You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
225 lines
9.5 KiB
225 lines
9.5 KiB
<form>
|
|
<label>Users and Groups</label>
|
|
<description>Users and Groups Activities</description>
|
|
<fieldset submitButton="false">
|
|
<input type="time" token="interval">
|
|
<label>Time interval</label>
|
|
<default>
|
|
<earliest>-24h@h</earliest>
|
|
<latest>now</latest>
|
|
</default>
|
|
</input>
|
|
<input type="text" token="keyword" searchWhenChanged="true">
|
|
<label>Filter</label>
|
|
<default>*</default>
|
|
<initialValue>*</initialValue>
|
|
</input>
|
|
</fieldset>
|
|
<row>
|
|
<panel>
|
|
<title>Users Created</title>
|
|
<chart>
|
|
<search>
|
|
<query>`event_sources` eventtype=windows_account_created $keyword$
|
|
| timechart count</query>
|
|
<earliest>$interval.earliest$</earliest>
|
|
<latest>$interval.latest$</latest>
|
|
<sampleRatio>1</sampleRatio>
|
|
</search>
|
|
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
|
|
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
|
|
<option name="charting.axisTitleX.visibility">visible</option>
|
|
<option name="charting.axisTitleY.visibility">visible</option>
|
|
<option name="charting.axisTitleY2.visibility">visible</option>
|
|
<option name="charting.axisX.abbreviation">none</option>
|
|
<option name="charting.axisX.scale">linear</option>
|
|
<option name="charting.axisY.abbreviation">none</option>
|
|
<option name="charting.axisY.scale">linear</option>
|
|
<option name="charting.axisY2.abbreviation">none</option>
|
|
<option name="charting.axisY2.enabled">0</option>
|
|
<option name="charting.axisY2.scale">inherit</option>
|
|
<option name="charting.chart">column</option>
|
|
<option name="charting.chart.bubbleMaximumSize">50</option>
|
|
<option name="charting.chart.bubbleMinimumSize">10</option>
|
|
<option name="charting.chart.bubbleSizeBy">area</option>
|
|
<option name="charting.chart.nullValueMode">gaps</option>
|
|
<option name="charting.chart.showDataLabels">all</option>
|
|
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
|
|
<option name="charting.chart.stackMode">default</option>
|
|
<option name="charting.chart.style">shiny</option>
|
|
<option name="charting.drilldown">all</option>
|
|
<option name="charting.layout.splitSeries">0</option>
|
|
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
|
|
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
|
|
<option name="charting.legend.mode">standard</option>
|
|
<option name="charting.legend.placement">bottom</option>
|
|
<option name="charting.lineWidth">2</option>
|
|
<option name="refresh.display">progressbar</option>
|
|
<option name="trellis.enabled">0</option>
|
|
<option name="trellis.scales.shared">1</option>
|
|
<option name="trellis.size">medium</option>
|
|
</chart>
|
|
</panel>
|
|
<panel>
|
|
<title>Attempts to login with disabled accounts</title>
|
|
<table>
|
|
<search>
|
|
<query>`event_sources` name="*currently disabled*" $keyword$
|
|
| eval domain=mvindex(Account_Domain,1)
|
|
| eval source_computer = coalesce(Workstation_Name,src_ip)
|
|
| eval domain = coalesce(domain,src_nt_domain)
|
|
| table _time,host,domain,user,source_computer</query>
|
|
<earliest>$interval.earliest$</earliest>
|
|
<latest>$interval.latest$</latest>
|
|
<sampleRatio>1</sampleRatio>
|
|
</search>
|
|
<option name="count">20</option>
|
|
<option name="dataOverlayMode">none</option>
|
|
<option name="drilldown">cell</option>
|
|
<option name="percentagesRow">false</option>
|
|
<option name="refresh.display">progressbar</option>
|
|
<option name="rowNumbers">false</option>
|
|
<option name="totalsRow">false</option>
|
|
<option name="wrap">true</option>
|
|
</table>
|
|
</panel>
|
|
</row>
|
|
<row>
|
|
<panel>
|
|
<title>Users Added to Domain Admins or Enterprise Admins</title>
|
|
<table>
|
|
<search>
|
|
<query>`event_sources` name="A member was added to a security-enabled *" AND ("Enterprise Admins" OR "Domain Admins") $keyword$
|
|
| rename dest_nt_domain as domain, EventCode as "event id", Display_Name as "user name",host as server
|
|
| dedup _time,user
|
|
| eval added_by=mvindex(Security_ID,0)
|
|
| eval user=mvindex(Security_ID,1)
|
|
| table _time, server,domain, user,added_by</query>
|
|
<earliest>$interval.earliest$</earliest>
|
|
<latest>$interval.latest$</latest>
|
|
<sampleRatio>1</sampleRatio>
|
|
</search>
|
|
<option name="count">20</option>
|
|
<option name="dataOverlayMode">none</option>
|
|
<option name="drilldown">cell</option>
|
|
<option name="percentagesRow">false</option>
|
|
<option name="refresh.display">progressbar</option>
|
|
<option name="rowNumbers">false</option>
|
|
<option name="totalsRow">false</option>
|
|
<option name="wrap">true</option>
|
|
</table>
|
|
</panel>
|
|
<panel>
|
|
<title>Users Added to local Administrators</title>
|
|
<table>
|
|
<search>
|
|
<query>`event_sources` name="A member was added to a security-enabled local group" AND user_group="Administrators" $keyword$
|
|
| rename dest_nt_domain as domain, EventCode as "event id", Display_Name as "user name",host as server
|
|
| eval added_by=mvindex(Security_ID,0)
|
|
| eval user=mvindex(Security_ID,1)
|
|
| table _time, server,domain, user,added_by</query>
|
|
<earliest>$interval.earliest$</earliest>
|
|
<latest>$interval.latest$</latest>
|
|
<sampleRatio>1</sampleRatio>
|
|
</search>
|
|
<option name="count">20</option>
|
|
<option name="dataOverlayMode">none</option>
|
|
<option name="drilldown">cell</option>
|
|
<option name="percentagesRow">false</option>
|
|
<option name="refresh.display">progressbar</option>
|
|
<option name="rowNumbers">false</option>
|
|
<option name="totalsRow">false</option>
|
|
<option name="wrap">true</option>
|
|
</table>
|
|
</panel>
|
|
</row>
|
|
<row>
|
|
<panel>
|
|
<title>Users Created</title>
|
|
<table>
|
|
<search>
|
|
<query>`event_sources` eventtype=windows_account_created
|
|
| rename dest_nt_domain as domain, EventCode as "event id", Display_Name as "user name",host as server
|
|
| dedup _time,user
|
|
| eval created_by=mvindex(Account_Name,0)
|
|
| table _time, server,domain, user,"user name", created_by
|
|
| sort _time</query>
|
|
<earliest>$interval.earliest$</earliest>
|
|
<latest>$interval.latest$</latest>
|
|
<sampleRatio>1</sampleRatio>
|
|
</search>
|
|
<option name="count">20</option>
|
|
<option name="dataOverlayMode">none</option>
|
|
<option name="drilldown">cell</option>
|
|
<option name="percentagesRow">false</option>
|
|
<option name="refresh.display">progressbar</option>
|
|
<option name="rowNumbers">false</option>
|
|
<option name="totalsRow">false</option>
|
|
<option name="wrap">true</option>
|
|
</table>
|
|
</panel>
|
|
<panel>
|
|
<title>Users Deleted</title>
|
|
<table>
|
|
<search>
|
|
<query>`event_sources` AND eventtype=windows_account_deleted $keyword$
|
|
| eval deleted_by=mvindex(Account_Name,0)
|
|
| table _time, host, user,deleted_by
|
|
| sort _time</query>
|
|
<earliest>$interval.earliest$</earliest>
|
|
<latest>$interval.latest$</latest>
|
|
<sampleRatio>1</sampleRatio>
|
|
</search>
|
|
<option name="drilldown">cell</option>
|
|
<option name="refresh.display">progressbar</option>
|
|
</table>
|
|
</panel>
|
|
</row>
|
|
<row>
|
|
<panel>
|
|
<title>Groups Created</title>
|
|
<table>
|
|
<search>
|
|
<query>`event_sources` name="A security-enabled global group was created"
|
|
| dedup _time,Group_Name
|
|
| rename dest_nt_domain as domain, EventCode as "event id", user as "created_by",host as server
|
|
| table _time, server,domain,Group_Name, created_by
|
|
| sort _time</query>
|
|
<earliest>$interval.earliest$</earliest>
|
|
<latest>$interval.latest$</latest>
|
|
<sampleRatio>1</sampleRatio>
|
|
</search>
|
|
<option name="count">20</option>
|
|
<option name="dataOverlayMode">none</option>
|
|
<option name="drilldown">cell</option>
|
|
<option name="percentagesRow">false</option>
|
|
<option name="refresh.display">progressbar</option>
|
|
<option name="rowNumbers">false</option>
|
|
<option name="totalsRow">false</option>
|
|
<option name="wrap">true</option>
|
|
</table>
|
|
</panel>
|
|
<panel>
|
|
<title>Groups Deleted</title>
|
|
<table>
|
|
<search>
|
|
<query>`event_sources` name="A security-enabled global group was deleted" $keyword$
|
|
| rename dest_nt_domain as domain, EventCode as "event id", user as "Deleted by",host as server
|
|
| table _time, server,domain,Group_Name, "Deleted by"
|
|
| sort _time</query>
|
|
<earliest>$interval.earliest$</earliest>
|
|
<latest>$interval.latest$</latest>
|
|
<sampleRatio>1</sampleRatio>
|
|
</search>
|
|
<option name="count">20</option>
|
|
<option name="dataOverlayMode">none</option>
|
|
<option name="drilldown">cell</option>
|
|
<option name="percentagesRow">false</option>
|
|
<option name="refresh.display">progressbar</option>
|
|
<option name="rowNumbers">false</option>
|
|
<option name="totalsRow">false</option>
|
|
<option name="wrap">true</option>
|
|
</table>
|
|
</panel>
|
|
</row>
|
|
</form> |