[Total Events, Last 1 Hour]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.general.timeRangePicker.show = 0
display.general.type = visualizations
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.chart = bar
display.visualizations.type = singlevalue
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search` earliest=-1h | stats count

[Total Events, Last 1 Minute]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -1m@m
dispatch.latest_time = now
display.general.timeRangePicker.show = 0
display.general.type = visualizations
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.chart = bar
display.visualizations.type = singlevalue
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search` earliest=-1m | stats count

[Total Events, Last 1 day]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -1m@m
dispatch.latest_time = now
display.general.timeRangePicker.show = 0
display.general.type = visualizations
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.chart = bar
display.visualizations.type = singlevalue
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search` earliest=-1d | stats count

[Top 20 Host Names, Last 24 Hours]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.general.type = visualizations
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.chart = bar
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search` | top limit=20 "header.hostname"

[Total Events Bar Chart Time Picker]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
display.general.type = visualizations
display.page.search.mode = fast
display.page.search.tab = visualizations
display.statistics.show = 0
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search` | timechart count

[Total Events Last 7 Days Bar Chart]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -7d@h
dispatch.latest_time = now
display.general.timeRangePicker.show = 0
display.general.type = visualizations
display.page.search.mode = fast
display.page.search.tab = visualizations
display.statistics.show = 0
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search` earliest=-7d@d |timechart count

[Total Events Trend, Last 7 Days]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -1m@m
dispatch.latest_time = now
display.general.timeRangePicker.show = 0
display.general.type = visualizations
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.chart = bar
display.visualizations.type = singlevalue
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search` earliest=-8d@d latest=-1d@d |timechart count

[Number of Events by HostName]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.general.timeRangePicker.show = 0
display.general.type = visualizations
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.chart = pie
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search` | rename header.hostname as HostName | stats count by HostName

[Sandfly by Hostname]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart = line
display.visualizations.show = 0
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search` | rename header.hostname as HostName | stats values(data.name) as Sandfly count by HostName

[Timechart by Hostname (1 Week)]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.general.timeRangePicker.show = 0
display.general.type = visualizations
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.chart = line
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search` | rename header.hostname as HostName | timechart span=1w count by HostName

[Sandfly Alarms by Status]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.general.type = visualizations
display.page.search.tab = visualizations
display.statistics.show = 0
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search` | stats count by data.status

[Sandfly Alarms by Raw Size]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -7d@w0
dispatch.latest_time = @w0
display.events.fields = ["host","source","sourcetype","data.name","header.hostname","data.status"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search`\
| eval raw_length=len(_raw)\
| search raw_length > 9999\
| stats count by raw_length\
| sort - raw_length

[Total Events Last 7 Days Pie Chart]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -7d@h
dispatch.latest_time = now
display.general.timeRangePicker.show = 0
display.general.type = visualizations
display.page.search.mode = fast
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.chart = pie
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search` earliest=-7d@d |timechart count

[Template Process Search SHA1 Hash]
action.email.useNSSubject = 1
alert.track = 0
description = Template to search for a current or past running process with matching binary SHA1 hash.
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","data.name","header.hostname","data.status"]
display.visualizations.charting.chart = pie
display.visualizations.show = 0
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search` data.results.process.hash.sha1="SHA1_HASH_TO_SEARCH_HERE"

[Template Process Search Name]
action.email.useNSSubject = 1
alert.track = 0
description = Template to search for a current or past running process with matching process name.
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","data.name","header.hostname","data.status"]
display.visualizations.charting.chart = pie
display.visualizations.show = 0
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search` data.results.process.name="PROCESS_NAME_HERE"

[Template User Search Username]
action.email.useNSSubject = 1
alert.track = 0
description = Template to search for a current or past username found in the remote system /etc/passwd listing.
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","data.name","header.hostname","data.status"]
display.visualizations.charting.chart = pie
display.visualizations.show = 0
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search` data.results.user.username="USERNAME_HERE"

[Operating Systems Identification Data]
action.email.useNSSubject = 1
alert.track = 0
description = Retrieves all OS Identify Sandfly data for all hosts. Contains extensive remote Linux operating system information each time Sandfly scans a host.
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","data.name","header.hostname","data.status"]
display.visualizations.charting.chart = pie
display.visualizations.show = 0
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search` data.name="os_identify"

[Operating System CPU Bugs]
action.email.useNSSubject = 1
alert.track = 0
description = Lists all hardware CPU bugs reported by the operating system.
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.events.fields = ["source","sourcetype","data.name","data.results.process.name","data.results.log.lastlog.username","data.results.log.lastlog.hostname","data.results.log.btmp.hostname","header.hostname","data.results.log.btmp.username","data.results.log.wtmp.hostname","data.results.log.wtmp.username","data.results.os.hardware.cpu.bugs{}"]
display.visualizations.show = 0
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = index="*" sourcetype="sandfly:alarms" data.name="os_identify" "data.results.os.hardware.cpu.bugs{}"="*"

[SSH Keys - Hosts with Immutable authorized_keys File]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = @d
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","sandfly_server","event_type","index"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart = pie
display.visualizations.show = 0
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_alarms` data.engine="sandfly_engine_user" data.name="user_ssh_authorized_keys_immutable" data.status="alert"\
| dedup header.hostname\
| table header.hostname data.name data.status data.results.explanation
workload_pool = undefined

[SSH Keys - User Names Associated with SSH Key]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -4h@m
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","sandfly_server","event_type","index"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart = pie
display.visualizations.show = 0
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_alarms` data.results.user.ssh.authorized_keys.present="true" \
| spath output=aaa_keys path=data.results.user.ssh.authorized_keys.data{}.key \
| mvexpand aaa_keys \
| eval aaa_keys_count = mvcount(aaa_keys) \
| eval aaa_keys_len = len(aaa_keys) \
| where aaa_keys_len > 0 \
| fields aaa_keys header.hostname data.results.user.username \
| rename aaa_keys as ssh_key, header.hostname as host_name, data.results.user.username as user_name \
| dedup ssh_key, user_name, host_name\
| stats values(user_name) as "User Names" by ssh_key\
| rename ssh_key as "SSH Key"\
| table "User Names" "SSH Key"

[SSH Keys - Number of Hosts with SSH Key]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","sandfly_server","event_type","index"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart = pie
display.visualizations.show = 0
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_alarms` data.results.user.ssh.authorized_keys.present="true"\
| spath output=aaa_keys path=data.results.user.ssh.authorized_keys.data{}.key\
| mvexpand aaa_keys\
| eval aaa_keys_len=len(aaa_keys)\
| search aaa_keys_len > 0\
| dedup header.hostname aaa_keys\
| stats count by aaa_keys

[SSH Keys - authorized_keys File Last Accessed]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","sandfly_server","event_type","index"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart = pie
display.visualizations.show = 0
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_alarms` data.results.user.ssh.authorized_keys.present="true" \
| rename data.results.user.ssh.authorized_keys.file{}.date.accessed_minutes as aaa_date_accessed_minutes \
| rename data.results.user.ssh.authorized_keys.file{}.date.accessed as aaa_date_accessed \
| eval temp_duration1 = tostring(aaa_date_accessed_minutes*60, "duration") \
| eval aaa_accessed_duration=replace(temp_duration1,"(\d*)\+*(\d+):(\d+):(\d+)","\1 days \2 hours \3 minutes \4 secs") \
| rename data.results.user.ssh.authorized_keys.file{}.date.created_minutes as aaa_date_created_minutes \
| rename data.results.user.ssh.authorized_keys.file{}.date.created as aaa_date_created \
| eval temp_duration2 = tostring(aaa_date_created_minutes*60, "duration") \
| eval aaa_created_duration=replace(temp_duration2,"(\d*)\+*(\d+):(\d+):(\d+)","\1 days \2 hours \3 minutes \4 secs") \
| rename data.results.user.ssh.authorized_keys.file{}.date.modified_minutes as aaa_date_modified_minutes \
| rename data.results.user.ssh.authorized_keys.file{}.date.modified as aaa_date_modified \
| eval temp_duration3 = tostring(aaa_date_modified_minutes*60, "duration") \
| eval aaa_modified_duration=replace(temp_duration3,"(\d*)\+*(\d+):(\d+):(\d+)","\1 days \2 hours \3 minutes \4 secs") \
| rename header.hostname as host_name \
| rename data.results.user.username as user_name \
| dedup host_name user_name \
| table host_name user_name aaa_accessed_duration aaa_modified_duration aaa_created_duration\
| sort aaa_date_accessed_minutes\
| rename host_name as "Host Name", user_name as "User Name", aaa_accessed_duration as "Last Accessed", aaa_modified_duration as "Last Modified", aaa_created_duration as "Created"

[SSH Keys - authorized_keys File Created Today]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = @d
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","sandfly_server","event_type","index"]
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
display.visualizations.charting.chart = pie
display.visualizations.show = 0
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_alarms` data.results.user.ssh.authorized_keys.present="true" \
| rename data.results.user.ssh.authorized_keys.file{}.date.created as aaa_date_created \
| rename data.results.user.ssh.authorized_keys.file{}.path as aaa_file_path\
| rename header.hostname as host_name \
| rename data.results.user.username as user_name \
| dedup host_name user_name\
| eval aaa_date_created_epoch = strptime(aaa_date_created, "%Y-%m-%dT%H:%M:%SZ")\
| where aaa_date_created_epoch >= relative_time(now(), "@d")\
| table host_name user_name aaa_date_created aaa_file_path\
| rename host_name as "Host Name", user_name as "User Name", aaa_date_created as "Date Created", aaa_file_path as "File Path"

[SSH Keys - authorized_keys File Modified Today]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = @d
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","sandfly_server","event_type","index"]
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
display.visualizations.charting.chart = pie
display.visualizations.show = 0
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_alarms` data.results.user.ssh.authorized_keys.present="true" \
| rename data.results.user.ssh.authorized_keys.file{}.date.modified as aaa_date_modified \
| rename data.results.user.ssh.authorized_keys.file{}.path as aaa_file_path\
| rename header.hostname as host_name \
| rename data.results.user.username as user_name \
| dedup host_name user_name\
| eval aaa_date_modified_epoch = strptime(aaa_date_modified, "%Y-%m-%dT%H:%M:%SZ")\
| where aaa_date_modified_epoch >= relative_time(now(), "@d")\
| table host_name user_name aaa_date_modified aaa_file_path\
| rename host_name as "Host Name", user_name as "User Name", aaa_date_modified as "Date Modified", aaa_file_path as "File Path"

[Host with Immutable authorized_keys File]
action.email.inline = 1
action.email.sendcsv = 1
action.email.sendresults = 1
action.email.to = ssnapp@gmail.com
action.email.useNSSubject = 1
alert.severity = 4
alert.suppress = 0
alert.track = 1
counttype = number of events
cron_schedule = 0 * * * *
dispatch.earliest_time = -1h
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","sandfly_server","event_type","index"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart = pie
display.visualizations.show = 0
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_alarms` data.engine="sandfly_engine_user" data.name="user_ssh_authorized_keys_immutable" data.status="alert"\
| dedup header.hostname\
| table header.hostname data.name data.status data.results.explanation
workload_pool = undefined

[SSH Keys - authorized_keys File Accessed Today]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = @d
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","sandfly_server","event_type","index"]
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
display.visualizations.charting.chart = pie
display.visualizations.show = 0
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_alarms` data.results.user.ssh.authorized_keys.present="true" \
| rename data.results.user.ssh.authorized_keys.file{}.date.accessed as aaa_date_accessed \
| rename data.results.user.ssh.authorized_keys.file{}.path as aaa_file_path\
| rename header.hostname as host_name \
| rename data.results.user.username as user_name \
| dedup host_name user_name\
| eval aaa_date_accessed_epoch = strptime(aaa_date_accessed, "%Y-%m-%dT%H:%M:%SZ")\
| where aaa_date_accessed_epoch >= relative_time(now(), "@d")\
| table aaa_date_accessed host_name user_name aaa_file_path\
| rename aaa_date_accessed as "Date Accessed", host_name as "Host Name", user_name as "User Name", aaa_file_path as "File Path"

[SSH Keys - authorized_keys File Created Last 7 Days]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = @d
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","sandfly_server","event_type","index"]
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
display.visualizations.charting.chart = pie
display.visualizations.show = 0
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_alarms` data.results.user.ssh.authorized_keys.present="true" \
| rename data.results.user.ssh.authorized_keys.file{}.date.created as aaa_date_created \
| rename data.results.user.ssh.authorized_keys.file{}.path as aaa_file_path\
| rename header.hostname as host_name \
| rename data.results.user.username as user_name \
| dedup host_name user_name\
| eval aaa_date_created_epoch = strptime(aaa_date_created, "%Y-%m-%dT%H:%M:%SZ")\
| where aaa_date_created_epoch >= relative_time(now(), "-7d@d")\
| table aaa_date_created host_name user_name aaa_file_path\
| rename aaa_date_created as "Date Created", host_name as "Host Name", user_name as "User Name", aaa_file_path as "File Path"

[SSH Keys - authorized_keys File Created Last 24 Hours]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = @d
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","sandfly_server","event_type","index"]
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
display.visualizations.charting.chart = pie
display.visualizations.show = 0
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_alarms` data.results.user.ssh.authorized_keys.present="true" \
| rename data.results.user.ssh.authorized_keys.file{}.date.created as aaa_date_created \
| rename data.results.user.ssh.authorized_keys.file{}.path as aaa_file_path\
| rename header.hostname as host_name \
| rename data.results.user.username as user_name \
| dedup host_name user_name\
| eval aaa_date_created_epoch = strptime(aaa_date_created, "%Y-%m-%dT%H:%M:%SZ")\
| where aaa_date_created_epoch >= relative_time(now(), "-24h")\
| table aaa_date_created host_name user_name aaa_file_path\
| rename aaa_date_created as "Date Created", host_name as "Host Name", user_name as "User Name", aaa_file_path as "File Path"

[SSH Keys - authorized_keys File Created Last 48 Hours]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = @d
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","sandfly_server","event_type","index"]
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
display.visualizations.charting.chart = pie
display.visualizations.show = 0
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_alarms` data.results.user.ssh.authorized_keys.present="true" \
| rename data.results.user.ssh.authorized_keys.file{}.date.created as aaa_date_created \
| rename data.results.user.ssh.authorized_keys.file{}.path as aaa_file_path\
| rename header.hostname as host_name \
| rename data.results.user.username as user_name \
| dedup host_name user_name\
| eval aaa_date_created_epoch = strptime(aaa_date_created, "%Y-%m-%dT%H:%M:%SZ")\
| where aaa_date_created_epoch >= relative_time(now(), "-48h")\
| table aaa_date_created host_name user_name aaa_file_path\
| rename aaa_date_created as "Date Created", host_name as "Host Name", user_name as "User Name", aaa_file_path as "File Path"

[SSH Keys - authorized_keys File Created Last 72 Hours]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = @d
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","sandfly_server","event_type","index"]
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
display.visualizations.charting.chart = pie
display.visualizations.show = 0
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_alarms` data.results.user.ssh.authorized_keys.present="true" \
| rename data.results.user.ssh.authorized_keys.file{}.date.created as aaa_date_created \
| rename data.results.user.ssh.authorized_keys.file{}.path as aaa_file_path\
| rename header.hostname as host_name \
| rename data.results.user.username as user_name \
| dedup host_name user_name\
| eval aaa_date_created_epoch = strptime(aaa_date_created, "%Y-%m-%dT%H:%M:%SZ")\
| where aaa_date_created_epoch >= relative_time(now(), "-72h")\
| table aaa_date_created host_name user_name aaa_file_path\
| rename aaa_date_created as "Date Created", host_name as "Host Name", user_name as "User Name", aaa_file_path as "File Path"

[SSH Hunter - Keys Last Seen Report]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","sandfly_server","event_type","index"]
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
display.visualizations.charting.chart = pie
display.visualizations.show = 0
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_sshkeys` event_type=ssh_key_details\
| dedup ssh_key_details.friendly_name \
| rename ssh_key_details.last_seen as date_last_seen \
| eval last_seen_epoch = strptime(date_last_seen, "%Y-%m-%dT%H:%M:%S%Z") \
| eval local_last_seen = strftime(last_seen_epoch, "%Y-%m-%dT%H:%M:%S") \
| eval time_diff = ceiling(now() - last_seen_epoch)\
| eval temp_duration = tostring(time_diff, "duration") \
| eval key_last_seen=replace(temp_duration,"(\d*)\+*(\d+):(\d+):(\d+)","\1 days \2 hours \3 minutes \4 secs") \
| table ssh_key_details.friendly_name date_last_seen local_last_seen key_last_seen\
| rename ssh_key_details.friendly_name as "Friendly Name"\
| rename date_last_seen as "Date Last Seen (UTC)"\
| rename local_last_seen as "Date Last Seen (Local Time)"\
| rename key_last_seen as "Key Last Seen"

[Sandfly Hosts to Asset Lookup]
action.lookup = 1
action.lookup.filename = sandfly_assets.csv
alert.severity = 1
alert.suppress = 0
alert.track = 1
counttype = number of events
cron_schedule = 30 * * * *
dispatch.earliest_time = -1h
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","sandfly_server"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.show = 0
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_hosts` event_type=host_summary\
| dedup "host_summary.host_id" \
| spath output=aaa_tags path=host_summary.tags{} \
| spath output=aaa_active path=host_summary.active \
| eval asset_ip='host_summary.last_seen_ip_addr' \
| eval asset_mac="" \
| eval asset_nt_host="" \
| eval asset_dns="" \
| eval asset_owner="" \
| eval asset_priority="unknown" \
| eval asset_lat="" \
| eval asest_long="" \
| eval asset_city="" \
| eval asset_country="" \
| eval assset_bunit="" \
| eval asset_category=mvjoin(aaa_tags,"|") \
| eval asset_pci_domain="untrust" \
| eval asset_is_expected=if(aaa_active == "true", "true", "") \
| eval asset_should_timesync="" \
| eval asset_should_update="" \
| eval asset_requires_av="" \
| eval asset_cim_entity_zone="" \
| table asset_* \
| rename asset_* as *

[Sandfly Hosts to Hosts Lookup]
action.lookup = 1
action.lookup.filename = sandfly_hosts.csv
alert.severity = 1
alert.suppress = 0
alert.track = 1
counttype = number of events
cron_schedule = 15 * * * *
dispatch.earliest_time = -1h
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","sandfly_server"]
display.general.type = statistics
display.page.search.tab = statistics
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_hosts` event_type=host_summary\
| dedup "host_summary.host_id" \
| table host_summary.* \
| rename host_summary.* as *

[SSH Hunter - Keys First Seen Today]
alert.severity = 4
alert.suppress = 0
alert.track = 1
counttype = number of events
cron_schedule = 15 * * * *
dispatch.earliest_time = -1h
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","sandfly_server","event_type","index"]
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
display.visualizations.charting.chart = pie
display.visualizations.type = singlevalue
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_ssh_hunter` event_type=ssh_key_details \
| dedup ssh_key_details.friendly_name \
| eval first_seen_epoch = strptime('ssh_key_details.first_seen', "%Y-%m-%dT%H:%M:%S%Z") \
| where first_seen_epoch >= relative_time(now(), "@d") \
| table ssh_key_details.friendly_name ssh_key_details.first_seen ssh_key_details.hash.sha512

[SSH Hunter - Keys First Seen This Week]
alert.severity = 4
alert.suppress = 0
alert.track = 1
counttype = number of events
cron_schedule = 0 19 * * 0
dispatch.earliest_time = -1w
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","sandfly_server","event_type","index"]
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
display.visualizations.charting.chart = pie
display.visualizations.type = singlevalue
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_ssh_hunter` event_type=ssh_key_details \
| dedup ssh_key_details.friendly_name \
| eval first_seen_epoch = strptime('ssh_key_details.first_seen', "%Y-%m-%dT%H:%M:%S%Z") \
| where first_seen_epoch >= relative_time(now(), "-7d@d") \
| table ssh_key_details.friendly_name ssh_key_details.first_seen ssh_key_details.hash.sha512

[Count of Sandflies]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart = pie
display.visualizations.show = 0
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search` | lookup sandflies.csv sandfly_name as data.name OUTPUT sandfly_name | stats count by sandfly_name | sort - count

[Events by Host with Description]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart = pie
display.visualizations.show = 0
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search` | dedup timestamp, header.hostname | lookup sandflies.csv sandfly_name as data.name | table timestamp header.hostname header.ip_addr sandfly_description

[Top 10 Sandflies over Time Range]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
display.statistics.show = 0
display.visualizations.charting.chart = bar
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search` \
| dedup timestamp, header.hostname \
| lookup sandflies.csv sandfly_name as data.name \
| top limit=10 sandfly_title

[Sandflies to Lookup File]
action.lookup = 1
action.lookup.filename = sandflies.csv
action.webhook.enable_allowlist = 0
alert.suppress = 0
alert.track = 1
counttype = number of events
cron_schedule = 15 * * * *
dispatch.earliest_time = -1h
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","sandfly_server","event_type","index"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart = pie
display.visualizations.type = singlevalue
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_sandflies`\
| dedup sandfly_info.name\
| eval sandfly_temp = upper('sandfly_info.name')\
| eval sandfly_title = replace(sandfly_temp, "_", " ")\
| table sandfly_info.active sandfly_info.description sandfly_info.name sandfly_title sandfly_info.type\
| rename sandfly_info.active as sandfly_active\
| rename sandfly_info.description as "sandfly_description"\
| rename sandfly_info.name as "sandfly_name"\
| rename sandfly_info.type as "sandfly_type"

[Sandfly TA Internal Errors]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.visualizations.show = 0
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = index=_internal source="*ta_sandfly_security*" "*:log_error:*"

[Sandfly TA Internal Logs]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.visualizations.show = 0
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = index=_internal source="*ta_sandfly_security*"

[Audit Log Authentication Events]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -7d@h
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_audit` audit_log.message="*login*" OR audit_log.message="*SAML*"\
| stats count by audit_log.message

[Scanning Error Log Alert]
action.webhook.enable_allowlist = 0
alert.digest_mode = 0
alert.expires = 7d
alert.severity = 4
alert.suppress = 0
alert.track = 1
counttype = number of events
cron_schedule = 30 * * * *
dispatch.earliest_time = -1h
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_errors`\
| rex field=error_log.error_msg "(?<t_error_tag>[^:]*)" \
| rex field=error_log.error_msg "[^:]:\s(?<t_error_data>.*)" \
| eval TimeStamp=strftime(_time,"%x %r") \
| sort - _time \
| table TimeStamp t_error_tag error_log.hostname error_log.ip_addr error_log.queue_name t_error_data \
| rename t_error_tag as ErrorType \
| rename error_log.hostname as HostName \
| rename error_log.ip_addr as IP_Address \
| rename error_log.queue_name as QueueName \
| rename t_error_data as ErrorData

[Username root UID But Not Root]
action.webhook.enable_allowlist = 0
alert.track = 0
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
request.ui_dispatch_view = search
search = `sandfly_search_alarms` data.results.user.uid=0 AND data.results.user.username != "root"

[Logins by Username]
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -30d@d
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.show = 0
search = `sandfly_search_alarms` data.name="recon_log_list_lastlog"\
| table _time data.results.log.lastlog.username data.results.log.lastlog.uid data.results.log.lastlog.terminal data.results.log.lastlog.hostname\
| rename data.results.log.lastlog.* as *

[Usernames with SSH Authorized Keys Present]
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -7d@h
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.show = 0
search = `sandfly_search_alarms` data.name="recon_user_list_all" data.results.user.ssh.authorized_keys.present=true\
| table _time header.hostname header.ip_addr data.results.user.username data.results.user.ssh.authorized_keys.present\
| rename header.* as *\
| rename data.results.user.* as *

[Usernames with Password Hash Present]
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -7d@h
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.show = 0
search = `sandfly_search_alarms` data.name="recon_user_list_all" data.results.user.password.present=true \
| table _time header.hostname header.ip_addr data.results.user.username data.results.user.password.present\
| rename header.* as *\
| rename data.results.user.* as *

[Usernames with Blank Password Fields]
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -7d@h
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.show = 0
search = `sandfly_search_alarms` data.name="recon_user_list_all" data.results.user.password.empty=true\
| table _time header.hostname header.ip_addr data.results.user.username data.results.user.password.empty\
| rename header.* as *\
| rename data.results.user.* as *

[Usernames Valid Logins From Hostname]
action.webhook.enable_allowlist = 0
alert.track = 0
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.page.search.tab = visualizations
search = `sandfly_search_alarms` data.name="recon_log_list_logins_valid"\
| stats count by data.results.log.wtmp.hostname

[Usernames Valid Logins by Username]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -7d@h
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.general.type = visualizations
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.chart = pie
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_alarms` data.name="recon_log_list_logins_valid"\
| stats count by data.results.log.wtmp.username

[Usernames Valid Logins Against Hostname]
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -7d@h
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.general.type = visualizations
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.chart = pie
request.ui_dispatch_view = search
search = `sandfly_search_alarms` data.name="recon_log_list_logins_valid"\
| stats count by header.hostname
workload_pool = undefined

[Usernames Present on Host]
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -7d@h
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.page.search.tab = visualizations
search = `sandfly_search_alarms` data.name="recon_user_list_all"\
| stats count by data.results.user.username

[Usernames Bad Logins From Hostname]
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -7d@h
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.page.search.tab = visualizations
search = `sandfly_search_alarms` data.name="recon_log_list_logins_failed"\
| stats count by data.results.log.btmp.hostname

[Usernames Bad Logins By Username]
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -7d@h
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.page.search.tab = visualizations
search = `sandfly_search_alarms` data.name="recon_log_list_logins_failed"\
| stats count by data.results.log.btmp.username

[Usernames Bad Logins Against Hostname]
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -7d@h
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.page.search.tab = visualizations
search = `sandfly_search_alarms` data.name="recon_log_list_logins_failed"\
| stats count by header.hostname

[Username Password Hash Types]
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -7d@h
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.general.type = visualizations
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.chart = pie
request.ui_dispatch_view = search
search = `sandfly_search_alarms` data.name="recon_user_list_all" data.results.user.password.present=true\
| stats count by data.results.user.password.type
workload_pool = undefined

[Username Login Shells In Use]
action.webhook.enable_allowlist = 0
alert.track = 0
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.page.search.tab = visualizations
search = `sandfly_search_alarms` data.name="recon_user_list_all"\
| stats count by data.results.user.shell

[Username Logged In]
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.general.type = visualizations
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.chart = pie
request.ui_dispatch_view = search
search = `sandfly_search_alarms` data.name="recon_log_list_logged_in_users"\
| stats count by data.results.log.utmp.username

[User Successful Logins Over Time]
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.general.type = visualizations
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.chart = area
request.ui_dispatch_view = search
search = `sandfly_search_alarms` data.name="recon_log_list_logins_valid"\
| eval _time=strptime('data.results.log.wtmp.date.created',"%Y-%m-%dT%H:%M:%SZ")\
| timechart count span=1d
workload_pool = undefined

[User Failed Logins Over Time]
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.general.type = visualizations
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.chart = area
request.ui_dispatch_view = search
search = `sandfly_search_alarms` data.name="recon_log_list_logins_failed"\
| eval _time=strptime('data.results.log.btmp.date.created',"%Y-%m-%dT%H:%M:%SZ")\
| timechart count span=1d

[Processes With Network Ports Operating]
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.general.type = visualizations
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.chart = pie
request.ui_dispatch_view = search
search = `sandfly_search_alarms` data.name="recon_process_list_all" data.results.process.network_ports.operating=true\
| stats count by data.results.process.name

[Processes With Network Ports Listening]
action.webhook.enable_allowlist = 0
alert.track = 0
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.general.type = visualizations
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.chart = pie
request.ui_dispatch_view = search
search = `sandfly_search_alarms` data.name="recon_process_list_all" data.results.process.network_ports.listening=true\
| stats count by data.results.process.name
workload_pool = undefined

[Operating System Uptime in Days]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_alarms` data.name="os_identify"\
| table _time header.hostname header.ip_addr data.results.os.info.uptime_days data.results.os.info.os_release.pretty_name\
| rename header.* as *\
| rename data.results.os.info.* as *

[Operating System Product Name]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.general.type = visualizations
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.chart = pie
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_alarms` data.name="os_identify"\
| stats count by data.results.os.hardware.dmi.product_name

[Operating System Machine Type]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.general.type = visualizations
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.chart = pie
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_alarms` data.name="os_identify"\
| stats count by data.results.os.info.machine

[Operating System Linux Version]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.general.type = visualizations
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.chart = pie
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_alarms` data.name="os_identify"\
| stats count by data.results.os.info.version

[Operating System Linux Kernel Release Version]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.general.type = visualizations
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.chart = pie
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_alarms` data.name="os_identify"\
| stats count by data.results.os.info.release

[Operating System CPU Model Name]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.general.type = visualizations
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.chart = pie
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_alarms` data.name="os_identify"\
| stats count by data.results.os.hardware.cpu.model_name

[Operating System CPU Architecture]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.general.type = visualizations
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.chart = pie
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_alarms` data.name="os_identify"\
| stats count by data.results.os.info.arch

[Operating System Bogo MIPS Rating]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.general.type = visualizations
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.chart = pie
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_alarms` data.name="os_identify"\
| stats count by data.results.os.hardware.cpu.bogo_mips

[Operating System BIOS Version]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.general.type = visualizations
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.chart = pie
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_alarms` data.name="os_identify"\
| stats count by data.results.os.hardware.dmi.bios_version

[Operating System BIOS Vendor]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.general.type = visualizations
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.chart = pie
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_alarms` data.name="os_identify"\
| stats count by data.results.os.hardware.dmi.bios_vendor

[At Jobs by Username]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.general.type = visualizations
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.chart = pie
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_alarms` data.name="recon_process_persistence_at_jobs_list_all"\
| stats count by data.results.atjob.username

[Crontabs by Username]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.general.type = visualizations
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.chart = pie
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_alarms` data.name="recon_process_persistence_cron_list_all"\
| stats count by data.results.cron.username

[Intrusion Detection Immutable Process Binary Running]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_alarms` data.name="recon_process_list_all" data.results.process.flags.immutable=true\
| table _time header.hostname data.results.process.username data.results.process.command\
| rename header.* as *\
| rename data.results.* as *

[Intrusion Detection High Entropy Process]
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_view = search
search = `sandfly_search_alarms` data.name="recon_process_list_all" data.results.process.entropy>=7.5\
| table _time header.hostname data.results.process.username data.results.process.command data.results.process.entropy\
| rename header.* as *\
| rename data.results.* as *

[Intrusion Detection Process Running As Sniffer]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -7d@h
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_alarms` data.name="recon_process_list_all"\
| search data.results.process.file_descriptors{}.class="*packet*"\
| table _time header.hostname data.results.process.username data.results.process.command\
| rename header.* as *\
| rename data.results.* as *

[Intrusion Detection Process Running From /dev/shm]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -7d@h
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_alarms` data.name="recon_process_list_all"\
| search data.results.process.path="/dev/shm*"\
| table _time header.hostname data.results.process.username data.results.process.command data.results.process.path\
| rename header.* as *\
| rename data.results.* as *

[Intrusion Detection Process Running from Public HTML Directory]
action.webhook.enable_allowlist = 0
alert.track = 0
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.show = 0
search = `sandfly_search_alarms` data.name="recon_process_list_all"\
| search data.results.process.path="*public_html*"\
| table _time header.hostname data.results.process.username data.results.process.command data.results.process.path\
| rename header.* as *\
| rename data.results.* as *

[Intrusion Detection Process Running From Temp Directory]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -7d@h
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_alarms` data.name="recon_process_list_all"\
| search data.results.process.path="/tmp/*" OR data.results.process.path="/var/tmp/*"\
| table _time header.hostname data.results.process.username data.results.process.command data.results.process.path\
| rename header.* as *\
| rename data.results.* as *

[SSH Hunter - Banned Keys Details]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","event_type","eventtype"]
display.visualizations.show = 0
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_sshkeys` event_type=ssh_key_details \
| dedup ssh_key_details.friendly_name \
| spath output=aaa_key_tags path=ssh_key_details.key_tags{} \
| eval aaa_is_banned_key = if(isnull(mvfind(aaa_key_tags, "^Banned$")), 0, 1) \
| search aaa_is_banned_key=1

[SSH Hunter - Banned Keys Report]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","event_type","eventtype"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_sshkeys` event_type=ssh_key_details \
| dedup ssh_key_details.friendly_name \
| spath output=aaa_key_tags path=ssh_key_details.key_tags{} \
| eval aaa_is_banned_key = if(isnull(mvfind(aaa_key_tags, "^Banned$")), 0, 1) \
| search aaa_is_banned_key=1 \
| eval aaa_key_tags_list=mvjoin(aaa_key_tags,", ") \
| rename ssh_key_details.last_seen as date_last_seen \
| eval last_seen_epoch = strptime(date_last_seen, "%Y-%m-%dT%H:%M:%S%Z") \
| eval local_last_seen = strftime(last_seen_epoch, "%Y-%m-%dT%H:%M:%S") \
| eval time_diff = ceiling(now() - last_seen_epoch) \
| eval temp_duration = tostring(time_diff, "duration") \
| eval key_last_seen=replace(temp_duration,"(\d*)\+*(\d+):(\d+):(\d+)","\1 days \2 hours \3 minutes \4 secs") \
| table ssh_key_details.friendly_name date_last_seen local_last_seen key_last_seen ssh_key_details.num_hosts_current ssh_key_details.num_users_current aaa_key_tags_list\
| rename ssh_key_details.friendly_name as "Friendly Name" \
| rename date_last_seen as "Date Last Seen (UTC)" \
| rename local_last_seen as "Date Last Seen (Local Time)" \
| rename key_last_seen as "Key Last Seen"\
| rename ssh_key_details.num_hosts_current as "Hosts"\
| rename ssh_key_details.num_users_current as "Users"\
| rename aaa_key_tags_list as "Key Tags"

[SSH Hunter - Banned Keys by Host Report]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","event_type","eventtype"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_sshkeys` event_type=ssh_key_details \
| dedup ssh_key_details.friendly_name \
| spath output=aaa_key_tags path=ssh_key_details.key_tags{} \
| eval aaa_is_banned_key = if(isnull(mvfind(aaa_key_tags, "^Banned$")), 0, 1) \
| search aaa_is_banned_key=1 \
| search ssh_key_details.num_hosts_current>0 \
| spath output=aaa_key_hosts path=ssh_key_details.key_hosts{} \
| mvexpand aaa_key_hosts \
| eval t_key_friendly_name='ssh_key_details.friendly_name'\
| fields - ssh_key_details.*\
| spath input=aaa_key_hosts \
| eval last_seen_epoch = strptime(key_last_seen, "%Y-%m-%dT%H:%M:%S%Z") \
| eval local_last_seen = strftime(last_seen_epoch, "%Y-%m-%dT%H:%M:%S") \
| eval time_diff = ceiling(now() - last_seen_epoch) \
| eval temp_duration = tostring(time_diff, "duration") \
| eval t_key_last_seen=replace(temp_duration,"(\d*)\+*(\d+):(\d+):(\d+)","\1 days \2 hours \3 minutes \4 secs") \
| table t_key_friendly_name node_name os_info_os_release_pretty_name users_with_key key_last_seen local_last_seen t_key_last_seen \
| rename t_key_friendly_name as "Friendly Name" \
| rename node_name as "Host Name"\
| rename os_info_os_release_pretty_name as "OS Release"\
| rename users_with_key as "Users"\
| rename key_last_seen as "Date Last Seen (UTC)" \
| rename local_last_seen as "Date Last Seen (Local Time)" \
| rename t_key_last_seen as "Key Last Seen"

[SSH Hunter - Banned Keys by User Report]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","event_type","eventtype"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_sshkeys` event_type=ssh_key_details \
| dedup ssh_key_details.friendly_name \
| spath output=aaa_key_tags path=ssh_key_details.key_tags{} \
| eval aaa_is_banned_key = if(isnull(mvfind(aaa_key_tags, "^Banned$")), 0, 1) \
| search aaa_is_banned_key=1 \
| search ssh_key_details.num_users_current>0 \
| spath output=aaa_key_users path=ssh_key_details.key_users{} \
| mvexpand aaa_key_users \
| eval t_key_friendly_name='ssh_key_details.friendly_name'\
| fields - ssh_key_details.*\
| spath input=aaa_key_users\
| eval last_seen_epoch = strptime(key_last_seen, "%Y-%m-%dT%H:%M:%S%Z") \
| eval local_last_seen = strftime(last_seen_epoch, "%Y-%m-%dT%H:%M:%S") \
| eval time_diff = ceiling(now() - last_seen_epoch) \
| eval temp_duration = tostring(time_diff, "duration") \
| eval t_key_last_seen=replace(temp_duration,"(\d*)\+*(\d+):(\d+):(\d+)","\1 days \2 hours \3 minutes \4 secs") \
| table t_key_friendly_name username hosts_with_key key_last_seen local_last_seen t_key_last_seen \
| rename t_key_friendly_name as "Friendly Name" \
| rename username as "User Name"\
| rename hosts_with_key as "Hosts"\
| rename key_last_seen as "Date Last Seen (UTC)" \
| rename local_last_seen as "Date Last Seen (Local Time)" \
| rename t_key_last_seen as "Key Last Seen"

[SSH Hunter - Banned Keys by Zone Report]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","event_type","eventtype"]
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_sshkeys` event_type=ssh_key_details \
| dedup ssh_key_details.friendly_name \
| spath output=aaa_key_tags path=ssh_key_details.key_tags{} \
| eval aaa_is_banned_key = if(isnull(mvfind(aaa_key_tags, "^Banned$")), 0, 1) \
| search aaa_is_banned_key=1 \
| spath output=aaa_key_zones path=ssh_key_details.key_zones{} \
| mvexpand aaa_key_zones \
| eval aaa_key_zones_len = len(aaa_key_zones) \
| where aaa_key_zones_len>0 \
| eval t_key_friendly_name='ssh_key_details.friendly_name' \
| fields - ssh_key_details.* \
| spath input=aaa_key_zones \
| table t_key_friendly_name name description hosts_count key_permitted permitted_keys_count violation_host_count \
| rename t_key_friendly_name as "Friendly Name" \
| rename name as "Zone"\
| rename description as "Description"\
| rename hosts_count as "Zone Hosts"\
| rename key_permitted as "Key Permitted"\
| rename permitted_keys_count as "Permitted Keys"\
| rename violation_host_count as "Violation Hosts"

[SSH Hunter - Banned Keys Daily Report]
action.webhook.enable_allowlist = 0
alert.expires = 7d
alert.severity = 1
alert.suppress = 0
alert.track = 1
counttype = number of events
cron_schedule = 0 6 * * *
dispatch.earliest_time = -1d
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","event_type","eventtype"]
display.general.type = statistics
display.page.search.tab = statistics
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_sshkeys` event_type=ssh_key_details \
| dedup ssh_key_details.friendly_name \
| spath output=aaa_key_tags path=ssh_key_details.key_tags{} \
| eval aaa_is_banned_key = if(isnull(mvfind(aaa_key_tags, "^Banned$")), 0, 1) \
| search aaa_is_banned_key=1 \
| eval aaa_key_tags_list=mvjoin(aaa_key_tags,", ") \
| table ssh_key_details.friendly_name ssh_key_details.last_seen ssh_key_details.num_hosts_current ssh_key_details.num_hosts_with_alerts ssh_key_details.zone_violation_hosts ssh_key_details.num_users_current ssh_key_details.permitted_zones_count aaa_key_tags_list\
| rename ssh_key_details.friendly_name as "Friendly Name" \
| rename ssh_key_details.last_seen as "Date Last Seen (UTC)" \
| rename ssh_key_details.num_hosts_current as "Hosts (Current)"\
| rename ssh_key_details.num_hosts_with_alerts as "Hosts with Alerts"\
| rename ssh_key_details.zone_violation_hosts as "Zone Violations"\
| rename ssh_key_details.num_users_current as "Users (Current)"\
| rename ssh_key_details.permitted_zones_count as "Permitted Zones"\
| rename aaa_key_tags_list as "Key Tags"

[Inactive Hosts Report]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","index","data.engine","data.name","eventtype","sandfly_status","data.status","data.status_msg","sandfly_status_msg","event_type","log_mode"]
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_hosts_summary` host_summary.active="false" \
| dedup "host_summary.host_id" \
| eval date_last_scan='host_summary.date_last_scan' \
| eval date_last_scan=if(isnull(date_last_scan) OR len(date_last_scan)==0 OR date_last_scan=="null", "N/A", date_last_scan) \
| table host_summary.hostname host_summary.os_info_os_release_pretty_name host_summary.active host_summary.tags{} host_summary.jump_hosts{} host_summary.authentication_status host_summary.credentials_id date_last_scan\
| rename host_summary.hostname as "Target Address" \
| rename host_summary.os_info_os_release_pretty_name as "OS" \
| rename host_summary.active as "Active" \
| rename host_summary.tags{} as "Tags" \
| rename host_summary.jump_hosts{} as "Jump Hosts" \
| rename host_summary.authentication_status as "Auth Status" \
| rename host_summary.credentials_id as "Credential"\
| rename date_last_scan as "Last Scan"

[Active Hosts Report by Last Scan Date]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_hosts_summary` host_summary.active="true"\
| dedup "host_summary.host_id" \
| rename host_summary.date_last_scan as date_last_scan\
| eval last_scan_epoch = strptime(date_last_scan, "%Y-%m-%dT%H:%M:%S%Z") \
| eval time_diff = ceiling(now() - last_scan_epoch) \
| eval temp_duration = tostring(time_diff, "duration") \
| eval host_last_scan=replace(temp_duration,"(\d*)\+*(\d+):(\d+):(\d+)","\1 days \2 hours \3 minutes") \
| table host_summary.hostname host_summary.last_seen_ip_addr host_summary.os_info_node host_summary.os_info_os_release_pretty_name date_last_scan host_last_scan\
| sort - host_last_scan\
| rename host_summary.hostname as "Target Address"\
| rename host_summary.last_seen_ip_addr as "IP Address"\
| rename host_summary.os_info_node as "Hostname"\
| rename host_summary.os_info_os_release_pretty_name as "OS"\
| rename date_last_scan as "Date Last Scan (UTC)"\
| rename host_last_scan as "Host Last Scan"

[Hosts Last Scan Greater Than 24 Hours Ago]
action.webhook.enable_allowlist = 0
alert.expires = 7d
alert.suppress = 0
alert.track = 1
counttype = number of events
cron_schedule = 0 6 * * *
dispatch.earliest_time = -1d
dispatch.latest_time = now
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
display.visualizations.show = 0
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_hosts_summary` host_summary.active="true"\
| dedup "host_summary.host_id" \
| rename host_summary.date_last_scan as date_last_scan\
| eval last_scan_epoch = strptime(date_last_scan, "%Y-%m-%dT%H:%M:%S%Z") \
| eval time_diff = ceiling(now() - last_scan_epoch) \
| search time_diff > 86400\
| eval temp_duration = tostring(time_diff, "duration") \
| eval host_last_scan=replace(temp_duration,"(\d*)\+*(\d+):(\d+):(\d+)","\1 days \2 hours \3 minutes") \
| table host_summary.hostname host_summary.last_seen_ip_addr host_summary.os_info_node host_summary.os_info_os_release_pretty_name date_last_scan host_last_scan\
| sort - host_last_scan\
| rename host_summary.hostname as "Target Address"\
| rename host_summary.last_seen_ip_addr as "IP Address"\
| rename host_summary.os_info_node as "Hostname"\
| rename host_summary.os_info_os_release_pretty_name as "OS"\
| rename date_last_scan as "Date Last Scan (UTC)"\
| rename host_last_scan as "Host Last Scan"

[Hosts Last Scan Older Than Last Seen]
action.webhook.enable_allowlist = 0
alert.expires = 7d
alert.severity = 4
alert.suppress = 0
alert.track = 1
counttype = number of events
cron_schedule = 0 6 * * *
dispatch.earliest_time = -1d
dispatch.latest_time = now
display.general.type = statistics
display.page.search.tab = statistics
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_hosts_summary` host_summary.active="true"\
| dedup "host_summary.host_id" \
| rename host_summary.date_last_scan as date_last_scan\
| rename host_summary.date_last_seen as date_last_seen\
| eval last_scan_epoch = strptime(date_last_scan, "%Y-%m-%dT%H:%M:%S%Z") \
| eval last_seen_epoch = strptime(date_last_seen, "%Y-%m-%dT%H:%M:%S%Z")\
| eval time_diff = ceiling(last_seen_epoch - last_scan_epoch) \
| search time_diff > 0\
| eval temp_duration = tostring(time_diff, "duration") \
| eval host_last_scan=replace(temp_duration,"(\d*)\+*(\d+):(\d+):(\d+)","\1 days \2 hours \3 minutes") \
| table host_summary.hostname host_summary.last_seen_ip_addr host_summary.os_info_node host_summary.os_info_os_release_pretty_name date_last_scan date_last_seen host_last_scan time_diff\
| sort - host_last_scan\
| rename host_summary.hostname as "Target Address"\
| rename host_summary.last_seen_ip_addr as "IP Address"\
| rename host_summary.os_info_node as "Hostname"\
| rename host_summary.os_info_os_release_pretty_name as "OS"\
| rename date_last_scan as "Date Last Scan (UTC)"\
| rename date_last_seen as "Date Last Seen (UTC)"\
| rename host_last_scan as "Host Last Scan Difference"

[Sandfly Server - Logins by Username]
action.email.useNSSubject = 1
action.webhook.enable_allowlist = 0
alert.track = 0
dispatch.earliest_time = -7d@h
dispatch.latest_time = now
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = sandfly_security
request.ui_dispatch_view = search
search = `sandfly_search_audit` audit_log.message="successful login"\
| stats count by audit_log.username\
| sort - count