admingit
/
SH-Deployer
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '9fb61c78af'
${ noResults }
SH-Deployer/apps/eventid/default/data/ui/views/eventid.xml

362 lines
16 KiB
Raw Blame History

<form>
<label>Windows Events Summary</label>
<description>Click on the event to check it on www.eventid.net</description>
<fieldset autoRun="true" submitButton="false">
<input type="time" searchWhenChanged="true" token="interval">
<label>Select time range</label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="checkbox" searchWhenChanged="true" token="Type">
<label>Event types</label>
<default>Error,Warning</default>
<choice value="Error">Error</choice>
<choice value="Warning">Warning</choice>
<choice value="Information">Information</choice>
<prefix>(</prefix>
<suffix>)</suffix>
<valuePrefix>Type="</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter> OR </delimiter>
<fieldForLabel>Type</fieldForLabel>
<fieldForValue>Type</fieldForValue>
</input>
<input type="checkbox" searchWhenChanged="true" token="Audit_Type">
<label>Security Events</label>
<default>Denial,Audit Failure</default>
<choice value="Audit Failure">Audit Failure</choice>
<choice value="Audit Success">Audit Success</choice>
<prefix>(</prefix>
<suffix>)</suffix>
<valuePrefix>"</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter> OR </delimiter>
<fieldForLabel>Audit Type</fieldForLabel>
<fieldForValue>Audit Type</fieldForValue>
<initialValue>Audit Failure</initialValue>
</input>
<input type="multiselect" searchWhenChanged="true" token="Computer">
<label>Computer</label>
<choice value="*">All</choice>
<default>*</default>
<prefix>(</prefix>
<suffix>)</suffix>
<valuePrefix>host="</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter> OR </delimiter>
<search>
<query>`event_sources` | stats count by host</query>
<earliest>$interval.earliest$</earliest>
<latest>$interval.latest$</latest>
</search>
<fieldForLabel>host</fieldForLabel>
<fieldForValue>host</fieldForValue>
</input>
<input type="text" searchWhenChanged="true" token="keyword">
<label>Keyword:</label>
<default>*</default>
</input>
<input type="multiselect" token="sourcetype_token" searchWhenChanged="true">
<label>Excluded event sources</label>
<default>none</default>
<!-- The final value will be surrounded by prefix and suffix -->
<prefix>(</prefix>
<suffix>)</suffix>
<!-- Each value will be surrounded by the valuePrefix and valueSuffix -->
<valuePrefix>SourceName!="</valuePrefix>
<valueSuffix>"</valueSuffix>
<!-- All the values and their valuePrefix and valueSuffix will be concatenated together with the delimiter between them -->
<delimiter> AND </delimiter>
<choice value="none">None</choice>
<search>
<query>`event_sources` $Type$ AND $Computer$ AND $keyword$ | stats count by SourceName</query>
<earliest>$interval.earliest$</earliest>
<latest>$interval.latest$</latest>
</search>
<fieldForLabel>SourceName</fieldForLabel>
<fieldForValue>SourceName</fieldForValue>
</input>
</fieldset>
<row>
<panel>
<title>Errors</title>
<single>
<search>
<query>`event_sources` Type="Error" AND $Computer$ AND $keyword$ | stats count</query>
<earliest>$interval.earliest$</earliest>
<latest>$interval.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="colorBy">value</option>
<option name="colorMode">block</option>
<option name="drilldown">all</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0xd93f3c","0xd93f3c"]</option>
<option name="rangeValues">[0]</option>
<option name="refresh.display">progressbar</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
<option name="trendColorInterpretation">standard</option>
<option name="trendDisplayMode">absolute</option>
<option name="unitPosition">after</option>
<option name="useColors">1</option>
<option name="useThousandSeparators">1</option>
</single>
</panel>
<panel>
<title>Warnings</title>
<single>
<search>
<query>`event_sources` Type="Warning" AND $Computer$ AND $keyword$ | stats count</query>
<earliest>$interval.earliest$</earliest>
<latest>$interval.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="colorBy">value</option>
<option name="colorMode">block</option>
<option name="drilldown">all</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0xf7bc38","0xf7bc38"]</option>
<option name="rangeValues">[0]</option>
<option name="refresh.display">progressbar</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
<option name="trendColorInterpretation">standard</option>
<option name="trendDisplayMode">absolute</option>
<option name="unitPosition">after</option>
<option name="useColors">1</option>
<option name="useThousandSeparators">1</option>
</single>
</panel>
<panel>
<title>Information</title>
<single>
<search>
<query>`event_sources` Type="Information" AND NOT ("Audit Success" OR "Audit Failure") AND $Computer$ AND $keyword$ | stats count</query>
<earliest>$interval.earliest$</earliest>
<latest>$interval.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="colorBy">value</option>
<option name="colorMode">block</option>
<option name="drilldown">all</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0x65a637","0x65a637"]</option>
<option name="rangeValues">[0]</option>
<option name="refresh.display">progressbar</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
<option name="trendColorInterpretation">standard</option>
<option name="trendDisplayMode">absolute</option>
<option name="unitPosition">after</option>
<option name="useColors">1</option>
<option name="useThousandSeparators">1</option>
<drilldown>
<link target="_blank">search?q=`event_sources` Type="Information" | stats count&amp;earliest=$interval.earliest$&amp;latest=$interval.latest$</link>
</drilldown>
</single>
</panel>
<panel>
<title>Audit Failure</title>
<single>
<search>
<query>`event_sources` "Audit Failure" AND $Computer$ AND $keyword$
| stats count</query>
<earliest>$interval.earliest$</earliest>
<latest>$interval.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="colorMode">block</option>
<option name="drilldown">all</option>
<option name="rangeColors">["0xf58f39","0xf58f39"]</option>
<option name="rangeValues">[0]</option>
<option name="refresh.display">progressbar</option>
<option name="useColors">1</option>
<drilldown>
<link target="_blank">/app/eventid/audit_events</link>
</drilldown>
</single>
</panel>
<panel>
<title>Audit Success</title>
<single>
<search>
<query>`event_sources` Keywords="Audit Success" AND $Computer$ AND $keyword$ | stats count</query>
<earliest>$interval.earliest$</earliest>
<latest>$interval.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="colorMode">block</option>
<option name="drilldown">none</option>
<option name="rangeColors">["0x6db7c6","0x6db7c6"]</option>
<option name="rangeValues">[0]</option>
<option name="refresh.display">progressbar</option>
<option name="useColors">1</option>
</single>
</panel>
<panel>
<title>Logon Audit Failure</title>
<single>
<search>
<query>`event_sources` Failure_Reason=* ("Audit Failure") AND $Computer$ AND $keyword$ | eval user=mvindex(Account_Name,1) | stats count</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="colorMode">block</option>
<option name="drilldown">all</option>
<option name="rangeColors">["0xcc0000","0xcc0000"]</option>
<option name="rangeValues">[0]</option>
<option name="refresh.display">progressbar</option>
<option name="useColors">1</option>
<drilldown>
<link target="_blank">/app/eventid/audit_events</link>
</drilldown>
</single>
</panel>
</row>
<row>
<panel>
<title>Accounts with 3 or more failed logons</title>
<chart>
<search>
<query>`event_sources` Failure_Reason=* * ("Audit Failure") AND $Computer$ AND $keyword$ | stats count by user | where count &gt; 2</query>
<earliest>$interval.earliest$</earliest>
<latest>$interval.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">pie</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
<panel>
<title>Top computers generating events</title>
<chart>
<search>
<query>`event_sources` AND $Computer$ AND $keyword$ AND ($Audit_Type$ OR $Type$)
| eval SourceName = coalesce(SourceName,source)
| fillnull
| search $sourcetype_token$
| stats count by host</query>
<earliest>$interval.earliest$</earliest>
<latest>$interval.latest$</latest>
</search>
<option name="charting.chart">pie</option>
<option name="charting.legend.placement">none</option>
<option name="refresh.display">progressbar</option>
<drilldown>
<link target="_blank">/app/eventid/eventid?form.Computer=$row.host$</link>
</drilldown>
</chart>
</panel>
</row>
<row>
<panel>
<title>Windows events over time</title>
<chart>
<search>
<query>`event_sources` AND $Computer$ AND $keyword$ AND ($Audit_Type$ OR $Type$)
| timechart count</query>
<earliest>$interval.earliest$</earliest>
<latest>$interval.latest$</latest>
</search>
<option name="charting.axisLabelsY.majorUnit">1</option>
<option name="charting.axisTitleX.text">Time</option>
<option name="charting.axisTitleY.text">Events</option>
<option name="charting.axisY2.enabled">1</option>
<option name="charting.chart">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.overlayFields">"Audit Failure"</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.placement">none</option>
<option name="refresh.display">progressbar</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>Events Summary - Links to www.eventid.net</title>
<table id="link2">
<search>
<query>`event_sources` AND $Computer$ AND $keyword$ AND ($Audit_Type$ OR $Type$)
| eval SourceName = coalesce(SourceName,Provider)
| eval Type = coalesce(Type,Keyword)
| fillnull value="-"
| stats earliest(_time) as First latest(_time) as Last count by host, EventCode, SourceName, Type
| sort -count host, EventCode, SourceName, Type
| rename EventCode as "EventId"
| fieldformat First=strftime(First,"%x %X")
| fieldformat Last=strftime(Last,"%x %X")</query>
<earliest>$interval.earliest$</earliest>
<latest>$interval.latest$</latest>
</search>
<option name="count">10</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="wrap">true</option>
<drilldown>
<link target="_blank">https://www.eventid.net/display.asp?eventid=$row.EventId$&amp;source=$row.SourceName$&amp;app=SplunkEvId</link>
</drilldown>
</table>
</panel>
</row>
<row>
<panel>
<title>Events List</title>
<table id="link">
<search>
<query>`event_sources` AND $Computer$ AND $keyword$ AND ($Audit_Type$ OR $Type$)
| eval SourceName = coalesce(SourceName,Provider)
| eval Type = coalesce(Type,Keyword)
| fillnull
| table _time, host, EventCode, SourceName, Type, Message
| rename EventCode as "EventId"</query>
<earliest>$interval.earliest$</earliest>
<latest>$interval.latest$</latest>
</search>
<option name="count">10</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</form>
Reference in new issue View Git Blame Copy Permalink