk Developer API.
PURCHASED SOFTWARE TERM. Unless earlier terminated, this Agreement will be in effect perpetually for any Purchased Software. "Term" means the period in which the Agreement is in effect.
PURCHASED SOFTWARE FREE TRIAL. Notwithstanding the foregoing, if the applicable Order Confirmation is limited to a free trial license, then the Term will be limited to the free trial period specified in the Order Confirmation, this Agreement and any license rights granted hereunder will automatically terminate at the end of the free trial period, and there will be no Renewal Term. Any license keys provided for a free trial will automatically expire and may cause the Software to become non-operational at the end of the free trial period. Provisions in this Agreement regarding License Fees, Maintenance and Support, and Warranty will not apply to free trials.
PURCHASED SOFTWARE LICENSE. Subject to your compliance with the terms and conditions of this Agreement, including your payment of the license fees set forth in each Order Confirmation (the "License Fees"), Splunk grants you a nonexclusive, nontransferable, revocable, limited license during the Term to use the Software for which you have paid the applicable License Fees as set forth in your Order Confirmation(s), only for your internal business purposes (which shall include use by consultants, accountants, auditors and attorneys hired to perform services for you) and only subject to the following conditions: you may use each Splunk Server with an Enterprise license to index no more than the peak daily volume of uncompressed data for which you have paid the applicable License Fees as set forth in your Order Confirmation (the "Maximum Peak Daily Volume"). The Software will be configured to display warnings and/or cease indexing data when the Maximum Peak Daily Volume is reached.
FREE SOFTWARE LICENSE. Subject to the terms and conditions of this Agreement, Splunk grants to You a non-exclusive, worldwide, fully-paid up copyright license to use the Free Splunk Software in binary form only and only subject to the following conditions: (i) to index no more than 500MB of peak daily volume of uncompressed data (the 'Maximum Peak Daily Volume') and only for your internal business purposes (which shall include use by consultants, accountants, auditors and attorneys hired to perform services for you). The Software will be configured to display warnings, reduce available functionality, and/or cease indexing data when the Maximum Peak Daily Volume is reached.
EXTENSION LICENSE. Splunk further grants to You a non-exclusive, worldwide, fully-paid up copyright license to use the Splunk Developer API and Example Modules included with the Software solely for the purpose of developing extensions to access the Splunk API or Example Modules for Your use in conjunction with the Software (collectively, "Your Extensions"). You agree to assume full responsibility for the performance of Your Extensions, and shall indemnify, hold harmless, and defend Splunk (including all of its officers, employees, directors, subsidiaries, representatives, affiliates and agents) and Splunk's suppliers from and against any claims or lawsuits, including attorney's fees and expenses, that arise or result from Your Extensions pursuant to this Agreement. You retain title to and copyright for Your Extensions, subject to Splunk's title to and copyright for the Software, the Splunk Developer API, and the Example Modules as specified in Ownership and Copyrights, below. This Agreement does not grant you any distribution rights. If you want to distribute or provide to any third parties Your Extensions, you must first register as a Splunk application developer and agree to the Splunk Developer Agreement at http://www.splunk.com/goto/devagreement. You will not remove or change any Splunk copyright notices or branding included in the Splunk Software or required by Splunk's Identity Guidelines as set forth at http://www.splunk.com/goto/splunkpowered, Splunk Developer APIs, or Example Modules, and will include such notices and branding in each copy of Your Extensions, the Splunk Software, the Splunk Developer APIs, and the Examples Modules that you make or distribute.
PURCHASED SOFTWARE RESTRICTIONS. You agree not to (i) use the Software except as expressly authorized in this Agreement and your Order Confirmation; (ii) copy the Software (except as required to run the Software and for reasonable backup purposes); (iii) modify, adapt, or create derivative works of the Software; (iv) rent, lease, loan, resell, transfer, sublicense (including but not limited to offering any of the functionality of the Software on a service provider, hosted or time sharing basis) or distribute the Software to any third party; (v) decompile, disassemble or reverse-engineer the Software or otherwise attempt to derive the Software source code; (vi) disclose to any third party the results of any benchmark tests or other evaluation of the Software, or (vii) authorize any third parties to do any of the above.
FREE SOFTWARE RESTRICTIONS. You shall not (i) decompile, disassemble or reverse engineer the Free Software without the express written authorization of Splunk; (ii) modify, adapt, or create derivative works of the Free Software; (iii) rent, lease, loan, or resell the Free Software, the Splunk Developer API, Example Modules, or Your Extensions (including but not limited to offering the functionality of the Free Software on an applications service provider or time sharing basis), except as expressly permitted in the Splunkbase Application Developer Agreement; (iv) decompile, disassemble or reverse-engineer the Software or otherwise attempt to derive the Software source code; (v) disclose to any third party the results of any benchmark tests or other evaluation of the Software, or (vi) authorize any third parties to do any of the above.
OWNERSHIP. Splunk and/or its licensors own all worldwide right, title and interest in and to the Software, including all worldwide intellectual property rights therein. You will not delete or in any manner alter the copyright, trademark, and other proprietary rights notices appearing in or on the Software as provided. All right, title, and interest in and to all copies the Splunk Developer API, and the Example Modules remains with Splunk and/or its licensors. The Software, Splunk Developer API, and Example Modules are copyrighted and protected by the laws of the United States and other countries, and international treaty provisions. You may not remove any copyright notices from the Software, the Splunk Developer API, or the Example Modules.
PURCHASED SOFTWARE LICENSE AND FEES. In order to access and use the Software, you are required to pay to Splunk the License Fees in accordance with your Order Confirmation. The License Fees will be due and payable in accordance with the terms set forth in your Order Confirmation. Any failure to pay the License Fees in accordance with an Order Confirmation will result in automatic revocation and termination of this Agreement and all rights and licenses granted hereunder. All License Fees are non-refundable once paid.
MAINTENANCE AND SUPPORT. Subject to your payment of the applicable annual maintenance and support fees set forth in your Order Confirmation (the "Support Fees"), Splunk will provide the level of support for the Purchased Software identified in your Order Confirmation in accordance with the support descriptions set forth on Splunk's website at www.splunk.com. Splunk is not obligated to support, update or upgrade the Free Software.
PURCHASED SOFTWARE VERIFICATION AND AUDIT. At Splunk's written request, you will furnish Splunk with a certification signed by an officer of your company verifying that the Software is being used in accordance with the terms and conditions of this Agreement and the applicable Order Confirmations. Upon at least ten (10) days prior written notice, Splunk may audit your use of the Software to ensure that you are in compliance with the terms of this Agreement and the applicable Orders. Any such audit will be conducted during regular business hours at your facilities, will not unreasonably interfere with your business activities and will be in compliance with your reasonable security procedures. You will provide Splunk with access to the relevant records and facilities. If an audit reveals that you have exceeded the daily peak volume during the period audited, then Splunk will invoice you, and you will promptly pay Splunk any underpaid fees based on Splunk's price list in effect at the time the audit is completed. If the daily peak volume usage exceeds ten percent (10%) of the licensed usage, then you will also pay Splunk's reasonable costs of conducting the audit.
PURCHASED SOFTWARE WARRANTY. Splunk warrants that for a period of thirty (30) days after your registration of the Software with Splunk, the Software will substantially achieve any material function described in documentation for the Software published by Splunk. As Splunk's sole liability and your sole remedy for any failure of the Software to conform to this warranty, Splunk will repair or replace (at Splunk's option) your copy of the Software.
WARRANTY DISCLAIMER. EXCEPT AS SET FORTH ABOVE, SPLUNK DISCLAIMS ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, QUIET ENJOYMENT AND WARRANTIES ARISING OUT OF COURSE OF DEALING OR USAGE OF TRADE. Splunk does not warrant (i) that the Software, developer's API'S or example modules will meet your requirements, (ii) that the Software will operate in the combinations that you may select, (iii) that the Software will serve the purposes intended by you, or (iv) that the operation of the Software will be error free or uninterrupted or that any Software errors will be corrected.
LIMITATION OF LIABILITY. SPLUNK'S TOTAL CUMULATIVE LIABILITY TO YOU, FROM ALL CAUSES OF ACTION AND ALL THEORIES OF LIABILITY, WILL BE LIMITED TO AND WILL NOT EXCEED THE AMOUNTS PAID BY YOU TO SPLUNK IN THE TWELVE MONTHS PRIOR TO THE EVENT GIVING RISE TO SUCH LIABILITY. IN NO EVENT WILL SPLUNK BE LIABLE TO YOU FOR ANY SPECIAL, INDIRECT, INCIDENTAL, CONSEQUENTIAL OR PUNITIVE DAMAGES (INCLUDING LOSS OF USE, DATA, OR PROFITS, BUSINESS INTERRUPTION, OR COSTS OF PROCURING SUBSTITUTE SOFTWARE) ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT OR THE USE OR PERFORMANCE OF THE SOFTWARE, WHETHER SUCH LIABILITY ARISES FROM CONTRACT, WARRANTY, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY OR OTHERWISE, AND WHETHER OR NOT SPLUNK HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE. THE PARTIES HAVE AGREED THAT THESE LIMITATIONS WILL SURVIVE AND APPLY EVEN IF ANY REMEDY IS FOUND TO HAVE FAILED OF ITS ESSENTIAL PURPOSE. WITHOUT LIMITING THE FOREGOING, SPLUNK WILL HAVE NO LIABILITY OR RESPONSIBILITY FOR ANY BUSINESS INTERRUPTION OR LOSS OF DATA ARISING FROM THE AUTOMATIC TERMINATION OF THE LICENSE RIGHTS GRANTED HEREIN AND ANY ASSOCIATED CESSATION OF THE SOFTWARE FUNCTIONS. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATION OR EXCLUSION OF CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.
PURCHASED SOFTWARE INDEMNITY. Splunk will defend, indemnify and hold you harmless from and against any loss, damage, liability or cost (including reasonable attorneys' fees) resulting from any third party claim that the Purchased Software infringes or violates any third party's patent, copyright or trademark rights; provided that you promptly notify Splunk in writing of any and all such claims. In the event of any loss, damage, liability or cost for which Splunk is obligated to indemnify you hereunder, Splunk shall have sole control of the defense and all related settlement negotiations, and you shall reasonably cooperate with Splunk in the defense and/or settlement thereof at Splunk's expense; provided that you may participate in such defense using your own counsel, at your own expense.
TERMINATION. You may terminate this Agreement at any time by destroying or returning to Splunk all copies of the Software, including any documentation, in your possession and control, and providing to Splunk a written statement signed by an authorized representative of your company notifying Splunk that you are terminating the Agreement and certifying such destruction or return. Upon thirty days notice, Splunk may terminate this Agreement (and your license rights) upon notice in the event that you breach any provision of this Agreement and have not cured the breach during such notice period. Upon any expiration or termination of this Agreement, the rights and licenses granted hereunder will automatically terminate, and you agree to immediately cease using the Software and to return or destroy all copies of the Software in your possession or control. In the event of termination of this Agreement, Splunk will have no obligation to refund any License Fees, Support Fees, or other fees received from you during the Term. All provisions of this Agreement related to disclaimers of warranties, limitation of liability, remedies, damages, or Splunk's proprietary rights shall survive termination.
SEVERABILITY. All rights and remedies, whether conferred hereunder or by any other instrument or law, will be cumulative and may be exercised singularly or concurrently. Failure by either Splunk or You to enforce any term will not be deemed a waiver of future enforcement of that or any other term. The terms and conditions stated herein are declared to be severable. Should any term(s) or condition(s) of this Agreement be held to be invalid or unenforceable the validity, construction and enforceability of the remaining terms and conditions of this Agreement shall not be affected.
EXPORT. You agree to comply fully with all relevant export laws and regulations of the United States ("Export Laws") to ensure that the Software is not (i) exported or re-exported directly or indirectly in violation of Export Laws; or (ii) intended to be used for any purposes prohibited by the Export Laws, including but not limited to nuclear, chemical, or biological weapons proliferation.
GOVERNMENT RESTRICTED RIGHTS. The Software shall be classified as "commercial computer software" as defined in the applicable provisions of the Federal Acquisition Regulation (the "FAR") and supplements thereto, including the Department of Defense (DoD) FAR Supplement (the "DFARS"). The parties acknowledge that the Software was developed entirely at private expense and that no part of the Software was first produced in the performance of a Government contract. If the Software is supplied for use by DoD, the Software is delivered subject to the terms of this Agreement and in accordance with DFARS 227.7202-1(a) and 227.7202-3(a) (1995), with restricted rights in accordance with DFARS 252.227-7013(c)(1)(ii) (OCT 1988), as applicable. If the Software is supplied for use by a Federal agency other than DoD, the Software is restricted computer software delivered subject to the terms of this Agreement and FAR 12.212(a) (1995); (ii) FAR 52.227-19; or FAR 52.227-14(ALT III), as applicable.
PUBLICITY. You agree that Splunk may identify you as a Splunk customer on Splunk websites, client lists, press releases, and/or other marketing. You also agree that Splunk may publish a brief description highlighting your deployment of the Software.
GENERAL. This Agreement shall be governed by and construed in accordance with the laws of the State of California, as if performed wholly within the state and without giving effect to the principles of conflict of law. Any legal action or proceeding arising under this Agreement will be brought exclusively in the federal or state courts located in the Northern District of California and the parties hereby consent to personal jurisdiction and venue therein. If any portion hereof is found to be void or unenforceable, the remaining provisions of this Agreement shall remain in full force and effect. Neither party may assign this Agreement, in whole or in part, except in connection with an internal reorganization or a sale of the business with which this Agreement is associated without Splunk's prior written consent, and any attempt to assign this Agreement other than as permitted above will be null and void. This Agreement is intended for the sole and exclusive benefit of the parties and is not intended to benefit any third party. Only the parties to this Agreement may enforce it. This Agreement and any Order Confirmations constitute the complete and exclusive understanding and agreement between the parties regarding their subject matter and supersede all prior or contemporaneous agreements or understandings, written or oral, relating to their subject matter. Any waiver, modification or amendment of any provision of this Agreement will be effective only if in writing and signed by duly authorized representatives of both parties.

@ -0,0 +1,22 @@
event_id,source,description
104,Microsoft-Windows-Eventlog,Attackers tend to clear logs in order to hide previous activity.
104,Eventlog,Attackers tend to clear logs in order to hide previous activity.
517,Security,Attackers tend to clear logs in order to hide previous activity.
1000,Application Error,Critical application error
1001,Microsoft-Windows-WER-SystemErrorReporting,Blue Screen of Death
1002,Application Hang,Application hang
1076,USER32,An admin provided a reason for an unexpected restart
1102,Eventlog,Attackers tend to clear logs in order to hide previous activity.
2004,Microsoft-Windows-Windows Firewall with Advanced Security,Firewall rule added
2006,Microsoft-Windows-Windows Firewall with Advanced Security,Firewall rule deleted
2033,Microsoft-Windows-Windows Firewall with Advanced Security,Firewall rule deleted
4608,Microsoft Windows security auditing,The computer has been restarted - not an usual event.
4625,Microsoft Windows security auditing,A user failed to logon
4663,Microsoft-Windows-Security-Auditing,An audited object has been accessed.
4719,Microsoft-Windows-Security-Auditing,System audit policy was changed
4728,Microsoft-Windows-Security-Auditing,User Added to Privileged Group
4732,Microsoft-Windows-Security-Auditing,User Added to Privileged Group
4735,Microsoft-Windows-Security-Auditing,Security-Enabled Group Modification
4740,Microsoft-Windows-Security-Auditing,Account lockout
4756,Microsoft-Windows-Security-Auditing,User Added to Privileged Group
7045,Service Control Manager,Installation of new services are not typical events.
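Review bot: the source values in the 4608 and 4625 rows ("Microsoft Windows security auditing") are spelled differently from every other Security-log row in this hunk ("Microsoft-Windows-Security-Auditing"); if the lookup is ever joined on source as well as event_id, those two rows will never match, so normalise them to the same string as the 4663-4756 rows. In the same hunk, 2006 and 2033 carry the identical description "Firewall rule deleted" although they are distinct event IDs, so one of them should be given a description that tells the analyst how it differs, and 104 appears twice (sources "Microsoft-Windows-Eventlog" and "Eventlog"), which is fine if both spellings occur in the indexed data but deserves a comment in the README so the duplicate is not "cleaned up" later. Two wording fixes: "not an usual event" should read "not a usual event", and "Installation of new services are not typical events." should read "Installation of a new service is not a typical event."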

@ -0,0 +1,72 @@
process,Category,Process_Details
arp.exe,Target Discovery,Obtains information about hosts on the local broadcast domain
at.exe,Command Execution,Executes a task at the specified time and it may be used to secretly place an application or script without being recognized by the user in advance and then execute it at the desired time.
bcdedit.exe,Privilege Escalation,Tool for editing the boot configuration and it may be used to escalate privileges
bcp.exe,Data extraction,Bulk copy of data from database. It may be used to exfiltrate data.
chcp.exe,Malware,"Displays the number of the active console code page, or changes the console's active console code page."
cmd.exe,Command Execution,Can be used to execute a large number of commands
cscript.exe,Command Execution,Can be used to execute a large number of scripts
csvde.exe,Acquisition of Account Information,Outputs account information on the Active Directory in the CSV format and it can be used to extract information on an existing account and select users and clients available as attack targets.
dsquery.exe,Acquisition of Account Information,"Obtains information, such as users and groups, from a directory service and it can be used to extract information on an existing account and select users and clients available as attack targets."
Find-GPOPasswords.ps1,Password Hash Acquisition,Acquires any password descriptions in a group policy file and may attempt to infiltrate other hosts using acquired passwords (by executing the tool on Active Directory).
GSECDUMP.EXE,Password Hash Acquisition,Extracts hash from SAM/AD or logon sessions and use it to log on to other hosts using acquired hash information.
icacls.exe,File Sharing,Changes the file access rights and it can be used to change the rights to read a file that cannot be read by the used account. It is also used to capture rights so that the content of a file created by the attacker will not be viewable
ipconfig.exe,Target Discovery,Displays or changes IP stack information
ldifde.exe,Acquisition of Account Information,Outputs account information on the Active Directory in the LDIF format and it can be used to extract information on an existing account and select users and clients available as attack targets.
mailpv.exe,Password Hash Acquisition,Extracts account information saved in the mail client settings on the machine
mimikatz.exe,Password Hash Acquisition,Steals recorded authentication information and it can be used to escalate the privileges to the domain Administrator privileges.
ms14-068.exe,Escalation to SYSTEM Privileges,Changes the privileges of the domain user to those of another user
nbtstat.exe,Target Discovery,Allows a refresh of the NetBIOS name cache and the names registered with Windows Internet Name Service (WINS).
nc.exe,Target Discovery,"Multpurpose tool, can be used for probing ports"
net.exe,Adding or Deleting a Local User/Group,Adds a user account in a client or the domain or creates a network share and it can be used to create accounts or additional sessions in the machine the attacker has infected or to communicate with other hosts.
net1.exe,Adding or Deleting a Local User/Group,Adds a user account in a client or the domain or creates a network share and it can be used to create accounts or additional sessions in the machine the attacker has infected or to communicate with other hosts.
netcat.exe,Target Discovery,"Multpurpose tool, can be used for probing ports"
netsh,Command Execution,"Allows to, either locally or remotely, display or modify the network configuration of a computer that is currently running. "
netstat.exe,Target Discovery,"Displays active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP routing table, IPv4 statistics "
nmap,Target Discovery,Port scanner
nslookup.exe,Target Discovery,Performs a DNS lookup
ntdsutil.exe,Capturing Active Directory Database,"A command to maintain Active Directory databases and it can be used to extract NTDS.DIT, a database for NTDS, and other tools are used to analyze passwords (executed in Active Directory)."
OSQL.exe,Data extraction,"Allows execution of Transact-SQL statements, system procedures, and script files. Can be used to attack a database or exfiltrate information."
powercat.ps1,Malware,Part of PSAttack hacking tools
powershell.exe,Command Execution,Allows remote command execution and it may be used to change settings to enable the Domain Controller and other hosts on the network to perform operations requiring administrator rights
procdump.exe,Command Execution,Utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike
psexec.exe,Command Execution,Executes a process on a remote system and it may be used to remotely execute a command on client and servers in a domain.
psexecsvc.exe,Command Execution,Tool used for remotely executing processes on other systems
psLoggedOn.exe,Target Discovery,Displays both the locally logged on users and users logged on via resources for either the local computer
PwDump7.exe,Password Hash Acquisition,Displays a list of password hashes in the system and it may be used to perform logon authentication on other hosts using the acquired hash information.
PWDumpX.exe,Password Hash Acquisition,Acquires a password hash from a remote host and use it to perform attacks such as pass-the-hash.
qprocess.exe,Privilege Escalation,Query Process Utility - It can be used to start an elevated subprocess
QuarksPwDump.exe,Password Hash Acquisition,Acquires the NTLM hash of a local domain account and cached domain password and it may be used to perform logon authentication on other hosts using the acquired hash information.
query.exe,Target Discovery,Query User Sessions in Windows
rar.exe,Command Execution,"Used by many attackers to deploy tools, exfiltrate information"
rdpv.exe,Password Hash Acquisition,Extracts account information saved in the RDP settings on the machine and use it to log in to other hosts with such passwords.
reg.exe,Command Execution,"Adds, changes, and displays registry subkey information and values in registry entries."
route.exe,Target Discovery,Display or changes routing information
runas.exe,Command Execution,Runs command using a different account
rundll32,Command Execution,Tool responsible for running DLLs and placing its libraries in the memory
sc.exe,Command Execution,Retrieves and sets control information about services.
schtasks.exe,Command Execution,"Enables an administrator to create, delete, query, change, run, and end scheduled tasks on a local or remote computer. Can be used by an attacker in many situations."
sdbinst.exe,Privilege Escalation,SDB UAC Bypass - used to execute an application that is not normally executed by pretending to execute a typical application.
sdelete.exe,Deleting Evidence,Deletes a file after overwriting it several times and it can be used to delete a file created in the course of an attack to make it impossible to be recovered.
sethc.exe,Privilege Escalation,Sticky Keys utility
sqlcmd.exe,Command Execution,Manage SQL server from command line
ssh.exe,Command Execution,Opens a secure shell on a remote host
sysprep.exe,Privilege Escalation,"Prepares an installation of Windows for duplication, auditing, and customer delivery."
systeminfo.exe,Target Discovery,"Command-line utility that displays information about your Windows version, BIOS, processor, memory, network configuration"
tasklist.exe,Target Discovery,Displays running processes
timestomp.exe,Deleting Evidence,Changes the file timestamp and it can be used to conceal the access to the file by restoring the timestamp.
tracert.exe,Target Discovery,Traceroute tool. It can be used to discover information about the network
vssadmin.exe,Capturing Active Directory Database,"Creates Volume Shadow Copy and extracts NTDS.DIT and it can be used to extract NTDS.DIT, a database for NTDS, so that the password can be analysed using other tools."
wce.exe,Password Hash Acquisition,Acquires password hash information in the memory of a logged in host
wceaux.dll,Privilege Escalation,Executes a command with higher privileges using the hash of the acquired password
WebBrowserPassView.exe,Password Hash Acquisition,Extracts user names and passwords saved in the web browser of a machine
wevtutil.exe,Deleting Evidence,Deletes Windows event logs and it can be used to delete the evidence of an attack.
whoami.exe,Target Discovery,Displays information about the current user
winrar.exe,Command Execution,"Used by many attackers to deploy tools, exfiltrate information"
winrs.exe,Command Execution,Executes a command on a remote hosts
WMIC.exe,Command Execution,A tool used for Windows system management and it may be used to acquire information on the remote system or to execute a command with WMI.
wmic.exe,Command Execution,Windows Management Instrumentation Command-line
wmiexec.vbs,Command Execution,A tool used for Windows system management that may execute a script for other hosts.
wscript.exe,Command Execution,Can be used to execute a large number of scripts
wsmprovhost.exe,Privilege Escalation,WinRM Remote Powershell - Can be used to elevate privileges
wusa.exe,Privilege Escalation,Windows Update Standalone Installer - Can be used to elevate privileges
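Review bot: the `process` key column in this hunk has duplicate and inconsistently formed values, which makes lookup results unpredictable. `WMIC.exe` and `wmic.exe` are listed twice with different Process_Details, so which row Splunk returns depends on the lookup definition's `case_sensitive_match` setting; merge them into one row. `netsh`, `nmap` and `rundll32` are listed without the `.exe` suffix that every other built-in carries, so they will not match an event whose process name is `netsh.exe` unless the lookup strips the extension; pick one convention and document whether the match is on the basename or the full path. Category spelling also drifts (`Data extraction` against the Title Case used elsewhere, `Escalation to SYSTEM Privileges` beside `Privilege Escalation`), which will split any dashboard panel that groups by Category. Smaller text fixes: `Multpurpose` (nc.exe, netcat.exe), `Display or changes` (route.exe), `on a remote hosts` (winrs.exe); `Deletes Windows event logs` overstates wevtutil.exe, a general event log utility, and `Malware` as the Category for `chcp.exe`, a standard code-page command, reads as a mislabel.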

@ -0,0 +1,6 @@
xml_type,event_type
0,Audit Success
1,Audit Failure
2,Error
3,Warning
4,Information
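Review bot: this mapping does not say which event field `xml_type` is read from, and the first two rows conflate two different fields. If `xml_type` is the Windows event `Level` value, 0 is LogAlways (the level carried by both successful and failed Security audits), 1 is Critical, 2 Error, 3 Warning, 4 Information and 5 Verbose; whether an audit event succeeded or failed is carried by the Keywords field, not by the level. As written, `0,Audit Success` and `1,Audit Failure` would label every LogAlways audit as a success and every Critical event as an audit failure. Either add a README line naming the source field and its value set, or map 0/1/5 to LogAlways/Critical/Verbose here and derive Audit Success/Failure from Keywords in the search.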
