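## Index Pre-Filters
## Index names are defined once here; every other macro in this file chains to one of these.
[ms__obj_win_events_index]
definition = index="idx_eventlog_win"
iseval = 0

[ms__obj_win_perfmon_index]
definition = index=idx_perfmon_win
iseval = 0

[ms__obj_win_api_index]
definition = index=idx_api_win
iseval = 0

[ms__obj_win_ad_index]
definition = index=idx_msad_win
iseval = 0

## Windows WinHostMon Search
[ms_obj_winhostmon_base]
definition = `ms__obj_win_api_index` sourcetype="WinHostMon"
iseval = 0

## Windows EventLog Sourcetype and Source Searches ##
## Each macro accepts the classic, XML and WMI flavours of the event log inputs.
[ms_obj_win_events_all]
definition = `ms__obj_win_events_index` (sourcetype="WinEventLog" OR sourcetype="XMLWinEventLog" OR sourcetype="WMIWineventLog")
iseval = 0

[ms_obj_win_events_security]
definition = `ms__obj_win_events_index` (source="WinEventLog:Security" OR source="XMLWinEventLog:Security" OR source="WMIWineventLog:Security")
iseval = 0

[ms_obj_win_events_application]
definition = `ms__obj_win_events_index` (source="WinEventLog:Application" OR source="XMLWinEventLog:Application" OR source="WMIWineventLog:Application")
iseval = 0

[ms_obj_win_events_system]
definition = `ms__obj_win_events_index` (source="WinEventLog:System" OR source="XMLWinEventLog:System" OR source="WMIWineventLog:System")
iseval = 0

## Active Directory Searches
##- admon - base index and sourcetype search
[ms_obj_admon_base]
definition = `ms__obj_win_ad_index` sourcetype="ActiveDirectory"
iseval = 0

##- admon - Filter components - Types admonEventType
## Raw-text terms only; combine with `ms_obj_admon_base` or one of the object macros below.
## ms_obj_admon_base_a_type covers Sync/Update/Deleted; Start has its own macro.
[ms_obj_admon_base_a_type]
definition = ("admonEventType=Sync" OR "admonEventType=Update" OR "admonEventType=Deleted")
iseval = 0

[ms_obj_admon_base_del_type]
definition = "admonEventType=Deleted"
iseval = 0

[ms_obj_admon_base_upd_type]
definition = "admonEventType=Update"
iseval = 0

[ms_obj_admon_base_sync_type]
definition = "admonEventType=Sync"
iseval = 0

[ms_obj_admon_base_start_type]
definition = "admonEventType=Start"
iseval = 0

##- admon - Filter components - Object Type
## All object classes handled by this app (user, group, GPO container, OU / plain container).
[ms_obj_admon_base_a_obj]
definition = `ms_obj_admon_base` ("objectClass=top|person|organizationalPerson|user" OR "objectClass=top|group" OR "objectClass=top|container|groupPolicyContainer" OR (("objectClass=top|organizationalUnit") OR ("objectClass=top|container" NOT "CN=Policies," NOT "CN=DomainUpdates")))
iseval = 0

## The trailing NOT [| inputlookup AD_Obj_Domain ...] subsearch excludes events whose dc_val matches a
## domain that has multi_lkps_enabled="t" in AD_Obj_Domain (those domains use the KV split lookups).
[ms_obj_admon_user]
definition = `ms_obj_admon_base` "objectClass=top|person|organizationalPerson|user" NOT "objectClass=top|person|organizationalPerson|user|computer" NOT ([| inputlookup AD_Obj_Domain WHERE multi_lkps_enabled="t" | stats count by dc_val | table dc_val])
iseval = 0

[ms_obj_admon_group]
definition = `ms_obj_admon_base` "objectClass=top|group" NOT ([| inputlookup AD_Obj_Domain WHERE multi_lkps_enabled="t" | stats count by dc_val | table dc_val])
iseval = 0

[ms_obj_admon_computer]
definition = `ms_obj_admon_base` "objectClass=top|person|organizationalPerson|user|computer" NOT ([| inputlookup AD_Obj_Domain WHERE multi_lkps_enabled="t" | stats count by dc_val | table dc_val])
iseval = 0

## OUs plus generic containers, minus the Policies and DomainUpdates system containers.
[ms_obj_admon_ou]
definition = `ms_obj_admon_base` (("objectClass=top|organizationalUnit") OR ("objectClass=top|container" NOT "CN=Policies," NOT "CN=DomainUpdates"))
iseval = 0

[ms_obj_admon_gpo]
definition = `ms_obj_admon_base` "objectClass=top|container|groupPolicyContainer"
iseval = 0

## Same as ms_obj_admon_gpo but restricted to a single dc_val.
[ms_obj_admon_gpo(1)]
args = domain_dc_val
definition = `ms_obj_admon_base` "objectClass=top|container|groupPolicyContainer" dc_val="$domain_dc_val$"
iseval = 0

###-------------------------------------------------------------------------------###
#--- Macros Used for Filtering either raw text, using IN() or a Field ---#
###-------------------------------------------------------------------------------###
###-------------------------------------------------------------------------------###
#-- NOTE: Requires a | before the macro (ie |`ms_obj_ss_filt_raw("User","*","sAMAccountName","joebob","sAMAccountName,dn,cn,userPrincipalName")`)
#-- NOTE: Macro arguments are inserted into the SPL as plain text; no quoting or escaping is applied here.
#--       Supply them from values the calling search or dashboard controls, not from free-form user input.
#-- Arguments:
#--   - tok_obj_type = Object Type part of the Lookup Name (AD_Obj_<tok_obj_type>)
#--                    - Has to be one of the following (User, Group, Computer, OU, GPO),
#--                      optionally with the KV suffix for multi-domain lookups (e.g. User_sedemo)
#--   - tok_domain = AD domain to match on, or * for all domains
#--   - tok_match_field = This is the field from the lookup that matches the passed filtering value, $tok_obj_val$.
#--   - tok_obj_val = This is the value that is passed and will be used to match the $tok_match_field$ specified field.
#--   - tok_comb_fields = This is a comma separated list of the lookup fields that will be combined for the filtering search.
#--   - tok_link_field = (ms_obj_ss_filt_field only) This is the field in the source results that will be linked to the passed object value $tok_obj_val$.
###-------------------------------------------------------------------------------###
###-------------------------------------------------------------------------------###
#-- Examples:
##  - Raw Text Sub Search:
##     - ms_obj_ss_filt_raw(5) Subsearch Ex:
##         index=idx_eventlog_win [|`ms_obj_ss_filt_raw("User","*","sAMAccountName","joebob","sAMAccountName,dn,cn,userPrincipalName")`]
##     - Example txt Output = "joebob" OR "CN=Joe Bob,CN=Users,DC=sedemo,DC=local" OR "Joe Bob" OR "joebob@sedemo.local"
##     - ms_obj_ss_filt_raw(5) Basic Example:
##         |`ms_obj_ss_filt_raw("User","*","sAMAccountName","joebob","sAMAccountName,dn,cn,userPrincipalName")`
##  - Search IN() Sub Search:
##     - ms_obj_ss_filt_in(5) Ex:
##         index=idx_eventlog_win | fields _time,user | search user IN([|`ms_obj_ss_filt_in("User","*","sAMAccountName","joebob","sAMAccountName,dn,cn,userPrincipalName")`])
##     - Example txt Output = "joebob","CN=Joe Bob,CN=Users,DC=sedemo,DC=local","Joe Bob","joebob@sedemo.local"
##  - Linking to a results field:
##     - ms_obj_ss_filt_field(6) Ex:
##         index=idx_eventlog_win [|`ms_obj_ss_filt_field("User","*","sAMAccountName","joebob","sAMAccountName,dn,cn,userPrincipalName","user")`]
##     - Example txt Output = user="joebob" OR user="CN=Joe Bob,CN=Users,DC=sedemo,DC=local" OR user="Joe Bob" OR user="joebob@sedemo.local"
#-- Multi-Domain Examples - With kv_suffix(sedemo):
##  - Raw Text Sub Search:
##     - ms_obj_ss_filt_raw(5) Subsearch Ex:
##         index=idx_eventlog_win [|`ms_obj_ss_filt_raw("User_sedemo","*","sAMAccountName","joebob","sAMAccountName,dn,cn,userPrincipalName")`]
##     - Example txt Output = "joebob" OR "CN=Joe Bob,CN=Users,DC=sedemo,DC=local" OR "Joe Bob" OR "joebob@sedemo.local"
##     - ms_obj_ss_filt_raw(5) Basic Example:
##         |`ms_obj_ss_filt_raw("User_sedemo","*","sAMAccountName","joebob","sAMAccountName,dn,cn,userPrincipalName")`
##  - Search IN() Sub Search:
##     - ms_obj_ss_filt_in(5) Ex:
##         index=idx_eventlog_win | fields _time,user | search user IN([|`ms_obj_ss_filt_in("User_sedemo","*","sAMAccountName","joebob","sAMAccountName,dn,cn,userPrincipalName")`])
##     - Example txt Output = "joebob","CN=Joe Bob,CN=Users,DC=sedemo,DC=local","Joe Bob","joebob@sedemo.local"
##  - Linking to a results field:
##     - ms_obj_ss_filt_field(6) Ex:
##         index=idx_eventlog_win [|`ms_obj_ss_filt_field("User_sedemo","*","sAMAccountName","joebob","sAMAccountName,dn,cn,userPrincipalName","user")`]
##     - Example txt Output = user="joebob" OR user="CN=Joe Bob,CN=Users,DC=sedemo,DC=local" OR user="Joe Bob" OR user="joebob@sedemo.local"

## Returns one field, search, holding the matching lookup values as quoted raw-text terms joined with OR.
## The final replace() strips an empty "" term that an empty lookup value would otherwise leave behind.
[ms_obj_ss_filt_raw(5)]
args = tok_obj_type,tok_domain,tok_match_field,tok_obj_val,tok_comb_fields
definition = inputlookup AD_Obj_$tok_obj_type$ WHERE domain="$tok_domain$" AND $tok_match_field$="$tok_obj_val$"\
| fields $tok_comb_fields$\
| eval search=mvdedup(mvappend($tok_comb_fields$))\
| stats values(search) AS search\
| eval search=if(mvcount(search)==1,"\"".search."\"",replace("\"".mvjoin(search,"\" OR \"")."\"","(^\"\"\sOR\s|\sOR\s\"\"$)",""))\
| table search
iseval = 0

## Same as ms_obj_ss_filt_raw(5) but joins the quoted values with "," so the result can be placed inside IN().
[ms_obj_ss_filt_in(5)]
args = tok_obj_type,tok_domain,tok_match_field,tok_obj_val,tok_comb_fields
definition = inputlookup AD_Obj_$tok_obj_type$ WHERE domain="$tok_domain$" AND $tok_match_field$="$tok_obj_val$"\
| fields $tok_comb_fields$\
| eval search=mvdedup(mvappend($tok_comb_fields$))\
| stats values(search) AS search\
| eval search=if(mvcount(search)==1,"\"".search."\"",replace("\"".mvjoin(search,"\",\"")."\"","(^\"\",|,\"\"$)",""))\
| table search
iseval = 0

## Same as ms_obj_ss_filt_raw(5) but prefixes every value with $tok_link_field$= so the terms filter a named field.
[ms_obj_ss_filt_field(6)]
args = tok_obj_type,tok_domain,tok_match_field,tok_obj_val,tok_comb_fields,tok_link_field
definition = inputlookup AD_Obj_$tok_obj_type$ WHERE domain="$tok_domain$" AND $tok_match_field$="$tok_obj_val$"\
| fields $tok_comb_fields$\
| eval search=mvdedup(mvappend($tok_comb_fields$))\
| stats values(search) AS search\
| eval search=if(mvcount(search)==1,"$tok_link_field$=\"".search."\"",replace("$tok_link_field$=\"".mvjoin(search,"\" OR $tok_link_field$=\"")."\"","(^$tok_link_field$=\"\"\sOR\s|\sOR\s$tok_link_field$=\"\"$)",""))\
| table search
iseval = 0

###-------------------------------------------------------------------------------###
#### By Group Filters ####
###-------------------------------------------------------------------------------###
## ms_obj_ss_filt_by_groupm_raw / _in / _field - Multiple Object Filter (members of one group) - Requires | before
## - The tok_match_field and the tok_obj_val are for retrieving a specific group's members.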
## - Example: | `ms_obj_ss_filt_by_groupm_raw("User","*","dn","CN=Administrators,CN=Builtin,DC=sedemo,DC=local","sAMAccountName,dn,cn,userPrincipalName")`

## Resolves the group selected by tok_match_field/tok_obj_val to its member DNs, then emits the members'
## tok_comb_fields values as quoted raw-text terms joined with OR (same output shape as ms_obj_ss_filt_raw).
[ms_obj_ss_filt_by_groupm_raw(5)]
args = tok_obj_type,tok_domain,tok_match_field,tok_obj_val,tok_comb_fields
definition = inputlookup AD_Obj_$tok_obj_type$ WHERE domain="$tok_domain$" AND [| inputlookup AD_Obj_Group WHERE $tok_match_field$="$tok_obj_val$" | fields member | rename member AS dn | table dn]\
| fields $tok_comb_fields$\
| eval search=mvdedup(mvappend($tok_comb_fields$))\
| stats values(search) AS search\
| eval search=if(mvcount(search)==1,"\"".search."\"",replace("\"".mvjoin(search,"\" OR \"")."\"","(^\"\"\sOR\s|\sOR\s\"\"$)",""))\
| table search
iseval = 0

## Group-member variant of ms_obj_ss_filt_in: values joined with "," for use inside IN().
[ms_obj_ss_filt_by_groupm_in(5)]
args = tok_obj_type,tok_domain,tok_match_field,tok_obj_val,tok_comb_fields
definition = inputlookup AD_Obj_$tok_obj_type$ WHERE domain="$tok_domain$" AND [| inputlookup AD_Obj_Group WHERE $tok_match_field$="$tok_obj_val$" | fields member | rename member AS dn | table dn]\
| fields $tok_comb_fields$\
| eval search=mvdedup(mvappend($tok_comb_fields$))\
| stats values(search) AS search\
| eval search=if(mvcount(search)==1,"\"".search."\"",replace("\"".mvjoin(search,"\",\"")."\"","(^\"\",|,\"\"$)",""))\
| table search
iseval = 0

## Group-member variant of ms_obj_ss_filt_field: every value prefixed with $tok_link_field$=.
[ms_obj_ss_filt_by_groupm_field(6)]
args = tok_obj_type,tok_domain,tok_match_field,tok_obj_val,tok_comb_fields,tok_link_field
definition = inputlookup AD_Obj_$tok_obj_type$ WHERE domain="$tok_domain$" AND [| inputlookup AD_Obj_Group WHERE $tok_match_field$="$tok_obj_val$" | fields member | rename member AS dn | table dn]\
| fields $tok_comb_fields$\
| eval search=mvdedup(mvappend($tok_comb_fields$))\
| stats values(search) AS search\
| eval search=if(mvcount(search)==1,"$tok_link_field$=\"".search."\"",replace("$tok_link_field$=\"".mvjoin(search,"\" OR $tok_link_field$=\"")."\"","(^$tok_link_field$=\"\"\sOR\s|\sOR\s$tok_link_field$=\"\"$)",""))\
| table search
iseval = 0

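###-------------------------------------------------------------------------------###
#### MULTI-DOMAIN - Split KV - By Group Filters ####
###-------------------------------------------------------------------------------###
## ms_obj_md_ss_filt_by_groupm_raw / _in / _field - Multiple Object Filter (members of one group) - Requires | before
## - tok_kv_suffix is appended to both lookup names: AD_Obj_<tok_obj_type>_<tok_kv_suffix> and AD_Obj_Group_<tok_kv_suffix>.
## - The tok_match_field and the tok_obj_val are for retrieving a specific group's members.
## - Example: | `ms_obj_md_ss_filt_by_groupm_raw("User","sedemo","*","dn","CN=Administrators,CN=Builtin,DC=sedemo,DC=local","sAMAccountName,dn,cn,userPrincipalName")`
## NOTE: the suffix must be referenced as $tok_kv_suffix$, the declared argument name. The definitions below
##       previously used $tgt_kv_suffix$, which is not an argument of these macros and so was never substituted,
##       leaving a literal "AD_Obj_..._$tgt_kv_suffix$" lookup name that cannot resolve.
[ms_obj_md_ss_filt_by_groupm_raw(6)]
args = tok_obj_type,tok_kv_suffix,tok_domain,tok_match_field,tok_obj_val,tok_comb_fields
definition = inputlookup AD_Obj_$tok_obj_type$_$tok_kv_suffix$ WHERE domain="$tok_domain$" AND [| inputlookup AD_Obj_Group_$tok_kv_suffix$ WHERE $tok_match_field$="$tok_obj_val$" | fields member | rename member AS dn | table dn]\
| fields $tok_comb_fields$\
| eval search=mvdedup(mvappend($tok_comb_fields$))\
| stats values(search) AS search\
| eval search=if(mvcount(search)==1,"\"".search."\"",replace("\"".mvjoin(search,"\" OR \"")."\"","(^\"\"\sOR\s|\sOR\s\"\"$)",""))\
| table search
iseval = 0

[ms_obj_md_ss_filt_by_groupm_in(6)]
args = tok_obj_type,tok_kv_suffix,tok_domain,tok_match_field,tok_obj_val,tok_comb_fields
definition = inputlookup AD_Obj_$tok_obj_type$_$tok_kv_suffix$ WHERE domain="$tok_domain$" AND [| inputlookup AD_Obj_Group_$tok_kv_suffix$ WHERE $tok_match_field$="$tok_obj_val$" | fields member | rename member AS dn | table dn]\
| fields $tok_comb_fields$\
| eval search=mvdedup(mvappend($tok_comb_fields$))\
| stats values(search) AS search\
| eval search=if(mvcount(search)==1,"\"".search."\"",replace("\"".mvjoin(search,"\",\"")."\"","(^\"\",|,\"\"$)",""))\
| table search
iseval = 0

[ms_obj_md_ss_filt_by_groupm_field(7)]
args = tok_obj_type,tok_kv_suffix,tok_domain,tok_match_field,tok_obj_val,tok_comb_fields,tok_link_field
definition = inputlookup AD_Obj_$tok_obj_type$_$tok_kv_suffix$ WHERE domain="$tok_domain$" AND [| inputlookup AD_Obj_Group_$tok_kv_suffix$ WHERE $tok_match_field$="$tok_obj_val$" | fields member | rename member AS dn | table dn]\
| fields $tok_comb_fields$\
| eval search=mvdedup(mvappend($tok_comb_fields$))\
| stats values(search) AS search\
| eval search=if(mvcount(search)==1,"$tok_link_field$=\"".search."\"",replace("$tok_link_field$=\"".mvjoin(search,"\" OR $tok_link_field$=\"")."\"","(^$tok_link_field$=\"\"\sOR\s|\sOR\s$tok_link_field$=\"\"$)",""))\
| table search
iseval = 0

###-------------------------------------------------------------------------------###
#### By Admin Audit Specific - By Group Filters ####
###-------------------------------------------------------------------------------###
## ms_obj_aa_filt_by_groupm_raw / _in - Multiple Object Filter (members of one group) - Requires | before
## - The tok_match_field and the tok_obj_val are for retrieving a specific group's members.
## - user_lookup / group_lookup are the AD_Obj_User / AD_Obj_Group lookup names to use; pass the _<suffix>
##   variants for Multi-Domain KV Split deployments.
## - The result rows come from AD_Obj_Admin_Audit and are reduced to cn,sAMAccountName,userPrincipalName
##   before being handed to `ms_obj_ss_filt_flds_raw` / `ms_obj_ss_filt_flds_in` (defined elsewhere).
## - Example: | `ms_obj_aa_filt_by_groupm_raw("*","dn","CN=Administrators,CN=Builtin,DC=sedemo,DC=local","sAMAccountName,dn,cn,userPrincipalName","AD_Obj_User","AD_Obj_Group")`
## - Example Multi-Domain: | `ms_obj_aa_filt_by_groupm_raw("*","dn","CN=Administrators,CN=Builtin,DC=sedemo,DC=local","sAMAccountName,dn,cn,userPrincipalName","AD_Obj_User_sedemo","AD_Obj_Group_sedemo")`
[ms_obj_aa_filt_by_groupm_raw(6)]
args = tok_domain,tok_match_field,tok_obj_val,tok_comb_fields,user_lookup,group_lookup
definition = inputlookup AD_Obj_Admin_Audit WHERE admin_domain="$tok_domain$" AND [| inputlookup $group_lookup$ WHERE $tok_match_field$="$tok_obj_val$"| fields member | rename member AS dn | lookup $user_lookup$ dn OUTPUT lookup_usr AS admin_user| stats values(admin_user) AS admin_user | format]\
| lookup $user_lookup$ lookup_usr AS admin_user OUTPUT cn,sAMAccountName,userPrincipalName\
| `ms_obj_ss_filt_flds_raw("$tok_comb_fields$")`
iseval = 0

[ms_obj_aa_filt_by_groupm_in(6)]
args = tok_domain,tok_match_field,tok_obj_val,tok_comb_fields,user_lookup,group_lookup
definition = inputlookup AD_Obj_Admin_Audit WHERE admin_domain="$tok_domain$" AND [| inputlookup $group_lookup$ WHERE $tok_match_field$="$tok_obj_val$"| fields member | rename member AS dn | lookup $user_lookup$ dn OUTPUT lookup_usr AS admin_user| stats values(admin_user) AS admin_user | format]\
| lookup $user_lookup$ lookup_usr AS admin_user OUTPUT cn,sAMAccountName,userPrincipalName\
| `ms_obj_ss_filt_flds_in("$tok_comb_fields$")`
iseval = 0

###-------------------------------------------------------------------------------###
#### By Admin Audit Specific - By Admin Filters ####
###-------------------------------------------------------------------------------###
## Filters AD_Obj_Admin_Audit on one admin attribute (tok_match_field = tok_obj_val) after enriching
## each admin_user from user_lookup; the match is applied with | search, i.e. after the lookup.
[ms_obj_aa_filt_by_admin_raw(5)]
args = tok_domain,tok_match_field,tok_obj_val,tok_comb_fields,user_lookup
definition = inputlookup AD_Obj_Admin_Audit WHERE admin_domain="$tok_domain$"\
| lookup $user_lookup$ lookup_usr AS admin_user OUTPUT dn,cn,sAMAccountName,userPrincipalName\
| search $tok_match_field$="$tok_obj_val$"\
| `ms_obj_ss_filt_flds_raw("$tok_comb_fields$")`
iseval = 0

[ms_obj_aa_filt_by_admin_in(5)]
args = tok_domain,tok_match_field,tok_obj_val,tok_comb_fields,user_lookup
definition = inputlookup AD_Obj_Admin_Audit WHERE admin_domain="$tok_domain$"\
| lookup $user_lookup$ lookup_usr AS admin_user OUTPUT dn,cn,sAMAccountName,userPrincipalName\
| search $tok_match_field$="$tok_obj_val$"\
| `ms_obj_ss_filt_flds_in("$tok_comb_fields$")`
iseval = 0

## - Replaced with ms_obj_aa_filt_by_groupm_raw(6) for supporting Multi-Domain KV Split
##[ms_obj_aa_filt_by_groupm_raw(4)]
##args = tok_domain,tok_match_field,tok_obj_val,tok_comb_fields
##definition = inputlookup AD_Obj_Admin_Audit WHERE domain="$tok_domain$" AND [| inputlookup AD_Obj_Group WHERE $tok_match_field$="$tok_obj_val$" | fields member | rename member AS admin_dn | table admin_dn]\
##| fields $tok_comb_fields$\
##| eval search=mvdedup(mvappend($tok_comb_fields$))\
##| stats values(search) AS search\
##| eval search=if(mvcount(search)==1,"\"".search."\"",replace("\"".mvjoin(search,"\" OR \"")."\"","(^\"\"\sOR\s|\sOR\s\"\"$)",""))\
##| table search
##iseval = 0

## - Replaced with ms_obj_aa_filt_by_groupm_in(6) for supporting Multi-Domain KV Split
##[ms_obj_aa_filt_by_groupm_in(4)]
##args = tok_domain,tok_match_field,tok_obj_val,tok_comb_fields
##definition = inputlookup AD_Obj_Admin_Audit WHERE domain="$tok_domain$" AND [| inputlookup AD_Obj_Group WHERE $tok_match_field$="$tok_obj_val$" | fields member | rename member AS admin_dn | table admin_dn]\
##| fields $tok_comb_fields$\
##| eval search=mvdedup(mvappend($tok_comb_fields$))\
##| stats values(search) AS search\
##| eval search=if(mvcount(search)==1,"\"".search."\"",replace("\"".mvjoin(search,"\",\"")."\"","(^\"\",|,\"\"$)",""))\
##| table search
##iseval = 0

###-------------------------------------------------------------------------------###
#### REMOVE - Using Single macro for MULTI-DOMAIN OR non-Split KV - By Admin Audit Specific - By Group Filters ####
###-------------------------------------------------------------------------------###
## ms_obj_md_aa_filt_by_groupm_raw / _in (commented out below) - Multiple Object Filter - Requires | before
## - The tok_match_field and the tok_obj_val are for retrieving a specific group's members.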
## - Example: | `ms_obj_aa_filt_by_groupm_raw("*","sedemo","dn","CN=Administrators,CN=Builtin,DC=sedemo,DC=local","sAMAccountName,dn,cn,userPrincipalName")`
##[ms_obj_md_aa_filt_by_groupm_raw(5)]
##args = tok_domain,tok_kv_suffix,tok_match_field,tok_obj_val,tok_comb_fields
##definition = inputlookup AD_Obj_Admin_Audit WHERE domain="$tok_domain$" AND [| inputlookup AD_Obj_Group_$tok_kv_suffix$ WHERE $tok_match_field$="$tok_obj_val$" | fields member | rename member AS admin_dn | table admin_dn]\
##| fields $tok_comb_fields$\
##| eval search=mvdedup(mvappend($tok_comb_fields$))\
##| stats values(search) AS search\
##| eval search=if(mvcount(search)==1,"\"".search."\"",replace("\"".mvjoin(search,"\" OR \"")."\"","(^\"\"\sOR\s|\sOR\s\"\"$)",""))\
##| table search
##iseval = 0
##[ms_obj_md_aa_filt_by_groupm_in(5)]
##args = tok_domain,tok_kv_suffix,tok_match_field,tok_obj_val,tok_comb_fields
##definition = inputlookup AD_Obj_Admin_Audit WHERE domain="$tok_domain$" AND [| inputlookup AD_Obj_Group_$tok_kv_suffix$ WHERE $tok_match_field$="$tok_obj_val$" | fields member | rename member AS admin_dn | table admin_dn]\
##| fields $tok_comb_fields$\
##| eval search=mvdedup(mvappend($tok_comb_fields$))\
##| stats values(search) AS search\
##| eval search=if(mvcount(search)==1,"\"".search."\"",replace("\"".mvjoin(search,"\",\"")."\"","(^\"\",|,\"\"$)",""))\
##| table search
##iseval = 0

###-------------------------------------------------------------------------------###
#--- Macros Used for AD Changes ---#
###-------------------------------------------------------------------------------###
###-------------------------------------------------------------------------------###
### NOTE: UPDATED MACROS - Consolidated
##-- User --##
## ms_obj_user_changes_base Replaced With `ms_obj_changes_base_cat("User")`
## ms_obj_user_changes_action(1) Replaced With `ms_obj_changes_base_cat_act("User",)`
##-- Groups --##
## ms_obj_group_changes_base Replaced With `ms_obj_changes_base_cat("Group")`
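## ms_obj_group_changes_action(1) Replaced With `ms_obj_changes_base_cat_act("Group",)`
##-- Group Membership --##
## ms_obj_group_membership_changes_base Replaced With `ms_obj_changes_base_cat("Group Membership")`
## ms_obj_group_membership_changes_action(1) Replaced With `ms_obj_changes_base_cat_act("Group Membership",)`
##-- Computer --##
## ms_obj_computer_changes_base Replaced With `ms_obj_changes_base_cat("Computer")`
## ms_obj_computer_changes_action(1) Replaced With `ms_obj_changes_base_cat_act("Computer",)`
##-- Organizational Units --##
## ms_obj_ou_changes_base Replaced With `ms_obj_changes_base_cat("OU")`
## ms_obj_ou_changes_action(1) Replaced With `ms_obj_changes_base_cat_act("OU",)`
##-- Group Policy --##
## ms_obj_gpo_changes_base Replaced With `ms_obj_changes_base_cat("Group Policy")`
## ms_obj_gpo_changes_action(1) Replaced With `ms_obj_changes_base_cat_act("Group Policy",)`
##-- Change Search with formatted output --##
## ms_obj_computer_changes_search(3) AND ms_obj_user_changes_search(3) Replaced with `ms_obj_changes_search(4)`
###-------------------------------------------###
## Macros to speed up searches
## Each one turns the EventCode column of AD_Audit_Change_EventCodes into a raw-text OR clause
## (needs | before; use as a subsearch).
## _std  -> "EventCode=4720" OR "EventCode=4722" ...
## _xml  -> "4720" OR "4722" ...               (for XML events where EventCode= is not in _raw)
## _cmb  -> both of the above ORed together
[ms_obj_change_raw_std]
definition = inputlookup AD_Audit_Change_EventCodes \
| fields EventCode \
| stats values(EventCode) AS search \
| eval search="\"EventCode=".mvjoin(search,"\" OR \"EventCode=")."\"" \
| table search
iseval = 0

[ms_obj_change_raw_xml]
definition = inputlookup AD_Audit_Change_EventCodes \
| fields EventCode \
| stats values(EventCode) AS search \
| eval search="\"".mvjoin(search,"\" OR \"")."\"" \
| table search
iseval = 0

[ms_obj_change_raw_cmb]
definition = inputlookup AD_Audit_Change_EventCodes\
| fields EventCode\
| stats values(EventCode) AS search\
| eval search="\"EventCode=".mvjoin(search,"\" OR \"EventCode=")."\" OR \"".mvjoin(search,"\" OR \"")."\"" \
| table search
iseval = 0

## Combined clause restricted to one change_category.
[ms_obj_change_raw_cmb(1)]
args = tok_chg_cat
definition = inputlookup AD_Audit_Change_EventCodes WHERE change_category="$tok_chg_cat$"\
| fields EventCode\
| stats values(EventCode) AS search\
| eval search="\"EventCode=".mvjoin(search,"\" OR \"EventCode=")."\" OR \"".mvjoin(search,"\" OR \"")."\"" \
| table search
iseval = 0

## Combined clause restricted to one change_category and additionally constrained to obj_type="$tok_obj_type$".
[ms_obj_change_raw_cmb(2)]
args = tok_chg_cat,tok_obj_type
definition = inputlookup AD_Audit_Change_EventCodes WHERE change_category="$tok_chg_cat$"\
| fields EventCode\
| stats values(EventCode) AS search\
| eval search="obj_type=\"$tok_obj_type$\" (\"EventCode=".mvjoin(search,"\" OR \"EventCode=")."\" OR \"".mvjoin(search,"\" OR \"")."\")" \
| table search
iseval = 0

## Base Change Macros
## Pattern: Security event log + [EventCode/obj_type list from AD_Audit_Change_EventCodes | format]
##          + src_user_type="user" + an exclusion for password-change events (4723/4738).
## NOTE(review): the 4723/4738 exclusion is written two different ways in this file.
##   - src_user=user  (base_type, base_cat, base_cat_act, base_cat_*): drops the SELF-initiated change.
##   - src_user!=user (filt_pwd_res, base_all, base_act):               drops changes made by SOMEONE ELSE,
##     i.e. administrator-initiated password resets/account changes disappear from those results.
##   Confirm which behaviour is intended and align the macros; left as-is here because the intent is not recorded.
[ms_obj_changes_base_type(1)]
args = tok_chg_type
definition = `ms_obj_win_events_security` [|inputlookup AD_Audit_Change_EventCodes WHERE obj_type="$tok_chg_type$" |stats values(EventCode) AS EventCode,values(obj_type) AS obj_type | format] src_user_type="user" NOT((EventCode=4723 OR EventCode=4738) AND src_user=user)
iseval = 0

##-- User Changing their Own Password --##
## See NOTE(review) above: as written this removes 4723/4738 events where src_user differs from user.
[ms_obj_changes_filt_pwd_res]
definition = NOT((EventCode=4723 OR EventCode=4738) AND src_user!=user)
iseval = 0

##-- All Changes --##
## No arguments: the stanza name carries no (n) suffix, so an args setting is not meaningful here
## (a stray args line was removed).
[ms_obj_changes_base_all]
definition = `ms_obj_win_events_security` [|inputlookup AD_Audit_Change_EventCodes |stats values(EventCode) AS EventCode,values(obj_type) AS obj_type | format] src_user_type="user" NOT((EventCode=4723 OR EventCode=4738) AND src_user!=user)
iseval = 0

##-- All Changes for Category--##
[ms_obj_changes_base_cat(1)]
args = tok_chg_cat
definition = `ms_obj_win_events_security` [|inputlookup AD_Audit_Change_EventCodes WHERE change_category="$tok_chg_cat$" |stats values(EventCode) AS EventCode,values(obj_type) AS obj_type | format] src_user_type="user" NOT((EventCode=4723 OR EventCode=4738) AND src_user=user)
iseval = 0

##-- All Changes for Action--##
[ms_obj_changes_base_act(1)]
args = tok_chg_action
definition = `ms_obj_win_events_security` [|inputlookup AD_Audit_Change_EventCodes WHERE change_action="$tok_chg_action$"|stats values(EventCode) AS EventCode,values(obj_type) AS obj_type | format] src_user_type="user" NOT((EventCode=4723 OR EventCode=4738) AND src_user!=user)
iseval = 0

##-- All Changes for Category and Action--##
[ms_obj_changes_base_cat_act(2)]
args = tok_chg_cat,tok_chg_action
definition = `ms_obj_win_events_security` [|inputlookup AD_Audit_Change_EventCodes WHERE change_category="$tok_chg_cat$" AND change_action="$tok_chg_action$" | stats values(EventCode) AS EventCode,values(obj_type) AS obj_type | format] src_user_type="user" NOT((EventCode=4723 OR EventCode=4738) AND src_user=user)
iseval = 0

##-- Changes Formatted Output - All ##
##-- Important: for Computer objects add a trailing $ to the tok_user value
## Arguments: tok_domain (matched against src_nt_domain OR dest_nt_domain), tok_user (matched against
## cn/user/New_Account_Name/Old_Account_Name), tok_action (change_action AND msad_action), tok_category (change_category).
[ms_obj_changes_search(4)]
args = tok_domain,tok_user,tok_action,tok_category
definition = `ms_obj_changes_base_cat_act($tok_category$,$tok_action$)` (cn="$tok_user$" OR user="$tok_user$" OR New_Account_Name="$tok_user$" OR Old_Account_Name="$tok_user$") (src_nt_domain="$tok_domain$" OR dest_nt_domain="$tok_domain$") msad_action=$tok_action$ \
| eval adminuser=src_nt_domain."\\".src_user\
| eval dest_user_subject=dest_nt_domain."\\".user\
| `ms_obj_msad-changed-attributes`\
| table _time,adminuser,user,msad_action,dest_user_subject,MSADChanges\
| rename adminuser as "Administrator",msad_action as "Action",user as "Target_$tok_category$",dest_user_subject as "Target $tok_category$ ID",MSADChanges as "Changes"
iseval = 0

##-- All Changes for Computer Category--##
[ms_obj_changes_base_cat_computer]
definition = `ms_obj_win_events_security` [|inputlookup AD_Audit_Change_EventCodes WHERE change_category="Computer" |stats values(EventCode) AS EventCode,values(obj_type) AS obj_type | format] src_user_type="user" NOT((EventCode=4723 OR EventCode=4738) AND src_user=user)
iseval = 0

##-- All Changes for Group Category--##
[ms_obj_changes_base_cat_group]
definition = `ms_obj_win_events_security` [|inputlookup AD_Audit_Change_EventCodes WHERE change_category="Group" |stats values(EventCode) AS EventCode,values(obj_type) AS obj_type | format] src_user_type="user" NOT((EventCode=4723 OR EventCode=4738) AND src_user=user)
iseval = 0

##-- All Changes for Group Membership Category--##
[ms_obj_changes_base_cat_group_membership]
definition = `ms_obj_win_events_security` [|inputlookup AD_Audit_Change_EventCodes WHERE change_category="Group Membership" |stats values(EventCode) AS EventCode,values(obj_type) AS obj_type | format] src_user_type="user" NOT((EventCode=4723 OR EventCode=4738) AND src_user=user)
iseval = 0

##-- All Changes for User Category--##
[ms_obj_changes_base_cat_user]
definition = `ms_obj_win_events_security` [|inputlookup AD_Audit_Change_EventCodes WHERE change_category="User" |stats values(EventCode) AS EventCode,values(obj_type) AS obj_type | format] src_user_type="user" NOT((EventCode=4723 OR EventCode=4738) AND src_user=user)
iseval = 0

##-- OU Changes for OU's with specified GPO --##
[ms_obj_ou_changes_gplink(1)]
args = gPLink
definition = `ms_obj_changes_base_cat("OU")` Value="$gPLink$"
iseval = 0

##-- Groups And Group Membership Changes --##
## "Group*" matches both the Group and Group Membership categories.
[ms_obj_group_all_changes_base]
definition = `ms_obj_changes_base_cat("Group*")`
iseval = 0

##-- Group Policy Change Search --##
## Summarises GPO changes per admin session; gpo_guid is matched against the lower-cased {guid} built from Object_Name_Guid.
## Fix: the final rename previously referred to src_nt_domian (typo), so the Domain column was never renamed.
[ms_obj_gpo_changes(2)]
args = domain,gpo_guid
definition = `ms_obj_changes_base_cat("Group Policy")` src_nt_domain="$domain$"\
| eval adminuser=src_user\
| eval Object_Lookup_Name="{" . lower(Object_Name_Guid) . "}"\
| search Object_Lookup_Name="$gpo_guid$"\
| lookup AD_Obj_GPO cn AS Object_Lookup_Name OUTPUT displayName\
| stats max(_time) AS last_time, min(_time) AS start_time, count by session_id,src_nt_domain,src_user,displayName\
| sort -last_time\
| eval start_session_event_time=strftime(start_time,"%m/%d/%y %I:%M:%S %P")\
| eval last_session_event_time=strftime(last_time,"%m/%d/%y %I:%M:%S %P")\
| table displayName,src_nt_domain,src_user,start_session_event_time, last_session_event_time, session_id\
| rename src_nt_domain as "Domain",src_user as "Administrator", displayName as "Group Policy Name"
iseval = 0

## Older GPO change report; relies on the HostToDomain lookup and the format-ad-object-displayname macro (defined elsewhere).
[audit-gpo-changes(1)]
args = domain
definition = `ms_obj_changes_base_cat("Group Policy")`|lookup HostToDomain host|search src_nt_domain="$domain$"|eval adminuser=src_nt_domain."\\".src_user|eval Object_Name=replace(Object_Name,"}CN","},CN")|fields _time,Object_Name,adminuser,session_id|transaction maxspan=10m Object_Name,adminuser,session_id|lookup AD_Obj_GPO distinguishedName as Object_Name OUTPUT displayName,deletedDate,cn | `format-ad-object-displayname(displayName,deletedDate)`
iseval = 0

##-------------------------------------------##
#--- User,Group,Computer Changes Macros ---#
##-------------------------------------------##
## Output-formatting macros; each needs | before and starts with a `fields` list. `fields` keeps ONLY the
## listed fields (plus internal _* fields), so every field read later in the pipeline must appear in that list.
## Fix: src_nt_domain was missing from the user and computer lists, so the adminuser eval always fell back to
## the bare src_user and the "DOMAIN\user" form was never produced.
[ms_obj_user_change_out]
definition = fields _time, src_user, src_nt_domain, user, user_obj_dn, user_obj_email,msad_action, MSADChanges, dest_nt_domain, signature, MSADChangedAttributes,Correlation_ID,AttributeLDAPDisplayName,AttributeValue,DN,Old_DN,New_DN,dir_svcs_action\
| eval adminuser=if(isnull(src_nt_domain),src_user,upper(src_nt_domain)."\\".src_user)\
| eval user_obj_lkp=if(isnull(user_obj_dn),if(isnull(user_obj_email),if(isnull(DN),if(isnull(Old_DN),if(isnull(New_DN),lower(user),lower(New_DN)),lower(Old_DN)),lower(DN)),lower(user_obj_email)),lower(user_obj_dn))\
| lookup AD_Obj_User lookup_usr AS user_obj_lkp OUTPUT sAMAccountName AS b_user_obj_sam,cn AS b_user_obj_cn\
| eval user=if(isnull(b_user_obj_sam),if(isnull(b_user_obj_cn),if(isnull(user_obj_lkp),"NA",lower(user_obj_lkp)),lower(b_user_obj_cn)),lower(b_user_obj_sam))\
| eval dest_user_subject=if(isnull(dest_nt_domain),user,dest_nt_domain."\\".lower(user))\
| `ms_obj_msad-changed-attributes`\
| stats count, values(Correlation_ID) AS Correlation_IDs,values(MSADChanges) AS MSADChanges by _time,src_user,adminuser,msad_action,dest_user_subject,user,signature\
| eval signature=mvdedup(signature)\
| eval MSADChanges=mvjoin(MSADChanges, "########")\
| eval MSADChanges=case(isnull(signature) AND isnull(MSADChanges),"Unknown Changes",isnull(signature),MSADChanges,isnull(MSADChanges),"Signature: ".signature,isnotnull(MSADChanges),"Signature: ".signature."########".MSADChanges)\
| makemv delim="########" MSADChanges\
| table _time,src_user,adminuser,msad_action,user,dest_user_subject,Correlation_IDs,MSADChanges
iseval = 0

[ms_obj_computer_change_out]
definition = fields _time, src_user, src_nt_domain, user, comp_obj_dn, comp_obj_sam,msad_action, MSADChanges, dest_nt_domain, signature, MSADChangedAttributes,AttributeLDAPDisplayName,AttributeValue,DN,Old_DN,New_DN,dir_svcs_action\
| eval adminuser=if(isnull(src_nt_domain),src_user,upper(src_nt_domain)."\\".src_user)\
| eval comp_obj_lkp=if(isnull(comp_obj_dn),if(isnull(DN),if(isnull(Old_DN),if(isnull(New_DN),if(isnull(comp_obj_sam),lower(user),lower(comp_obj_sam)),lower(New_DN)),lower(Old_DN)),lower(DN)),lower(comp_obj_dn))\
| lookup AD_Obj_Computer lookup_cmp AS comp_obj_lkp OUTPUT sAMAccountName AS b_comp_obj_sam\
| eval user=if(isnull(b_comp_obj_sam),if(isnull(comp_obj_lkp),"NA",lower(comp_obj_lkp)),lower(b_comp_obj_sam))\
| eval dest_user_subject=if(isnull(dest_nt_domain),user,dest_nt_domain."\\".lower(user))\
| `ms_obj_msad-changed-attributes`\
| stats count, values(MSADChanges) AS MSADChanges by _time,adminuser,msad_action,dest_user_subject,user,signature\
| eval signature=mvdedup(signature)\
| eval MSADChanges=mvjoin(MSADChanges, "########")\
| eval MSADChanges=case(isnull(signature) AND isnull(MSADChanges),"Unknown Changes",isnull(signature),MSADChanges,isnull(MSADChanges),"Signature: ".signature,isnotnull(MSADChanges),"Signature: ".signature."########".MSADChanges)\
| makemv delim="########" MSADChanges\
| table _time,adminuser,msad_action,user,dest_user_subject,MSADChanges
iseval = 0

## Fixes relative to the previous version:
##  - Correlation_ID added to the fields list; it was dropped by `fields` before fillnull/stats could use it,
##    so Correlation_IDs was always "N/A".
##  - The MSADChanges case() gained the isnull(MSADChanges) branch used by ms_obj_user_change_out, so a row
##    with a signature but no parsed changes shows "Signature: ..." instead of an empty cell.
[ms_obj_group_change_out]
definition = fields _time, _raw, src_user, src_nt_domain, dest_nt_domain, msad_action, signature,DN,New_DN,Old_DN,group_obj_lkp,member_obj_lkp,Correlation_ID,MSADGroupClass,MSADGroupClassID,MSADGroupType,MSADChanges,MSADChangedAttributes,AttributeLDAPDisplayName,AttributeValue,dir_svcs_action \
| eval msad_action=if(isnull(msad_action),if(isnull(dir_svcs_action),"NA",dir_svcs_action),if(isnull(dir_svcs_action),msad_action,msad_action." (".dir_svcs_action.")"))\
| eval adminuser=if(isnull(src_nt_domain),src_user,upper(src_nt_domain)."\\".src_user)\
| lookup AD_Audit_Group_Type MSADGroupClassID OUTPUT MSADGroupClass\
| lookup AD_Obj_Group lookup_grp AS group_obj_lkp OUTPUT cn AS group_obj_cn, orig_cn AS group_obj_o_cn,MSADGroupClass AS MSADGroupClass_u, MSADGroupType AS MSADGroupType_u\
| eval group_obj_nm=if(isnull(group_obj_o_cn) OR group_obj_o_cn="",if(isnull(group_obj_cn) OR group_obj_cn="",if(isnull(group_obj_lkp),"NA",group_obj_lkp),lower(group_obj_cn)),lower(group_obj_o_cn))\
| eval MSADGroupClass=if(isnull(MSADGroupClass),if(isnull(MSADGroupClass_u),"NA",MSADGroupClass_u),MSADGroupClass)\
| eval MSADGroupType=if(isnull(MSADGroupType),if(isnull(MSADGroupType_u),"NA",MSADGroupType_u),MSADGroupType)\
| fillnull value="N/A" Correlation_ID,member_obj_lkp\
| `ms_obj_msad-changed-attributes`\
| stats list(MSADChanges) AS MSADChanges,values(Correlation_ID) AS Correlation_IDs by _time,adminuser,msad_action,group_obj_nm,MSADGroupType,MSADGroupClass,member_obj_lkp,signature\
| eval MSADChanges=mvjoin(MSADChanges, "########")\
| eval MSADChanges=case(isnull(signature) AND isnull(MSADChanges),"Unknown Changes",isnull(signature),MSADChanges,isnull(MSADChanges),"Signature: ".signature,isnotnull(MSADChanges),"Signature: ".signature."########".MSADChanges)\
| makemv delim="########" MSADChanges\
| table _time, adminuser, group_obj_nm,msad_action,MSADGroupType,MSADGroupClass,member_obj_lkp,MSADChanges
iseval = 0

## Group Membership Changes - Output Part - needs | before ##
## Fixes relative to the previous version (same reasoning as ms_obj_group_change_out):
##  - Correlation_ID and member_obj_dn added to the fields list; member_obj_dn is the fallback for `member`
##    in the second eval and was always null without it.
##  - isnull(MSADChanges) branch added to the MSADChanges case().
## Member_Type defaults to "Computer" when neither the user nor the group lookup matches member_obj_lkp.
[ms_obj_groupmembership_change_out]
definition = fields _time, _raw, src_user, src_nt_domain, dest_nt_domain, msad_action, signature,DN,New_DN,Old_DN,group_obj_lkp,member_obj_domain,member_obj_id,member_obj_dn,member_obj_lkp,Correlation_ID,MSADGroupClass,MSADGroupClassID,MSADGroupType,MSADChanges,MSADChangedAttributes,AttributeLDAPDisplayName,AttributeValue,dir_svcs_action \
| eval member=if(isnull(member_obj_domain),member_obj_id,member_obj_domain."\\".member_obj_id) \
| eval member=if(isnull(member),if(isnull(member_obj_dn),"NA",member_obj_dn),member) \
| eval msad_action=if(isnull(msad_action),if(isnull(dir_svcs_action),"NA",dir_svcs_action),if(isnull(dir_svcs_action),msad_action,msad_action." (".dir_svcs_action.")"))\
| eval adminuser=if(isnull(src_nt_domain),src_user,upper(src_nt_domain)."\\".src_user)\
| lookup AD_Audit_Group_Type MSADGroupClassID OUTPUT MSADGroupClass\
| lookup AD_Obj_Group lookup_grp AS group_obj_lkp OUTPUT cn AS group_obj_cn, orig_cn AS group_obj_o_cn,MSADGroupClass AS MSADGroupClass_u, MSADGroupType AS MSADGroupType_u\
| eval group_obj_nm=if(isnull(group_obj_o_cn) OR group_obj_o_cn="",if(isnull(group_obj_cn) OR group_obj_cn="",if(isnull(group_obj_lkp),"NA",group_obj_lkp),lower(group_obj_cn)),lower(group_obj_o_cn))\
| eval MSADGroupClass=if(isnull(MSADGroupClass),if(isnull(MSADGroupClass_u),"NA",MSADGroupClass_u),MSADGroupClass)\
| eval MSADGroupType=if(isnull(MSADGroupType),if(isnull(MSADGroupType_u),"NA",MSADGroupType_u),MSADGroupType)\
| fillnull value="N/A" Correlation_ID,member_obj_lkp\
| `ms_obj_msad-changed-attributes`\
| stats list(MSADChanges) AS MSADChanges,values(Correlation_ID) AS Correlation_IDs by _time,adminuser,msad_action,group_obj_nm,member,MSADGroupType,MSADGroupClass,member_obj_lkp,signature\
| eval MSADChanges=mvjoin(MSADChanges, "########")\
| eval MSADChanges=case(isnull(signature) AND isnull(MSADChanges),"Unknown Changes",isnull(signature),MSADChanges,isnull(MSADChanges),"Signature: ".signature,isnotnull(MSADChanges),"Signature: ".signature."########".MSADChanges)\
| makemv delim="########" MSADChanges\
| lookup AD_Obj_User lookup_usr AS member_obj_lkp OUTPUT cn AS u_cn, dn AS u_dn \
| lookup AD_Obj_Group lookup_grp AS member_obj_lkp OUTPUT cn AS g_cn, dn AS g_dn \
| lookup AD_Obj_Computer lookup_cmp AS member_obj_lkp OUTPUT cn AS c_cn, dn AS c_dn \
| eval member_obj_dn=if(isnull(u_dn),if(isnull(g_dn),if(isnull(c_dn),member_obj_dn,c_dn),g_dn),u_dn) \
| eval Member_Type=if(isnull(u_cn),if(isnull(g_cn),"Computer","Group"),"User") \
| table _time, adminuser,group_obj_nm,msad_action,MSADGroupType,MSADGroupClass,Member_Type,member_obj_lkp,member,MSADChanges
iseval = 0

[ms_obj_groupmembership_change_events(2)]
args = domain,group
definition = 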
`ms_obj_changes_base_cat("Group Membership")` "$group$"\ | fields _time,_raw,member_obj_dn,member_obj_id,member_obj_domain,member_obj_class,src_user,src_nt_domain,group_obj_id,group_obj_dn,group_obj_nm,user_group,group_id,Group_Name,msad_action,MSADGroupClassID,MSADGroupType,MSADGroupClass,signature,Correlation_ID,MSADChangedAttributes,AttributeLDAPDisplayName,AttributeValue,DN,dir_svcs_action,Old_DN,New_DN\ | search (group_obj_dn="$group$" OR user_group="$group$" OR group_id="$group$" OR Group_Name="$group$") (src_nt_domain="$domain$" OR dest_nt_domain="$domain$") \ | eval adminuser=if(isnull(src_nt_domain),lower(src_user),lower(src_nt_domain)."\\".lower(src_user)\ | eval group_obj_dn=if(isnull(group_obj_dn),if(isnull(user_group),if(isnull(group_id),"",lower(group_id)),lower(user_group)),lower(group_obj_dn))\ | eval group_obj_cn=if(isnull(Group_Name),"",lower(Group_Name))\ | eval member=if(isnull(member_obj_domain),replace(member_obj_id,"\x5C{1}",""),member_obj_domain."\\".lower(replace(member_obj_id,"\x5C{1}","")))\ | eval member=if(isnull(member),if(isnull(member_obj_dn),"NA",lower(member_obj_dn)),member)\ | lookup AD_Obj_Group dn AS group_obj_dn OUTPUT cn AS group_obj_nm,MSADGroupType,MSADGroupClass\ | lookup AD_Obj_Group cn AS group_obj_cn OUTPUT cn AS c_group_obj_nm,MSADGroupType AS c_MSADGroupType,MSADGroupClass AS c_MSADGroupClass\ | eval group_obj_nm=if(isnull(group_obj_nm),if(isnull(c_group_obj_nm),if(isnull(group_obj_id),if(isnull(user_group),lower(group_obj_dn),lower(user_group)),lower(group_obj_id)),lower(c_group_obj_nm)),lower(group_obj_nm)),MSADGroupType = if(isnull(MSADGroupType),c_MSADGroupType,MSADGroupType),MSADGroupClass=if(isnull(MSADGroupClass),c_MSADGroupClass,MSADGroupClass)\ | `ms_obj_msad-changed-attributes`\ | stats list(MSADChanges) AS MSADChanges,values(Correlation_ID) AS Correlation_IDs by _time,adminuser,src_user,msad_action,group_obj_nm,MSADGroupType,MSADGroupClass,member,signature\ | eval MSADChanges=mvjoin(MSADChanges, "########")\ 
| eval MSADChanges=case(isnull(signature) AND isnull(MSADChanges),"Unknown Changes",isnull(signature),MSADChanges,isnotnull(MSADChanges),"Signature: ".signature."########".MSADChanges)\ | makemv delim="########" MSADChanges\ | table _time,adminuser,msad_action,group_obj_nm,MSADGroupType,MSADGroupClass,member,MSADChanges, src_user iseval = 0 [ms_obj_group_change_events(2)] args = domain,group definition = `ms_obj_changes_base_cat("Group")` "$group$"\ | fields _time,_raw,member_obj_dn,member_obj_id,member_obj_domain,member_obj_class,src_user,src_nt_domain,dest_nt_domain,group_obj_id,group_obj_dn,group_obj_nm,user_group,Group_Name,group_id,msad_action,MSADGroupClassID,MSADGroupType,MSADGroupClass,signature,Correlation_ID,MSADChangedAttributes,AttributeLDAPDisplayName,AttributeValue,DN,dir_svcs_action,Old_DN,New_DN \ | search (group_obj_dn="$group$" OR user_group="$group$" OR group_id="$group$" OR Group_Name="$group$") (src_nt_domain="$domain$" OR dest_nt_domain="$domain$") NOT AttributeLDAPDisplayName="member"\ | eval group_obj_dn=if(isnull(group_obj_dn),if(isnull(user_group),if(isnull(group_id),"",lower(group_id)),lower(user_group)),lower(group_obj_dn))\ | eval group_obj_cn=if(isnull(Group_Name),"",lower(Group_Name))\ | eval adminuser=if(isnull(src_nt_domain),lower(src_user),lower(src_nt_domain)."\\".lower(src_user)) \ | eval member=if(isnull(member_obj_domain),replace(member_obj_id,"\x5C{1}",""),member_obj_domain."\\".lower(replace(member_obj_id,"\x5C{1}",""))) \ | eval member=if(isnull(member),"NA",member) \ | lookup AD_Audit_Group_Type MSADGroupClassID OUTPUT MSADGroupClass \ | eval objectGUID=lower(objectGUID)\ | lookup AD_Obj_Group dn AS group_obj_dn OUTPUT cn AS group_obj_nm,MSADGroupType,MSADGroupClass\ | lookup AD_Obj_Group cn AS group_obj_cn OUTPUT cn AS c_group_obj_nm,MSADGroupType AS c_MSADGroupType,MSADGroupClass AS c_MSADGroupClass\ | eval group_obj_nm=if(isnull(group_obj_nm),c_group_obj_nm,group_obj_nm),MSADGroupType = 
if(isnull(MSADGroupType),c_MSADGroupType,MSADGroupType),MSADGroupClass=if(isnull(MSADGroupClass),c_MSADGroupClass,MSADGroupClass)\ | eval dir_svcs_action=if(isnull(dir_svcs_action) OR dir_svcs_action="Unknown","","Action: ".dir_svcs_action."########") \ | eval MSADChangedAttributes=mvfilter(NOT match(MSADChangedAttributes, ":(\s*\-\s*|)$")) \ | fillnull value="" signature,Correlation_IDs \ | eval MSADChanges=if(isnull(MSADChangedAttributes),if(isnull(AttributeLDAPDisplayName),if(msad_action="moved","Moved:########--From: ".Old_DN."########--To: ".New_DN,dir_svcs_action.""),if(isnull(AttributeValue) OR AttributeValue="-" OR AttributeValue="",NULL,dir_svcs_action."-- ".AttributeLDAPDisplayName.": ".AttributeValue)),dir_svcs_action."".MSADChangedAttributes) \ | stats list(MSADChanges) AS MSADChanges,values(Correlation_ID) AS Correlation_IDs by _time,adminuser,msad_action,group_obj_nm,MSADGroupType,MSADGroupClass,member,signature \ | eval MSADChanges=mvjoin(MSms_obj_admon_bld_upd_outADChanges, "########") \ | eval MSADChanges=case(isnull(signature) AND isnull(MSADChanges),"Unknown Changes",isnull(signature),MSADChanges,isnotnull(MSADChanges),"Signature: ".signature."########".MSADChanges) \ | makemv delim="########" MSADChanges \ | table _time,adminuser,msad_action,group_obj_nm,MSADGroupType,MSADGroupClass,member,MSADChanges iseval = 0 [ms_obj_group_members_list_all(2)] args = domain,group definition = inputlookup AD_Obj_Group WHERE cn="$group$" AND domain="$domain$"\ | eval group_members="####".mvjoin(member,"####")\ | rex mode=sed field=group_members "s/####/####(Direct)/g"\ | makemv delim="####" member \ | mvexpand member\ | eval emb_group=member\ | fields cn, description, emb_group, emb_group_name, group_members_emb,member,group_members\ | join type=left emb_group [| inputlookup AD_Obj_Group| eval emb_group=distinguishedName | eval emb_group_name=cn | makemv delim="|" member | mvexpand member | eval group_members_emb="####(Embedded Group 
-".emb_group_name.")".member | stats values(group_members_emb) AS group_members_emb by emb_group, emb_group_name | mvcombine group_members_emb | table emb_group,emb_group_name,group_members_emb]\ | table cn, description,member,emb_group,emb_group_name,group_members,group_members_emb\ | eval group_members_comb=if(isnull(group_members_emb),group_members,group_members."".group_members_emb)\ | table cn, description, group_members,group_members_emb,group_members_comb\ | makemv delim="####" group_members_comb\ | mvexpand group_members_comb\ | table cn, description, group_members_comb\ | rex field=group_members_comb "\((?Direct|Embedded Group)"\ | rex field=group_members_comb "\(Embedded Group\s\-(?[^\)]+)"\ | rex field=group_members_comb "\)(?.*)"\ | rex field=member_dn "^CN\=(?[^\,]+)\,(OU|DC|CN)"\ | eval member_emb_assoc_group=case(member_assoc_type="Embedded Group",member_assoc_type."( ".embedded_group." )")\ | eval member_dn=trim(member_dn)\ | table cn, description, member_assoc_type,embedded_group,member_dn,member_name,member_emb_assoc_group iseval = 0 [ms_obj_member_groupmembership_change_events(2)] args = domain,member definition = `ms_obj_changes_base_cat("Group Membership")` (src_nt_domain="$domain$" OR dest_nt_domain="$domain$") [|inputlookup AD_Obj_User WHERE cn="$member$" | fields sAMAccountName,distinguishedName,cn | eval member_obj_id=cn."|".sAMAccountName."|".distinguishedName | makemv delim="|" member_obj_id | stats values(member_obj_id) AS member_obj_id | format]\ | fields _raw,_time,member_obj_domain, member_obj_sam,member_obj_id,member_obj_dn,member_obj_cn,src_user, group_obj_id,src_nt_domain,MSADGroupClassID,msad_action,signature,group_obj_dn\ | eval member_obj_dn=lower(replace(member_obj_dn,"\x5C{1}",""))\ | eval adminuser=if(isnull(src_nt_domain),lower(src_user),lower(src_nt_domain)."\\".lower(src_user))\ | eval member=if(isnull(member_obj_domain),lower(member_obj_id),member_obj_domain."\\".lower(member_obj_id))\ | lookup AD_Obj_Group cn AS 
group_obj_id OUTPUT MSADGroupType,MSADGroupClass,dn AS group_obj_dn\ | eval group_obj_dn=lower(group_obj_dn)\ | join type=left group_obj_dn [|inputlookup AD_Obj_Group | search NOT dn_hist="" |eval group_obj_dn=lower(dn_hist)| rename cn AS group_obj_nm| table group_obj_dn, group_obj_nm, MSADGroupClass, MSADGroupType,orig_cn]\ | eval group_obj_nm=if(isnull(group_obj_nm),if(isnull(group_obj_id),if(isnull(user_group),group_obj_dn,user_group),group_obj_id),group_obj_nm)\ | `ms_obj_msad-changed-attributes`\ | fillnull value="N/A" \ | stats values(MSADChanges) AS MSADChanges by _time,group_obj_nm,msad_action,adminuser,member, member_obj_dn, signature,MSADGroupClass,MSADGroupType\ | table _time,adminuser,msad_action,member,member_obj_dn,group_obj_nm,MSADGroupClass,MSADGroupType,MSADChanges\ | rename group_obj_nm as "Group Name",MSADGroupClass as "Class",msad_action AS "Action",member AS "Target Member",member_obj_dn AS "Target MemberDN",MSADGroupType as "Type",adminuser as "Admin User" iseval = 0 [ms_obj_user_action_events(3)] args = domain,user,action definition = `ms_obj_changes_base_cat("User")` ([| inputlookup AD_Obj_User WHERE lookup_usr="$user$" | fields lookup_usr | stats values(lookup_usr) AS search | eval search="\"".mvjoin(search,"\" OR \"")."\""]) (src_nt_domain="$domain$" OR dest_nt_domain="$domain$") ($action$)\ | `ms_obj_user_change_out`\ | rename adminuser as "Administrator",msad_action as "Action",dest_user_subject as "Target User ID",MSADChanges as "Changes" iseval = 0 [ms_obj_user_change_events(3)] args = domain,user,action definition = `ms_obj_win_events_security` \ [| inputlookup AD_Audit_Change_EventCodes WHERE change_category="User" \ | stats values(EventCode) AS EventCode by obj_type \ | format \ | table search] src_user_type="user" [|inputlookup AD_Obj_User WHERE sAMAccountName="$user$" | fields cn,sAMAccountName,userPrincipalName,distinguishedName | eval search="\"".cn."\" OR \"".sAMAccountName."\" OR \"".userPrincipalName."\" OR 
\"".distinguishedName."\"" | table search]\ | eval user_obj_dn=lower(user_obj_dn)\ | lookup AD_Obj_User distinguishedName AS user_obj_dn OUTPUTNEW cn AS user_cn sAMAccountName AS user\ | eval adminuser=if(isnull(src_nt_domain),lower(src_user),lower(src_nt_domain)."\\".lower(src_user))\ | eval user=if(isnull(user),user_obj_dn,lower(user))\ | search (user="$user$" OR New_Account_Name="$user$" OR Old_Account_Name="$user$") (src_nt_domain="$domain$" OR dest_nt_domain="$domain$") msad_action=$action$\ | eval dest_user_subject=if(isnull(dest_nt_domain) OR match(user,"(?si)cn\="),user,upper(dest_nt_domain)."\\".user)\ | `ms_obj_msad-changed-attributes`\ | fillnull value="" adminuser,msad_action,dest_user_subject,Correlation_ID,signature,MSADChanges\ | stats list(MSADChanges) AS MSADChanges,values(Correlation_ID) AS Correlation_IDs by _time,adminuser,msad_action,dest_user_subject,signature,src_user\ | eval MSADChanges=mvjoin(MSADChanges, "########")\ | eval MSADChanges=case(isnull(signature) AND isnull(MSADChanges),"Unknown Changes",isnull(signature),MSADChanges,isnotnull(MSADChanges),"Signature: ".signature."########".MSADChanges)\ | makemv delim="########" MSADChanges\ | table _time,adminuser,msad_action,dest_user_subject,MSADChanges,src_user iseval = 0 [ms_obj_group_members_user_accounts(2)] args = domain,group definition = inputlookup AD_Obj_Group WHERE cn="$group$" AND domain="$domain$"\ | fields member\ | mvexpand member\ | eval emb_group=member\ | fields emb_group, group_members\ | join type=left emb_group [| inputlookup AD_Obj_Group | fields distinguishedName,member| eval emb_group=distinguishedName | eval group_members_emb="####".mvjoin(member,"####") | table emb_group,group_members_emb]\ | eval group_members_comb=if(isnull(group_members_emb),group_members,group_members."".group_members_emb)\ | makemv delim="####" group_members_comb\ | mvexpand group_members_comb\ | eval member_dn=trim(group_members_comb)\ | table member_dn \ | join type=left member_dn[| 
inputlookup AD_Obj_Group | fields distinguishedName | eval member_dn=distinguishedName | eval group_account="True" | table member_dn, group_account] \ | join type=left member_dn[| inputlookup AD_Obj_User | fields distinguishedName | eval member_dn=distinguishedName | eval user_account=sAMAccountName | table member_dn, user_account] \ | join type=left member_dn[| inputlookup AD_Obj_Computer | fields distinguishedName | eval member_dn=distinguishedName | eval user_account=sAMAccountName | table member_dn, user_account] \ | search NOT group_account="True" \ | table user_account\ | dedup user_account iseval = 0 ###-------------------------------------------------------------------------------### #--- Macro's Used for Building Object KV Store Lookups ---# ###-------------------------------------------------------------------------------### ##- admon - Filter Macros ## - Example Filters: ## - `ms_obj_admon_flt_obj_type(ms_obj_admon_user,ms_obj_admon_base_a_type)` ## - Resulting search Example: ## - index=idx_msad_win sourcetype=ActiveDirectory "objectClass=top|person|organizationalPerson|user" NOT "objectClass=top|person|organizationalPerson|user|computer" ("admonEventType=Sync" OR "admonEventType=Update" OR "admonEventType=Deleted") [ms_obj_admon_flt_obj_type(2)] args = tok_tgt_obj_macro,tok_tgt_type_macro definition = `$tok_tgt_obj_macro$` `$tok_tgt_type_macro$` iseval = 0 ## Replaced with ms_obj_admon_get_begin_sync_t ## Get the day before the first Sync time was ran for a specified object type. 
Will use the search time for where the first sync event is.## ##[ms_obj_admon_last_sync(2)] ##args = tok_tgt_obj_macro,tok_tgt_type_macro ##definition = `$tok_tgt_obj_macro$` `$tok_tgt_type_macro$`\ ##| fields _time\ ##| tail 2\ ##| stats min(_time) AS earliest\ ##| eval earliest=earliest-86400\ ##| table earliest ##iseval = 0 ## Replaced with ms_obj_admon_get_begin_sync_t_val ## Get the days for the last Sync Counts - Using the admonEventType="Start" for getting the earliest/latest time ranges by day ## ##[ms_obj_admon_last_start_sync] ##definition = `ms__obj_win_ad_index` `ms_obj_admon_base_sync_type` [search `ms__obj_win_ad_index` `ms_obj_admon_base_start_type`\ ##| fields _time\ ##| eval s_time=strftime(_time,"%m/%d/%y")\ ##| stats count by s_time\ ##| eval earliest=strptime(s_time,"%m/%d/%y")\ ##| eval latest=earliest+86400\ ##| eval search="earliest=".earliest." latest=".latest\ ##| stats values(search) AS search\ ##| eval search="(".mvjoin(search,") OR (").")"]\ ##| fields _time\ ##| eval Sync_Day=strftime(_time,"%m/%d/%y")\ ##| stats min(_time) AS first_time,max(_time) AS last_time,count AS Sync_Count by Sync_Day\ ##| search Sync_Count>10\ ##| eventstats min(first_time) AS first_time,max(last_time) AS last_time\ ##| eval First_Sync_Day=strftime(first_time,"%m/%d/%y")\ ##| eval Last_Sync_Day=strftime(last_time,"%m/%d/%y")\ ##| table Sync_Day,First_Sync_Day,Last_Sync_Day,Sync_Count\ ##| sort -Sync_Count ##iseval = 0 ## Macro for getting Powershell Script data that contains the AD Details [ms_obj_admon_get_ad_health_cnt] definition = `ms__obj_win_ad_index` source=powershell sourcetype="MSAD:*:Health"\ | fields _time,DomainDNSName \ | stats max(_time) AS l_evt_time by DomainDNSName\ | stats max(l_evt_time) AS l_evt_time, dc(DomainDNSName) AS count\ | eval ObjectType="Domain Details",s_evt_time="",domain_count=count\ | table s_evt_time,l_evt_time,count,ObjectType,domain_count ## Macro for getting the Sync Start (for earliest) timestamp for building or a range, 
Sync Start and Last Sync timestamp for counting objects. ## Variables: ## tok_target_obj = Use for specifying an object type to get sync time rang. This will determine the objects specific macro to use. ## Use ms_obj_admon_(ou/gpo/user/group/computer) ## Use ms_obj_admon_base_a_obj for all objects ## Note fastest would be to use ms_obj_admon_gpo since there should be less gpo's then the other objects ## tok_time_type = Use "sync_count" for getting the count, Use "build" for using to build lookup. [ms_obj_admon_get_begin_sync_t(2)] args = tok_target_obj,tok_time_type definition = `ms__obj_win_ad_index` `ms_obj_admon_base_sync_type` `$tok_target_obj$`\ | fields _time,dc_val\ | eval r_time=round(_time,0)\ | stats max(r_time) AS ls_time by dc_val\ | eval s_time=ls_time-864000\ | stats min(s_time) AS e_time,max(s_time) AS l_time\ | eval e_time_str=strftime(e_time,"%m/%d/%y"),l_time=l_time+864000\ | eval search=if("$tok_time_type$"=="none","",if("$tok_time_type$"=="sync_count","earliest=\"".e_time."\" latest=\"".l_time."\"","earliest=\"".e_time."\""))\ | table search ## Macro for getting the Sync Time Values - Helper Tool. 
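## Reports the recommended sync start day, last sync day and Sync event count across all admon objects,
## using the time window from ms_obj_admon_get_begin_sync_t(ms_obj_admon_gpo,"sync_count").
## NOTE(review): this stanza declares args but its name carries no (2) suffix and the definition
## never references $tok_target_obj$ / $tok_time_type$; First_Sync_Day in the final table is
## never computed. Left unchanged pending confirmation of how it is called.
[ms_obj_admon_get_begin_sync_t_val]
args = tok_target_obj,tok_time_type
definition = `ms__obj_win_ad_index` `ms_obj_admon_base_sync_type` `ms_obj_admon_base_a_obj` [search `ms_obj_admon_get_begin_sync_t(ms_obj_admon_gpo,"sync_count")`]\
| fields _time,dc_val\
| eval r_time=round(_time,0)\
| stats max(r_time) AS ls_time,count by dc_val\
| eval s_time=ls_time-864000\
| stats min(s_time) AS e_time,max(s_time) AS l_time,sum(count) AS Sync_Count\
| eval l_time=l_time+864000\
| eval Recommended_Sync_Start_Day=strftime(e_time,"%m/%d/%y")\
| eval Last_Sync_Day=strftime(l_time,"%m/%d/%y")\
| table Recommended_Sync_Start_Day,First_Sync_Day,Last_Sync_Day,Sync_Count
iseval = 0

## Combined Macro for Checking admon Baseline (Sync) Object (User/Groups/Computers/OU/GPO) counts using an auto time setting
## Variables:
## tok_target_obj = Use for specifying an object type to get the sync time range. This will determine the object's specific macro to use.
## Use ms_obj_admon_(ou/gpo/user/group/computer)
## Use ms_obj_admon_base_a_obj for all objects
## Per objectClass: distinct objectGUID count, first/last Sync event time and distinct dc_val count,
## plus the Domain Details row from ms_obj_admon_get_ad_health_cnt. completion_check reports "OK"
## only when the last Sync event is more than 5 minutes old (collection assumed finished).
[ms_obj_admon_get_sync_cnt(1)]
args = tok_target_obj
definition = `ms__obj_win_ad_index` `ms_obj_admon_base_sync_type` `$tok_target_obj$` [search `ms_obj_admon_get_begin_sync_t(ms_obj_admon_gpo,"sync_count")`]\
| fields _time,objectClass, objectGUID,dc_val\
| stats dc(objectGUID) AS count, min(_time) AS s_evt_time,max(_time) AS l_evt_time,dc(dc_val) AS domain_count by objectClass\
| eval ObjectType=case(objectClass="top|person|organizationalPerson|user","User",objectClass="top|group","Group",objectClass="top|person|organizationalPerson|user|computer","Computer",objectClass="top|organizationalUnit","Organization Units",objectClass="top|container","Containers",objectClass="top|container|groupPolicyContainer","Group Policies")\
| where isnotnull(ObjectType)\
| append [search `ms_obj_admon_get_ad_health_cnt`]\
| eval min_l_evt = (now()-l_evt_time)/60\
| eval completion_check=if(ObjectType="Domain Details",if(count>0,"OK: Domain ms-dc-health data Collected","Warning - Missing eventtype=\"ms_ad_obj_msad-dc-health\" Data, Please review the Getting Data In to ensure the AD Domain Data is either collected or manually added"),if(count>0 AND min_l_evt>5,"OK: Baseline Collection Completed (".round(min_l_evt,0)." Minutes Ago".")","Wait for Baseline Collection to Complete before building Lookups"))\
| eval last_event_event_time=strftime(l_evt_time,"%m/%d/%y %H:%M:%S")\
| eval sync_start_event_time=strftime(s_evt_time,"%m/%d/%y %H:%M:%S")\
| sort -count\
| eval min_l_evt = round(min_l_evt,0)." Minutes Ago",count=tostring(count,"commas")\
| table domain_count,ObjectType,count,sync_start_event_time,last_event_event_time,completion_check
iseval = 0

## Combined Macro for Checking admon Baseline (Sync) Object (User/Groups/Computers/OU/GPO) counts using the time selector
## Variables:
## tok_target_obj = Use for specifying an object type to get the sync time range. This will determine the object's specific macro to use.
## Use ms_obj_admon_(ou/gpo/user/group/computer)
## Use ms_obj_admon_base_a_obj for all objects
## Identical to ms_obj_admon_get_sync_cnt except that no time-range subsearch is injected.
[ms_obj_admon_get_sync_cnt_nt(1)]
args = tok_target_obj
definition = `ms__obj_win_ad_index` `ms_obj_admon_base_sync_type` `$tok_target_obj$`\
| fields _time,objectClass, objectGUID,dc_val\
| stats dc(objectGUID) AS count, min(_time) AS s_evt_time,max(_time) AS l_evt_time,dc(dc_val) AS domain_count by objectClass\
| eval ObjectType=case(objectClass="top|person|organizationalPerson|user","User",objectClass="top|group","Group",objectClass="top|person|organizationalPerson|user|computer","Computer",objectClass="top|organizationalUnit","Organization Units",objectClass="top|container","Containers",objectClass="top|container|groupPolicyContainer","Group Policies")\
| where isnotnull(ObjectType)\
| append [search `ms_obj_admon_get_ad_health_cnt`]\
| eval min_l_evt = (now()-l_evt_time)/60\
| eval completion_check=if(ObjectType="Domain Details",if(count>0,"OK: Domain ms-dc-health data Collected","Warning - Missing eventtype=\"ms_ad_obj_msad-dc-health\" Data, Please review the Getting Data In to ensure the AD Domain Data is either collected or manually added"),if(count>0 AND min_l_evt>5,"OK: Baseline Collection Completed (".round(min_l_evt,0)." Minutes Ago".")","Wait for Baseline Collection to Complete before building Lookups"))\
| eval last_event_event_time=strftime(l_evt_time,"%m/%d/%y %H:%M:%S")\
| eval sync_start_event_time=strftime(s_evt_time,"%m/%d/%y %H:%M:%S")\
| sort -count\
| eval min_l_evt = round(min_l_evt,0)." Minutes Ago",count=tostring(count,"commas")\
| table domain_count,ObjectType,count,sync_start_event_time,last_event_event_time,completion_check
iseval = 0

###-----------------------------------------###
#--- Initial Build Macros ---#
###-----------------------------------------###
## - AD_Obj_Domain Lookup - Initial Build and Update##
## Builds one AD_Obj_Domain record per domain-controller host from ms_ad_obj_msad-dc-health events.
## Existing rows are left-joined on host so previously set multi_lkps_enabled/kv_suffix/dc_val and the
## *_lookup names survive; defaults are "f", the lowercased NetBIOS domain and DomainDNSName.
## When multi_lkps_enabled="t" the per-object lookup names get the kv_suffix appended (AD_Obj_User_<suffix>).
[ms_obj_admon_bld_domain]
definition = `ms__obj_win_ad_index` eventtype="ms_ad_obj_msad-dc-health"\
| fields host, DomainNetBIOSName,DomainDNSName,ForestName,Site\
| stats count by host, DomainNetBIOSName,DomainDNSName,ForestName,Site\
| eval domain=lower(DomainNetBIOSName),DomainDNSName=lower(DomainDNSName),ForestName=lower(ForestName),Site=lower(Site),host=lower(host),DomainNetBIOSName=lower(DomainNetBIOSName)\
| join type=left host [| inputlookup AD_Obj_Domain | table host,domain,multi_lkps_enabled,kv_suffix,dc_val,user_lookup,group_lookup,computer_lookup]\
| eval multi_lkps_enabled=if(isnull(multi_lkps_enabled),"f",multi_lkps_enabled)\
| eval kv_suffix=if(isnull(kv_suffix),lower(domain),kv_suffix)\
| eval dc_val=if(isnull(dc_val),DomainDNSName,dc_val)\
| eval user_lookup=if(isnull(user_lookup),"AD_Obj_User",if(multi_lkps_enabled="f","AD_Obj_User","AD_Obj_User_".kv_suffix))\
| eval group_lookup=if(isnull(group_lookup),"AD_Obj_Group",if(multi_lkps_enabled="f","AD_Obj_Group","AD_Obj_Group_".kv_suffix))\
| eval computer_lookup=if(isnull(computer_lookup),"AD_Obj_Computer",if(multi_lkps_enabled="f","AD_Obj_Computer","AD_Obj_Computer_".kv_suffix))\
| table host,domain,DomainNetBIOSName,DomainDNSName,ForestName,Site,multi_lkps_enabled,kv_suffix,dc_val,user_lookup,group_lookup,computer_lookup\
| sort ForestName,Site,DomainDNSName,host\
| stats values(*) AS * by host\
| eval _key=host\
| outputlookup AD_Obj_Domain append=true
iseval = 0

## - Consolidated Build, Update and Migrate - AD Object Lookups
## - Initial Build and Output
## - Example - Init User - `ms_obj_admon_bld_init_out(user,User)`
## - Example - Init Group - `ms_obj_admon_bld_init_out(group,Group)`
## - Example - Init Computer - `ms_obj_admon_bld_init_out(computer,Computer)`
## - Example - Init OU - `ms_obj_admon_bld_init_out(ou,OU)`
## - Example - Init GPO - `ms_obj_admon_bld_init_out(gpo,GPO)`
## Arguments: tok_obj_l_abrv = lowercase object abbreviation (selects the ms_obj_admon_* and
## ms_obj_admon_base_out_* macros), tok_obj_u_abrv = suffix of the AD_Obj_* lookup written.
## The base_out macro (defined elsewhere) is expected to produce key_val, which becomes the KV Store _key.
## This variant takes no time-range subsearch and appends to the existing lookup.
[ms_obj_admon_bld_init_out_no_sync(2)]
args = tok_obj_l_abrv,tok_obj_u_abrv
definition = `ms_obj_admon_flt_obj_type(ms_obj_admon_$tok_obj_l_abrv$,ms_obj_admon_base_a_type)` \
| `ms_obj_admon_base_out_$tok_obj_l_abrv$`\
| eval _key=key_val\
| outputlookup AD_Obj_$tok_obj_u_abrv$ append=true
iseval = 0

## Initial build with the "build" time range from ms_obj_admon_get_begin_sync_t.
## Note: this outputlookup has no append=true, so the target lookup is replaced, not merged.
[ms_obj_admon_bld_init_out(2)]
args = tok_obj_l_abrv,tok_obj_u_abrv
definition = `ms_obj_admon_flt_obj_type(ms_obj_admon_$tok_obj_l_abrv$,ms_obj_admon_base_a_type)` [search `ms_obj_admon_get_begin_sync_t(ms_obj_admon_$tok_obj_l_abrv$,"build")`]\
| `ms_obj_admon_base_out_$tok_obj_l_abrv$`\
| eval _key=key_val\
| outputlookup AD_Obj_$tok_obj_u_abrv$
iseval = 0

## - Initial Admin Audit Lookup
## ms_obj_winevt_base_out_admin_audit (defined elsewhere) is expected to produce key_val.
[ms_obj_winevt_init_admin_audit]
definition = `ms_obj_winevt_base_out_admin_audit`\
| stats values(*) AS * by key_val\
| eval _key=key_val\
| outputlookup AD_Obj_Admin_Audit append=true
iseval = 0

## UAC Details - Build New using the ms_ad_obj_uac_temp.csv - Only during first time
## Keyed on userAccountControl.
[ms_obj_UAC_new]
definition = inputlookup ms_ad_obj_uac_temp\
| table userAccountControl,uac_details,uac_bin_map\
| eval key_val=userAccountControl\
| stats values(*) AS * by key_val\
| eval _key=key_val\
| outputlookup AD_Obj_UAC append=true
iseval = 0

## Migrate the Previous csv Version(AD_UAC_Details) and Output to new KV Store
## Ex: | `ms_obj_UAC_migrate`
[ms_obj_UAC_migrate]
definition = inputlookup AD_UAC_Details\
| table userAccountControl,uac_details,uac_bin_map\
| eval key_val=userAccountControl\
| stats values(*) AS * by key_val\
| eval _key=key_val\
| outputlookup AD_Obj_UAC append=true
iseval = 0

## - First Build - Update OU Lookup with GPO Links
## Examples - First Build: | `ms_ad_admon_upd_ou_wgpo`
## Resolves each gpo_link of an OU to the GPO displayName (Linked_GPO) and writes it back under
## the objectGUID#DomainDNSName key used by the object lookups.
[ms_ad_admon_upd_ou_wgpo]
definition = inputlookup AD_Obj_OU WHERE gpo_link!=""\
| mvexpand gpo_link\
| lookup AD_Obj_GPO gpo_link AS gpo_link, domain AS domain OUTPUT displayName AS Linked_GPO\
| stats values(Linked_GPO) AS Linked_GPO,values(*) AS * by objectGUID,domain\
| eval _key=objectGUID."#".DomainDNSName\
| outputlookup AD_Obj_OU append=true
iseval = 0

## - First Build - Update GPO Lookup with OU Links
## Examples - First Build: | `ms_ad_admon_upd_gpo_wou`
## The key field is _key (it was written as key, which outputlookup does not treat as the
## KV Store key - matching ms_ad_admon_upd_ou_wgpo and the hist macros above/below).
[ms_ad_admon_upd_gpo_wou]
definition = inputlookup AD_Obj_GPO WHERE gpo_link!=""\
| lookup AD_Obj_OU gpo_link AS gpo_link, domain AS domain OUTPUT distinguishedName AS lc\
| makemv delim="####" lc\
| eval _key=objectGUID."#".DomainDNSName\
| outputlookup AD_Obj_GPO append=true
iseval = 0

###-----------------------------------------###
#--- Scheduled Update Macros ---#
###-----------------------------------------###
## - Update Build and Output
## Arguments = target object lowercase,target Object uppercase
## - Example - Update User = `ms_obj_admon_bld_upd_out(user,User)`
## - Example - Update Group = `ms_obj_admon_bld_upd_out(group,Group)`
## - Example - Update Computer = `ms_obj_admon_bld_upd_out(computer,Computer)`
## Like ms_obj_admon_bld_init_out_no_sync but runs the matching ms_obj_admon_base_hist_* macro first,
## which merges the previously stored lookup_* values into the new record.
[ms_obj_admon_bld_upd_out(2)]
args = tok_obj_l_abrv,tok_obj_u_abrv
definition = `ms_obj_admon_flt_obj_type(ms_obj_admon_$tok_obj_l_abrv$,ms_obj_admon_base_a_type)`\
| `ms_obj_admon_base_out_$tok_obj_l_abrv$`\
| `ms_obj_admon_base_hist_$tok_obj_l_abrv$`\
| eval _key=key_val\
| outputlookup AD_Obj_$tok_obj_u_abrv$ append=true
iseval = 0

## - Update History for Object lookup_usr/grp/cmp ##
## - Update Admin Audit Lookup
[ms_obj_winevt_upd_admin_audit]
definition = `ms_obj_winevt_base_out_admin_audit`\
| stats values(*) AS * by key_val\
| eval _key=key_val\
| outputlookup AD_Obj_Admin_Audit append=true
iseval = 0

## History merge for users: reads the stored lookup_usr for the same domain/objectGUID from AD_Obj_User,
## pipe-joins it onto the new lookup_usr, then re-splits into a multivalue; stats values(*) dedups.
[ms_obj_admon_base_hist_user]
definition = lookup AD_Obj_User domain,objectGUID OUTPUT lookup_usr AS p_lookup_usr\
| eval lookup_usr=if(isnull(p_lookup_usr),mvjoin(lookup_usr,"|"),mvjoin(lookup_usr,"|")."|".mvjoin(p_lookup_usr,"|"))\
| eval key_val=((objectGUID . "#") . DomainDNSName)\
| makemv delim="|" lookup_usr\
| fields - p_lookup_usr\
| stats values(*) AS * by key_val
iseval = 0

## History merge for OUs (lookup_ou). The merged value was previously assigned to a misspelled
## field (lookup_oup), so the stored history was discarded; it now targets lookup_ou like the
## user/group/computer variants.
[ms_obj_admon_base_hist_ou]
definition = lookup AD_Obj_OU domain objectGUID OUTPUT lookup_ou AS p_lookup_ou\
| eval lookup_ou=if(isnull(p_lookup_ou),mvjoin(lookup_ou,"|"),mvjoin(lookup_ou,"|")."|".mvjoin(p_lookup_ou,"|"))\
| eval key_val=((objectGUID . "#") . DomainDNSName)\
| makemv delim="|" lookup_ou\
| fields - p_lookup_ou\
| stats values(*) AS * by key_val
iseval = 0

## History merge for groups (lookup_grp).
[ms_obj_admon_base_hist_group]
definition = lookup AD_Obj_Group domain,objectGUID OUTPUT lookup_grp AS p_lookup_grp\
| eval lookup_grp=if(isnull(p_lookup_grp),mvjoin(lookup_grp,"|"),mvjoin(lookup_grp,"|")."|".mvjoin(p_lookup_grp,"|"))\
| eval key_val=((objectGUID . "#") . DomainDNSName)\
| makemv delim="|" lookup_grp\
| fields - p_lookup_grp\
| stats values(*) AS * by key_val
iseval = 0

## GPOs keep no lookup history; only the per-key consolidation is performed.
[ms_obj_admon_base_hist_gpo]
definition = stats values(*) AS * by key_val
iseval = 0

## History merge for computers (lookup_cmp).
[ms_obj_admon_base_hist_computer]
definition = lookup AD_Obj_Computer domain objectGUID OUTPUT lookup_cmp AS p_lookup_cmp\
| eval lookup_cmp=if(isnull(p_lookup_cmp),mvjoin(lookup_cmp,"|"),mvjoin(lookup_cmp,"|")."|".mvjoin(p_lookup_cmp,"|"))\
| eval key_val=((objectGUID . "#") . DomainDNSName)\
| makemv delim="|" lookup_cmp\
| fields - p_lookup_cmp\
| stats values(*) AS * by key_val
iseval = 0

## - AD Domain Lookup - Update Build##
## Same as ms_obj_admon_bld_domain but without the final per-host stats consolidation.
[ms_obj_admon_upd_domain]
definition = `ms__obj_win_ad_index` eventtype="ms_ad_obj_msad-dc-health"\
| fields host, DomainNetBIOSName,DomainDNSName,ForestName,Site\
| stats count by host, DomainNetBIOSName,DomainDNSName,ForestName,Site\
| eval domain=lower(DomainNetBIOSName),DomainDNSName=lower(DomainDNSName),ForestName=lower(ForestName),Site=lower(Site),host=lower(host),DomainNetBIOSName=lower(DomainNetBIOSName)\
| join type=left host [| inputlookup AD_Obj_Domain | table host,domain,multi_lkps_enabled,kv_suffix,dc_val,user_lookup,group_lookup,computer_lookup]\
| eval multi_lkps_enabled=if(isnull(multi_lkps_enabled),"f",multi_lkps_enabled)\
| eval kv_suffix=if(isnull(kv_suffix),lower(domain),kv_suffix)\
| eval dc_val=if(isnull(dc_val),DomainDNSName,dc_val)\
| eval user_lookup=if(isnull(user_lookup),"AD_Obj_User",if(multi_lkps_enabled="f","AD_Obj_User","AD_Obj_User_".kv_suffix))\
| eval group_lookup=if(isnull(group_lookup),"AD_Obj_Group",if(multi_lkps_enabled="f","AD_Obj_Group","AD_Obj_Group_".kv_suffix))\
| eval computer_lookup=if(isnull(computer_lookup),"AD_Obj_Computer",if(multi_lkps_enabled="f","AD_Obj_Computer","AD_Obj_Computer_".kv_suffix))\
| table host,domain,DomainNetBIOSName,DomainDNSName,ForestName,Site,multi_lkps_enabled,kv_suffix,dc_val,user_lookup,group_lookup,computer_lookup\
| sort ForestName,Site,DomainDNSName,host\
| eval _key = host\
| outputlookup AD_Obj_Domain append=true
iseval = 0

###-----------------------------------------###
#--- Migrate from csv to Kvstore Macros ---#
###-----------------------------------------###
## - Migrate CSV Lookup to KVStore Lookups
## - Example - Migrate User - `ms_obj_admon_migrate_out(user,User)`
## - Example - Migrate Group - `ms_obj_admon_migrate_out(group,Group)`
## - Example - Migrate Computer - `ms_obj_admon_migrate_out(computer,Computer)`
## - Example - Migrate OU - `ms_obj_admon_migrate_out(ou,OU)`
## - Example - Migrate GPO - `ms_obj_admon_migrate_out(gpo,GPO)`
## Runs the ms_obj_<abrv>_base_migrate macro for the object type and appends the result under key_val.
[ms_obj_admon_migrate_out(2)]
args = tok_obj_l_abrv,tok_obj_u_abrv
definition = `ms_obj_$tok_obj_l_abrv$_base_migrate`\
| stats values(*) AS * by key_val\
| eval _key=key_val\
| outputlookup AD_Obj_$tok_obj_u_abrv$ append=true
iseval = 0

## Migrate AD_User_LDAP_list to AD_Obj_User kvstore
## The rex named capture group other_ou (read by the following eval) is restored in the pattern.
[ms_obj_user_base_migrate]
definition = inputlookup AD_User_LDAP_list\
| fields _time,DomainDNSName,OU,accountExpires,adminCount,badPasswordTime,badPwdCount,c,cn,orig_cn,codePage,countryCode,dSCorePropagationData,dcName,deletedDate,department,description,displayName,distinguishedName,dn,dn_hist,dn_path,domain,givenName,guid_lookup,initials,instanceType,isCriticalSystemObject,isDeleted,isRecycled,l,lastKnownParent,lastLogon,lastLogonTimestamp,admonEventType,lockoutTime,logonCount,logonHours,managedBy,msDS-SupportedEncryptionTypes,name,objectCategory,objectClass,objectGUID,objectSid,physicalDeliveryOfficeName,postalCode,primaryGroupID,pwdLastSet,sAMAccountName,sAMAccountType,servicePrincipalName,showInAdvancedViewOnly,sid_lookup,sn,st,streetAddress,title,uac_details,uSNChanged,uSNCreated,userAccountControl,userPrincipalName,userWorkstations,whenChanged,whenCreated\
| eval objectGUID=lower(objectGUID),domain=lower(domain),DomainDNSName=lower(DomainDNSName),distinguishedName=lower(distinguishedName),dn=lower(dn),dn_hist=lower(dn_hist),dn_path=lower(dn_path),sAMAccountName=lower(sAMAccountName),userPrincipalName=lower(userPrincipalName)\
| join type=left DomainDNSName [|inputlookup AD_Obj_Domain | stats count by DomainDNSName,domain | table DomainDNSName,domain]\
| rex field=distinguishedName "(?si)(?:(cn|ou)\=)(?<other_ou>[^\,]+)\,dc\="\
| eval OU=if(isnull(OU),lower(other_ou),lower(OU))\
| eval d_dn=if(dn_hist=="",dn,mvjoin(dn_hist,"|")),d_cn=if(orig_cn=="",cn,cn."|".orig_cn),d_sam=if(sAMAccountName=cn,"",lower(sAMAccountName)),d_princ=if(userPrincipalName=="","",userPrincipalName)\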
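| eval lookup_usr=lower(d_cn)."|".lower(d_dn)."|".d_sam."|".d_princ\
| eval user_type="user"\
| makemv delim="|" lookup_usr\
| eval key_val=objectGUID."#".DomainDNSName\
| table key_val,DomainDNSName,OU,accountExpires,adminCount,badPasswordTime,badPwdCount,c,cn,orig_cn,codePage,countryCode,dSCorePropagationData,dcName,deletedDate,department,description,displayName,distinguishedName,dn,dn_hist,dn_path,domain,givenName,guid_lookup,initials,instanceType,isCriticalSystemObject,isDeleted,isRecycled,l,lastKnownParent,lastLogon,lastLogonTimestamp,last_evt_flg,lockoutTime,logonCount,logonHours,lookup_usr,managedBy,msDS-SupportedEncryptionTypes,name,objectCategory,objectClass,objectGUID,objectSid,orig_evt_dn,physicalDeliveryOfficeName,postalCode,primaryGroupID,pwdLastSet,sAMAccountName,sAMAccountType,servicePrincipalName,showInAdvancedViewOnly,sid_lookup,sn,st,streetAddress,title,uac_details,uSNChanged,uSNCreated,userAccountControl,userPrincipalName,userWorkstations,whenChanged,whenCreated,user_type,time
iseval = 0

## Migrate AD_Groups_LDAP_list to AD_Obj_Group kvstore
# Reads the legacy AD_Groups_LDAP_list CSV into the AD_Obj_Group schema:
# group type names resolved through AD_Audit_Group_Details, sAMAccountType
# 268435457 (non-security group) flagged as isDistributionList, the member
# list split on "####" then "|" into a multi-value with membercount, and
# lookup_grp built from cn/orig_cn, dn/dn_hist and sAMAccountName.
# key_val is objectGUID#DomainDNSName.
# NOTE(review): every rex in the macros below shows an empty named group such
# as `(?[^\,]+)`, which is not valid PCRE; the `<name>` part looks stripped
# in this copy.  The evals that follow each rex read other_ou, DomainDNSName,
# orig_cn, dn_path, primaryGroupToken, gpo_link and ou_del, which is the likely
# original naming - confirm against the deployed macros.conf before reuse.
[ms_obj_group_base_migrate]
definition = inputlookup AD_Groups_LDAP_list\
| fields DomainDNSName,OU,adminCount,c,cn,orig_cn,dSCorePropagationData,dcName,deletedDate,description,displayName,distinguishedName,dn,dn_path,dn_hist,domain,groupType,groupType_Name,guid_lookup,instanceType,isCriticalSystemObject,isDeleted,isRecycled,l,lastKnownParent,last_evt_flg,managedBy,member,name,objectCategory,objectClass,objectGUID,objectSid,primaryGroupToken,sAMAccountName,sAMAccountType,showInAdvancedViewOnly,sid_lookup,st,systemFlags,uSNChanged,uSNCreated,whenChanged,whenCreated\
| eval displayName=if(isnull(displayName),cn,displayName)\
| eval d_dn=if(dn_hist=="",dn,mvjoin(dn_hist,"|")),d_cn=if(orig_cn=="",cn,cn."|".orig_cn),d_sam=sAMAccountName\
| rex field=distinguishedName "(?si)(?:(cn|ou)\=)(?[^\,]+)\,dc\="\
| eval OU=if(isnull(OU),lower(other_ou),lower(OU))\
| eval objectGUID=lower(objectGUID),domain=lower(domain),DomainDNSName=lower(DomainDNSName),distinguishedName=lower(distinguishedName),dn=lower(dn),dn_hist=lower(dn_hist),dn_path=lower(dn_path),sAMAccountName=lower(sAMAccountName),member=lower(member),cn=lower(cn)\
| lookup AD_Audit_Group_Details groupType,sAMAccountType OUTPUT groupType_Name,MSADGroupType,MSADGroupClass\
| eval isDistributionList=if(sAMAccountType="268435457","TRUE","FALSE"),lookup_grp=lower(d_cn)."|".lower(d_dn)."|".lower(d_sam)\
| join type=left DomainDNSName [|inputlookup AD_Obj_Domain | stats count by DomainDNSName,domain | table DomainDNSName,domain]\
| makemv delim="####" member\
| makemv delim="|" member\
| eval membercount=mvcount(member)\
| fillnull value="0" membercount\
| makemv delim="|" lookup_grp\
| eval key_val=objectGUID."#".DomainDNSName\
| table key_val,DomainDNSName,OU,adminCount,c,cn,orig_cn,dSCorePropagationData,dcName,deletedDate,description,displayName,distinguishedName,dn,dn_hist,dn_path,domain,groupType,groupType_Name,guid_lookup,instanceType,isCriticalSystemObject,isDeleted,isDistributionList,isRecycled,l,lastKnownParent,last_evt_flg,lookup_grp,managedBy,member,membercount,MSADGroupType,MSADGroupClass,name,objectCategory,objectClass,objectGUID,objectSid,orig_evt_dn,primaryGroupToken,sAMAccountName,sAMAccountType,showInAdvancedViewOnly,sid_lookup,src_nt_domain,st,systemFlags,uSNChanged,uSNCreated,whenChanged,whenCreated,time
iseval = 0

## Migrate AD_Computer_LDAP_list to AD_Obj_Computer kvstore
# Reads the legacy AD_Computer_LDAP_list CSV into the AD_Obj_Computer schema.
# Boolean flags default to "FALSE" and every other null to "" before the
# identifiers are lower-cased; deletedDate is parsed from whenChanged (admon's
# "%I:%M.%S %p, %a %m/%d/%Y" string form) only when the last event flag or
# isDeleted says the object was deleted, otherwise 0.  src_nt_domain is the
# NetBIOS domain from AD_Obj_Domain; lookup_cmp is cn/orig_cn, dn/dn_hist and
# sAMAccountName.  key_val is objectGUID#DomainDNSName.
[ms_obj_computer_base_migrate]
definition = inputlookup AD_Computer_LDAP_list\
| fields DomainDNSName,OU,accountExpires,badPasswordTime,badPwdCount,c,cn,orig_cn,codePage,countryCode,dNSHostName,dSCorePropagationData,dcName,deletedDate,description,displayName,distinguishedName,dn,dn_path,dn_hist,domain,instanceType,isCriticalSystemObject,isDeleted,isRecycled,l,lastKnownParent,lastLogon,lastLogonTimestamp,last_evt_flg,localPolicyFlags,logonCount,managedBy,msDFSR-ComputerReferenceBL,msDS-SupportedEncryptionTypes,name,objectCategory,objectClass,objectGUID,objectSid,operatingSystem,operatingSystemServicePack,operatingSystemVersion,primaryGroupID,pwdLastSet,rIDSetReferences,sAMAccountName,sAMAccountType,serverReferenceBL,servicePrincipalName,sid_lookup,st,uac_details,uSNChanged,uSNCreated,userAccountControl,whenChanged,whenCreated\
| fillnull value="FALSE" isRecycled,isDeleted,isCriticalSystemObject,showInAdvancedViewOnly \
| fillnull value="" \
| rex field=distinguishedName "(?si)(?:(cn|ou)\=)(?[^\,]+)\,dc\="\
| eval OU=if(isnull(OU),lower(other_ou),lower(OU))\
| eval objectGUID=lower(objectGUID),domain=lower(domain),dNSHostName=lower(dNSHostName),DomainDNSName=lower(DomainDNSName),distinguishedName=lower(distinguishedName),dn=lower(dn),dn_hist=lower(dn_hist),dn_path=lower(dn_path),sAMAccountName=lower(sAMAccountName)\
| eval d_dn=if(dn_hist=="",dn,mvjoin(dn_hist,"|")),d_cn=if(orig_cn=="",cn,cn."|".orig_cn),d_sam=sAMAccountName\
| eval deletedDate=if(match(lower(last_evt_flg), "deleted") OR match(lower(isDeleted), "true"), strptime(whenChanged, "%I:%M.%S %p, %a %m/%d/%Y"), 0)\
| join type=left DomainDNSName [|inputlookup AD_Obj_Domain | stats count by DomainDNSName,domain | table DomainDNSName,domain] \
| eval src_nt_domain=domain,lookup_cmp=lower(d_cn)."|".lower(d_dn)."|".lower(d_sam)\
| makemv delim="|" lookup_cmp\
| eval key_val=objectGUID."#".DomainDNSName\
| table key_val,DomainDNSName,OU,accountExpires,badPasswordTime,badPwdCount,c,cn,orig_cn,codePage,countryCode,dNSHostName,dSCorePropagationData,dcName,deletedDate,description,displayName,distinguishedName,dn,dn_hist,dn_path,domain,instanceType,isCriticalSystemObject,isDeleted,isRecycled,l,lastKnownParent,lastLogon,lastLogonTimestamp,last_evt_flg,localPolicyFlags,logonCount,lookup_cmp,managedBy,msDFSR-ComputerReferenceBL,msDS-SupportedEncryptionTypes,name,objectCategory,objectClass,objectGUID,objectSid,operatingSystem,operatingSystemServicePack,operatingSystemVersion,orig_evt_dn,primaryGroupID,pwdLastSet,rIDSetReferences,sAMAccountName,sAMAccountType,serverReferenceBL,servicePrincipalName,sid_lookup,src_nt_domain,st,uac_details,uSNChanged,uSNCreated,userAccountControl,whenChanged,whenCreated,time
iseval = 0

## OU - Migrate from csv AD_OU_LDAP_list to AD_Obj_OU kvstore
# Reads the legacy AD_OU_LDAP_list CSV into the AD_Obj_OU schema.  d_cn falls
# back orig_cn -> cn -> displayName -> "" so lookup_ou always has a name part;
# linked GPO GUIDs are pulled out of gPLink (max_match=0, one per link).
# key_val is objectGUID#DomainDNSName.
# NOTE(review): the lower-casing eval assigns OU twice (from OU, then from
# ou), so the second assignment wins; and `q` in the final table is not
# produced anywhere visible here - presumably a CSV column, verify.
[ms_obj_ou_base_migrate]
definition = inputlookup AD_OU_LDAP_list\
| fields DomainDNSName,Linked_GPO,c,cn,orig_cn,dSCorePropagationData,deletedDate,description,displayName,distinguishedName,dn,dn_hist,dn_path,domain,gPLink,gpo_link,guid_lookup,host,instanceType,isCriticalSystemObject,isDeleted,isRecycled,l,lastKnownParent,admonEventType,managedBy,name,objectCategory,objectClass,objectGUID,ou,revision,showInAdvancedViewOnly,st,systemFlags,uSNChanged,uSNCreated,versionNumber,whenChanged,whenCreated \
| eval DomainDNSName=lower(DomainDNSName)\
| eval d_dn=if(dn_hist=="",dn,mvjoin(dn_hist,"|")),d_cn=if(orig_cn="" OR isnull(orig_cn),if(cn="" OR isnull(cn),if(displayName="" OR isnull(displayName),"",lower(displayName)),lower(cn)),lower(orig_cn))\
| fillnull value=""\
| join type=left DomainDNSName [|inputlookup AD_Obj_Domain | stats count by DomainDNSName,domain | table DomainDNSName,domain]\
| rex field=gPLink max_match=0 "(?msi)(?:\[LDAP\:\/\/cn\=\{)(?[^\}]+)"\
| eval objectGUID=lower(objectGUID),domain=lower(domain),dNSHostName=lower(dNSHostName),Linked_GPO=lower(Linked_GPO),gPLink=lower(gPLink),gpo_link=lower(gpo_link),OU=lower(OU),distinguishedName=lower(distinguishedName),dn=lower(dn),dn_hist=lower(dn_hist),dn_path=lower(dn_path),OU=lower(ou)\
| eval key_val=objectGUID."#".DomainDNSName,lookup_ou=lower(d_cn)."|".lower(d_dn)\
| makemv delim="|" lookup_ou\
| table key_val,c,cn,deletedDate,description,displayName,distinguishedName,dn,dn_hist,domain,DomainDNSName,dSCorePropagationData,gPLink,gpo_link,guid_lookup,host,instanceType,isCriticalSystemObject,isDeleted,isRecycled,l,lastKnownParent,last_evt_flg,Linked_GPO,lookup_ou,managedBy,name,objectCategory,objectClass,objectGUID,orig_cn,orig_evt_dn,OU,q,revision,showInAdvancedViewOnly,st,systemFlags,uSNChanged,uSNCreated,versionNumber,whenChanged,whenCreated,time
iseval = 0

## GPO - Migrate from csv AD_GroupPolicies_LDAP_list to AD_Obj_GPO kvstore
# Reads the legacy AD_GroupPolicies_LDAP_list CSV into the AD_Obj_GPO schema.
# The GPO GUID is taken from the "CN={...},CN=Policies" part of the DN, the
# "####"-joined lc field is split into a multi-value, and the NetBIOS domain
# is looked up from AD_Obj_Domain.  key_val is objectGUID#DomainDNSName.
# NOTE(review): flags, gPCFileSysPath, gPCFunctionalityVersion,
# gPCMachineExtensionNames, src_nt_domain and time in the final table are not
# selected by the fields command above - presumably CSV columns, verify.
[ms_obj_gpo_base_migrate]
definition = inputlookup AD_GroupPolicies_LDAP_list\
| fields DomainDNSName,Linked_GPO,c,cn,orig_cn,dSCorePropagationData,deletedDate,description,displayName,distinguishedName,dn,dn_path,dn_hist,domain,gPLink,gpo_link,guid_lookup,host,instanceType,isCriticalSystemObject,isDeleted,isRecycled,l,lastKnownParent,lc,admonEventType,managedBy,name,objectCategory,objectClass,objectGUID,ou,revision,showInAdvancedViewOnly,st,systemFlags,uSNChanged,uSNCreated,versionNumber,whenChanged,whenCreated\
| eval DomainDNSName=lower(DomainDNSName)\
| rex field=distinguishedName "(?msi)(?:CN\=\{)(?[^\}]+)\}\,CN\=Policies"\
| eval objectGUID=lower(objectGUID),domain=lower(domain),dNSHostName=lower(dNSHostName),DomainDNSName=lower(DomainDNSName),gPLink=lower(gPLink),gpo_link=lower(gpo_link),lc=lower(lc),OU=lower(OU),distinguishedName=lower(distinguishedName),cn=lower(cn),dn=lower(dn),dn_hist=lower(dn_hist),dn_path=lower(dn_path),ou=lower(ou)\
| makemv delim="####" lc\
| lookup AD_Obj_Domain DomainDNSName OUTPUT domain\
| eval key_val=objectGUID."#".DomainDNSName\
| table key_val,cn,dSCorePropagationData,displayName,distinguishedName,dn,dn_hist,dn_path,flags,gpo_link,gPCFileSysPath,gPCFunctionalityVersion,gPCMachineExtensionNames,instanceType,isCriticalSystemObject,name,objectCategory,objectClass,objectGUID,showInAdvancedViewOnly,systemFlags,uSNChanged,uSNCreated,versionNumber,whenChanged,whenCreated,lastKnownParent,isRecycled,isDeleted,domain,src_nt_domain,DomainDNSName,lc,last_evt_flg,deletedDate,time
iseval = 0

## Domain - Migrate from csv AD_Domain_Selector to AD_Obj_Domain kvstore
# Reads the legacy AD_Domain_Selector CSV into the AD_Obj_Domain schema with
# the same defaulting as ms_obj_admon_upd_domain (existing AD_Obj_Domain
# settings win, otherwise multi_lkps_enabled="f", kv_suffix=domain,
# dc_val=DomainDNSName, *_lookup = AD_Obj_<Type>[_<kv_suffix>]).
# key_val is the lower-cased host, matching the _key used by the live update.
# Fix: key_val was computed but dropped by the final table, so
# ms_obj_admon_migrate_out(domain,Domain) had nothing to group or key by and
# wrote no rows; key_val is now kept in the output.
[ms_obj_domain_base_migrate]
definition = inputlookup AD_Domain_Selector\
| fields host,DomainNetBIOSName,DomainDNSName,ForestName,Site,domain\
| eval host=lower(host),DomainNetBIOSName=lower(DomainNetBIOSName),DomainDNSName=lower(DomainDNSName),ForestName=lower(ForestName),Site=lower(Site),domain=lower(domain)\
| stats count by host, DomainNetBIOSName,DomainDNSName,ForestName,Site,domain\
| eval domain=if(isnull(domain),DomainNetBIOSName,domain)\
| join type=left host [| inputlookup AD_Obj_Domain | table host,domain,multi_lkps_enabled,kv_suffix,dc_val,user_lookup,group_lookup,computer_lookup]\
| eval multi_lkps_enabled=if(isnull(multi_lkps_enabled),"f",multi_lkps_enabled)\
| eval kv_suffix=if(isnull(kv_suffix),lower(domain),kv_suffix)\
| eval dc_val=if(isnull(dc_val),DomainDNSName,dc_val)\
| eval user_lookup=if(isnull(user_lookup),"AD_Obj_User",if(multi_lkps_enabled="f","AD_Obj_User","AD_Obj_User_".kv_suffix))\
| eval group_lookup=if(isnull(group_lookup),"AD_Obj_Group",if(multi_lkps_enabled="f","AD_Obj_Group","AD_Obj_Group_".kv_suffix))\
| eval computer_lookup=if(isnull(computer_lookup),"AD_Obj_Computer",if(multi_lkps_enabled="f","AD_Obj_Computer","AD_Obj_Computer_".kv_suffix))\
| sort ForestName,Site,DomainDNSName,host\
| eval key_val = lower(host)\
| table key_val,host,domain,DomainNetBIOSName,DomainDNSName,ForestName,Site,multi_lkps_enabled,kv_suffix,dc_val,user_lookup,group_lookup,computer_lookup
iseval = 0

## Admin Audit - Migrate from csv AD_Audit_Admin_list to AD_Obj_Admin_Audit kvstore
# One-off migration of the admin audit CSV into the AD_Obj_Admin_Audit KV
# store, keyed by admin_objectGUID#admin_domain.
# NOTE(review): the fillnull names admin_dn_hist while the eval and table use
# admin_dn_history, so one of them is misspelt - check the CSV header.
# NOTE(review): the live builder ms_obj_winevt_base_out_admin_audit keys rows
# by admin_user#admin_domain, not by objectGUID, so rows migrated here would
# never be updated in place by the live build - confirm this is intended.
[ms_obj_winevt_migrate_admin_audit]
definition = inputlookup AD_Audit_Admin_list\
| eval last_time_string=strftime(last_time_utc,"%m/%d/%y %H:%M:%S") \
| fillnull value="" admin_dn,admin_dn_hist,admin_dn_path,admin_cn,admin_userPrincipalName \
| eval key_val=lower(admin_objectGUID)."#".lower(admin_domain)\
| eval admin_user=lower(admin_user), admin_domain=lower(admin_domain), admin_dn=lower(admin_dn), admin_dn_history=lower(admin_dn_history), admin_dn_path=lower(admin_dn_path),admin_objectGUID=lower(admin_objectGUID),admin_userPrincipalName=lower(admin_userPrincipalName)\
| table key_val,admin_user, admin_domain, admin_dn, admin_dn_history, admin_dn_path,admin_cn,admin_objectGUID,last_time_string,last_time_utc,admin_userPrincipalName\
| stats values(*) AS * by key_val\
| eval _key=key_val\
| outputlookup AD_Obj_Admin_Audit append=true
iseval = 0

###-----------------------------------------###
#--- Format Output Macros - ---#
#--- Updates, Builds, and Migrate ---#
#--- Also used for Multi-Domain Split KVs ---#
###-----------------------------------------###
## - User Base admon Lookup Formatting Output ##
# Shapes raw admon user events (the caller supplies the search in front) into
# the AD_Obj_User KV schema: one row per objectGUID with the latest value of
# every field, time = newest event, orig_evt_dn = first DN seen, dn_hist = all
# DNs seen when there is more than one (object moved/renamed), DomainDNSName
# rebuilt from the DC= parts of the DN, a "DEL:" suffixed cn reduced to the
# original name, deletedDate parsed from whenChanged only for deleted objects,
# userAccountControl decoded through AD_Obj_UAC, NetBIOS domain joined from
# AD_Obj_Domain, and lookup_usr (cn/orig_cn, dn/dn_hist, sAMAccountName unless
# equal to cn, UPN) merged across rows sharing key_val.
# key_val is objectGUID#DomainDNSName.
[ms_obj_admon_base_out_user]
definition = fields _time,DomainDNSName,OU,accountExpires,adminCount,badPasswordTime,badPwdCount,c,cn,orig_cn,codePage,countryCode,dSCorePropagationData,dcName,deletedDate,department,description,displayName,distinguishedName,dn,dn_path,domain,givenName,guid_lookup,initials,instanceType,isCriticalSystemObject,isDeleted,isRecycled,l,lastKnownParent,lastLogon,lastLogonTimestamp,admonEventType,lockoutTime,logonCount,logonHours,managedBy,msDS-SupportedEncryptionTypes,name,objectCategory,objectClass,objectGUID,objectSid,physicalDeliveryOfficeName,postalCode,primaryGroupID,pwdLastSet,sAMAccountName,sAMAccountType,servicePrincipalName,showInAdvancedViewOnly,sid_lookup,sn,st,streetAddress,title,uSNChanged,uSNCreated,userAccountControl,userPrincipalName,userWorkstations,whenChanged,whenCreated\
| rex max_match=0 field=distinguishedName "\,DC\=(?[^(\,|$)]+)"\
| eval DomainDNSName=mvjoin(lower(DomainDNSName),".")\
| stats max(_time) AS time,earliest(distinguishedName) AS orig_evt_dn,values(distinguishedName) AS dn_hist_hold,latest(*) AS * by objectGUID\
| rex field=cn "(?[a-zA-Z0-9._\-\s,\$(.+\x5C{1}.+)[^\sDEL:]+)\sDEL:"\
| rex field=distinguishedName "(?i)(?:\,(?[^\,]+)"\
| eval OU=if(isnull(other_ou),lower(OU),lower(other_ou))\
| eval distinguishedName=lower(distinguishedName),displayName=if(isnull(displayName),if(isnull(cn),orig_cn,cn),displayName),dn=lower(distinguishedName),last_evt_flg=admonEventType,cn=lower(cn),lastKnownParent=lower(lastKnownParent),user_type="user",objectGUID=lower(objectGUID),DomainDNSName=lower(DomainDNSName),sAMAccountName=lower(sAMAccountName),userPrincipalName=lower(userPrincipalName),orig_evt_dn=lower(orig_evt_dn)\
| rex field=distinguishedName "(?i)(?:\,(?(cn|ou|dc)\=[^$]+)"\
| fillnull value="FALSE" isRecycled,isDeleted,isCriticalSystemObject,showInAdvancedViewOnly\
| eval deletedDate=if(match(lower(last_evt_flg), "deleted") OR match(lower(isDeleted), "true"), strptime(whenChanged, "%I:%M.%S %p, %a %m/%d/%Y"), 0)\
| lookup AD_Obj_UAC userAccountControl OUTPUT uac_bin_map, uac_details\
| makemv delim=":" uac_details\
| join type=left DomainDNSName [|inputlookup AD_Obj_Domain | stats count by DomainDNSName,domain | table DomainDNSName,domain]\
| eval dn_hist_cnt=mvcount(dn_hist_hold)\
| eval dn_hist=if(dn_hist_cnt>1,lower(dn_hist_hold),"")\
| fillnull value=0 adminCount,badPwdCount,lastLogonTimestamp,logonCount,primaryGroupID,pwdLastSet,uSNChanged,uSNCreated,userAccountControl,whenChanged,whenCreated\
| fillnull value="" OU,accountExpires,badPasswordTime,c,cn,orig_cn,codePage,countryCode,dSCorePropagationData,dcName,department,description,displayName,distinguishedName,dn,dn_hist,dn_path,domain,givenName,guid_lookup,initials,instanceType,l,lastKnownParent,last_evt_flg,lockoutTime,logonHours,managedBy,msDS-SupportedEncryptionTypes,name,objectCategory,objectClass,objectGUID,objectSid,orig_evt_dn,physicalDeliveryOfficeName,postalCode,primaryGroupID,sAMAccountName,sAMAccountType,servicePrincipalName,sid_lookup,sn,st,streetAddress,title,uSNChanged,uSNCreated,uac_details,userPrincipalName,userWorkstations,uac_bin_map\
| eval d_dn=if(dn_hist=="",dn,mvjoin(dn_hist,"|")),d_cn=if(orig_cn=="",cn,cn."|".orig_cn),d_sam=if(sAMAccountName=cn,"",lower(sAMAccountName)),d_princ=if(userPrincipalName=="","",userPrincipalName)\
| eval key_val=objectGUID."#".DomainDNSName,lookup_usr=lower(d_cn)."|".lower(d_dn)."|".d_sam."|".d_princ\
| makemv delim="|" lookup_usr\
| eventstats values(lookup_usr) AS lookup_usr by key_val\
| table key_val,DomainDNSName,OU,accountExpires,adminCount,badPasswordTime,badPwdCount,c,cn,orig_cn,codePage,countryCode,dSCorePropagationData,dcName,deletedDate,department,description,displayName,distinguishedName,dn,dn_hist,dn_path,domain,givenName,guid_lookup,initials,instanceType,isCriticalSystemObject,isDeleted,isRecycled,l,lastKnownParent,lastLogon,lastLogonTimestamp,last_evt_flg,lockoutTime,logonCount,logonHours,lookup_usr,managedBy,msDS-SupportedEncryptionTypes,name,objectCategory,objectClass,objectGUID,objectSid,orig_evt_dn,physicalDeliveryOfficeName,postalCode,primaryGroupID,pwdLastSet,sAMAccountName,sAMAccountType,servicePrincipalName,showInAdvancedViewOnly,sid_lookup,sn,st,streetAddress,title,uac_details,uSNChanged,uSNCreated,userAccountControl,userPrincipalName,userWorkstations,whenChanged,whenCreated,user_type,time
iseval = 0

## - Group Base admon Lookup Formatting Output ##
# Group counterpart of ms_obj_admon_base_out_user: one row per objectGUID with
# latest values, dn_hist/orig_evt_dn from the DNs seen, primaryGroupToken from
# the last RID of objectSid, group type names from AD_Audit_Group_Details,
# isDistributionList for sAMAccountType 268435457, member split on "####"
# then "|" with membercount (0 when empty), and lookup_grp from cn/orig_cn,
# dn/dn_hist and sAMAccountName (blank when equal to cn).
# Regex strings here use "\\" escaping while the sibling macros use "\";
# both reach rex as the same pattern, but the file is inconsistent.
# NOTE(review): dNSHostName is computed for groups as well (copied from the
# computer macro?) but is not part of the output table.
[ms_obj_admon_base_out_group]
definition = fields DomainDNSName, OU, admonEventType, adminCount, c, cn, orig_cn, dSCorePropagationData, dcName, deletedDate, description, displayName, distinguishedName, dn, dn_hist, dn_path, domain, groupType, groupType_Name, guid_lookup, instanceType, isCriticalSystemObject, isDeleted, isRecycled, l, lastKnownParent, managedBy, member, name, objectCategory, objectClass, objectGUID, objectSid, primaryGroupToken, sAMAccountName, sAMAccountType, showInAdvancedViewOnly, sid_lookup, st, systemFlags, uSNChanged, uSNCreated, whenChanged, whenCreated \
| rex field=distinguishedName max_match=0 "\\,DC\\=(?[^(\\,|$)]+)" \
| eval DomainDNSName=mvjoin(lower(DomainDNSName),".") \
| stats max(_time) AS time,earliest(distinguishedName) AS orig_evt_dn,values(distinguishedName) AS dn_hist_hold,latest(*) AS * by objectGUID \
| rex field=cn "(?[a-zA-Z0-9._\\-\\s,\\$(.+\\x5C{1}.+)[^\\sDEL:]+)\\sDEL:" \
| rex field=objectSid "\\d+\\-(?\\d+)$"\
| rex field=distinguishedName "(?i)(?:\,(?[^\,]+)"\
| eval distinguishedName=lower(distinguishedName), displayName=if(isnull(displayName),if(isnull(cn),orig_cn,cn),displayName), dn=lower(distinguishedName), last_evt_flg=admonEventType, cn=lower(cn), lastKnownParent=lower(lastKnownParent), objectGUID=lower(objectGUID), DomainDNSName=lower(DomainDNSName), sAMAccountName=lower(sAMAccountName), dNSHostName=if(isnull(dNSHostName),if(isnull(orig_cn),((displayName . ".") . DomainDNSName),((orig_cn . ".") . DomainDNSName)),dNSHostName), orig_evt_dn=lower(orig_evt_dn), member=lower(member), adminCount=if(isnull(adminCount),0,adminCount) \
| rex field=distinguishedName "(?i)(?:\\,(?(cn|ou|dc)\\=[^$]+)" \
| rex field=distinguishedName "(?i)(?:\\,(?[^\\,]+)" \
| fillnull value="FALSE" isRecycled,isDeleted,isCriticalSystemObject,showInAdvancedViewOnly \
| eval deletedDate=if((match(lower(last_evt_flg),"deleted") OR match(lower(isDeleted),"true")),strptime(whenChanged,"%I:%M.%S %p, %a %m/%d/%Y"),0), OU=if(isnull(other_ou),if(isnull(orig_ou),lower(OU),lower(orig_ou)),lower(other_ou))\
| join type=left DomainDNSName \
[| inputlookup AD_Obj_Domain \
| stats count by DomainDNSName,domain \
| table DomainDNSName, domain] \
| lookup AD_Audit_Group_Details groupType,sAMAccountType OUTPUT groupType_Name,MSADGroupType,MSADGroupClass \
| eval isDistributionList=if((sAMAccountType == "268435457"),"TRUE","FALSE") \
| eval dn_hist_cnt=mvcount(dn_hist_hold) \
| eval dn_hist=if((dn_hist_cnt > 1),lower(dn_hist_hold),""), src_nt_domain=domain \
| fillnull value=0 uSNChanged,uSNCreated,whenChanged,whenCreated \
| fillnull value="" OU,c,orig_cn,dSCorePropagationData,dcName,description,displayName,distinguishedName,dn,dn_path,groupType,groupType_Name,MSADGroupType,MSADGroupClass,guid_lookup,instanceType,l,lastKnownParent,last_evt_flg,managedBy,member,name,objectCategory,objectSid,primaryGroupToken,sAMAccountName,sAMAccountType,sid_lookup,st,systemFlags,uSNChanged,uSNCreated \
| eval d_dn=if(dn_hist=="",dn,mvjoin(dn_hist,"|")),d_cn=if(orig_cn=="",cn,cn."|".orig_cn),d_sam=if(sAMAccountName==cn,"",sAMAccountName) \
| eval lookup_grp=lower(d_cn)."|".lower(d_dn)."|".lower(d_sam) \
| makemv delim="|" lookup_grp \
| eval member=replace(member,"####","|")\
| makemv delim="|" member \
| eval membercount=if((member == ""),0,mvcount(member)) \
| eval key_val=((objectGUID . "#") . DomainDNSName) \
| table key_val, DomainDNSName, OU, adminCount, c, cn, orig_cn, dSCorePropagationData, dcName, deletedDate, description, displayName, distinguishedName, dn, dn_hist, dn_path, domain, groupType, groupType_Name, guid_lookup, instanceType, isCriticalSystemObject, isDeleted, isDistributionList, isRecycled, l, lastKnownParent, last_evt_flg, lookup_grp, managedBy, member, membercount, MSADGroupType, MSADGroupClass, name, objectCategory, objectClass, objectGUID, objectSid, orig_evt_dn, primaryGroupToken, sAMAccountName, sAMAccountType, showInAdvancedViewOnly, sid_lookup, src_nt_domain, st, systemFlags, uSNChanged, uSNCreated, whenChanged, whenCreated, time
iseval = 0

## - Computer Base admon Lookup Formatting Output ##
# Computer counterpart of ms_obj_admon_base_out_user.  dNSHostName falls back
# to <orig_cn or displayName>.<DomainDNSName> when the event has none;
# userAccountControl is decoded through AD_Obj_UAC; src_nt_domain is the
# NetBIOS domain from AD_Obj_Domain; lookup_cmp is cn/orig_cn, dn/dn_hist and
# sAMAccountName (blank when equal to cn), merged across rows sharing key_val.
# key_val is objectGUID#DomainDNSName.
[ms_obj_admon_base_out_computer]
definition = fields DomainDNSName,OU,admonEventType,accountExpires,badPasswordTime,badPwdCount,c,cn,orig_cn,codePage,countryCode,dNSHostName,dSCorePropagationData,dcName,deletedDate,description,displayName,distinguishedName,dn,dn_path,domain,instanceType,isCriticalSystemObject,isDeleted,isRecycled,l,lastKnownParent,lastLogon,lastLogonTimestamp,localPolicyFlags,logonCount,managedBy,msDFSR-ComputerReferenceBL,msDS-SupportedEncryptionTypes,name,objectCategory,objectClass,objectGUID,objectSid,operatingSystem,operatingSystemServicePack,operatingSystemVersion,primaryGroupID,pwdLastSet,rIDSetReferences,sAMAccountName,sAMAccountType,serverReferenceBL,servicePrincipalName,sid_lookup,st,uSNChanged,uSNCreated,userAccountControl,whenChanged,whenCreated\
| rex max_match=0 field=distinguishedName "\,DC\=(?[^(\,|$)]+)"\
| eval DomainDNSName=mvjoin(lower(DomainDNSName),".")\
| stats max(_time) AS time,earliest(distinguishedName) AS orig_evt_dn,values(distinguishedName) AS dn_hist_hold,latest(*) AS * by objectGUID\
| rex field=cn "(?[a-zA-Z0-9._\-\s,\$(.+\x5C{1}.+)[^\sDEL:]+)\sDEL:"\
| rex field=distinguishedName "(?i)(?:\,(?[^\,]+)"\
| eval OU=if(isnull(other_ou),lower(OU),lower(other_ou))\
| eval distinguishedName=lower(distinguishedName),displayName=if(isnull(displayName),if(isnull(cn),orig_cn,cn),displayName),dn=lower(distinguishedName),last_evt_flg=admonEventType,cn=lower(cn),lastKnownParent=lower(lastKnownParent),objectGUID=lower(objectGUID),DomainDNSName=lower(DomainDNSName),sAMAccountName=lower(sAMAccountName),dNSHostName=if(isnull(dNSHostName),if(isnull(orig_cn),displayName.".".DomainDNSName,orig_cn.".".DomainDNSName),dNSHostName),orig_evt_dn=lower(orig_evt_dn)\
| rex field=distinguishedName "(?i)(?:\,(?(cn|ou|dc)\=[^$]+)"\
| fillnull value="FALSE" isRecycled,isDeleted,isCriticalSystemObject,showInAdvancedViewOnly\
| eval deletedDate=if(match(lower(last_evt_flg), "deleted") OR match(lower(isDeleted), "true"), strptime(whenChanged, "%I:%M.%S %p, %a %m/%d/%Y"), 0)\
| lookup AD_Obj_UAC userAccountControl OUTPUT uac_bin_map, uac_details\
| makemv delim=":" uac_details\
| join type=left DomainDNSName [|inputlookup AD_Obj_Domain | stats count by DomainDNSName,domain | table DomainDNSName,domain]\
| eval dn_hist_cnt=mvcount(dn_hist_hold)\
| eval dn_hist=if(dn_hist_cnt>1,lower(dn_hist_hold),""),src_nt_domain=domain\
| fillnull value=0 badPwdCount,lastLogonTimestamp,logonCount,primaryGroupID,pwdLastSet,uSNChanged,uSNCreated,userAccountControl,whenChanged,whenCreated\
| fillnull value="" OU,accountExpires,badPasswordTime,c,cn,orig_cn,codePage,countryCode,dNSHostName,dSCorePropagationData,dcName,description,displayName,distinguishedName,dn,dn_hist,dn_path,domain,instanceType,isCriticalSystemObject,l,lastKnownParent,lastLogon,last_evt_flg,localPolicyFlags,managedBy,msDFSR-ComputerReferenceBL,msDS-SupportedEncryptionTypes,name,objectCategory,objectClass,objectGUID,objectSid,operatingSystem,operatingSystemServicePack,operatingSystemVersion,orig_evt_dn,rIDSetReferences,sAMAccountName,sAMAccountType,serverReferenceBL,servicePrincipalName,sid_lookup,src_nt_domain,st\
| eval d_dn=if(dn_hist=="",dn,mvjoin(dn_hist,"|")),d_cn=if(orig_cn=="",cn,cn."|".orig_cn),d_sam=if(sAMAccountName=cn,"",lower(sAMAccountName))\
| eval key_val=objectGUID."#".DomainDNSName,lookup_cmp=lower(d_cn)."|".lower(d_dn)."|".d_sam\
| makemv delim="|" lookup_cmp\
| eventstats values(lookup_cmp) AS lookup_cmp by key_val\
| table key_val,DomainDNSName,OU,accountExpires,badPasswordTime,badPwdCount,c,cn,orig_cn,codePage,countryCode,dNSHostName,dSCorePropagationData,dcName,deletedDate,description,displayName,distinguishedName,dn,dn_hist,dn_path,domain,instanceType,isCriticalSystemObject,isDeleted,isRecycled,l,lastKnownParent,lastLogon,lastLogonTimestamp,last_evt_flg,localPolicyFlags,logonCount,lookup_cmp,managedBy,msDFSR-ComputerReferenceBL,msDS-SupportedEncryptionTypes,name,objectCategory,objectClass,objectGUID,objectSid,operatingSystem,operatingSystemServicePack,operatingSystemVersion,orig_evt_dn,primaryGroupID,pwdLastSet,rIDSetReferences,sAMAccountName,sAMAccountType,serverReferenceBL,servicePrincipalName,sid_lookup,src_nt_domain,st,uac_details,uSNChanged,uSNCreated,userAccountControl,whenChanged,whenCreated,time
iseval = 0

## - OU Base admon Lookup Formatting Output ##
# OU/container counterpart of the macros above.  The OU name is taken from the
# leading CN=/OU= of the DN, a "DEL:" suffixed name yields ou_del which also
# becomes orig_cn, linked GPO GUIDs come from gPLink, and lookup_ou is built
# from d_cn (orig_cn -> cn -> displayName -> "") and dn/dn_hist.
# key_val is objectGUID#DomainDNSName.
# NOTE(review): `OU=if(isnull(ou),if(isnull(ou_del),name,ou_del),name)` uses
# name in both outer branches and never the extracted ou value; the final
# branch presumably meant `ou` - verify against the intended behaviour.
# NOTE(review): the fillnull list here repeats the GPO field list (flags,
# gPC*, lc) rather than the OU fields selected above.
[ms_obj_admon_base_out_ou]
definition = fields DomainDNSName,Linked_GPO,c,cn,orig_cn,dSCorePropagationData,deletedDate,description,displayName,distinguishedName,dn,dn_hist,domain,gPLink,gpo_link,guid_lookup,host,instanceType,isCriticalSystemObject,isDeleted,isRecycled,l,lastKnownParent,admonEvent Type,managedBy,name,objectCategory,objectClass,objectGUID,ou,revision,showInAdvancedViewOnly,st,systemFlags,uSNChanged,uSNCreated,versionNumber,whenChanged,whenCreated\
| rex max_match=0 field=distinguishedName "\,DC\=(?[^(\,|$)]+)"\
| eval DomainDNSName=mvjoin(DomainDNSName,".")\
| stats max(_time) AS time,earliest(distinguishedName) AS orig_evt_dn,values(distinguishedName) AS dn_hist_hold,latest(*) AS * by objectGUID\
| rex field=distinguishedName "(?i)^(CN|OU)\=(?[^\,]+)"\
| rex field=name "(?i)(?[^\sDEL]+)\sDEL\:"\
| rex field=gPLink max_match=0 "(?msi)(?:\[LDAP\:\/\/cn\=\{)(?[^\}]+)"\
| eval distinguishedName=lower(distinguishedName),OU=if(isnull(ou),if(isnull(ou_del),name,ou_del),name), displayName=if(isnull(displayName),if(isnull(cn),if(isnull(ou_del),name,ou_del),cn),displayName),dn=lower(distinguishedName),last_evt_flg=admonEventType,cn=lower(cn),orig_cn=if(isnull(ou_del),cn,ou_del),lastKnownParent=lower(lastKnownParent),objectGUID=lower(objectGUID),DomainDNSName=lower(DomainDNSName),orig_evt_dn=lower(orig_evt_dn),gpo_link=lower(gpo_link)\
| fillnull value="FALSE" isRecycled,isDeleted,isCriticalSystemObject,showInAdvancedViewOnly\
| eval deletedDate=if(match(lower(last_evt_flg), "deleted") OR match(lower(isDeleted), "true"), strptime(whenChanged, "%I:%M.%S %p, %a %m/%d/%Y"), 0),OU=if(isnull(OU),orig_ou,OU)\
| join type=left DomainDNSName [|inputlookup AD_Obj_Domain | stats count by DomainDNSName,domain | table DomainDNSName,domain]\
| eval dn_hist_cnt=mvcount(dn_hist_hold)\
| eval dn_hist=if(dn_hist_cnt>1,lower(dn_hist_hold),"")\
| fillnull value=0 uSNChanged,uSNCreated,whenChanged,whenCreated\
| fillnull value="" displayName,distinguishedName,dn,dn_hist,domain,DomainDNSName,dSCorePropagationData,flags,gpo_link,gPCFileSysPath,gPCFunctionalityVersion,gPCMachineExtensionNames,instanceType,lastKnownParent,lc,last_evt_flg,name,objectCategory,objectClass,objectGUID,orig_cn,systemFlags,uSNChanged,uSNCreated,versionNumber\
| eval d_dn=if(dn_hist=="",dn,mvjoin(dn_hist,"|")),d_cn=if(orig_cn="" OR isnull(orig_cn),if(cn="" OR isnull(cn),if(displayName="" OR isnull(displayName),"",lower(displayName)),lower(cn)),lower(orig_cn))\
| eval key_val=objectGUID."#".DomainDNSName,lookup_ou=lower(d_cn)."|".lower(d_dn)\
| makemv delim="|" lookup_ou\
| table key_val,c,cn,deletedDate,description,displayName,distinguishedName,dn,dn_hist,domain,DomainDNSName,dSCorePropagationData,gPLink,gpo_link,guid_lookup,host,instanceType,isCriticalSystemObject,isDeleted,isRecycled,l,lastKnownParent,last_evt_flg,Linked_GPO,lookup_ou,managedBy,name,objectCategory,objectClass,objectGUID,orig_cn,orig_evt_dn,OU,q,revision,showInAdvancedViewOnly,st,systemFlags,uSNChanged,uSNCreated,versionNumber,whenChanged,whenCreated,time
iseval = 0

## - GPO Base admon Lookup Formatting Output ##
# GPO counterpart: one row per objectGUID with latest values, the GPO GUID
# (gpo_link) taken from the "CN={...},CN=Policies" part of the DN, and the
# same dn_hist/orig_evt_dn/deletedDate handling as the other out_* macros.
# key_val is objectGUID#DomainDNSName.
[ms_obj_admon_base_out_gpo]
definition = fields admonEventType,cn,deletedDate,displayName,distinguishedName,dn,dn_hist,domain,DomainDNSName,dSCorePropagationData,flags,gpo_link,gPCFileSysPath,gPCFunctionalityVersion,gPCMachineExtensionNames,instanceType,isCriticalSystemObject,isRecycled,isDeleted,lastKnownParent,lc,last_evt_flg,name,objectCategory,objectClass,objectGUID,orig_cn,showInAdvancedViewOnly,systemFlags,uSNChanged,uSNCreated,versionNumber,whenChanged,whenCreated,_time\
| rex max_match=0 field=distinguishedName "\,DC\=(?[^(\,|$)]+)"\
| eval DomainDNSName=mvjoin(DomainDNSName,".")\
| stats max(_time) AS time,earliest(distinguishedName) AS orig_evt_dn,values(distinguishedName) AS dn_hist_hold,latest(*) AS * by objectGUID\
| rex field=cn "(?[a-zA-Z0-9._\-\s,\$(.+\x5C{1}.+)[^\sDEL:]+)\sDEL:"\
| rex field=distinguishedName "(?msi)(?:CN\=\{)(?[^\}]+)\}\,CN\=Policies"\
| eval distinguishedName=lower(distinguishedName),displayName=if(isnull(displayName),if(isnull(cn),orig_cn,cn),displayName),dn=lower(distinguishedName),last_evt_flg=admonEventType,cn=lower(cn),orig_cn=lower(orig_cn),lastKnownParent=lower(lastKnownParent),objectGUID=lower(objectGUID),DomainDNSName=lower(DomainDNSName),orig_evt_dn=lower(orig_evt_dn),gpo_link=lower(gpo_link)\
| rex field=distinguishedName "(?i)(?:\,(?[^\,]+)"\
| fillnull value="FALSE" isRecycled,isDeleted,isCriticalSystemObject,showInAdvancedViewOnly\
| eval deletedDate=if(match(lower(last_evt_flg), "deleted") OR match(lower(isDeleted), "true"), strptime(whenChanged, "%I:%M.%S %p, %a %m/%d/%Y"), 0),OU=if(isnull(OU),orig_ou,OU)\
| join type=left DomainDNSName [|inputlookup AD_Obj_Domain | stats count by DomainDNSName,domain | table DomainDNSName,domain]\
| eval dn_hist_cnt=mvcount(dn_hist_hold)\
| eval dn_hist=if(dn_hist_cnt>1,lower(dn_hist_hold),"")\
| fillnull value=0 uSNChanged,uSNCreated,whenChanged,whenCreated\
| fillnull value="" displayName,distinguishedName,dn,dn_hist,domain,DomainDNSName,dSCorePropagationData,flags,gpo_link,gPCFileSysPath,gPCFunctionalityVersion,gPCMachineExtensionNames,instanceType,lastKnownParent,lc,last_evt_flg,name,objectCategory,objectClass,objectGUID,orig_cn,systemFlags,uSNChanged,uSNCreated,versionNumber\
| eval key_val=objectGUID."#".DomainDNSName\
| table key_val,cn,deletedDate,displayName,distinguishedName,dn,dn_hist,domain,DomainDNSName,dSCorePropagationData,flags,gpo_link,gPCFileSysPath,gPCFunctionalityVersion,gPCMachineExtensionNames,instanceType,isCriticalSystemObject,isRecycled,isDeleted,lastKnownParent,lc,last_evt_flg,name,objectCategory,objectClass,objectGUID,orig_cn,showInAdvancedViewOnly,systemFlags,uSNChanged,uSNCreated,versionNumber,whenChanged,whenCreated,time
iseval = 0

## - Admin Audit Lookup - Build and Update ##
# Builds the AD_Obj_Admin_Audit rows from the change events returned by
# ms_obj_changes_base_all: latest event time per (admin_user, admin_domain),
# where admin_domain prefers src_nt_domain, then dest_nt_domain, then "".
# key_val is admin_user#admin_domain; the caller is expected to set _key and
# write the KV store.  The second stats is a no-op after the first.
# NOTE(review): this key differs from the objectGUID-based key written by
# ms_obj_winevt_migrate_admin_audit, so migrated and live rows do not collide.
[ms_obj_winevt_base_out_admin_audit]
definition = `ms_obj_changes_base_all`\
| fields src_user, _time, src_nt_domain,dest_nt_domain\
| eval admin_domain=if(isnull(src_nt_domain),if(isnull(dest_nt_domain),"",lower(dest_nt_domain)),lower(src_nt_domain))\
| eval admin_user=lower(src_user)\
| stats latest(_time) as last_time_utc by admin_user,admin_domain\
| eval last_time_string=strftime(last_time_utc,"%m/%d/%y %H:%M:%S")\
| stats values(*) AS * by admin_user,admin_domain\
| eval key_val=lower(admin_user)."#".lower(admin_domain)
iseval = 0

## - Replaced for supporting MULTI-DOMAIN SPLIT KVS removed lookup dn_path,dn,cn,userPrincipalName ##
##[ms_obj_winevt_base_out_admin_audit]
##definition = `ms_obj_changes_base_all`\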
##| fields src_user, _time\ ##| eval src_user=lower(src_user)\ ##| stats latest(_time) as last_time_utc by src_user\ ##| lookup AD_Obj_User sAMAccountName as src_user OUTPUT sAMAccountName as admin_user,domain as admin_domain,dn as admin_dn,dn_path as admin_dn_path,cn as admin_cn,objectGUID as admin_objectGUID,userPrincipalName AS admin_userPrincipalName\ ##| eval last_time_string=strftime(last_time_utc,"%m/%d/%y %H:%M:%S")\ ##| fillnull value="" admin_dn,admin_dn_hist,admin_dn_path,admin_cn,admin_userPrincipalName\ ##| stats values(*) AS * by admin_objectGUID,admin_domain\ ##| eval key_val=lower(admin_objectGUID)."#".lower(admin_domain) ##iseval = 0 [ms_obj_default_ugc_count] definition = fields domain \ | join type=left domain [| inputlookup AD_Obj_User | fields domain | stats count as user_count by domain]\ | join type=left domain [| inputlookup AD_Obj_Group | fields domain | stats count as group_count by domain]\ | join type=left domain [| inputlookup AD_Obj_Computer | fields domain | stats count as user_computer by domain]\ | eval user_count=if(isnull(user_count),0,tostring(user_count,"commas")),group_count=if(isnull(group_count),0,tostring(group_count,"commas")),computer_count=if(isnull(computer_count),0,tostring(computer_count,"commas"))\ | table domain,user_count,group_count,computer_count iseval = 0 ## - UAC Output for Updating AD_Obj_UAC lookup ## [ms_obj_admon_base_out_uac] definition = `ms_obj_admon_base` ("objectClass=top|person|organizationalPerson|user" OR "objectClass=top|group") NOT [| inputlookup AD_Obj_UAC | fields userAccountControl | stats count by userAccountControl | table userAccountControl | format]\ | fields userAccountControl iseval = 0 ###----------------------------------------------### #--- Optional User Lookup Update - Logon Times ---# #--- Macro that can be used for updating the User ---# #--- lookup with lastLogon,lastLogonTimestamp ---# ###----------------------------------------------### [ms_obj_upd_user_last_logon(2)] args = 
user_lookup,domain definition = `ms_obj_success_logons_user` (dest_nt_domain="$domain$" OR src_nt_domain="$domain$"\ | fields _time, dest_nt_domain, user_obj_lkp\ | eval user_obj_lkp=lower(user_obj_lkp)\ | stats max(_time) as l_logon by dest_nt_domain,user_obj_lkp\ | lookup $user_lookup$ lookup_usr AS user_obj_lkp OUTPUT _key AS key_val,DomainDNSName,OU,accountExpires,adminCount,badPasswordTime,badPwdCount,c,cn,orig_cn,codePage,countryCode,dSCorePropagationData,dcName,deletedDate,department,description,displayName,distinguishedName,dn,dn_hist,dn_path,domain,givenName,guid_lookup,initials,instanceType,isCriticalSystemObject,isDeleted,isRecycled,l,lastKnownParent,lastLogon,lastLogonTimestamp,last_evt_flg,lockoutTime,logonCount,logonHours,lookup_usr,managedBy,msDS-SupportedEncryptionTypes,name,objectCategory,objectClass,objectGUID,objectSid,orig_evt_dn,physicalDeliveryOfficeName,postalCode,primaryGroupID,pwdLastSet,sAMAccountName,sAMAccountType,servicePrincipalName,showInAdvancedViewOnly,sid_lookup,sn,st,streetAddress,title,uac_details,uSNChanged,uSNCreated,userAccountControl,userPrincipalName,userWorkstations,whenChanged,whenCreated,user_type,time\ | where isnotnull(lastLogonTimestamp) AND l_logon>lastLogonTimestamp\ | eval lastLogon=strftime(l_logon,"%I:%M.%S %P, %a %m/%d/%Y"),lastLogonTimestamp=l_logon\ | table key_val,DomainDNSName, OU, accountExpires, adminCount, badPasswordTime, badPwdCount, c, cn, orig_cn, codePage, countryCode, dSCorePropagationData, dcName, deletedDate, department, description, displayName, distinguishedName, dn, dn_hist, dn_path, domain, givenName, guid_lookup, initials, instanceType, isCriticalSystemObject, isDeleted, isRecycled, l, lastKnownParent, lastLogon, lastLogonTimestamp, last_evt_flg, lockoutTime, logonCount, logonHours, lookup_usr, managedBy, "msDS-SupportedEncryptionTypes", name, objectCategory, objectClass, objectGUID, objectSid, orig_evt_dn, physicalDeliveryOfficeName, postalCode, primaryGroupID, pwdLastSet, sAMAccountName, 
sAMAccountType, servicePrincipalName, showInAdvancedViewOnly, sid_lookup, sn, st, streetAddress, title, uac_details, uSNChanged, uSNCreated, userAccountControl, userPrincipalName, userWorkstations, whenChanged, whenCreated, user_type, time\ | eval _key=objectGUID."#".DomainDNSName\ | outputlookup $user_lookup$ append=true iseval = 0 ###-----------------------------------------### #--- Converting UserAccountControl Macros ---# #--- Also used for Multi-Domain Split KVs ---# ###-----------------------------------------### ## User Access Control Bitmask Conversion Macros ## [ms_obj_uac_to_details] definition = eval octet = userAccountControl \ | eval rank = split("1", ",") \ | eval octet_rank = mvzip(rank, octet) \ | fields - octet, rank \ | mvexpand octet_rank \ | eval octet_rank_split = split(octet_rank, ",") \ | eval rank = mvindex(octet_rank_split, 0) \ | eval octet = mvindex(octet_rank_split, 1) \ | fields - octet_rank, octet_rank_split \ | eval power = mvrange(0,32) \ | mvexpand power \ | eval base2 = pow(2, power) \ | eval mydiv = floor(octet / base2) \ | eval octet_bin = mydiv % 2 \ | fields - mydiv, base2 \ | sort limit=0 IP, rank, octet, - power \ | stats list(octet_bin) as octet_bin by userAccountControl\ | eval uac_bin_map = mvjoin(octet_bin, "")\ | rex field=uac_bin_map "00000(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})" \ | eval uac_details="" \ | eval uac_details=if(uacf_account_state=1,uac_details."Disabled",uac_details."Enabled") \ | eval uac_details=if(uacf_script_account=1,uac_details.":Logon script is executed",uac_details) \ | eval uac_details=if(uacf_temp_dup_account=1,uac_details.":Temp Duplicate Account",uac_details) \ | eval uac_details=if(uacf_home_dir_req=1,uac_details.":Home Directory Required",uac_details) \ | eval uac_details=if(uacf_pwd_not_req=1,uac_details.":Password 
Not Required",uac_details) \ | eval uac_details=if(uacf_pwd_cant_change=1,uac_details.":Cant Change Password",uac_details) \ | eval uac_details=if(uacf_pwd_store_rev=1,uac_details.":Store Password using reversible encryption",uac_details) \ | eval uac_details=if(uacf_normal_account=1,uac_details.":Normal User Account",uac_details) \ | eval uac_details=if(uacf_trust_account=1,uac_details.":InterDomain Trust Account",uac_details) \ | eval uac_details=if(uacf_wkstn_trust_account=1,uac_details.":Workstation Trust Account",uac_details) \ | eval uac_details=if(uacf_srvr_trust_account=1,uac_details.":Server Trust Account",uac_details) \ | eval uac_details=if(uacf_pwd_not_expire=1,uac_details.":Password Does Not Expire",uac_details) \ | eval uac_details=if(uacf_mns_account=1,uac_details.":Majority Node Set (MNS) account",uac_details) \ | eval uac_details=if(uacf_smartcard_req=1,uac_details.":Smart Card Required",uac_details) \ | eval uac_details=if(uacf_trust_for_delegation=1,uac_details.":Trusted for Delegation",uac_details) \ | eval uac_details=if(uacf_sensitive=1,uac_details.":Sensitive - Not Delegated",uac_details) \ | eval uac_details=if(uacf_pwd_kerb_des=1,uac_details.":Kerberos authentication DES only",uac_details) \ | eval uac_details=if(uacf_pwd_kerb_pre_auth=1,uac_details.":Kerberos Does Not Require Pre-Auth",uac_details) \ | eval uac_details=if(uacf_pwd_expired=1,uac_details.":Password has Expired",uac_details) \ | eval uac_details=if(uacf_trust_auth_for_delegation=1,uac_details.":Can request a Kerberos ticket on behalf of another user",uac_details) \ | eval uac_details=if(uacf_kerb_no_pac=1,uac_details.":Request Kerberos Ticket without PAC data",uac_details) \ | eval uac_details=if(uacf_dc_account=1,uac_details.":Read Only Domain Controller Account",uac_details) \ | fields - octet_bin, - uacf* iseval = 0 ## uac_details (bit flag definitions for uac binary) fields to a target lookup -## [ms_obj_uac_to_binary(1)] args = target_lookup definition = join type=left 
userAccountControl [| inputlookup $target_lookup$\ | fields userAccountControl\ | dedup userAccountControl\ | eval octet = userAccountControl\ | eval rank = split("1", ",")\ | eval octet_rank = mvzip(rank, octet)\ | fields - octet, rank\ | mvexpand octet_rank\ | eval octet_rank_split = split(octet_rank, ",")\ | eval rank = mvindex(octet_rank_split, 0)\ | eval octet = mvindex(octet_rank_split, 1)\ | fields - octet_rank, octet_rank_split\ | eval power = mvrange(0,32)\ | mvexpand power\ | eval base2 = pow(2, power)\ | eval mydiv = floor(octet / base2)\ | eval octet_bin = mydiv % 2\ | fields - mydiv, base2\ | sort limit=0 IP, rank, octet, - power\ | stats list(octet_bin) as octet_bin by userAccountControl\ | eval uac_bin_map = mvjoin(octet_bin, "")\ | rex field=uac_bin_map "00000(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})" \ | eval uac_details="" \ | eval uac_details=if(uac_account_state=1,uac_details."Disabled",uac_details."Enabled") \ | eval uac_details=if(uac_script_account=1,uac_details.":Logon script is executed",uac_details) \ | eval uac_details=if(uac_temp_dup_account=1,uac_details.":Temp Duplicate Account",uac_details) \ | eval uac_details=if(uac_home_dir_req=1,uac_details.":Home Directory Required",uac_details) \ | eval uac_details=if(uac_pwd_not_req=1,uac_details.":Password Not Required",uac_details) \ | eval uac_details=if(uac_pwd_cant_change=1,uac_details.":Cant Change Password",uac_details) \ | eval uac_details=if(uac_pwd_store_rev=1,uac_details.":Store Password using reversible encryption",uac_details) \ | eval uac_details=if(uac_normal_account=1,uac_details.":Normal User Account",uac_details) \ | eval uac_details=if(uac_trust_account=1,uac_details.":InterDomain Trust Account",uac_details) \ | eval uac_details=if(uac_wkstn_trust_account=1,uac_details.":Workstation Trust 
Account",uac_details) \ | eval uac_details=if(uac_srvr_trust_account=1,uac_details.":Server Trust Account",uac_details) \ | eval uac_details=if(uac_pwd_not_expire=1,uac_details.":Password Does Not Expire",uac_details) \ | eval uac_details=if(uac_mns_account=1,uac_details.":Majority Node Set (MNS) account",uac_details) \ | eval uac_details=if(uac_smartcard_req=1,uac_details.":Smart Card Required",uac_details) \ | eval uac_details=if(uac_trust_for_delegation=1,uac_details.":Trusted for Delegation",uac_details) \ | eval uac_details=if(uac_sensitive=1,uac_details.":Sensitive - Not Delegated",uac_details) \ | eval uac_details=if(uac_pwd_kerb_des=1,uac_details.":Kerberos authentication DES only",uac_details) \ | eval uac_details=if(uac_pwd_kerb_pre_auth=1,uac_details.":Kerberos Does Not Require Pre-Auth",uac_details) \ | eval uac_details=if(uac_pwd_expired=1,uac_details.":Password has Expired",uac_details) \ | eval uac_details=if(uac_trust_auth_for_delegation=1,uac_details.":Can request a Kerberos ticket on behalf of another user",uac_details) \ | eval uac_details=if(uac_kerb_no_pac=1,uac_details.":Request Kerberos Ticket without PAC data",uac_details) \ | eval uac_details=if(uac_dc_account=1,uac_details.":Read Only Domain Controller Account",uac_details) \ | table userAccountControl,uac_bin_map,uac_details]\ | outputlookup $target_lookup$ iseval = 0 ##- Extract UAC Binary Fields -## [ms_obj_uac_bin_fields] definition = rex field=uac_bin_map "00000(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})" iseval = 0 [ms_obj_uac_details] definition = join type=left userAccountControl [| inputlookup AD_Obj_UAC | fields userAccountControl | dedup userAccountControl | eval octet = userAccountControl | eval rank = split("1", ",") | eval octet_rank = mvzip(rank, octet) | fields - octet, rank | mvexpand octet_rank | eval 
octet_rank_split = split(octet_rank, ",") | eval rank = mvindex(octet_rank_split, 0) | eval octet = mvindex(octet_rank_split, 1) | fields - octet_rank, octet_rank_split | eval power = mvrange(0,32) | mvexpand power | eval base2 = pow(2, power) | eval mydiv = floor(octet / base2) | eval octet_bin = mydiv % 2 | fields - mydiv, base2 | sort limit=0 IP, rank, octet, - power | stats list(octet_bin) as octet_bin by userAccountControl | eval uac_bin_map = mvjoin(octet_bin, "") | rex field=uac_bin_map "00000(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})" | eval uac_details="" | eval uac_details=if(uac_account_state=1,uac_details."Disabled",uac_details."Enabled") | eval uac_details=if(uac_script_account=1,uac_details.":Logon script is executed",uac_details) | eval uac_details=if(uac_temp_dup_account=1,uac_details.":Temp Duplicate Account",uac_details) | eval uac_details=if(uac_home_dir_req=1,uac_details.":Home Directory Required",uac_details) | eval uac_details=if(uac_pwd_not_req=1,uac_details.":Password Not Required",uac_details) | eval uac_details=if(uac_pwd_cant_change=1,uac_details.":Cant Change Password",uac_details) | eval uac_details=if(uac_pwd_store_rev=1,uac_details.":Store Password using reversible encryption",uac_details) | eval uac_details=if(uac_normal_account=1,uac_details.":Normal User Account",uac_details) | eval uac_details=if(uac_trust_account=1,uac_details.":InterDomain Trust Account",uac_details) | eval uac_details=if(uac_wkstn_trust_account=1,uac_details.":Workstation Trust Account",uac_details) | eval uac_details=if(uac_srvr_trust_account=1,uac_details.":Server Trust Account",uac_details) | eval uac_details=if(uac_pwd_not_expire=1,uac_details.":Password Does Not Expire",uac_details) | eval uac_details=if(uac_mns_account=1,uac_details.":Majority Node Set (MNS) account",uac_details) | 
eval uac_details=if(uac_smartcard_req=1,uac_details.":Smart Card Required",uac_details) | eval uac_details=if(uac_trust_for_delegation=1,uac_details.":Trusted for Delegation",uac_details) | eval uac_details=if(uac_sensitive=1,uac_details.":Sensitive - Not Delegated",uac_details) | eval uac_details=if(uac_pwd_kerb_des=1,uac_details.":Kerberos authentication DES only",uac_details) | eval uac_details=if(uac_pwd_kerb_pre_auth=1,uac_details.":Kerberos Does Not Require Pre-Auth",uac_details) | eval uac_details=if(uac_pwd_expired=1,uac_details.":Password has Expired",uac_details) | eval uac_details=if(uac_trust_auth_for_delegation=1,uac_details.":Can request a Kerberos ticket on behalf of another user",uac_details) | eval uac_details=if(uac_kerb_no_pac=1,uac_details.":Request Kerberos Ticket without PAC data",uac_details) | eval uac_details=if(uac_dc_account=1,uac_details.":Read Only Domain Controller Account",uac_details) | table userAccountControl,uac_bin_map,uac_*] iseval = 0 [ms_obj_uac_get_details_join] definition = join userAccountControl [| inputlookup AD_Obj_UAC\ | fields userAccountControl,uac_bin_map,uac_details\ | stats count by userAccountControl,uac_bin_map,uac_details\ | table userAccountControl,uac_bin_map,uac_details] iseval = 0 [ms_obj_uac_get_details_lkup] definition = lookup AD_Obj_UAC userAccountControl OUTPUT uac_bin_map,uac_details iseval = 0 ###-------------------------------------------------------------------------------### #--- Macro's Used for Basic Searching - Used Often ---# #--- Also used for Multi-Domain Split KVs ---# ###-------------------------------------------------------------------------------### ##Basic AD Domain Selector [ms_obj_domain-selector] definition = inputlookup AD_Obj_Domain\ |table host,domain,DomainNetBIOSName,DomainDNSName,ForestName,Site,dc_val,kv_suffix,user_lookup,group_lookup,computer_lookup iseval = 0 ##Grouped AD Domain Selector [ms_obj_domain_list] definition = inputlookup AD_Obj_Domain\ | fields + domain, 
kv_suffix, user_lookup, group_lookup, computer_lookup, multi_lkps_enabled, dc_val, DomainDNSName \ | eval multi_lkps_enabled=if(isnull(multi_lkps_enabled),"f",multi_lkps_enabled), kv_suffix=if(isnull(kv_suffix),domain,kv_suffix), user_lookup=if(isnull(user_lookup),"AD_Obj_User",user_lookup), group_lookup=if(isnull(group_lookup),"AD_Obj_Group",group_lookup), computer_lookup=if(isnull(computer_lookup),"AD_Obj_Computer",computer_lookup), dc_val=if(isnull(dc_val),DomainDNSName,dc_val) \ | stats count by domain,kv_suffix,user_lookup,group_lookup,computer_lookup,dc_val iseval = 0 ##Windows EventLog Specific Searches [ms_obj_quick_wineventlog_list] definition = `ms_obj_win_events_all`\ | fields _raw,host,_time\ | rex "(?msi)(?:(LogName(\=\s+|\=)|\))(?[^(\r|\n|\<]+)"\ | rex "(?msi)(?:(EventCode(\=\s+|\=)|\|\s+Qualifiers\=\'\d+\'\>)))(?[^\r|\n|\<]+)"\ | eval EventCode=if(isnull(EventCode),_raw,EventCode),LogName=if(isnull(LogName),_raw,LogName)\ | stats max(_time) AS last_time,dc(host) AS host_count,count by LogName,EventCode iseval = 0 ## Quick Computer Logins [ms_ad_obj_qck_succ_comp_logins(1)] args = domain definition = (`ms_obj_win_events_security`) ("4624" "$" "$domain$")\ | fields _time,_raw\ | rex "(?msi)(?:EventID.*?\>(?[^\<]+))\<"\ | rex "(?msi)(?:EventCode\=)(?\d+)"\ | rex field=_raw "(?msi)(?:Account\s+Name\:.*?(Account\s+Name\:)|(?:Account\s+Name\:))\s+(?\S+\$)" \ | rex field=_raw "(?msi)(?:TargetUserName\'\>(?!\-)(?\S+\$))" \ | where EventCode="4624"\ | stats max(_time) as lastLogonTime by comp_obj_sam iseval = 0 ###-----------------------------------------### #--- Windows Authentication Search Macros ---# #--- Also used for Multi-Domain Split KVs ---# ###-----------------------------------------### ## Base Model - Authentication - Search with fields (_time,user,action,src,dest) [ms_obj_srch_auth_model_basic(1)] args = tok_ena_sum definition = tstats summariesonly=$tok_ena_sum$ allow_old_summaries=true count from datamodel=Authentication.Authentication where 
Authentication.action=* Authentication.user=* (Authentication.src=* OR Authentication.dest=*) by _time,Authentication.src,Authentication.dest,Authentication.user,Authentication.action,Authentication.signature,Authentication.signature_id,Authentication.app,host\ | rename "Authentication.*" as "*" ## - Search - WinEventLog - Authentication - Failed and Successful ## - Example - System Accounts - `ms_obj_failed_success_logons("user")` ## - Example - System Accounts - `ms_obj_failed_success_logons("system")` ## - Example - System Accounts - `ms_obj_failed_success_logons("computer")` [ms_obj_failed_success_logons(1)] args = tok_src_obj_type definition = `ms_obj_win_events_security` EventCode=4624 OR (EventCode=4625 OR ((EventCode=4768 OR EventCode=4771 OR EventCode=4776) status="failure")) user_type="$tok_src_obj_type$" iseval = 0 ## - Search - WinEventLog - Authentication - Successful [ms_obj_success_logons(1)] args = tok_src_obj_type definition = `ms_obj_win_events_security` EventCode=4624 user_type="$tok_src_obj_type$" iseval = 0 ## - Search - WinEventLog - Authentication - Failed [ms_obj_failed_logons(1)] args = tok_src_obj_type definition = `ms_obj_win_events_security` (EventCode=4625 OR ((EventCode=4768 OR EventCode=4771 OR EventCode=4776) status="failure")) user_type="$tok_src_obj_type$" iseval = 0 ## - Search - WinEventLog - All Object Authentication - Failed [ms_obj_failed_logons_all] definition = `ms_obj_win_events_security` (EventCode=4625 OR ((EventCode=4768 OR EventCode=4771 OR EventCode=4776) status="failure")) iseval = 0 ## - Search - WinEventLog - User Authentication - Successful [ms_obj_success_logons_user] definition = `ms_obj_win_events_security` EventCode=4624 user_type="user" iseval = 0 ## - Search - WinEventLog - User Authentication - Failed [ms_obj_failed_logons_user] definition = `ms_obj_win_events_security` (EventCode=4625 OR ((EventCode=4768 OR EventCode=4771 OR EventCode=4776) status="failure")) user_type="user" iseval = 0 ## - Search - 
Wineventlog - User Authentications - Failed and Successful [ms_obj_failed_success_logons_user] definition = `ms_obj_win_events_security` EventCode=4624 OR (EventCode=4625 OR ((EventCode=4768 OR EventCode=4771 OR EventCode=4776) status="failure")) user_type="user" iseval = 0 ## - Search - WinEventLog - Computer Authentication - Successful [ms_obj_success_logons_computer] definition = `ms_obj_win_events_security` EventCode=4624 user_type="computer" iseval = 0 ## - Search - WinEventLog - Computer Authentication - Failed [ms_obj_failed_logons_computer] definition = `ms_obj_win_events_security` (EventCode=4625 OR ((EventCode=4768 OR EventCode=4771 OR EventCode=4776) status="failure")) user_type="computer" iseval = 0 ## - Search - Wineventlog - Computer Authentications - Failed and Successful [ms_obj_failed_success_logons_computer] definition = `ms_obj_win_events_security` EventCode=4624 OR (EventCode=4625 OR ((EventCode=4768 OR EventCode=4771 OR EventCode=4776) status="failure")) user_type="computer" iseval = 0 ## - Search - WinEventLog - System Authentication - Failed [ms_obj_failed_logons_system] definition = `ms_obj_win_events_security` (EventCode=4625 OR ((EventCode=4768 OR EventCode=4771 OR EventCode=4776) status="failure")) user_type="system" iseval = 0 ###-------------------------------------------------------------------------------### #--- Macro's Used for Retrieving values from lookups ---# #--- NOT used for Multi-Domain Split KVs ---# ###-------------------------------------------------------------------------------### [ms_obj_get_full_group_membership(1)] args = tok_member_dn definition = join type=left dn [| inputlookup AD_Obj_Group where member="$tok_member_dn$"\ | fields + cn, displayName, dn, member\ | rename dn as memberOf, cn as Group_cn, displayName as Group_Name\ | rename member as dn\ | stats values(memberOf) AS memberOf,values(Group_cn) AS Group_cn,values(Group_Name) AS Group_Name by dn\ | table dn, Group_cn, Group_Name, memberOf]\ | lookup 
AD_Obj_Group primaryGroupToken AS primaryGroupID OUTPUT dn AS primaryGroupdn,cn AS primaryGroupcn,displayName AS primaryGroupName\ | eval memberOf=mvappend(memberOf,primaryGroupdn), Group_Name=mvappend(Group_Name,primaryGroupName),Group_cn=mvappend(Group_cn,primaryGroupcn) iseval = 0 [ms_obj_get_full_group_membership_prev(1)] args = tok_member_dn definition = join type=left dn [| inputlookup AD_Obj_Group where member="$tok_member_dn$"\ | fields + cn, displayName, dn, member\ | rename dn as memberOf, cn as Group_cn, displayName as Group_Name\ | rename member as dn\ | stats values(memberOf) AS memberOf,values(Group_cn) AS Group_cn,values(Group_Name) AS Group_Name by dn\ | table dn, Group_cn, Group_Name, memberOf]\ | lookup AD_Obj_Group primaryGroupToken AS primaryGroupID OUTPUT dn AS primaryGroupdn,cn AS primaryGroupcn,displayName AS primaryGroupName\ | eval memberOf=mvappend(memberOf,primaryGroupdn), Group_Name=mvappend(Group_Name,primaryGroupName),Group_cn=mvappend(Group_cn,primaryGroupcn) iseval = 0 ## Full Group Membership - With passed Object Lookup Name, Attribute Value, Member Domain, and Member Attribute Value ## Example - | inputlookup AD_Object_User | `ms_obj_get_full_group_membership_attr(User,"sedemo",sAMAccountName,"Administrator")` [ms_obj_get_full_group_membership_attr(4)] args = tok_obj_lkp,tok_member_domain,tok_member_attr,tok_member_val definition = join type=left dn [| inputlookup AD_Obj_Group where [| inputlookup AD_Obj_$tok_obj_lkp$ WHERE domain="$tok_member_domain$" AND $tok_member_attr$="$tok_member_val$" | fields dn | rename dn AS member | table member|format]\ | fields dn, displayName,cn,member\ | eval displayName=if(isnull(displayName),cn,displayName)\ | rename dn as memberOf\ | rename member as dn\ | stats values(memberOf) AS memberOf by dn\ | search [| inputlookup AD_Obj_$tok_obj_lkp$ WHERE domain="$tok_member_domain$" AND $tok_member_attr$="$tok_member_val$" | fields dn | table dn|format]\ | table dn, memberOf]\ | lookup AD_Obj_Group 
primaryGroupToken AS primaryGroupID OUTPUT dn AS primaryGroupdn\ | eval memberOf=mvappend(memberOf,primaryGroupdn) iseval = 0 ## Full Group Membership - With passed Object Lookup Name, Attribute Value, Member Domain, and Member Attribute Value ## Example - | inputlookup AD_Object_User | `ms_obj_get_full_group_membership_attr(User,"sedemo",sAMAccountName,"Administrator")` [ms_obj_get_full_group_membership_attr_tmp(4)] args = tok_obj_lkp,tok_member_domain,tok_member_attr,tok_member_val definition = join dn type=left[| inputlookup AD_Obj_Group WHERE [| inputlookup AD_Obj_$tok_obj_lkp$ WHERE domain="$tok_member_domain$" AND $tok_member_attr$="$tok_member_val$" | fields dn | stats values(dn) AS member |format]\ | fields dn, member,displayName,cn\ | eval displayName=if(isnull(displayName),cn,displayName)\ | mvexpand member\ | search [| inputlookup AD_Obj_$tok_obj_lkp$ WHERE domain="$tok_member_domain$" AND $tok_member_attr$="$tok_member_val$" | fields dn | stats values(dn) AS member |format]\ | rename dn as memberOf\ | rename member as dn\ | eval memberOf=displayName."|".memberOf\ | stats values(memberOf) AS memberOf by dn\ | eval memberOf=mvjoin(memberOf,"####")]\ | lookup AD_Obj_Group primaryGroupToken AS primaryGroupID OUTPUT dn AS primarygroupDN,displayName AS primarygroupName\ | eval memberOf=if(isnull(memberOf),primarygroupName."|".primarygroupDN,primarygroupName."|".primarygroupDN."####".memberOf) iseval = 0 ##Macro to receive Group Membership for designated object [ms_obj_get_group_membership(1)] args = tok_member_dn definition = inputlookup AD_Obj_Group WHERE member="$tok_member_dn$"\ | fields cn,displayName,dn,member\ | rename dn AS memberOf,cn AS Group_cn,displayName AS Group_Name\ | rename member AS dn\ | table dn,Group_cn,Group_Name,memberOf ##Get: INLINE - Specific Lookup Member by AD Group - Macro to receive inline the Group Membership for an object's specified field ## Example - | `ms_obj_get_l_group_membership("dn")` ## = | lookup AD_Obj_Group member AS 
dn OUTPUT cn AS Group_cn,dn AS Group_dn [ms_obj_get_l_group_membership(1)] args = tok_field_data definition = lookup AD_Obj_Group member AS $tok_field_data$ OUTPUT cn AS Group_cn,dn AS Group_dn ##Filter: Specific Lookup Member by AD Group - Macro to filter a lookup (ie. AD_Obj_User, AD_Obj_Group, AD_Obj_Computer) for a specific AD Group ##Note: Add the | before the macro, can't embed in the macro and Can't Be NULL. ## Example - | `ms_obj_filter_lkup_group_members("AD_Obj_User","TestDomain","CN=Administrators,CN=Builtin,DC=testdomain,DC=local")` [ms_obj_filter_lkup_group_members(3)] args = tok_tgt_lkup,tok_tgt_domain,tok_tgt_group_dn definition = inputlookup $tok_tgt_lkup$ WHERE domain="$tok_tgt_domain$" AND [|inputlookup AD_Obj_Group WHERE dn="$tok_tgt_group_dn$" | fields member | rename member AS dn | table dn] ##Filter: Specific Lookup Object by OU Path - Macro to filter a lookup (ie. AD_Obj_User, AD_Obj_Group, AD_Obj_Computer, AD_Obj_OU, AD_Obj_GPO) for a specific AD OU Path ##Note: Add the | before the macro, can't embed in the macro. ## Example - | `ms_obj_filter_lkup_dn_path("AD_Obj_Computer","TestDomain","OU=vers_test_bed,OU=splunktel-users,DC=testdomain,DC=local")` [ms_obj_filter_lkup_dn_path(3)] args = tok_tgt_lkup,tok_tgt_domain,tok_tgt_dn_path definition = inputlookup $tok_tgt_lkup$ WHERE domain="$tok_tgt_domain$"\ | where match(dn_path,"$tok_tgt_dn_path$") ##FUll OU-User Filter - Model: Specific Lookup Object by OU Path - Macro to filter a lookup (ie. AD_Obj_User, AD_Obj_Group, AD_Obj_Computer, AD_Obj_OU, AD_Obj_GPO) for a specific AD OU Path ##Note: Add the | before the macro, can't embed in the macro. 
## Example - STANDARD INDEXED - sourcetype=WinEventLog `ms_obj_filter_user_by_dn_path("","*","OU=vers_test_bed,OU=splunktel-users,DC=testdomain,DC=local","search","|format")` ## EXAMPLE - DATA MODEL: ## | tstats summariesonly=true allow_old_summaries=true count from datamodel=Authentication.Authentication where Authentication.action=* Authentication.user=* (Authentication.src=* OR Authentication.dest=*) by _time,Authentication.src,Authentication.dest,Authentication.user,Authentication.action ## | rename "Authentication.*" as "*" ## | `ms_obj_filter_user_by_dn_path("join user","*","OU=vers_test_bed,OU=splunktel-users,DC=testdomain,DC=local","user","|table user")` [ms_obj_filter_dn_path_fields(6)] args = tok_lookup,tok_tgt_domain,tok_filt_ou,tok_link_field,tok_src_field,tok_part_post definition = [| inputlookup AD_Obj_User WHERE domain="$tok_tgt_domain$"\ | fields sAMAccountName,domain,cn,userPrincipalName,dn_path\ | WHERE match(dn_path, "$tok_filt_ou$")\ | eval $tok_link_field$=$tok_src_field$\ $tok_part_post$] iseval = 0 ##Filter: Subsearch - Member by AD Group - Macro to filter a lookup (ie. AD_Obj_User, AD_Obj_Group, AD_Obj_Computer) for a specific AD Group [ms_obj_filter_sub_group_members(2)] args = tok_tgt_domain,tok_tgt_group_dn definition = [| inputlookup AD_Obj_Group WHERE domain="$tok_tgt_domain$" AND dn="$tok_tgt_group_dn$" | fields member | rename member AS dn | table dn] ##Filter: Where Filter - Object by OU Path - Macro to filter a lookup (ie. AD_Obj_User, AD_Obj_Group, AD_Obj_Computer, AD_Obj_OU, AD_Obj_GPO) for a specific AD OU Path ##Note: Add the | before the macro, can't embed in the macro. 
## Example - | inputlookup AD_Obj_user | `ms_obj_filter_part_dn_path("OU=vers_test_bed,OU=splunktel-users,DC=testdomain,DC=local")` ## Example - | inputlookup AD_Obj_user | `ms_obj_filter_part_dn_path("Sales")` [ms_obj_filter_part_dn_path(1)] args = tok_tgt_dn_path definition = where match(dn_path,"$tok_tgt_dn_path$") ## - Filter - Admin Audit ## - By Group Membership [ms_obj_filter_admin_field_group(4)] args = tok_domain,tok_user_field,tok_admin_group,tok_format_option definition = [| inputlookup AD_Obj_Admin_Audit WHERE admin_domain="$tok_domain$" \ | fields admin_user, admin_cn,admin_dn,admin_userPrincipalName\ | lookup AD_Obj_Group member AS admin_dn OUTPUT dn AS memberOf\ | WHERE match(memberOf,"$tok_admin_group$")\ | eval $tok_user_field$=admin_user\ | eval $tok_user_field$=mvappend($tok_user_field$,admin_userPrincipalName,admin_cn,admin_dn)\ | stats count by $tok_user_field$\ | fields $tok_user_field$\ | $tok_format_option$] iseval = 0 ## - By Admin User ## - Updated for Multi-Domain Support [ms_obj_filter_admin_field_user(4)] args = tok_domain,tok_user_field,tok_admin_user,tok_format_option definition = [| inputlookup AD_Obj_Admin_Audit WHERE admin_domain="$tok_domain$" AND admin_user="$tok_admin_user$"\ | fields admin_user, admin_cn,admin_dn,admin_userPrincipalName\ | eval $tok_user_field$=admin_user,admin_cn=if(admin_cn=="",NULL,admin_cn),admin_dn=if(admin_dn=="",NULL,admin_dn),admin_userPrincipalName=if(admin_userPrincipalName=="",NULL,admin_userPrincipalName)\ | eval $tok_user_field$=mvappend($tok_user_field$,admin_userPrincipalName,admin_cn,admin_dn)\ | stats count by $tok_user_field$\ | fields $tok_user_field$\ | $tok_format_option$] iseval = 0 ###-------------------------------------------------------------------------------### #--- Future Use - Macros for retrieving Wizard Steps ---# ###-------------------------------------------------------------------------------### # Configuration Wizard ## [ms_obj_wiz_base_srch(1)] args = tok_tut_id definition = 
inputlookup ms_ad_obj_cfg_wiz_nav where tut_id="$tok_tut_id$" iseval = 0 [ms_obj_wiz_part_details] definition = eval cmb=((("part_" . part_id) . ":") . label_part) \ | stats values(cmb) AS cmb, values(uc_id) AS uc_id,values(pre_build_emb_vid) AS pre_build_emb_vid,values(pre_build_emb_view) AS pre_build_emb_view,values(pre_build_emb_srch) AS pre_build_emb_srch,values(pre_build_emb_dash) AS pre_build_emb_dash,,values(pre_build_emb_rpt) AS pre_build_emb_rpt,values(pre_build_show) AS pre_build_show\ | eval _raw=mvjoin(cmb,",")\ | extract pairdelim=",", kvdelim=":"\ | fillnull value="undefined" part_0,part_1,part_2,part_3,part_4,part_5,part_6,part_7,pre_build_emb_vid,pre_build_emb_view,pre_build_emb_srch,pre_build_emb_dash,pre_build_emb_rpt,pre_build_show\ | table uc_id,part_0,part_1,part_2,part_3,part_4,part_5,part_6,part_7,pre_build_emb_vid,pre_build_emb_view,pre_build_emb_srch,pre_build_emb_dash,pre_build_emb_rpt,pre_build_show iseval = 0 [ms_obj_wiz_step_details(2)] args = tok_part_current,tok_step_current definition = search part_id=$tok_part_current$ step_id=$tok_step_current$\ | eval next_step=if(step_id=total_steps,0,step_id+1)\ | eval previous_step=if(step_id=0,0,step_id-1)\ | eval show_prev_button=if(showPreviousButton="T","enabled","disabled")\ | eval show_next_button=if(showNextButton="T","display: inline-block;","display:none;")\ | eval show_next_step_part_button=if(showNextPartButton="T","display: inline-block;","display:none;")\ | eval label_next_step_part_button=if(showNextPartButton="T" AND part_id=(total_parts-1),"Finish","Next Part")\ | fillnull value=0 next_step,previous_step,total_steps\ | fillnull value="undefined" 
next_step,previous_step,show_sub_panels,show_panel_left,show_panel_single,show_right_page,show_right_object,show_sub_steps,panel_left,panel_right,panel_single,emb_object_src,emb_object_type,emb_object_title,combo_right_object,show_next_step_part_button,show_next_button,show_prev_button,step_0_state,step_1_state,step_2_state,step_3_state,step_4_state,step_5_state,step_6_state,step_7_state,step_8_state,data_panels_only\ | table next_step,previous_step,show_sub_panels,show_panel_left,show_panel_single,show_right_page,show_right_object,show_sub_steps,panel_left,panel_right,panel_single,emb_object_src,emb_object_type,emb_object_title,combo_right_object,show_next_step_part_button,show_next_button,show_prev_button,step_0_state,step_1_state,step_2_state,step_3_state,step_4_state,step_5_state,step_6_state,step_7_state,step_8_state,data_panels_only iseval = 0 ###-----------------------------------------------------### #--- Macro's Used for Security Reports for each Object ---# ###-----------------------------------------------------### ## Computer Search Macros that point to AD_Obj_Computer Lookup: [ms_obj_secrpt-new-computers_raw(1)] args = domain definition = `ms_obj_changes_base_cat_act("Computer","created")` dest_nt_domain="$domain$"\ | table _time,src_user,src_nt_domain,dest_nt_domain,user\ | eval adminuser=src_nt_domain."\\".src_user\ | eval sAMAccountName=$user$ \ | join sAMAccountName [|inputlookup AD_Obj_Computer WHERE sAMAccountName=$user$ | table dNSHostName,operatingSystem,operatingSystemServicePack]\ | table _time,cn,dNSHostName,operatingSystem,operatingSystemServicePack,adminuser\ | rename cn as "Added Computer",operatingSystem as "Operating System",operatingSystemServicePack as "ServicePack",adminuser as "Added By" iseval = 0 [ms_obj_secrpt-all-computers(1)] args = domain definition = inputlookup AD_Obj_Computer WHERE domain="$domain$"\ | `ms_obj_uac_get_details_lkup`\ | sort cn\ | table 
cn,dNSHostName,uac_details,operatingSystem,operatingSystemServicePack,whenChanged,whenCreated iseval = 0 [ms_obj_secrpt-all-domain-controllers(1)] args = domain definition = inputlookup AD_Obj_Computer WHERE domain="$domain$" AND primaryGroupID=516\ | `ms_obj_uac_get_details_lkup`\ | sort cn\ | table cn,dNSHostName,uac_details,operatingSystem,operatingSystemServicePack,whenChanged,whenCreated iseval = 0 [ms_obj_secrpt-disabled-computers(1)] args = domain definition = inputlookup AD_Obj_Computer WHERE domain="$domain$"\ | `ms_obj_uac_get_details_lkup`\ | eval uac_filter=mvfilter(match(uac_details, "Disabled"))\ | search uac_filter=*\ | sort sAMAccountName\ | makemv delim=":" uac_details\ | table cn,dNSHostName,uac_details,userAccountControl,whenChanged iseval = 0 [ms_obj_secrpt-inactive-computers(1)] args = domain definition = inputlookup AD_Obj_Computer WHERE domain="$domain$"\ | table sAMAccountName,cn,dNSHostName,operatingSystem,operatingSystemServicePack,userAccountControl \ |join type=outer sAMAccountName [search `ms_obj_success_logons("computer")` dest_nt_domain="$domain$"|stats max(_time) as lastLogonTime by user|rename user as sAMAccountName]\ | where isnull(lastLogonTime)\ | `ms_obj_uac_get_details_lkup`\ | table cn,dNSHostName,uac_details,operatingSystem,operatingSystemServicePack,userAccountControl\ | rename cn as Computer,operatingSystem as "Operating System",operatingSystemServicePack as "Service Pack" iseval = 0 [ms_obj_secrpt-trusted-computers(1)] args = domain definition = inputlookup AD_Obj_Computer WHERE domain="$domain$" \ | `ms_obj_uac_get_details_lkup`\ | eval uac_filter=mvfilter(match(uac_details, "Server Trust Account|Workstation Trust Account")) \ | search uac_filter=* \ | makemv delim=":" uac_details\ | table cn,dNSHostName,uac_details,userAccountControl,operatingSystem,operatingSystemServicePack iseval = 0 [ms_obj_secrpt-unmanaged-computers(1)] args = domain definition = inputlookup AD_Obj_Computer WHERE domain="$domain$" AND NOT 
managedBy="*" OR managedBy=""\ | sort sAMAccountName\ | `ms_obj_uac_get_details_lkup`\ | makemv delim=":" uac_details\ | table cn,dNSHostName,uac_details, userAccountControl,operatingSystem,operatingSystemServicePack iseval = 0 [ms_obj_secrpt-managed-computers(1)] args = domain definition = inputlookup AD_Obj_Computer WHERE domain="$domain$" AND managedBy="*" AND NOT managedBy=""\ | sort sAMAccountName\ | `ms_obj_uac_get_details_lkup`\ | makemv delim=":" uac_details\ | table cn,dNSHostName,managedBy,uac_details, operatingSystem,operatingSystemServicePack iseval = 0 [ms_obj_secrpt-unused-computers(1)] args = domain definition = inputlookup AD_Obj_Computer WHERE domain="$domain$" AND logonCount=0\ | `ms_obj_uac_get_details_lkup`\ | makemv delim=":" uac_details\ | table cn,dNSHostName,uac_details, userAccountControl,operatingSystem,operatingSystemServicePack iseval = 0 [ms_obj_secrpt-active-computers(1)] args = domain definition = `ms_obj_success_logons("computer")` dest_nt_domain="$domain$"\ | fields _time, dest_nt_domain, user\ | stats max(_time) as lastLogonTime by dest_nt_domain,user\ | rex field=user "^(?[^\$]+)"\ | join cn\ [| inputlookup AD_Obj_Computer\ | `ms_obj_uac_get_details_lkup`\ | makemv delim=":" uac_details\ | table cn,dNSHostName,uac_details,operatingSystem,operatingSystemServicePack]\ | eval lastLogonTime=strftime(lastLogonTime,"%c")\ | table cn,dNSHostName,uac_details,operatingSystem,operatingSystemServicePack,lastLogonTime\ | rename cn as Computer,operatingSystem as "Operating System",operatingSystemServicePack as "Service Pack",lastLogonTime as "Last Logon Time" iseval = 0 [ms_obj_secrpt-deleted-computers_raw(1)] args = domain definition = `ms_obj_changes_base_cat_act("Computer","deleted")` dest_nt_domain="$domain$"\ |eval adminuser=src_nt_domain."\\".src_user\ |table _time,user,adminuser\ |rename user as "Deleted Computer",adminuser as "Deleted By" iseval = 0 [ms_obj_secrpt-new-computers(3)] args = domain,starttime,endtime definition = 
inputlookup AD_Obj_Computer WHERE domain="$domain$"\ | eval begintime=strptime("$starttime$", "%m/%d/%y %I:%M %P")\ | eval finishtime=strptime("$endtime$", "%m/%d/%y %I:%M %P")\ | eval whenCreated_epoch=strptime(whenCreated, "%I:%M.%S %P, %a %m/%d/%Y")\ | where whenCreated_epoch>begintime AND whenCreated_epochbegintime AND deletedDatebegintime AND whenChanged_epoch$minsize$ \ | sort -membercount, cn\ | table cn,groupType_Name,membercount,whenChanged,whenCreated\ | rename cn as "Group Name",groupType_Name as "Type",membercount as "# Members" iseval = 0 [ms_obj_secrpt-nested-groups(1)] args = domain definition = inputlookup AD_Obj_Group WHERE domain="$domain$"\ | lookup AD_Obj_Group member AS dn OUTPUT dn AS memberOf\ | table distinguishedName,cn,groupType_Name,memberOf,whenChanged,whenCreated\ | search memberOf!=""\ | rename cn as "Group Name",groupType_Name as "Type" iseval = 0 [ms_obj_secrpt-unmanaged-groups(1)] args = domain definition = inputlookup AD_Obj_Group WHERE domain="$domain$" NOT managedBy="*" OR managedBy=""\ | sort cn\ | eval membercount=if(membercount=="",0,membercount)\ | table cn,groupType_Name,membercount,whenChanged,whenCreated\ | rename cn as "Group Name",groupType_Name as "Type",membercount as "# Members" iseval = 0 [ms_obj_secrpt-managed-groups(1)] args = domain definition = inputlookup AD_Obj_Group WHERE domain="$domain$" AND managedBy="*" AND NOT managedBy=""\ | sort cn\ | eval membercount=if(membercount=="",0,membercount)\ | table cn,managedBy,groupType_Name,membercount,whenChanged,whenCreated\ | rename cn as "Group Name",groupType_Name as "Type",membercount as "# Members" iseval = 0 [ms_obj_secrpt-new-groups_raw(1)] args = domain definition = `ms_obj_changes_base_cat_act("Group","created")` dest_nt_domain="$domain$"\ |lookup AD_Audit_Group_Type MSADGroupClassID OUTPUT MSADGroupClass\ | eval objectGUID=lower(objectGUID)\ | lookup AD_Obj_Group objectGUID OUTPUT cn AS user_group,MSADGroupType,MSADGroupClass\ |eval 
adminuser=src_nt_domain."\\".src_user\ |table _time,user_group,MSADGroupClass,MSADGroupType,adminuser\ |rename user_group as "Group Name",MSADGroupClass as "Class",MSADGroupType as "Type",adminuser as "Added By" iseval = 0 [ms_obj_secrpt-new-groups(3)] args = domain,starttime,endtime definition = inputlookup AD_Obj_Group WHERE domain="$domain$"\ | eval begintime=strptime("$starttime$", "%m/%d/%y %I:%M %P")\ | eval finishtime=strptime("$endtime$", "%m/%d/%y %I:%M %P")\ | eval whenCreated_epoch=strptime(whenCreated, "%I:%M.%S %P, %a %m/%d/%Y")\ | where whenCreated_epoch>begintime AND whenCreated_epochbegintime AND deletedDatebegintime AND whenChanged_epoch=$days_old$ OR days_since_password_set=="Never"\ | table sAMAccountName,cn,uac_details,pwdLastSet,days_since_password_set iseval = 0 [ms_obj_secrpt-new-users(3)] args = domain,starttime,endtime definition = inputlookup AD_Obj_User WHERE domain="$domain$"\ | eval begintime=strptime("$starttime$", "%m/%d/%y %I:%M %P")\ | eval finishtime=strptime("$endtime$", "%m/%d/%y %I:%M %P")\ | eval whenCreated_epoch=strptime(whenCreated, "%I:%M.%S %P, %a %m/%d/%Y")\ | where whenCreated_epoch>begintime AND whenCreated_epochbegintime AND deletedDatebegintime AND whenChanged_epoch0\ | fields cn,flags,displayName,versionNumber,lc,whenChanged\ | eval Status=case(flags==1,"User Settings Disabled",flags==2,"Computer Settings Disabled",flags==3,"All Settings Disabled",flags==0,"Enabled")\ | table cn,displayName,versionNumber,Status,whenChanged,lc\ | rename cn as "Group Policy ID",displayName as "Group Policy Name",versionNumber as "Version",lc as "Linked Containers" iseval = 0 [ms_obj_secrpt-deleted-group-policies_raw(1)] args = domain definition = `ms_obj_admon_flt_obj_type(ms_obj_admon_gpo,ms_obj_admon_base_del_type)`\ | eval deletedDate=if(match(lower(admonEventType), "deleted") OR match(lower(isDeleted), "true"), strptime(whenChanged, "%I:%M.%S %p, %a %m/%d/%Y"), 0)\ | fillnull value=""\ | stats max(deletedDate) as deletedDate, 
first(cn) as cn,first(uSNChanged) as uSNChanged, first(instanceType) as instanceType, first(lastKnownParent) as lastKnownParent, first(whenChanged) as whenChanged by distinguishedName, objectGUID,isDeleted,isRecycled\ | join objectGUID [|inputlookup AD_Obj_GPO | table objectGUID,src_nt_domain,displayName,versionNumber]\ | eval When_Deleted=strftime(deletedDate,"%m/%d/%y %H:%M:%S")\ | table displayName,src_nt_domain,When_Deleted,cn\ | sort cn\ | rename cn as "Group Policy ID",displayName as "Group Policy Name",src_nt_domain AS "Group Policy Domain" iseval = 0 [ms_obj_secrpt-gpo-not-linked(1)] args = domain definition = inputlookup AD_Obj_GPO WHERE domain="$domain$" AND NOT lc="*"\ | fields cn,displayName,versionNumber,lc,whenChanged\ | table cn,displayName,versionNumber,lc,whenChanged\ | sort cn\ | rename cn as "Group Policy ID",displayName as "Group Policy Name",versionNumber as "Version",lc as "Linked Containers" iseval = 0 [ms_obj_secrpt-gpo-linked(1)] args = domain definition = inputlookup AD_Obj_GPO WHERE domain="$domain$" AND lc="*"\ | fields cn,displayName,versionNumber,lc,whenChanged\ | table cn,displayName,versionNumber,lc\ | sort cn\ | rename cn as "Group Policy ID",displayName as "Group Policy Name",versionNumber as "Version",lc as "Linked Containers" iseval = 0 [ms_obj_secrpt-new-group-policies(3)] args = domain,starttime,endtime definition = `ms_obj_admon_gpo`\ | eval begintime=strptime("$starttime$","%m/%d/%y %I:%M %P"),finishtime=strptime("$endtime$","%m/%d/%y %I:%M %P"), when_cr=strptime(whenCreated,"%I:%M.%S %P, %a %m/%d/%Y")\ | where whenCreated==whenChanged AND when_cr>begintime AND when_crbegintime AND whenChanged_epoch\{.*\})"\ | join type=left gpo [| inputlookup AD_Obj_OU\ | search domain="$domain$" gpo=* NOT gpo=""\ | makemv delim="####" gpo\ | mvexpand gpo\ | eval ou_linked="####".ou." 
(".distinguishedName.")"\ | stats values(ou_linked) AS ou_linked by gpo\ | table gpo,ou_linked]\ | makemv delim="####" ou_linked\ | fillnull value="Not Linked" ou_linked\ | stats count by displayName,whenChanged,gpo,versionNumber,ou_linked\ | table displayName,whenChanged,gpo,versionNumber,ou_linked\ | rename displayName AS "Group Policy", gpo as "GPO_ID",ou_linked as "Linked OU" iseval = 0 [ms_obj_secrpt-deleted-group-policies(3)] args = domain,starttime,endtime definition = `ms_obj_admon_gpo` `ms_obj_admon_base_del_type`\ | eval deletedDate=if(match(lower(admonEventType), "Deleted") OR match(lower(isDeleted), "true"), strptime(whenChanged, "%I:%M.%S %p, %a %m/%d/%Y"), 0)\ | fillnull value=""\ | stats max(deletedDate) as deletedDate, first(cn) as cn,first(uSNChanged) as uSNChanged, first(instanceType) as instanceType, first(lastKnownParent) as lastKnownParent, first(whenChanged) as whenChanged by distinguishedName, objectGUID,isDeleted,isRecycled\ | join objectGUID [|inputlookup AD_Obj_GPO WHERE domain="$domain$"| table objectGUID,src_nt_domain,displayName,versionNumber]\ | eval When_Deleted=strftime(deletedDate,"%m/%d/%y %H:%M:%S")\ | table displayName,src_nt_domain,When_Deleted,cn\ | sort cn\ | rename cn as "Group Policy ID",displayName as "Group Policy Name",src_nt_domain AS "Group Policy Domain" iseval = 0 [ms_obj_gpo_action_events(3)] args = domain,gpo_guid,action definition = `ms_obj_changes_base_cat("Group Policy")` msad_action="$action$" src_nt_domain="$domain$"\ | eval adminuser=src_user\ | eval Object_Lookup_Name="{" . upper(Object_Name_Guid) . 
"}"\ | search Object_Lookup_Name="$gpo_guid$"\ | join Object_Lookup_Name [|inputlookup AD_Obj_GPO | eval Object_Lookup_Name=upper(cn)| search Object_Lookup_Name="$gpo_guid$" | table Object_Lookup_Name,displayName] \ | transaction maxspan=10m Object_Lookup_Name,adminuser,session_id\ | table _time, displayName,msad_action,Object_Lookup_Name,src_nt_domain,adminuser, session_id\ | rename msad_action AS "Action", src_nt_domian as "Domain",adminuser as "Administrator", displayName as "Group Policy Name" iseval = 0 [ms_obj_secrpt-deleted-lkp-gpo(3)] args = domain,starttime,endtime definition = inputlookup AD_Obj_GPO WHERE domain="$domain$" AND isDeleted="TRUE"\ | fields cn,Object_Lookup_Name,displayName,versionNumber,lc,distinguishedName,isDeleted,dateDeleted,whenChanged,description\ | eval begintime=strptime("$starttime$", "%m/%d/%y %I:%M %P")\ | eval finishtime=strptime("$endtime$", "%m/%d/%y %I:%M %P")\ | eval whenChanged_epoch=strptime(whenChanged, "%I:%M.%S %P, %a %m/%d/%Y")\ | eval dateDeleted_epoch=strptime(dateDeleted, "%I:%M.%S %P, %a %m/%d/%Y")\ | where dateDeleted_epoch>begintime AND dateDeleted_epochbegintime AND whenCreated_epochbegintime AND whenChanged_epoch[^(\\,|$)]+)" \ | eval DomainDNSName=mvjoin(lower(DomainDNSName),".") \ | eval begintime=strptime("$starttime$", "%m/%d/%y %I:%M %P")\ | eval finishtime=strptime("$endtime$", "%m/%d/%y %I:%M %P")\ | eval whenCreated_epoch=strptime(whenCreated, "%I:%M.%S %P, %a %m/%d/%Y")\ | lookup AD_Obj_Domain DomainDNSName AS DomainDNSName OUTPUT domain AS domain\ | sort -whenCreated_epoch\ | where domain="$domain$" AND ((whenCreated_epoch>begintime AND whenCreated_epoch[^\sDEL]+)"\ | dedup objectGUID\ | table _time,Name,name,dn,lastKnownParent,description\ | rename name as Object_Name,dn AS distinguishedName iseval = 0 [ms_obj_secrpt-changed-orgunits(3)] args = domain,starttime,endtime definition = inputlookup AD_Obj_OU WHERE domain="$domain$"\ | fields 
domain,OU,name,distinguishedName,displayName,isDeleted,whenChanged,description,gPLink\ | eval OU=if(isnull(name) OR name=="",if(isnull(OU) OR OU=="",displayName,OU),name)\ | eval begintime=strptime("$starttime$", "%m/%d/%y %I:%M %P")\ | eval finishtime=strptime("$endtime$", "%m/%d/%y %I:%M %P")\ | eval whenChanged_epoch=strptime(whenChanged, "%I:%M.%S %P, %a %m/%d/%Y")\ | sort -whenChanged_epoch\ | where whenChanged_epoch>begintime AND whenChanged_epochbegintime AND dateDeleted_epochbegintime AND whenCreated_epoch0\ | lookup AD_Obj_GPO lc AS distinguishedName,domain AS domain OUTPUT displayName AS Linked_GPO\ | table OU,dn,dn_hist,Linked_GPO,whenCreated,whenChanged,isDeleted\ | sort OU\ | rename Linked_GPO as "Linked GPO",dn_hist AS "DN History" iseval = 0 [ms_obj_secrpt-changed-lkp-orgunits(3)] args = domain,starttime,endtime definition = inputlookup AD_Obj_OU WHERE domain="$domain$"\ | fields domain,OU,name,displayName,distinguishedName,whenChanged,isDeleted,description,gPLink\ | eval OU=if(isnull(name) OR name=="",if(isnull(OU) OR OU=="",displayName,OU),name)\ | eval begintime=strptime("$starttime$", "%m/%d/%y %I:%M %P")\ | eval finishtime=strptime("$endtime$", "%m/%d/%y %I:%M %P")\ | eval whenChanged_epoch=strptime(whenChanged, "%I:%M.%S %P, %a %m/%d/%Y")\ | where whenChanged_epoch>begintime AND whenChanged_epoch(^CN|####CN))"\ | eval membercount=mvcount(mb_cnt)\ | fillnull value="0" membercount\ | lookup AD_Obj_Group member AS admin_dn OUTPUT dn AS memberOf\ | rename member AS member_hist,memberOf AS memberOf_hist\ | lookup AD_Audit_Group_Details groupType,sAMAccountType OUTPUT groupType_Name,MSADGroupType,MSADGroupClass\ | fillnull value="FALSE" isCriticalSystemObject\ | table 
objectGUID,MSADGroupClass,MSADGroupType,adminCount,c,dSCorePropagationData,description,displayName,dn_hist,dn_path,domain,groupType_Name,isCriticalSystemObject,l,managedBy,member_hist,memberOf_hist,membercount,objectCategory,q_link_id,sAMAccountType,src_nt_domain,st,sync_dn_chg,systemFlags iseval = 0 [ms_obj_admon_user_base_deletes] definition = `ms_obj_admon_flt_obj_type(ms_obj_admon_user,ms_obj_admon_base_del_type)`\ | stats latest(*) AS * by objectGUID\ | fields objectGUID,c,codePage,countryCode,department,description,displayName,dn_path,domain,givenName,initials,isCriticalSystemObject,l,lastLogon,lastLogonTimestamp,lockoutTime,logonCount,logonHours,managedBy,msDS-SupportedEncryptionTypes,objectCategory,physicalDeliveryOfficeName,postalCode,primaryGroupID,pwdLastSet,sAMAccountType,servicePrincipalName,showInAdvancedViewOnly,sn,st,streetAddress,title,userPrincipalName,userWorkstations\ | fillnull value = "FALSE" isCriticalSystemObject,showInAdvancedViewOnly\ | table objectGUID,c,codePage,countryCode,department,description,displayName,dn_path,domain,givenName,initials,isCriticalSystemObject,l,lastLogon,lastLogonTimestamp,lockoutTime,logonCount,logonHours,managedBy,msDS-SupportedEncryptionTypes,objectCategory,physicalDeliveryOfficeName,postalCode,primaryGroupID,pwdLastSet,sAMAccountType,servicePrincipalName,showInAdvancedViewOnly,sn,st,streetAddress,title,userPrincipalName,userWorkstations]\ | fillnull value="0" badPasswordTime,badPwdCount,codePage,countryCode,lastLogon,lockoutTime,logonCount,pwdLastSet iseval = 0 [ms_obj_admon_computer_base_deletes] definition = `ms_obj_admon_flt_obj_type(ms_obj_admon_computer,ms_obj_admon_base_del_type)`\ | stats latest(*) AS * by objectGUID\ | fields 
objectGUID,accountExpires,badPasswordTime,badPwdCount,c,codePage,countryCode,dNSHostName,dSCorePropagationData,description,displayName,dn_hist,dn_path,domain,isCriticalSystemObject,l,lastLogon,lastLogonTimestamp,localPolicyFlags,logonCount,managedBy,objectCategory,operatingSystem,operatingSystemServicePack,operatingSystemVersion,primaryGroupID,pwdLastSet,q_link_id,rIDSetReferences,sAMAccountType,serverReferenceBL,servicePrincipalName,src_nt_domain,st,sync_dn_chg\ | fillnull value="FALSE" isCriticalSystemObject\ | table objectGUID,accountExpires,badPasswordTime,badPwdCount,c,codePage,countryCode,dNSHostName,dSCorePropagationData,description,displayName,dn_hist,dn_path,domain,isCriticalSystemObject,l,lastLogon,lastLogonTimestamp,localPolicyFlags,logonCount,managedBy,objectCategory,operatingSystem,operatingSystemServicePack,operatingSystemVersion,primaryGroupID,pwdLastSet,q_link_id,rIDSetReferences,sAMAccountType,serverReferenceBL,servicePrincipalName,src_nt_domain,st,sync_dn_chg iseval = 0 [ms_obj_admon_ou_base_deletes] definition = `ms_obj_admon_flt_obj_type(ms_obj_admon_ou,ms_obj_admon_base_del_type)`\ | fields objectGUID,c,description,domain,isCriticalSystemObject,l,objectCategory,revision,showInAdvancedViewOnly,src_nt_domain,st,systemFlags,versionNumber\ | stats latest(*) AS * by objectGUID\ | fillnull value = "FALSE" isCriticalSystemObject,showInAdvancedViewOnly\ | table objectGUID,c,description,domain,isCriticalSystemObject,l,objectCategory,revision,showInAdvancedViewOnly,src_nt_domain,st,systemFlags,versionNumber iseval = 0 [ms_obj_admon_gpo_base_deletes] definition = `ms_obj_admon_flt_obj_type(ms_obj_admon_gpo,ms_obj_admon_base_del_type)`\ | fields objectGUID,cn_link,displayName,domain,flags,gPCFileSysPath,gPCFunctionalityVersion,gPCMachineExtensionNames,isCriticalSystemObject,lc,objectCategory,showInAdvancedViewOnly,src_nt_domain,systemFlags,versionNumber\ | stats latest(*) AS * by objectGUID\ | fillnull value = "FALSE" 
isCriticalSystemObject,showInAdvancedViewOnly\ | table objectGUID,cn_link,displayName,domain,flags,gPCFileSysPath,gPCFunctionalityVersion,gPCMachineExtensionNames,isCriticalSystemObject,lc,objectCategory,showInAdvancedViewOnly,src_nt_domain,systemFlags,versionNumber iseval = 0 ## | eval groupType_Name=case(groupType="2","Global distribution group",groupType="4","Domain local distribution group",groupType="8","Universal distribution group",groupType="-2147483646","Global security group",groupType="-2147483644","Domain local security group",groupType="-2147483640","Universal security group",groupType="2147483653","Built-In Domain Group",groupType="-2147483643","Built-In Domain Group") \ ###-------------------------------------------### ### Misc Macros Used by MS Windows AD Objects ### ###-------------------------------------------### [ms_obj_time_modifier(1)] args = time_modifier definition = tostring(relative_time(time(), "$time_modifier$")) iseval = 1 [ms_obj_msad-changed-attributes] definition = fillnull value="" signature,Correlation_IDs\ | eval f=replace(mvjoin(MSADChangedAttributes,"########"), "(?msi)\r\s+|\n\s+", "########")\ | makemv delim="########" f\ | eval MSADChangedAttributes=mvfilter(NOT match(f, ":(\s*\-\s*|)$"))\ | eval MSADChanges=if(isnull(MSADChangedAttributes),if(isnull(AttributeLDAPDisplayName),if(msad_action="moved","Moved:########--From: ".Old_DN."########--To: ".New_DN,""),if(isnull(AttributeValue) OR AttributeValue="-" OR AttributeValue="",NULL,dir_svcs_action." (".AttributeLDAPDisplayName.": ".AttributeValue.")")),MSADChangedAttributes) iseval = 0 [ms_obj_msad_changed_attr_sum] definition = eval change_action=if(isnull(msad_action),if(isnull(dir_svcs_action),"NA",dir_svcs_action),if(isnull(dir_svcs_action) OR dir_svcs_action=="Unknown",trim(msad_action),msad_action." 
(".dir_svcs_action.")"))\ | eval signature=if(isnull(change_signature),signature,change_signature)\ | eval Correlation_ID_sum=if(isnull(Correlation_ID),"",if(mvcount(Correlation_ID)>1,"Correlation IDs:######## - ".replace(mvjoin(Correlation_ID,"######## - "), "(?msi)\r\s+|\n\s+", "######## - "),"Correlation ID: ".Correlation_ID))\ | eval Signature=if(Correlation_ID_sum=="","######## - Signature: ".signature,"######## - Signature: ".signature."######## - ".Correlation_ID_sum)\ | eval Change_Summary="########(".strftime(_time,"%m/%d/%y %I:%M %P").") ".Signature\ | eval ad_chg=if(isnull(AttributeLDAPDisplayName),if(msad_action=="moved","mv",if(isnull(member_obj_lkp),0,"memb")),len(AttributeLDAPDisplayName)),ln_chg_attr=if(isnull(MSADChangedAttributes),0,len(MSADChangedAttributes))\ | eval mvd=if(ad_chg=="mv","######## - Action: Moved:######## - From: ".Old_DN."######## - To: ".New_DN,"")\ | eval MSADChanges=if(ad_chg=="0","",if(ad_chg=="mv",mvd,if(ad_chg=="memb","######## - Action: ".change_action."######## - Group: ".group_obj_lkp."######## - Member: ".member_obj_lkp,if(isnull(AttributeValue) OR AttributeValue="-" OR AttributeValue="","","######## - Action: ".change_action."######## - ".AttributeLDAPDisplayName.": ".AttributeValue))))\ | eval MSADChangedAttributes=if(ln_chg_attr=0,"",replace(replace(mvjoin(MSADChangedAttributes,"######## - "), "(?msi)\r\s+|\n\s+", "######## - "),"(?:\:)(\s\s+|\t)",": "))\ | eval Change_Details=if(ad_chg=0 AND ln_chg_attr=0,Change_Summary,if(ln_chg_attr=0,Change_Summary."########".MSADChanges,if(ad_chg=0,Change_Summary."######## - ".MSADChangedAttributes,"Signature: ".signature."######## - ".MSADChangedAttributes."########".MSADChanges)))\ | makemv delim="########" Change_Details\ | makemv delim="########" Change_Summary\ | eval Change_Details=mvfilter(NOT match(Change_Details, ":(\s*\-\s*|)$")) iseval = 0 ########################################################################################################## ## Splunk App for 
Windows Infrastructure/Microsoft Exchange App macros - since not shared globally in app: ########################################################################################################## [group-changes-for-group(2)] args = domain,group definition = `ms_obj_group_all_changes_base` dest_nt_domain="$domain$" user_group="$group$"\ | fields _time, objectGUID, src_nt_domain, src_user, member_id, msad_action\ | eval objectGUID=lower(objectGUID)\ | lookup AD_Obj_Group objectGUID OUTPUT cn AS user_group\ | search user_group="$group$"\ | eval adminuser=src_nt_domain."\\".src_user\ | table _time,adminuser,msad_action,member_id\ | rename adminuser as "Administrator",msad_action as "Action", member_id as "User" iseval = 0 [fix-localhost] definition = eval src_host=if(src_ip=="127.0.0.1" OR src_ip=="-",upper(host),src_host)|eval src_host=src_nt_domain."\\".src_host iseval = 0 [ip-to-host] definition = lookup tHostInfo local=true src_ip OUTPUTNEW src_host,src_nt_domain iseval = 0 ##[lockouts-for-user(2)] ##args = domain,user ##definition = eventtype=ms_ad_obj_msad-failed-user-logons src_nt_domain="$domain$" user="$user$"|stats min(_time) as mintime,max(_time) as maxtime,count by src,src_ip,signature|eval mintime=strftime(mintime,"%F %T")|eval maxtime=strftime(maxtime,"%F %T")|lookup tHostInfo local=true src_ip OUTPUT src_host,src_nt_domain [ms_obj_win_dir_acl] definition = `ms__obj_win_api_index` sourcetype="WinDirAcl" iseval = 0 [ms_obj_chk_macro_idx(5)] definition = makeresults\ | eval macro_title="$all_idxs$"\ | makemv delim="|" macro_title\ | eval fnd_flg="0"\ | mvexpand macro_title\ | join type=left macro_title [| rest /servicesNS/-/-/data/indexes count=0 splunk_server=local\ | eval fnd_flg="1",macro_title=title\ | fields macro_title,title,TotalEvents,fnd_flg]\ | join type=left macro_title [|makeresults | eval winevt_idx="$winevt_idxs$" | makemv delim="," winevt_idx | mvexpand winevt_idx | eval macro_title=winevt_idx,type="winevt_idx" | table 
macro_title,type,winevt_idx]\ | join type=left macro_title [|makeresults | eval perfmon_idx="$perfmon_idxs$" | makemv delim="," perfmon_idx | mvexpand perfmon_idx | eval macro_title=perfmon_idx,type="perfmon_idx" | table macro_title,type,perfmon_idx]\ | join type=left macro_title [|makeresults | eval msad_idx="$msad_idxs$" | makemv delim="," msad_idx | mvexpand msad_idx | eval macro_title=msad_idx,type="msad_idx" | table macro_title,type,msad_idx]\ | join type=left macro_title [|makeresults | eval winapi_idx="$winapi_idxs$" | makemv delim="," winapi_idx | mvexpand winapi_idx | eval macro_title=winapi_idx,type="winapi_idx" | table macro_title,type,winapi_idx]\ | eval TotalEvents=if(isnull(TotalEvents),0,TotalEvents)\ | eval winevt_fnd=if(type="winevt_idx",if(fnd_flg="1",1,0),"NULL"),perfmon_fnd=if(type="perfmon_idx",if(fnd_flg="1",1,0),"NULL"),msad_fnd=if(type="msad_idx",if(fnd_flg="1",1,0),"NULL"),winapi_fnd=if(type="winapi_idx",if(fnd_flg="1",1,0),"NULL")\ | eval winevt_mb=if(type="winevt_idx",TotalEvents,0),perfmon_mb=if(type="perfmon_idx",TotalEvents,0),msad_mb=if(type="msad_idx",TotalEvents,0),winapi_mb=if(type="winapi_idx",TotalEvents,0)\ | stats dc(winevt_fnd) AS winevt_fnd_cnt,max(winevt_mb) AS winevt_mb,min(winevt_fnd) AS winevt_fnd,dc(perfmon_fnd) AS perfmon_fnd_cnt,max(perfmon_mb) AS perfmon_mb,min(perfmon_fnd) AS perfmon_fnd,dc(msad_fnd) AS msad_fnd_cnt,max(msad_mb) AS msad_mb,min(msad_fnd) AS msad_fnd,dc(winapi_fnd) AS winapi_fnd_cnt,max(winapi_mb) AS winapi_mb,min(winapi_fnd) AS winapi_fnd\ | eval all_index_check=if(winevt_fnd=1 AND perfmon_fnd=1 AND msad_fnd=1 AND winapi_fnd=1,"All Indexes Available",if(winevt_fnd!=1 AND perfmon_fnd!=1 AND msad_fnd!=1 AND winapi_fnd!=1,"None of the indexes are available","Not all of the indexes are available"))\ | eval all_index_check_flg=if(winevt_fnd=1 AND perfmon_fnd=1 AND msad_fnd=1 AND winapi_fnd=1,"0",if(winevt_fnd!=1 AND perfmon_fnd!=1 AND msad_fnd!=1 AND winapi_fnd!=1,"2","1"))\ | eval 
all_index_check_icon=case(all_index_check_flg="0","check",all_index_check_flg=2,"error",all_index_check_flg=1,"warning")\ | eval all_index_check_color=case(all_index_check_flg="0","#40A540",all_index_check_flg="2","#DC4E41;",all_index_check_flg="1","#f99d1c;")\ | eval winevt_mb=if(isnull(winevt_mb) OR winevt_mb=0,"Not Available",winevt_mb." MB"),perfmon_mb=if(isnull(perfmon_mb) OR perfmon_mb=0,"Not Available",perfmon_mb." MB"),msad_mb=if(isnull(msad_mb) OR msad_mb=0,"Not Available",msad_mb." MB"),winapi_mb=if(isnull(winapi_mb) OR winapi_mb=0,"Not Available",winapi_mb." MB")\ | eval winevt_fnd=if(winevt_fnd=1,"Available (".winevt_mb.")",if(winevt_fnd_cnt>1,"Not All Available","Not Available")),perfmon_fnd=if(perfmon_fnd=1,"Available (".perfmon_mb.")",if(perfmon_fnd_cnt>1,"Not All Available","Not Available")),msad_fnd=if(msad_fnd=1,"Available (".msad_mb.")",if(msad_fnd_cnt>1,"Not All Available","Not Available")),winapi_fnd=if(winapi_fnd=1,"Available (".winapi_mb.")",if(winapi_fnd_cnt>1,"Not All Available","Not Available"))\ | eval chk_auto_create_idx=if(all_index_check_flg=="0",if("$tok_obj_env_type_arch$"="dist","chk_auto_create_idx_na","chk_auto_create_idx_y"),"chk_auto_create_idx_n")\ | table all_index_check,all_index_check_icon,all_index_check_color,all_index_check_flg,winevt_fnd,perfmon_fnd,msad_fnd,winapi_fnd,chk_auto_create_idx [ms_obj_cfg_macro_chk] definition = `ms_ad_obj_cfg_idx_base` \ | mvexpand index \ | join type=left index \ [|`ms_ad_obj_cfg_idx_avail`]\ | eval flag=if(isnull(index_flag),2,if(isnull(Total_Events),2,if(Total_Events>1,0,1)))\ | fillnull value=0 Total_Events\ | eval flag_msg=case(flag=2,"index Not Created: ".index,flag=1,"Missing Index Data: ".index,flag=0,"OK: ".index) \ | rename index as macro_index\ | eval missing_indexes=if(flag="2",macro_index,NULL),missing_data_indexes=if(flag="1",macro_index,NULL) \ | sort -flag macro_name \ | stats values(macro_index) AS macro_indexes,values(missing_indexes) AS 
missing_indexes,values(missing_data_indexes) AS missing_data_indexes,max(flag) AS flag,max(Total_Events) AS Total_Events by macro_name,macro_definition\ | eval flag_macro=flag,all_indexes=macro_indexes,macro_indexes=mvjoin(macro_indexes,","),missing_indexes=mvjoin(missing_indexes,","),missing_data_indexes=mvjoin(missing_data_indexes,",") \ | eval flag_macro_msg=case(flag_macro=="2","Warning: Missing Indexes (".missing_indexes.")",flag_macro=="1","Warning: Missing Data (".missing_data_indexes.")",flag_macro=="0","Ok: Indexes Created and have Data") \ | eval winevents_def=if(macro_name=="ms__obj_win_events_index",macro_definition,NULL),winevents_idxs=if(macro_name=="ms__obj_win_events_index",macro_indexes,NULL),winevents_mb=if(macro_name=="ms__obj_win_events_index",Total_Events,NULL),winevents_flag=if(macro_name=="ms__obj_win_events_index",flag_macro,NULL),winevents_flag_msg=if(macro_name=="ms__obj_win_events_index",flag_macro_msg,NULL) \ | eval winapi_def=if(macro_name=="ms__obj_win_api_index",macro_definition,NULL),winapi_idxs=if(macro_name=="ms__obj_win_api_index",macro_indexes,NULL),winapi_mb=if(macro_name=="ms__obj_win_api_index",Total_Events,NULL),winapi_flag=if(macro_name=="ms__obj_win_api_index",flag_macro,NULL),winapi_flag_msg=if(macro_name=="ms__obj_win_api_index",flag_macro_msg,NULL) \ | eval winad_def=if(macro_name=="ms__obj_win_ad_index",macro_definition,NULL),winad_idxs=if(macro_name=="ms__obj_win_ad_index",macro_indexes,NULL),winad_mb=if(macro_name=="ms__obj_win_ad_index",Total_Events,NULL),winad_flag=if(macro_name=="ms__obj_win_ad_index",flag_macro,NULL),winad_flag_msg=if(macro_name=="ms__obj_win_ad_index",flag_macro_msg,NULL) \ | eval 
winperf_def=if(macro_name=="ms__obj_win_perfmon_index",macro_definition,NULL),winperf_idxs=if(macro_name=="ms__obj_win_perfmon_index",macro_indexes,NULL),winperf_mb=if(macro_name=="ms__obj_win_perfmon_index",Total_Events,NULL),winperf_flag=if(macro_name=="ms__obj_win_perfmon_index",flag_macro,NULL),winperf_flag_msg=if(macro_name=="ms__obj_win_perfmon_index",flag_macro_msg,NULL) \
| stats values(all_indexes) AS all_indexes,values(winevents_*) AS winevents_*,values(winperf_*) AS winperf_*,values(winad_*) AS winad_*,values(winapi_*) AS winapi_*, max(flag_macro) AS flag_all \
| eval flag_all_msg=case(flag_all="2","Warning: Some or all indexes are missing",flag_all="1","Warning: Indexes created but some or all missing data",flag_all="0","OK: All Indexes Created and have some Data") \
| eval flag_chk_ko=if(flag_all="0","chk_d_ko_n","chk_d_ko_y") \
| eval flag_chk_idx=if(flag_all="0","chk_d_crt_idx_n","chk_d_crt_idx_y") \
| eval idx_filt="^".mvjoin(all_indexes,"$|^")."$" \
| table flag_all,flag_all_msg,flag_chk_ko,flag_chk_idx,winevents_*,winperf_*,winapi_*,winad_*,idx_filt
iseval = 0

## Above (ms_obj_cfg_macro_chk): one-row dashboard summary of the four index
## macros. flag_all is the worst per-macro flag (2 = index missing, 1 = index
## has no data, 0 = ok); idx_filt is an anchored regex alternation of every
## configured index name ("^a$|^b$") for the "(1)" variants further down.

## - Index names referenced by the four ms__obj_win_*_index macros, collapsed
##   to one multivalue field. Used as a subsearch by the eventcount / tstats
##   checks below.
[ms_ad_obj_cfg_idx_filter]
definition = `ms_ad_obj_cfg_idx_base`\
| stats values(index) AS index
iseval = 0

## - Reads the four index macros back out of macros.conf over REST and pulls
##   the index name(s) out of each definition text.
##   NOTE: the rest call runs as the searching user on the local search head;
##   a role that cannot read this app's macro objects typically gets no rows,
##   and every downstream check then reports the indexes as missing rather
##   than raising an error.
##   NOTE(review): the rex capture group reads "(?[^...]+)" in this copy - the
##   group name is absent and the pattern is not valid PCRE as written. Every
##   consumer (mvexpand index, stats values(index)) expects a field named
##   "index", so this was presumably "(?<index>...)" and the name was lost in
##   extraction. Confirm against the shipped app before relying on this text.
[ms_ad_obj_cfg_idx_base]
definition = rest /servicesNS/nobody/ms_windows_ad_objects/configs/conf-macros/ splunk_server=local \
| fields title,eai:acl.app,definition\
| search eai:acl.app="ms_windows_ad_objects" title IN("ms__obj_win_perfmon_index","ms__obj_win_ad_index","ms__obj_win_events_index","ms__obj_win_api_index")\
| rex field=definition max_match=0 "index(\\=|\\=\\s+|\\s+\\=|\\s+\\=\\s+)(\"|)(?[^(\"|\s|$)]+)"\
| rename title AS macro_name,definition as macro_definition
iseval = 0

## - Does each configured index exist and hold events? eventcount with
##   summarize=false returns one row per (index, server); index_flag=0 is the
##   "index exists" marker the left-joins in ms_obj_cfg_macro_chk* test for.
##   The second rest call looks for an entry titled "splunkclouduf"
##   (presumably the Splunk Cloud forwarder app) to detect Splunk Cloud; when
##   found, only servers named idx* / si* are counted. That is a naming
##   convention assumption about the Cloud indexer tier, not an API guarantee.
[ms_ad_obj_cfg_idx_avail]
definition = eventcount summarize=false index=[| `ms_ad_obj_cfg_idx_filter`] \
| eval link="link"\
| join type=left link [| rest /servicesNS/nobody/ splunk_server=local | search title="splunkclouduf" | eval link="link",cld="t"]\
| eval svr_filt=if(isnull(cld),".+","^(idx|si)"),index_flag=0\
| where match(server, svr_filt)\
| stats sum(count) AS Total_Events by index,index_flag
# Old - rest /servicesNS/-/-/data/indexes splunk_server=local \
##| fields title,currentDBSizeMB\
##| rename title AS index\
##| search [|`ms_ad_obj_cfg_idx_filter`|format| table search] \
##| eval index_flag="0"\
##| table index,currentDBSizeMB,index_flag
iseval = 0

## - Event counts per index and sourcetype (tstats, so cheap) for the
##   configured indexes; cmb is "sourcetype(count)" entries joined with "|".
[ms_ad_obj_cfg_idx_data]
definition = tstats count WHERE [|`ms_ad_obj_cfg_idx_filter`|format| table search] BY index, sourcetype \
| eval cmb=(((sourcetype . "(") . tostring(count,"commas")) . ")")\
| stats sum(count) AS Total_Events,values(cmb) AS cmb by index \
| eval cmb=mvjoin(cmb,"|"),data_flag="0"\
| table index,Total_Events,cmb,data_flag
iseval = 0

## - Same as above for a caller-supplied "|"-separated list of index names.
##   NOTE: $ms_obj_indexes$ is substituted verbatim inside a double-quoted
##   string literal; a value containing a double quote breaks out of the eval.
##   Bind the argument to a fixed dashboard/config value, not free text.
[ms_ad_obj_cfg_idx_data(1)]
args = ms_obj_indexes
definition = tstats count WHERE [|makeresults | eval index="$ms_obj_indexes$"| makemv delim="|" index | stats values(index) AS index | table index | format] BY index, sourcetype \
| eval cmb=(((sourcetype . "(") . tostring(count,"commas")) . ")")\
| stats sum(count) AS Total_Events,values(cmb) AS cmb by index \
| eval cmb=mvjoin(cmb,"|"),data_flag="0"\
| table index,Total_Events,cmb,data_flag
iseval = 0

## - Index-existence check restricted by a regex over the index name.
##   NOTE(review): $ms_obj_indexes$ is a regex here (match(index,...)) but a
##   literal "|"-separated list in ms_ad_obj_cfg_idx_data(1), and
##   ms_obj_cfg_macro_chk_filter(1) passes the same value to both. The
##   idx_filt produced by ms_obj_cfg_macro_chk ("^a$|^b$") fits only the regex
##   reading; a plain "a|b" list fits both but then matches index names by
##   substring. Confirm which form the calling dashboard supplies.
[ms_ad_obj_cfg_idx_avail(1)]
args = ms_obj_indexes
definition = eventcount summarize=false index=[| `ms_ad_obj_cfg_idx_filter`]\
| eval link="link"\
| join type=left link [| rest /servicesNS/nobody/ splunk_server=local | search title="splunkclouduf" | eval link="link",cld="t"]\
| eval svr_filt=if(isnull(cld),".+","^(idx|si)"),index_flag=0\
| where match(server, svr_filt) AND match(index,"$ms_obj_indexes$")\
| stats sum(count) AS Total_Events by index,index_flag
iseval = 0

## - Per-index status rows (macro, index, flag, event count, sourcetypes) for
##   a caller-supplied index list; expects the ms_ad_obj_cfg_idx_base rows,
##   already mvexpanded on index, as its input. Flag: 2 = index missing,
##   1 = at most one event or no tstats data, 0 = ok (note the ">1", so an
##   index holding exactly one event is reported as missing data).
##   The first "sort flag" runs before flag is computed and is a no-op.
##   "fillnull 0 Total_Events" appears to work only because fillnull's default
##   value is already 0 (the "0" is read as a field name); the later
##   "fillnull value=0 Total_Events" is the intended form.
[ms_obj_cfg_macro_chk_filter(1)]
args = ms_obj_indexes
definition = join type=left index [| `ms_ad_obj_cfg_idx_avail("$ms_obj_indexes$")` ]\
| join type=left index [| `ms_ad_obj_cfg_idx_data("$ms_obj_indexes$")` ]\
| sort flag,-Total_Events\
| eval Total_Sourcetypes=if(isnull(cmb),0,mvcount(cmb))\
| eval flag=if(isnull(index_flag),2,if(isnull(Total_Events),2,if(Total_Events>1,if(isnull(data_flag),1,0),1)))\
| fillnull 0 Total_Events\
| eval flag_msg=case(flag=2,"index Not Created: ".index,flag=1,"Missing Index Data: ".index,flag=0,"OK: ".index)\
| rename index as macro_index, cmb as sourcetypes\
| fillnull value=0 Total_Events\
| eval sourcetypes=if(isnull(sourcetypes),flag_msg,sourcetypes)\
| makemv delim="|" sourcetypes\
| sort -flag macro_name\
| table macro_name,macro_definition,macro_index,flag,flag_msg,Total_Events,sourcetypes
iseval = 0

## - Filtered variant of ms_obj_cfg_macro_chk: the idx_filt argument is passed
##   through to the regex form of the eventcount check; the rest of the
##   pipeline is the same one-row summary.
[ms_obj_cfg_macro_chk(1)]
args = idx_filt
definition = `ms_ad_obj_cfg_idx_base` \
| mvexpand index \
| join type=left index \
[| `ms_ad_obj_cfg_idx_avail("$idx_filt$")` ]\
| eval flag=if(isnull(index_flag),2,if(isnull(Total_Events),2,if(Total_Events>1,0,1)))\
| fillnull value=0 Total_Events\
| eval flag_msg=case(flag=2,"index Not Created: ".index,flag=1,"Missing Index Data: ".index,flag=0,"OK: ".index) \
| rename index as macro_index\
| eval 
missing_indexes=if(flag="2",macro_index,NULL),missing_data_indexes=if(flag="1",macro_index,NULL)\ | sort -flag macro_name \ | stats values(macro_index) AS macro_indexes,values(missing_indexes) AS missing_indexes,values(missing_data_indexes) AS missing_data_indexes,max(flag) AS flag,max(Total_Events) AS Total_Events by macro_name,macro_definition\ | eval flag_macro=flag,all_indexes=macro_indexes,macro_indexes=mvjoin(macro_indexes,","),missing_indexes=mvjoin(missing_indexes,","),missing_data_indexes=mvjoin(missing_data_indexes,",")\ | eval flag_macro_msg=case(flag_macro=="2","Warning: Missing Indexes (".missing_indexes.")",flag_macro=="1","Warning: Missing Data (".missing_data_indexes.")",flag_macro=="0","Ok: Indexes Created and have Data")\ | eval winevents_def=if(macro_name=="ms__obj_win_events_index",macro_definition,NULL),winevents_idxs=if(macro_name=="ms__obj_win_events_index",macro_indexes,NULL),winevents_mb=if(macro_name=="ms__obj_win_events_index",Total_Events,NULL),winevents_flag=if(macro_name=="ms__obj_win_events_index",flag_macro,NULL),winevents_flag_msg=if(macro_name=="ms__obj_win_events_index",flag_macro_msg,NULL)\ | eval winapi_def=if(macro_name=="ms__obj_win_api_index",macro_definition,NULL),winapi_idxs=if(macro_name=="ms__obj_win_api_index",macro_indexes,NULL),winapi_mb=if(macro_name=="ms__obj_win_api_index",Total_Events,NULL),winapi_flag=if(macro_name=="ms__obj_win_api_index",flag_macro,NULL),winapi_flag_msg=if(macro_name=="ms__obj_win_api_index",flag_macro_msg,NULL)\ | eval winad_def=if(macro_name=="ms__obj_win_ad_index",macro_definition,NULL),winad_idxs=if(macro_name=="ms__obj_win_ad_index",macro_indexes,NULL),winad_mb=if(macro_name=="ms__obj_win_ad_index",Total_Events,NULL),winad_flag=if(macro_name=="ms__obj_win_ad_index",flag_macro,NULL),winad_flag_msg=if(macro_name=="ms__obj_win_ad_index",flag_macro_msg,NULL)\ | eval 
winperf_def=if(macro_name=="ms__obj_win_perfmon_index",macro_definition,NULL),winperf_idxs=if(macro_name=="ms__obj_win_perfmon_index",macro_indexes,NULL),winperf_mb=if(macro_name=="ms__obj_win_perfmon_index",Total_Events,NULL),winperf_flag=if(macro_name=="ms__obj_win_perfmon_index",flag_macro,NULL),winperf_flag_msg=if(macro_name=="ms__obj_win_perfmon_index",flag_macro_msg,NULL)\ | stats values(all_indexes) AS all_indexes,values(winevents_*) AS winevents_*,values(winperf_*) AS winperf_*,values(winad_*) AS winad_*,values(winapi_*) AS winapi_*, max(flag_macro) AS flag_all\ | eval flag_all_msg=case(flag_all="2","Warning: Some or all indexes are missing",flag_all="1","Warning: Indexes created but some or all missing data",flag_all="0","OK: All Indexes Created and have some Data")\ | eval flag_chk_ko=if(flag_all="0","chk_d_ko_n","chk_d_ko_y")\ | eval flag_chk_idx=if(flag_all="0","chk_d_crt_idx_n","chk_d_crt_idx_y")\ | eval idx_filt="^".mvjoin(all_indexes,"$|^")."$"\ | table flag_all,flag_all_msg,flag_chk_ko,flag_chk_idx,winevents_*,winperf_*,winapi_*,winad_*,idx_filt iseval = 0 [ms_obj_cfg_macro_chk(2)] args = idx_filt,srch_trigger definition = `ms_ad_obj_cfg_idx_base` \ | mvexpand index \ | join type=left index \ [| `ms_ad_obj_cfg_idx_avail("$idx_filt$")` ] \ | sort flag \ | eval srch_trigger="$srch_trigger$"\ | eval flag=if(isnull(index_flag),2,if(isnull(Total_Events),2,if(Total_Events>1,0,1)))\ | fillnull value=0 Total_Events\ | eval flag_msg=case(flag=2,"index Not Created: ".index,flag=1,"Missing Index Data: ".index,flag=0,"OK: ".index) \ | rename index as macro_index\ | eval missing_indexes=if(flag="2",macro_index,NULL),missing_data_indexes=if(flag="1",macro_index,NULL)\ | sort -flag macro_name \ | stats values(macro_index) AS macro_indexes,values(missing_indexes) AS missing_indexes,values(missing_data_indexes) AS missing_data_indexes,max(flag) AS flag,max(Total_Events) AS Total_Events by macro_name,macro_definition\ | eval 
flag_macro=flag,all_indexes=macro_indexes,macro_indexes=mvjoin(macro_indexes,","),missing_indexes=mvjoin(missing_indexes,","),missing_data_indexes=mvjoin(missing_data_indexes,",")\ | eval flag_macro_msg=case(flag_macro=="2","Warning: Missing Indexes (".missing_indexes.")",flag_macro=="1","Warning: Missing Data (".missing_data_indexes.")",flag_macro=="0","Ok: Indexes Created and have Data")\ | eval winevents_def=if(macro_name=="ms__obj_win_events_index",macro_definition,NULL),winevents_idxs=if(macro_name=="ms__obj_win_events_index",macro_indexes,NULL),winevents_mb=if(macro_name=="ms__obj_win_events_index",Total_Events,NULL),winevents_flag=if(macro_name=="ms__obj_win_events_index",flag_macro,NULL),winevents_flag_msg=if(macro_name=="ms__obj_win_events_index",flag_macro_msg,NULL)\ | eval winapi_def=if(macro_name=="ms__obj_win_api_index",macro_definition,NULL),winapi_idxs=if(macro_name=="ms__obj_win_api_index",macro_indexes,NULL),winapi_mb=if(macro_name=="ms__obj_win_api_index",Total_Events,NULL),winapi_flag=if(macro_name=="ms__obj_win_api_index",flag_macro,NULL),winapi_flag_msg=if(macro_name=="ms__obj_win_api_index",flag_macro_msg,NULL)\ | eval winad_def=if(macro_name=="ms__obj_win_ad_index",macro_definition,NULL),winad_idxs=if(macro_name=="ms__obj_win_ad_index",macro_indexes,NULL),winad_mb=if(macro_name=="ms__obj_win_ad_index",Total_Events,NULL),winad_flag=if(macro_name=="ms__obj_win_ad_index",flag_macro,NULL),winad_flag_msg=if(macro_name=="ms__obj_win_ad_index",flag_macro_msg,NULL)\ | eval winperf_def=if(macro_name=="ms__obj_win_perfmon_index",macro_definition,NULL),winperf_idxs=if(macro_name=="ms__obj_win_perfmon_index",macro_indexes,NULL),winperf_mb=if(macro_name=="ms__obj_win_perfmon_index",Total_Events,NULL),winperf_flag=if(macro_name=="ms__obj_win_perfmon_index",flag_macro,NULL),winperf_flag_msg=if(macro_name=="ms__obj_win_perfmon_index",flag_macro_msg,NULL)\ | stats values(all_indexes) AS all_indexes,values(winevents_*) AS winevents_*,values(winperf_*) AS 
winperf_*,values(winad_*) AS winad_*,values(winapi_*) AS winapi_*, max(flag_macro) AS flag_all\ | eval flag_all_msg=case(flag_all="2","Warning: Some or all indexes are missing",flag_all="1","Warning: Indexes created but some or all missing data",flag_all="0","OK: All Indexes Created and have some Data")\ | eval flag_chk_ko=if(flag_all="0","chk_d_ko_n","chk_d_ko_y")\ | eval flag_chk_idx=if(flag_all="0","chk_d_crt_idx_n","chk_d_crt_idx_y")\ | eval idx_filt="^".mvjoin(all_indexes,"$|^")."$"\ | table flag_all,flag_all_msg,flag_chk_ko,flag_chk_idx,winevents_*,winperf_*,winapi_*,winad_*,idx_filt iseval = 0 [ms_obj_cfg_macro_chk_h] definition = `ms_ad_obj_cfg_idx_base`\ | mvexpand index\ | join type=left index\ [|`ms_ad_obj_cfg_idx_avail`]\ | fillnull value=0 Total_Events\ | fillnull value=1 index_flag\ | eval miss_idx=if(index_flag=0,NULL,index),nd_idx=if(Total_Events=0,index,NULL)\ | eval h_mac_flg=case(index_flag=0 AND Total_Events>0,"0",index_flag=0 AND Total_Events=0,"1",index_flag!=0,"2")\ | eval h_idx_val=case(h_mac_flg=0,index." (".tostring(Total_Events,"commas").")",h_mac_flg=1,index." (0)",h_mac_flg=2,index." 
(missing)")\ | stats values(miss_idx) AS miss_idx,values(nd_idx) AS nd_idx,max(h_mac_flg) AS h_mac_flg,max(index_flag) AS index_flag,sum(Total_Events) AS Total_Events,values(h_idx_val) AS h_idx_val,values(index) AS index by macro_name,macro_definition\ | eval h_mac_st=case(h_mac_flg=0,"idxs_ok",h_mac_flg=1,"idxs_nd",h_mac_flg==2,"idxs_m")\ | eval h_icon_st=case(h_mac_flg=0,"check-circle idxs_icon_ok",h_mac_flg!=0,"warning idxs_icon_warn")\ | eval h_mac_label=case(macro_name=="ms__obj_win_events_index","Eventlogs",macro_name=="ms__obj_win_perfmon_index","Performance",macro_name=="ms__obj_win_api_index","API/Scripts",macro_name=="ms__obj_win_ad_index","Active Directory")\ | eval h_mac_msg=case(h_mac_flg="0","Ok: Indexes Created and Have Data",h_mac_flg="1","Warning: Indexes Created but missing data (".mvjoin(nd_idx,", ").")",h_mac_flg="2","Warning: Missing Indexes (".mvjoin(miss_idx,", ").")")\ | eval h_res_row="".macro_name."".h_mac_label."(".tostring(Total_Events,"commas").")".macro_definition."".mvjoin(h_idx_val,", ")."".h_mac_msg.""\ | eval h_mac_nts="
  • Indexes: ".mvjoin(index,", ")." - Stores Windows ".h_mac_label." Data ( AutoCheck: ".h_mac_msg." )
  • "\ | stats values(miss_idx) AS miss_idx,values(nd_idx) AS nd_idx,max(h_mac_flg) AS h_mac_flg,values(h_res_row) AS h_res_row,values(h_mac_nts) AS h_mac_nts\ | eval all_mac_st=case(h_mac_flg=0,"a_idxs_o",h_mac_flg=1,"idxs_nd",h_mac_flg=2,"idxs_m")\ | eval all_mac_msg=case(h_mac_flg=0,"Ok: All Indexes Created and Have Data",h_mac_flg=1,"Warning: Indexes missing data (".mvjoin(nd_idx,", ").")",h_mac_flg=2,"Warning: Missing Indexes (".mvjoin(miss_idx,", ").")")\ | eval h_all_msg="Autocheck: ".all_mac_msg.""\ | eval h_table="

    Macro to Index Definitions: ( Autocheck: ".all_mac_msg." )

    Use the below table for verifying the indexes defined in the following macros have been created and are receiving data.

    ".mvjoin(h_res_row,"")."
    Macro NameData TypeDefinitionIndexes DefinedIndexes Status
    "\ | eval h_nt_list="
      ".mvjoin(h_mac_nts,"")."
    "\ | table all_mac_st,h_all_msg,h_table,h_nt_list iseval = 0 [ms_obj_cfg_macro_chk_h(1)] args = srch_trigger definition = `ms_ad_obj_cfg_idx_base`\ | mvexpand index\ | join type=left index\ [|`ms_ad_obj_cfg_idx_avail`]\ | fillnull value=0 Total_Events\ | fillnull value=1 index_flag\ | eval srch_trigger="$srch_trigger$"\ | eval miss_idx=if(index_flag=0,NULL,index),nd_idx=if(Total_Events=0,index,NULL)\ | eval h_mac_flg=case(index_flag=0 AND Total_Events>0,"0",index_flag=0 AND Total_Events=0,"1",index_flag!=0,"2")\ | eval h_idx_val=case(h_mac_flg=0,index." (".tostring(Total_Events,"commas").")",h_mac_flg=1,index." (0)",h_mac_flg=2,index." (missing)")\ | stats values(miss_idx) AS miss_idx,values(nd_idx) AS nd_idx,max(h_mac_flg) AS h_mac_flg,max(index_flag) AS index_flag,sum(Total_Events) AS Total_Events,values(h_idx_val) AS h_idx_val,values(index) AS index by macro_name,macro_definition\ | eval h_mac_st=case(h_mac_flg=0,"idxs_ok",h_mac_flg=1,"idxs_nd",h_mac_flg==2,"idxs_m")\ | eval h_icon_st=case(h_mac_flg=0,"check-circle idxs_icon_ok",h_mac_flg!=0,"warning idxs_icon_warn")\ | eval h_mac_label=case(macro_name=="ms__obj_win_events_index","Eventlogs",macro_name=="ms__obj_win_perfmon_index","Performance",macro_name=="ms__obj_win_api_index","API/Scripts",macro_name=="ms__obj_win_ad_index","Active Directory")\ | eval h_mac_msg=case(h_mac_flg="0","Ok: Indexes Created and Have Data",h_mac_flg="1","Warning: Indexes Created but missing data (".mvjoin(nd_idx,", ").")",h_mac_flg="2","Warning: Missing Indexes (".mvjoin(miss_idx,", ").")")\ | eval h_res_row="".macro_name."".h_mac_label."(".tostring(Total_Events,"commas").")".macro_definition."".mvjoin(h_idx_val,", ")."".h_mac_msg.""\ | eval h_mac_nts="
  • Indexes: ".mvjoin(index,", ")." - Stores Windows ".h_mac_label." Data ( AutoCheck: ".h_mac_msg." )
  • "\ | stats values(miss_idx) AS miss_idx,values(nd_idx) AS nd_idx,max(h_mac_flg) AS h_mac_flg,values(h_res_row) AS h_res_row,values(h_mac_nts) AS h_mac_nts\ | eval all_mac_st=case(h_mac_flg=0,"a_idxs_o",h_mac_flg=1,"idxs_nd",h_mac_flg=2,"idxs_m")\ | eval all_mac_msg=case(h_mac_flg=0,"Ok: All Indexes Created and Have Data",h_mac_flg=1,"Warning: Indexes missing data (".mvjoin(nd_idx,", ").")",h_mac_flg=2,"Warning: Missing Indexes (".mvjoin(miss_idx,", ").")")\ | eval h_all_msg="Autocheck: ".all_mac_msg.""\ | eval h_table="

    Macro to Index Definitions: ( Autocheck: ".all_mac_msg." )

    Use the below table for verifying the indexes defined in the following macros have been created and are receiving data.

    ".mvjoin(h_res_row,"")."
    Macro NameData TypeDefinitionIndexes DefinedIndexes Status
    "\ | eval h_nt_list="
      ".mvjoin(h_mac_nts,"")."
    "\ | table all_mac_st,h_all_msg,h_table,h_nt_list iseval = 0 ##============================================================## ##---------------- MULTI-DOMAIN - SPLIT KV Macros ------------## ##============================================================## ##--- Used for splitting User, Group, Computer Lookups out ---## ##--- by AD Domain ---## ##============================================================## ##============================================================## ###-----------------------------------------### #--- Initial Lookup Build Macros ---# #--- MULTI-DOMAIN - KV Split ---# #--- Only for User, Groups, Computers ---# ###-----------------------------------------### ## - Initial Build and Output ## Arguments = Domain NetBIOS Name, Domain's DC Value (from objectCategory), target object lowercase,target Object uppercase ## - Example - Update User - Domain 1 = `ms_obj_md_admon_bld_init_out("sedemo","sedemo.local",user,User)` ## - Example - Update User - Domain 2 = `ms_obj_md_admon_bld_init_out("hdq_corp","hdq_corp.sedemo.local",user,User)` ## - Example - Update Group - Domain 1 = `ms_obj_md_admon_bld_init_out("sedemo","sedemo.local",group,Group)` ## - Example - Update Group - Domain 2 = `ms_obj_md_admon_bld_init_out("hdq_corp","hdq_corp.sedemo.local",group,Group)` ## - Example - Update Computer - Domain 1 = `ms_obj_md_admon_bld_init_out("sedemo","sedemo.local",computer,Computer)` ## - Example - Update Computer - Domain 2 = `ms_obj_md_admon_bld_init_out("hdq_corp","hdq_corp.sedemo.local",computer,Computer)` [ms_obj_md_admon_bld_init_out_no_sync(4)] args = tgt_kv_suffix,tgt_dc_val,tok_obj_l_abrv,tok_obj_u_abrv definition = `ms_obj_admon_flt_obj_type(ms_obj_md_admon_$tok_obj_l_abrv$("$tgt_dc_val$"),ms_obj_admon_base_a_type)` \ | `ms_obj_admon_base_out_$tok_obj_l_abrv$`\ | stats values(*) AS * by key_val\ | eval _key=key_val\ | outputlookup AD_Obj_$tok_obj_u_abrv$_$tgt_kv_suffix$ iseval = 0 [ms_obj_admon_bld_init_out(4)] args = 
tgt_kv_suffix,tgt_dc_val,tok_obj_l_abrv,tok_obj_u_abrv
definition = `ms_obj_admon_flt_obj_type(ms_obj_md_admon_$tok_obj_l_abrv$("$tgt_dc_val$"),ms_obj_admon_base_a_type)` [search `ms_obj_admon_get_begin_sync_t(ms_obj_admon_$tok_obj_l_abrv$("$tgt_dc_val$"),"build")`]\
| `ms_obj_admon_base_out_$tok_obj_l_abrv$`\
| stats values(*) AS * by key_val\
| eval _key=key_val\
| outputlookup AD_Obj_$tok_obj_u_abrv$_$tgt_kv_suffix$ append=true
iseval = 0

## Above (ms_obj_admon_bld_init_out): initial build of one domain's object
## set into the per-domain KV lookup. append=true together with an explicit
## _key makes the write an upsert; the bracketed subsearch limits the time
## range to the begin-of-sync marker ("build" mode).
## NOTE(review): that subsearch calls ms_obj_admon_$tok_obj_l_abrv$("...") -
## a one-argument ms_obj_admon_user/group/computer - while the main search
## uses the ms_obj_md_admon_* form. No one-argument ms_obj_admon_user/group/
## computer macro is visible in this portion of the file; confirm it exists
## elsewhere or that the md_ variant was intended.

## - Initial Admin Audit Lookup
##[ms_obj_md_winevt_init_admin_audit(2)]
##args = tgt_domain,tgt_kv_suffix
##definition = `ms_obj_md_winevt_base_out_admin_audit("$tgt_domain$","$tgt_kv_suffix$")`\
##| stats values(*) AS * by key_val\
##| eval _key=key_val\
##| outputlookup AD_Obj_Admin_Audit
##iseval = 0

###-----------------------------------------###
#--- Scheduled Update Macros ---#
#--- MULTI-DOMAIN - KV Split ---#
###-----------------------------------------###

## - MULTI-DOMAIN SPLIT - Update Build and Output
## Arguments = Domain NetBIOS Name, Domain's DC Value (from objectCategory), target object lowercase,target Object uppercase
## - Example - Update User - Domain 1 = `ms_obj_md_admon_bld_upd_out("sedemo","sedemo.local",user,User)`
## - Example - Update User - Domain 2 = `ms_obj_md_admon_bld_upd_out("hdq_corp","hdq_corp.sedemo.local",user,User)`
## - Example - Update Group - Domain 1 = `ms_obj_md_admon_bld_upd_out("sedemo","sedemo.local",group,Group)`
## - Example - Update Group - Domain 2 = `ms_obj_md_admon_bld_upd_out("hdq_corp","hdq_corp.sedemo.local",group,Group)`
## - Example - Update Computer - Domain 1 = `ms_obj_md_admon_bld_upd_out("sedemo","sedemo.local",computer,Computer)`
## - Example - Update Computer - Domain 2 = `ms_obj_md_admon_bld_upd_out("hdq_corp","hdq_corp.sedemo.local",computer,Computer)`
## - Scheduled update: pulls Sync/Update/Deleted admon events for one domain,
##   merges the aliases already stored in the KV lookup
##   (ms_obj_md_admon_base_hist_*) and upserts the rows keyed
##   objectGUID#DomainDNSName.
##   NOTE: the lookup written to is named from two macro arguments
##   (AD_Obj_<Obj>_<suffix>) and the per-domain filter is a quoted
##   dc_val="$tgt_dc_val$" term, so a double quote in tgt_dc_val breaks the
##   search and an unexpected suffix creates or overwrites a different lookup.
##   Keep these arguments bound to the scheduled searches / AD_Obj_Domain
##   configuration, not to user-editable dashboard tokens.
[ms_obj_md_admon_bld_upd_out(4)]
args = tgt_kv_suffix,tgt_dc_val,tok_obj_l_abrv,tok_obj_u_abrv
definition = `ms_obj_admon_flt_obj_type(ms_obj_md_admon_$tok_obj_l_abrv$("$tgt_dc_val$"),ms_obj_admon_base_a_type)`\
| `ms_obj_admon_base_out_$tok_obj_l_abrv$`\
| `ms_obj_md_admon_base_hist_$tok_obj_l_abrv$("$tgt_kv_suffix$")`\
| eval _key=objectGUID."#".DomainDNSName\
| outputlookup AD_Obj_$tok_obj_u_abrv$_$tgt_kv_suffix$ append=true
iseval = 0

## - MULTI-DOMAIN SPLIT - Update Admin Audit Lookup
##[ms_obj_md_winevt_upd_admin_audit(2)]
##args = tgt_domain,tgt_kv_suffix
##definition = `ms_obj_md_winevt_base_out_admin_audit("$tgt_domain$","$tgt_kv_suffix$")`\
##| stats values(*) AS * by key_val\
##| eval _key=key_val\
##| outputlookup AD_Obj_Admin_Audit append=true
##iseval = 0

## - Multi-Domain Split - Admin Audit Lookup - Build and Update ##
##[ms_obj_md_winevt_base_out_admin_audit(2)]
##args = tgt_domain,tgt_kv_suffix
##definition = `ms_obj_changes_base_all` "$tgt_domain$"\
##| fields src_user, _time, src_nt_domain,dest_nt_domain\
##| eval domain=if(isnull(src_nt_domain),if(isnull(dest_nt_domain),"",lower(dest_nt_domain)),lower(src_nt_domain))\
##| search (domain="$tgt_domain$" OR domain="")
##| eval src_user=lower(src_user)\
##| stats latest(_time) as last_time_utc by src_user,domain\
##| lookup AD_Obj_User_$tgt_kv_suffix$ sAMAccountName as src_user OUTPUT sAMAccountName as admin_user,domain as admin_domain,dn as admin_dn,dn_path as admin_dn_path,cn as admin_cn,objectGUID as admin_objectGUID,userPrincipalName AS admin_userPrincipalName\
##| eval last_time_string=strftime(last_time_utc,"%m/%d/%y %H:%M:%S")\
##| fillnull value="" admin_dn,admin_dn_hist,admin_dn_path,admin_cn,admin_userPrincipalName\
##| stats values(*) AS * by admin_objectGUID,admin_domain\
##| eval key_val=lower(admin_objectGUID)."#".lower(admin_domain)
##iseval = 0

##- - MULTI-DOMAIN SPLIT - admon - Filter components - Object Type
## - All tracked object classes (user, group, GPO, OU and non-policy
##   containers) for one domain; dc_val is the domain selector.
[ms_obj_md_admon_base_a_obj(1)]
args = tgt_dc_val
definition = `ms_obj_admon_base` dc_val="$tgt_dc_val$" ("objectClass=top|person|organizationalPerson|user" OR "objectClass=top|group" OR "objectClass=top|container|groupPolicyContainer" OR (("objectClass=top|organizationalUnit") OR ("objectClass=top|container" NOT "CN=Policies," NOT "CN=DomainUpdates")))
iseval = 0

## - User objects for one domain. Computer accounts share the user objectClass
##   chain, so the longer "...|user|computer" chain is excluded explicitly.
[ms_obj_md_admon_user(1)]
args = tgt_dc_val
definition = `ms_obj_admon_base` dc_val="$tgt_dc_val$" "objectClass=top|person|organizationalPerson|user" NOT "objectClass=top|person|organizationalPerson|user|computer"
iseval = 0

## - Group objects for one domain.
[ms_obj_md_admon_group(1)]
args = tgt_dc_val
definition = `ms_obj_admon_base` dc_val="$tgt_dc_val$" "objectClass=top|group"
iseval = 0

## - Computer objects for one domain.
[ms_obj_md_admon_computer(1)]
args = tgt_dc_val
definition = `ms_obj_admon_base` dc_val="$tgt_dc_val$" "objectClass=top|person|organizationalPerson|user|computer"
iseval = 0

## MULTI-DOMAIN - History Update ##
## - Carry forward the alias values already stored in the KV lookup: the
##   stored lookup_usr list is appended to the incoming one and de-duplicated
##   by stats values(*), presumably so an object keeps resolving under its
##   earlier names/DNs after a rename or move (attribution of change events
##   that still carry the old DN depends on this).
[ms_obj_md_admon_base_hist_user(1)]
args = tgt_kv_suffix
definition = lookup AD_Obj_User_$tgt_kv_suffix$ domain,objectGUID OUTPUT lookup_usr AS p_lookup_usr\
| eval lookup_usr=if(isnull(p_lookup_usr),mvjoin(lookup_usr,"|"),mvjoin(lookup_usr,"|")."|".mvjoin(p_lookup_usr,"|"))\
| eval key_val=((objectGUID . "#") . DomainDNSName)\
| makemv delim="|" lookup_usr\
| fields - p_lookup_usr\
| stats values(*) AS * by key_val
iseval = 0

## - Same for groups (lookup_grp).
[ms_obj_md_admon_base_hist_group(1)]
args = tgt_kv_suffix
definition = lookup AD_Obj_Group_$tgt_kv_suffix$ domain,objectGUID OUTPUT lookup_grp AS p_lookup_grp\
| eval lookup_grp=if(isnull(p_lookup_grp),mvjoin(lookup_grp,"|"),mvjoin(lookup_grp,"|")."|".mvjoin(p_lookup_grp,"|"))\
| eval key_val=((objectGUID . "#") . DomainDNSName)\
| makemv delim="|" lookup_grp\
| fields - p_lookup_grp\
| stats values(*) AS * by key_val
iseval = 0

## - Same for computers (lookup_cmp). The lookup fields are written
##   "domain objectGUID" here versus "domain,objectGUID" in the user/group
##   variants; Splunk's lookup syntax accepts both, but it is inconsistent.
[ms_obj_md_admon_base_hist_computer(1)]
args = tgt_kv_suffix
definition = lookup AD_Obj_Computer_$tgt_kv_suffix$ domain objectGUID OUTPUT lookup_cmp AS p_lookup_cmp\
| eval lookup_cmp=if(isnull(p_lookup_cmp),mvjoin(lookup_cmp,"|"),mvjoin(lookup_cmp,"|")."|".mvjoin(p_lookup_cmp,"|"))\
| eval key_val=((objectGUID . "#") . 
DomainDNSName)\
| makemv delim="|" lookup_cmp\
| fields - p_lookup_cmp\
| stats values(*) AS * by key_val
iseval = 0

###-----------------------------------------###
#--- User,Group,Computer Changes Macros ---#
#--- MULTI-DOMAIN - KV Split ---#
###-----------------------------------------###

## - "Who made changes" roll-up for one domain: every src_user seen in the AD
##   change events is resolved against the supplied user lookup and keyed
##   objectGUID#domain for the caller's KV store write.
##   NOTE: $tgt_domain$ is dropped into the base search as a bare quoted
##   term, so it narrows only by free-text match; a double quote in the value
##   breaks the search and a wildcard widens it. The lookup name is also an
##   argument. Both should come from the AD_Obj_Domain configuration, never
##   from a free-text dashboard token.
##   NOTE(security): the final "stats ... by admin_objectGUID,admin_domain"
##   discards rows whose src_user did not resolve in the lookup (stats drops
##   null by-fields). Changes made by accounts absent from this domain's user
##   lookup - deleted accounts, foreign-domain or built-in principals - are
##   therefore missing from the admin audit. For a security review that is
##   the more interesting set; consider surfacing unresolved src_user values
##   separately instead of dropping them.
[ms_obj_md_admin_chg_all(2)]
args = tgt_domain,tgt_user_lookup
definition = `ms_obj_changes_base_all` "$tgt_domain$"\
| fields src_user, _time, src_nt_domain,dest_nt_domain\
| eval domain=if(isnull(src_nt_domain),if(isnull(dest_nt_domain),"",lower(dest_nt_domain)),lower(src_nt_domain))\
| eval src_user=lower(src_user)\
| stats latest(_time) as last_time_utc by src_user,domain\
| lookup $tgt_user_lookup$ sAMAccountName as src_user OUTPUT sAMAccountName as admin_user,domain as admin_domain,dn as admin_dn,dn_path as admin_dn_path,cn as admin_cn,objectGUID as admin_objectGUID,userPrincipalName AS admin_userPrincipalName\
| eval last_time_string=strftime(last_time_utc,"%m/%d/%y %H:%M:%S")\
| fillnull value="" admin_dn,admin_dn_hist,admin_dn_path,admin_cn,admin_userPrincipalName\
| stats values(*) AS * by admin_objectGUID,admin_domain\
| eval key_val=lower(admin_objectGUID)."#".lower(admin_domain)
iseval = 0

## - Same as above without the domain term: change events from all domains
##   are resolved against the one lookup given. The lookup join is on
##   sAMAccountName only (the event's domain field is not part of the match),
##   so with a multi-domain lookup a same-named account from another domain
##   can be attributed here - presumably the caller passes a per-domain
##   lookup; verify.
##   Note: this stanza has no "iseval = 0" line. Splunk defaults iseval to
##   false so it behaves the same, but it is inconsistent with its siblings.
[ms_obj_md_admin_chg_all(1)]
args = tgt_user_lookup
definition = `ms_obj_changes_base_all`\
| fields src_user, _time, src_nt_domain,dest_nt_domain\
| eval domain=if(isnull(src_nt_domain),if(isnull(dest_nt_domain),"",lower(dest_nt_domain)),lower(src_nt_domain))\
| eval src_user=lower(src_user)\
| stats latest(_time) as last_time_utc by src_user,domain\
| lookup $tgt_user_lookup$ sAMAccountName as src_user OUTPUT sAMAccountName as admin_user,domain as admin_domain,dn as admin_dn,dn_path as admin_dn_path,cn as admin_cn,objectGUID as admin_objectGUID,userPrincipalName AS admin_userPrincipalName\
| eval last_time_string=strftime(last_time_utc,"%m/%d/%y %H:%M:%S")\
| fillnull value="" admin_dn,admin_dn_hist,admin_dn_path,admin_cn,admin_userPrincipalName\
| stats values(*) AS * by admin_objectGUID,admin_domain\
| eval key_val=lower(admin_objectGUID)."#".lower(admin_domain)

## - Per-event user change rows. The changed object is resolved to its
##   sAMAccountName through the lookup's lookup_usr aliases, trying in order:
##   an existing user_obj_lkp, DN, Old_DN, New_DN, then the raw user value.
##   Computer targets are deliberately not resolved (user_type="computer"
##   -> NULL lookup key). Attribute changes are summarised by
##   ms_obj_msad_changed_attr_sum, which is defined elsewhere.
[ms_obj_md_user_change_out(1)]
args = user_lookup
definition = fields _time,src_user,user,user_type,user_obj_lkp,msad_action,MSADChanges,src_nt_domain,dest_nt_domain,signature,change_signature,MSADChangedAttributes,Correlation_ID,AttributeLDAPDisplayName,AttributeValue,DN,Old_DN,New_DN,dir_svcs_action\
| eval adminuser=if(isnull(src_nt_domain),src_user,upper(src_nt_domain)."\\".src_user)\
| eval user_obj_lkp=if(user_type="computer",NULL,if(isnull(user_obj_lkp),if(isnull(DN),if(isnull(Old_DN),if(isnull(New_DN),lower(user),lower(New_DN)),lower(Old_DN)),lower(DN)),lower(user_obj_lkp)))\
| lookup $user_lookup$ lookup_usr AS user_obj_lkp OUTPUT sAMAccountName AS b_user_obj_sam,cn AS b_user_obj_cn\
| eval user=if(isnull(b_user_obj_sam),if(isnull(b_user_obj_cn),if(isnull(user_obj_lkp),if(isnull(user),"NA",lower(user)),lower(user_obj_lkp)),lower(b_user_obj_cn)),lower(b_user_obj_sam))\
| eval dest_user_subject=if(isnull(dest_nt_domain),user,dest_nt_domain."\\".lower(user))\
| `ms_obj_msad_changed_attr_sum`\
| stats count, list(Change_Summary) AS Change_Summary, list(Change_Details) AS Change_Details,values(Correlation_ID) AS Correlation_IDs by _time,src_user,adminuser,msad_action,dest_user_subject,user\
| eval Change_Details=if(isnull(Change_Details),"Unknown Changes",Change_Details)\
| table _time,src_user,adminuser,msad_action,user,dest_user_subject,Correlation_IDs,Change_Summary,Change_Details
iseval = 0

## - Combined change view for users: events are bucketed per minute
##   (time_group) and per actor/target/action, renames, moves and attribute
##   changes are flattened into "########"-delimited text, then split back
##   into multivalue fields at the end. The empty "" concatenations (e.g.
##   change_action."".mvjoin(...)) look like markup stripped from this copy -
##   verify against the shipped app.
##   NOTE(security): "where src_user!=user" removes every row where the acting
##   account is the changed account, so self-modifications never appear in
##   this view. Self-modification of an account is a common privilege-
##   escalation signal; if the intent is only to hide self-service noise such
##   as password changes, filter on the action rather than on actor==target.
##   Also, user is lower-cased in this macro while src_user is not, so the
##   comparison is case-sensitive and the suppression applies inconsistently.
[ms_obj_md_user_change_cmb(1)]
args = user_lookup
definition = fields _time,src_user,obj_type,user,user_type,user_obj_lkp,user_obj_dn,msad_action,MSADChanges,src_nt_domain,dest_nt_domain,signature,change_signature,MSADChangedAttributes,Correlation_ID,AttributeLDAPDisplayName,AttributeValue,DN,Old_DN,New_DN,dir_svcs_action,Old_Account_Name,New_Account_Name\
| eval time_group=strftime(_time,"%m/%d/%y %I:%M %P") \
| eval adminuser=if(isnull(src_nt_domain),src_user,upper(src_nt_domain)."\\".src_user) \
| eval user_obj_lkp=if(isnull(user_obj_lkp),if(isnull(DN),if(isnull(Old_DN),if(isnull(New_DN),lower(user),lower(New_DN)),lower(Old_DN)),lower(DN)),lower(user_obj_lkp))\
| lookup $user_lookup$ lookup_usr AS user_obj_lkp OUTPUT sAMAccountName AS b_user_obj_sam,cn AS b_user_obj_cn \
| eval user=if(isnull(b_user_obj_sam),if(isnull(b_user_obj_cn),if(isnull(user_obj_lkp),if(isnull(user),"NA",lower(user)),lower(mvindex(user_obj_lkp,0))),lower(mvindex(b_user_obj_cn,0))),lower(mvindex(b_user_obj_sam,0))) \
| eval dest_user_subject=if(isnull(dest_nt_domain),lower(user),lower(dest_nt_domain)."\\".lower(user)) \
| eval change_action=if(isnull(msad_action),if(isnull(dir_svcs_action),"NA",dir_svcs_action),if(isnull(dir_svcs_action) OR dir_svcs_action=="Unknown",trim(msad_action),msad_action." (".dir_svcs_action.")")) \
| eval signature=if(isnull(change_signature),signature,change_signature) \
| eval ad_chg=if(isnull(AttributeLDAPDisplayName),if(isnotnull(New_Account_Name),"renm",if(msad_action=="moved","mv",if(isnull(MSADChanges),0,"MSADChanges"))),len(AttributeLDAPDisplayName)),ln_chg_attr=if(isnull(MSADChangedAttributes),0,len(MSADChangedAttributes)) \
| eval mvd=if(ad_chg=="mv","From: ".Old_DN."######## - To: ".New_DN,"") \
| eval renm=if(ad_chg=="renm","Account Rename:######## - From: ".Old_Account_Name."######## - To: ".New_Account_Name,"") \
| eval MSADChanges=if(ad_chg=="0","",if(ad_chg=="renm",renm,if(ad_chg=="mv",mvd,if(ad_chg=="MSADChanges",MSADChanges,if(isnull(AttributeValue) OR AttributeValue="-" OR AttributeValue="","",AttributeLDAPDisplayName.": ".AttributeValue))))) \
| eval MSADChangedAttributes=if(ln_chg_attr=0,"",replace(replace("######## - ".mvjoin(MSADChangedAttributes,"######## - "), "(?msi)\r\s+|\n\s+", "######## - "),"(?:\:)(\s\s+|\t)",": ")) \
| eval MSADChanges=if(ad_chg=0 AND ln_chg_attr=0,"",if(ln_chg_attr=0,"######## - ".MSADChanges,if(ad_chg=0,MSADChangedAttributes,MSADChangedAttributes."######## - ".MSADChanges))) \
| eval MSADChanges=replace(MSADChanges,"\:(\s+|\t+|)########\s+\-",":######## -")\
| stats count, values(MSADChanges) AS MSADChanges,values(MSADChangedAttributes) AS MSADChangedAttributes,values(Correlation_ID) AS Correlation_IDs,values(msad_action) AS msad_action,values(signature) AS Signature by time_group,src_user,adminuser,dest_user_subject,user,change_action\
| eval Change_Details=if(len(MSADChanges)=0 OR mvcount(MSADChanges)=0 OR isnull(MSADChanges),NULL,"######## - Action: ".change_action."".mvjoin(MSADChanges,""))\
| stats count, values(Change_Details) AS Change_Details,values(msad_action) AS msad_action,values(change_action) AS change_action,values(Correlation_IDs) AS Correlation_IDs,values(Signature) AS Signature by time_group,src_user,adminuser,dest_user_subject,user \
| where src_user!=user \
| eval Correlation_ID_sum=if(isnull(Correlation_IDs),"",if(mvcount(Correlation_IDs)>1,"######## - Correlation IDs:######## - ".mvjoin(Correlation_IDs,"######## - "),"######## - Correlation IDs:######## - ".Correlation_IDs)) \
| eval Change_Actions=if(mvcount(msad_action)>1,"Actions:######## - ".mvjoin(msad_action,"######## - "),"Actions:######## - ".msad_action) \
| eval Change_Summary="########(".time_group.")######## - Signatures:######## - ".mvjoin(Signature,"######## - ")."".Correlation_ID_sum \
| eval Change_Details=if(isnull(Change_Details),Change_Summary,Change_Summary."######## Change_Details:########".mvjoin(Change_Details,"")) \
| makemv delim="########" Change_Details \
| eval Change_Details=mvfilter(NOT match(Change_Details, ":(\s*\-\s*)$"))\
| makemv delim="########" Change_Summary \
| makemv delim="########" Change_Actions \
| table time_group,src_user,adminuser,msad_action,user,dest_user_subject,Correlation_IDs,Change_Actions,Change_Summary,Change_Details
iseval = 0

[ms_obj_md_computer_change_out(1)]
args = computer_lookup
definition = fields 
_time,src_user,user,user_type,comp_obj_dn,comp_obj_sam,msad_action,src_nt_domain,dest_nt_domain,signature,change_signature,MSADChanges,MSADChangedAttributes,Correlation_ID,AttributeLDAPDisplayName,AttributeValue,DN,Old_DN,New_DN,dir_svcs_action\ | eval adminuser=if(isnull(src_nt_domain),src_user,upper(src_nt_domain)."\\".src_user)\ | eval comp_obj_lkp=if(isnull(comp_obj_dn),if(isnull(DN),if(isnull(Old_DN),if(isnull(New_DN),if(isnull(comp_obj_sam),lower(user),lower(comp_obj_sam)),lower(New_DN)),lower(Old_DN)),lower(DN)),lower(comp_obj_dn))\ | lookup $computer_lookup$ lookup_cmp AS comp_obj_lkp OUTPUT sAMAccountName AS c_comp_obj_sam\ | eval computer=if(isnull(c_comp_obj_sam),comp_obj_lkp,lower(c_comp_obj_sam))\ | eval dest_comp_subject=if(isnull(dest_nt_domain),computer,dest_nt_domain."\\".lower(computer))\ | `ms_obj_msad_changed_attr_sum`\ | stats count, list(Change_Summary) AS Change_Summary, list(Change_Details) AS Change_Details,values(Correlation_ID) AS Correlation_IDs by _time,src_user,adminuser,change_action,dest_comp_subject,computer\ | eval Change_Details=if(isnull(Change_Details),"Unknown Changes",Change_Details)\ | table _time,src_user,adminuser,change_action,computer,dest_comp_subject,Correlation_IDs,Change_Summary,Change_Details iseval = 0 [ms_obj_md_computer_change_cmb(1)] args = computer_lookup definition = fields _time,src_user,obj_type,user,comp_obj_lkp,ComputerName,comp_obj_dn,comp_obj_sam,comp_obj_id,ObjectGuid,msad_action,MSADChanges,src_nt_domain,dest_nt_domain,signature,change_signature,MSADChangedAttributes,Correlation_ID,AttributeLDAPDisplayName,AttributeValue,DN,Old_DN,New_DN,dir_svcs_action,Old_Account_Name,New_Account_Name\ | eval time_group=strftime(_time,"%m/%d/%y %I:%M %P")\ | eval adminuser=if(isnull(src_nt_domain),src_user,upper(src_nt_domain)."\\".src_user)\ | eval 
comp_obj_lkp=if(isnull(comp_obj_dn),if(isnull(comp_obj_sam),if(isnull(comp_obj_id),if(isnull(comp_obj_lkp),if(isnull(DN),if(isnull(Old_DN),if(isnull(New_DN),if(isnull(user),lower(ComputerName),lower(user)),lower(New_DN)),lower(Old_DN)),lower(DN)),lower(comp_obj_lkp)),lower(comp_obj_id)),lower(comp_obj_sam)),lower(comp_obj_dn))\ | lookup $computer_lookup$ lookup_cmp AS comp_obj_lkp OUTPUT sAMAccountName AS b_comp_obj_sam,cn AS b_comp_obj_cn \ | eval comp_obj_lkp=if(isnull(b_comp_obj_sam),if(isnull(b_comp_obj_cn),if(isnull(comp_obj_lkp),"NA",lower(comp_obj_lkp)),lower(b_comp_obj_cn)),lower(b_comp_obj_sam)) \ | eval change_action=if(isnull(msad_action),if(isnull(dir_svcs_action),"NA",dir_svcs_action),if(isnull(dir_svcs_action) OR dir_svcs_action=="Unknown",trim(msad_action),msad_action." (".dir_svcs_action.")")) \ | eval signature=if(isnull(change_signature),signature,change_signature) \ | eval ad_chg=if(isnull(AttributeLDAPDisplayName),if(isnotnull(New_Account_Name),"renm",if(msad_action=="moved","mv",if(isnull(MSADChanges),0,"MSADChanges"))),len(AttributeLDAPDisplayName)),ln_chg_attr=if(isnull(MSADChangedAttributes),0,len(MSADChangedAttributes)) \ | eval mvd=if(ad_chg=="mv","From: ".Old_DN."######## - To: ".New_DN,"") \ | eval renm=if(ad_chg=="renm","Computer Rename:######## - From: ".Old_Account_Name."######## - To: ".New_Account_Name,"") \ | eval MSADChanges=if(ad_chg=="0","",if(ad_chg=="renm",renm,if(ad_chg=="mv",mvd,if(ad_chg=="MSADChanges",MSADChanges,if(isnull(AttributeValue) OR AttributeValue="-" OR AttributeValue="","",AttributeLDAPDisplayName.": ".AttributeValue))))) \ | eval MSADChangedAttributes=if(ln_chg_attr=0,"",replace(replace("######## - ".mvjoin(MSADChangedAttributes,"######## - "), "(?msi)\r\s+|\n\s+", "######## - "),"(?:\:)(\s\s+|\t)",": ")) \ | eval MSADChanges=if(ad_chg=0 AND ln_chg_attr=0,"",if(ln_chg_attr=0,"######## - ".MSADChanges,if(ad_chg=0,MSADChangedAttributes,MSADChangedAttributes."######## - ".MSADChanges))) \ | eval 
MSADChanges=replace(MSADChanges,"\:(\s+|\t+|)########\s+\-",":######## -") \ | stats count, values(MSADChanges) AS MSADChanges,values(MSADChangedAttributes) AS MSADChangedAttributes,values(Correlation_ID) AS Correlation_IDs,values(msad_action) AS msad_action,values(signature) AS Signature by time_group,src_user,adminuser,comp_obj_lkp,change_action\ | eval Change_Details=if(len(MSADChanges)=0 OR mvcount(MSADChanges)=0 OR isnull(MSADChanges),NULL,"######## - Action: ".change_action."".mvjoin(MSADChanges,""))\ | stats count, values(Change_Details) AS Change_Details,values(msad_action) AS msad_action,values(change_action) AS change_action,values(Correlation_IDs) AS Correlation_IDs,values(Signature) AS Signature by time_group,src_user,adminuser,comp_obj_lkp\ | eval Correlation_ID_sum=if(isnull(Correlation_IDs),"",if(mvcount(Correlation_IDs)>1,"######## - Correlation IDs:######## - ".mvjoin(Correlation_IDs,"######## - "),"######## - Correlation IDs:######## - ".Correlation_IDs)) \ | eval Change_Actions=if(mvcount(msad_action)>1,"Actions:######## - ".mvjoin(msad_action,"######## - "),"Actions:######## - ".msad_action) \ | eval Change_Summary="########(".time_group.")######## - Signatures:######## - ".mvjoin(Signature,"######## - ")."".Correlation_ID_sum \ | eval Change_Details=if(isnull(Change_Details),Change_Summary,Change_Summary."######## Change_Details:########".mvjoin(Change_Details,"")) \ | makemv delim="########" Change_Details \ | eval Change_Details=mvfilter(NOT match(Change_Details, ":(\s*\-\s*)$"))\ | makemv delim="########" Change_Summary \ | makemv delim="########" Change_Actions \ | table time_group,src_user,adminuser,msad_action,comp_obj_lkp,Correlation_IDs,Change_Actions,Change_Summary,Change_Details iseval = 0 [ms_obj_md_group_change_out(1)] args = group_lookup definition = fields 
_time,src_user,group_obj_lkp,member_obj_lkp,MSADGroupClass,MSADGroupClassID,MSADGroupType,msad_action,src_nt_domain,dest_nt_domain,signature,change_signature,MSADChanges,MSADChangedAttributes,Correlation_ID,AttributeLDAPDisplayName,AttributeValue,DN,Old_DN,New_DN,dir_svcs_action\ | eval adminuser=if(isnull(src_nt_domain),src_user,upper(src_nt_domain)."\\".src_user)\ | eval group_obj_lkp=trim(group_obj_lkp)\ | lookup AD_Audit_Group_Type MSADGroupClassID OUTPUT MSADGroupClass\ | lookup $group_lookup$ lookup_grp AS group_obj_lkp OUTPUT cn AS group_obj_cn, orig_cn AS group_obj_o_cn,MSADGroupClass AS MSADGroupClass_u, MSADGroupType AS MSADGroupType_u\ | eval group_obj_nm=if(isnull(group_obj_o_cn) OR group_obj_o_cn="",if(isnull(group_obj_cn) OR group_obj_cn="",if(isnull(group_obj_lkp),"NA",group_obj_lkp),lower(group_obj_cn)),lower(group_obj_o_cn))\ | eval MSADGroupClass=if(isnull(MSADGroupClass),if(isnull(MSADGroupClass_u),"NA",MSADGroupClass_u),MSADGroupClass)\ | eval MSADGroupType=if(isnull(MSADGroupType),if(isnull(MSADGroupType_u),"NA",MSADGroupType_u),MSADGroupType)\ | `ms_obj_msad_changed_attr_sum`\ | stats count, list(Change_Summary) AS Change_Summary, list(Change_Details) AS Change_Details,values(Correlation_ID) AS Correlation_IDs by _time,src_user,adminuser,change_action,group_obj_nm,MSADGroupType,MSADGroupClass\ | eval Change_Details=if(isnull(Change_Details),"Unknown Changes",Change_Details)\ | table _time,src_user,adminuser,change_action,group_obj_nm,MSADGroupType,MSADGroupClass,Correlation_IDs,Change_Summary,Change_Details iseval = 0 [ms_obj_md_group_change_cmb(1)] args = group_lookup definition = fields _time,src_user,obj_type,Group_Name,group_obj_lkp,group_obj_dn,msad_action,MSADChanges,src_nt_domain,dest_nt_domain,signature,change_signature,MSADChangedAttributes,Correlation_ID,AttributeLDAPDisplayName,AttributeValue,DN,Old_DN,New_DN,dir_svcs_action,Old_Account_Name,New_Account_Name,member_obj_lkp\ | eval time_group=strftime(_time,"%m/%d/%y %I:%M %P")\ | 
eval adminuser=if(isnull(src_nt_domain),src_user,upper(src_nt_domain)."\\".src_user)\ | eval group_obj_lkp=if(isnull(group_obj_lkp),if(isnull(DN),if(isnull(Old_DN),if(isnull(New_DN),lower(Group_Name),lower(New_DN)),lower(Old_DN)),lower(DN)),lower(group_obj_lkp))\ | eval member_obj_lkp=if(isnull(member_obj_lkp),"",member_obj_lkp)\ | lookup $group_lookup$ lookup_grp AS group_obj_lkp OUTPUT sAMAccountName AS b_group_obj_sam,cn AS b_group_obj_cn\ | eval group=if(isnull(b_user_obj_sam),if(isnull(b_group_obj_cn),if(isnull(group_obj_lkp),if(isnull(group_obj_lkp),"NA",lower(group_obj_lkp)),lower(mvindex(group_obj_lkp,0))),lower(mvindex(b_group_obj_cn,0))),lower(mvindex(b_group_obj_sam,0)))\ | eval change_action=if(isnull(msad_action),if(isnull(dir_svcs_action),"NA",dir_svcs_action),if(isnull(dir_svcs_action) OR dir_svcs_action=="Unknown",trim(msad_action),msad_action." (".dir_svcs_action.")"))\ | eval signature=if(isnull(change_signature),signature,change_signature)\ | eval ad_chg=if(isnull(AttributeLDAPDisplayName),if(isnotnull(New_Account_Name),"renm",if(msad_action=="moved","mv",if(isnull(MSADChanges),0,"MSADChanges"))),len(AttributeLDAPDisplayName)),ln_chg_attr=if(isnull(MSADChangedAttributes),0,len(MSADChangedAttributes))\ | eval mvd=if(ad_chg=="mv","From: ".Old_DN."######## - To: ".New_DN,"")\ | eval renm=if(ad_chg=="renm","Group Rename:######## - From: ".Old_Account_Name."######## - To: ".New_Account_Name,"")\ | eval MSADChanges=if(ad_chg=="0","",if(ad_chg=="renm",renm,if(ad_chg=="mv",mvd,if(ad_chg=="MSADChanges",MSADChanges,if(isnull(AttributeValue) OR AttributeValue="-" OR AttributeValue="","",AttributeLDAPDisplayName.": ".AttributeValue)))))\ | eval MSADChangedAttributes=if(ln_chg_attr=0,"",replace(replace("######## - ".mvjoin(MSADChangedAttributes,"######## - "), "(?msi)\r\s+|\n\s+", "######## - "),"(?:\:)(\s\s+|\t)",": "))\ | eval MSADChanges=if(ad_chg=0 AND ln_chg_attr=0,"",if(ln_chg_attr=0,"######## - 
".MSADChanges,if(ad_chg=0,MSADChangedAttributes,MSADChangedAttributes."######## - ".MSADChanges)))\ | eval MSADChanges=replace(MSADChanges,"\:(\s+|\t+|)########\s+\-",":######## -")\ | stats count, values(MSADChanges) AS MSADChanges,values(MSADChangedAttributes) AS MSADChangedAttributes,values(Correlation_ID) AS Correlation_IDs,values(msad_action) AS msad_action,values(signature) AS Signature,values(member_obj_lkp) AS member_obj_lkp,values(group_obj_lkp) AS group_obj_lkp by time_group,src_user,adminuser,group,change_action\ | eval Change_Details=if(len(MSADChanges)=0 OR mvcount(MSADChanges)=0 OR isnull(MSADChanges),NULL,"######## - Action: ".change_action."".mvjoin(MSADChanges,""))\ | stats count, values(Change_Details) AS Change_Details,values(msad_action) AS msad_action,values(change_action) AS change_action,values(Correlation_IDs) AS Correlation_IDs,values(Signature) AS Signature,values(member_obj_lkp) AS member_obj_lkp,values(group_obj_lkp) AS group_obj_lkp by time_group,src_user,adminuser,group\ | eval Correlation_ID_sum=if(isnull(Correlation_IDs),"",if(mvcount(Correlation_IDs)>1,"######## - Correlation IDs:######## - ".mvjoin(Correlation_IDs,"######## - "),"######## - Correlation IDs:######## - ".Correlation_IDs))\ | eval Change_Actions=if(mvcount(msad_action)>1,"Actions:######## - ".mvjoin(msad_action,"######## - "),"Actions:######## - ".msad_action)\ | eval Change_Summary="########(".time_group.")######## - Signatures:######## - ".mvjoin(Signature,"######## - ")."".Correlation_ID_sum\ | eval Change_Details=if(isnull(Change_Details),Change_Summary,Change_Summary."######## Change_Details:########".mvjoin(Change_Details,""))\ | makemv delim="########" Change_Details\ | eval Change_Details=mvfilter(NOT match(Change_Details, ":(\s*\-\s*)$"))\ | makemv delim="########" Change_Summary\ | makemv delim="########" Change_Actions\ | table 
time_group,src_user,adminuser,msad_action,group,Correlation_IDs,Change_Actions,Change_Summary,Change_Details,group_obj_lkp,member_obj_lkp iseval = 0 [ms_obj_md_group_change_det(1)] args = group_lookup definition = fields _time,src_user,adminuser,msad_action,signature,group_obj_lkp,member_obj_lkp,MSADGroupClass,MSADGroupClassID,MSADGroupType,MSADChanges,MSADChangedAttributes,Correlation_ID,Change_Actions\ | eval Correlation_ID_sum=if(isnull(Correlation_ID),"",if(mvcount(Correlation_ID)>1,"Correlation IDs:######## - ".replace(mvjoin(Correlation_ID,"######## - "), "(?msi)\r\s+|\n\s+", "######## - "),"Correlation ID: ".Correlation_ID))\ | lookup AD_Audit_Group_Type MSADGroupClassID OUTPUT MSADGroupClass\ | lookup $group_lookup$ lookup_grp AS group_obj_lkp OUTPUT cn AS group_obj_cn, orig_cn AS group_obj_o_cn,MSADGroupClass AS MSADGroupClass_u, MSADGroupType AS MSADGroupType_u\ | eval group_obj_nm=if(isnull(group_obj_o_cn) OR group_obj_o_cn="",if(isnull(group_obj_cn) OR group_obj_cn="",if(isnull(group_obj_lkp),"NA",group_obj_lkp),lower(group_obj_cn)),lower(group_obj_o_cn))\ | eval MSADGroupClass=if(isnull(MSADGroupClass),if(isnull(MSADGroupClass_u),"NA",MSADGroupClass_u),MSADGroupClass)\ | eval MSADGroupType=if(isnull(MSADGroupType),if(isnull(MSADGroupType_u),"NA",MSADGroupType_u),MSADGroupType)\ | eval Signature=if(Correlation_ID_sum=="","######## - Signature: ".signature,"######## - Signature: ".signature."######## - ".Correlation_ID_sum)\ | eval Change_Summary="########(".strftime(_time,"%m/%d/%y %I:%M %P").")".Signature\ | eval f=replace(mvjoin(replace(MSADChangedAttributes, "(?msi)\r\s+|\n\s+", "######## - "),"######## - "),"(\t|\s\s+)"," ")\ | makemv delim="########" f\ | eval MSADChangedAttributes=if(isnull(f),if(isnull(AttributeLDAPDisplayName) OR AttributeValue=="-" OR AttributeValue==" - ",if(isnull(member_obj_lkp),if(msad_action="moved","Moved:######## - From: ".Old_DN."######## - To: ".New_DN,NULL),"member: 
".member_obj_lkp),mvzip(AttributeLDAPDisplayName,AttributeValue,": ")),mvfilter(NOT match(f, ":(\s*\-\s*|)$")))\ | eval Change_Details=if(isnull(MSADChangedAttributes) OR mvcount(MSADChangedAttributes)=0,"########(".strftime(_time,"%m/%d/%y %I:%M %P").")######## - Action: ".change_action.Signature,"########(".strftime(_time,"%m/%d/%y %I:%M %P").")######## - Action: ".Change_Actions.Signature."######## - Details:######## - ".mvjoin(MSADChangedAttributes,"######## - "))\ | stats list(MSADChangedAttributes) AS MSADChangedAttributes,list(Change_Details) AS Change_Details,values(Correlation_ID) AS Correlation_IDs,values(Change_Summary) AS Change_Summary,min(_time) AS First_Change_Time,values(msad_action) AS msad_actions,values(member_obj_lkp) AS member_obj_lkp by src_user,adminuser,group_obj_nm,MSADGroupType,MSADGroupClass\ | eval First_Change_Time=strftime(First_Change_Time,"%m/%d/%y %I:%M %P")\ | eval Change_Details=if(isnull(Change_Details),if(isnull(Change_Summary),"Unknown Changes",mvjoin(Change_Summary, "########")),mvjoin(Change_Details, "########"))\ | makemv delim="########" Change_Details\ | makemv delim="########" Change_Summary iseval = 0 [ms_obj_md_group-changes-for-group(3)] args = group_lookup,domain,group definition = `ms_obj_group_all_changes_base` dest_nt_domain="$domain$" user_group="$group$"\ | fields _time, objectGUID, src_nt_domain, src_user, member_id, msad_action\ | eval objectGUID=lower(objectGUID)\ | lookup $group_lookup$ objectGUID OUTPUT cn AS user_group\ | search user_group="$group$"\ | eval adminuser=src_nt_domain."\\".src_user\ | table _time,adminuser,msad_action,member_id\ | rename adminuser as "Administrator",msad_action as "Action", member_id as "User" iseval = 0 ## Group Membership Changes - Output Part - Basic(User,Group,Computer - ie ugc) Group Membership Changes Output ## [ms_obj_md_group_m_ugc_change_out(3)] args = group_lookup,user_lookup,computer_lookup definition = fields _time, _raw, src_user, src_nt_domain, dest_nt_domain, 
msad_action, signature,DN,New_DN,Old_DN,group_obj_lkp,member_obj_domain,member_obj_id,member_obj_lkp,MSADGroupClass,MSADGroupClassID,MSADGroupType,MSADChanges,MSADChangedAttributes,AttributeLDAPDisplayName,AttributeValue,dir_svcs_action,Correlation_ID,change_signature\ | eval msad_action=if(isnull(msad_action),if(isnull(dir_svcs_action),"NA",dir_svcs_action),if(isnull(dir_svcs_action) OR dir_svcs_action=="Unknown",msad_action,msad_action." (".dir_svcs_action.")"))\ | eval member_obj_lkp=if(isnull(member_obj_lkp),member_obj_id,member_obj_lkp)\ | eval signature=if(isnull(change_signature),signature,change_signature)\ | eval adminuser=if(isnull(src_nt_domain),src_user,upper(src_nt_domain)."\\".src_user)\ | fillnull value="N/A" Correlation_ID,MSADGroupType,MSADGroupClass,MSADGroupClassID\ | `ms_obj_msad-changed-attributes`\ | stats list(MSADChanges) AS MSADChanges,values(Correlation_ID) AS Correlation_IDs by _time,src_user,adminuser,msad_action,group_obj_lkp,member_obj_lkp,MSADGroupType,MSADGroupClass,MSADGroupClassID,signature\ | lookup $group_lookup$ lookup_grp AS group_obj_lkp OUTPUT cn AS group_obj_cn, orig_cn AS group_obj_o_cn,MSADGroupClass AS MSADGroupClass_u, MSADGroupType AS MSADGroupType_u\ | eval group_obj_nm=if(isnull(group_obj_o_cn) OR group_obj_o_cn="",if(isnull(group_obj_cn) OR group_obj_cn="",if(isnull(group_obj_lkp),"NA",group_obj_lkp),lower(group_obj_cn)),lower(group_obj_o_cn))\ | eval MSADGroupClass=if(isnull(MSADGroupClass) OR MSADGroupClass="N/A",if(isnull(MSADGroupClass_u),"NA",MSADGroupClass_u),MSADGroupClass)\ | eval MSADGroupType=if(isnull(MSADGroupType) OR MSADGroupType="N/A",if(isnull(MSADGroupType_u),"NA",MSADGroupType_u),MSADGroupType)\ | eval MSADChanges=mvjoin(MSADChanges, "########")\ | eval MSADChanges=case(isnull(signature) AND isnull(MSADChanges),"Unknown Changes",isnull(signature),MSADChanges,isnotnull(MSADChanges),"Signature: ".signature."########".MSADChanges)\ | makemv delim="########" MSADChanges\ | lookup $user_lookup$ 
lookup_usr AS member_obj_lkp OUTPUT cn AS u_cn, dn AS u_dn,sAMAccountName AS u_sam,domain AS u_dom\ | lookup $group_lookup$ lookup_grp AS member_obj_lkp OUTPUT cn AS g_cn, dn AS g_dn,sAMAccountName AS g_sam,domain AS g_dom\ | lookup $computer_lookup$ lookup_cmp AS member_obj_lkp OUTPUT cn AS c_cn, dn AS c_dn,sAMAccountName AS c_sam,domain AS c_dom\ | eval member_obj_cn=if(isnull(u_cn),if(isnull(g_cn),if(isnull(c_cn),member_obj_lkp,c_cn),g_cn),u_cn)\ | eval member_obj_dn=if(isnull(u_dn),if(isnull(g_dn),if(isnull(c_dn),member_obj_lkp,c_dn),g_dn),u_dn)\ | eval member=if(isnull(u_sam),if(isnull(g_sam),if(isnull(c_sam),member_obj_lkp,c_dom."\\".c_sam),g_dom."\\".g_sam),u_dom."\\".u_sam)\ | eval Member_Type=if(isnull(u_cn),if(isnull(g_cn),"Computer","Group"),"User")\ | table _time,src_user,adminuser,group_obj_lkp,group_obj_nm,msad_action,MSADGroupType,MSADGroupClass,Member_Type,member_obj_lkp,member,member_obj_cn,member_obj_dn,MSADChanges,Correlation_IDs ## Group Membership Changes - Output Part - Basic(User Only - ie _u_) Changes Output ## [ms_obj_md_group_m_u_change_out(2)] args = group_lookup,user_lookup definition = fields _time,src_user,group_obj_lkp,member_obj_lkp,MSADGroupClass,MSADGroupClassID,MSADGroupType,msad_action,src_nt_domain,dest_nt_domain,signature,change_signature,MSADChanges,MSADChangedAttributes,Correlation_ID,AttributeLDAPDisplayName,AttributeValue,DN,Old_DN,New_DN,dir_svcs_action\ | eval adminuser=if(isnull(src_nt_domain),src_user,upper(src_nt_domain)."\\".src_user)\ | eval group_obj_lkp=trim(group_obj_lkp)\ | lookup AD_Audit_Group_Type MSADGroupClassID OUTPUT MSADGroupClass\ | lookup $group_lookup$ lookup_grp AS group_obj_lkp OUTPUT cn AS group_obj_cn, orig_cn AS group_obj_o_cn,MSADGroupClass AS MSADGroupClass_u, MSADGroupType AS MSADGroupType_u\ | eval group_obj_nm=if(isnull(group_obj_o_cn) OR group_obj_o_cn="",if(isnull(group_obj_cn) OR group_obj_cn="",if(isnull(group_obj_lkp),"NA",group_obj_lkp),lower(group_obj_cn)),lower(group_obj_o_cn))\ | 
eval MSADGroupClass=if(isnull(MSADGroupClass),if(isnull(MSADGroupClass_u),"NA",MSADGroupClass_u),MSADGroupClass)\ | eval MSADGroupType=if(isnull(MSADGroupType),if(isnull(MSADGroupType_u),"NA",MSADGroupType_u),MSADGroupType)\ | `ms_obj_msad_changed_attr_sum`\ | stats count, list(Change_Summary) AS Change_Summary, list(Change_Details) AS Change_Details,values(Correlation_ID) AS Correlation_IDs by _time,src_user,adminuser,change_action,group_obj_nm,member_obj_lkp,MSADGroupType,MSADGroupClass\ | lookup $user_lookup$ lookup_usr AS member_obj_lkp OUTPUT cn AS u_cn\ | eval member=if(isnull(u_cn),member_obj_lkp,u_cn)\ | eval Member_Type="User"\ | eval Change_Details=if(isnull(Change_Details),"Unknown Changes",Change_Details)\ | table _time,src_user,adminuser,change_action,group_obj_nm,member,Member_Type,MSADGroupType,MSADGroupClass,Correlation_IDs,Change_Summary,Change_Details iseval = 0 [ms_obj_md_group_m_change_det(3)] args = group_lookup,user_lookup,computer_lookup definition = fields _time, _raw, adminuser,src_user, src_nt_domain, dest_nt_domain, msad_action, signature,DN,New_DN,Old_DN,group_obj_lkp,member_obj_domain,member_obj_secid,member_obj_cn,member_obj_dn,member_obj_lkp,member_obj_id,member_obj_sam,MSADGroupClass,MSADGroupClassID,MSADGroupType,MSADChanges,MSADChangedAttributes,Correlation_ID,Change_Actions\ | eval Correlation_ID_sum=if(isnull(Correlation_ID),"",if(mvcount(Correlation_ID)>1,"Correlation IDs:######## - ".replace(mvjoin(Correlation_ID,"######## - "), "(?msi)\r\s+|\n\s+", "######## - "),"Correlation ID: ".Correlation_ID))\ | lookup AD_Audit_Group_Type MSADGroupClassID OUTPUT MSADGroupClass\ | lookup $group_lookup$ lookup_grp AS group_obj_lkp OUTPUT cn AS group_obj_cn, orig_cn AS group_obj_o_cn,MSADGroupClass AS MSADGroupClass_u, MSADGroupType AS MSADGroupType_u\ | eval group_obj_nm=if(isnull(group_obj_o_cn) OR group_obj_o_cn="",if(isnull(group_obj_cn) OR 
group_obj_cn="",if(isnull(group_obj_lkp),"NA",group_obj_lkp),lower(group_obj_cn)),lower(group_obj_o_cn))\ | eval MSADGroupClass=if(isnull(MSADGroupClass),if(isnull(MSADGroupClass_u),"NA",MSADGroupClass_u),MSADGroupClass)\ | eval MSADGroupType=if(isnull(MSADGroupType),if(isnull(MSADGroupType_u),"NA",MSADGroupType_u),MSADGroupType)\ | eval Signature=if(Correlation_ID_sum=="","######## - Signature: ".signature,"######## - Signature: ".signature."######## - ".Correlation_ID_sum)\ | eval Change_Summary="########(".strftime(_time,"%m/%d/%y %I:%M %P").")".Signature\ | eval f=replace(mvjoin(replace(MSADChangedAttributes, "(?msi)\r\s+|\n\s+", "######## - "),"######## - "),"(\t|\s\s+)"," ")\ | makemv delim="########" f\ | eval MSADChangedAttributes=if(isnull(f),NULL,mvfilter(NOT match(f, ":(\s*\-\s*|)$")))\ | eval Change_Details=if(isnull(MSADChangedAttributes) OR mvcount(MSADChangedAttributes)=0,"########(".strftime(_time,"%m/%d/%y %I:%M %P").")######## - Action: ".Change_Actions.Signature,"########(".strftime(_time,"%m/%d/%y %I:%M %P").")######## - Action: ".Change_Actions.Signature."######## - Details:######## - ".mvjoin(MSADChangedAttributes,"######## - "))\ | stats list(MSADChangedAttributes) AS MSADChangedAttributes,list(Change_Details) AS Change_Details,values(Correlation_ID) AS Correlation_IDs,values(Change_Summary) AS Change_Summary,min(_time) AS First_Change_Time by src_user,adminuser,group_obj_nm,msad_action,member_obj_lkp,MSADGroupType,MSADGroupClass\ | lookup $user_lookup$ lookup_usr AS member_obj_lkp OUTPUT cn AS u_cn\ | lookup $group_lookup$ lookup_grp AS member_obj_lkp OUTPUT cn AS g_cn\ | lookup $computer_lookup$ lookup_cmp AS member_obj_lkp OUTPUT cn AS c_cn\ | eval member=if(isnull(u_cn),if(isnull(g_cn),if(isnull(c_cn),member_obj_lkp,c_cn),g_cn),u_cn)\ | eval Member_Type=if(isnull(u_cn),if(isnull(g_cn),"Computer","Group"),"User")\ | eval First_Change_Time=strftime(First_Change_Time,"%m/%d/%y %I:%M %P")\ | eval 
Change_Details=if(isnull(Change_Details),if(isnull(Change_Summary),"Unknown Changes",mvjoin(Change_Summary, "########")),mvjoin(Change_Details, "########"))\ | makemv delim="########" Change_Details\ | makemv delim="########" Change_Summary iseval = 0 [ms_obj_md_group_m_change_out(3)] args = group_lookup,user_lookup,computer_lookup definition = fields _time,src_user,group_obj_lkp,member_obj_lkp,MSADGroupClass,MSADGroupClassID,MSADGroupType,msad_action,src_nt_domain,dest_nt_domain,signature,change_signature,MSADChanges,MSADChangedAttributes,Correlation_ID,AttributeLDAPDisplayName,AttributeValue,DN,Old_DN,New_DN,dir_svcs_action\ | eval adminuser=if(isnull(src_nt_domain),src_user,upper(src_nt_domain)."\\".src_user)\ | eval group_obj_lkp=trim(group_obj_lkp)\ | lookup AD_Audit_Group_Type MSADGroupClassID OUTPUT MSADGroupClass\ | lookup $group_lookup$ lookup_grp AS group_obj_lkp OUTPUT cn AS group_obj_cn, orig_cn AS group_obj_o_cn,MSADGroupClass AS MSADGroupClass_u, MSADGroupType AS MSADGroupType_u\ | eval group_obj_nm=if(isnull(group_obj_o_cn) OR group_obj_o_cn="",if(isnull(group_obj_cn) OR group_obj_cn="",if(isnull(group_obj_lkp),"NA",group_obj_lkp),lower(group_obj_cn)),lower(group_obj_o_cn))\ | eval MSADGroupClass=if(isnull(MSADGroupClass),if(isnull(MSADGroupClass_u),"NA",MSADGroupClass_u),MSADGroupClass)\ | eval MSADGroupType=if(isnull(MSADGroupType),if(isnull(MSADGroupType_u),"NA",MSADGroupType_u),MSADGroupType)\ | `ms_obj_msad_changed_attr_sum`\ | stats count, list(Change_Summary) AS Change_Summary, list(Change_Details) AS Change_Details,values(Correlation_ID) AS Correlation_IDs by _time,src_user,adminuser,change_action,group_obj_nm,member_obj_lkp,MSADGroupType,MSADGroupClass\ | lookup $user_lookup$ lookup_usr AS member_obj_lkp OUTPUT cn AS u_cn\ | lookup $group_lookup$ lookup_grp AS member_obj_lkp OUTPUT cn AS g_cn\ | lookup $computer_lookup$ lookup_cmp AS member_obj_lkp OUTPUT cn AS c_cn\ | eval 
member=if(isnull(u_cn),if(isnull(g_cn),if(isnull(c_cn),member_obj_lkp,c_cn),g_cn),u_cn)\ | eval Member_Type=if(isnull(u_cn),if(isnull(g_cn),"Computer","Group"),"User")\ | eval Change_Details=if(isnull(Change_Details),"Unknown Changes",Change_Details)\ | table _time,src_user,adminuser,change_action,group_obj_nm,member,Member_Type,MSADGroupType,MSADGroupClass,Correlation_IDs,Change_Summary,Change_Details iseval = 0 ## Group Membership Changes - Output Part - Basic(Embedded Groups Only - ie _g_) Output ## [ms_obj_md_group_m_g_change_out(1)] args = group_lookup definition = fields _time, _raw, src_user, src_nt_domain, dest_nt_domain, msad_action, signature,DN,New_DN,Old_DN,group_obj_lkp,member_obj_domain,member_obj_id,member_obj_lkp,MSADGroupClass,MSADGroupClassID,MSADGroupType,MSADChanges,MSADChangedAttributes,AttributeLDAPDisplayName,AttributeValue,dir_svcs_action,Correlation_ID,change_signature\ | eval msad_action=if(isnull(msad_action),if(isnull(dir_svcs_action),"NA",dir_svcs_action),if(isnull(dir_svcs_action) OR dir_svcs_action=="Unknown",msad_action,msad_action." 
(".dir_svcs_action.")"))\ | eval member_obj_lkp=if(isnull(member_obj_lkp),member_obj_id,member_obj_lkp)\ | eval signature=if(isnull(change_signature),signature,change_signature)\ | eval adminuser=if(isnull(src_nt_domain),src_user,upper(src_nt_domain)."\\".src_user)\ | fillnull value="N/A" Correlation_ID,MSADGroupType,MSADGroupClass,MSADGroupClassID\ | `ms_obj_msad-changed-attributes`\ | stats list(MSADChanges) AS MSADChanges,values(Correlation_ID) AS Correlation_IDs by _time,src_user,adminuser,msad_action,group_obj_lkp,member_obj_lkp,MSADGroupType,MSADGroupClass,MSADGroupClassID,signature\ | lookup $group_lookup$ lookup_grp AS group_obj_lkp OUTPUT cn AS group_obj_cn, orig_cn AS group_obj_o_cn,MSADGroupClass AS MSADGroupClass_u, MSADGroupType AS MSADGroupType_u\ | eval group_obj_nm=if(isnull(group_obj_o_cn) OR group_obj_o_cn="",if(isnull(group_obj_cn) OR group_obj_cn="",if(isnull(group_obj_lkp),"NA",group_obj_lkp),lower(group_obj_cn)),lower(group_obj_o_cn))\ | eval MSADGroupClass=if(isnull(MSADGroupClass) OR MSADGroupClass="N/A",if(isnull(MSADGroupClass_u),"NA",MSADGroupClass_u),MSADGroupClass)\ | eval MSADGroupType=if(isnull(MSADGroupType) OR MSADGroupType="N/A",if(isnull(MSADGroupType_u),"NA",MSADGroupType_u),MSADGroupType)\ | eval MSADChanges=mvjoin(MSADChanges, "########")\ | eval MSADChanges=case(isnull(signature) AND isnull(MSADChanges),"Unknown Changes",isnull(signature),MSADChanges,isnotnull(MSADChanges),"Signature: ".signature."########".MSADChanges)\ | makemv delim="########" MSADChanges\ | lookup $group_lookup$ lookup_grp AS member_obj_lkp OUTPUT cn AS g_cn, dn AS g_dn,sAMAccountName AS g_sam,domain AS g_dom\ | eval member_obj_cn=if(isnull(g_cn),member_obj_lkp,g_cn)\ | eval member_obj_dn=if(isnull(g_dn),member_obj_lkp,g_dn)\ | eval member=if(isnull(g_sam),member_obj_lkp,g_dom."\\".g_sam)\ | eval Member_Type="Group"\ | table 
_time,src_user,adminuser,group_obj_lkp,group_obj_nm,msad_action,MSADGroupType,MSADGroupClass,Member_Type,member_obj_lkp,member,member_obj_cn,member_obj_dn,MSADChanges,Correlation_IDs ## Group Membership Changes - Output Part - Basic(Computer Only - ie _c_) Changes Output ## [ms_obj_md_group_m_c_change_out(2)] args = group_lookup,computer_lookup definition = fields _time, _raw, src_user, src_nt_domain, dest_nt_domain, msad_action, signature,DN,New_DN,Old_DN,group_obj_lkp,member_obj_domain,member_obj_id,member_obj_lkp,MSADGroupClass,MSADGroupClassID,MSADGroupType,MSADChanges,MSADChangedAttributes,AttributeLDAPDisplayName,AttributeValue,dir_svcs_action,Correlation_ID,change_signature\ | eval msad_action=if(isnull(msad_action),if(isnull(dir_svcs_action),"NA",dir_svcs_action),if(isnull(dir_svcs_action) OR dir_svcs_action=="Unknown",msad_action,msad_action." (".dir_svcs_action.")"))\ | eval member_obj_lkp=if(isnull(member_obj_lkp),member_obj_id,member_obj_lkp)\ | eval signature=if(isnull(change_signature),signature,change_signature)\ | eval adminuser=if(isnull(src_nt_domain),src_user,upper(src_nt_domain)."\\".src_user)\ | fillnull value="N/A" Correlation_ID,MSADGroupType,MSADGroupClass,MSADGroupClassID\ | `ms_obj_msad-changed-attributes`\ | stats list(MSADChanges) AS MSADChanges,values(Correlation_ID) AS Correlation_IDs by _time,src_user,adminuser,msad_action,group_obj_lkp,member_obj_lkp,MSADGroupType,MSADGroupClass,MSADGroupClassID,signature\ | lookup $group_lookup$ lookup_grp AS group_obj_lkp OUTPUT cn AS group_obj_cn, orig_cn AS group_obj_o_cn,MSADGroupClass AS MSADGroupClass_u, MSADGroupType AS MSADGroupType_u\ | eval group_obj_nm=if(isnull(group_obj_o_cn) OR group_obj_o_cn="",if(isnull(group_obj_cn) OR group_obj_cn="",if(isnull(group_obj_lkp),"NA",group_obj_lkp),lower(group_obj_cn)),lower(group_obj_o_cn))\ | eval MSADGroupClass=if(isnull(MSADGroupClass) OR MSADGroupClass="N/A",if(isnull(MSADGroupClass_u),"NA",MSADGroupClass_u),MSADGroupClass)\ | eval 
MSADGroupType=if(isnull(MSADGroupType) OR MSADGroupType="N/A",if(isnull(MSADGroupType_u),"NA",MSADGroupType_u),MSADGroupType)\ | eval MSADChanges=mvjoin(MSADChanges, "########")\ | eval MSADChanges=case(isnull(signature) AND isnull(MSADChanges),"Unknown Changes",isnull(signature),MSADChanges,isnotnull(MSADChanges),"Signature: ".signature."########".MSADChanges)\ | makemv delim="########" MSADChanges\ | lookup $computer_lookup$ lookup_cmp AS member_obj_lkp OUTPUT cn AS c_cn, dn AS c_dn,sAMAccountName AS c_sam,domain AS c_dom\ | eval member_obj_cn=if(isnull(c_cn),member_obj_lkp,c_cn)\ | eval member_obj_dn=if(isnull(c_dn),member_obj_lkp,c_dn)\ | eval member=if(isnull(c_sam),member_obj_lkp,c_dom."\\".c_sam)\ | eval Member_Type="User"\ | table _time,src_user,adminuser,group_obj_lkp,group_obj_nm,msad_action,MSADGroupType,MSADGroupClass,Member_Type,member_obj_lkp,member,member_obj_cn,member_obj_dn,MSADChanges,Correlation_IDs [ms_obj_md_groupmembership_change_out(3)] args = group_lookup,user_lookup,computer_lookup definition = fields _time, _raw, src_user, src_nt_domain, dest_nt_domain, msad_action, signature,DN,New_DN,Old_DN,group_obj_lkp,member_obj_domain,member_obj_id,member_obj_lkp,MSADGroupClass,MSADGroupClassID,MSADGroupType,MSADChanges,MSADChangedAttributes,AttributeLDAPDisplayName,AttributeValue,dir_svcs_action\ | eval msad_action=if(isnull(msad_action),if(isnull(dir_svcs_action),"NA",dir_svcs_action),if(isnull(dir_svcs_action) OR dir_svcs_action=="Unknown",msad_action,msad_action." 
(".dir_svcs_action.")"))\ | eval member=if(isnull(member_obj_domain),member_obj_id,member_obj_domain."\\".member_obj_id) \ | eval member=if(isnull(member),if(isnull(member_obj_dn),"NA",member_obj_dn),member) \ | eval adminuser=if(isnull(src_nt_domain),src_user,upper(src_nt_domain)."\\".src_user)\ | lookup AD_Audit_Group_Type MSADGroupClassID OUTPUT MSADGroupClass\ | lookup $group_lookup$ lookup_grp AS group_obj_lkp OUTPUT cn AS group_obj_cn, orig_cn AS group_obj_o_cn,MSADGroupClass AS MSADGroupClass_u, MSADGroupType AS MSADGroupType_u\ | eval group_obj_nm=if(isnull(group_obj_o_cn) OR group_obj_o_cn="",if(isnull(group_obj_cn) OR group_obj_cn="",if(isnull(group_obj_lkp),"NA",group_obj_lkp),lower(group_obj_cn)),lower(group_obj_o_cn))\ | eval MSADGroupClass=if(isnull(MSADGroupClass),if(isnull(MSADGroupClass_u),"NA",MSADGroupClass_u),MSADGroupClass)\ | eval MSADGroupType=if(isnull(MSADGroupType),if(isnull(MSADGroupType_u),"NA",MSADGroupType_u),MSADGroupType)\ | fillnull value="N/A" Correlation_ID,member_obj_lkp\ | `ms_obj_msad-changed-attributes`\ | stats list(MSADChanges) AS MSADChanges,values(Correlation_ID) AS Correlation_IDs by _time,src_user,adminuser,msad_action,group_obj_nm,member,MSADGroupType,MSADGroupClass,member_obj_lkp,signature\ | eval MSADChanges=mvjoin(MSADChanges, "########")\ | eval MSADChanges=case(isnull(signature) AND isnull(MSADChanges),"Unknown Changes",isnull(signature),MSADChanges,isnotnull(MSADChanges),"Signature: ".signature."########".MSADChanges)\ | makemv delim="########" MSADChanges\ | lookup $user_lookup$ lookup_usr AS member_obj_lkp OUTPUT cn AS u_cn, dn AS u_dn \ | lookup $group_lookup$ lookup_grp AS member_obj_lkp OUTPUT cn AS g_cn, dn AS g_dn \ | lookup $computer_lookup$ lookup_cmp AS member_obj_lkp OUTPUT cn AS c_cn, dn AS c_dn \ | eval member_obj_dn=if(isnull(u_dn),if(isnull(g_dn),if(isnull(c_dn),member_obj_dn,c_dn),g_dn),u_dn) \ | eval Member_Type=if(isnull(u_cn),if(isnull(g_cn),"Computer","Group"),"User") \ | table 
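_time,src_user,adminuser,group_obj_nm,msad_action,MSADGroupType,MSADGroupClass,Member_Type,member_obj_lkp,member,MSADChanges
iseval = 0

## Group membership change events (member added/removed) for ONE group in ONE domain.
## Args: domain       - NT domain of the change (matched against src_nt_domain OR dest_nt_domain)
##       group        - DN, sAMAccountName or CN of the group (matched against several event fields)
##       group_lookup - AD group object lookup used to resolve the group name, type and class
## NOTE: macro arguments are substituted verbatim into the SPL; drive them from trusted dashboard
##       tokens / lookups rather than free text, or a crafted value can alter the search.
## FIX: dest_nt_domain was missing from the `fields` list, so the dest_nt_domain="$domain$" half of
##      the domain filter could never match; the adminuser eval was also missing its closing ")".
[ms_obj_md_groupmembership_change_events(3)]
args = domain,group,group_lookup
definition = `ms_obj_changes_base_cat("Group Membership")` "$group$"\
| fields _time,_raw,member_obj_dn,member_obj_id,member_obj_domain,member_obj_class,src_user,src_nt_domain,dest_nt_domain,group_obj_id,group_obj_dn,group_obj_nm,user_group,group_id,Group_Name,msad_action,MSADGroupClassID,MSADGroupType,MSADGroupClass,signature,Correlation_ID,MSADChangedAttributes,AttributeLDAPDisplayName,AttributeValue,DN,dir_svcs_action,Old_DN,New_DN\
| eval msad_action=if(isnull(msad_action),if(isnull(dir_svcs_action),"NA",dir_svcs_action),if(isnull(dir_svcs_action) OR dir_svcs_action=="Unknown",msad_action,msad_action." (".dir_svcs_action.")"))\
| search (group_obj_dn="$group$" OR user_group="$group$" OR group_id="$group$" OR Group_Name="$group$") (src_nt_domain="$domain$" OR dest_nt_domain="$domain$") \
| eval adminuser=if(isnull(src_nt_domain),lower(src_user),lower(src_nt_domain)."\\".lower(src_user))\
| eval group_obj_dn=if(isnull(group_obj_dn),if(isnull(user_group),if(isnull(group_id),"",lower(group_id)),lower(user_group)),lower(group_obj_dn))\
| eval group_obj_cn=if(isnull(Group_Name),"",lower(Group_Name))\
| eval member=if(isnull(member_obj_domain),replace(member_obj_id,"\x5C{1}",""),member_obj_domain."\\".lower(replace(member_obj_id,"\x5C{1}","")))\
| eval member=if(isnull(member),if(isnull(member_obj_dn),"NA",lower(member_obj_dn)),member)\
| lookup $group_lookup$ dn AS group_obj_dn OUTPUT cn AS group_obj_nm,MSADGroupType,MSADGroupClass\
| lookup $group_lookup$ cn AS group_obj_cn OUTPUT cn AS c_group_obj_nm,MSADGroupType AS c_MSADGroupType,MSADGroupClass AS c_MSADGroupClass\
| eval group_obj_nm=if(isnull(group_obj_nm),if(isnull(c_group_obj_nm),if(isnull(group_obj_id),if(isnull(user_group),lower(group_obj_dn),lower(user_group)),lower(group_obj_id)),lower(c_group_obj_nm)),lower(group_obj_nm)),MSADGroupType = if(isnull(MSADGroupType),c_MSADGroupType,MSADGroupType),MSADGroupClass=if(isnull(MSADGroupClass),c_MSADGroupClass,MSADGroupClass)\
| `ms_obj_msad-changed-attributes`\
| stats list(MSADChanges) AS MSADChanges,values(Correlation_ID) AS Correlation_IDs by _time,src_user,adminuser,msad_action,group_obj_nm,MSADGroupType,MSADGroupClass,member,signature\
| eval MSADChanges=mvjoin(MSADChanges, "########")\
| eval MSADChanges=case(isnull(signature) AND isnull(MSADChanges),"Unknown Changes",isnull(signature),MSADChanges,isnotnull(MSADChanges),"Signature: ".signature."########".MSADChanges)\
| makemv delim="########" MSADChanges\
| table _time,src_user,adminuser,msad_action,group_obj_nm,MSADGroupType,MSADGroupClass,member,MSADChanges
iseval = 0

## Non-membership changes to ONE group (attribute edits, moves, deletes). Changes to the "member"
## attribute are excluded here and reported by ms_obj_md_groupmembership_change_events instead.
## Args: domain, group, group_lookup - as for ms_obj_md_groupmembership_change_events.
[ms_obj_md_group_change_events(3)]
args = domain,group,group_lookup
definition = `ms_obj_changes_base_cat("Group")` "$group$"\
| fields _time,_raw,member_obj_dn,member_obj_id,member_obj_domain,member_obj_class,src_user,src_nt_domain,dest_nt_domain,group_obj_id,group_obj_dn,group_obj_nm,user_group,Group_Name,group_id,msad_action,MSADGroupClassID,MSADGroupType,MSADGroupClass,signature,change_signature,Correlation_ID,MSADChangedAttributes,AttributeLDAPDisplayName,AttributeValue,DN,dir_svcs_action,Old_DN,New_DN \
| eval msad_action=if(isnull(msad_action),if(isnull(dir_svcs_action),"NA",dir_svcs_action),if(isnull(dir_svcs_action) OR dir_svcs_action=="Unknown",msad_action,msad_action." 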
(".dir_svcs_action.")"))\ | search (group_obj_dn="$group$" OR user_group="$group$" OR group_id="$group$" OR Group_Name="$group$") (src_nt_domain="$domain$" OR dest_nt_domain="$domain$") NOT AttributeLDAPDisplayName="member"\ | eval group_obj_dn=if(isnull(group_obj_dn),if(isnull(user_group),if(isnull(group_id),"",lower(group_id)),lower(user_group)),lower(group_obj_dn))\ | eval group_obj_cn=if(isnull(Group_Name),"",lower(Group_Name))\ | eval adminuser=if(isnull(src_nt_domain),lower(src_user),lower(src_nt_domain)."\\".lower(src_user)) \ | eval signature=if(isnull(change_signature),signature,change_signature)\ | eval member=if(isnull(member_obj_domain),replace(member_obj_id,"\x5C{1}",""),member_obj_domain."\\".lower(replace(member_obj_id,"\x5C{1}",""))) \ | eval member=if(isnull(member),"NA",member) \ | lookup AD_Audit_Group_Type MSADGroupClassID OUTPUT MSADGroupClass \ | eval objectGUID=lower(objectGUID)\ | lookup $group_lookup$ dn AS group_obj_dn OUTPUT cn AS group_obj_nm,MSADGroupType,MSADGroupClass\ | lookup $group_lookup$ cn AS group_obj_cn OUTPUT cn AS c_group_obj_nm,MSADGroupType AS c_MSADGroupType,MSADGroupClass AS c_MSADGroupClass\ | eval group_obj_nm=if(isnull(group_obj_nm),c_group_obj_nm,group_obj_nm),MSADGroupType = if(isnull(MSADGroupType),c_MSADGroupType,MSADGroupType),MSADGroupClass=if(isnull(MSADGroupClass),c_MSADGroupClass,MSADGroupClass)\ | eval dir_svcs_action=if(isnull(dir_svcs_action) OR dir_svcs_action="Unknown","","Action: ".dir_svcs_action."########") \ | eval MSADChangedAttributes=mvfilter(NOT match(MSADChangedAttributes, ":(\s*\-\s*|)$")) \ | fillnull value="" signature,Correlation_IDs \ | eval MSADChanges=if(isnull(MSADChangedAttributes),if(isnull(AttributeLDAPDisplayName),if(msad_action="moved","Moved:########--From: ".Old_DN."########--To: ".New_DN,dir_svcs_action.""),if(isnull(AttributeValue) OR AttributeValue="-" OR AttributeValue="",NULL,dir_svcs_action."-- ".AttributeLDAPDisplayName.": 
".AttributeValue)),dir_svcs_action."".MSADChangedAttributes) \ | stats list(MSADChanges) AS MSADChanges,values(Correlation_ID) AS Correlation_IDs by _time,src_user,adminuser,msad_action,group_obj_nm,MSADGroupType,MSADGroupClass,member,signature \ | eval MSADChanges=mvjoin(MSADChanges, "########") \ | eval MSADChanges=case(isnull(signature) AND isnull(MSADChanges),"Unknown Changes",isnull(signature),MSADChanges,isnotnull(MSADChanges),"Signature: ".signature."########".MSADChanges) \ | makemv delim="########" MSADChanges \ | table _time,src_user,adminuser,msad_action,group_obj_nm,MSADGroupType,MSADGroupClass,member,MSADChanges iseval = 0 [ms_obj_md_group_members_list_all(3)] args = domain,group,group_lookup definition = inputlookup $group_lookup$ WHERE cn="$group$" AND domain="$domain$"\ | eval group_members="####".mvjoin(member,"####")\ | rex mode=sed field=group_members "s/####/####(Direct)/g"\ | makemv delim="####" member \ | mvexpand member\ | eval emb_group=member\ | fields cn, description, emb_group, emb_group_name, group_members_emb,member,group_members\ | join type=left emb_group [| inputlookup $group_lookup$| eval emb_group=distinguishedName | eval emb_group_name=cn | makemv delim="|" member | mvexpand member | eval group_members_emb="####(Embedded Group -".emb_group_name.")".member | stats values(group_members_emb) AS group_members_emb by emb_group, emb_group_name | mvcombine group_members_emb | table emb_group,emb_group_name,group_members_emb]\ | table cn, description,member,emb_group,emb_group_name,group_members,group_members_emb\ | eval group_members_comb=if(isnull(group_members_emb),group_members,group_members."".group_members_emb)\ | table cn, description, group_members,group_members_emb,group_members_comb\ | makemv delim="####" group_members_comb\ | mvexpand group_members_comb\ | table cn, description, group_members_comb\ | rex field=group_members_comb "\((?Direct|Embedded Group)"\ | rex field=group_members_comb "\(Embedded Group\s\-(?[^\)]+)"\ | rex 
field=group_members_comb "\)(?.*)"\ | rex field=member_dn "^CN\=(?[^\,]+)\,(OU|DC|CN)"\ | eval member_emb_assoc_group=case(member_assoc_type="Embedded Group",member_assoc_type."( ".embedded_group." )")\ | eval member_dn=trim(member_dn)\ | table cn, description, member_assoc_type,embedded_group,member_dn,member_name,member_emb_assoc_group iseval = 0 [ms_obj_md_member_groupmembership_change_events(4)] args = domain,member,group_lookup,user_lookup definition = `ms_obj_changes_base_cat("Group Membership")` (src_nt_domain="$domain$" OR dest_nt_domain="$domain$") [|inputlookup $user_lookup$ WHERE lookup_usr="$member$" | fields lookup_usr | stats values(lookup_usr) AS member_obj_lkp | format]\ | fields _raw,_time,member_obj_domain, member_obj_sam,member_obj_lkp,member_obj_dn,member_obj_cn,src_user, group_obj_id,src_nt_domain,MSADGroupClassID,msad_action,signature,group_obj_dn\ | eval member_obj_dn=lower(replace(member_obj_dn,"\x5C{1}",""))\ | eval adminuser=if(isnull(src_nt_domain),lower(src_user),lower(src_nt_domain)."\\".lower(src_user))\ | eval member=if(isnull(member_obj_domain),if(isnull(member_obj_sam),lower(member_obj_lkp),lower(member_obj_sam)),if(isnull(member_obj_sam),member_obj_domain."\\".lower(member_obj_lkp),member_obj_domain."\\".lower(member_obj_sam)))\ | lookup $group_lookup$ cn AS group_obj_id OUTPUT MSADGroupType,MSADGroupClass,dn AS group_obj_dn\ | eval group_obj_dn=lower(group_obj_dn)\ | join type=left group_obj_dn [|inputlookup $group_lookup$ | search NOT dn_hist="" |eval group_obj_dn=lower(dn_hist)| rename cn AS group_obj_nm| table group_obj_dn, group_obj_nm, MSADGroupClass, MSADGroupType,orig_cn]\ | eval group_obj_nm=if(isnull(group_obj_nm),if(isnull(group_obj_id),if(isnull(user_group),group_obj_dn,user_group),group_obj_id),group_obj_nm)\ | `ms_obj_msad-changed-attributes`\ | fillnull value="N/A" \ | stats values(MSADChanges) AS MSADChanges by _time,group_obj_nm,msad_action,src_user,adminuser,member, member_obj_dn, 
signature,MSADGroupClass,MSADGroupType\ | table _time,src_user,adminuser,msad_action,member,member_obj_dn,group_obj_nm,MSADGroupClass,MSADGroupType,MSADChanges\ | rename group_obj_nm as "Group Name",MSADGroupClass as "Class",msad_action AS "Action",member AS "Target Member",member_obj_dn AS "Target MemberDN",MSADGroupType as "Type",adminuser as "Admin User" iseval = 0 [ms_obj_md_user_action_events(4)] args = domain,user,action,user_lookup definition = `ms_obj_changes_base_cat("User")` ([| inputlookup $user_lookup$ WHERE lookup_usr="$user$" | fields lookup_usr | stats values(lookup_usr) AS search | eval search="\"".mvjoin(search,"\" OR \"")."\""]) (src_nt_domain="$domain$" OR dest_nt_domain="$domain$") ($action$)\ | `ms_obj_user_change_out`\ | rename adminuser as "Administrator",msad_action as "Action",dest_user_subject as "Target User ID",MSADChanges as "Changes" iseval = 0 [ms_obj_md_user_change_events(4)] args = domain,user,action,user_lookup definition = `ms_obj_win_events_security` \ [| inputlookup AD_Audit_Change_EventCodes WHERE change_category="User" \ | stats values(EventCode) AS EventCode by obj_type \ | format \ | table search] src_user_type="user" [|inputlookup $user_lookup$ WHERE sAMAccountName="$user$" | fields cn,sAMAccountName,userPrincipalName,distinguishedName | eval search="\"".cn."\" OR \"".sAMAccountName."\" OR \"".userPrincipalName."\" OR \"".distinguishedName."\"" | table search]\ | eval user_obj_dn=lower(user_obj_dn)\ | lookup $user_lookup$ distinguishedName AS user_obj_dn OUTPUTNEW cn AS user_cn sAMAccountName AS user\ | eval adminuser=if(isnull(src_nt_domain),lower(src_user),lower(src_nt_domain)."\\".lower(src_user))\ | eval signature=if(isnull(change_signature),signature,change_signature)\ | eval user=if(isnull(user),user_obj_dn,lower(user))\ | search (user="$user$" OR New_Account_Name="$user$" OR Old_Account_Name="$user$") (src_nt_domain="$domain$" OR dest_nt_domain="$domain$") msad_action=$action$\ | eval 
dest_user_subject=if(isnull(dest_nt_domain) OR match(user,"(?si)cn\="),user,upper(dest_nt_domain)."\\".user)\ | `ms_obj_msad-changed-attributes`\ | fillnull value="" adminuser,msad_action,dest_user_subject,Correlation_ID,signature,MSADChanges\ | stats list(MSADChanges) AS MSADChanges,values(Correlation_ID) AS Correlation_IDs by _time,src_user,adminuser,msad_action,dest_user_subject,signature,src_user\ | eval MSADChanges=mvjoin(MSADChanges, "########")\ | eval MSADChanges=case(isnull(signature) AND isnull(MSADChanges),"Unknown Changes",isnull(signature),MSADChanges,isnotnull(MSADChanges),"Signature: ".signature."########".MSADChanges)\ | makemv delim="########" MSADChanges\ | table _time,src_user,adminuser,msad_action,dest_user_subject,MSADChanges,src_user iseval = 0 [ms_obj_md_user_change_summary(4)] args = domain,user,action,user_lookup definition = `ms_obj_changes_base_cat("User")` [|inputlookup $user_lookup$ WHERE sAMAccountName="$user$" | fields cn,sAMAccountName,userPrincipalName,distinguishedName | eval search="\"".cn."\" OR \"".sAMAccountName."\" OR \"".userPrincipalName."\" OR \"".distinguishedName."\"" | table search]\ | eval user_lkp=if(isnull(user_obj_lkp),if(isnull(member_obj_lkp),NULL,lower(member_obj_lkp)),lower(user_obj_lkp))\ | lookup $user_lookup$ lookup_usr AS user_lkp OUTPUTNEW cn AS user_cn sAMAccountName AS user\ | eval adminuser=if(isnull(src_nt_domain),lower(src_user),lower(src_nt_domain)."\\".lower(src_user))\ | eval signature=if(isnull(change_signature),signature,change_signature)\ | eval user=if(isnull(user),user_obj_lkp,lower(user))\ | search (user="$user$" OR New_Account_Name="$user$" OR Old_Account_Name="$user$") (src_nt_domain="$domain$" OR dest_nt_domain="$domain$") msad_action=$action$\ | eval dest_user_subject=if(isnull(dest_nt_domain) OR match(user,"(?si)cn\="),user,upper(dest_nt_domain)."\\".user)\ | `ms_obj_msad-changed-attributes`\ | fillnull value="" adminuser,msad_action,dest_user_subject,Correlation_ID,signature,MSADChanges\ 
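| stats list(MSADChanges) AS MSADChanges,values(Correlation_ID) AS Correlation_IDs by _time,src_user,adminuser,msad_action,dest_user_subject,signature,src_user\
| eval MSADChanges=mvjoin(MSADChanges, "########")\
| eval MSADChanges=case(isnull(signature) AND isnull(MSADChanges),"Unknown Changes",isnull(signature),MSADChanges,isnotnull(MSADChanges),"Signature: ".signature."########".MSADChanges)\
| makemv delim="########" MSADChanges\
| table _time,src_user,adminuser,msad_action,dest_user_subject,MSADChanges,src_user
iseval = 0

## Flattened list of the user / computer accounts in a group: its direct members plus the members
## of directly nested groups. Only ONE level of nesting is expanded (a single join), so members of
## a group nested two levels deep are NOT listed - for privileged-group audits (Domain Admins etc.)
## recurse or review the nested groups separately. Nested group DNs themselves are filtered out.
## Args: domain, group (cn of the group), user_lookup, group_lookup, computer_lookup (AD object lookups)
## FIX: direct members were dropped (group_members was referenced but never populated), and the
##      user/computer join subsearches removed sAMAccountName with `fields` before reading it, so
##      user_account was always empty. Rows that resolve to no account are now dropped.
[ms_obj_md_group_members_user_accounts(5)]
args = domain,group,user_lookup,group_lookup,computer_lookup
definition = inputlookup $group_lookup$ WHERE cn="$group$" AND domain="$domain$"\
| fields member\
| mvexpand member\
| eval emb_group=member\
| eval group_members="####".member\
| fields emb_group, group_members\
| join type=left emb_group [| inputlookup $group_lookup$ | fields distinguishedName,member| eval emb_group=distinguishedName | eval group_members_emb="####".mvjoin(member,"####") | table emb_group,group_members_emb]\
| eval group_members_comb=if(isnull(group_members_emb),group_members,group_members."".group_members_emb)\
| makemv delim="####" group_members_comb\
| mvexpand group_members_comb\
| eval member_dn=trim(group_members_comb)\
| table member_dn \
| join type=left member_dn [| inputlookup $group_lookup$ | fields distinguishedName | eval member_dn=distinguishedName | eval group_account="True" | table member_dn, group_account] \
| join type=left member_dn [| inputlookup $user_lookup$ | fields distinguishedName,sAMAccountName | eval member_dn=distinguishedName | eval user_account=sAMAccountName | table member_dn, user_account] \
| join type=left member_dn [| inputlookup $computer_lookup$ | fields distinguishedName,sAMAccountName | eval member_dn=distinguishedName | eval user_account=sAMAccountName | table member_dn, user_account] \
| search NOT group_account="True" \
| where isnotnull(user_account)\
| table user_account\
| dedup user_account
iseval = 0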
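###-------------------------------------------------------------------------------###
#--- Macros used for retrieving values from lookups ---#
#--- MULTI-DOMAIN - KV Split ---#
###-------------------------------------------------------------------------------###
## Full group membership of one object: the groups whose member attribute lists tok_member_dn,
## plus the object's primary group (resolved separately via primaryGroupID -> primaryGroupToken,
## because primary-group membership is not recorded in the group's member attribute).
## Appends to a search whose rows carry dn and primaryGroupID (note the leading `join`, so use it
## after a pipe); adds mv fields memberOf (group DNs), Group_cn and Group_Name.
## Args: group_lookup - AD group object lookup; tok_member_dn - DN of the object.
## FIX: the primary-group lookup referenced AD_Obj_Group_$tgt_kv_suffix$, but tgt_kv_suffix is not
##      a declared argument, so the name was never substituted and the lookup could not resolve;
##      it now uses $group_lookup$ like the _attr variant below.
[ms_obj_md_get_full_group_membership(2)]
args = group_lookup,tok_member_dn
definition = join type=left dn [| inputlookup $group_lookup$ where member="$tok_member_dn$"\
| fields + cn, displayName, dn, member\
| rename dn as memberOf, cn as Group_cn, displayName as Group_Name\
| rename member as dn\
| stats values(memberOf) AS memberOf,values(Group_cn) AS Group_cn,values(Group_Name) AS Group_Name by dn\
| table dn, Group_cn, Group_Name, memberOf]\
| lookup $group_lookup$ primaryGroupToken AS primaryGroupID OUTPUT dn AS primaryGroupdn,cn AS primaryGroupcn,displayName AS primaryGroupName\
| eval memberOf=mvappend(memberOf,primaryGroupdn), Group_Name=mvappend(Group_Name,primaryGroupName),Group_cn=mvappend(Group_cn,primaryGroupcn)
iseval = 0

## Retained for backward compatibility: identical to ms_obj_md_get_full_group_membership (same fix applied).
[ms_obj_md_get_full_group_membership_prev(2)]
args = group_lookup,tok_member_dn
definition = join type=left dn [| inputlookup $group_lookup$ where member="$tok_member_dn$"\
| fields + cn, displayName, dn, member\
| rename dn as memberOf, cn as Group_cn, displayName as Group_Name\
| rename member as dn\
| stats values(memberOf) AS memberOf,values(Group_cn) AS Group_cn,values(Group_Name) AS Group_Name by dn\
| table dn, Group_cn, Group_Name, memberOf]\
| lookup $group_lookup$ primaryGroupToken AS primaryGroupID OUTPUT dn AS primaryGroupdn,cn AS primaryGroupcn,displayName AS primaryGroupName\
| eval memberOf=mvappend(memberOf,primaryGroupdn), Group_Name=mvappend(Group_Name,primaryGroupName),Group_cn=mvappend(Group_cn,primaryGroupcn)
iseval = 0

## Full Group Membership - With passed Object Lookup Name, Attribute Value, Member Domain, and Member Attribute Value
## Example - | inputlookup AD_Object_User | 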
`ms_obj_md_get_full_group_membership_attr("sedemo",User,"sedemo",sAMAccountName,"Administrator")` [ms_obj_md_get_full_group_membership_attr(5)] args = group_lookup,tok_obj_lkp,tok_member_domain,tok_member_attr,tok_member_val definition = join type=left dn [| inputlookup $group_lookup$ where [| inputlookup $tok_obj_lkp$ WHERE domain="$tok_member_domain$" AND $tok_member_attr$="$tok_member_val$" | fields dn | rename dn AS member | table member|format]\ | fields dn, displayName,cn,member\ | eval displayName=if(isnull(displayName),cn,displayName)\ | rename dn as memberOf\ | rename member as dn\ | stats values(memberOf) AS memberOf by dn\ | search [| inputlookup $tok_obj_lkp$ WHERE domain="$tok_member_domain$" AND $tok_member_attr$="$tok_member_val$" | fields dn | table dn|format]\ | table dn, memberOf]\ | lookup $group_lookup$ primaryGroupToken AS primaryGroupID OUTPUT dn AS primaryGroupdn\ | eval memberOf=mvappend(memberOf,primaryGroupdn) iseval = 0 ## Full Group Membership - With passed Object Lookup Name, Attribute Value, Member Domain, and Member Attribute Value ## Example - | inputlookup AD_Object_User | `ms_obj_md_get_full_group_membership_attr("sedemo",User,"sedemo",sAMAccountName,"Administrator")` [ms_obj_md_get_full_group_membership_attr_tmp(5)] args = group_lookup,tok_obj_lkp,tok_member_domain,tok_member_attr,tok_member_val definition = join dn type=left[| inputlookup $group_lookup$ WHERE [| inputlookup $tok_obj_lkp$ WHERE domain="$tok_member_domain$" AND $tok_member_attr$="$tok_member_val$" | fields dn | stats values(dn) AS member |format]\ | fields dn, member,displayName,cn\ | eval displayName=if(isnull(displayName),cn,displayName)\ | mvexpand member\ | search [| inputlookup $tok_obj_lkp$ WHERE domain="$tok_member_domain$" AND $tok_member_attr$="$tok_member_val$" | fields dn | stats values(dn) AS member |format]\ | rename dn as memberOf\ | rename member as dn\ | eval memberOf=displayName."|".memberOf\ | stats values(memberOf) AS memberOf by dn\ | eval 
memberOf=mvjoin(memberOf,"####")]\ | lookup $group_lookup$ primaryGroupToken AS primaryGroupID OUTPUT dn AS primarygroupDN,displayName AS primarygroupName\ | eval memberOf=if(isnull(memberOf),primarygroupName."|".primarygroupDN,primarygroupName."|".primarygroupDN."####".memberOf) iseval = 0 ##Macro to receive Group Membership for designated object [ms_obj_md_get_group_membership(2)] args = group_lookup,tok_member_dn definition = inputlookup $group_lookup$ WHERE member="$tok_member_dn$"\ | fields cn,displayName,dn,member\ | rename dn AS memberOf,cn AS Group_cn,displayName AS Group_Name\ | rename member AS dn\ | table dn,Group_cn,Group_Name,memberOf ##Get: INLINE - Specific Lookup Member by AD Group - Macro to receive inline the Group Membership for an object's specified field ## Example - | `ms_obj_md_get_l_group_membership("sedemo","dn")` ## = | lookup AD_Obj_Group member AS dn OUTPUT cn AS Group_cn,dn AS Group_dn [ms_obj_md_get_l_group_membership(2)] args = group_lookup,tok_field_data definition = lookup $group_lookup$ member AS $tok_field_data$ OUTPUT cn AS Group_cn,dn AS Group_dn ##Filter: Specific Lookup Member by AD Group - Macro to filter a lookup (ie. AD_Obj_User, AD_Obj_Group, AD_Obj_Computer) for a specific AD Group ##Note: Add the | before the macro, can't embed in the macro and Can't Be NULL. ## Example - | `ms_obj_md_filter_lkup_group_members("sedemo","AD_Obj_User","TestDomain","CN=Administrators,CN=Builtin,DC=testdomain,DC=local")` [ms_obj_md_filter_lkup_group_members(4)] args = group_lookup,tok_tgt_lkup,tok_tgt_domain,tok_tgt_group_dn definition = inputlookup $tok_tgt_lkup$ WHERE domain="$tok_tgt_domain$" AND [|inputlookup $group_lookup$ WHERE dn="$tok_tgt_group_dn$" | fields member | rename member AS dn | table dn] ##Filter: Specific Lookup Object by OU Path - Macro to filter a lookup (ie. AD_Obj_User, AD_Obj_Group, AD_Obj_Computer, AD_Obj_OU, AD_Obj_GPO) for a specific AD OU Path ##Note: Add the | before the macro, can't embed in the macro. 
## Example - | `ms_obj_md_filter_lkup_dn_path("sedemo","AD_Obj_Computer","TestDomain","OU=vers_test_bed,OU=splunktel-users,DC=testdomain,DC=local")`
## Filter an AD object lookup to one domain and to the objects whose dn_path matches tok_tgt_dn_path.
## NOTE: tok_tgt_dn_path is applied as an unescaped regular expression (match), not as a literal
##       DN prefix - a DN containing regex metacharacters such as "(" , ")" or "+" will mis-match or
##       error; escape them in the caller. As with every macro here, the value is substituted
##       verbatim into the SPL, so feed it from trusted tokens/lookups only.
## NOTE: the first argument (tgt_kv_suffix) is declared but not used in the definition.
[ms_obj_md_filter_lkup_dn_path(4)]
args = tgt_kv_suffix,tok_tgt_lkup,tok_tgt_domain,tok_tgt_dn_path
definition = inputlookup $tok_tgt_lkup$ WHERE domain="$tok_tgt_domain$"\
| where match(dn_path,"$tok_tgt_dn_path$")

##Full OU-User Filter - Model: Specific Lookup Object by OU Path - Macro to filter a lookup (ie. AD_Obj_User, AD_Obj_Group, AD_Obj_Computer, AD_Obj_OU, AD_Obj_GPO) for a specific AD OU Path
##Note: Add the | before the macro, can't embed in the macro.
## Example - STANDARD INDEXED - sourcetype=WinEventLog `ms_obj_filter_user_by_dn_path("sedemo","","*","OU=vers_test_bed,OU=splunktel-users,DC=testdomain,DC=local","search","|format")`
## EXAMPLE - DATA MODEL:
## | tstats summariesonly=true allow_old_summaries=true count from datamodel=Authentication.Authentication where Authentication.action=* Authentication.user=* (Authentication.src=* OR Authentication.dest=*) by _time,Authentication.src,Authentication.dest,Authentication.user,Authentication.action
## | rename "Authentication.*" as "*"
## | `ms_obj_md_filter_user_by_dn_path("sedemo","join user","*","OU=vers_test_bed,OU=splunktel-users,DC=testdomain,DC=local","user","|table user")`
## NOTE: the examples above call a 6-argument ms_obj[_md]_filter_user_by_dn_path macro, while the
##       stanza below is ms_obj_md_filter_dn_path_fields(7) - verify the example against the actual
##       macro signature before copying it.
## Subsearch yielding the users of tok_tgt_domain whose dn_path matches the regex tok_filt_ou, with
## tok_src_field copied into tok_link_field and tok_part_post appended (e.g. "|format" or "|table user").
## NOTE: tok_lookup is declared but not used in the definition; tok_filt_ou is an unescaped regex
##       (same caveat as above).
[ms_obj_md_filter_dn_path_fields(7)]
args = user_lookup,tok_lookup,tok_tgt_domain,tok_filt_ou,tok_link_field,tok_src_field,tok_part_post
definition = [| inputlookup $user_lookup$ WHERE domain="$tok_tgt_domain$"\
| fields sAMAccountName,domain,cn,userPrincipalName,dn_path\
| WHERE match(dn_path, "$tok_filt_ou$")\
| eval $tok_link_field$=$tok_src_field$\
$tok_part_post$]
iseval = 0

##Filter: Subsearch - Member by AD Group - Macro to filter a lookup (ie. 
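## AD_Obj_User, AD_Obj_Group, AD_Obj_Computer) for a specific AD Group
## Subsearch returning the member DNs (as dn) of the group tok_tgt_group_dn in tok_tgt_domain.
[ms_obj_md_filter_sub_group_members(3)]
args = group_lookup,tok_tgt_domain,tok_tgt_group_dn
definition = [| inputlookup $group_lookup$ WHERE domain="$tok_tgt_domain$" AND dn="$tok_tgt_group_dn$" | fields member | rename member AS dn | table dn]

## - Filter - Admin Audit
## - By Group Membership
## (commented out - retained for reference only)
##[ms_obj_md_filter_admin_field_group(5)]
##args = group_lookup,tok_domain,tok_user_field,tok_admin_group,tok_format_option
##definition = [| inputlookup AD_Obj_Admin_Audit WHERE admin_domain="$tok_domain$" \
##| fields admin_user, admin_cn,admin_dn,admin_userPrincipalName\
##| lookup $group_lookup$ member AS admin_dn OUTPUT dn AS memberOf\
##| WHERE match(memberOf,"$tok_admin_group$")\
##| eval $tok_user_field$=admin_user\
##| eval $tok_user_field$=mvappend($tok_user_field$,admin_userPrincipalName,admin_cn,admin_dn)\
##| stats count by $tok_user_field$\
##| fields $tok_user_field$\
##| $tok_format_option$]
##iseval = 0

###-----------------------------------------------------###
#--- Macros used for Security Reports for each Object ---#
#--- MULTI-DOMAIN - KV Split ---#
###-----------------------------------------------------###
## Computer Search Macros that point to AD_Obj_Computer Lookup:

## Computer accounts created in the domain within the search window (change events), enriched with
## cn / dNSHostName / OS from the computer lookup.
## Args: computer_lookup - AD computer object lookup; domain - NT domain (dest_nt_domain of the event)
## FIX: $user$ is not a declared argument (the event field is `user`), and the join subsearch
##      dropped sAMAccountName (the join key) and cn before joining, so the default inner join
##      returned no rows. Now a left join keyed on the event's user field, so a brand-new computer
##      that is not yet in the lookup is still reported (with empty enrichment columns).
## NOTE: join is an exact match - confirm the lookup's sAMAccountName casing matches the event's
##       user field (other reports here lower-case the event side before joining).
[ms_obj_md_secrpt-new-computers_raw(2)]
args = computer_lookup,domain
definition = `ms_obj_changes_base_cat_act("Computer","created")` dest_nt_domain="$domain$"\
| table _time,src_user,src_nt_domain,dest_nt_domain,user\
| eval adminuser=if(isnull(src_nt_domain),src_user,src_nt_domain."\\".src_user)\
| eval sAMAccountName=user \
| join type=left sAMAccountName [| inputlookup $computer_lookup$ WHERE domain="$domain$" | table sAMAccountName,cn,dNSHostName,operatingSystem,operatingSystemServicePack]\
| table _time,cn,dNSHostName,sAMAccountName,operatingSystem,operatingSystemServicePack,adminuser
iseval = 0

## All computer accounts in the domain, with decoded userAccountControl flags (uac_details) and the
## deletion date when isDeleted is TRUE.
[ms_obj_md_secrpt-all-computers(2)]
args = computer_lookup,domain
definition = inputlookup $computer_lookup$ WHERE domain="$domain$"\
| fields 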
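sAMAccountName,cn,dNSHostName,whenChanged,whenCreated,isDeleted,deletedDate,userAccountControl,operatingSystem,operatingSystemServicePack\
| eval whenDeleted=if(isDeleted=="TRUE",strftime(deletedDate, "%m/%d/%Y %a, %I:%M %P"),"")\
| `ms_obj_uac_get_details_lkup`\
| makemv delim=":" uac_details\
| sort cn\
| table cn,dNSHostName,sAMAccountName,uac_details,operatingSystem,operatingSystemServicePack,whenChanged,whenCreated,whenDeleted
iseval = 0

## Domain controllers in the domain (Tier-0 assets - reconcile this list against the known DC inventory;
## an unexpected entry is worth an investigation).
## Matched by primaryGroupID - 516 = Domain Controllers, 521 = Read-only Domain Controllers - or by an
## "OU=Domain Controllers" component in the DN.
## FIX: RODCs (primaryGroupID 521) were only reported if they happened to sit under the default OU.
[ms_obj_md_secrpt-all-domain-controllers(2)]
args = computer_lookup,domain
definition = inputlookup $computer_lookup$ WHERE domain="$domain$"\
| fields sAMAccountName,cn,dNSHostName,whenChanged,whenCreated,userAccountControl,operatingSystem,operatingSystemServicePack,dn,primaryGroupID\
| where (primaryGroupID=516 OR primaryGroupID=521 OR match(dn,"(?si)ou\=domain\scontrollers"))\
| `ms_obj_uac_get_details_lkup`\
| makemv delim=":" uac_details\
| sort sAMAccountName\
| table cn,dNSHostName,sAMAccountName,uac_details,operatingSystem,operatingSystemServicePack,whenChanged,whenCreated
iseval = 0

## Computer accounts whose decoded userAccountControl (uac_details) contains "Disabled".
[ms_obj_md_secrpt-disabled-computers(2)]
args = computer_lookup,domain
definition = inputlookup $computer_lookup$ WHERE domain="$domain$"\
| fields sAMAccountName,cn,dNSHostName,whenChanged,userAccountControl,operatingSystem,operatingSystemServicePack,dn\
| `ms_obj_uac_get_details_lkup`\
| makemv delim=":" uac_details\
| eval uac_filter=mvfilter(match(uac_details, "Disabled"))\
| search uac_filter=*\
| sort sAMAccountName\
| table cn,dNSHostName,sAMAccountName,uac_details,whenChanged,operatingSystem,operatingSystemServicePack,dn
iseval = 0

## Computer accounts in the lookup with no successful computer logon returned by
## ms_ad_obj_qck_succ_comp_logins for the domain (presumably bounded by the search time range -
## confirm before treating "inactive" as "stale"; a short window will over-report).
## FIX: the logon macro was called with a literal 1 instead of the domain (cf. -active-computers),
##      so nothing matched and every computer was reported inactive; dn was also dropped before the
##      join, leaving the dn column empty.
[ms_obj_md_secrpt-inactive-computers(2)]
args = computer_lookup,domain
definition = inputlookup $computer_lookup$ WHERE domain="$domain$"\
| fields sAMAccountName,cn,dNSHostName,userAccountControl,operatingSystem,operatingSystemServicePack,dn\
| table sAMAccountName,cn,dNSHostName,userAccountControl,operatingSystem,operatingSystemServicePack,dn \
| join type=left sAMAccountName [search `ms_ad_obj_qck_succ_comp_logins("$domain$")`|eval sAMAccountName=lower(comp_obj_sam) | table sAMAccountName,lastLogonTime]\
| where isnull(lastLogonTime)\
| `ms_obj_uac_get_details_lkup`\
| makemv delim=":" uac_details\
| table cn,dNSHostName,sAMAccountName,uac_details,operatingSystem,operatingSystemServicePack,userAccountControl,dn
iseval = 0

## Computer accounts whose userAccountControl decodes to Server Trust Account (domain controller)
## or Workstation Trust Account (member workstation/server).
[ms_obj_md_secrpt-trusted-computers(2)]
args = computer_lookup,domain
definition = inputlookup $computer_lookup$ WHERE domain="$domain$" \
| fields sAMAccountName,cn,managedBy,dNSHostName,uac_details,userAccountControl,operatingSystem,operatingSystemServicePack,dn\
| `ms_obj_uac_get_details_lkup`\
| eval uac_filter=mvfilter(match(uac_details, "Server Trust Account|Workstation Trust Account")) \
| search uac_filter=* \
| makemv delim=":" uac_details\
| table cn,dNSHostName,sAMAccountName,uac_details,operatingSystem,operatingSystemServicePack,dn
iseval = 0

## Computer accounts in the domain with no managedBy owner (missing or empty).
## FIX: `AND NOT managedBy="*" OR managedBy=""` parsed as (domain AND NOT managedBy="*") OR managedBy="",
##      so empty-managedBy computers from EVERY domain leaked into a single domain's report.
[ms_obj_md_secrpt-unmanaged-computers(2)]
args = computer_lookup,domain
definition = inputlookup $computer_lookup$ WHERE domain="$domain$" AND (NOT managedBy="*" OR managedBy="")\
| fields sAMAccountName,cn,dNSHostName,uac_details,userAccountControl,operatingSystem,operatingSystemServicePack,dn\
| sort sAMAccountName\
| `ms_obj_uac_get_details_lkup`\
| makemv delim=":" uac_details\
| table cn,dNSHostName,sAMAccountName,uac_details,operatingSystem,operatingSystemServicePack,dn
iseval = 0

## Computer accounts in the domain that have a non-empty managedBy owner.
[ms_obj_md_secrpt-managed-computers(2)]
args = computer_lookup,domain
definition = inputlookup $computer_lookup$ WHERE domain="$domain$" AND managedBy="*" AND NOT managedBy=""\
| fields sAMAccountName,cn,managedBy,dNSHostName,uac_details,userAccountControl,operatingSystem,operatingSystemServicePack\
| sort sAMAccountName\
| `ms_obj_uac_get_details_lkup`\
| makemv delim=":" uac_details\
| table cn,dNSHostName,sAMAccountName,managedBy,uac_details,operatingSystem,operatingSystemServicePack
iseval = 0

## Computer accounts in the domain that have never logged on (logonCount is 0).
[ms_obj_md_secrpt-unused-computers(2)]
args = computer_lookup,domain
definition = inputlookup $computer_lookup$ WHERE (domain="$domain$" AND 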
logonCount="0")\ | fields sAMAccountName,cn,dNSHostName,uac_details,userAccountControl,operatingSystem,operatingSystemServicePack,dn\ | `ms_obj_uac_get_details_lkup`\ | makemv delim=":" uac_details\ | table cn,sAMAccountName,dNSHostName,uac_details,operatingSystem,operatingSystemServicePack,dn iseval = 0 [ms_obj_md_secrpt-active-computers(2)] args = computer_lookup,domain definition = `ms_ad_obj_qck_succ_comp_logins("$domain$")`\ | search comp_obj_sam="*"\ | eval sAMAccountName=lower(comp_obj_sam)\ | fields sAMAccountName,lastLogonTime\ | join sAMAccountName\ [| inputlookup $computer_lookup$\ | `ms_obj_uac_get_details_lkup`\ | makemv delim=":" uac_details\ | table cn,sAMAccountName,dNSHostName,uac_details,operatingSystem,operatingSystemServicePack]\ | eval lastLogonTime=strftime(lastLogonTime,"%c")\ | table cn,dNSHostName,uac_details,operatingSystem,operatingSystemServicePack,lastLogonTime iseval = 0 [ms_obj_md_secrpt-deleted-computers_raw(2)] args = computer_lookup,domain definition = `ms_obj_changes_base_cat_act("Computer","deleted")` dest_nt_domain="$domain$"\ | fields _time,_raw,user,src_nt_domain,src_user\ | eval adminuser=src_nt_domain."\\".src_user\ | table _time,user,adminuser,_raw\ | rename user as "Deleted Computer",adminuser as "Deleted By" iseval = 0 [ms_obj_md_secrpt-new-computers(4)] args = computer_lookup,domain,starttime,endtime definition = inputlookup $computer_lookup$ WHERE domain="$domain$"\ | fields sAMAccountName,cn,whenCreated,dNSHostName,uac_details,userAccountControl,operatingSystem,operatingSystemServicePack,dn\ | eval begintime=strptime("$starttime$", "%m/%d/%y %I:%M %P")\ | eval finishtime=strptime("$endtime$", "%m/%d/%y %I:%M %P")\ | eval whenCreated_epoch=strptime(whenCreated, "%I:%M.%S %P, %a %m/%d/%Y")\ | where whenCreated_epoch>begintime AND whenCreated_epochbegintime AND deletedDate begintime)) OR ((whenChanged_epoch < finishtime) AND (whenChanged_epoch > begintime))) OR ((whenCreated_epoch < finishtime) AND (whenCreated_epoch > 
begintime))) \
| eval whenDeleted=if(isDeleted="FALSE","",strftime(deletedDate,"%m/%d/%Y %a, %I:%M %P"))\
| sort dNSHostName \
| lookup AD_Obj_UAC userAccountControl OUTPUT uac_bin_map,uac_details \
| makemv delim=":" uac_details \
| table cn, sAMAccountName, dNSHostName,uac_details,operatingSystem,operatingSystemServicePack,whenCreated,whenChanged,whenDeleted,dn
iseval = 0

## Groups Search Macros that point to AD_Obj_Group Lookup:
# Every macro in this group takes the lookup name and the domain as macro
# arguments ($group_lookup$, $domain$, ...) and splices them verbatim into the
# SPL. None of these stanzas declares a macros.conf "validation" expression or
# "errormsg", so the calling dashboard/token is the only control over what
# reaches inputlookup / search. whenChanged/whenCreated are stored as
# "%I:%M.%S %P, %a %m/%d/%Y" and re-rendered as "%m/%d/%y %a %I:%M %P".
# Lists every group of $domain$; membercount falls back to mvcount(member)
# when the stored value is blank, and "group" falls back to sAMAccountName
# when cn is null or empty.
[ms_obj_md_secrpt-all-groups(2)]
args = group_lookup,domain
definition = inputlookup $group_lookup$ WHERE domain="$domain$"\
| fields sAMAccountName,cn,groupType_Name,membercount,whenChanged,whenCreated,member,dn\
| eval group=if(isnull(cn) OR cn=="",sAMAccountName,cn) \
| sort group\
| makemv delim="|" member\
| eval membercount=if(isnull(membercount) OR membercount=="",mvcount(member),membercount)\
| eval whenChanged=strftime(strptime(whenChanged,"%I:%M.%S %P, %a %m/%d/%Y"),"%m/%d/%y %a %I:%M %P")\
| eval whenCreated=strftime(strptime(whenCreated,"%I:%M.%S %P, %a %m/%d/%Y"),"%m/%d/%y %a %I:%M %P")\
| table group,groupType_Name,dn,membercount,whenChanged,whenCreated\
| rename group as "Group Name",groupType_Name as "Type",dn AS distinguishedName,membercount as "# Members"
iseval = 0

# Filters on the STORED membercount="0" and never recomputes it, so a group
# whose stored membercount is blank (all-groups derives it from member) is not
# reported here even if it has no members. memberOf is resolved by looking the
# group's dn up in the member column of the same lookup.
[ms_obj_md_secrpt-empty-groups(2)]
args = group_lookup,domain
definition = inputlookup $group_lookup$ where membercount="0" AND domain="$domain$"\
| fields sAMAccountName,dn,cn,groupType,groupType_Name,member,membercount,whenChanged,whenCreated\
| eval group=if(isnull(cn) OR cn=="",sAMAccountName,cn)\
| sort group\
| lookup $group_lookup$ member AS dn OUTPUT sAMAccountName AS memberOf\
| eval whenChanged=strftime(strptime(whenChanged,"%I:%M.%S %P, %a %m/%d/%Y"),"%m/%d/%y %a %I:%M %P")\
| eval whenCreated=strftime(strptime(whenCreated,"%I:%M.%S %P, %a %m/%d/%Y"),"%m/%d/%y %a %I:%M %P")\
| table group,groupType,groupType_Name,membercount,memberOf,whenChanged,whenCreated\
| rename group as "Group_Name",groupType_Name as "Type",membercount as "# Members"
iseval = 0

# $minsize$ is substituted verbatim into `search membercount>$minsize$`; a
# non-numeric or empty value is not rejected by anything in this stanza.
# Unlike all-groups, the cn fallback here only checks isnull(cn), not cn=="".
[ms_obj_md_secrpt-large-groups(3)]
args = group_lookup,domain,minsize
definition = inputlookup $group_lookup$ WHERE domain="$domain$"\
| fields sAMAccountName,cn,groupType_Name,membercount,whenChanged,whenCreated,member\
| eval group=if(isnull(cn),sAMAccountName,cn)\
| eval membercount=if(isnull(membercount) OR membercount=="",mvcount(member),membercount)\
| search membercount>$minsize$ \
| sort -membercount, group\
| eval whenChanged=strftime(strptime(whenChanged,"%I:%M.%S %P, %a %m/%d/%Y"),"%m/%d/%y %a %I:%M %P")\
| eval whenCreated=strftime(strptime(whenCreated,"%I:%M.%S %P, %a %m/%d/%Y"),"%m/%d/%y %a %I:%M %P")\
| table group,groupType_Name,membercount,whenChanged,whenCreated\
| rename group as "Group_Name",groupType_Name as "Type",membercount as "# Members"
iseval = 0

# memberOf is re-derived by looking each group's dn up in the member column of
# the same lookup (overwriting the memberOf selected by `fields`); rows whose
# memberOf is empty are then dropped and the rest sorted by nesting count.
[ms_obj_md_secrpt-nested-groups(2)]
args = group_lookup,domain
definition = inputlookup $group_lookup$ where domain="$domain$" \
| fields + distinguishedName,cn,dn, sAMAccountName, groupType_Name, memberOf, whenChanged, whenCreated\
| eval group=if(isnull(cn),sAMAccountName,cn)\
| lookup $group_lookup$ member AS dn OUTPUT sAMAccountName AS memberOf \
| search memberOf!="" \
| eval nested_group_count=mvcount(memberOf)\
| eval whenChanged=strftime(strptime(whenChanged,"%I:%M.%S %P, %a %m/%d/%Y"),"%m/%d/%y %a %I:%M %P")\
| eval whenCreated=strftime(strptime(whenCreated,"%I:%M.%S %P, %a %m/%d/%Y"),"%m/%d/%y %a %I:%M %P")\
| table group,distinguishedName,groupType_Name,memberOf,nested_group_count,whenChanged,whenCreated\
| sort -nested_group_count\
| rename group as "Group_Name", groupType_Name as Type
iseval = 0

# NOTE(review): the WHERE clause mixes an implicit AND with NOT and OR and has
# no parentheses; whether the `OR managedBy=""` arm stays scoped to the domain
# depends on Splunk's boolean evaluation order (NOT, then OR, then AND). The
# managed-groups sibling spells its conjunction out with AND — parenthesising
# `(NOT managedBy="*" OR managedBy="")` here would make the intent explicit.
[ms_obj_md_secrpt-unmanaged-groups(2)]
args = group_lookup,domain
definition = inputlookup $group_lookup$ WHERE domain="$domain$" NOT managedBy="*" OR managedBy=""\
| fields sAMAccountName,cn,groupType_Name,membercount,whenChanged,whenCreated,member\
| eval group=if(isnull(cn),sAMAccountName,cn)\
| eval membercount=if(isnull(membercount) OR membercount=="",mvcount(member),membercount)\
| sort group\
| eval whenChanged=strftime(strptime(whenChanged,"%I:%M.%S %P, %a %m/%d/%Y"),"%m/%d/%y %a %I:%M %P")\
| eval whenCreated=strftime(strptime(whenCreated,"%I:%M.%S %P, %a %m/%d/%Y"),"%m/%d/%y %a %I:%M %P")\
| table group,groupType_Name,membercount,whenChanged,whenCreated\
| rename group as "Group_Name",groupType_Name as "Type",membercount as "# Members"
iseval = 0

# Complement of unmanaged-groups: groups of $domain$ with a non-empty managedBy.
[ms_obj_md_secrpt-managed-groups(2)]
args = group_lookup,domain
definition = inputlookup $group_lookup$ WHERE domain="$domain$" AND managedBy="*" AND NOT managedBy=""\
| fields sAMAccountName,cn,groupType_Name,membercount,whenChanged,whenCreated,member,managedBy\
| eval group=if(isnull(cn),sAMAccountName,cn)\
| sort group\
| eval membercount=if(isnull(membercount) OR membercount=="",mvcount(member),membercount)\
| eval whenChanged=strftime(strptime(whenChanged,"%I:%M.%S %P, %a %m/%d/%Y"),"%m/%d/%y %a %I:%M %P")\
| eval whenCreated=strftime(strptime(whenCreated,"%I:%M.%S %P, %a %m/%d/%Y"),"%m/%d/%y %a %I:%M %P")\
| table group,managedBy,groupType_Name,membercount,whenChanged,whenCreated\
| rename group as "Group_Name",groupType_Name as "Type",membercount as "# Members"
iseval = 0

# Event-driven variant of new-groups: starts from the "created" group change
# events (ms_obj_changes_base_cat_act) for dest_nt_domain=$domain$ and enriches
# them from $group_lookup$ by lower-cased objectGUID; "Added By" is
# src_nt_domain\src_user.
[ms_obj_md_secrpt-new-groups_raw(2)]
args = group_lookup,domain
definition = `ms_obj_changes_base_cat_act("Group","created")` dest_nt_domain="$domain$"\
| lookup AD_Audit_Group_Type MSADGroupClassID OUTPUT MSADGroupClass\
| eval objectGUID=lower(objectGUID)\
| lookup $group_lookup$ objectGUID OUTPUT cn AS user_group,MSADGroupType,MSADGroupClass\
| eval adminuser=src_nt_domain."\\".src_user\
| table _time,user_group,MSADGroupClass,MSADGroupType,adminuser\
| rename user_group as "Group Name",MSADGroupClass as "Class",MSADGroupType as "Type",adminuser as "Added By"
iseval = 0

# NOTE(review): in this copy the `where` clause is unreadable — the `<`
# comparisons were stripped together with everything up to the next `>`, so the
# stanza as shown is not the original. whenDeleted and deletedDate_epoch are
# referenced without any visible eval that derives them (possibly in the
# stripped text), and the table field list ends in a trailing comma as found.
# $starttime$/$endtime$ are parsed with "%m/%d/%y %I:%M %P" and not validated.
# Do not copy this stanza back into macros.conf from here.
[ms_obj_md_secrpt-new-groups(4)]
args = group_lookup,domain,starttime,endtime
definition = inputlookup $group_lookup$ WHERE domain="$domain$"\
| fields sAMAccountName,cn,whenCreated,distinguishedName,groupType_Name,memberOf,whenChanged,member,membercount\
| eval group=if(isnull(cn),sAMAccountName,cn)\
| eval begintime=strptime("$starttime$", "%m/%d/%y %I:%M %P")\
| eval finishtime=strptime("$endtime$", "%m/%d/%y %I:%M %P")\
| eval whenCreated_epoch=strptime(whenCreated, "%I:%M.%S %P, %a %m/%d/%Y")\
| where whenCreated_epoch>begintime AND whenCreated_epochbegintime AND deletedDate begintime) OR (whenCreated_epoch < finishtime) AND (whenCreated_epoch > begintime) OR (deletedDate_epoch < finishtime) AND (deletedDate_epoch > begintime)) \
| sort group \
| eval membercount=if((isnull(membercount) OR (membercount == "")),mvcount(member),membercount) \
| table group,sAMAccountName,groupType_Name,distinguishedName,membercount,whenCreated,whenChanged, whenDeleted,\
| rename group as Group_Name, groupType_Name as Type,membercount as "# Members"
iseval = 0

# Group change events for one group of one domain.
# $group$, $domain$ and $action$ are spliced verbatim into the base search;
# $action$ in particular is inserted as a bare search fragment `($action$)`, so
# whatever the caller passes becomes part of the SPL — no "validation" or
# "errormsg" is set on this stanza. The leading subsearch turns the matching
# lookup_grp values into a quoted OR list. Backslashes are stripped from ids and
# DNs (replace(...,"\x5C{1}","")) and the result lower-cased before it is used
# as the lookup_grp key; the first non-null of group_obj_dn, New_DN, Old_DN, DN,
# user_group, Group_Name, group_obj_id wins, else "NA". MSADChanges entries are
# joined with "########" and split again after the case() that prepends the
# signature.
[ms_obj_md_group_action_events(4)]
args = group_lookup,domain,group,action
definition = `ms_obj_group_all_changes_base` ([| inputlookup $group_lookup$ WHERE lookup_grp="$group$" | fields lookup_grp | stats values(lookup_grp) AS search | eval search="\"".mvjoin(search,"\" OR \"")."\""]) (src_nt_domain="$domain$" OR dest_nt_domain="$domain$") ($action$)\
| fields _time,_raw,member_obj_dn,member_obj_id,member_obj_domain,member_obj_class,src_user,src_nt_domain,dest_nt_domain,group_obj_id,group_obj_dn,group_obj_nm,user_group,Group_Name,group_id,msad_action,MSADGroupClassID,MSADGroupType,MSADGroupClass,signature,Correlation_ID,MSADChangedAttributes,AttributeLDAPDisplayName,AttributeValue,DN,dir_svcs_action,Old_DN,New_DN\
| eval adminuser=if(isnull(src_nt_domain),src_user,upper(src_nt_domain)."\\".src_user),member=if(isnull(member_obj_domain),replace(member_obj_id,"\x5C{1}",""),member_obj_domain."\\".replace(member_obj_id,"\x5C{1}",""))\
| eval member=if(isnull(member),if(isnull(member_obj_dn),"NA",member_obj_dn),member)\
| eval group_obj_lkp=if(isnull(group_obj_dn),if(isnull(New_DN),if(isnull(Old_DN),if(isnull(DN),if(isnull(user_group),if(isnull(Group_Name),if(isnull(group_obj_id),"NA",lower(replace(group_obj_id,"\x5C{1}",""))),lower(replace(Group_Name,"\x5C{1}",""))),lower(replace(user_group,"\x5C{1}",""))),lower(replace(DN,"\x5C{1}",""))),lower(replace(Old_DN,"\x5C{1}",""))),lower(replace(New_DN,"\x5C{1}",""))),lower(replace(group_obj_dn,"\x5C{1}","")))\
| lookup AD_Audit_Group_Type MSADGroupClassID OUTPUT MSADGroupClass\
| lookup $group_lookup$ lookup_grp AS group_obj_lkp OUTPUT cn AS group_obj_cn, orig_cn AS group_obj_o_cn,MSADGroupClass AS MSADGroupClass_u, MSADGroupType AS MSADGroupType_u\
| eval MSADGroupClass=if(isnull(MSADGroupClass),MSADGroupClass_u,MSADGroupClass),MSADGroupType=if(isnull(MSADGroupType),MSADGroupType_u,MSADGroupType)\
| eval group_obj_nm=if(isnull(group_obj_o_cn) OR group_obj_o_cn="",if(isnull(group_obj_cn) OR group_obj_cn="",if(isnull(group_obj_lkp),"NA",group_obj_lkp),lower(group_obj_cn)),lower(group_obj_o_cn))\
| search group_obj_nm="$group$" OR group_obj_lkp="$group$"\
| `ms_obj_msad-changed-attributes`\
| stats list(MSADChanges) AS MSADChanges,values(Correlation_ID) AS Correlation_IDs by _time,adminuser,msad_action,group_obj_nm,MSADGroupType,MSADGroupClass,member,signature\
| eval MSADChanges=mvjoin(MSADChanges, "########")\
| eval MSADChanges=case(isnull(signature) AND isnull(MSADChanges),"Unknown Changes",isnull(signature),MSADChanges,isnotnull(MSADChanges),"Signature: ".signature."########".MSADChanges)\
| makemv delim="########" MSADChanges\
| table _time,adminuser,msad_action,group_obj_nm,MSADGroupType,MSADGroupClass,member,MSADChanges
iseval = 0

## User Search Macros that point to AD_Obj_User Lookup:
## Filter search for critical objects
## Ex: `ms_obj_win_events_security` `ms_obj_md_critical_obj_filter("sedemo",User,src_user)`
## Ex: `ms_obj_win_events_security` `ms_obj_md_critical_obj_filter("sedemo",User,user)`
## Ex: `ms_obj_win_events_security` 
## `ms_obj_md_critical_obj_filter("sedemo",Computer,user)`

# Expands to `search $evt_field$ IN("u1","u2",...)`: the members of every group
# flagged obj_type="group" in AD_Audit_Default_Critical_Objects are resolved
# through AD_Obj_Group_$tgt_kv_suffix$ and then AD_Obj_$obj_lookup$ (note the
# fixed AD_Obj_ prefixes; the raw siblings take full lookup names). When no
# member resolves, the sentinel "NO_Obj_Found" is used so the IN() list is not
# left empty. $evt_field$ is spliced in unvalidated.
[ms_obj_md_critical_filter_field(3)]
args = tgt_kv_suffix,obj_lookup,evt_field
definition = search $evt_field$ IN([| inputlookup AD_Audit_Default_Critical_Objects WHERE obj_type="group" | fields cn | lookup AD_Obj_Group_$tgt_kv_suffix$ cn OUTPUT member | lookup AD_Obj_$obj_lookup$ dn AS member OUTPUT sAMAccountName AS user, cn AS user_cn | eventstats values(user) AS users | eval users=if(users="" OR isnull(users),"NO_Obj_Found",users) | stats values(users) AS users\
| eval search="\"".mvjoin(users,"\",\"")."\"" | table search])
iseval = 0

# Subsearch variant returning `"u1" OR "u2" ...` as a raw-text filter; rows with
# an empty member or an unresolved user are dropped, and unlike the field
# variant there is no sentinel, so an empty result yields an empty subsearch.
[ms_obj_md_critical_filter_raw(2)]
args = group_lookup,tgt_obj_lookup
definition = [| inputlookup AD_Audit_Default_Critical_Objects WHERE obj_type="group"\
| fields cn\
| lookup $group_lookup$ cn OUTPUT member\
| search member!=""\
| lookup $tgt_obj_lookup$ dn AS member OUTPUT sAMAccountName AS user, cn AS user_cn\
| search user!=""\
| stats values(user) AS users\
| eval search="\"".mvjoin(users,"\" OR \"")."\""\
| table search]
iseval = 0

# NOTE(review): args declares group_lookup,obj_lookup,evt_field but the
# definition references $tgt_obj_lookup$ (the 2-arg sibling's name) and never
# $obj_lookup$, so the target lookup is not taken from the argument. Either
# rename the arg to tgt_obj_lookup or the token to $obj_lookup$.
[ms_obj_md_critical_filter_raw(3)]
args = group_lookup,obj_lookup,evt_field
definition = [| inputlookup AD_Audit_Default_Critical_Objects WHERE obj_type="group"\
| fields cn\
| lookup $group_lookup$ cn OUTPUT member\
| search member!=""\
| lookup $tgt_obj_lookup$ dn AS member OUTPUT sAMAccountName AS user, cn AS user_cn\
| search user!=""\
| stats values(user) AS users\
| eval search="$evt_field$=\"".mvjoin(users,"\" OR $evt_field$=\"")."\""\
| table search]
iseval = 0

# All users of $domain$ with userAccountControl decoded by
# ms_obj_uac_get_details_lkup. "domain" appears twice in the table clause (as
# found).
[ms_obj_md_secrpt-all-users(2)]
args = user_lookup,domain
definition = inputlookup $user_lookup$ append=true WHERE domain="$domain$"\
| `ms_obj_uac_get_details_lkup`\
| makemv delim=":" uac_details\
| table domain, sAMAccountName, userPrincipalName,userAccountControl, uac_details,domain, distinguishedName,whenChanged,whenCreated\
| sort sAMAccountName\
| rename sAMAccountName AS "user", uac_details AS userAccountControl_Details
iseval = 0

# Same as all-users but keeps only rows whose uac_details matches "Disabled"
# (mvfilter/match, then `search uac_filter=*`).
[ms_obj_md_secrpt-disabled-users(2)]
args = user_lookup,domain
definition = inputlookup $user_lookup$ append=true WHERE domain="$domain$" \
| `ms_obj_uac_get_details_lkup`\
| eval uac_filter=mvfilter(match(uac_details, "Disabled")) \
| search uac_filter=*\
| makemv delim=":" uac_details\
| table domain, sAMAccountName, userPrincipalName,userAccountControl, uac_details,domain, distinguishedName,whenChanged,whenCreated\
| sort sAMAccountName\
| rename sAMAccountName AS "user", uac_details AS userAccountControl_Details
iseval = 0

# NOTE(review): from `where whenChanged_epoch>begintime AND ...` onward this
# copy is garbled — the `<` comparisons and everything up to the next `>` were
# stripped, which swallowed the rest of this stanza and the headers of the
# stanzas that followed. The `eval membercount=mvcount(mb_cnt)` ... `table`
# pipeline that now appears to belong here is a group-lookup build step keyed
# by $tgt_kv_suffix$ (an argument this stanza does not declare), not part of
# disabled-users. Do not copy any of it back into macros.conf from here.
[ms_obj_md_secrpt-disabled-users(4)]
args = user_lookup,domain,starttime,endtime
definition = inputlookup $user_lookup$ WHERE domain="$domain$" AND uac_details="Disabled"\
| eval begintime=strptime("$starttime$", "%m/%d/%y %I:%M %P")\
| eval finishtime=strptime("$endtime$", "%m/%d/%y %I:%M %P")\
| eval whenChanged_epoch=strptime(whenChanged, "%I:%M.%S %P, %a %m/%d/%Y")\
| where whenChanged_epoch>begintime AND whenChanged_epochbegintime AND whenCreated_epochbegintime AND deletedDatebegintime AND whenChanged_epoch(^CN|####CN))"\
| eval membercount=mvcount(mb_cnt)\
| fillnull value="0" membercount\
| lookup AD_Obj_Group_$tgt_kv_suffix$ member_$tgt_kv_suffix$ AS admin_dn OUTPUT dn AS memberOf\
| rename member AS member_hist,memberOf AS memberOf_hist\
| lookup AD_Audit_Group_Details groupType,sAMAccountType OUTPUT groupType_Name,MSADGroupType,MSADGroupClass\
| fillnull value="FALSE" isCriticalSystemObject\
| table objectGUID,MSADGroupClass,MSADGroupType,adminCount,c,dSCorePropagationData,description,displayName,dn_hist,dn_path,domain,groupType_Name,isCriticalSystemObject,l,managedBy,member_hist,memberOf_hist,membercount,objectCategory,q_link_id,sAMAccountType,src_nt_domain,st,sync_dn_chg,systemFlags
iseval = 0

# Latest admon "Deleted" event (ms_obj_admon_base_del_type) per objectGUID for
# user objects of $tgt_dc_val$.
# NOTE(review): the `]` after the table clause closes a subsearch this macro
# never opens (the computer sibling has none) — verify against the caller.
# badPasswordTime and badPwdCount are absent from the fields/table lists, so the
# trailing fillnull cannot fill real values for them; the computer sibling
# carries both through. This variant calls ms_obj_admon_user(...) while the
# computer variant calls ms_obj_md_admon_computer(...).
[ms_obj_md_admon_user_base_deletes(1)]
args = tgt_dc_val
definition = `ms_obj_admon_flt_obj_type(ms_obj_admon_user("$tgt_dc_val$"),ms_obj_admon_base_del_type)`\
| stats latest(*) AS * by objectGUID\
| fields objectGUID,c,codePage,countryCode,department,description,displayName,dn_path,domain,givenName,initials,isCriticalSystemObject,l,lastLogon,lastLogonTimestamp,lockoutTime,logonCount,logonHours,managedBy,msDS-SupportedEncryptionTypes,objectCategory,physicalDeliveryOfficeName,postalCode,primaryGroupID,pwdLastSet,sAMAccountType,servicePrincipalName,showInAdvancedViewOnly,sn,st,streetAddress,title,userPrincipalName,userWorkstations\
| fillnull value = "FALSE" isCriticalSystemObject,showInAdvancedViewOnly\
| table objectGUID,c,codePage,countryCode,department,description,displayName,dn_path,domain,givenName,initials,isCriticalSystemObject,l,lastLogon,lastLogonTimestamp,lockoutTime,logonCount,logonHours,managedBy,msDS-SupportedEncryptionTypes,objectCategory,physicalDeliveryOfficeName,postalCode,primaryGroupID,pwdLastSet,sAMAccountType,servicePrincipalName,showInAdvancedViewOnly,sn,st,streetAddress,title,userPrincipalName,userWorkstations]\
| fillnull value="0" badPasswordTime,badPwdCount,codePage,countryCode,lastLogon,lockoutTime,logonCount,pwdLastSet
iseval = 0

# Computer counterpart: latest admon "Deleted" event per objectGUID for
# computer objects of $tgt_dc_val$, with the same field list kept through
# fields and table.
[ms_obj_md_admon_computer_base_deletes(1)]
args = tgt_dc_val
definition = `ms_obj_admon_flt_obj_type(ms_obj_md_admon_computer("$tgt_dc_val$"),ms_obj_admon_base_del_type)`\
| stats latest(*) AS * by objectGUID\
| fields objectGUID,accountExpires,badPasswordTime,badPwdCount,c,codePage,countryCode,dNSHostName,dSCorePropagationData,description,displayName,dn_hist,dn_path,domain,isCriticalSystemObject,l,lastLogon,lastLogonTimestamp,localPolicyFlags,logonCount,managedBy,objectCategory,operatingSystem,operatingSystemServicePack,operatingSystemVersion,primaryGroupID,pwdLastSet,q_link_id,rIDSetReferences,sAMAccountType,serverReferenceBL,servicePrincipalName,src_nt_domain,st,sync_dn_chg\
| fillnull value="FALSE" isCriticalSystemObject\
| table objectGUID,accountExpires,badPasswordTime,badPwdCount,c,codePage,countryCode,dNSHostName,dSCorePropagationData,description,displayName,dn_hist,dn_path,domain,isCriticalSystemObject,l,lastLogon,lastLogonTimestamp,localPolicyFlags,logonCount,managedBy,objectCategory,operatingSystem,operatingSystemServicePack,operatingSystemVersion,primaryGroupID,pwdLastSet,q_link_id,rIDSetReferences,sAMAccountType,serverReferenceBL,servicePrincipalName,src_nt_domain,st,sync_dn_chg
iseval = 0

##########################################################################################################
## HTML Building Macros:
##########################################################################################################
# NOTE(review): in this copy of the file the markup inside the eval'd strings of
# the HTML-building macros has been stripped (only the text between tags
# survives), so their definitions as shown here are incomplete and must not be
# copied back into macros.conf. Where the remaining text is readable, values
# read from AD_Obj_Domain and the object lookups (domain, DomainDNSName,
# kv_suffix, user_lookup, group_lookup, computer_lookup, the per-domain counts)
# are concatenated straight into the generated HTML with no escaping step in
# the pipeline; treat that lookup content as untrusted for rendering purposes.
# The sibling ms_obj_cfg_kv_split_ha further down names its computer join count
# "user_computer" but later reads computer_count, so unless the upstream search
# already supplies computer_count that column renders as 0.
# This macro: one row per domain from AD_Obj_Domain, left-joined with object
# counts from the default AD_Obj_User/Group/Computer lookups; ena_lst is the
# comma-joined list of domains with multi_lkps_enabled="t"; the *_cls_* fields
# hold the "hidden"/"" CSS toggles used by the markup that follows.
[ms_obj_cfg_kv_split_h]
definition = inputlookup AD_Obj_Domain\
| fields domain,DomainDNSName,Site,multi_lkps_enabled,kv_suffix,dc_val,user_lookup,group_lookup,computer_lookup\
| stats count by domain,DomainDNSName,Site,multi_lkps_enabled,kv_suffix,dc_val,user_lookup,group_lookup,computer_lookup\
| join type=left domain [| inputlookup AD_Obj_User | fields domain | stats count as user_count by domain]\
| join type=left domain [| inputlookup AD_Obj_Group | fields domain | stats count as group_count by domain]\
| join type=left domain [| inputlookup AD_Obj_Computer | fields domain | stats count as computer_count by domain]\
| eval user_count=if(isnull(user_count),0,tostring(user_count,"commas")),group_count=if(isnull(group_count),0,tostring(group_count,"commas")),computer_count=if(isnull(computer_count),0,tostring(computer_count,"commas"))\
| eval ena_lst=if(multi_lkps_enabled=="f" OR isnull(multi_lkps_enabled),NULL,domain)\
| eventstats values(ena_lst) AS ena_lst\
| eval ena_lst=mvjoin(ena_lst,",")\
| eval kv_suff_cls_inp=if(multi_lkps_enabled=="f" OR isnull(multi_lkps_enabled),"hidden",""),kv_suff_cls_def=if(multi_lkps_enabled=="f" OR isnull(multi_lkps_enabled),"","hidden")\
| eval dc_val_cls_inp=if(multi_lkps_enabled=="f" OR 
isnull(multi_lkps_enabled),"hidden",""),dc_val_cls_def=if(multi_lkps_enabled=="f" OR isnull(multi_lkps_enabled),"","hidden")\ | eval lkp_cls_ena=if(multi_lkps_enabled=="f" OR isnull(multi_lkps_enabled),"hidden",""),lkp_cls_def=if(multi_lkps_enabled=="f" OR isnull(multi_lkps_enabled),"","hidden")\ | eval dom_btn_state=if(multi_lkps_enabled=="f" OR isnull(multi_lkps_enabled),"btn-danger off","btn-success")\ | eval h_enable="
    "\ | eval h_suff="

    Not Enabled

    "\ | eval h_lkp="
    Default
    AD_Obj_User (".user_count.")
    AD_Obj_Group (".group_count.")
    AD_Obj_Computer (".computer_count.")
    AD_Obj_User_".kv_suffix."
    AD_Obj_Group_".kv_suffix."
    AD_Obj_Computer_".kv_suffix."
    "\ | eval h_dc="

    Not Enabled

    "\ | eval rws="".h_enable."".domain."
    ".DomainDNSName."
    ".h_suff."".h_lkp."".h_dc.""\ | stats values(rws) AS rws\ | eval table_vl="".mvjoin(rws," ")."
    Enable
    DomainLookup SuffixLookup Names (Count)admon Domain filter (field: dc_val)
    "\ | table table_vl,ena_lst iseval = 0 [ms_obj_cfg_kv_split_ha] definition = join type=left domain [| inputlookup AD_Obj_User | fields domain | stats count as user_count by domain]\ | join type=left domain [| inputlookup AD_Obj_Group | fields domain | stats count as group_count by domain]\ | join type=left domain [| inputlookup AD_Obj_Computer | fields domain | stats count as user_computer by domain]\ | eval user_count=if(isnull(user_count),0,tostring(user_count,"commas")),group_count=if(isnull(group_count),0,tostring(group_count,"commas")),computer_count=if(isnull(computer_count),0,tostring(computer_count,"commas"))\ | eval ena_lst=if(multi_lkps_enabled=="f" OR isnull(multi_lkps_enabled),NULL,domain)\ | eventstats values(ena_lst) AS ena_lst\ | eval ena_lst=mvjoin(ena_lst,",")\ | eval kv_suff_cls_inp=if(multi_lkps_enabled=="f" OR isnull(multi_lkps_enabled),"hidden",""),kv_suff_cls_def=if(multi_lkps_enabled=="f" OR isnull(multi_lkps_enabled),"","hidden")\ | eval dc_val_cls_inp=if(multi_lkps_enabled=="f" OR isnull(multi_lkps_enabled),"hidden",""),dc_val_cls_def=if(multi_lkps_enabled=="f" OR isnull(multi_lkps_enabled),"","hidden")\ | eval lkp_cls_ena=if(multi_lkps_enabled=="f" OR isnull(multi_lkps_enabled),"hidden",""),lkp_cls_def=if(multi_lkps_enabled=="f" OR isnull(multi_lkps_enabled),"","hidden")\ | eval dom_btn_state=if(multi_lkps_enabled=="f" OR isnull(multi_lkps_enabled),"btn-danger off","btn-success")\ | eval h_enable="
    "\ | eval h_suff="

    Not Enabled

    "\ | eval h_lkp="
    Default
    AD_Obj_User (".user_count.")
    AD_Obj_Group (".group_count.")
    AD_Obj_Computer (".computer_count.")
    AD_Obj_User_".kv_suffix."
    AD_Obj_Group_".kv_suffix."
    AD_Obj_Computer_".kv_suffix."
    "\ | eval h_dc="

    Not Enabled

    "\ | eval rws="".h_enable."".domain."
    ".DomainDNSName."
    ".h_suff."".h_lkp."".h_dc.""\ | stats values(rws) AS rws\ | eval table_vl="".mvjoin(rws," ")."
    Enable
    DomainLookup SuffixLookup Names (Count)admon Domain filter (field: dc_val)
    "\ | table table_vl,ena_lst iseval = 0 [ms_obj_cfg_filter_md_inp(3)] args = ena_array,kv_suffix_array,dc_val_array definition = makeresults\ | eval kv_suffix="n_a",dc_val="n_a",user_lookup="n_a",group_lookup="n_a",computer_lookup="n_a"\ | eval ena_array="$ena_array$"\ | makemv delim="," ena_array\ | eval domain=mvfilter(match(ena_array,"^\S+"))\ | mvexpand domain\ | eval kv_suff_array="$kv_suffix_array$"\ | eval kv_suff_array=if(kv_suff_array=="",kv_suffix,kv_suff_array)\ | makemv delim="|" kv_suff_array\ | mvexpand kv_suff_array\ | rex field=kv_suff_array "(?[^\:]+)\:kv_suffix\=(?.+)"\ | eval n_kv_suffix=if(isnull(kv_suff_array) OR kv_suff_array="","n_a",if(kvsuff_dom==domain,kvsuff_val,NULL))\ | eval dc_val_array="$dc_val_array$"\ | eval dc_val_array=if(dc_val_array=="",dc_val,dc_val_array)\ | makemv delim="|" dc_val_array\ | mvexpand dc_val_array\ | rex field=dc_val_array "(?[^\:]+)\:dc_val\=(?.+)"\ | eval n_dc_val=if(isnull(dc_val_array) OR dc_val_array="","n_a",if(dcval_dom==domain,dcval_val,NULL))\ | stats values(n_dc_val) AS n_dc_val, values(n_kv_suffix) AS n_kv_suffix by domain\ | eval multi_lkps_enabled="t",updated="1"\ | fillnull value="n_a" n_dc_val,n_kv_suffix iseval = 0 [ms_obj_cfg_filter_md_h_tbls] definition = eval collections_conf="\ ##-----------------------------------------------------------##\ ## Domain: ".domain." - KVStores\ ##-----------------------------------------------------------##\ ## Domain - ".domain." - User KVStore ##\ [".user_lookup."_kv]\ enforceTypes = false\ accelerated_fields.dn = { \"dn\" : 1 }\ ## Domain - ".domain." - Group KVStore ##\ [".group_lookup."_kv]\ enforceTypes = false\ accelerated_fields.dn = { \"dn\" : 1 }\ accelerated_fields.member = { \"member\" : 1 }\ ## Domain - ".domain." - Computer KVStore ##\ [".computer_lookup."_kv]\ enforceTypes = false\ accelerated_fields.dn = { \"dn\" : 1 }"\ | eval transforms_conf="\ ##---------------------------------------------------##\ ## Domain: ".domain." 
- Lookup Definition\ ##---------------------------------------------------##\ ## Domain - ".domain." - User Definition ##\ [".user_lookup."]\ external_type = kvstore\ collection = ".user_lookup."_kv\ fields_list = _key,accountExpires,adminCount,badPasswordTime,badPwdCount,c,cn,orig_cn,codePage,countryCode,dSCorePropagationData,dcName,deletedDate,department,description,displayName,distinguishedName,dn,dn_hist,dn_path,domain,DomainDNSName,givenName,guid_lookup,initials,instanceType,isCriticalSystemObject,isDeleted,isRecycled,l,lastKnownParent,lastLogon,lastLogonTimestamp,last_evt_flg,location,lockoutTime,logonCount,logonHours,lookup_usr,managedBy,msDS-SupportedEncryptionTypes,name,objectCategory,objectClass,objectGUID,objectSid,orig_evt_dn,OU,physicalDeliveryOfficeName,postalCode,primaryGroupID,pwdLastSet,sAMAccountName,sAMAccountType,servicePrincipalName,showInAdvancedViewOnly,sid_lookup,sn,st,streetAddress,title,uac_details,uac_bin_map,uSNChanged,uSNCreated,userAccountControl,userPrincipalName,userWorkstations,whenChanged,whenCreated,user_type,time\ case_sensitive_match = false\ ## Domain - ".domain." - Group Definition ##\ [".group_lookup."]\ external_type = kvstore\ collection = ".group_lookup."_kv\ fields_list = _key,adminCount,c,cn,orig_cn,dSCorePropagationData,dcName,deletedDate,description,displayName,distinguishedName,dn,dn_hist,dn_path,domain,DomainDNSName,groupType,groupType_Name,guid_lookup,instanceType,isCriticalSystemObject,isDeleted,isDistributionList,isRecycled,l,lastKnownParent,last_evt_flg,lookup_grp,managedBy,member,membercount,MSADGroupType,MSADGroupClass,name,objectCategory,objectClass,objectGUID,objectSid,orig_evt_dn,OU,primaryGroupToken,sAMAccountName,sAMAccountType,showInAdvancedViewOnly,sid_lookup,src_nt_domain,st,systemFlags,uSNChanged,uSNCreated,whenChanged,whenCreated,time\ case_sensitive_match = false\ ## Domain - ".domain." 
- Computer Definition ##\ [".computer_lookup."]\ external_type = kvstore\ collection = ".computer_lookup."_kv\ fields_list = _key,accountExpires,badPasswordTime,badPwdCount,c,cn,orig_cn,codePage,countryCode,dNSHostName,dSCorePropagationData,dcName,deletedDate,description,displayName,distinguishedName,dn,dn_hist,dn_path,domain,DomainDNSName,instanceType,isCriticalSystemObject,isDeleted,isRecycled,l,lastKnownParent,lastLogon,lastLogonTimestamp,last_evt_flg,localPolicyFlags,logonCount,lookup_cmp,managedBy,msDFSR-ComputerReferenceBL,msDS-SupportedEncryptionTypes,name,objectCategory,objectClass,objectGUID,objectSid,operatingSystem,operatingSystemServicePack,operatingSystemVersion,orig_evt_dn,OU,primaryGroupID,pwdLastSet,rIDSetReferences,sAMAccountName,sAMAccountType,serverReferenceBL,servicePrincipalName,sid_lookup,src_nt_domain,st,uSNChanged,uSNCreated,userAccountControl,whenChanged,whenCreated,time\ case_sensitive_match = false"\ | eval new_sched_search_list="

    Domain (".domain.")

    • User Scheduled Sync Search:

      • New Report Settings
        • Title: AD_Obj_User_".domain."_Update
        • Search: `ms_obj_md_admon_bld_upd_out(\"".kv_suffix."\",\"".dc_val."\",user,User)`
        • Earliest: -15m@m
        • Latest: now
        • App: MS Windows AD Objects
      • Scheduling Settings
        • Cron Expression: 09,19,29,39,49,59 * * * *
    • Group Scheduled Sync Search:

      • New Report Settings
        • Title: AD_Obj_Group_".domain."_Update
        • Search: `ms_obj_md_admon_bld_upd_out(\"".kv_suffix."\",\"".dc_val."\",group,Group)`
        • Earliest: -15m@m
        • Latest: now
        • App: MS Windows AD Objects
      • Scheduling Settings
        • Cron Expression: 05,18,28,38,48,58 * * * *
    • Computer Scheduled Sync Search:

      • New Report Settings
        • Title: AD_Obj_Computer_".domain."_Update
        • Search: `ms_obj_md_admon_bld_upd_out(\"".kv_suffix."\",\"".dc_val."\",computer,Computer)`
        • Earliest: -15m@m
        • Latest: now
        • App: MS Windows AD Objects
      • Scheduling Settings
        • Cron Expression: 07,17,27,37,47,57 * * * *
    "\ | stats values(new_sched_search_list) AS new_sched_search_list,values(collections_conf) AS collections_conf,values(transforms_conf) AS transforms_conf,max(dis_def_srch_flg) AS dis_def_srch_flg\ | eval default_searches="
    • Name: AD_Obj_User_Update
    • Name: AD_Obj_Group_Update
    • Name: AD_Obj_Computer_Update
    "\ | eval disable_default_searches=if(dis_def_srch_flg==1,"

    Configuration Steps:

    NO ACTION NEEDED

    • Do NOT Disable the Searches in the right column
    • Some domains are still using default lookups, so they need these scheduled searches enabled
    ".default_searches."","

    Configuration Steps:

    DISABLE Default Scheduled Searches

    1. Click Here to open the Scheduled Search Views
    2. Disable the scheduled searches listed in the right column
      • Since no domains will be using the default lookups, these default Scheduled Searches are no longer needed.
    ".default_searches."")\ | eval def_sched_searches="".disable_default_searches."
    5. Default Scheduled Search Actions
    "\ | eval new_sched_searches="
    4. Create New Scheduled Searches

    Configuration Steps:

    Make sure the Kv Store and Lookup Definition steps have been completed before creating the New Saved Searches


    Create New Scheduled Searches

    1. Click Here to open the Search Management view in a separate tab.
    2. Click on the New Report in the top right corner.
    3. Use the list to the right for putting in the New Report Settings
      • Note: Repeat steps 2 and 3 for each of the New Report listed before proceeding to the next step
    4. Now that all of the reports have been created, you need to enable and configure the scheduling by selecting Edit Scheduling from the Edit dropdown for the newly created reports
    5. Click the option box Schedule Report to enable scheduling.
    6. From the Schedule dropdown, select Run on Cron Schedule
    7. Use the Scheduling Settings Cron Expression value for the report listed in the right panel.
      • Note: You might need to adjust the cron schedules initiation Minute Value to best stagger the scheduled searches for your environment
    8. Click Save
    ".mvjoin(new_sched_search_list,"")."
    "\ | eval transforms_conf="
    3. Create New Lookup Definitions (transforms.conf)

    Configuration Steps:

    1. Add the transforms.conf settings in the right column into the $SPLUNK_HOME/etc/apps/ms_windows_ad_objects/local/transforms.conf file

    • Note: Click More Info for more information on creating a KV Store
    • Important Splunk Cloud Note: Splunk Web currently does not support the creation of KV Store collections. If you use Splunk Cloud you need to file a support ticket to add a unique KV Store collection to your Splunk deployment.
    ".mvjoin(transforms_conf,"")."
    "\ | eval collections_conf="
    2. Create New KV Stores (collections.conf)

    Configuration Steps:

    1. Add the collections.conf settings in the right column into the $SPLUNK_HOME/etc/apps/ms_windows_ad_objects/local/collections.conf file

    • Note: Click More Info for more information on creating a KV Store
    • Important Splunk Cloud Note: Splunk Web currently does not support the creation of KV Store collections. If you use Splunk Cloud you need to file a support ticket to add a unique KV Store collection to your Splunk deployment.
    ".mvjoin(collections_conf,"")."
    "\ | table collections_conf,transforms_conf,new_sched_searches,def_sched_searches iseval = 0 [ms_obj_kv_cfg_ppl_h] definition = eval user_mgt_srch="
    Migrate Users
    | inputlookup AD_Obj_User WHERE domain=\"".domain."\" \
    | eval _key=objectGUID.\"#\".DomainDNSName\
    | outputlookup ".user_lookup." append=true
    "\ | eval group_mgt_srch="
    Migrate Groups
    | inputlookup AD_Obj_Group WHERE domain=\"".domain."\" \
    | eval _key=objectGUID.\"#\".DomainDNSName\
    | outputlookup ".group_lookup." append=true
    "\ | eval computer_mgt_srch="
    Migrate Computers
    | inputlookup AD_Obj_Computer WHERE domain=\"".domain."\" \
    | eval _key=objectGUID.\"#\".DomainDNSName \
    | outputlookup ".computer_lookup." append=true
    "\ | eval user_bld_srch="
    Build Users
    `ms_obj_md_admon_bld_upd_out(\"".domain."\",\"".dc_val."\",user,User)`
    "\ | eval group_bld_srch="
    Build Groups
    `ms_obj_md_admon_bld_upd_out(\"".domain."\",\"".dc_val."\",group,Group)`
    "\ | eval computer_bld_srch="
    Build Computers
    `ms_obj_md_admon_bld_upd_out(\"".domain."\",\"".dc_val."\",computer,Computer)`
    "\ | eval migrate_tbl="".user_mgt_srch."".group_mgt_srch."".computer_mgt_srch."

    Domain ".domain." - Populate User, Groups and Computers from data from old lookup to new one.

    "\ | eval build_tbl="".user_bld_srch."".group_bld_srch."".computer_bld_srch."

    Domain ".domain." - Populate User, Groups and Computers New Lookups using admon data.

    "\ | stats values(migrate_tbl) AS migrate_tbl,values(build_tbl) AS build_tbl\ | eval populate_tbls="

    Populating Searches

    Choose one of the below options, Migrate Recommended Or Build to populate the new lookups with data.

    Make Sure all of the Configuration Steps have been completed before Saving

    Migrate Searches Recommended

    OR admon Build Searches

    ".mvjoin(migrate_tbl,"")."".mvjoin(build_tbl,"")."
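    "\ | table populate_tbls
    iseval = 0

    ## Builds the per-domain "Populate / Remove" guidance text shown on the KV
    ## store split-out panel, one block per piped-in domain row. Input fields
    ## read: domain, kv_suffix, user_lookup, group_lookup, computer_lookup,
    ## multi_lkps_enabled. Output: a single populate_tbls field.
    ## NOTE(review): the markup of the rendered panel appears stripped in this
    ## copy of the file; only its text content survives below.
    ## - The `rest` call lists the KV store lookup definitions in this app whose
    ##   title starts with AD_Obj_User/Group/Computer and turns them into an
    ##   anchored regex (kvstore_chk); kv_chk_* is "t" only when the per-domain
    ##   lookup name is one of those titles. `rest` runs with the searching
    ##   user's permissions, so a user who cannot read the lookup definitions is
    ##   presumably told the lookup "has not been created" even when it exists.
    ## - domain and the *_lookup names are concatenated straight into the
    ##   markup. If the consuming panel renders this unescaped, a value that
    ##   contains markup is rendered as-is -- confirm the dashboard escapes it.
    ## - The example "Use admon Data" searches pass "<domain>.local" as the
    ##   second argument of ms_obj_md_admon_bld_upd_out; that is only right for
    ##   domains whose DNS name is the NetBIOS name plus ".local". The
    ##   DomainDNSName already stored in the lookup rows looks like the safer
    ##   source -- TODO confirm what that argument is expected to be.
    ## - The step text names the target lookup AD_Obj_User_<kv_suffix> while
    ##   the example searches write to AD_Obj_User_<domain>; the two disagree
    ##   whenever kv_suffix differs from domain.
    ## - The example "Remove" searches rewrite the shared lookup in place
    ##   (outputlookup without append) using domain!=..., which in Splunk search
    ##   syntax also drops rows that have no domain value; NOT domain=... keeps
    ##   them. See ms_obj_kvs_split_rem for the macro form.
    ## - dis_def_srch_flg is computed but discarded by the following stats.
    [ms_obj_kv_cfg_ppl_rem_h]
    definition = eval link="link"\
    | join type=left link [| rest /servicesNS/-/-/data/transforms/lookups/\
    | search eai:acl.app="ms_windows_ad_objects" type=kvstore (title="AD_Obj_User*" OR title="AD_Obj_Group*" OR title="AD_Obj_Computer*")\
    | stats values(title) AS title\
    | eval kvstore_chk="(^".mvjoin(title,"$|^")."$)",link="link"\
    | table link,kvstore_chk]\
    | eval kv_chk_u=if(match(user_lookup,kvstore_chk),"t","f"),kv_chk_g=if(match(group_lookup,kvstore_chk),"t","f"),kv_chk_c=if(match(computer_lookup,kvstore_chk),"t","f")\
    | eval ppl_btn_h_u=if(kv_chk_u=="f","

    Warning: Populate Users Searches: Unavailable

    Warning: Lookup (".user_lookup.") has not been created.

    The KV Store Collection and Lookup Definition has to be created before you can migrate or add User Objects to it.

    ","
    Populate Users Searches: (Click Only 1)
    ... Please Wait.
    OR
    Remove Users Search:
    ... Please Wait.
    ")\ | eval ppl_btn_h_g=if(kv_chk_g=="f","

    Warning: Populate Groups Searches: Unavailable

    Warning: Lookup (".group_lookup.") has not been created.

    The KV Store Collection and Lookup Definition has to be created before you can migrate or add Group Objects to it.

    ","
    Populate Groups Searches: (Click Only 1)
    ... Please Wait.
    OR
    Remove Groups Search:
    Running... Please Wait.
    ")\ | eval ppl_btn_h_c=if(kv_chk_c=="f","

    Warning: Populate Computers Searches: Unavailable

    Warning: Lookup (".computer_lookup.") has not been created.

    The KV Store Collection and Lookup Definition has to be created before you can migrate or add Computer Objects to it.

    ","
    Populate Computer Searches: ( Click Only 1 )
    ... Please Wait.
    OR
    Remove Computers Search:
    Running... Please Wait.
    ")\ | eval dis_def_srch_flg=if(multi_lkps_enabled="f",1,0)\ | eval dom_srchs="\ ".ppl_btn_h_u."\ \ \ ".ppl_btn_h_g."\ \ \ ".ppl_btn_h_c."\ \

    Domain: ".domain."

    1. Click on ONE of the Populate User Searches options:
      • Migrate from default(Recommended): This search will copy the ".domain." Users values from the default AD_Obj_User lookup and paste them into the new AD_Obj_User_".kv_suffix." lookup.
      • OR Use admon Data: This search will search through the sourcetype=ActiveDirectory data to find the last admon sync time, admon admonEventType=\"Sync\", for user objects in the ".domain." domain. It then uses this data to populate the AD_Obj_User_".kv_suffix." lookup with the admon event data from that starting sync point till now.
    2. After the selected Populate User Search has completed, click the Remove User Search button to remove the ".domain." domain's User values from the default AD_Obj_User lookup.
    3. Repeat Steps 1 and 2 for Groups and Computers
    Click to View the Search Text:
    • Users:

      • Populate ".domain." Users:

        • Migrate from default - AD_Obj_User:
          • | inputlookup AD_Obj_User WHERE domain=\"".domain."\" \
            | eval _key=objectGUID.\"#\".DomainDNSName\
            | outputlookup AD_Obj_User_".domain." append=true
        • \
        • OR Use admon Data - Users:\
            \
          • `ms_obj_md_admon_bld_upd_out(\"".domain."\",\"".domain.".local\",user,User)`
          • \
          \
        • \
        \
      • \
      • Remove ".domain." Users from AD_Obj_User lookup:

        \
        | inputlookup AD_Obj_User WHERE domain!=\"".domain."\" \
        | eval _key=objectGUID.\"#\".DomainDNSName \
        | outputlookup AD_Obj_User
        \
      • \
      \
    • \
    • Groups:

      \
        \
      • Populate Groups:

        \
          \
        • Migrate from default - AD_Obj_Group: \
            \
          • | inputlookup AD_Obj_Group WHERE domain=\"".domain."\" \
            | eval _key=objectGUID.\"#\".DomainDNSName \
            | outputlookup AD_Obj_Group_".domain." append=true
          • \
          \
        • \
        • OR Use admon Data - Groups:\
            \
          • `ms_obj_md_admon_bld_upd_out(\"".domain."\",\"".domain.".local\",group,Group)`
          • \
          \
        • \
        \
      • \
      • Remove Groups from AD_Obj_Group lookup:

        \
        | inputlookup AD_Obj_Group WHERE domain!=\"".domain."\" \
        | eval _key=objectGUID.\"#\".DomainDNSName \
        | outputlookup AD_Obj_Group
        \
      • \
      \
    • \
    • Computers:

      \
        \
      • Populate Computers:

        \
          \
        • Migrate from default - AD_Obj_Computers: \
            \
          • | inputlookup AD_Obj_Computer WHERE domain=\"".domain."\" \
            | eval _key=objectGUID.\"#\".DomainDNSName \
            | outputlookup AD_Obj_Computer_".domain." append=true
          • \
          \
        • \
        • OR Use admon Data - Computers:\
            \
          • `ms_obj_md_admon_bld_upd_out(\"".domain."\",\"".domain.".local\",computer,Computer)`
          • \
          \
        • \
        \
      • \
      • Remove Computers from AD_Obj_Computer lookup:

        \
        | inputlookup AD_Obj_Computer WHERE domain!=\"".domain."\" \
        | eval _key=objectGUID.\"#\".DomainDNSName\
        | outputlookup AD_Obj_Computer
        \
      • \
      \
    • \
    \
    \
    \ \ "\ | stats values(dom_srchs) AS dom_srchs\ | eval populate_tbls="

    Make Sure all of the Configuration Steps have been completed before Saving

    \ \ \ \ ".mvjoin(dom_srchs,"")."

    Complete the following steps for each of the selected AD Domains.

    "\ | table populate_tbls
    iseval = 0

    ## Removes one domain's rows from a shared AD_Obj_* lookup after they have
    ## been copied to the per-domain lookup.
    ## Arguments: ppl_src = lookup name (becomes command syntax as-is),
    ##            ppl_dom = value of the domain field to drop (quoted literal).
    ## The lookup is rewritten in place (outputlookup without append=true):
    ## whatever the filter returns becomes the new content, and the removed
    ## rows are not backed up anywhere by this macro -- double-check ppl_dom.
    ## Fix: the filter was domain!="...", which in Splunk search syntax only
    ## matches rows that HAVE a domain value, so rows with a missing domain were
    ## silently dropped from the rewritten lookup as well. NOT domain="..."
    ## removes only the named domain and keeps everything else.
    [ms_obj_kvs_split_rem(2)]
    args = ppl_src,ppl_dom
    definition = inputlookup $ppl_src$ WHERE NOT domain="$ppl_dom$" \
    | eval _key=objectGUID."#".DomainDNSName \
    | outputlookup $ppl_src$
    iseval = 0

    ## Records the configuration-wizard state for app version 4.1.1 in
    ## AD_Obj_Config_State. Argument: cfg_st = state label (quoted literal).
    ## Existing rows are read back, the new (state, version, now()) row is
    ## appended, and the latest last_run per (state, version) is kept. _key is
    ## the version, so rows that share a version but differ in state collide on
    ## the same key; which one survives is up to outputlookup -- presumably only
    ## one state per version is intended. key_val is computed but discarded by
    ## the following table. The version string is hard-coded here.
    [ms_obj_config_st_upd(1)]
    args = cfg_st
    definition = inputlookup AD_Obj_Config_State\
    | eval key_val=_key\
    | append [\
    | makeresults\
    | eval version="4.1.1", state="$cfg_st$",last_run=now()\
    | table state,version,last_run]\
    | stats max(last_run) AS last_run by state,version\
    | table state,version,last_run\
    | eval _key=version\
    | outputlookup AD_Obj_Config_State
    iseval = 0

    ##============================================================##
    ##--- Raw Text and Search In Filters ---##
    ##============================================================##

    ## Builds a (f1="val" OR f2="val" ...) clause from a comma-separated field
    ## list (no spaces after the commas) and one value, returned in the `search`
    ## field so the macro can be used as a subsearch.
    ## SECURITY(review): both arguments are substituted textually into quoted
    ## string literals before the search is parsed. A `"` in pre_filt_val ends
    ## the literal early and whatever follows becomes search syntax, and
    ## wildcards (*) pass straight through. Restrict the dashboard token that
    ## feeds this, or add a `validation =` expression to this stanza that
    ## rejects quote characters.
    [ms_obj_ss_filt_pre_base(2)]
    args = pre_filt_val,pre_filt_fields
    definition = makeresults \
    | eval filt="$pre_filt_val$",filt_flds="$pre_filt_fields$"\
    | eval search="(".replace(filt_flds,",","=\"".filt."\" OR ")."=\"".filt."\")"\
    | table search
    iseval = 0

    ## Reads the rows of tgt_lookup for one domain that match the pre-filter
    ## built by ms_obj_ss_filt_pre_base and returns only out_fields.
    ## Same textual-substitution caveat as ms_obj_ss_filt_pre_base: tgt_lookup
    ## and out_fields become command syntax, tgt_domain a quoted literal.
    [ms_obj_ss_filt_pre_lkp(5)]
    args = tgt_lookup,tgt_domain,pre_filt_val,pre_filt_fields,out_fields
    definition = inputlookup $tgt_lookup$ WHERE domain="$tgt_domain$" AND [| `ms_obj_ss_filt_pre_base("$pre_filt_val$","$pre_filt_fields$")`]\
    | fields $out_fields$
    iseval = 0

    ## Turns the piped-in result count into dashboard flags; bypass_limit and
    ## max_limit are substituted as-is into the numeric comparisons.
    ## show_bypass_option and show_lg_message are the same expression. A count
    ## exactly equal to max_limit is outside the "large" range (count<max_limit)
    ## and outside the "too large" one (count>max_limit), so neither message is
    ## set for it -- confirm whether >= was intended on one side.
    [ms_obj_ss_filt_pre_cnt_chk(2)]
    args = bypass_limit,max_limit
    definition = stats count\
    | eval show_bypass_option=if(count>$bypass_limit$ AND count<$max_limit$,"true","false")\
    | eval show_lg_message=if(count>$bypass_limit$ AND count<$max_limit$,"true","false")\
    | eval show_too_lg_message=if(count>$max_limit$,"true","false")\
    | eval exec_srch_trigger=if(count>$bypass_limit$,"false","true")\
    | table count,show_bypass_option,show_lg_message,show_too_lg_message,exec_srch_trigger
    iseval = 0

    ## Reads the AD_Obj_<tgt_lookup> row with _key=tgt_key and passes it
    ## through the admin-info lookup macro.
    ## NOTE(review): ms_obj_md_admin_lkp_info takes a lookup name as its single
    ## argument, but it is called here with $filt_fields$ (a field list in the
    ## sibling macros) -- looks like an argument mix-up; confirm with the
    ## callers before relying on the output.
    [ms_obj_ss_filt_raw_txt_lkp_key(3)]
    args = tgt_lookup,tgt_key,filt_fields
    definition = inputlookup AD_Obj_$tgt_lookup$ WHERE _key="$tgt_key$"\
    | `ms_obj_md_admin_lkp_info($filt_fields$)`
    iseval = 0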
[ms_obj_ss_filt_link_lkp_key(4)] args = tgt_lookup,tgt_key,filt_fields,link_field definition = search $link_field$ IN([|inputlookup AD_Obj_$tgt_lookup$ WHERE _key="$tgt_key$"\ | `ms_obj_ss_filt_flds_in($filt_fields$)``]) iseval = 0 [ms_obj_ss_filt_raw_link(5)] args = tgt_lookup,tgt_domain,src_filt_val,tgt_filt_fields,filt_type definition = inputlookup $tgt_lookup$ WHERE domain="$tgt_domain$" AND [| `ms_obj_ss_filt_pre_base("$src_filt_val$","$tgt_filt_fields$")`]\ | fields $tgt_filt_fields$\ | eval filt_vals=mvappend($tgt_filt_fields$)\ | stats values(filt_vals) AS filt_vals\ | eval filt_vals=mvfilter(match(filt_vals,"^\S+"))\ | eval raw_txt_filt=if(mvcount(filt_vals)==1,"\"".filt_vals."\"","\"".mvjoin(filt_vals,"\" OR \"")."\"") \ | eval link_in_filt=if(mvcount(filt_vals)==1,"\"".filt_vals."\"",replace("\"".mvjoin(filt_vals,"\",\"")."\"","(^\"\",|,\"\"$)",""))\ | eval search=if("$filt_type$"=="raw_txt",raw_txt_filt,link_in_filt)\ | table search iseval = 0 [ms_obj_md_admin_lkp_info(1)] args = tgt_lkp definition = lookup $tgt_lkp$ sAMAccountName as src_user OUTPUT sAMAccountName as admin_user,domain as admin_domain,dn as admin_dn,dn_path as admin_dn_path,cn as admin_cn,objectGUID as admin_objectGUID,userPrincipalName AS admin_userPrincipalName iseval = 0 [ms_obj_ss_filt_raw_link(7)] args = pre_filt_val,pre_filt_fields,tgt_lookup,tgt_domain,src_filt_val,tgt_filt_fields,filt_type definition = inputlookup $tgt_lookup$ WHERE domain="$tgt_domain$" AND [| `ms_obj_ss_filt_pre_base("$pre_filt_val$","$pre_filt_fields$")`]\ | fields $tgt_filt_fields$\ | eval filt_vals=mvappend($tgt_filt_fields$)\ | stats values(filt_vals) AS filt_vals\ | eval filt_vals=mvfilter(match(filt_vals,"^\S+"))\ | eval raw_txt_filt=if(mvcount(filt_vals)==1,"\"".filt_vals."\"","\"".mvjoin(filt_vals,"\" OR \"")."\"") \ | eval link_in_filt=if(mvcount(filt_vals)==1,"\"".filt_vals."\"",replace("\"".mvjoin(filt_vals,"\",\"")."\"","(^\"\",|,\"\"$)",""))\ | eval 
search=if("$filt_type$"=="raw_txt",raw_txt_filt,link_in_filt)\ | table search iseval = 0 [ms_obj_ss_filt_flds_raw(1)] args = filt_fields definition = fields $filt_fields$\ | eval search=mvappend($filt_fields$)\ | stats values(search) AS search\ | eval search=mvfilter(match(search,"^\S"))\ | eval search=if(mvcount(search)==1,"\"".search."\"","\"".mvjoin(search,"\" OR \"")."\"") \ | table search iseval = 0 [ms_obj_ss_filt_flds_in(1)] args = filt_fields definition = fields $filt_fields$\ | eval search=mvappend($filt_fields$)\ | stats values(search) AS search\ | eval search=mvfilter(match(search,"^\S"))\ | eval search=if(mvcount(search)==1,"\"".search."\"","\"".mvjoin(search,"\",\"")."\"") \ | table search iseval = 0 [ms_ad_obj_lkp_filt_cnts(1)] args = sel_field definition = fields $sel_field$\ | eval $sel_field$=if(isnull($sel_field$) OR $sel_field$="","#Empty#",$sel_field$)\ | stats count by $sel_field$\ | sort -count\ | eval label=$sel_field$." (".count.")"\ | table $sel_field$,count,label iseval = 0 [ms_obj_fldsum_list] definition = fieldsummary\ | rex max_match=2 field=values "\{\"value\"\:\"(?[^\"]+)"\ | search count>0 Example_Values!=""\ | rename field as fldid\ | table fldid iseval = 0 ## Saving Main Configuration Wizard - Configured Values [ms_obj_cfg_gs_update(70)] args = 
form_tok_build_type,tok_h_load_details,tok_h_state_completed,tok_h_state_input_1,tok_h_state_input_10,tok_h_state_input_10_s,tok_h_state_input_11,tok_h_state_input_12,tok_h_state_input_2,tok_h_state_input_2_s,tok_h_state_input_3,tok_h_state_input_4,tok_h_state_input_4_s,tok_h_state_input_5,tok_h_state_input_6,tok_h_state_input_6_s,tok_h_state_input_7,tok_h_state_input_7_hold,tok_h_state_input_8,tok_h_state_input_8_hold,tok_h_state_input_9,tok_h_state_input_9_hold,tok_h_state_input_9_s,tok_inp_hold_diff_sys,tok_inp_splk_hf_label,tok_input_10_a_i,tok_input_10_b_i,tok_input_11_a_i,tok_input_11_b_i,tok_input_12_a_i,tok_input_12_b_i,tok_input_1_a_i,tok_input_1_b_i,tok_input_2_a_i,tok_input_2_b_i,tok_input_3_a_i,tok_input_3_b_i,tok_input_4_a_i,tok_input_4_b_i,tok_input_5_a_i,tok_input_5_b_i,tok_input_6_a_i,tok_input_6_b_i,tok_input_7_a_i,tok_input_7_b_i,tok_input_8_a_i,tok_input_8_b_i,tok_input_9_a_i,tok_input_9_b_i,tok_obj_depl_msg,tok_obj_dl_soft_uf,tok_obj_dl_ta_cc,tok_obj_env_type,tok_obj_env_type_arch,tok_obj_inp_core_ds_same,tok_obj_inp_ds_hf_same,tok_obj_inst_ds,tok_obj_inst_ds_wta,tok_obj_inst_hf,tok_obj_inst_hf_cc,tok_obj_inst_hf_wta,tok_obj_inst_uf,tok_obj_inst_uf_wta,tok_obj_upg_app,tok_obj_use_ds,tok_obj_use_hf,tok_state_completed,tok_state_lbl,tok_macro_base_url,last_config definition = makeresults\ | fields 
form_tok_build_type,tok_h_load_details,tok_h_state_completed,tok_h_state_input_1,tok_h_state_input_10,tok_h_state_input_10_s,tok_h_state_input_11,tok_h_state_input_12,tok_h_state_input_2,tok_h_state_input_2_s,tok_h_state_input_3,tok_h_state_input_4,tok_h_state_input_4_s,tok_h_state_input_5,tok_h_state_input_6,tok_h_state_input_6_s,tok_h_state_input_7,tok_h_state_input_7_hold,tok_h_state_input_8,tok_h_state_input_8_hold,tok_h_state_input_9,tok_h_state_input_9_hold,tok_h_state_input_9_s,tok_inp_hold_diff_sys,tok_inp_splk_hf_label,tok_input_10_a_i,tok_input_10_b_i,tok_input_11_a_i,tok_input_11_b_i,tok_input_12_a_i,tok_input_12_b_i,tok_input_1_a_i,tok_input_1_b_i,tok_input_2_a_i,tok_input_2_b_i,tok_input_3_a_i,tok_input_3_b_i,tok_input_4_a_i,tok_input_4_b_i,tok_input_5_a_i,tok_input_5_b_i,tok_input_6_a_i,tok_input_6_b_i,tok_input_7_a_i,tok_input_7_b_i,tok_input_8_a_i,tok_input_8_b_i,tok_input_9_a_i,tok_input_9_b_i,tok_t_nav_1_btn_next_st,tok_obj_depl_msg,tok_obj_dl_soft_uf,tok_obj_dl_ta_cc,tok_obj_env_type,tok_obj_env_type_arch,tok_obj_inp_core_ds_same,tok_obj_inp_ds_hf_same,tok_obj_inst_ds,tok_obj_inst_ds_wta,tok_obj_inst_hf,tok_obj_inst_hf_cc,tok_obj_inst_hf_wta,tok_obj_inst_uf,tok_obj_inst_uf_wta,tok_obj_upg_app,tok_obj_use_ds,tok_obj_use_hf,tok_state_completed,tok_state_lbl\ | eval form_tok_build_type="$form_tok_build_type$"\ | eval tok_h_load_details="$tok_h_load_details$"\ | eval tok_h_state_completed="$tok_h_state_completed$"\ | eval tok_h_state_input_10="$tok_h_state_input_10$"\ | eval tok_h_state_input_10_s="$tok_h_state_input_10_s$"\ | eval tok_h_state_input_11="$tok_h_state_input_11$"\ | eval tok_h_state_input_12="$tok_h_state_input_12$"\ | eval tok_h_state_input_1="$tok_h_state_input_1$"\ | eval tok_h_state_input_2="$tok_h_state_input_2$"\ | eval tok_h_state_input_2_s="$tok_h_state_input_2_s$"\ | eval tok_h_state_input_3="$tok_h_state_input_3$"\ | eval tok_h_state_input_4="$tok_h_state_input_4$"\ | eval tok_h_state_input_4_s="$tok_h_state_input_4_s$"\ | 
eval tok_h_state_input_5="$tok_h_state_input_5$"\ | eval tok_h_state_input_6="$tok_h_state_input_6$"\ | eval tok_h_state_input_6_s="$tok_h_state_input_6_s$"\ | eval tok_h_state_input_7="$tok_h_state_input_7$"\ | eval tok_h_state_input_7_hold="$tok_h_state_input_7_hold$"\ | eval tok_h_state_input_8="$tok_h_state_input_8$"\ | eval tok_h_state_input_8_hold="$tok_h_state_input_8_hold$"\ | eval tok_h_state_input_9="$tok_h_state_input_9$"\ | eval tok_h_state_input_9_hold="$tok_h_state_input_9_hold$"\ | eval tok_h_state_input_9_s="$tok_h_state_input_9_s$"\ | eval tok_inp_hold_diff_sys="$tok_inp_hold_diff_sys$"\ | eval tok_inp_splk_hf_label="$tok_inp_splk_hf_label$"\ | eval tok_input_10_a_i="$tok_input_10_a_i$"\ | eval tok_input_10_b_i="$tok_input_10_b_i$"\ | eval tok_input_11_a_i="$tok_input_11_a_i$"\ | eval tok_input_11_b_i="$tok_input_11_b_i$"\ | eval tok_input_12_a_i="$tok_input_12_a_i$"\ | eval tok_input_12_b_i="$tok_input_12_b_i$"\ | eval tok_input_1_a_i="$tok_input_1_a_i$"\ | eval tok_input_1_b_i="$tok_input_1_b_i$"\ | eval tok_input_2_a_i="$tok_input_2_a_i$"\ | eval tok_input_2_b_i="$tok_input_2_b_i$"\ | eval tok_input_3_a_i="$tok_input_3_a_i$"\ | eval tok_input_3_b_i="$tok_input_3_b_i$"\ | eval tok_input_4_a_i="$tok_input_4_a_i$"\ | eval tok_input_4_b_i="$tok_input_4_b_i$"\ | eval tok_input_5_a_i="$tok_input_5_a_i$"\ | eval tok_input_5_b_i="$tok_input_5_b_i$"\ | eval tok_input_6_a_i="$tok_input_6_a_i$"\ | eval tok_input_6_b_i="$tok_input_6_b_i$"\ | eval tok_input_7_a_i="$tok_input_7_a_i$"\ | eval tok_input_7_b_i="$tok_input_7_b_i$"\ | eval tok_input_8_a_i="$tok_input_8_a_i$"\ | eval tok_input_8_b_i="$tok_input_8_b_i$"\ | eval tok_input_9_a_i="$tok_input_9_a_i$"\ | eval tok_input_9_b_i="$tok_input_9_b_i$"\ | eval tok_obj_depl_msg="$tok_obj_depl_msg$"\ | eval tok_obj_dl_soft_uf="$tok_obj_dl_soft_uf$"\ | eval tok_obj_dl_ta_cc="$tok_obj_dl_ta_cc$"\ | eval tok_obj_env_type="$tok_obj_env_type$"\ | eval tok_obj_env_type_arch="$tok_obj_env_type_arch$"\ | eval 
tok_obj_inp_core_ds_same="$tok_obj_inp_core_ds_same$"\ | eval tok_obj_inp_ds_hf_same="$tok_obj_inp_ds_hf_same$"\ | eval tok_obj_inst_ds="$tok_obj_inst_ds$"\ | eval tok_obj_inst_ds_wta="$tok_obj_inst_ds_wta$"\ | eval tok_obj_inst_hf="$tok_obj_inst_hf$"\ | eval tok_obj_inst_hf_cc="$tok_obj_inst_hf_cc$"\ | eval tok_obj_inst_hf_wta="$tok_obj_inst_hf_wta$"\ | eval tok_obj_inst_uf="$tok_obj_inst_uf$"\ | eval tok_obj_inst_uf_wta="$tok_obj_inst_uf_wta$"\ | eval tok_obj_upg_app="$tok_obj_upg_app$"\ | eval tok_obj_use_ds="$tok_obj_use_ds$"\ | eval tok_obj_use_hf="$tok_obj_use_hf$"\ | eval tok_state_completed="$tok_state_completed$"\ | eval tok_state_lbl="$tok_state_lbl$"\ | eval tok_t_nav_1_btn_next_st=if(tok_state_lbl=="Completed","enabled","disabled")\ | eval tok_auto_chk_lbl="Defined Scope"\ | eval tok_state_lbl_icon=if(tok_state_lbl=="Completed","check","clock")\ | eval tok_state_lbl_color=if(tok_state_lbl=="Completed","#49B849","#F1813F")\ | eval tok_macro_base_url="$tok_macro_base_url$"\ | eval last_config="$last_config$"\ | fillnull value="Skip" tok_h_state_input_1,tok_h_state_input_10,tok_h_state_input_10_s,tok_h_state_input_11,tok_h_state_input_12,tok_h_state_input_2,tok_h_state_input_2_s,tok_h_state_input_3,tok_h_state_input_4,tok_h_state_input_4_s,tok_h_state_input_5,tok_h_state_input_6,tok_h_state_input_6_s,tok_h_state_input_7,tok_h_state_input_7_hold,tok_h_state_input_8,tok_h_state_input_8_hold,tok_h_state_input_9,tok_h_state_input_9_hold,tok_h_state_input_9_s,last_config\ | table 
form_tok_build_type,tok_h_load_details,tok_h_state_completed,tok_h_state_input_1,tok_h_state_input_10,tok_h_state_input_10_s,tok_h_state_input_11,tok_h_state_input_12,tok_h_state_input_2,tok_h_state_input_2_s,tok_h_state_input_3,tok_h_state_input_4,tok_h_state_input_4_s,tok_h_state_input_5,tok_h_state_input_6,tok_h_state_input_6_s,tok_h_state_input_7,tok_h_state_input_7_hold,tok_h_state_input_8,tok_h_state_input_8_hold,tok_h_state_input_9,tok_h_state_input_9_hold,tok_h_state_input_9_s,tok_inp_hold_diff_sys,tok_inp_splk_hf_label,tok_input_10_a_i,tok_input_10_b_i,tok_input_11_a_i,tok_input_11_b_i,tok_input_12_a_i,tok_input_12_b_i,tok_input_1_a_i,tok_input_1_b_i,tok_input_2_a_i,tok_input_2_b_i,tok_input_3_a_i,tok_input_3_b_i,tok_input_4_a_i,tok_input_4_b_i,tok_input_5_a_i,tok_input_5_b_i,tok_input_6_a_i,tok_input_6_b_i,tok_input_7_a_i,tok_input_7_b_i,tok_input_8_a_i,tok_input_8_b_i,tok_input_9_a_i,tok_input_9_b_i,tok_t_nav_1_btn_next_st,tok_obj_depl_msg,tok_obj_dl_soft_uf,tok_obj_dl_ta_cc,tok_obj_env_type,tok_obj_env_type_arch,tok_obj_inp_core_ds_same,tok_obj_inp_ds_hf_same,tok_obj_inst_ds,tok_obj_inst_ds_wta,tok_obj_inst_hf,tok_obj_inst_hf_cc,tok_obj_inst_hf_wta,tok_obj_inst_uf,tok_obj_inst_uf_wta,tok_obj_upg_app,tok_obj_use_ds,tok_obj_use_hf,tok_state_completed,tok_state_lbl,tok_auto_chk_lbl,tok_state_lbl_icon,tok_state_lbl_color,tok_macro_base_url,last_config\ | outputlookup ms_ad_obj_cfg_gs iseval = 0 [ms_obj_cfg_gs_reset] definition = makeresults\ | eval tok_h_load_details="Pending Scope 
Definition:",tok_obj_inst_ds_wta="obj_inst_ds_wta_n",form_tok_build_type="build_all",tok_dom_health_trigger="0",tok_dom_lkup_trigger="0",tok_ad_sync_trigger="0",tok_state_lbl="Pending",tok_state_completed="Pending",tok_h_state_completed="pending",tok_h_state_input_1="Next",tok_h_state_input_2="Pending",tok_h_state_input_2_s="Pending",tok_h_state_input_3="Skip",tok_h_state_input_4="Pending",tok_h_state_input_4_s="Pending",tok_h_state_input_5="Skip",tok_h_state_input_6="Pending",tok_h_state_input_6_s="Pending",tok_h_state_input_7="Skip",tok_h_state_input_7_hold="Skip",tok_h_state_input_8="Skip",tok_h_state_input_8_hold="Skip",tok_h_state_input_9="Skip",tok_h_state_input_9_s="Skip",tok_h_state_input_9_hold="Skip",tok_h_state_input_10="Pending",tok_h_state_input_10_s="Pending",tok_h_state_input_11="Skip",tok_h_state_input_12="Skip",ms_ad_obj_ta_ex="ms_ad_obj_ta_ex_y",tok_obj_inst_core_ta_wta="obj_inst_core_ta_wta_y",tok_chk_auto_create_idx="chk_auto_create_idx_y",tok_obj_inst_ds_cc="obj_inst_ds_cc_y",tok_obj_inst_hf_cc="obj_inst_ds_hf_y",tok_inp_hold_diff_sys="",tok_inp_splk_hf_label="Heavy/Gateway",tok_auto_chk_lbl="Defined Scope",tok_input_10_a_i="",tok_input_10_b_i="",tok_input_11_a_i="",tok_input_11_b_i="",tok_input_12_a_i="",tok_input_12_b_i="",tok_input_1_a_i="",tok_input_1_b_i="",tok_input_2_a_i="",tok_input_2_b_i="",tok_input_3_a_i="",tok_input_3_b_i="",tok_input_4_a_i="",tok_input_4_b_i="",tok_input_5_a_i="",tok_input_5_b_i="",tok_input_6_a_i="",tok_input_6_b_i="",tok_input_7_a_i="",tok_input_7_b_i="",tok_input_8_a_i="",tok_input_8_b_i="",tok_input_9_a_i="",tok_input_9_b_i="",tok_t_nav_1_btn_next_st="disabled",tok_auto_chk_lbl="Pending Scope 
Selections",tok_obj_depl_msg="empty",tok_obj_dl_soft_uf="",tok_obj_dl_ta_cc="",tok_obj_env_type="",tok_obj_env_type_arch="",tok_obj_inp_core_ds_same="",tok_obj_inp_ds_hf_same="",tok_obj_inst_ds="",tok_obj_inst_ds_wta="",tok_obj_inst_hf="",tok_obj_inst_hf_cc="",tok_obj_inst_hf_wta="",tok_obj_inst_uf="",tok_obj_inst_uf_wta="",tok_obj_upg_app="",tok_obj_use_ds="",tok_obj_use_hf="",tok_state_lbl_icon="clock",tok_state_lbl_color="#F1813F",tok_macro_base_url="/manager/ms_windows_ad_objects/admin/macros",last_config="Skip"\ | table form_tok_build_type,tok_h_load_details,tok_h_state_completed,tok_h_state_input_1,tok_h_state_input_10,tok_h_state_input_10_s,tok_h_state_input_11,tok_h_state_input_12,tok_h_state_input_2,tok_h_state_input_2_s,tok_h_state_input_3,tok_h_state_input_4,tok_h_state_input_4_s,tok_h_state_input_5,tok_h_state_input_6,tok_h_state_input_6_s,tok_h_state_input_7,tok_h_state_input_7_hold,tok_h_state_input_8,tok_h_state_input_8_hold,tok_h_state_input_9,tok_h_state_input_9_hold,tok_h_state_input_9_s,tok_inp_hold_diff_sys,tok_inp_splk_hf_label,tok_input_10_a_i,tok_input_10_b_i,tok_input_11_a_i,tok_input_11_b_i,tok_input_12_a_i,tok_input_12_b_i,tok_input_1_a_i,tok_input_1_b_i,tok_input_2_a_i,tok_input_2_b_i,tok_input_3_a_i,tok_input_3_b_i,tok_input_4_a_i,tok_input_4_b_i,tok_input_5_a_i,tok_input_5_b_i,tok_input_6_a_i,tok_input_6_b_i,tok_input_7_a_i,tok_input_7_b_i,tok_input_8_a_i,tok_input_8_b_i,tok_input_9_a_i,tok_input_9_b_i,tok_t_nav_1_btn_next_st,tok_obj_depl_msg,tok_obj_dl_soft_uf,tok_obj_dl_ta_cc,tok_obj_env_type,tok_obj_env_type_arch,tok_obj_inp_core_ds_same,tok_obj_inp_ds_hf_same,tok_obj_inst_ds,tok_obj_inst_ds_wta,tok_obj_inst_hf,tok_obj_inst_hf_cc,tok_obj_inst_hf_wta,tok_obj_inst_uf,tok_obj_inst_uf_wta,tok_obj_upg_app,tok_obj_use_ds,tok_obj_use_hf,tok_state_completed,tok_state_lbl,tok_auto_chk_lbl,tok_state_lbl_icon,tok_state_lbl_color,tok_macro_base_url,last_config\ | outputlookup ms_ad_obj_cfg_gs iseval = 0