diff --git a/apps/audit_trail/appserver/static/img/ellipse.svg b/apps/audit_trail/appserver/static/img/ellipse.svg
new file mode 100755
index 00000000..19bc4cb2
--- /dev/null
+++ b/apps/audit_trail/appserver/static/img/ellipse.svg
@@ -0,0 +1,3 @@
+
+
+
diff --git a/apps/audit_trail/appserver/static/img/feedback_icon.svg b/apps/audit_trail/appserver/static/img/feedback_icon.svg
new file mode 100755
index 00000000..fb3f8439
--- /dev/null
+++ b/apps/audit_trail/appserver/static/img/feedback_icon.svg
@@ -0,0 +1,4 @@
+
+
+
+
diff --git a/apps/audit_trail/appserver/static/img/goto_icon.svg b/apps/audit_trail/appserver/static/img/goto_icon.svg
new file mode 100755
index 00000000..c29a490a
--- /dev/null
+++ b/apps/audit_trail/appserver/static/img/goto_icon.svg
@@ -0,0 +1,4 @@
+
+
+
+
diff --git a/apps/audit_trail/appserver/static/img/header_img.png b/apps/audit_trail/appserver/static/img/header_img.png
new file mode 100755
index 00000000..13aee18f
Binary files /dev/null and b/apps/audit_trail/appserver/static/img/header_img.png differ
diff --git a/apps/audit_trail/appserver/static/img/icon.svg b/apps/audit_trail/appserver/static/img/icon.svg
new file mode 100755
index 00000000..c0dae463
--- /dev/null
+++ b/apps/audit_trail/appserver/static/img/icon.svg
@@ -0,0 +1,5 @@
+
+
+
+
+
diff --git a/apps/audit_trail/appserver/static/img/isMenuIcon.svg b/apps/audit_trail/appserver/static/img/isMenuIcon.svg
new file mode 100755
index 00000000..05c78143
--- /dev/null
+++ b/apps/audit_trail/appserver/static/img/isMenuIcon.svg
@@ -0,0 +1,3 @@
+
+
+
diff --git a/apps/audit_trail/appserver/static/img/link_icon.svg b/apps/audit_trail/appserver/static/img/link_icon.svg
new file mode 100755
index 00000000..fb3f8439
--- /dev/null
+++ b/apps/audit_trail/appserver/static/img/link_icon.svg
@@ -0,0 +1,4 @@
+
+
+
+
diff --git a/apps/audit_trail/appserver/static/img/nav-actions.png b/apps/audit_trail/appserver/static/img/nav-actions.png
new file mode 100755
index 00000000..62c526e2
Binary files /dev/null and b/apps/audit_trail/appserver/static/img/nav-actions.png differ
diff --git a/apps/audit_trail/appserver/static/img/nav-context.png b/apps/audit_trail/appserver/static/img/nav-context.png
new file mode 100755
index 00000000..bfb33abf
Binary files /dev/null and b/apps/audit_trail/appserver/static/img/nav-context.png differ
diff --git a/apps/audit_trail/appserver/static/img/nav-spl.png b/apps/audit_trail/appserver/static/img/nav-spl.png
new file mode 100755
index 00000000..6588efff
Binary files /dev/null and b/apps/audit_trail/appserver/static/img/nav-spl.png differ
diff --git a/apps/audit_trail/appserver/static/img/nav-time.png b/apps/audit_trail/appserver/static/img/nav-time.png
new file mode 100755
index 00000000..94792f16
Binary files /dev/null and b/apps/audit_trail/appserver/static/img/nav-time.png differ
diff --git a/apps/audit_trail/appserver/static/img/objects_dashboard.png b/apps/audit_trail/appserver/static/img/objects_dashboard.png
new file mode 100755
index 00000000..985aacec
Binary files /dev/null and b/apps/audit_trail/appserver/static/img/objects_dashboard.png differ
diff --git a/apps/audit_trail/appserver/static/img/open.png b/apps/audit_trail/appserver/static/img/open.png
new file mode 100755
index 00000000..4a2d1c02
Binary files /dev/null and b/apps/audit_trail/appserver/static/img/open.png differ
diff --git a/apps/audit_trail/appserver/static/img/open.svg b/apps/audit_trail/appserver/static/img/open.svg
new file mode 100755
index 00000000..6d11ef7f
--- /dev/null
+++ b/apps/audit_trail/appserver/static/img/open.svg
@@ -0,0 +1,4 @@
+
+
+
+
diff --git a/apps/audit_trail/appserver/static/img/tours/activities_per_user_audit/actions_section.png b/apps/audit_trail/appserver/static/img/tours/activities_per_user_audit/actions_section.png
new file mode 100755
index 00000000..d065967a
Binary files /dev/null and b/apps/audit_trail/appserver/static/img/tours/activities_per_user_audit/actions_section.png differ
diff --git a/apps/audit_trail/appserver/static/img/tours/activities_per_user_audit/activities_table_section.png b/apps/audit_trail/appserver/static/img/tours/activities_per_user_audit/activities_table_section.png
new file mode 100755
index 00000000..da39a538
Binary files /dev/null and b/apps/audit_trail/appserver/static/img/tours/activities_per_user_audit/activities_table_section.png differ
diff --git a/apps/audit_trail/appserver/static/img/tours/activities_per_user_audit/activities_table_tour_section.png b/apps/audit_trail/appserver/static/img/tours/activities_per_user_audit/activities_table_tour_section.png
new file mode 100755
index 00000000..f114bf73
Binary files /dev/null and b/apps/audit_trail/appserver/static/img/tours/activities_per_user_audit/activities_table_tour_section.png differ
diff --git a/apps/audit_trail/appserver/static/img/tours/activities_per_user_audit/apps_section.png b/apps/audit_trail/appserver/static/img/tours/activities_per_user_audit/apps_section.png
new file mode 100755
index 00000000..0305a138
Binary files /dev/null and b/apps/audit_trail/appserver/static/img/tours/activities_per_user_audit/apps_section.png differ
diff --git a/apps/audit_trail/appserver/static/img/tours/activities_per_user_audit/context_section.png b/apps/audit_trail/appserver/static/img/tours/activities_per_user_audit/context_section.png
new file mode 100755
index 00000000..0949cd13
Binary files /dev/null and b/apps/audit_trail/appserver/static/img/tours/activities_per_user_audit/context_section.png differ
diff --git a/apps/audit_trail/appserver/static/img/tours/activities_per_user_audit/filters_section.png b/apps/audit_trail/appserver/static/img/tours/activities_per_user_audit/filters_section.png
new file mode 100755
index 00000000..596d43ec
Binary files /dev/null and b/apps/audit_trail/appserver/static/img/tours/activities_per_user_audit/filters_section.png differ
diff --git a/apps/audit_trail/appserver/static/img/tours/activities_per_user_audit/filters_tour_section.png b/apps/audit_trail/appserver/static/img/tours/activities_per_user_audit/filters_tour_section.png
new file mode 100755
index 00000000..cc767da8
Binary files /dev/null and b/apps/audit_trail/appserver/static/img/tours/activities_per_user_audit/filters_tour_section.png differ
diff --git a/apps/audit_trail/appserver/static/img/tours/activities_per_user_audit/hosts_section.png b/apps/audit_trail/appserver/static/img/tours/activities_per_user_audit/hosts_section.png
new file mode 100755
index 00000000..b41dce2d
Binary files /dev/null and b/apps/audit_trail/appserver/static/img/tours/activities_per_user_audit/hosts_section.png differ
diff --git a/apps/audit_trail/appserver/static/img/tours/activities_per_user_audit/login_section.png b/apps/audit_trail/appserver/static/img/tours/activities_per_user_audit/login_section.png
new file mode 100755
index 00000000..6721b047
Binary files /dev/null and b/apps/audit_trail/appserver/static/img/tours/activities_per_user_audit/login_section.png differ
diff --git a/apps/audit_trail/appserver/static/img/tours/activities_per_user_audit/overview_tour_section.png b/apps/audit_trail/appserver/static/img/tours/activities_per_user_audit/overview_tour_section.png
new file mode 100755
index 00000000..b2813cb5
Binary files /dev/null and b/apps/audit_trail/appserver/static/img/tours/activities_per_user_audit/overview_tour_section.png differ
diff --git a/apps/audit_trail/appserver/static/img/tours/activities_per_user_audit/small_hosts_section.png b/apps/audit_trail/appserver/static/img/tours/activities_per_user_audit/small_hosts_section.png
new file mode 100755
index 00000000..455df3fe
Binary files /dev/null and b/apps/audit_trail/appserver/static/img/tours/activities_per_user_audit/small_hosts_section.png differ
diff --git a/apps/audit_trail/appserver/static/img/tours/activities_per_user_audit/small_login_section.png b/apps/audit_trail/appserver/static/img/tours/activities_per_user_audit/small_login_section.png
new file mode 100755
index 00000000..c8ff22e9
Binary files /dev/null and b/apps/audit_trail/appserver/static/img/tours/activities_per_user_audit/small_login_section.png differ
diff --git a/apps/audit_trail/appserver/static/img/tours/activities_per_user_audit/small_useragents_section.png b/apps/audit_trail/appserver/static/img/tours/activities_per_user_audit/small_useragents_section.png
new file mode 100755
index 00000000..db310378
Binary files /dev/null and b/apps/audit_trail/appserver/static/img/tours/activities_per_user_audit/small_useragents_section.png differ
diff --git a/apps/audit_trail/appserver/static/img/tours/activities_per_user_audit/tabs_section.png b/apps/audit_trail/appserver/static/img/tours/activities_per_user_audit/tabs_section.png
new file mode 100755
index 00000000..f728726a
Binary files /dev/null and b/apps/audit_trail/appserver/static/img/tours/activities_per_user_audit/tabs_section.png differ
diff --git a/apps/audit_trail/appserver/static/img/tours/activities_per_user_audit/tabs_tour_section.png b/apps/audit_trail/appserver/static/img/tours/activities_per_user_audit/tabs_tour_section.png
new file mode 100755
index 00000000..dbfade58
Binary files /dev/null and b/apps/audit_trail/appserver/static/img/tours/activities_per_user_audit/tabs_tour_section.png differ
diff --git a/apps/audit_trail/appserver/static/img/tours/activities_per_user_audit/timeline_section.png b/apps/audit_trail/appserver/static/img/tours/activities_per_user_audit/timeline_section.png
new file mode 100755
index 00000000..60162574
Binary files /dev/null and b/apps/audit_trail/appserver/static/img/tours/activities_per_user_audit/timeline_section.png differ
diff --git a/apps/audit_trail/appserver/static/img/tours/activities_per_user_audit/tour1.png b/apps/audit_trail/appserver/static/img/tours/activities_per_user_audit/tour1.png
new file mode 100755
index 00000000..602bbee7
Binary files /dev/null and b/apps/audit_trail/appserver/static/img/tours/activities_per_user_audit/tour1.png differ
diff --git a/apps/audit_trail/appserver/static/img/tours/activities_per_user_audit/useragents_section.png b/apps/audit_trail/appserver/static/img/tours/activities_per_user_audit/useragents_section.png
new file mode 100755
index 00000000..9aa6c2a7
Binary files /dev/null and b/apps/audit_trail/appserver/static/img/tours/activities_per_user_audit/useragents_section.png differ
diff --git a/apps/audit_trail/appserver/static/img/tours/activities_per_user_audit/users_and_actions_section.png b/apps/audit_trail/appserver/static/img/tours/activities_per_user_audit/users_and_actions_section.png
new file mode 100755
index 00000000..28bc7183
Binary files /dev/null and b/apps/audit_trail/appserver/static/img/tours/activities_per_user_audit/users_and_actions_section.png differ
diff --git a/apps/audit_trail/appserver/static/img/tours/activities_per_user_audit/users_section.png b/apps/audit_trail/appserver/static/img/tours/activities_per_user_audit/users_section.png
new file mode 100755
index 00000000..f444e3be
Binary files /dev/null and b/apps/audit_trail/appserver/static/img/tours/activities_per_user_audit/users_section.png differ
diff --git a/apps/audit_trail/appserver/static/img/tours/knowledge_objects_audit/activities_tab_section.png b/apps/audit_trail/appserver/static/img/tours/knowledge_objects_audit/activities_tab_section.png
new file mode 100755
index 00000000..503b2cde
Binary files /dev/null and b/apps/audit_trail/appserver/static/img/tours/knowledge_objects_audit/activities_tab_section.png differ
diff --git a/apps/audit_trail/appserver/static/img/tours/knowledge_objects_audit/activity_table_tour_section.png b/apps/audit_trail/appserver/static/img/tours/knowledge_objects_audit/activity_table_tour_section.png
new file mode 100755
index 00000000..f47ff964
Binary files /dev/null and b/apps/audit_trail/appserver/static/img/tours/knowledge_objects_audit/activity_table_tour_section.png differ
diff --git a/apps/audit_trail/appserver/static/img/tours/knowledge_objects_audit/apps_section.png b/apps/audit_trail/appserver/static/img/tours/knowledge_objects_audit/apps_section.png
new file mode 100755
index 00000000..e921c97e
Binary files /dev/null and b/apps/audit_trail/appserver/static/img/tours/knowledge_objects_audit/apps_section.png differ
diff --git a/apps/audit_trail/appserver/static/img/tours/knowledge_objects_audit/apps_section_small.png b/apps/audit_trail/appserver/static/img/tours/knowledge_objects_audit/apps_section_small.png
new file mode 100755
index 00000000..9bd49a1e
Binary files /dev/null and b/apps/audit_trail/appserver/static/img/tours/knowledge_objects_audit/apps_section_small.png differ
diff --git a/apps/audit_trail/appserver/static/img/tours/knowledge_objects_audit/charts_section.png b/apps/audit_trail/appserver/static/img/tours/knowledge_objects_audit/charts_section.png
new file mode 100755
index 00000000..54d5abdc
Binary files /dev/null and b/apps/audit_trail/appserver/static/img/tours/knowledge_objects_audit/charts_section.png differ
diff --git a/apps/audit_trail/appserver/static/img/tours/knowledge_objects_audit/filters_section.png b/apps/audit_trail/appserver/static/img/tours/knowledge_objects_audit/filters_section.png
new file mode 100755
index 00000000..c2bdc2a0
Binary files /dev/null and b/apps/audit_trail/appserver/static/img/tours/knowledge_objects_audit/filters_section.png differ
diff --git a/apps/audit_trail/appserver/static/img/tours/knowledge_objects_audit/filters_tour_section.png b/apps/audit_trail/appserver/static/img/tours/knowledge_objects_audit/filters_tour_section.png
new file mode 100755
index 00000000..88d71409
Binary files /dev/null and b/apps/audit_trail/appserver/static/img/tours/knowledge_objects_audit/filters_tour_section.png differ
diff --git a/apps/audit_trail/appserver/static/img/tours/knowledge_objects_audit/hosts_section.png b/apps/audit_trail/appserver/static/img/tours/knowledge_objects_audit/hosts_section.png
new file mode 100755
index 00000000..5ea6a6db
Binary files /dev/null and b/apps/audit_trail/appserver/static/img/tours/knowledge_objects_audit/hosts_section.png differ
diff --git a/apps/audit_trail/appserver/static/img/tours/knowledge_objects_audit/hosts_section_small.png b/apps/audit_trail/appserver/static/img/tours/knowledge_objects_audit/hosts_section_small.png
new file mode 100755
index 00000000..1a63befd
Binary files /dev/null and b/apps/audit_trail/appserver/static/img/tours/knowledge_objects_audit/hosts_section_small.png differ
diff --git a/apps/audit_trail/appserver/static/img/tours/knowledge_objects_audit/names_section.png b/apps/audit_trail/appserver/static/img/tours/knowledge_objects_audit/names_section.png
new file mode 100755
index 00000000..f1fde790
Binary files /dev/null and b/apps/audit_trail/appserver/static/img/tours/knowledge_objects_audit/names_section.png differ
diff --git a/apps/audit_trail/appserver/static/img/tours/knowledge_objects_audit/overview_tour_section.png b/apps/audit_trail/appserver/static/img/tours/knowledge_objects_audit/overview_tour_section.png
new file mode 100755
index 00000000..f2a04b76
Binary files /dev/null and b/apps/audit_trail/appserver/static/img/tours/knowledge_objects_audit/overview_tour_section.png differ
diff --git a/apps/audit_trail/appserver/static/img/tours/knowledge_objects_audit/tables_section.png b/apps/audit_trail/appserver/static/img/tours/knowledge_objects_audit/tables_section.png
new file mode 100755
index 00000000..5fd1b888
Binary files /dev/null and b/apps/audit_trail/appserver/static/img/tours/knowledge_objects_audit/tables_section.png differ
diff --git a/apps/audit_trail/appserver/static/img/tours/knowledge_objects_audit/tabs_section.png b/apps/audit_trail/appserver/static/img/tours/knowledge_objects_audit/tabs_section.png
new file mode 100755
index 00000000..7100c529
Binary files /dev/null and b/apps/audit_trail/appserver/static/img/tours/knowledge_objects_audit/tabs_section.png differ
diff --git a/apps/audit_trail/appserver/static/img/tours/knowledge_objects_audit/tabs_tour_section.png b/apps/audit_trail/appserver/static/img/tours/knowledge_objects_audit/tabs_tour_section.png
new file mode 100755
index 00000000..dbfade58
Binary files /dev/null and b/apps/audit_trail/appserver/static/img/tours/knowledge_objects_audit/tabs_tour_section.png differ
diff --git a/apps/audit_trail/appserver/static/img/tours/knowledge_objects_audit/timeline_section.png b/apps/audit_trail/appserver/static/img/tours/knowledge_objects_audit/timeline_section.png
new file mode 100755
index 00000000..54d48848
Binary files /dev/null and b/apps/audit_trail/appserver/static/img/tours/knowledge_objects_audit/timeline_section.png differ
diff --git a/apps/audit_trail/appserver/static/img/tours/knowledge_objects_audit/tour1.png b/apps/audit_trail/appserver/static/img/tours/knowledge_objects_audit/tour1.png
new file mode 100755
index 00000000..602bbee7
Binary files /dev/null and b/apps/audit_trail/appserver/static/img/tours/knowledge_objects_audit/tour1.png differ
diff --git a/apps/audit_trail/appserver/static/img/tours/knowledge_objects_audit/types_section.png b/apps/audit_trail/appserver/static/img/tours/knowledge_objects_audit/types_section.png
new file mode 100755
index 00000000..17cb28a6
Binary files /dev/null and b/apps/audit_trail/appserver/static/img/tours/knowledge_objects_audit/types_section.png differ
diff --git a/apps/audit_trail/appserver/static/img/tours/knowledge_objects_audit/types_section_small.png b/apps/audit_trail/appserver/static/img/tours/knowledge_objects_audit/types_section_small.png
new file mode 100755
index 00000000..622388f9
Binary files /dev/null and b/apps/audit_trail/appserver/static/img/tours/knowledge_objects_audit/types_section_small.png differ
diff --git a/apps/audit_trail/appserver/static/img/tours/knowledge_objects_audit/users_section.png b/apps/audit_trail/appserver/static/img/tours/knowledge_objects_audit/users_section.png
new file mode 100755
index 00000000..50a58fdb
Binary files /dev/null and b/apps/audit_trail/appserver/static/img/tours/knowledge_objects_audit/users_section.png differ
diff --git a/apps/audit_trail/appserver/static/img/tours/knowledge_objects_audit/users_section_small.png b/apps/audit_trail/appserver/static/img/tours/knowledge_objects_audit/users_section_small.png
new file mode 100755
index 00000000..62e2686e
Binary files /dev/null and b/apps/audit_trail/appserver/static/img/tours/knowledge_objects_audit/users_section_small.png differ
diff --git a/apps/audit_trail/appserver/static/img/tutorial.png b/apps/audit_trail/appserver/static/img/tutorial.png
new file mode 100755
index 00000000..43fb98b3
Binary files /dev/null and b/apps/audit_trail/appserver/static/img/tutorial.png differ
diff --git a/apps/audit_trail/appserver/static/img/tutorial.svg b/apps/audit_trail/appserver/static/img/tutorial.svg
new file mode 100755
index 00000000..93414280
--- /dev/null
+++ b/apps/audit_trail/appserver/static/img/tutorial.svg
@@ -0,0 +1,4 @@
+
+
+
+
diff --git a/apps/audit_trail/appserver/static/img/types_filter.png b/apps/audit_trail/appserver/static/img/types_filter.png
new file mode 100755
index 00000000..ea257b61
Binary files /dev/null and b/apps/audit_trail/appserver/static/img/types_filter.png differ
diff --git a/apps/audit_trail/appserver/static/img/users_dashboard.png b/apps/audit_trail/appserver/static/img/users_dashboard.png
new file mode 100755
index 00000000..bdb9f2db
Binary files /dev/null and b/apps/audit_trail/appserver/static/img/users_dashboard.png differ
diff --git a/apps/audit_trail/default/app.conf b/apps/audit_trail/default/app.conf
new file mode 100755
index 00000000..6ca7fd3c
--- /dev/null
+++ b/apps/audit_trail/default/app.conf
@@ -0,0 +1,14 @@
+[install]
+is_configured = true
+state = enabled
+allows_disable = false
+
+[ui]
+is_visible = true
+show_in_nav = true
+label = Audit Trail
+
+[launcher]
+author = Splunk
+description = App for Audit Trail dashboards
+version = 1.0.0
diff --git a/apps/audit_trail/default/data/ui/nav/default.xml b/apps/audit_trail/default/data/ui/nav/default.xml
new file mode 100755
index 00000000..e6e8c820
--- /dev/null
+++ b/apps/audit_trail/default/data/ui/nav/default.xml
@@ -0,0 +1,7 @@
+
+
diff --git a/apps/audit_trail/default/data/ui/views/activities_per_user_audit.xml b/apps/audit_trail/default/data/ui/views/activities_per_user_audit.xml
new file mode 100755
index 00000000..0ed58241
--- /dev/null
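Review bot: The new app.conf has no `[package]` stanza, so the app ships without an `id` and with the Splunkbase update check left at its default; for an internally built dashboard app add `[package]`, `id = audit_trail`, `check_for_updates = false` so the deployment does not phone out looking for updates to an app Splunkbase does not know, and packaging or vetting tooling can identify the app. Separately, `allows_disable = false` under `[install]` stops an administrator from disabling the app through Splunk Web or the REST endpoint; for a dashboards-only app that is an operational obstacle rather than a control, so either drop it or add a comment stating why the app must stay enabled. Both points apply to the app.conf hunk only; the image and nav hunks that share this line carry no reviewable content.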
+++ b/apps/audit_trail/default/data/ui/views/activities_per_user_audit.xml 
@@ -0,0 +1,1185 @@ + + + + statics | formatByType(formattedConfig)", + "statics": [ + [ + "Any", + "Mozilla", + "n/a", + "unknown" + ], + [ + "*", + "Mozilla", + "n/a", + "unknown" + ] + ], + "label": ">primary | seriesByName(\"useragent\") | renameSeries(\"label\") | formatByType(formattedConfig)", + "value": ">primary | seriesByName(\"useragent\") | renameSeries(\"value\") | formatByType(formattedConfig)" + }, + "dataSources": { + "primary": "ds_LwcvAxAb" + }, + "options": { + "defaultValue": [ + "Mozilla", + "unknown", + "n/a" + ], + "items": ">frame(label, value) | prepend(formattedStatics) | objects()", + "token": "ms_user_agents" + }, + "title": "Login user agent(s)", + "type": "input.multiselect" + }, + "input_8cPLfS0W": { + "context": { + "formattedConfig": { + "number": { + "prefix": "" + } + }, + "formattedStatics": ">statics | formatByType(formattedConfig)", + "statics": [ + [ + "Any" + ], + [ + "*" + ] + ], + "label": ">primary | seriesByName(\"object_name\") | renameSeries(\"label\") | formatByType(formattedConfig)", + "value": ">primary | seriesByName(\"object_name\") | renameSeries(\"value\") | formatByType(formattedConfig)" + }, + "dataSources": { + "primary": "ds_eSukAtNI" + }, + "options": { + "defaultValue": [ + "*" + ], + "items": ">frame(label, value) | prepend(formattedStatics) | objects()", + "token": "ms_object_names" + }, + "title": "Context(s)", + "type": "input.multiselect" + }, + "input_PYpDbVm3": { + "context": { + "formattedConfig": { + "number": { + "prefix": "" + } + }, + "formattedStatics": ">statics | formatByType(formattedConfig)", + "statics": [ + [ + "Any" + ], + [ + "*" + ] + ], + "label": ">primary | seriesByName(\"app\") | renameSeries(\"label\") | formatByType(formattedConfig)", + "value": ">primary | seriesByName(\"app\") | renameSeries(\"value\") | formatByType(formattedConfig)" + }, + "dataSources": { + "primary": "ds_oUwKmA5u" + }, + "options": { + "defaultValue": [ + "*" + ], + "items": ">frame(label, value) | 
prepend(formattedStatics) | objects()", + "token": "ms_app_names" + }, + "title": "App(s)", + "type": "input.multiselect" + }, + "input_T7BIJ7Pm": { + "dataSources": { + "primary": "ds_x2TEDIbr" + }, + "options": { + "defaultValue": [ + "*" + ], + "items": ">frame(label, value) | prepend(formattedStatics) | objects()", + "token": "ms_actions" + }, + "title": "Action(s)", + "type": "input.multiselect", + "context": { + "formattedConfig": { + "number": { + "prefix": "" + } + }, + "formattedStatics": ">statics | formatByType(formattedConfig)", + "statics": [ + [ + "Any" + ], + [ + "*" + ] + ], + "label": ">primary | seriesByName(\"user_action\") | renameSeries(\"label\") | formatByType(formattedConfig)", + "value": ">primary | seriesByName(\"user_action\") | renameSeries(\"value\") | formatByType(formattedConfig)" + } + }, + "input_V8goUdiM": { + "context": { + "formattedConfig": { + "number": { + "prefix": "" + } + }, + "formattedStatics": ">statics | formatByType(formattedConfig)", + "statics": [ + [ + "Any" + ], + [ + "*" + ] + ], + "label": ">primary | seriesByName(\"user\") | renameSeries(\"label\") | formatByType(formattedConfig)", + "value": ">primary | seriesByName(\"user\") | renameSeries(\"value\") | formatByType(formattedConfig)" + }, + "dataSources": { + "primary": "ds_DUABMnxY" + }, + "options": { + "items": ">frame(label, value) | prepend(formattedStatics) | objects()", + "token": "ms_user_names", + "defaultValue": [ + "*" + ] + }, + "title": "User(s)", + "type": "input.multiselect" + }, + "input_WAwuApNh": { + "options": { + "defaultValue": "-7d@h,now", + "token": "time" + }, + "title": "Time range", + "type": "input.timerange" + }, + "input_n59hT3WT": { + "options": { + "defaultValue": "*", + "token": "text_token" + }, + "title": "SPL condition(s)", + "type": "input.text" + }, + "input_yLyZgaC5": { + "context": { + "formattedConfig": { + "number": { + "prefix": "" + } + }, + "formattedStatics": ">statics | formatByType(formattedConfig)", + "statics": [ 
+ [ + "Any" + ], + [ + "*" + ] + ], + "label": ">primary | seriesByName(\"host\") | renameSeries(\"label\") | formatByType(formattedConfig)", + "value": ">primary | seriesByName(\"host\") | renameSeries(\"value\") | formatByType(formattedConfig)" + }, + "dataSources": { + "primary": "ds_fTyQF8LC" + }, + "options": { + "defaultValue": [ + "*" + ], + "items": ">frame(label, value) | prepend(formattedStatics) | objects()", + "token": "ms_host_names" + }, + "title": "Host(s)", + "type": "input.multiselect" + }, + "input_3yYi4vGy": { + "options": { + "items": [ + { + "label": "No", + "value": "no" + }, + { + "label": "Yes", + "value": "yes" + } + ], + "defaultValue": "no", + "token": "dd_augment_action" + }, + "title": "Add context to timeline", + "type": "input.dropdown" + } + }, + "defaults": { + "dataSources": { + "ds.search": { + "options": { + "queryParameters": {} + } + } + } + }, + "visualizations": { + "viz_4gLfdNAZ": { + "dataSources": { + "primary": "ds_AXgjIFgY" + }, + "eventHandlers": [ + { + "options": { + "tokens": [ + { + "key": "row.name.value", + "token": "ms_object_names" + } + ] + }, + "type": "drilldown.setToken" + } + ], + "showLastUpdated": false, + "showProgressBar": true, + "title": "Context(s)", + "type": "splunk.pie" + }, + "viz_FTCFDEzH": { + "dataSources": { + "primary": "ds_EkqGpKKc_ds_34ljSSqf_ds_WY4obnmU" + }, + "eventHandlers": [ + { + "options": { + "tokens": [ + { + "key": "row.host.value", + "token": "ms_host_names" + } + ] + }, + "type": "drilldown.setToken" + } + ], + "showLastUpdated": false, + "showProgressBar": true, + "title": "Host(s)", + "type": "splunk.pie" + }, + "viz_FZih8hXD": { + "dataSources": { + "primary": "ds_OOnwhUDc" + }, + "eventHandlers": [ + { + "type": "drilldown.setToken", + "options": { + "tokens": [ + { + "key": "row.app.value", + "token": "ms_app_names" + } + ] + } + } + ], + "options": { + "columnFormat": { + "count": { + "width": 30 + } + }, + "drilldown": "cell", + "count": 8 + }, + "showProgressBar": 
true, + "title": "Apps", + "type": "splunk.table" + }, + "viz_VC5BEx25": { + "dataSources": { + "primary": "ds_wVOevxkK_ds_AXgjIFgY" + }, + "eventHandlers": [ + { + "type": "drilldown.setToken", + "options": { + "tokens": [ + { + "key": "row.context.value", + "token": "ms_object_names" + } + ] + } + } + ], + "options": { + "drilldown": "cell", + "showInternalFields": false, + "columnFormat": { + "context": { + "width": 700 + } + }, + "count": 8 + }, + "showProgressBar": true, + "title": "", + "type": "splunk.table" + }, + "viz_WvdnTwBR": { + "dataSources": { + "primary": "ds_WY4obnmU" + }, + "eventHandlers": [ + { + "options": { + "tokens": [ + { + "key": "row.user.value", + "token": "ms_user_names" + } + ] + }, + "type": "drilldown.setToken" + } + ], + "options": { + "columnFormat": { + "count": { + "width": 30 + } + }, + "count": 8 + }, + "showProgressBar": true, + "title": "", + "type": "splunk.table", + "showLastUpdated": false + }, + "viz_aILjq6jc": { + "dataSources": { + "primary": "ds_2bG53cci_ds_EkqGpKKc_ds_34ljSSqf_ds_WY4obnmU" + }, + "eventHandlers": [ + { + "options": { + "tokens": [ + { + "key": "row.object_type.value", + "token": "ms_object_types" + } + ] + }, + "type": "drilldown.setToken" + } + ], + "options": { + "seriesColors": [ + "#FF677B", + "#FFA476", + "#DD9900", + "#99B100", + "#008C80", + "#0051B5", + "#7B56DB", + "#009CEB", + "#00CDAF", + "#CB2196", + "#813193", + "#FF6ACE", + "#AE8CFF", + "#00689D", + "#00490A", + "#465D00", + "#9D6300", + "#F6540B", + "#FF969E", + "#E47BFE" + ] + }, + "showLastUpdated": false, + "showProgressBar": true, + "title": "Login user agent(s)", + "type": "splunk.pie" + }, + "viz_jJX71ybc": { + "dataSources": { + "primary": "ds_eKo8k29O_ds_WY4obnmU" + }, + "eventHandlers": [ + { + "options": { + "tokens": [ + { + "key": "row.user.value", + "token": "ms_user_names" + } + ] + }, + "type": "drilldown.setToken" + } + ], + "showLastUpdated": false, + "showProgressBar": true, + "title": "Distinct user(s)", + "type": 
"splunk.singlevalue" + }, + "viz_u0J839pR": { + "dataSources": { + "primary": "ds_SG2pKPV7_ds_slbguYLS_ds_EkqGpKKc_ds_34ljSSqf_ds_WY4obnmU" + }, + "eventHandlers": [ + { + "type": "drilldown.setToken", + "options": { + "tokens": [ + { + "key": "row.useragent.value", + "token": "ms_user_agents" + } + ] + } + } + ], + "showLastUpdated": false, + "showProgressBar": true, + "title": "", + "type": "splunk.table", + "options": { + "columnFormat": { + "count": { + "width": 30 + } + }, + "count": 8 + } + }, + "viz_UDaNf0MI": { + "dataSources": { + "primary": "ds_yX0sUuiQ_ds_0LBHfs3r" + }, + "eventHandlers": [], + "options": { + "legendDisplay": "bottom", + "xAxisTitleVisibility": "hide", + "yAxisTitleVisibility": "hide" + }, + "showLastUpdated": false, + "showProgressBar": true, + "title": "Activities timeline", + "type": "splunk.column" + }, + "viz_yfinOS8e": { + "type": "splunk.markdown", + "options": { + "markdown": "" + } + }, + "viz_Kwcgllyn": { + "type": "splunk.markdown", + "options": { + "markdown": "" + } + }, + "viz_jYUHKU20": { + "type": "splunk.markdown", + "options": { + "markdown": "" + } + }, + "viz_tXPCk9WN": { + "dataSources": { + "primary": "ds_eWH0mViw_ds_WY4obnmU" + }, + "eventHandlers": [ + { + "type": "drilldown.setToken", + "options": { + "tokens": [ + { + "key": "row.action.value", + "token": "ms_actions" + } + ] + } + } + ], + "options": { + "columnFormat": { + "count": { + "width": 30 + } + }, + "count": 8 + }, + "showProgressBar": true, + "title": "Action(s)", + "type": "splunk.table", + "showLastUpdated": false + }, + "viz_5EikTgSW": { + "dataSources": { + "primary": "ds_XvxGTFs0_ds_AXgjIFgY" + }, + "eventHandlers": [ + { + "type": "drilldown.setToken", + "options": { + "tokens": [ + { + "key": "row.user.value", + "token": "ms_users" + } + ] + } + } + ], + "showLastUpdated": false, + "showProgressBar": true, + "title": "Users and actions", + "type": "splunk.linkgraph", + "options": { + "nodeWidth": 220, + "showValueCounts": false + } + }, + 
"viz_0yVOacxL": { + "dataSources": { + "primary": "ds_uplRMfgR_ds_OOnwhUDc" + }, + "eventHandlers": [ + { + "options": { + "tokens": [ + { + "key": "row.appname.value", + "token": "ms_app_names" + } + ] + }, + "type": "drilldown.setToken" + } + ], + "showLastUpdated": false, + "showProgressBar": true, + "title": "Distinct app(s)", + "type": "splunk.singlevalue" + }, + "viz_BicnhG3j": { + "context": { + "actionColumnFormatEditorConfig": { + "string": { + "unitPosition": "after" + } + }, + "actionRowColorsEditorConfig": [ + { + "match": "delete", + "value": "#D41F1F" + }, + { + "match": "update", + "value": "#118832" + } + ] + }, + "dataSources": { + "primary": "ds_BKJ013Yc_ds_nQAbGEMe" + }, + "eventHandlers": [], + "options": { + "columnFormat": { + "action": { + "data": "> table | seriesByName(\"action\") | formatByType(actionColumnFormatEditorConfig)", + "rowColors": "> table | seriesByName(\"action\") | matchValue(actionRowColorsEditorConfig)", + "width": 146 + }, + "event": { + "width": 1150 + }, + "name": { + "width": 300 + }, + "time": { + "width": 250 + }, + "user": { + "width": 150 + } + }, + "fontSize": "large", + "overflow-y": "scroll", + "overflow-x": "hidden" + }, + "showLastUpdated": false, + "showProgressBar": true, + "title": "Activities", + "type": "splunk.table" + }, + "viz_IQswgbde": { + "dataSources": { + "primary": "ds_BOYrM8sc_ds_uplRMfgR_ds_OOnwhUDc" + }, + "eventHandlers": [ + { + "options": { + "tokens": [ + { + "key": "row.appname.value", + "token": "ms_app_names" + } + ] + }, + "type": "drilldown.setToken" + } + ], + "showLastUpdated": false, + "showProgressBar": true, + "title": "Failed logins", + "type": "splunk.singlevalue", + "options": { + "majorColor": "#dc4e41" + } + }, + "viz_T8DEJLv3": { + "dataSources": { + "primary": "ds_B9ZY1Wof_ds_BOYrM8sc_ds_uplRMfgR_ds_OOnwhUDc" + }, + "eventHandlers": [ + { + "options": { + "tokens": [ + { + "key": "row.appname.value", + "token": "ms_app_names" + } + ] + }, + "type": "drilldown.setToken" + } 
+ ], + "showLastUpdated": false, + "showProgressBar": true, + "title": "All logins", + "type": "splunk.singlevalue", + "containerOptions": {}, + "options": { + "majorColor": "#53a051" + }, + "description": "include the failed logins" + } + }, + "dataSources": { + "ds_0LBHfs3r": { + "name": "activities by user", + "options": { + "extend": "ds_sxu2HJOI", + "query": " | timechart count by user" + }, + "type": "ds.chain" + }, + "ds_1dnRSxiQ_ds_KtFg8oQ2": { + "name": "Object Creation By Type - Pie chart search copy 1", + "options": { + "enableSmartSources": true, + "extend": "ds_sxu2HJOI", + "query": "| search object_action = create | chart count by object_type" + }, + "type": "ds.chain" + }, + "ds_2bG53cci_ds_EkqGpKKc_ds_34ljSSqf_ds_WY4obnmU": { + "name": "Logins By User Agent - Chart search", + "options": { + "extend": "ds_sxu2HJOI", + "query": "| search NOT useragent = \"n/a\" AND NOT useragent=\"unknown\"\n| stats count by useragent" + }, + "type": "ds.chain" + }, + "ds_AXgjIFgY": { + "name": "Activity By Object", + "options": { + "extend": "ds_sxu2HJOI", + "query": "| stats count by object_name" + }, + "type": "ds.chain" + }, + "ds_EkqGpKKc_ds_34ljSSqf_ds_WY4obnmU": { + "name": "Activity By Host - Chart search", + "options": { + "extend": "ds_sxu2HJOI", + "query": " | eval fields=split(host,\".\") | eval host=mvindex(fields,0) | stats count by host" + }, + "type": "ds.chain" + }, + "ds_KtFg8oQ2": { + "name": "Object Creation By Type - Pie chart search", + "options": { + "enableSmartSources": true, + "extend": "ds_sxu2HJOI", + "query": "| search object_action = create | chart count by object_type" + }, + "type": "ds.chain" + }, + "ds_OOnwhUDc": { + "name": "Activity By App - Table search", + "options": { + "extend": "ds_sxu2HJOI", + "query": "| stats count by app" + }, + "type": "ds.chain" + }, + "ds_SG2pKPV7_ds_slbguYLS_ds_EkqGpKKc_ds_34ljSSqf_ds_WY4obnmU": { + "name": "Logins By User Agent - Table search", + "options": { + "extend": "ds_sxu2HJOI", + "query": "| 
search NOT useragent = \"n/a\" AND NOT useragent=\"unknown\"\n| stats count by useragent" + }, + "type": "ds.chain" + }, + "ds_WY4obnmU": { + "name": "Activity By User - Table search", + "options": { + "extend": "ds_sxu2HJOI", + "query": "| stats count by user" + }, + "type": "ds.chain" + }, + "ds_eKo8k29O_ds_WY4obnmU": { + "name": "Activity By User - Chart search", + "options": { + "extend": "ds_sxu2HJOI", + "query": "| stats dc(user)" + }, + "type": "ds.chain" + }, + "ds_nQAbGEMe": { + "name": "events", + "options": { + "extend": "ds_sxu2HJOI", + "query": "| eval action=user_action\n| sort -_time,\n| eval event=orig_body\n| eval name=object_name\n| eval time=strftime(_time,\"%Y-%m-%d %H:%M:%S.%Q\")\n| fields time, user, action, name, event\n| fields - _time" + }, + "type": "ds.chain" + }, + "ds_slbguYLS_ds_EkqGpKKc_ds_34ljSSqf_ds_WY4obnmU": { + "name": "Activity By Host - Table search", + "options": { + "extend": "ds_sxu2HJOI", + "query": " | stats count by host" + }, + "type": "ds.chain" + }, + "ds_sxu2HJOI": { + "name": "ds_baseSelection", + "options": { + "query": "| savedsearch audit_trail_users_query ss_user_names=\"$ms_user_names$\" ss_host_names=\"$ms_host_names$\" ss_text=\"$text_token$\"\n```Tags may have mnulti values: {[0]='tag_1' [1]='tag_2'}- split it to separate events```\n| eval tagnames=split(replace(object_name, \"\\[[0-9]*\\]=\",\"\"), \"' '\") | mvexpand tagnames | eval object_name=ltrim(rtrim(tagnames,\"'}\"),\"{'\")\n```raw attributes (redundant)```\n| search user IN ($ms_user_names$)\n| search host IN ($ms_host_names$)\n```calculated attributes```\n| search user_action IN ($ms_actions$)\n| search object_name IN ($ms_object_names$)\n| search app IN ($ms_app_names$)\n| search useragent IN ($ms_user_agents$)\n\n", + "queryParameters": { + "earliest": "$time.earliest$", + "latest": "$time.latest$" + } + }, + "type": "ds.search" + }, + "ds_uplRMfgR_ds_OOnwhUDc": { + "name": "Activity By App - Chart search", + "options": { + "extend": 
"ds_sxu2HJOI", + "query": "| stats dc(app)" + }, + "type": "ds.chain" + }, + "ds_wVOevxkK_ds_AXgjIFgY": { + "name": "Activity By Object - table search", + "options": { + "extend": "ds_sxu2HJOI", + "query": "| eval context=object_name\n| stats count by context" + }, + "type": "ds.chain" + }, + "ds_yX0sUuiQ_ds_0LBHfs3r": { + "name": "activities by action", + "options": { + "extend": "ds_sxu2HJOI", + "query": " | eval the_action=IF(\"$dd_augment_action$\" == \"yes\", ex_user_action, user_action)\n | timechart count by the_action" + }, + "type": "ds.chain" + }, + "ds_Af3ExPjS_ds_eKo8k29O_ds_WY4obnmU": { + "name": "Distinct stacks", + "options": { + "extend": "ds_sxu2HJOI", + "query": "| stats dc(stack)" + }, + "type": "ds.chain" + }, + "ds_bkO5kv5T_ds_WY4obnmU": { + "name": "Activity By Stack - Table Search", + "options": { + "extend": "ds_sxu2HJOI", + "query": "| stats count by stack" + }, + "type": "ds.chain" + }, + "ds_eWH0mViw_ds_WY4obnmU": { + "name": "Activities - Table search", + "options": { + "extend": "ds_sxu2HJOI", + "query": "| eval action=user_action\n| stats count by action" + }, + "type": "ds.chain" + }, + "ds_XvxGTFs0_ds_AXgjIFgY": { + "name": "Users And Action", + "options": { + "extend": "ds_sxu2HJOI", + "query": "| eval action=user_action\n| dedup user, action\n| table user, action \n" + }, + "type": "ds.chain" + }, + "ds_x2TEDIbr": { + "type": "ds.chain", + "options": { + "extend": "ds_sxu2HJOI", + "query": "| table user_action \n| dedup user_action" + }, + "name": "List of Actions" + }, + "ds_LwcvAxAb": { + "type": "ds.chain", + "options": { + "query": "| table useragent \n| dedup useragent", + "extend": "ds_sxu2HJOI" + }, + "name": "List Of Useragents" + }, + "ds_eSukAtNI": { + "type": "ds.chain", + "options": { + "extend": "ds_sxu2HJOI", + "query": "| table object_name \n| dedup object_name\n| eval object_name=if(match(object_name, \".*[\\s\\(\\)].*\"), \"\\\"\" . object_name . 
\"\\\"\", object_name)" + }, + "name": "List of Object Names" + }, + "ds_DUABMnxY": { + "type": "ds.chain", + "options": { + "extend": "ds_sxu2HJOI", + "query": "| table user \n| dedup user" + }, + "name": "List of Users" + }, + "ds_oUwKmA5u": { + "type": "ds.chain", + "options": { + "extend": "ds_sxu2HJOI", + "query": "| table app \n| dedup app" + }, + "name": "List of Apps" + }, + "ds_fTyQF8LC": { + "type": "ds.chain", + "options": { + "extend": "ds_sxu2HJOI", + "query": "| table host \n| dedup host" + }, + "name": "Search_1" + }, + "ds_ir6wOG8o_ds_eKo8k29O_ds_WY4obnmU": { + "name": "Activity By User - Chart search copy 1", + "options": { + "extend": "ds_sxu2HJOI", + "query": "| stats dc(user)" + }, + "type": "ds.chain" + }, + "ds_BKJ013Yc_ds_nQAbGEMe": { + "name": "events copy 1", + "options": { + "extend": "ds_sxu2HJOI", + "query": "| eval action=user_action\n| sort -_time,\n| eval event=orig_body\n| eval name=object_name\n| eval time=strftime(_time,\"%Y-%m-%d %H:%M:%S.%Q\")\n| fields time, user, action, name, event\n| fields - _time\n| fields - _mkv_child" + }, + "type": "ds.chain" + }, + "ds_BOYrM8sc_ds_uplRMfgR_ds_OOnwhUDc": { + "name": "Failed Logins - Single Value", + "options": { + "extend": "ds_sxu2HJOI", + "query": "| search user_action=\"login_attempt\" AND NOT info=\"succeeded\" \n| stats count" + }, + "type": "ds.chain" + }, + "ds_B9ZY1Wof_ds_BOYrM8sc_ds_uplRMfgR_ds_OOnwhUDc": { + "name": "All Logins - Single Value", + "options": { + "extend": "ds_sxu2HJOI", + "query": "| search user_action=\"login_attempt\" \n| stats count " + }, + "type": "ds.chain" + } + }, + "layout": { + "tabs": { + "items": [ + { + "layoutId": "layout_1", + "label": "Overview" + }, + { + "layoutId": "layout_VYHINhpE", + "label": "Activity log" + } + ] + }, + "layoutDefinitions": { + "layout_1": { + "type": "absolute", + "options": { + "backgroundColor": "transparent", + "display": "fit-to-width", + "height": 3000, + "width": 2000 + }, + "structure": [ + { + "item": 
"viz_FTCFDEzH", + "position": { + "h": 430, + "w": 490, + "x": 1500, + "y": 820 + }, + "type": "block" + }, + { + "item": "viz_4gLfdNAZ", + "position": { + "h": 430, + "w": 590, + "x": 0, + "y": 820 + }, + "type": "block" + }, + { + "item": "viz_jJX71ybc", + "position": { + "h": 250, + "w": 200, + "x": 530, + "y": 270 + }, + "type": "block" + }, + { + "item": "viz_WvdnTwBR", + "position": { + "h": 250, + "w": 400, + "x": 730, + "y": 270 + }, + "type": "block" + }, + { + "item": "viz_FZih8hXD", + "position": { + "h": 280, + "w": 400, + "x": 730, + "y": 530 + }, + "type": "block" + }, + { + "item": "viz_VC5BEx25", + "position": { + "h": 430, + "w": 900, + "x": 590, + "y": 820 + }, + "type": "block" + }, + { + "item": "viz_aILjq6jc", + "position": { + "h": 250, + "w": 490, + "x": 1500, + "y": 270 + }, + "type": "block" + }, + { + "item": "viz_u0J839pR", + "position": { + "h": 290, + "w": 490, + "x": 1500, + "y": 520 + }, + "type": "block" + }, + { + "item": "viz_UDaNf0MI", + "position": { + "x": 530, + "y": 0, + "w": 1460, + "h": 260 + }, + "type": "block" + }, + { + "item": "viz_yfinOS8e", + "type": "block", + "position": { + "x": 0, + "y": 2310, + "w": 300, + "h": 300 + } + }, + { + "item": "viz_Kwcgllyn", + "type": "block", + "position": { + "x": 300, + "y": 2310, + "w": 300, + "h": 300 + } + }, + { + "item": "viz_jYUHKU20", + "type": "block", + "position": { + "x": 600, + "y": 2310, + "w": 300, + "h": 300 + } + }, + { + "item": "viz_tXPCk9WN", + "position": { + "x": 0, + "y": 420, + "w": 520, + "h": 390 + }, + "type": "block" + }, + { + "item": "viz_5EikTgSW", + "position": { + "x": 0, + "y": 0, + "w": 520, + "h": 410 + }, + "type": "block" + }, + { + "item": "viz_0yVOacxL", + "position": { + "x": 530, + "y": 530, + "w": 200, + "h": 280 + }, + "type": "block" + }, + { + "item": "viz_IQswgbde", + "position": { + "x": 1140, + "y": 270, + "w": 350, + "h": 250 + }, + "type": "block" + }, + { + "item": "viz_T8DEJLv3", + "position": { + "x": 1140, + "y": 530, + "w": 
350, + "h": 280 + }, + "type": "block" + } + ] + }, + "layout_VYHINhpE": { + "type": "grid", + "structure": [ + { + "item": "viz_BicnhG3j", + "type": "block", + "position": { + "x": 0, + "y": 0, + "w": 1200, + "h": 770 + } + } + ] + } + }, + "globalInputs": [ + "input_n59hT3WT", + "input_V8goUdiM", + "input_T7BIJ7Pm", + "input_8cPLfS0W", + "input_PYpDbVm3", + "input_yLyZgaC5", + "input_0m4aAr88", + "input_3yYi4vGy", + "input_WAwuApNh" + ], + "options": { + "submitButton": true, + "submitOnDashboardLoad": true + } + } +} + ]]> + + \ No newline at end of file diff --git a/apps/audit_trail/default/data/ui/views/audit_trail_home.xml b/apps/audit_trail/default/data/ui/views/audit_trail_home.xml new file mode 100755 index 00000000..4e5b442d --- /dev/null +++ b/apps/audit_trail/default/data/ui/views/audit_trail_home.xml @@ -0,0 +1,489 @@ + + + + + + + +
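Review bot: Two drilldowns in activities_per_user_audit.xml set tokens that no input of this dashboard consumes, so clicking those charts does nothing: `viz_5EikTgSW` ("Users and actions") sets `ms_users` while the user filter `input_V8goUdiM` reads `ms_user_names`, and `viz_aILjq6jc` ("Login user agent(s)") keys on `row.object_type.value` / `ms_object_types` although its data source `ds_2bG53cci_ds_EkqGpKKc_ds_34ljSSqf_ds_WY4obnmU` ends in `stats count by useragent`. Change the first to `"token": "ms_user_names"` and the second to `"key": "row.useragent.value"`, `"token": "ms_user_agents"`, as `viz_u0J839pR` already does. `ds_nQAbGEMe` and `ds_BKJ013Yc_ds_nQAbGEMe` both contain `| sort -_time,` with a trailing comma; confirm the SPL parser accepts it or drop the comma. In `ds_sxu2HJOI` the free-text `$text_token$` is interpolated unescaped inside `ss_text=\"$text_token$\"`, so a value containing a double quote breaks the quoting of the savedsearch argument; either escape the value before it reaches that string (a quoting token filter, if the Dashboard Studio runtime provides one) or state in the input's title that it expects a bare SPL condition without quotes.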
+
+ Monitor your Splunk instance with ease
+ Splunk Audit Trail provides real-time visibility into user activity and knowledge object changes using data from the _audit index. Designed for security and compliance. Main purpose of this app is to improve auditors experience from compliance and operational perspectives. This app helps detect unauthorized changes, track admin modifications, and troubleshoot issues efficiently. Currently it provides two dashboards: User Activity Dashboard, which displays human users activities like: logins, searches, failed login attempts, and admin actions, and Knowledge Object Changes Dashboard, which monitors state mutations of saved searches, dashboards, reports, lookups, field extractions, etc. But this is just a start base. You can add your own dashboards with data which gives you most valuable data. +
+
+ +
+
+ +
+
+ + + +

+ The Dashboards +

+ +
+
+ + + + + +
+ +
+
+
+ Users activities dashboard +
+ Presents actions performed by users in Splunk, monitoring user activity logs and interactions. + +
+
+ + Button 1 + + + + Button 2 + +
+
+ Large Image + +
+ + +
+
+
+ Objects modifications dashboard +
+ Shows modifications made to Splunk objects, including Views, Panels, and Saved Searches, etc. + +
+ +
+ Large Image +
+
+ +
+
+ + + +

+ Some Filters You Can Use +

+ +
+
+ + + + + +
+ +
+
+ Actions
+ The Actions filter exists in both dashboards. In the Audit Trail Users dashboard, the Actions dropdown contains all available values for actions performed by users. In the Audit Trail Objects dashboard, the Actions dropdown includes three values: Create, Update, and Delete. These values cover all CUD (Create, Update, Delete) actions related to specific objects. +
+ + +
+ + +
+ +
+
+ Types
+ The Types filter is an element of the Audit Trail Objects dashboard. It lists the types of modified objects. Possible values include: dashboard (for views and dashboards), prebuilt_panel, user, saved_search, etc. +
+ +
+ + +
+ +
+
+ Context
+ The Context filter is element of the Audit Trail Users dashboard. For each action, one attribute is chosen that best represents the context of that action. The best context value for the search action is the value of the 'provenance' attribute. For modifications of objects (such as views, users, saved searches, mapping groups, etc.), the best context value is the object's name. +
+ +
+ + +
+ +
+
+ + SPL conditions + +
+ The SPL conditions filter is element of both dashboards and in both dashboards it works in the same way. Using this input, the Auditor can provide a spl condition, which will be inserted into data retrieving query, changing data displayed in the dashboard. E.g "user = foo" +
+ +
+
+ + + +

+

+ +
+
+ + + + + + + + + +
\ No newline at end of file
diff --git a/apps/audit_trail/default/data/ui/views/knowledge_objects_audit.xml b/apps/audit_trail/default/data/ui/views/knowledge_objects_audit.xml
new file mode 100755
index 00000000..10189410
--- /dev/null
+++ b/apps/audit_trail/default/data/ui/views/knowledge_objects_audit.xml
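Review bot: Placeholder content survived into the shipped home view audit_trail_home.xml: the two link labels under "Users activities dashboard" still read `Button 1` and `Button 2`, and both screenshots carry the alt text `Large Image`. Replace the labels with the dashboard names and give each image alt text that describes it, e.g. `Screenshot of the Users activities dashboard`. The markup is stripped in this rendering, so I cannot tell whether those placeholder links point at the real views. A few sentences also need a grammar pass: `improve auditors experience` should read `improve the auditor's experience`, and both `The Context filter is element of` and `The SPL conditions filter is element of` should read `is an element of`.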
@@ -0,0 +1,1041 @@ + + + + Users and Knowledge Objects creations / updates / deletions. + table | seriesByName(\"action\") | formatByType(actionColumnFormatEditorConfig)", + "rowColors": "> table | seriesByName(\"action\") | matchValue(actionRowColorsEditorConfig)", + "width": 100 + }, + "time": { + "width": 250 + }, + "user": { + "width": 150 + }, + "name": { + "width": 300 + }, + "event": { + "width": 1150 + } + }, + "fontSize": "large" + } + }, + "viz_jJX71ybc": { + "type": "splunk.pie", + "dataSources": { + "primary": "ds_eKo8k29O_ds_WY4obnmU" + }, + "eventHandlers": [ + { + "type": "drilldown.setToken", + "options": { + "tokens": [ + { + "token": "ms_user_names", + "key": "row.user.value" + } + ] + } + } + ], + "title": "User(s)", + "showProgressBar": true, + "containerOptions": {}, + "showLastUpdated": false, + "cornerRadius": [ + 5, + 5, + 0, + 0 + ], + "options": { + "seriesColors": [ + "#FF677B", + "#FFA476", + "#DD9900", + "#99B100", + "#008C80", + "#0051B5", + "#7B56DB", + "#009CEB", + "#00CDAF", + "#CB2196", + "#813193", + "#FF6ACE", + "#AE8CFF", + "#00689D", + "#00490A", + "#465D00", + "#9D6300", + "#F6540B", + "#FF969E", + "#E47BFE" + ] + } + }, + "viz_caAWiK8D": { + "type": "splunk.pie", + "options": { + "seriesColors": [ + "#FF677B", + "#FFA476", + "#DD9900", + "#99B100", + "#008C80", + "#0051B5", + "#7B56DB", + "#009CEB", + "#00CDAF", + "#CB2196", + "#813193", + "#FF6ACE", + "#AE8CFF", + "#00689D", + "#00490A", + "#465D00", + "#9D6300", + "#F6540B", + "#FF969E", + "#E47BFE" + ] + }, + "dataSources": { + "primary": "ds_uplRMfgR_ds_OOnwhUDc" + }, + "eventHandlers": [ + { + "type": "drilldown.setToken", + "options": { + "tokens": [ + { + "token": "ms_app_names", + "key": "row.appname.value" + } + ] + } + } + ], + "title": "App(s)", + "showProgressBar": true, + "containerOptions": {}, + "showLastUpdated": false, + "cornerRadius": [ + 5, + 5, + 0, + 0 + ] + }, + "viz_FTCFDEzH": { + "type": "splunk.pie", + "dataSources": { + "primary": 
"ds_EkqGpKKc_ds_34ljSSqf_ds_WY4obnmU" + }, + "eventHandlers": [ + { + "type": "drilldown.setToken", + "options": { + "tokens": [ + { + "token": "ms_host_names", + "key": "row.host.value" + } + ] + } + } + ], + "title": "Host(s)", + "showProgressBar": true, + "containerOptions": {}, + "showLastUpdated": false, + "cornerRadius": [ + 5, + 5, + 0, + 0 + ], + "options": { + "seriesColors": [ + "#FF677B", + "#FFA476", + "#DD9900", + "#99B100", + "#008C80", + "#0051B5", + "#7B56DB", + "#009CEB", + "#00CDAF", + "#CB2196", + "#813193", + "#FF6ACE", + "#AE8CFF", + "#00689D", + "#00490A", + "#465D00", + "#9D6300", + "#F6540B", + "#FF969E", + "#E47BFE" + ] + } + }, + "viz_VC5BEx25": { + "type": "splunk.table", + "options": { + "drilldown": "cell", + "showInternalFields": false, + "columnFormat": { + "name": { + "width": 700 + } + } + }, + "dataSources": { + "primary": "ds_wVOevxkK_ds_AXgjIFgY" + }, + "eventHandlers": [ + { + "type": "drilldown.setToken", + "options": { + "tokens": [ + { + "token": "ms_object_names", + "key": "row.name.value" + } + ] + } + } + ], + "title": "", + "showProgressBar": true, + "cornerRadius": [ + 0, + 5, + 5, + 0 + ] + }, + "viz_hC1y1jIc": { + "type": "splunk.table", + "dataSources": { + "primary": "ds_slbguYLS_ds_EkqGpKKc_ds_34ljSSqf_ds_WY4obnmU" + }, + "eventHandlers": [ + { + "type": "drilldown.setToken", + "options": { + "tokens": [ + { + "token": "ms_host_names", + "key": "row.host.value" + } + ] + } + } + ], + "title": "", + "showProgressBar": true, + "containerOptions": {}, + "showLastUpdated": false, + "cornerRadius": [ + 0, + 0, + 5, + 5 + ], + "options": { + "count": 3, + "columnFormat": { + "count": { + "width": 30 + } + } + } + }, + "viz_aILjq6jc": { + "type": "splunk.pie", + "dataSources": { + "primary": "ds_2bG53cci_ds_EkqGpKKc_ds_34ljSSqf_ds_WY4obnmU" + }, + "eventHandlers": [ + { + "type": "drilldown.setToken", + "options": { + "tokens": [ + { + "token": "ms_object_types", + "key": "row.object_type.value" + } + ] + } + } + ], + 
"title": "Type(s)", + "showProgressBar": true, + "containerOptions": {}, + "showLastUpdated": false, + "cornerRadius": [ + 5, + 5, + 0, + 0 + ], + "options": { + "seriesColors": [ + "#FF677B", + "#FFA476", + "#DD9900", + "#99B100", + "#008C80", + "#0051B5", + "#7B56DB", + "#009CEB", + "#00CDAF", + "#CB2196", + "#813193", + "#FF6ACE", + "#AE8CFF", + "#00689D", + "#00490A", + "#465D00", + "#9D6300", + "#F6540B", + "#FF969E", + "#E47BFE" + ] + } + }, + "viz_u0J839pR": { + "type": "splunk.table", + "dataSources": { + "primary": "ds_SG2pKPV7_ds_slbguYLS_ds_EkqGpKKc_ds_34ljSSqf_ds_WY4obnmU" + }, + "eventHandlers": [ + { + "type": "drilldown.setToken", + "options": { + "tokens": [ + { + "token": "ms_object_types", + "key": "row.object_type.value" + } + ] + } + } + ], + "title": "", + "showProgressBar": true, + "containerOptions": {}, + "showLastUpdated": false, + "cornerRadius": [ + 0, + 0, + 5, + 5 + ], + "options": { + "count": 3, + "columnFormat": { + "count": { + "width": 30 + } + } + } + } + }, + "inputs": { + "input_n59hT3WT": { + "type": "input.text", + "options": { + "token": "text_token", + "defaultValue": "*" + }, + "title": "SPL condition(s)" + }, + "input_T7BIJ7Pm": { + "options": { + "items": [ + { + "label": "Create", + "value": "create" + }, + { + "label": "Update", + "value": "update" + }, + { + "label": "Delete", + "value": "delete" + } + ], + "token": "ms_actions", + "defaultValue": [ + "create", + "update", + "delete" + ] + }, + "title": "Action(s)", + "type": "input.multiselect", + "dataSources": {} + }, + "input_0m4aAr88": { + "options": { + "items": ">frame(label, value) | prepend(formattedStatics) | objects()", + "defaultValue": [ + "*" + ], + "token": "ms_object_types" + }, + "title": "Type(s)", + "type": "input.multiselect", + "dataSources": { + "primary": "ds_sxu2HJOI" + }, + "context": { + "formattedConfig": { + "number": { + "prefix": "" + } + }, + "formattedStatics": ">statics | formatByType(formattedConfig)", + "statics": [ + [ + "Any" + ], + 
[ + "*" + ] + ], + "label": ">primary | seriesByName(\"object_type\") | renameSeries(\"label\") | formatByType(formattedConfig)", + "value": ">primary | seriesByName(\"object_type\") | renameSeries(\"value\") | formatByType(formattedConfig)" + } + }, + "input_8cPLfS0W": { + "options": { + "items": ">frame(label, value) | prepend(formattedStatics) | objects()", + "defaultValue": [ + "*" + ], + "token": "ms_object_names" + }, + "title": "Name(s)", + "type": "input.multiselect", + "dataSources": { + "primary": "ds_4IlbgBew" + }, + "context": { + "formattedConfig": { + "number": { + "prefix": "" + } + }, + "formattedStatics": ">statics | formatByType(formattedConfig)", + "statics": [ + [ + "Any" + ], + [ + "*" + ] + ], + "label": ">primary | seriesByName(\"name\") | renameSeries(\"label\") | formatByType(formattedConfig)", + "value": ">primary | seriesByName(\"name\") | renameSeries(\"value\") | formatByType(formattedConfig)" + } + }, + "input_V8goUdiM": { + "options": { + "items": ">frame(label, value) | prepend(formattedStatics) | objects()", + "defaultValue": [ + "*" + ], + "token": "ms_user_names" + }, + "title": "User(s)", + "type": "input.multiselect", + "dataSources": { + "primary": "ds_sxu2HJOI" + }, + "context": { + "formattedConfig": { + "number": { + "prefix": "" + } + }, + "formattedStatics": ">statics | formatByType(formattedConfig)", + "statics": [ + [ + "Any" + ], + [ + "*" + ] + ], + "label": ">primary | seriesByName(\"user\") | renameSeries(\"label\") | formatByType(formattedConfig)", + "value": ">primary | seriesByName(\"user\") | renameSeries(\"value\") | formatByType(formattedConfig)" + } + }, + "input_PYpDbVm3": { + "options": { + "items": ">frame(label, value) | prepend(formattedStatics) | objects()", + "defaultValue": [ + "*" + ], + "token": "ms_app_names" + }, + "title": "App(s)", + "type": "input.multiselect", + "dataSources": { + "primary": "ds_sxu2HJOI" + }, + "context": { + "formattedConfig": { + "number": { + "prefix": "" + } + }, + 
"formattedStatics": ">statics | formatByType(formattedConfig)", + "statics": [ + [ + "Any" + ], + [ + "*" + ] + ], + "label": ">primary | seriesByName(\"appname\") | renameSeries(\"label\") | formatByType(formattedConfig)", + "value": ">primary | seriesByName(\"appname\") | renameSeries(\"value\") | formatByType(formattedConfig)" + } + }, + "input_yLyZgaC5": { + "options": { + "items": ">frame(label, value) | prepend(formattedStatics) | objects()", + "defaultValue": [ + "*" + ], + "token": "ms_host_names" + }, + "title": "Host(s)", + "type": "input.multiselect", + "dataSources": { + "primary": "ds_sxu2HJOI" + }, + "context": { + "formattedConfig": { + "number": { + "prefix": "" + } + }, + "formattedStatics": ">statics | formatByType(formattedConfig)", + "statics": [ + [ + "Any" + ], + [ + "*" + ] + ], + "label": ">primary | seriesByName(\"host\") | renameSeries(\"label\") | formatByType(formattedConfig)", + "value": ">primary | seriesByName(\"host\") | renameSeries(\"value\") | formatByType(formattedConfig)" + } + }, + "input_WAwuApNh": { + "type": "input.timerange", + "options": { + "token": "time", + "defaultValue": "-7d@h,now" + }, + "title": "Time range" + } + }, + "title": "Audit Trail Dashboard / Objects Modifications", + "description": "Users and Knowledge Objects creations / updates / deletions.", + "defaults": { + "dataSources": { + "ds.search": { + "options": { + "queryParameters": {} + } + } + } + }, + "layout": { + "tabs": { + "items": [ + { + "layoutId": "layout_1", + "label": "Overview" + }, + { + "layoutId": "layout_TLv2IQya", + "label": "Activity log" + } + ] + }, + "layoutDefinitions": { + "layout_1": { + "type": "absolute", + "options": { + "height": 3000, + "width": 2000, + "display": "fit-to-width", + "backgroundColor": "transparent" + }, + "structure": [ + { + "item": "viz_FTCFDEzH", + "type": "block", + "position": { + "x": 1000, + "y": 290, + "w": 490, + "h": 300 + } + }, + { + "item": "viz_4gLfdNAZ", + "type": "block", + "position": { + "x": 
0, + "y": 830, + "w": 1070, + "h": 500 + } + }, + { + "item": "viz_ojU9o0Oe", + "type": "block", + "position": { + "x": 0, + "y": 10, + "w": 1990, + "h": 260 + } + }, + { + "item": "viz_jJX71ybc", + "type": "block", + "position": { + "x": 0, + "y": 290, + "w": 490, + "h": 300 + } + }, + { + "item": "viz_WvdnTwBR", + "type": "block", + "position": { + "x": 0, + "y": 610, + "w": 490, + "h": 200 + } + }, + { + "item": "viz_caAWiK8D", + "type": "block", + "position": { + "x": 500, + "y": 290, + "w": 490, + "h": 300 + } + }, + { + "item": "viz_FZih8hXD", + "type": "block", + "position": { + "x": 500, + "y": 610, + "w": 490, + "h": 200 + } + }, + { + "item": "viz_VC5BEx25", + "type": "block", + "position": { + "x": 1070, + "y": 830, + "w": 920, + "h": 500 + } + }, + { + "item": "viz_hC1y1jIc", + "type": "block", + "position": { + "x": 1000, + "y": 610, + "w": 490, + "h": 200 + } + }, + { + "item": "viz_aILjq6jc", + "type": "block", + "position": { + "x": 1500, + "y": 290, + "w": 490, + "h": 300 + } + }, + { + "item": "viz_u0J839pR", + "type": "block", + "position": { + "x": 1500, + "y": 610, + "w": 490, + "h": 200 + } + } + ] + }, + "layout_TLv2IQya": { + "type": "grid", + "structure": [ + { + "item": "viz_6FMhU41W", + "type": "block", + "position": { + "x": 0, + "y": 0, + "w": 1200, + "h": 770 + } + } + ] + } + }, + "globalInputs": [ + "input_n59hT3WT", + "input_0m4aAr88", + "input_8cPLfS0W", + "input_V8goUdiM", + "input_PYpDbVm3", + "input_yLyZgaC5", + "input_T7BIJ7Pm", + "input_WAwuApNh" + ], + "options": { + "submitButton": true, + "submitOnDashboardLoad": true + } + } +} + ]]> + + \ No newline at end of file diff --git a/apps/audit_trail/default/savedsearches.conf b/apps/audit_trail/default/savedsearches.conf new file mode 100755 index 00000000..20a6cb73 --- /dev/null +++ b/apps/audit_trail/default/savedsearches.conf 
@@ -0,0 +1,94 @@
+# Version 10.0.2
+
+# main query used in audit trail for users activities app
+[audit_trail_users_query]
+disabled=0
+dispatch.earliest_time = -24h@h
+dispatch.latest_time = now
+search = ```filter out capability checks, internal users and quota checks``` \
+ index=_audit NOT info IN (denied, granted, "denied *", "granted *") NOT cap=1 NOT action=quota user IN ($ss_user_names$) host IN ($ss_host_names$) $ss_text$ \
+ ```Filter out audit v2 logs```\
+ | search sourcetype="audittrail"\
+ | rex field=_raw "user=(?[a-zA-Z0-9/\s_\.-]*)," \
+ | rex field=_raw "action=(?[a-zA-Z0-9_\s]*)," \
+ ```calculate user_action to get rid of spaces``` \
+ | eval user_action=lower(replace(auditrep_action, "\s", "_")) \
+ ```filter out internal or unknown users, preserve specific actions``` \
+ | eval auditrep_user=IF(auditrep_user == "n/a" AND user_action IN ("splunkstarting", "splunkshuttingdown"), "unknown", auditrep_user) \
+ | search NOT auditrep_user IN ("n/a", internal_observability, splunk-system-user, internal_automation, soar_proxy_user, soar_automation_user) \
+ ```filter out SCS events``` \
+ | spath input=info path=generated_by output=scs_generated_by | where isnull(scs_generated_by) \
+ ```filter out internal automated non-human actions``` \
+ | search NOT user_action IN (validate_token, get_password, alert_fired, list_scs_token) \
+ ```calculate useragent_prefix for login_attempt actions``` \
+ | eval normalized_useragent=IF(user_action=="login_attempt" AND (isnull(useragent) OR useragent=""), "unknown", useragent) \
+ | eval useragent_prefix=IF(user_action=="login_attempt", mvindex(split(mvindex(split(normalized_useragent,"/"),0), " "), 0), "n/a") \
+ ```filter out cancelled searches, searches ran by scheduler and subsearches``` \
+ | eval skip="0" \
+ | eval skip=IF(user_action=="search" AND (info=="cancel" OR info=="canceled" OR provenance="scheduler" OR search_id like "'subsearch_%"), "1", skip) \
+ ```| eval skip=IF(user_action=="login_attempt" AND useragent_prefix != "Mozilla", "1", skip) ``` \
+ | search skip="0" \
+ ```calculate extended user_action - ex_user_action``` \
+ | rex field=user_action "(?[a-zA-Z]+)_(?[a-zA-Z_]*)" \
+ | eval ex_user_action=user_action \
+ | eval object_name=name \
+ | eval object_name=IF(object_type=="saved_search", savedsearch_name, object_name) \
+ | eval object_name=IF(object_type=="token", tokenId, object_name) \
+ | eval object_name=IF(object_type=="user", IF(isnull(username), user, username), object_name) \
+ | eval object_name=IF(object_type=="app", IF( NOT isnull(app_name), app_name, IF(NOT isnull(app), app, object_name)), object_name) \
+ | eval object_name=IF(object_type=="saml_group_map", group, object_name) \
+ | eval object_name=IF(object_type=="datamodel", IF(isnull(object_name), displayName, object_name), object_name) \
+ | eval object_name=IF(object_type=="password", password_id, object_name) \
+ | eval ex_user_action=IF(object_action IN ("edit", "create", "new", "remove", "delete", "update", "updated", "disable", "enable", "move", "install") AND NOT isnull(object_name) AND NOT lower(provenance)=="n/a", ex_user_action."@".object_name, ex_user_action) \
+ | eval ex_user_action=IF(user_action like "login_attempt%" OR user_action like "logout%" , ex_user_action."@".user, ex_user_action) \
+ ```search is treated a little differently``` \
+ | eval object_name=IF(user_action=="search", IF(NOT isnull(provenance) AND NOT provenance=="N/A", provenance, \
+ IF(NOT isnull(savedsearch_name) AND savedsearch_name != "", savedsearch_name, "noname_search")), object_name) \
+ | eval ex_user_action=IF(user_action=="search", "search@".object_name, ex_user_action) \
+ ```Preserve original event body``` \
+ | eval orig_body=_raw \
+ | eval object_name=IF(isnull(object_name), "n/a", object_name) \
+ | eval host=IF(isnull(host), "n/a", host) \
+ | eval app=IF(isnull(app), "n/a", app) \
+ | eval useragent=IF(isnull(useragent_prefix), "n/a", useragent_prefix) \
+ | eval user=auditrep_user \
+ | stats count by _time, user, user_action, ex_user_action, app, object_name, host, useragent, info, orig_body \
+
+# main query used in audit trail knowledge objects app
+[audit_trail_knowledge_objects_query]
+action.email.useNSSubject = 1
+action.webhook.enable_allowlist = 0
+dispatch.earliest_time = -7d@h
+dispatch.latest_time = now
+display.general.type = statistics
+display.page.search.tab = statistics
+display.visualizations.show = 0
+request.ui_dispatch_app = audit_trail
+request.ui_dispatch_view = search
+search = ```Firstly filter out capability checks and non CRUD, non knowledge objects audit logs```\
+ index=_audit | where isnull(cap) AND NOT info IN ("granted", "denied") | search action IN ("create_*", "update_*", "updated_*", "edit_*", "remove_*", "delete_*", "disable_*", "new_*", "move_*", "enable_*", "acl_*") | search action IN ("*_user", "*_saved_search", "*_data_model_file", "*_event_type", "*_tag", "*_fields_*", "*_lookup_table", "*_ui_view*", "*_ui_panel", "*_macro", "*_command")\
+ ```Filter out audit v2 logs```\
+ | search sourcetype="audittrail"\
+ ```Extract object type and action```\
+ | rex action="(?[a-zA-Z]+)_(?[a-zA-Z_]*),"\
+ ```Extract application name```\
+ | rex field=info "app=\"(?.*)\"" \
+ | eval appnametmp=IF(!isnull(apptmp),apptmp,IF(isnull(app),"-missing-",app) )\
+ | rex field=appnametmp "'(?.*)'" \
+ | eval appname=IF(!isnull(apptmp2),apptmp2,appnametmp) \
+ ```Unify object name```\
+ | eval name=IF(object_type="user",username,name) \
+ | eval name=IF(object_type="saved_search",savedsearch_name,name)\
+ | eval name=IF(!isnull(name),name,"-missing-")\
+ ```Tags may have mnulti values: {[0]='tag_1' [1]='tag_2'}- split it to separate events```\
+ | eval tagnames=split(replace(name, "\\[[0-9]*\\]=",""), "' '") | mvexpand tagnames | eval name=ltrim(rtrim(tagnames,"'}"),"{'")\
+ ```Extract host name from fqdn```\
+ | eval host=mvindex(split(host,"."),0)\
+ ```Finally rename object type and actions to user friendly ones```\
+ | lookup object_types_normalization ORIG_OBJECT_TYPE AS object_type OUTPUT DEST_OBJECT_TYPE AS object_type\
+ | lookup action_types_normalization ORIG_ACTION AS object_action OUTPUT DEST_ACTION AS object_action\
+ ```Preserve original event body```\
+ | eval orig_body=_raw\
+ ```Apply filtering in the base search to avoid 'unknown sid' issue```\
+ ```| where "text_token$"="-" OR orig_body like "%text_token$%"``` \
+ | stats count by _time, user, action, name, appname, host, info, object_type, object_action, orig_body
diff --git a/apps/audit_trail/default/transforms.conf b/apps/audit_trail/default/transforms.conf
new file mode 100755
index 00000000..417d0f73
--- /dev/null
+++ b/apps/audit_trail/default/transforms.conf
@@ -0,0 +1,5 @@
+[action_types_normalization]
+filename = action_types.csv
+
+[object_types_normalization]
+filename = object_types.csv
diff --git a/apps/audit_trail/default/ui-tour.conf b/apps/audit_trail/default/ui-tour.conf
new file mode 100755
index 00000000..a71c12f3
--- /dev/null
+++ b/apps/audit_trail/default/ui-tour.conf
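Review bot: In `[audit_trail_users_query]` the tokens `$ss_user_names$`, `$ss_host_names$` and `$ss_text$` are substituted verbatim into the base search, and `$ss_text$` in particular sits unquoted at the end of the first search clause, so whatever the dashboard forwards from its free-text input is interpreted as SPL syntax rather than as a literal term; if a plain keyword filter is intended, constrain or quote the value where the dashboard sets the token and state the expected shape in a comment above `search =`. `action.webhook.enable_allowlist = 0` on `[audit_trail_knowledge_objects_query]` presumably disables the webhook URL allowlist for a search that defines no webhook action, so it should be removed rather than left to take effect if an action is added later. `| rex action="(?[a-zA-Z]+)_(?[a-zA-Z_]*),"` does not follow the `rex field=<name> "<regex>"` form used on every other `rex` in the file, and the capture groups render here without names, so confirm the committed line really targets the field it should and that the two groups carry the `object_action`/`object_type` names the `lookup` steps below consume. Both stanzas also apply `| search sourcetype="audittrail"` as a pipeline step after `index=_audit`; moving `sourcetype=audittrail` into that first clause lets the indexers do the filtering instead of the search head.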
@@ -0,0 +1,63 @@
+# Version 20250117
+#
+# This file contains the tours available for Splunk Onboarding
+#
+# To update tours, copy the configuration block into
+# ui-tour.conf in $SPLUNK_HOME/etc/system/local/. Restart the Splunk software to
+# see the changes.
+#
+# To learn more about configuration files (including precedence) see the
+# documentation located at
+# http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
+#
+
+# Image Tour
+[activities_per_user_audit-tour]
+type = image
+context = audit_trail
+imageName1 = filters_tour_section.png
+imageCaption1 = The Filters section allows you to select the data you want to analyze. Your selections impact the data displayed below in the presentation section and also affect the values available in dropdowns. Remember to use the 'Submit' button after selecting the appropriate values.
+imageName2 = tabs_tour_section.png
+imageCaption2 = Below filters section there is a data presentation part. It starts with tabs section, which allows to switch between different presentation sections.
+imageName3 = overview_tour_section.png
+imageCaption3 = The Overview tab provides an analytical presentation of data related to audited actions performed by human users across the Splunk ecosystem. It is useful for a general review of trends and anomaly detection.
+imageName4 = activities_table_tour_section.png
+imageCaption4 = The Activity Log tab provides more detailed data useful for investigations of specific anomalies and incidents. The source of the data is _audit index.
+imgPath = /tours/activities_per_user_audit
+doneText = Go to Dashboard
+doneURL = app/audit_trail/activities_per_user_audit
+
+
+[knowledge_objects_audit-tour]
+tourPage = knowledge_objects_audit
+intro=Objects Modifications Dashboard Tour
+type = image
+imageName1 = filters_tour_section.png
+imageCaption1 = The Filters section allows you to select the data you want to analyze. Your selections impact the data displayed below in the presentation section and also affect the values available in dropdowns. Remember to use the 'Submit' button after selecting the appropriate values.
+imageName2 = tabs_tour_section.png
+imageCaption2 = Below filters section there is a data presentation part. It starts with tabs section, which allows to switch between different presentation sections.
+imageName3 = overview_tour_section.png
+imageCaption3 = The Overview tab provides an analytical presentation of data related to audited changes in the state of Splunk’s knowledge objects, such as create, delete, and update actions. It is useful for a general review of trends and anomaly detection.
+imageName4 = activity_table_tour_section.png
+imageCaption4 = The Activity Log tab provides more detailed data useful for investigations of specific anomalies and incidents. The source of the data is _audit index.
+imgPath = /tours/knowledge_objects_audit
+context = audit_trail
+doneText = Go to Dashboard
+doneURL = app/audit_trail/knowledge_objects_audit
+
+
+
+# Interactive Tour
+#[test-interactive-tour]
+#type = interactive
+#tourPage = reports
+#urlData = data=foo&moredata=bar
+#label = Interactive Tour Test
+#stepText1 = Welcome to this test tour
+#stepText2 = This is the first step in the tour
+#stepElement2 = .test-selector
+#stepText3 = This is the second step in the tour
+#stepElement3 = .test-selector
+#stepClickEvent3 = mousedown
+#stepClickElement3 = .test-click-element
+#forceTour = 1
\ No newline at end of file
diff --git a/apps/audit_trail/local/savedsearches.conf b/apps/audit_trail/local/savedsearches.conf
new file mode 100755
index 00000000..bbf66da0
--- /dev/null
+++ b/apps/audit_trail/local/savedsearches.conf
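Review bot: `[activities_per_user_audit-tour]` sets neither `tourPage` nor `intro`, while `[knowledge_objects_audit-tour]` has `tourPage = knowledge_objects_audit` and `intro=Objects Modifications Dashboard Tour`, so the two tours are presumably not bound to their dashboards the same way; if they are meant to behave alike, add `tourPage = activities_per_user_audit` and an `intro` line to the first stanza. The fourth image name also differs between the stanzas, `activities_table_tour_section.png` versus `activity_table_tour_section.png`, which reads like a typo unless both files really exist under the respective `imgPath`. The shared `imageCaption2` is hard to read; `Below the Filters section is the data presentation area. It starts with a tab bar that switches between the presentation sections.` says the same thing more clearly.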
@@ -0,0 +1,29 @@
+[audit_trail_knowledge_objects_query]
+alert.track = 0
+search = ```Firstly filter out capability checks and non CRUD, non knowledge objects audit logs```\
+ index=_audit ```| where isnull(cap) AND NOT info IN ("granted", "denied")``` | search action IN ("create_*", "update_*", "updated_*", "edit_*", "remove_*", "delete_*", "disable_*", "new_*", "move_*", "enable_*", "acl_*") | search action IN ("*_user", "*_saved_search", "*_data_model_file", "*_event_type", "*_tag", "*_fields_*", "*_lookup_table", "*_ui_view*", "*_ui_panel", "*_macro", "*_command")\
+ ```Filter out audit v2 logs```\
+ | search sourcetype="audittrail"\
+ ```Extract object type and action```\
+ | rex action="(?[a-zA-Z]+)_(?[a-zA-Z_]*),"\
+ ```Extract application name```\
+ | rex field=info "app=\"(?.*)\"" \
+ | eval appnametmp=IF(!isnull(apptmp),apptmp,IF(isnull(app),"-missing-",app) )\
+ | rex field=appnametmp "'(?.*)'" \
+ | eval appname=IF(!isnull(apptmp2),apptmp2,appnametmp) \
+ ```Unify object name```\
+ | eval name=IF(object_type="user",username,name) \
+ | eval name=IF(object_type="saved_search",savedsearch_name,name)\
+ | eval name=IF(!isnull(name),name,"-missing-")\
+ ```Tags may have mnulti values: {[0]='tag_1' [1]='tag_2'}- split it to separate events```\
+ | eval tagnames=split(replace(name, "\\[[0-9]*\\]=",""), "' '") | mvexpand tagnames | eval name=ltrim(rtrim(tagnames,"'}"),"{'")\
+ ```Extract host name from fqdn```\
+ | eval host=mvindex(split(host,"."),0)\
+ ```Finally rename object type and actions to user friendly ones```\
+ | lookup object_types_normalization ORIG_OBJECT_TYPE AS object_type OUTPUT DEST_OBJECT_TYPE AS object_type\
+ | lookup action_types_normalization ORIG_ACTION AS object_action OUTPUT DEST_ACTION AS object_action\
+ ```Preserve original event body```\
+ | eval orig_body=_raw\
+ ```Apply filtering in the base search to avoid 'unknown sid' issue```\
+ ```| where "text_token$"="-" OR orig_body like "%text_token$%"``` \
+ | stats count by _time, user, action, name, appname, host, info, object_type, object_action, orig_body
diff --git a/apps/audit_trail/lookups/action_types.csv b/apps/audit_trail/lookups/action_types.csv
new file mode 100755
index 00000000..9c3f22b0
--- /dev/null
+++ b/apps/audit_trail/lookups/action_types.csv
@@ -0,0 +1,12 @@
+"DEST_ACTION","ORIG_ACTION"
+create,create
+update,update
+update,updated
+update,edit
+delete,remove
+delete,delete
+update,disable
+update,enable
+create,new
+update,move
+update,acl
\ No newline at end of file
diff --git a/apps/audit_trail/lookups/object_types.csv b/apps/audit_trail/lookups/object_types.csv
new file mode 100755
index 00000000..7b84ec76
--- /dev/null
+++ b/apps/audit_trail/lookups/object_types.csv
@@ -0,0 +1,19 @@
+"DEST_OBJECT_TYPE","ORIG_OBJECT_TYPE"
+"automatic_lookup","fields_lookup"
+"calculated_field","fields_calc"
+dashboard,"ui_view"
+"data_model_definition","data_model_file"
+"event_type","event_type"
+"field_alias","fields_alias"
+"field_extraction","fields_extract"
+"field_transformation","fields_transform"
+"fileds_workflow_action","fields_workflow_action"
+"lookup_table_file","lookup_table"
+"navigation_menu","ui_view_collection"
+"prebuilt_panel","ui_panel"
+"saved_search","saved_search"
+"search_command",command
+"search_macro",macro
+"source_type_rename","fields_srctype_rename"
+tag,tag
+user,user
diff --git a/apps/audit_trail/metadata/default.meta b/apps/audit_trail/metadata/default.meta
new file mode 100755
index 00000000..77628da5
--- /dev/null
+++ b/apps/audit_trail/metadata/default.meta
@@ -0,0 +1,12 @@
+# Application-level permissions
+[]
+
+access = read : [ admin ], write : [ admin ]
+[savedsearches]
+access = read : [ admin ], write : [ admin ]
+owner = admin
+[views/audit_trail_home_simple_xml]
+access = read : [*], write : [nobody]
+[]
+access = read : [admin], write : [admin]
+export = none
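Review bot: `local/savedsearches.conf` and `metadata/local.meta` are deployment-local overrides and should not be committed with the app; worse, this local copy of `[audit_trail_knowledge_objects_query]` comments out the `| where isnull(cap) AND NOT info IN ("granted", "denied")` step right after `index=_audit`, so on every install that ships the file the stanza's own comment `Firstly filter out capability checks` no longer holds and capability-check events flow into the knowledge-objects dashboard. Decide which behaviour is intended, put it in `default/savedsearches.conf`, and delete the `local/` file together with `local.meta`, whose `version`/`modtime` entries are editor state rather than configuration. Keeping two near-identical copies of a 25-line search also guarantees that the next fix lands in only one of them.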
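Review bot: `"fileds_workflow_action","fields_workflow_action"` misspells the destination label; `DEST_OBJECT_TYPE` overwrites `object_type` in the knowledge-objects search and is presumably what the dashboard's Type(s) filter shows, so the row should read `"field_workflow_action","fields_workflow_action"`, matching the `field_alias`/`field_extraction`/`field_transformation` naming of the neighbouring rows. Quoting is also mixed (`dashboard,"ui_view"`, `"search_command",command`, `tag,tag`); quoting every cell keeps the lookup uniform and easier to diff.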
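Review bot: The app-level `[]` stanza appears twice, first with `access = read : [ admin ], write : [ admin ]` and again at the end with `access = read : [admin], write : [admin]` plus `export = none`; merge them into a single `[]` stanza so the effective permissions can be read without reasoning about stanza merging. `[views/audit_trail_home_simple_xml]` grants `read : [*]` while the app and its saved searches are admin-only, so any role can presumably open the home view while the searches it links to stay inaccessible to non-admins; confirm that is intended or align it with `read : [ admin ]`. `owner = admin` is set only under `[savedsearches]`; if the whole app is meant to be owned by `admin`, stating it once in the `[]` stanza is more consistent.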
diff --git a/apps/audit_trail/metadata/local.meta b/apps/audit_trail/metadata/local.meta
new file mode 100755
index 00000000..a3bee173
--- /dev/null
+++ b/apps/audit_trail/metadata/local.meta
@@ -0,0 +1,3 @@
+[savedsearches/audit_trail_knowledge_objects_query]
+version = 10.0.0
+modtime = 1762252923.267079000
diff --git a/apps/audit_trail/static/appIcon.png b/apps/audit_trail/static/appIcon.png
new file mode 100755
index 00000000..3aa3e2f3
Binary files /dev/null and b/apps/audit_trail/static/appIcon.png differ
diff --git a/apps/audit_trail/static/appIconAlt.png b/apps/audit_trail/static/appIconAlt.png
new file mode 100755
index 00000000..3aa3e2f3
Binary files /dev/null and b/apps/audit_trail/static/appIconAlt.png differ
diff --git a/apps/audit_trail/static/appIconAlt_2x.png b/apps/audit_trail/static/appIconAlt_2x.png
new file mode 100755
index 00000000..693cacf3
Binary files /dev/null and b/apps/audit_trail/static/appIconAlt_2x.png differ
diff --git a/apps/audit_trail/static/appIcon_2x.png b/apps/audit_trail/static/appIcon_2x.png
new file mode 100755
index 00000000..693cacf3
Binary files /dev/null and b/apps/audit_trail/static/appIcon_2x.png differ