[AD Objects - Windows Performance - Process CPU] action.email.useNSSubject = 1 dispatch.earliest_time = -15m dispatch.latest_time = now display.general.type = visualizations display.page.search.mode = verbose display.page.search.tab = visualizations display.statistics.show = 0 display.visualizations.charting.axisTitleX.visibility = collapsed display.visualizations.charting.axisY.maximumNumber = 100 display.visualizations.charting.chart.showDataLabels = all display.visualizations.charting.chart.stackMode = stacked request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms__obj_win_perfmon_index` object="Process" counter="% Processor Time" instance!="_Total" instance!="Idle"\ | fields _time,host,object,counter,instance,Value\ | eventstats sum(Value) AS Total_Host_Value by host,_time\ | eventstats avg(Value) AS Avg_Process_Value,sum(Value) AS Process_Value by _time,host,instance\ | eval True_Process_Percent=(Process_Value/Total_Host_Value)*100\ | eventstats sum(True_Process_Percent) AS Total_Host_Percent by _time\ | eval True_Process_Percent=round(True_Process_Percent,2),True_Percent_Total=round(True_Percent_Total,2),Avg_Process_Value=round(Avg_Process_Value,2),Total_Host_Value=round(Total_Host_Value,2),Process_Value=round(Process_Value,2),Total_Host_Percent=round(Total_Host_Percent,2)\ | rename instance AS Process\ | table _time,host,counter,Process,Total_Host_Percent,Total_Host_Value,True_Process_Percent,Process_Value,,Avg_Process_Value\ | chart span=1m avg(True_Process_Percent) AS Process_Percent over _time by Process\ | sort -_time [AD Objects - Windows Performance - Procces Threads] action.email.useNSSubject = 1 dispatch.earliest_time = -60m@m dispatch.latest_time = now display.events.fields = ["host","source","sourcetype","primaryGroupToken"] display.general.type = visualizations display.page.search.mode = verbose display.page.search.tab = visualizations display.statistics.show = 0 
display.visualizations.charting.axisY2.enabled = 1 display.visualizations.charting.chart.stackMode = stacked request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms__obj_win_perfmon_index` (host="*") instance!="idle" ((counter="% Processor Time" instance!="_Total") OR counter="Thread Count")\ | fields _time,host,counter,instance,Value\ | eval threads=if(counter="Thread Count", Value,NULL),proc_time=if(counter="% Processor Time",Value,NULL)\ | table _time,host,counter,instance,threads,proc_time\ | timechart dc(instance) AS Process_Count,avg(proc_time) AS Avg_CPU_Time,max(threads) AS Avg_Threads by host [AD Objects - Audit - Modified - Computers] action.email.useNSSubject = 1 dispatch.earliest_time = -24h@h dispatch.latest_time = now display.general.type = statistics display.page.search.tab = statistics display.visualizations.charting.chart.showDataLabels = all display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms_obj_changes_base_cat_act("Computer","modified")`\ | fields _time, src_user, user, comp_obj_dn, comp_obj_sam,msad_action, MSADChanges, dest_nt_domain, signature, MSADChangedAttributes,AttributeLDAPDisplayName,AttributeValue,DN,dir_svcs_action\ | eval adminuser=if(isnull(src_nt_domain),src_user,upper(src_nt_domain)."\\".src_user)\ | `ms_obj_computer_change_out`\ | rename adminuser as "Admin User",user as "Target Computer",msad_action as "Action",dest_user_subject as "Target Computer ID",MSADChanges as "Changes" [AD Objects - Audit - Modified - Users] action.email.useNSSubject = 1 dispatch.earliest_time = -24h@h display.general.type = statistics display.page.search.tab = statistics display.visualizations.charting.chart.showDataLabels = all display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms_obj_changes_base_cat_act("User","modified")`\ | fields 
_time,user,src_user,src_nt_domain,dest_nt_domain,user_obj_guid,user_type,msad_action,signature,Correlation_ID,MSADChangedAttributes,AttributeLDAPDisplayName,AttributeValue,DN,dir_svcs_action,user_obj_dn,Old_DN,New_DN\ | `ms_obj_user_change_out`\ | table _time,adminuser,msad_action,user,dest_user_subject,Correlation_IDs,MSADChanges\ | makemv delim="########" MSADChanges\ | rename adminuser as "Administrator",msad_action as "Action",dest_user_subject as "Target User ID",MSADChanges as "Changes" [AD Objects - Audit - Changes - Group All] action.email.useNSSubject = 1 dispatch.earliest_time = 0 display.general.type = statistics display.page.search.tab = statistics display.visualizations.charting.chart.showDataLabels = all display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms_obj_changes_base_cat("Group*")`\ | fields _time,_raw,member_obj_dn,member_obj_id,member_obj_domain,member_obj_class,src_user,src_nt_domain,group_obj_id,Group_Name,group_obj_nm,user_group,msad_action,MSADGroupClassID,MSADGroupType,MSADGroupClass,signature,Correlation_ID,MSADChangedAttributes,AttributeLDAPDisplayName,AttributeValue,DN,dir_svcs_action,Old_DN,New_DN\ | `ms_obj_group_change_out`\ | rename adminuser as "Administrator",msad_action as "Action",group_obj_nm as "Target_Group",MSADGroupType as "Target Group Type",MSADGroupClass AS "Target Group Class",member AS "Target Member",MSADChanges as "Changes" [AD Objects - Audit - Changes - Group Membership Add] action.email.useNSSubject = 1 dispatch.earliest_time = 0 display.general.type = statistics display.page.search.tab = statistics display.visualizations.charting.chart.showDataLabels = all display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms_obj_changes_base_cat_act("Group Membership","added")`\ | fields 
_time,_raw,member_obj_dn,member_obj_id,member_obj_domain,member_obj_class,src_user,src_nt_domain,group_obj_id,Group_Name,group_obj_nm,user_group,msad_action,MSADGroupClassID,MSADGroupType,MSADGroupClass,signature,Correlation_ID,MSADChangedAttributes,AttributeLDAPDisplayName,AttributeValue,DN,dir_svcs_action,Old_DN,New_DN\ | `ms_obj_group_change_out`\ | rename adminuser as "Administrator",msad_action as "Action",group_obj_nm as "Target_Group",MSADGroupType as "Target Group Type",MSADGroupClass AS "Target Group Class",member AS "Target Member",MSADChanges as "Changes" [AD Objects - Audit - Changes - Group Membership Remove] action.email.useNSSubject = 1 alert.track = 0 dispatch.earliest_time = -30d@d dispatch.latest_time = now display.general.type = statistics display.page.search.mode = verbose display.page.search.tab = statistics display.visualizations.charting.chart.showDataLabels = all display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms_obj_changes_base_cat_act("Group Membership","removed")`\ | fields _time,_raw,member_obj_dn,member_obj_id,member_obj_domain,member_obj_class,src_user,src_nt_domain,group_obj_id,Group_Name,group_obj_nm,user_group,msad_action,MSADGroupClassID,MSADGroupType,MSADGroupClass,signature,Correlation_ID,MSADChangedAttributes,AttributeLDAPDisplayName,AttributeValue,DN,dir_svcs_action,Old_DN,New_DN\ | `ms_obj_group_change_out`\ | rename adminuser as "Administrator",msad_action as "Action",group_obj_nm as "Target_Group",MSADGroupType as "Target Group Type",MSADGroupClass AS "Target Group Class",member AS "Target Member",MSADChanges as "Changes" ## Group Membership ## [AD Objects - Membership - All] action.email.useNSSubject = 1 alert.track = 0 dispatch.earliest_time = -24h@h dispatch.latest_time = now display.general.type = statistics display.page.search.tab = statistics display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects 
request.ui_dispatch_view = search search = | inputlookup AD_Obj_Group WHERE member!=""\ | fields cn,displayName,distinguishedName,member,objectGUID\ | eval group_displayName=if(displayName="",cn,displayName)\ | makemv delim="####" member\ | rename cn AS group_cn,distinguishedName AS group_dn,objectGUID AS group_obj\ | stats values(cn) AS group_cn,values(group_displayName) AS group_displayName by member,group_dn,group_obj\ | join type=left member [ |inputlookup AD_Obj_User | fields distinguishedName,objectGUID,sAMAccountName,cn,objectClass,userPrincipalName| rename userPrincipalName AS member_email,objectClass AS member_class,distinguishedName AS member,objectGUID as member_obj,sAMAccountName AS member_user,cn AS member_cn | table member,member_obj,member_user,member_cn,member_class,member_email]\ | join type=left member [ |inputlookup AD_Obj_Computer | fields distinguishedName,objectGUID,sAMAccountName,cn,objectClass,userPrincipalName| rename userPrincipalName AS member_email,objectClass AS member_class,distinguishedName AS member,objectGUID as member_obj,sAMAccountName AS member_user,cn AS member_cn | table member,member_obj,member_user,member_cn,member_class,member_email]\ | join type=left member [ |inputlookup AD_Obj_Group | fields distinguishedName,objectGUID,sAMAccountName,cn,objectClass,userPrincipalName| rename userPrincipalName AS member_email,objectClass AS member_class,distinguishedName AS member,objectGUID as member_obj,sAMAccountName AS member_user,cn AS member_cn | table member,member_obj,member_user,member_cn,member_class,member_email] [AD Objects - Membership - User] action.email.useNSSubject = 1 dispatch.earliest_time = -24h@h dispatch.latest_time = now display.general.type = statistics display.page.search.tab = statistics display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search alert.track = 0 search = | inputlookup AD_Obj_User\ | lookup AD_Obj_Group member AS distinguishedName OUTPUT cn AS 
Group,distinguishedName AS Group_dn\ | lookup AD_Obj_Group primaryGroupToken AS primaryGroupID OUTPUT cn AS PrimaryGroup,distinguishedName AS PrimaryGroup_dn\ | eval Group=mvappend(Group,PrimaryGroup),Group_dn=mvappend(Group_dn,PrimaryGroup_dn)\ | table cn,sAMAccountName,userPrincipalName,distinguishedName,Group,Group_dn [AD Objects - Membership - Computer] action.email.useNSSubject = 1 dispatch.earliest_time = -24h@h dispatch.latest_time = now display.general.type = statistics display.page.search.tab = statistics display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = | inputlookup AD_Obj_Computer\ | lookup AD_Obj_Group member AS distinguishedName OUTPUT cn AS Group,distinguishedName AS Group_dn\ | lookup AD_Obj_Group primaryGroupToken AS primaryGroupID OUTPUT cn AS PrimaryGroup,distinguishedName AS PrimaryGroup_dn\ | eval Group=mvappend(Group,PrimaryGroup),Group_dn=mvappend(Group_dn,PrimaryGroup_dn)\ | table cn,sAMAccountName,userPrincipalName,distinguishedName,Group,Group_dn [AD Objects - Membership - Group] action.email.useNSSubject = 1 dispatch.earliest_time = -24h@h dispatch.latest_time = now display.general.type = statistics display.page.search.tab = statistics display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = | inputlookup AD_Obj_Group\ | lookup AD_Obj_Group member AS distinguishedName OUTPUT cn AS Group,distinguishedName AS Group_dn\ | lookup AD_Obj_Group primaryGroupToken AS primaryGroupID OUTPUT cn AS PrimaryGroup,distinguishedName AS PrimaryGroup_dn\ | eval Group=mvappend(Group,PrimaryGroup),Group_dn=mvappend(Group_dn,PrimaryGroup_dn)\ | table cn,sAMAccountName,userPrincipalName,distinguishedName,Group,Group_dn\ | search Group!="" [AD Objects - Membership - Individual Group] action.email.useNSSubject = 1 dispatch.earliest_time = -24h@h dispatch.latest_time = now display.general.type = statistics 
display.page.search.tab = statistics display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = | inputlookup AD_Obj_Group\ | lookup AD_Obj_User distinguishedName AS member OUTPUT userPrincipalName AS Member_User_email,sAMAccountName AS Member_User_ID,cn AS Member_User_cn,distinguishedName AS Member_User_dn,objectClass AS Member_User_class\ | lookup AD_Obj_User primaryGroupID AS primaryGroupToken OUTPUT userPrincipalName AS Member_User_email_pg,sAMAccountName AS Member_User_ID_pg,cn AS Member_User_cn,distinguishedName AS Member_User_dn_pg,objectClass AS Member_User_class_pg\ | lookup AD_Obj_Group distinguishedName AS member OUTPUT sAMAccountName AS Member_Group_ID,cn AS Member_Group_cn,distinguishedName AS Member_Group_dn,objectClass AS Member_Group_class\ | lookup AD_Obj_Computer distinguishedName AS member OUTPUT sAMAccountName AS Member_Computer_ID,cn AS Member_Computer_cn,distinguishedName AS Member_Computer_dn,objectClass AS Member_Computer_class\ | lookup AD_Obj_Computer primaryGroupID AS primaryGroupToken OUTPUT sAMAccountName AS Member_Computer_ID_pg,cn AS Member_Computer_cn_pg,distinguishedName AS Member_Computer_dn_pg,objectClass AS Member_Computer_class_pg\ | eval Group=if(displayName="",cn,displayName)\ | eval Member_User_emai=if(Member_User_email_pg="",Member_User_email,mvappend(Member_User_email,Member_User_email_pg)),Member_User_ID=if(Member_User_ID_pg="",Member_User_ID,mvappend(Member_User_ID,Member_User_ID_pg)),Member_User_cn=if(Member_User_cn_pg="",Member_User_cn,mvappend(Member_User_cn,Member_User_cn_pg)),Member_User_dn=if(Member_User_dn_pg="",Member_User_dn,mvappend(Member_User_dn,Member_User_dn_pg)),Member_User_class=if(Member_User_class_pg="",Member_User_class,mvappend(Member_User_class,Member_User_class_pg))\ | eval 
Member_Computer_ID=if(Member_Computer_ID_pg="",Member_Computer_ID,mvappend(Member_Computer_ID,Member_Computer_ID_pg)),Member_Computer_cn=if(Member_Computer_cn_pg="",Member_User_cn,mvappend(Member_Computer_cn,Member_Computer_cn_pg)),Member_Computer_dn=if(Member_Computer_dn_pg="",Member_Computer_dn,mvappend(Member_Computer_dn,Member_User_dn_pg)),Member_Computer_class=if(Member_Computer_class_pg="",Member_Computer_class,mvappend(Member_Computer_class,Member_Computer_class_pg))\ | table Group,sAMAccountName,distinguishedName,member,Group,Member_User_cn,Member_User_ID,Member_User_dn,Member_User_class,Member_Computer_cn,Member_Computer_ID,Member_Computer_dn,Member_Computer_class,Member_Group_cn,Member_Group_ID,Member_Group_class\ | rename sAMAccountName AS Group_ID, distinguishedName AS Group_dn,member AS Current_Members [temp_build_inputs_lookup] action.email.useNSSubject = 1 dispatch.earliest_time = 0 display.general.type = statistics display.page.search.mode = verbose display.page.search.tab = statistics display.visualizations.charting.chart = bar display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = index=temp | rex "(?msi)(?:\[)(?[^\]]+)\](\r|\n)(?.*)(\r|\n|$)"\ | rex "(?msi)(?:##Header##) (?[^(\r|\n|#)]+)"\ | rex "(?msi)(?:##SubHeader(##\s|\s+))(?[^(\r|\n|#)]+)"\ | eval input_setting=replace(input_setting_ex,"(\r|\n)","#DIV#")\ | makemv delim="#DIV#" input_setting_ex\ | rex field=input_stanza "^(?[^(\:|\/)]+)"\ | eval input_type=if(input_type=="Splunk 5.0+ Performance Counters ","Performance Counters",if(input_stanza=="script://.\bin\win_timesync_status.bat","TimeSync Status Script",input_type))\ | eval input_description=if(isnull(input_sub_type),input_stanza_type." - ".input_type,input_stanza_type." - ".input_type." 
- ".input_sub_type)\ | mvexpand input_setting_ex\ | search input_setting_ex!="##*"\ | rex field=input_setting_ex "^(?[^\=]+)\=(?[^$]+)"\ | eval input_key=trim(input_key),input_value=trim(input_value)\ | eval recommended_value=input_value,can_edit="false",win_vers_filt="",target_group="AD/DNS or Base Windows",special_config_notes=""\ | table input_stanza_type,input_stanza,input_description,input_key,input_value,input_setting_ex,recommended_value,can_edit,win_vers_filt,target_group,special_config_notes\ | outputlookup ms_ad_obj_inputs_vals.csv [AD Objects - File ACL - Full List] action.email.useNSSubject = 1 dispatch.earliest_time = -24h@h dispatch.latest_time = now display.general.type = statistics display.page.search.mode = verbose display.page.search.tab = statistics display.visualizations.charting.chart = bar display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms__obj_win_api_index` sourcetype="WinDirAcl"\ | rex max_match=0 "(?:\[)(?[^\]]+)"\ | mvexpand object_acls\ | rex "IdentityReference\"\:\"(?[^\"]+)\"\,\"FileSystemRights\"\:\"(?[^\"]+)\"\,\"AccessControlType\"\:\"(?[^\"]+)\"\,\"IsInherited\"\:\"(?[^\"]+)\"\,\"InheritanceFlags\"\:\"(?[^\"]+)\"\,\"PropagationFlags\"\:\"(?[^\"]+)"\ | table object_path,object_last_mod_time,object_size,object_dir_cnt,object_file_cnt,object_acls,IdentityReference,FileSystemRights,AccessControlType,IsInherited,InheritanceFlags,PropagationFlags [AD Objects - File ACL - Summary] action.email.useNSSubject = 1 dispatch.earliest_time = -24h@h dispatch.latest_time = now display.general.type = statistics display.page.search.mode = verbose display.page.search.tab = statistics display.visualizations.charting.chart = bar display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms__obj_win_api_index` sourcetype="WinDirAcl"\ | rex max_match=0 "(?:\[)(?[^\]]+)"\ | mvexpand object_acls\ | rex 
"IdentityReference\"\:\"(?[^\"]+)\"\,\"FileSystemRights\"\:\"(?[^\"]+)\"\,\"AccessControlType\"\:\"(?[^\"]+)\"\,\"IsInherited\"\:\"(?[^\"]+)\"\,\"InheritanceFlags\"\:\"(?[^\"]+)\"\,\"PropagationFlags\"\:\"(?[^\"]+)"\ | table object_path,object_last_mod_time,object_size,object_dir_cnt,object_file_cnt,object_acls,IdentityReference,FileSystemRights,AccessControlType,IsInherited,InheritanceFlags,PropagationFlags\ | eval ACL_Type="( ".AccessControlType." ) ".FileSystemRights, Object_Paths=object_path." (SubDir: ".object_dir_cnt.", Files: ".object_file_cnt." )"\ | fillnull value="NA" object_path,object_last_mod_time,object_size,object_dir_cnt,object_file_cnt,object_acls,IdentityReference,FileSystemRights,AccessControlType,IsInherited,InheritanceFlags,PropagationFlags,ACL_Type\ | stats values(Object_Paths) AS Object_Paths,sum(object_size) AS Total_Size,sum(object_dir_cnt) As Total_Directories,sum(object_file_cnt) AS Total_Files by IdentityReference,ACL_Type\ | eval Total_Size=tostring(Total_Size/1024,"commas")." MB" [AD Objects - File Audit - Detailed View] action.email.useNSSubject = 1 dispatch.earliest_time = @d dispatch.latest_time = now display.events.fields = ["host","source","sourcetype","primaryGroupToken"] display.general.type = statistics display.page.search.mode = verbose display.page.search.tab = statistics display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms_obj_win_events_security` Object_Server="Security" TaskCategory="File System" Accesses!="Read*" Accesses!="Execute/Traverse" Accesses!="SYNCHRONIZE" user_type="user"\ | fields _time,EventCode,Object_Name,Accesses,Account_Name,RecordNumber,user,src_user,signature\ | eval Object_Path=Object_Name, temp=_time, signature=if(isnull(signature),"NA",signature)\ | eval user=if(isnull(user),lower(src_user),lower(user))\ | convert timeformat="%m-%d-%Y %H:%M:%S" ctime(temp) AS eventtimes \ | eval history=eventtimes."(User: ".Account_Name." 
Type:".Accesses.")",signature=if(isnull(signature),Message,signature)\ | stats values(history) as Change_History, values(EventCode) as Win_Event_IDs, values(RecordNumber) as Win_Event_Record, min(eventtimes) as First_Change_Time by user,Object_Path,signature \ | lookup AD_Obj_User lookup_usr AS user OUTPUT cn\ | eval user=if(isnull(cn),user,cn." (".user.")")\ | eval Win_Event_Records=mvjoin(Win_Event_Record,", ") \ | eval Win_Event_IDs=mvjoin(Win_Event_IDs,", ") \ | eval Change_Type=mvjoin(Change_Type,", ") \ | table First_Change_Time, Object_Path, signature,user, Win_Event_IDs, Win_Event_Records, Change_History, \ | sort First_Change_Time [AD Objects - File Audit - Top 10 Obj Path] action.email.useNSSubject = 1 alert.track = 0 dispatch.earliest_time = @d dispatch.latest_time = now display.events.fields = ["host","source","sourcetype","primaryGroupToken"] display.general.type = statistics display.page.search.mode = verbose display.page.search.tab = statistics display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms_obj_win_events_security` Object_Server="Security" TaskCategory="File System" Accesses!="Read*" Accesses!="Execute/Traverse" Accesses!="SYNCHRONIZE" user_type="user"\ | fields _time,EventCode,Object_Name,Accesses,Account_Name,user,src_user\ | eval Object_Path=Object_Name, temp=_time, signature=if(isnull(signature),"NA",signature)\ | eval user=if(isnull(user),lower(src_user),lower(user))\ | stats count by Accesses,Object_Path,user\ | sort -count\ | eval cmb=count." - ".Object_Path." (".Accesses.")"\ | stats sum(count) AS Total_Events,list(cmb) AS Top_10_Object_Details by user\ | lookup AD_Obj_User lookup_usr AS user OUTPUT cn\ | eval user=if(isnull(cn),user,cn." 
(".user.")"),Top_10_Object_Details=mvindex(Top_10_Object_Details,0,9)\ | table user, Top_10_Object_Details, Total_Events [AD Objects - File Audit - Top 10 User and Obj Path] action.email.useNSSubject = 1 dispatch.earliest_time = @d dispatch.latest_time = now display.events.fields = ["host","source","sourcetype","primaryGroupToken"] display.general.type = statistics display.page.search.mode = verbose display.page.search.tab = statistics display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms_obj_win_events_security` Object_Server="Security" TaskCategory="File System" Accesses!="Read*" Accesses!="Execute/Traverse" Accesses!="SYNCHRONIZE" user_type="user"\ | fields Object_Name,Accesses,Account_Name,user,src_user\ | eval Object_Path=Object_Name, temp=_time, signature=if(isnull(signature),"NA",signature)\ | eval user=if(isnull(user),lower(src_user),lower(user))\ | stats count by Accesses,Object_Path,user\ | sort -count\ | lookup AD_Obj_User lookup_usr AS user OUTPUT cn\ | eval user=if(isnull(cn),user,cn." (".user.")")\ | eval cmb=count." - ".user." 
(".Accesses.")"\ | stats sum(count) AS Total_Events,list(cmb) AS cmb by Object_Path\ | eval Top_10_User_Details=mvindex(cmb,0,9)\ | table Object_Path, Top_10_User_Details, Total_Events\ | sort -Total_Events [AD Objects - File Audit - Top 10 Path and Type] action.email.useNSSubject = 1 dispatch.earliest_time = @d dispatch.latest_time = now display.events.fields = ["host","source","sourcetype","primaryGroupToken"] display.general.type = statistics display.page.search.mode = verbose display.page.search.tab = statistics display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms_obj_win_events_security` Object_Server="Security" TaskCategory="File System" Accesses!="Read*" Accesses!="Execute/Traverse" Accesses!="SYNCHRONIZE" user_type="user"\ | fields Object_Name,Accesses,Account_Name,user,src_user\ | eval Object_Path=Object_Name, temp=_time, signature=if(isnull(signature),"NA",signature)\ | eval user=if(isnull(user),lower(src_user),lower(user))\ | stats count by Accesses,Object_Path,user\ | sort -count\ | lookup AD_Obj_User lookup_usr AS user OUTPUT cn\ | eval user=if(isnull(cn),user,cn." (".user.")")\ | eval cmb=count." 
- ".Object_Path\ | stats sum(count) AS Total_Events,list(cmb) AS cmb by Accesses,user\ | eval Top_10_Type_Details=mvindex(cmb,0,9)\ | table user,Accesses, Top_10_Type_Details, Total_Events\ | sort -Total_Events [AD Objects - Config - KVstore - Configuration] action.email.useNSSubject = 1 dispatch.earliest_time = -24h@h dispatch.latest_time = now display.general.type = statistics display.page.search.mode = verbose display.page.search.tab = statistics display.visualizations.charting.chart = bar display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = | rest /servicesNS/-/ms_windows_ad_objects/storage/collections/config\ | search eai:acl.app="ms_windows_ad_objects"\ | table title,*\ | sort title ################################################################# ##### admon Verify and Viewing data Searches ##### ################################################################# [AD Objects - Verify Baseline Data - Completed] action.email.useNSSubject = 1 alert.track = 0 dispatch.earliest_time = -6m dispatch.latest_time = 0 display.general.type = visualizations display.page.search.tab = visualizations display.visualizations.charting.chart.showDataLabels = all display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms_obj_admon_get_sync_cnt(ms_obj_admon_base_a_obj)`\ | timechart span=30s count [AD Objects - Verify Baseline Data - Overall] action.email.useNSSubject = 1 alert.track = 0 display.general.type = statistics display.page.search.tab = statistics display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms_obj_admon_get_sync_cnt(ms_obj_admon_base_a_obj)` [AD Objects - Verify Baseline Data - ManualTime] action.email.useNSSubject = 1 alert.track = 0 display.general.type = statistics display.page.search.tab = statistics display.visualizations.show = 0 
request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms_obj_admon_get_sync_cnt_nt(ms_obj_admon_base_a_obj)` ################################################################# ##### Object Lookup Build/Update/Migrate Adhoc Searches ##### ################################################################# ## - Migrate CSV Lookup to KVStore Lookups ## - Example - Migrate User - `ms_obj_admon_migrate_out(user,User)` ## - Example - Migrate Group - `ms_obj_admon_migrate_out(group,Group)` ## - Example - Migrate Computer - `ms_obj_admon_migrate_out(computer,Computer)` ## - Example - Migrate OU - `ms_obj_admon_migrate_out(ou,OU)` ## - Example - Migrate GPO - `ms_obj_admon_migrate_out(gpo,GPO)` ################################################################# ##------- Domain Lookup (AD_Obj_Domain) Build/Update/Migrate -------## ## Domain - Scheduled Update [AD_Obj_Domain_Update] alert.suppress = 0 alert.track = 0 cron_schedule = 00,10,20,30,40,50 * * * * description = Scheduled Search for picking up Domain AD Object Updates, then syncing the AD_Obj_Domain Lookup Table dispatch.earliest_time = -15m@m dispatch.latest_time = now display.general.type = statistics display.page.search.tab = statistics enableSched = 1 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search run_on_startup = 1 search = `ms_obj_admon_upd_domain` ##------- Group Lookup (AD_Obj_Group) Build and Update -------## ## Group - Adhoc Build/Update/Migrate ## [AD_Obj_Group_ReBuild] alert.suppress = 0 alert.track = 0 description = Search for Rebuilding the AD_Obj_Group Lookup in the KV Store. This will replace the data currently in the lookup with all new values from the last time the admon baseline was collected. 
dispatch.earliest_time = 0 dispatch.latest_time = now enableSched = 0 run_on_startup = false request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms_obj_admon_bld_init_out(group,Group)` disabled = 0 ## Group - Adhoc Migrate from CSV ## [AD_Obj_Group_Migrate] alert.suppress = 0 alert.track = 0 description = Search for Migrating from AD_Groups_LDAP_list.csv to the AD_Obj_Group Lookup in the KV Store. dispatch.earliest_time = 0 dispatch.latest_time = now enableSched = 0 run_on_startup = false request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms_obj_admon_migrate_out(group,Group)` disabled = 0 #- Group - Scheduled Search - New, Updated, Deleted,Moved -# [AD_Obj_Group_Update] alert.suppress = 0 alert.track = 0 cron_schedule = 05,15,25,35,45,55 * * * * description = Scheduled Search for picking up Group AD Object Updates,New,Deleted,Moved then syncing AD_Obj_Group Lookup Table dispatch.earliest_time = -15m@m dispatch.latest_time = now enableSched = 1 run_on_startup = true request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms_obj_admon_bld_upd_out(group,Group)` disabled = 0 ##------- User Lookup (AD_Obj_User) Build/Update/Migrate -------## ## Users - Adhoc Initial/Rebuild ## [AD_Obj_User_ReBuild] alert.suppress = 0 alert.track = 0 description = Search for Rebuilding the AD_Obj_User Lookup in the KV Store. This will replace the data currently in the lookup with all new values from the last time the admon baseline was collected. dispatch.earliest_time = 0 dispatch.latest_time = now enableSched = 0 run_on_startup = false request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms_obj_admon_bld_init_out(user,User)` disabled = 0 ## User - Adhoc Migrate from CSV ## [AD_Obj_User_Migrate] alert.suppress = 0 alert.track = 0 description = Search for Migrating from AD_User_LDAP_list.csv to the AD_Obj_User Lookup in the KV Store. 
dispatch.earliest_time = 0 dispatch.latest_time = now enableSched = 0 run_on_startup = false request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms_obj_admon_migrate_out(user,User)` disabled = 0 #- Users - Scheduled Search - New, Updated, Deleted,Moved -# [AD_Obj_User_Update] alert.suppress = 0 alert.track = 0 cron_schedule = 01,11,21,31,41,51 * * * * description = Scheduled Search for picking up User AD Object Updates,New,Deleted,Moved then syncing AD_Obj_User Lookup Table dispatch.earliest_time = -15m@m dispatch.latest_time = now enableSched = 1 run_on_startup = true request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms_obj_admon_bld_upd_out(user,User)` disabled = 0 ##------- Computer Lookup (AD_Obj_Computer) Build and Update -------## ## Computers - Adhoc Initial/Rebuild ## [AD_Obj_Computer_ReBuild] alert.suppress = 0 alert.track = 0 description = Search for Rebuilding the AD_Obj_Computer Lookup in the KV Store. This will replace the data currently in the lookup with all new values from the last time the admon baseline was collected. dispatch.earliest_time = 0 dispatch.latest_time = now enableSched = 0 run_on_startup = false request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms_obj_admon_bld_init_out(computer,Computer)` disabled = 0 ## Computer - Adhoc Migrate from CSV ## [AD_Obj_Computer_Migrate] alert.suppress = 0 alert.track = 0 description = Search for Migrating from AD_Computer_LDAP_list.csv to the AD_Obj_Computer Lookup in the KV Store. 
dispatch.earliest_time = 0 dispatch.latest_time = now enableSched = 0 run_on_startup = false request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms_obj_admon_migrate_out(computer,Computer)` disabled = 0 #- Computer - Scheduled Search - New, Updated, Deleted,Moved -# [AD_Obj_Computer_Update] alert.suppress = 0 alert.track = 0 cron_schedule = 03,13,23,33,43,53 * * * * description = Scheduled Search for picking up Computer AD Object Updates,New,Deleted,Moved then syncing AD_Obj_Computer Lookup Table dispatch.earliest_time = -15m@m dispatch.latest_time = now enableSched = 1 run_on_startup = true request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms_obj_admon_bld_upd_out(computer,Computer)` disabled = 0 ##------- OU Lookup (AD_Obj_OU) Build and Update -------## ## OUs - Adhoc Initial/Rebuild ## [AD_Obj_OU_ReBuild] alert.suppress = 0 alert.track = 0 description = Search for Rebuilding the AD_Obj_OU Lookup in the KV Store. This will replace the data currently in the lookup with all new values from the last time the admon baseline was collected. dispatch.earliest_time = 0 dispatch.latest_time = now enableSched = 0 run_on_startup = false request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms_obj_admon_bld_init_out(ou,OU)` disabled = 0 ## OU - Adhoc Migrate from CSV ## [AD_Obj_OU_Migrate] alert.suppress = 0 alert.track = 0 description = Search for Migrating from AD_OU_LDAP_list.csv to the AD_Obj_OU Lookup in the KV Store. 
dispatch.earliest_time = 0 dispatch.latest_time = now enableSched = 0 run_on_startup = false request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms_obj_admon_migrate_out(ou,OU)` disabled = 0 #- OUs - Scheduled Search - New, Updated, Deleted,Moved -# [AD_Obj_OU_Update] alert.suppress = 0 alert.track = 0 cron_schedule = 07,17,27,37,47,57 * * * * description = Scheduled Search for picking up OU AD Object Updates,New,Deleted,Moved then syncing AD_Obj_OU Lookup Table dispatch.earliest_time = -15m@m dispatch.latest_time = now enableSched = 1 run_on_startup = true request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms_obj_admon_bld_upd_out(ou,OU)` disabled = 0 ##------- GPO Lookup (AD_Obj_GPO) Build, Update and GPO Link Update -------## ## GPOs - Adhoc Initial/Rebuild ## [AD_Obj_GPO_ReBuild] alert.suppress = 0 alert.track = 0 description = Search for Rebuilding the AD_Obj_GPO Lookup in the KV Store. This will replace the data currently in the lookup with all new values from the last time the admon baseline was collected. dispatch.earliest_time = 0 dispatch.latest_time = now request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms_obj_admon_bld_init_out(gpo,GPO)` ## GPOs - Adhoc Migrate from CSV ## [AD_Obj_GPO_Migrate] alert.suppress = 0 alert.track = 0 description = Search for Migrating from AD_GroupPolicies_LDAP_list.csv to the AD_Obj_GPO Lookup in the KV Store. 
dispatch.earliest_time = 0 dispatch.latest_time = now enableSched = 0 run_on_startup = false request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms_obj_admon_migrate_out(gpo,GPO)` disabled = 0 #- GPOs - Scheduled Search - New, Updated, Deleted,Moved -# [AD_Obj_GPO_Update] alert.suppress = 0 alert.track = 0 cron_schedule = 08,18,28,38,48,58 * * * * description = Scheduled Search for picking up GPO AD Object Updates,New,Deleted,Moved then syncing AD_Obj_GPO Lookup Table dispatch.earliest_time = -15m@m dispatch.latest_time = now enableSched = 1 run_on_startup = true request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms_obj_admon_bld_upd_out(gpo,GPO)` disabled = 0 [AD_Obj_GPO_OU_Update] alert.suppress = 0 alert.track = 0 cron_schedule = 09,19,29,39,49,59 * * * * description = Scheduled Search for picking up GPO AD Object Updates, then syncing for GPO Lookup Table dispatch.earliest_time = -10m@m dispatch.latest_time = now enableSched = 1 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search run_on_startup = 1 search = | `ms_ad_admon_upd_gpo_wou` [AD_Obj_OU_GPO_Update] alert.suppress = 0 alert.track = 0 cron_schedule = 02,12,22,32,42,52 * * * * description = Scheduled Search for picking up OU AD Object Updates, then syncing linked GPO's with the AD Obj GPO table. dispatch.earliest_time = -10m@m dispatch.latest_time = now enableSched = 1 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search run_on_startup = 1 search = | `ms_ad_admon_upd_ou_wgpo` ##------- Admin_Audit Lookup (AD_Obj_Admin_Audit) Build, Update, and Migrate -------## ## Admin_Audit - Adhoc Initial/Rebuild ## [AD_Obj_Admin_Audit_Build] alert.suppress = 0 alert.track = 0 description = Search for Rebuilding the AD_Obj_Admin_Audit Lookup in the KV Store. This will replace the data currently in the lookup with all new values from the Windows Security Event Logs. 
dispatch.earliest_time = 0 dispatch.latest_time = now request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms_obj_winevt_init_admin_audit` ## Admin_Audit - Migrate ## [AD_Obj_Admin_Audit_Migrate] alert.suppress = 0 alert.track = 0 description = Search for Rebuilding the AD_Obj_Admin_Audit Lookup in the KV Store. This will replace the data currently in the lookup with all new values from the Windows Security Event Logs. dispatch.earliest_time = 0 dispatch.latest_time = now request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms_obj_winevt_migrate_admin_audit` #- Admin_Audit - Scheduled Search - New, Updated, Deleted,Moved -# [AD_Obj_Admin_Audit_Update] alert.suppress = 0 alert.track = 0 cron_schedule = 08,18,28,38,48,58 * * * * description = Scheduled Search for picking up Change Management administrator details and syncing the AD_Obj_Admin_Audit Lookup Table dispatch.earliest_time = -15m@m dispatch.latest_time = now display.general.type = statistics display.page.search.tab = statistics enableSched = 1 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search run_on_startup = 1 search = `ms_obj_winevt_upd_admin_audit` ##------- MULTI-DOMAIN - SPLIT - Update Templates ----------## #- Template MULTI-DOMAIN - SPLIT - User - Scheduled Search - New, Updated, Deleted,Moved -# [AD_Obj_md_template_User_Update] alert.suppress = 0 alert.track = 0 cron_schedule = 05,15,25,35,45,55 * * * * description = Template for Splitting KV Stores by AD Domains - Copy and Update search for each AD Domain (Important - replace your_domain and your_dc_val with target domain values) and then schedule for picking up User AD Object Updates,New,Deleted,Moved admon events and syncing with the Domains User Lookup. 
dispatch.earliest_time = -15m@m dispatch.latest_time = now enableSched = 0 run_on_startup = true request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms_obj_md_admon_bld_upd_out("your_domain","your_dc_val",user,User)` disabled = 0 #- Template MULTI-DOMAIN - SPLIT - Group - Scheduled Search - New, Updated, Deleted,Moved -# [AD_Obj_md_template_Group_Update] alert.suppress = 0 alert.track = 0 cron_schedule = 05,15,25,35,45,55 * * * * description = Template for Splitting KV Stores by AD Domains - Copy and Update search for each AD Domain (Important - replace your_domain and your_dc_val with target domain values) and then schedule for picking up Group AD Object Updates,New,Deleted,Moved admon events and syncing with the Domains Group Lookup. dispatch.earliest_time = -15m@m dispatch.latest_time = now enableSched = 0 run_on_startup = true request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms_obj_md_admon_bld_upd_out("your_domain","your_dc_val",group,Group)` disabled = 0 #- Template MULTI-DOMAIN - SPLIT - Computer - Scheduled Search - New, Updated, Deleted,Moved -# [AD_Obj_md_template_Computer_Update] alert.suppress = 0 alert.track = 0 cron_schedule = 05,15,25,35,45,55 * * * * description = Template for Splitting KV Stores by AD Domains - Copy and Update search for each AD Domain (Important - replace your_domain and your_dc_val with target domain values) and then schedule for picking up Computer AD Object Updates,New,Deleted,Moved admon events and syncing with the Domains Computer Lookup. 
dispatch.earliest_time = -15m@m dispatch.latest_time = now enableSched = 0 run_on_startup = true request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms_obj_md_admon_bld_upd_out("your_domain","your_dc_val",computer,Computer)` disabled = 0 ##------- Macro State Check -------## [ms_ad_obj_cfg_macro_chk] action.email.useNSSubject = 1 alert.track = 0 description = Scheduled Search for Checking the Health of the macro defined indexes. dispatch.earliest_time = -60m dispatch.latest_time = now display.general.type = statistics display.page.search.mode = verbose display.page.search.tab = statistics display.visualizations.show = 0 enableSched = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = | `ms_obj_cfg_macro_chk` ################################################# ##### AD Computer Object Specific Searches ##### ################################################# [AD Objects - Computer Lookup - Group List] action.email.useNSSubject = 1 alert.track = 0 dispatch.earliest_time = 0 display.general.type = statistics display.page.search.tab = statistics display.visualizations.charting.chart.showDataLabels = all display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = | inputlookup AD_Obj_Computer\ | fields cn,dn,primaryGroupID\ | lookup AD_Obj_Group member AS dn output cn AS Group,distinguishedName AS Group_DN\ | lookup AD_Obj_Group primaryGroupToken AS primaryGroupID OUTPUT cn AS p_Group,distinguishedName AS p_Group_DN\ | eval p_Group="(Primary) ".p_Group,p_Group_DN="(Primary) ".p_Group_DN\ | eval Group=mvappend(Group,p_Group),Group_DN=mvappend(Group_DN,p_Group_DN)\ | rename cn AS Computer\ | eval Group_Count=mvcount(Group)\ | sort -Group_Count\ | table Computer, domain, dn,Group_Count,Group,Group_DN ################################################# ##### AD User Object Specific Searches ##### 
################################################# [AD Objects - User Lookup - SubSearch txt - Critical Obj Events] action.email.useNSSubject = 1 alert.track = 0 dispatch.earliest_time = @d dispatch.latest_time = now display.general.type = statistics display.page.search.tab = statistics display.visualizations.charting.chart.showDataLabels = all display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms_obj_win_events_security` (`ms_obj_critical_filter_raw(User)`)\ | fields EventCode,src_user,signature\ | stats values(EventCode) AS EventCode, count by src_user,signature\ | `ms_obj_critical_filter_field(User,src_user)` [AD Objects - User Lookup - SubSearch - Critical Obj Events] action.email.useNSSubject = 1 alert.track = 0 dispatch.earliest_time = @d dispatch.latest_time = now display.general.type = statistics display.page.search.tab = statistics display.visualizations.charting.chart.showDataLabels = all display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms_obj_win_events_security` (`ms_obj_critical_filter_raw(User,src_user)`)\ | fields EventCode,src_user,signature\ | stats values(EventCode) AS EventCode, count by src_user,signature [AD Objects - User Lookup - UAC to Binary Example] search = | inputlookup AD_Obj_User append=true \ | fields userAccountControl \ | dedup userAccountControl \ | eval octet = userAccountControl \ | eval rank = split("1", ",") \ | eval octet_rank = mvzip(rank, octet) \ | fields - octet, rank \ | mvexpand octet_rank \ | eval octet_rank_split = split(octet_rank, ",") \ | eval rank = mvindex(octet_rank_split, 0) \ | eval octet = mvindex(octet_rank_split, 1) \ | fields - octet_rank, octet_rank_split \ | eval power = mvrange(0,32) \ | mvexpand power \ | eval base2 = pow(2, power) \ | eval mydiv = floor(octet / base2) \ | eval octet_bin = mydiv % 2 \ | fields - mydiv, base2 \ | sort limit=0 IP, rank, octet, 
- power \ | stats list(octet_bin) as octet_bin by userAccountControl \ | eval uac_bin_map = mvjoin(octet_bin, "") \ | rex field=uac_bin_map "00000(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})(?\d{1})" \ | eval uac_details="" \ | eval uac_details=if(uac_account_state=1,uac_details."Disabled",uac_details."Enabled") \ | eval uac_details=if(uac_script_account=1,uac_details.":Logon script is executed",uac_details) \ | eval uac_details=if(uac_temp_dup_account=1,uac_details.":Temp Duplicate Account",uac_details) \ | eval uac_details=if(uac_home_dir_req=1,uac_details.":Home Directory Required",uac_details) \ | eval uac_details=if(uac_pwd_not_req=1,uac_details.":Password Not Required",uac_details) \ | eval uac_details=if(uac_pwd_cant_change=1,uac_details.":Cant Change Password",uac_details) \ | eval uac_details=if(uac_pwd_store_rev=1,uac_details.":Store Password using reversible encryption",uac_details) \ | eval uac_details=if(uac_normal_account=1,uac_details.":Normal User Account",uac_details) \ | eval uac_details=if(uac_trust_account=1,uac_details.":InterDomain Trust Account",uac_details) \ | eval uac_details=if(uac_wkstn_trust_account=1,uac_details.":Workstation Trust Account",uac_details) \ | eval uac_details=if(uac_srvr_trust_account=1,uac_details.":Server Trust Account",uac_details) \ | eval uac_details=if(uac_pwd_not_expire=1,uac_details.":Password Does Not Expire",uac_details) \ | eval uac_details=if(uac_mns_account=1,uac_details.":Majority Node Set (MNS) account",uac_details) \ | eval uac_details=if(uac_smartcard_req=1,uac_details.":Smart Card Required",uac_details) \ | eval uac_details=if(uac_trust_for_delegation=1,uac_details.":Trusted for Delegation",uac_details) \ | eval uac_details=if(uac_sensitive=1,uac_details.":Sensitive - Not Delegated",uac_details) \ | eval 
uac_details=if(uac_pwd_kerb_des=1,uac_details.":Kerberos authentication DES only",uac_details) \ | eval uac_details=if(uac_pwd_kerb_pre_auth=1,uac_details.":Kerberos Does Not Require Pre-Auth",uac_details) \ | eval uac_details=if(uac_pwd_expired=1,uac_details.":Password has Expired",uac_details) \ | eval uac_details=if(uac_trust_auth_for_delegation=1,uac_details.":Can request a Kerberos ticket on behalf of another user",uac_details) \ | eval uac_details=if(uac_kerb_no_pac=1,uac_details.":Request Kerberos Ticket without PAC data",uac_details) \ | eval uac_details=if(uac_dc_account=1,uac_details.":Read Only Domain Controller Account",uac_details) \ | makemv delim=":" uac_details\ | table userAccountControl,uac_bin_map,uac_details [AD Objects - User Lookup - User Settings Full] action.email.useNSSubject = 1 alert.track = 0 dispatch.earliest_time = 0 display.general.type = statistics display.page.search.mode = fast display.page.search.tab = statistics display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = | inputlookup AD_Obj_User append=true\ | `ms_obj_uac_details`\ | table sAMAccountName,userAccountControl, uac* [AD Objects - User Lookup - User Settings Basic] action.email.useNSSubject = 1 alert.track = 0 dispatch.earliest_time = 0 display.general.type = statistics display.page.search.mode = fast display.page.search.tab = statistics display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = | inputlookup AD_Obj_User append=true \ | `ms_obj_uac_details` \ | makemv delim=":" uac_details\ | table domain, sAMAccountName, userAccountControl, uac_details,domain, distinguishedName,whenChanged,whenCreated \ | sort sAMAccountName \ | rename sAMAccountName AS "user", uac_details AS userAccountControl_Details [AD Objects - User Lookup - Group List] action.email.useNSSubject = 1 alert.track = 0 dispatch.earliest_time = 0 display.general.type = 
statistics display.page.search.tab = statistics display.visualizations.charting.chart.showDataLabels = all display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = | inputlookup AD_Obj_User\ | lookup AD_Obj_Group member AS dn output cn AS Group,distinguishedName AS Group_DN\ | lookup AD_Obj_Group primaryGroupToken AS primaryGroupID OUTPUT cn AS p_Group,distinguishedName AS p_Group_DN\ | eval p_Group="(Primary) ".p_Group,p_Group_DN="(Primary) ".p_Group_DN\ | eval Group=mvappend(Group,p_Group),Group_DN=mvappend(Group_DN,p_Group_DN)\ | rename cn AS User\ | eval Group_Count=mvcount(Group)\ | sort -Group_Count\ | table User, domain, distinguishedName,Group_Count,Group,Group_DN ################################################# ##### AD Object Audit Changes ##### ################################################# ## All Objects - AD Audit Changes Searches## [AD Objects - Audit - Changes - User - By Admin Day Summary] action.email.useNSSubject = 1 alert.track = 0 dispatch.earliest_time = -24h@h display.general.type = statistics display.page.search.tab = statistics display.visualizations.charting.chart.showDataLabels = all display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms_obj_changes_base_cat("User")`\ | fields _time,user,src_user,src_nt_domain,dest_nt_domain,user_obj_guid,user_type,msad_action,signature,Correlation_ID,MSADChangedAttributes,AttributeLDAPDisplayName,AttributeValue,DN,dir_svcs_action,user_obj_dn,Old_DN,New_DN\ | join type=left src_user [| inputlookup AD_Obj_User | fields cn,sAMAccountName | rename sAMAccountName as src_user,cn AS Admin | table Admin,src_user]\ | eval Admin=if(isnull(Admin),src_user,Admin." (".src_user.")")\ | eval Day=strftime(_time,"%m/%d/%y")\ | stats count by msad_action, Admin,Day\ | eval comb="|".msad_action." 
(".count.")"\ | sort -count\ | stats list(comb) AS Daily_Change_Summary, sum(count) AS Total_Events by Admin,Day\ | makemv delim="|" Daily_Change_Summary\ | sort -Day \ | xyseries Day Admin Daily_Change_Summary [AD Objects - Audit - Changes - User - By Admin Change Summary] action.email.useNSSubject = 1 alert.track = 0 dispatch.earliest_time = -30d@d dispatch.latest_time = now display.general.type = statistics display.page.search.tab = statistics display.visualizations.charting.chart.showDataLabels = all display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms_obj_changes_base_cat("User")`\ | fields _time,user,src_user,src_nt_domain,dest_nt_domain,user_obj_guid,user_type,msad_action,signature,Correlation_ID,MSADChangedAttributes,AttributeLDAPDisplayName,AttributeValue,DN,dir_svcs_action,user_obj_dn,Old_DN,New_DN\ | join type=left src_user [| inputlookup AD_Obj_User | fields cn,sAMAccountName | rename sAMAccountName as src_user,cn AS Admin | table Admin,src_user]\ | eval Admin=if(isnull(Admin),src_user,Admin." (".src_user.")")\ | eval Day=strftime(_time,"%m/%d/%y")\ | stats count by msad_action, Admin,Day\ | eval comb="|".Day." 
(".count.")"\ | sort -count\ | stats list(comb) AS Daily_Change_Summary, sum(count) AS Total_Events by Admin,msad_action\ | makemv delim="|" Daily_Change_Summary\ | sort -Day \ | xyseries msad_action Admin Daily_Change_Summary [AD Objects - Audit - Changes - GPO - By Admin Day Summary] action.email.useNSSubject = 1 alert.track = 0 dispatch.earliest_time = -7d@h dispatch.latest_time = now display.general.type = statistics display.page.search.tab = statistics display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms_obj_changes_base_cat("Group Policy")`\ | fields _time, session_id, src_nt_domain, src_user,Object_Name_Guid,displayName,dir_svcs_action,AttributeLDAPDisplayName,AttributeValue,MSADChangedAttributes,Correlation_ID,signature,msad_action,Old_DN,New_DN\ | fillnull value="" Correlation_ID,msad_action\ | eval Object_Lookup_Name="{".upper(Object_Name_Guid)."}" \ | lookup AD_Obj_GPO cn AS Object_Lookup_Name OUTPUT displayName \ | join type=left Object_Lookup_Name [| inputlookup AD_Obj_GPO | fields cn,displayName | rename cn AS Object_Lookup_Name | table Object_Lookup_Name,displayName]\ | eval displayName=if(isnull(displayName),Object_Lookup_Name." GPO CN not found",displayName) \ | join type=left src_user [| inputlookup AD_Obj_User | fields cn,sAMAccountName | rename sAMAccountName as src_user,cn AS Admin | table Admin,src_user]\ | eval Admin=if(isnull(Admin),src_user,Admin." (".src_user.")")\ | eval Day=strftime(_time,"%m/%d/%y")\ | stats count by displayName, Admin,Day\ | eval comb="|".displayName." 
(".count.")"\ | sort -count\ | stats list(comb) AS Daily_Change_Summary, sum(count) AS Total_Events by Admin,Day\ | makemv delim="|" Daily_Change_Summary\ | sort -Day \ | xyseries Day Admin Daily_Change_Summary ##_____ Group Policy Change Searches ______## ##V4.0.0 Updated [AD Objects - Audit - Changes - Group Policies] action.email.useNSSubject = 1 alert.track = 0 dispatch.earliest_time = -24h@h display.general.type = statistics display.page.search.tab = statistics display.visualizations.charting.chart.showDataLabels = all display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms_obj_changes_base_cat("Group Policy")`\ | fields _time, session_id, src_nt_domain, src_user,Object_Name_Guid,displayName,dir_svcs_action,AttributeLDAPDisplayName,AttributeValue,MSADChangedAttributes,Correlation_ID,signature,msad_action,Old_DN,New_DN\ | fillnull value="" Correlation_ID,msad_action\ | eval adminuser=if(isnull(src_nt_domain),src_user,src_nt_domain."\\".src_user) \ | eval Object_Lookup_Name="{".lower(Object_Name_Guid)."}" \ | join type=left Object_Lookup_Name [| inputlookup AD_Obj_GPO | fields cn, displayName | rename cn AS Object_Lookup_Name | table Object_Lookup_Name, displayName]\ | eval displayName=if(isnull(displayName),"Warning: ".Object_Lookup_Name." GPO CN not found in the AD_Obj_GPO Lookup. 
If GPO is new wait 15 minutes and run report again, or check that ms_ad_obj_sched_sync_gpo scheduled search is running as scheduled.",displayName) \ | `ms_obj_msad-changed-attributes`\ | stats max(_time) AS last_time, min(_time) AS start_time,list(MSADChanges) AS MSADChanges,values(Correlation_ID) AS Correlation_IDs by session_id,Object_Lookup_Name,displayName,adminuser,signature,msad_action\ | eval MSADChanges=mvjoin(MSADChanges, "########")\ | eval MSADChanges=case(isnull(signature) AND isnull(MSADChanges),"Unknown Changes",isnull(signature),MSADChanges,isnotnull(MSADChanges),"Signature: ".signature."########".MSADChanges)\ | eval Session_Time="Session ID (".session_id.")|Start: ".strftime(start_time,"%m/%d/%y %I:%M:%S %P")."|End: ".strftime(last_time,"%m/%d/%y %I:%M:%S %P")\ | table displayName,adminuser,Session_Time,msad_action,Correlation_IDs,MSADChanges\ | makemv delim="########" MSADChanges\ | makemv delim="|" Session_Time\ | rename adminuser as "Administrator",msad_action as "Action",displayName as "GPO Name",MSADChanges as "Changes" ## V 3.2.4 Updated [AD Objects - Audit - Created - Group Policies] action.email.useNSSubject = 1 alert.track = 0 dispatch.earliest_time = -24h@h display.general.type = statistics display.page.search.tab = statistics display.visualizations.charting.chart.showDataLabels = all display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms_obj_changes_base_cat_act("Group Policy","created")`\ | fields _time, session_id, src_nt_domain, src_user,Object_Name_Guid,displayName,dir_svcs_action,AttributeLDAPDisplayName,AttributeValue,MSADChangedAttributes,Correlation_ID,signature,msad_action,Old_DN,New_DN\ | fillnull value="" Correlation_ID,msad_action\ | eval adminuser=if(isnull(src_nt_domain),src_user,src_nt_domain."\\".src_user) \ | eval Object_Lookup_Name="{".upper(Object_Name_Guid)."}" \ | join type=left Object_Lookup_Name [| inputlookup AD_Obj_GPO | fields cn_link, 
displayName | rename cn_link AS Object_Lookup_Name | table Object_Lookup_Name, displayName]\ | eval displayName=if(isnull(displayName),"Warning: ".Object_Lookup_Name." GPO CN not found in the AD_Obj_GPO Lookup. If GPO is new wait 15 minutes and run report again, or check that ms_ad_obj_sched_sync_gpo scheduled search is running as scheduled.",displayName) \ | `ms_obj_msad-changed-attributes`\ | stats max(_time) AS last_time, min(_time) AS start_time,list(MSADChanges) AS MSADChanges,values(Correlation_ID) AS Correlation_IDs by session_id,Object_Lookup_Name,displayName,adminuser,signature,msad_action\ | eval MSADChanges=mvjoin(MSADChanges, "########")\ | eval MSADChanges=case(isnull(signature) AND isnull(MSADChanges),"Unknown Changes",isnull(signature),MSADChanges,isnotnull(MSADChanges),"Signature: ".signature."########".MSADChanges)\ | eval Session_Time="Session ID (".session_id.")|Start: ".strftime(start_time,"%m/%d/%y %I:%M:%S %P")."|End: ".strftime(last_time,"%m/%d/%y %I:%M:%S %P")\ | table displayName,adminuser,Session_Time,msad_action,Correlation_IDs,MSADChanges\ | makemv delim="########" MSADChanges\ | makemv delim="|" Session_Time\ | rename adminuser as "Administrator",msad_action as "Action",displayName as "GPO Name",MSADChanges as "Changes" ##V4.0.0 Updated [AD Objects - Audit - Deleted - Group Policies] action.email.useNSSubject = 1 alert.track = 0 dispatch.earliest_time = -24h@h display.general.type = statistics display.page.search.tab = statistics display.visualizations.charting.chart.showDataLabels = all display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms_obj_changes_base_cat_act("Group Policy","deleted")`\ | fields _time, session_id, src_nt_domain, src_user,Object_Name_Guid,displayName,dir_svcs_action,AttributeLDAPDisplayName,AttributeValue,MSADChangedAttributes,Correlation_ID,signature,msad_action,Old_DN,New_DN\ | fillnull value="" Correlation_ID,msad_action\ | eval 
adminuser=if(isnull(src_nt_domain),src_user,src_nt_domain."\\".src_user) \ | eval Object_Lookup_Name="{".upper(Object_Name_Guid)."}" \ | join type=left Object_Lookup_Name [| inputlookup AD_Obj_GPO | fields cn_link, displayName | rename cn_link AS Object_Lookup_Name | table Object_Lookup_Name, displayName]\ | eval displayName=if(isnull(displayName),"Warning: ".Object_Lookup_Name." GPO CN not found in the AD_Obj_GPO Lookup. If GPO is new wait 15 minutes and run report again, or check that ms_ad_obj_sched_sync_gpo scheduled search is running as scheduled.",displayName) \ | `ms_obj_msad-changed-attributes`\ | stats max(_time) AS last_time, min(_time) AS start_time,list(MSADChanges) AS MSADChanges,values(Correlation_ID) AS Correlation_IDs by session_id,Object_Lookup_Name,displayName,adminuser,signature,msad_action\ | eval MSADChanges=mvjoin(MSADChanges, "########")\ | eval MSADChanges=case(isnull(signature) AND isnull(MSADChanges),"Unknown Changes",isnull(signature),MSADChanges,isnotnull(MSADChanges),"Signature: ".signature."########".MSADChanges)\ | eval Session_Time="Session ID (".session_id.")|Start: ".strftime(start_time,"%m/%d/%y %I:%M:%S %P")."|End: ".strftime(last_time,"%m/%d/%y %I:%M:%S %P")\ | table displayName,adminuser,Session_Time,msad_action,Correlation_IDs,MSADChanges\ | makemv delim="########" MSADChanges\ | makemv delim="|" Session_Time\ | rename adminuser as "Administrator",msad_action as "Action",displayName as "GPO Name",MSADChanges as "Changes" ##_____ Organizational Unit Change Searches ______## [AD Objects - Audit - Changes - OU] alert.track = 0 dispatch.earliest_time = -7d@d dispatch.latest_time = now display.general.type = statistics display.page.search.mode = verbose display.page.search.tab = statistics display.visualizations.charting.chart = bar display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms_obj_changes_base_cat("OU")` (src_nt_domain="*" OR dest_nt_domain="*")\ | 
fields _raw,_time,chg_gp_guid,dir_svcs_action,signature,LDAP_Display_Name,gpo_name,ou_obj_dn,DN,Old_DN,New_DN,Correlation_ID,Value,LDAP_Display_Name,chg_gp_guid,src_user,src_nt_domain,EventCode,msad_action\ | eval dest_ou_dn=if(isnull(New_DN),DN,New_DN),adminuser=if(isnull(src_nt_domain),lower(src_user),src_nt_domain."\\".lower(src_user))\ | rex field=dest_ou_dn "(?i)ou\=(?[^\,]+)"\ | rex field=Value max_match=0 "\{(?[^\}]+)"\ | fillnull value="NA" chg_gp_guid,dir_svcs_action,signature,LDAP_Display_Name,gpo_name,DN,Old_DN,New_DN,Correlation_ID\ | mvexpand chg_gp_guid\ | eval gpo_link=if(LDAP_Display_Name=="gPLink",lower(chg_gp_guid),"")\ | eval Value=if(isnull(Value),lower(AttributeValue),lower(Value))\ | lookup AD_Obj_GPO gpo_link, domain AS src_nt_domain OUTPUT displayName AS gpo_name\ | eval Correlation_ID=if(isnull(Correlation_ID),"NA",Correlation_ID)\ | eval mod_summary=if(LDAP_Display_Name=="gPLink" AND isnotnull(gpo_name),"| - Action: ".dir_svcs_action."| - Target Attribute: ".LDAP_Display_Name."| - Target Linked GPO: ".gpo_name."| - Target Linked GPO ID: ".chg_gp_guid,"| - Action: ".dir_svcs_action."| - Target Attribute: ".LDAP_Display_Name."| - Target Attribute Value: ".Value)\ | eval chg_summary=case(EventCode=5137,"|OU Created:| - signature: ".signature."| - Event Correlation ID: ".Correlation_ID."| - DN: ".DN,EventCode=5138,"|OU Undeleted:| - signature: ".signature."| - Event Correlation ID: ".Correlation_ID." - ",EventCode=5139,"|OU Moved:| - signature: ".signature."| - Event Correlation ID: ".Correlation_ID."| - From: ".Old_DN."| - To: ".New_DN,EventCode=5141,"|OU Deleted:| - signature: ".signature."| - Event Correlation ID: ".Correlation_ID,EventCode=5136 OR EventCode=4662,"|OU Modified:| - signature: ".signature." 
| - Event Correlation ID: ".Correlation_ID."|".mod_summary)\ | stats values(chg_summary) AS chg_summary by _time,adminuser,msad_action,ou_name,dest_ou_dn,EventCode,signature\ | makemv delim="|" chg_summary\ | rename msad_action AS "Action",adminuser AS "Admin User",ou_name AS OU,dest_ou_dn AS "OU DN",chg_summary AS "Changes" [AD Objects - Audit - Modified - OU] alert.track = 0 dispatch.earliest_time = -7d@d dispatch.latest_time = now display.general.type = statistics display.page.search.mode = verbose display.page.search.tab = statistics display.visualizations.charting.chart = bar display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms_obj_changes_base_cat_act("OU","modified")`\ | eval dest_ou_dn=if(isnull(New_DN),DN,New_DN)\ | rex field=dest_ou_dn "(?i)ou\=(?[^\,]+)"\ | rex field=Value max_match=0 "\{(?[^\}]+)"\ | fillnull value="NA" chg_gp_guid,dir_svcs_action,signature,LDAP_Display_Name,gpo_name,DN,Old_DN,New_DN,Correlation_ID\ | eval Value=if(isnull(Value),lower(AttributeValue),lower(Value)),chg_gp_guid=lower(chg_gp_guid)\ | mvexpand chg_gp_guid\ | eval chg_gplink=if(LDAP_Display_Name=="gPLink","{".chg_gp_guid."}","")\ | join type=left chg_gplink [| inputlookup AD_Obj_GPO | fields cn,displayName | rex field=cn "^(?[^(\s|$)]+)" | dedup chg_gplink | table chg_gplink, displayName | rename displayName AS gpo_name]\ | table _time,ou_name,dest_ou_dn,src_nt_domain,src_user,LDAP_Display_Name,dir_svcs_action, Correlation_ID,chg_gp_guid,gpo_name,EventCode,signature,DN,Old_DN,New_DN,Value,msad_action\ | eval chg_summary=if(LDAP_Display_Name=="gPLink" AND isnotnull(gpo_name),"OU Modified:| - Event Correlation ID: ".Correlation_ID."| - Action: ".dir_svcs_action."| - Target Attribute: ".LDAP_Display_Name."| - Target Linked GPO: ".gpo_name."| - Target Linked GPO ID: ".chg_gp_guid,"OU Modified:|| - Event Correlation ID: ".Correlation_ID." 
- Action: ".dir_svcs_action."| - Target Attribute: ".LDAP_Display_Name."| - Target Attribute Value: ".Value."| - Event Correlation ID: ".Correlation_ID)\ | table _time,ou_name,dest_ou_dn,msad_action,EventCode,signature,src_nt_domain,src_user,chg_summary\ | makemv delim="|" chg_summary\ | rename msad_action AS "OU Action",src_nt_domain AS "Admin Domain",src_user AS "Admin User",ou_name AS OU,dest_ou_dn AS "OU DN",chg_summary AS "Change Details" [AD Objects - Audit - Created - OU] action.email.useNSSubject = 1 alert.digest_mode = True alert.suppress = 0 alert.track = 0 auto_summarize.dispatch.earliest_time = -1d@h dispatch.earliest_time = -7d@h dispatch.latest_time = now display.events.fields = ["host","source","sourcetype","name"] display.general.type = statistics display.page.search.mode = verbose display.page.search.tab = statistics display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms_obj_changes_base_cat_act("OU","created")`\ | rex field=DN "(?i)ou\=(?[^\,]+)"\ | fillnull value="NA" chg_gp_guid,dir_svcs_action,signature,LDAP_Display_Name,gpo_name,DN,Old_DN,New_DN\ | table _time,ou_name,DN,src_nt_domain,src_user,Correlation_ID,EventCode,signature,DN,Old_DN,New_DN,Value,msad_action\ | eval chg_summary = "OU Created:| - DN: ".DN."| - Event Correlation ID: ".Correlation_ID\ | table _time,msad_action,ou_name,DN,EventCode,signature,src_nt_domain,src_user,chg_summary\ | makemv delim="|" chg_summary\ | rename msad_action AS "OU Action",src_nt_domain AS "Admin Domain",src_user AS "Admin User",ou_name AS OU,DN AS "OU DN",chg_summary AS "Change Details" [AD Objects - Audit - Critical Objects - Lookup] action.email.useNSSubject = 1 alert.track = 0 display.general.type = statistics display.page.search.mode = verbose display.page.search.tab = statistics display.visualizations.charting.chart = bar display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = 
search search = | inputlookup AD_Audit_Default_Critical_Objects\ | eval inherited_user_rights="- ".(replace(inherited_user_rights,";",";- "))\ | eval direct_user_rights="- ".(replace(direct_user_rights,";",";- "))\ | makemv delim=";" inherited_user_rights\ | makemv delim=";" direct_user_rights\ | table cn,default_container,description,direct_user_rights,group_scope,inherited_user_rights,obj_type,special_note,type_flag ## User AD Object Searches [AD Objects - View User AD Objects Lookup] action.email.useNSSubject = 1 alert.track = 0 dispatch.earliest_time = -60m dispatch.latest_time = 0 display.general.type = statistics display.page.search.mode = verbose display.page.search.tab = statistics display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = | inputlookup AD_Obj_User [AD Objects - Verify User Sync Or Update] action.email.useNSSubject = 1 alert.track = 0 dispatch.earliest_time = -7d@d dispatch.latest_time = 0 display.general.type = statistics display.page.search.mode = verbose display.page.search.tab = statistics display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms_obj_admon_user` ("admonEventType=Sync" OR "admonEventType=Update") [AD Objects - Verify User Delete] action.email.useNSSubject = 1 alert.track = 0 dispatch.earliest_time = -7d@d dispatch.latest_time = 0 display.general.type = statistics display.page.search.mode = verbose display.page.search.tab = statistics display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms_obj_admon_flt_obj_type(ms_obj_admon_user,ms_obj_admon_base_del_type)` ## AD Group Object Lookup Searches [AD Objects - Verify Group AD Objects Lookup] action.email.useNSSubject = 1 alert.track = 0 dispatch.earliest_time = -60m dispatch.latest_time = 0 display.general.type = statistics display.page.search.mode = verbose 
display.page.search.tab = statistics display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = | inputlookup AD_Obj_Group [AD Objects - Verify Group Sync Or Update] action.email.useNSSubject = 1 alert.track = 0 dispatch.earliest_time = -60m dispatch.latest_time = 0 display.general.type = statistics display.page.search.mode = verbose display.page.search.tab = statistics display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms_obj_admon_group` ("admonEventType=Sync" OR "admonEventType=Update") [AD Objects - Verify Group Delete] action.email.useNSSubject = 1 alert.track = 0 dispatch.earliest_time = -60m dispatch.latest_time = 0 display.general.type = statistics display.page.search.mode = verbose display.page.search.tab = statistics display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms_obj_admon_flt_obj_type(ms_obj_admon_group,ms_obj_admon_base_del_type)` [AD Objects - Verify DL Group AD Objects Lookup] action.email.useNSSubject = 1 alert.track = 0 dispatch.earliest_time = -60m dispatch.latest_time = 0 display.general.type = statistics display.page.search.mode = verbose display.page.search.tab = statistics display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = | inputlookup AD_Obj_Group WHERE isDistributionList="TRUE" [AD Objects - Verify DL Group Sync Or Update] action.email.useNSSubject = 1 alert.track = 0 dispatch.earliest_time = -60m dispatch.latest_time = 0 display.general.type = statistics display.page.search.mode = verbose display.page.search.tab = statistics display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms_obj_admon_group` ("admonEventType=Sync" OR "admonEventType=Update") sAMAccountType="268435457" [AD Objects - 
Verify DL Group Delete] action.email.useNSSubject = 1 alert.track = 0 dispatch.earliest_time = -60m dispatch.latest_time = 0 display.general.type = statistics display.page.search.mode = verbose display.page.search.tab = statistics display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms_obj_admon_flt_obj_type(ms_obj_admon_group,ms_obj_admon_base_del_type)` sAMAccountType="268435457" ## AD Computer Object Lookup Searches [AD Objects - Verify Computer AD Objects Lookup] action.email.useNSSubject = 1 alert.track = 0 dispatch.earliest_time = -60m dispatch.latest_time = 0 display.general.type = statistics display.page.search.mode = verbose display.page.search.tab = statistics display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = | inputlookup AD_Obj_Computer [AD Objects - Verify Computer Sync Or Update] action.email.useNSSubject = 1 alert.track = 0 dispatch.earliest_time = -60m dispatch.latest_time = 0 display.general.type = statistics display.page.search.mode = verbose display.page.search.tab = statistics display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms_obj_admon_computer` ("admonEventType=Sync" OR "admonEventType=Update") [AD Objects - Verify Computer Delete] action.email.useNSSubject = 1 alert.track = 0 dispatch.earliest_time = -60m dispatch.latest_time = 0 display.general.type = statistics display.page.search.mode = verbose display.page.search.tab = statistics display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms_obj_admon_flt_obj_type(ms_obj_admon_computer,ms_obj_admon_base_del_type)` ## AD OU Object Lookup Searches [AD Objects - Verify OU AD Objects Lookup] action.email.useNSSubject = 1 alert.track = 0 dispatch.earliest_time = -60m dispatch.latest_time = 0 display.general.type = 
statistics display.page.search.mode = verbose display.page.search.tab = statistics display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = | inputlookup AD_Obj_OU [AD Objects - Verify OU Sync Or Update] action.email.useNSSubject = 1 alert.track = 0 dispatch.earliest_time = -60m dispatch.latest_time = 0 display.general.type = statistics display.page.search.mode = verbose display.page.search.tab = statistics display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms_obj_admon_ou` ("admonEventType=Sync" OR "admonEventType=Update") [AD Objects - Verify OU Delete] action.email.useNSSubject = 1 alert.track = 0 dispatch.earliest_time = -60m dispatch.latest_time = 0 display.general.type = statistics display.page.search.mode = verbose display.page.search.tab = statistics display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms_obj_admon_flt_obj_type(ms_obj_admon_ou,ms_obj_admon_base_del_type)` ## AD Group Policy Object Lookup Searches [AD Objects - Verify GPO AD Objects Lookup] action.email.useNSSubject = 1 alert.track = 0 dispatch.earliest_time = -60m dispatch.latest_time = 0 display.general.type = statistics display.page.search.mode = verbose display.page.search.tab = statistics display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = | inputlookup AD_Obj_GPO [AD Objects - Verify GPO Sync Or Update] action.email.useNSSubject = 1 alert.track = 0 dispatch.earliest_time = -60m dispatch.latest_time = 0 display.general.type = statistics display.page.search.mode = verbose display.page.search.tab = statistics display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms_obj_admon_gpo` ("admonEventType=Sync" OR "admonEventType=Update") [AD Objects - 
Verify GPO Delete] action.email.useNSSubject = 1 alert.track = 0 dispatch.earliest_time = -60m dispatch.latest_time = 0 display.general.type = statistics display.page.search.mode = verbose display.page.search.tab = statistics display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms_obj_admon_flt_obj_type(ms_obj_admon_gpo,ms_obj_admon_base_del_type)` ################################################# ##### App Health Searches ##### ################################################# [AD Objects - Scheduled Search - Runtime Statistics] action.email.useNSSubject = 1 alert.track = 0 dispatch.earliest_time = @d dispatch.latest_time = now display.general.type = visualizations display.page.search.tab = visualizations display.visualizations.charting.chart.showDataLabels = all display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = index=_internal sourcetype=scheduler savedsearch_name="ms_ad_obj_sched*" (status="completed" OR status="skipped" OR\ status="deferred")\ | eval window_time = if(isnotnull(window_time), window_time, 0)\ | eval execution_latency = max(dispatch_time - (scheduled_time + window_time), 0)\ | stats avg(run_time) as runtime, avg(execution_latency) AS avg_exec_latency, count(eval(status=="completed" OR status=="skipped")) AS total_exec, count(eval(status=="skipped")) AS skipped_exec count(eval(status=="deferred")) AS deferred_exec by app, savedsearch_name, user, savedsearch_id\ | join savedsearch_id type=outer [\ | rest "/servicesNS/-/-/saved/searches/" earliest_time=`ms_obj_time_modifier(-0s@s)` latest_time=`ms_obj_time_modifier(+8d@d)` search="is_scheduled=1" search="disabled=0"\ | search NOT (dispatch.earliest_time=rt* OR dispatch.latest_time=rt*)\ | mvexpand scheduled_times\ | stats count(title) as count max(scheduled_times) as max_t min(scheduled_times) as min_t by title, eai:acl.app, eai:acl.owner cron_schedule\ | 
eval schedule_interval=round((max_t-min_t)/(count-1), 0)\ | eval savedsearch_id = 'eai:acl.owner'.";".'eai:acl.app'.";".title\ | fields savedsearch_id, cron_schedule, schedule_interval ]\ | eval runtime = round(runtime, 0)\ | eval avg_exec_latency = round(avg_exec_latency, 0)\ | eval search_workload = round(runtime / schedule_interval * 100, 2)." %"\ | eval skip_ratio = round(skipped_exec / total_exec * 100, 2)." %"\ | fields savedsearch_name, app, user, cron_schedule, schedule_interval, runtime, search_workload, total_exec, skipped_exec, skip_ratio, deferred_exec, avg_exec_latency\ | sort - search_workload\ | rename savedsearch_name as "Report Name", app as App, user as User, cron_schedule as "Cron Schedule", runtime as "Average Runtime (sec)", total_exec as "Total Executions", skip_ratio as "Skip Ratio", skipped_exec as "Skipped Executions", deferred_exec AS "Deferred Executions", schedule_interval as "Schedule Interval (sec)", search_workload as "Interval Load Factor", avg_exec_latency AS "Average Execution Latency (sec)" disabled = 0 [AD Objects - Scheduled Search - Skipped Reasons] action.email.useNSSubject = 1 alert.track = 0 dispatch.earliest_time = @d dispatch.latest_time = now display.general.type = visualizations display.page.search.tab = visualizations display.visualizations.charting.chart.showDataLabels = all display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = index=_internal sourcetype=scheduler status="skipped" savedsearch_name="ms_ad_obj_sched_*"\ | eval alert_actions = if(isnull(alert_actions) OR alert_actions == "", "none", alert_actions)\ | eval reason = if(isnull(reason) OR reason == "", "none", reason)\ | stats count AS count values(alert_actions) AS alert_actions, max(_time) AS l_time by savedsearch_name, reason\ | eval reason_and_count = reason." 
(".count.")"\ | eval l_time=strftime(l_time,"%m/%d/%y %I:%M:%S %P")\ | stats values(l_time) AS "Last Time Skipped",values(reason_and_count) AS reasons first(alert_actions) AS alert_actions by savedsearch_name\ | rename reasons AS "Skip Reason (Skip Count)" alert_actions AS "Alert Actions" savedsearch_name AS "Report Name" ################################################# ##### Extra Help - Tools - Searches ##### ################################################# [AD Objects - Tools - Lookup Field List] action.email.useNSSubject = 1 alert.track = 0 dispatch.earliest_time = @d dispatch.latest_time = now display.general.type = visualizations display.page.search.tab = visualizations display.visualizations.charting.chart.showDataLabels = all display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = | inputlookup lookup_field_lists.csv \ | table AD_Obj_GroupPolicies_LDAP* \ | stats values(AD_Obj_GPO-base_in) AS raw_in_fields, values(AD_Obj_GPO-base_out) AS base_out_fields \ | eval raw_in_fields=mvjoin(raw_in_fields,",") \ | eval base_out_fields=mvjoin(base_out_fields,",") [Admin_Extra_Field_Sizing_Analysis] action.email.useNSSubject = 1 alert.track = 0 dispatch.earliest_time = -24h@h dispatch.latest_time = now display.events.fields = ["host","source","sourcetype","Workstation_Name","src_ip","Source_Network_Address","src_nt_host","src_user","src_user_type","user","user_type","src","Logon_Type","member_id","member_dn","cn","distinguishedName","DN","group_name","group_id"] display.general.type = statistics display.page.search.mode = verbose display.page.search.tab = statistics display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = eventtype=ms_ad_obj_wineventlog_index earliest=-15m latest=now\ | fieldsummary \ | rex field=values max_match=0 "value\":\"(?[^\"]*)\","\ | mvexpand values \ | eval bytes=len(values)\ | rex field=field 
"^(?!date|punct|host|hostip|index|linecount|source|sourcetype|timeendpos|timestartpos|splunk_server)(?.*)"\ | stats count sum(bytes) as SumOfBytesInField values(values) as Values max(bytes) as MaxFieldLengthInBytes by FieldName\ | rename count as NumberOfValuesPerField\ | eventstats sum(NumberOfValuesPerField) as TotalEvents sum(SumOfBytesInField) as TotalBytes\ | eval PercentageOfTotalEvents=round(NumberOfValuesPerField/TotalEvents*100,2)\ | eval PercentageOfTotalBytes=round(SumOfBytesInField/TotalBytes*100,2)\ | eval ConsumedMB=SumOfBytesInField/1024/1024\ | eval TotalMB=TotalBytes/1024/1024\ | table FieldName NumberOfValuesPerField SumOfBytesInField ConsumedMB PercentageOfTotalBytes PercentageOfTotalEvents\ | addcoltotals labelfield=FieldName label=Totals\ | sort - PercentageOfTotalEvents [ms_ad_obj_dev_user_delete_missing_fields] action.email.useNSSubject = 1 alert.track = 0 dispatch.earliest_time = -30d@d dispatch.latest_time = now display.general.type = statistics display.page.search.mode = verbose display.page.search.tab = statistics display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = | makeresults \ | eval field="DomainDNSName,OU,accountExpires,adminCount,badPasswordTime,badPwdCount,c,cn,orig_cn,codePage,countryCode,dSCorePropagationData,dcName,deletedDate,department,description,displayName,distinguishedName,dn,dn_path,domain,givenName,guid_lookup,initials,instanceType,isCriticalSystemObject,isDeleted,isRecycled,l,lastKnownParent,lastLogon,lastLogonTimestamp,last_evt_flg,lockoutTime,logonCount,logonHours,managedBy,memberOf,msDS-SupportedEncryptionTypes,name,objectCategory,objectClass,objectGUID,objectSid,physicalDeliveryOfficeName,postalCode,primaryGroupID,pwdLastSet,sAMAccountName,sAMAccountType,servicePrincipalName,showInAdvancedViewOnly,sid_lookup,sn,st,streetAddress,title,uSNChanged,uSNCreated,userAccountControl,userPrincipalName,userWorkstations,whenChanged,whenCreated" \ | makemv 
delim="," field \ | eval match="true" \ | mvexpand field \ | table field, match\ | join field type=left \ [search eventtype=ms_ad_obj_msad_data (admonEventType=Deleted) objectClass="top|person|organizationalPerson|user" \ | fieldsummary \ | table field, match, values] \ | table field, match, values \ | sort match, field\ | search NOT values="[{*"\ | stats values(field) AS field\ | eval field=mvjoin(field,",") ## Directory Services - Verify Field Extractions: [AD Objects - Directory Services - Field Extractions] alert.track = 0 auto_summarize.dispatch.earliest_time = -1d@h search = `ms_obj_win_events_security` (EventCode=5136 OR EventCode=5137 OR EventCode=5138 OR EventCode=5139 OR EventCode=5141)\ | rex field=_raw "(?msi)Message\=A\sdirectory\sservice\sobject\swas\s(?[^\.]+)"\ | rex field=_raw "(?msi)Object:(\s+|\n|\r).*DN\:\s+(?[^(\r|\n)]+)(\s+|\n|\r).*Class\:\s+(?[^(\r|\n)]+)"\ | rex field=_raw "(?msi)(Object Type\:|Object\:)(\s+|\n|\r).*(Object\sName|GUID)\:\s+CN(=\"|=\{)(?[^(\"|\})]+)"\ | fillnull value="Empty" Object_Type, distinguishedName, Object_Name_Guid, msad_action\ | stats values(Class) AS Classes, values(distinguishedName) AS distinguishedName, values(Object_Type) AS Object_Type,values(Object_Name_Guid) AS Object_Name_Guid by msad_action ###--------------------------------------------------------### #--- File Audit and ACL Reports ---# ###--------------------------------------------------------### ## User Access Control Details ## [AD Objects - File ACL - Base List] action.email.useNSSubject = 1 alert.track = 0 dispatch.earliest_time = -24h@h dispatch.latest_time = now display.general.type = statistics display.page.search.mode = verbose display.page.search.tab = statistics display.visualizations.charting.chart = bar display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms__obj_win_api_index` sourcetype="WinDirAcl"\ | rex max_match=0 "(?:\[)(?[^\]]+)"\ | rex max_match=0 
"(?:\"IdentityReference\"\:\")(?[^\"]+)\"\,\"FileSystemRights\"\:\"(?[^\"]+)\"\,\"AccessControlType\"\:\"(?[^\"]+)\"\,\"IsInherited\"\:\"(?[^\"]+)\"\,\"InheritanceFlags\"\:\"(?[^\"]+)\"\,\"PropagationFlags\"\:\"(?[^\"]+)\""\ | stats count,values(IdentityReference) AS IdentityReference,values(object_acls) AS object_acls by object_path,object_last_mod_time,object_size,object_dir_cnt,object_file_cnt [AD Objects - Audit - Login - Details] action.email.useNSSubject = 1 alert.track = 0 dispatch.earliest_time = -60m@m dispatch.latest_time = now display.general.type = statistics display.page.search.mode = fast display.page.search.tab = statistics display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms_obj_failed_success_logons("user")`\ | fields user, status, _time, host,src_ip,src_nt_host,signature,Failure_Reason,Logon_Type,Sub_Status\ | lookup AD_Audit_Logon_Types Logon_Type OUTPUT Logon_TypeName\ | eval Logon_User=lower(user)\ | eval src_ip=replace(src_ip,"::ffff:|::1","")\ | eval src_nt_host=if(isnull(src_nt_host),if(isnull(src_ip) OR src_ip=="127.0.0.1" OR src_ip=="" OR src_ip=="-",upper(host),src_ip),src_nt_host)\ | eval src_ip=if(isnull(src_ip) OR src_ip=="127.0.0.1" OR src_ip=="" OR src_ip=="-",host,src_ip)\ | fillnull value="Not In Event" src_nt_host, src_ip,Failure_Reason,signature\ | eval Session_Status="Audit ".status\ | eval Failure_Reason=if(Sub_Status=="0xC0000064","Non-Domain Account - ".Failure_Reason,Failure_Reason)\ | fields _time, host,src_ip,src_nt_host,Logon_User, status, Session_Status,signature,Failure_Reason,Logon_TypeName\ | stats count,values(Logon_TypeName) AS Logon_Type by _time, host,src_ip,src_nt_host,Logon_User, status, Session_Status,signature,Failure_Reason\ | eval Success_count=if(status=="success",1,0)\ | eval Failure_count=if(status=="failure",1,0)\ | join type=left Logon_User [| inputlookup AD_Obj_User | fields userAccountControl,sAMAccountName | lookup AD_Obj_UAC 
userAccountControl OUTPUT uac_details| rename sAMAccountName as Logon_User | table uac_details,Logon_User]\ | eval Failure_Reason=if(isnull(Failure_Reason) OR Failure_Reason=="Not In Event",status.": ".signature,status.": ".Failure_Reason)\ | fillnull value="Not Available" uac_details\ | eventstats count AS Failure_Reason_cnt by Failure_Reason,Logon_User\ | eventstats count AS src_ip_cnt by src_ip,Logon_User\ | eventstats count AS src_nt_host_cnt by src_nt_host,Logon_User\ | eval Failure_Reason="(".Failure_Reason_cnt.") - ".Failure_Reason\ | eval src_ip="(".src_ip_cnt.") - ".src_ip\ | eval src_nt_host="(".src_nt_host_cnt.") - ".src_nt_host\ | sort - src_ip_cnt, - src_nt_host_cnt\ | stats count AS Total_Attempts, sum(Success_count) AS Success_Count, sum(Failure_count) AS Failure_Count, values(Logon_Type) AS Logon_Types, values(Failure_Reason) AS Failure_Reason,values(src_ip) AS src_ip,values(src_nt_host) AS src_nt_host by Logon_User,uac_details\ | sort -Total_Attempts\ | makemv delim=":" uac_details\ | eval src_nt_host=mvsort(src_nt_host) [AD Objects - Audit - Login - Expired Disabled] action.email.useNSSubject = 1 alert.track = 0 dispatch.earliest_time = -7d@h dispatch.latest_time = now display.general.type = statistics display.page.search.mode = fast display.page.search.tab = statistics display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms_obj_failed_success_logons("user")` [| inputlookup AD_Obj_User| fields accountExpires, uac_details, whenChanged,sAMAccountName| makemv delim=":" uac_details | eval uac_filter=if(match(uac_details, "Disabled"),"True","False") | eval accountExpipres_utc=round(strptime(accountExpires,"%I:%M.%S %P, %a %m/%d/%Y"),0)| WHERE uac_filter=="True" OR accountExpires_utc[^$]+)" \ | eventstats count AS Total_Lockouts by user\ | table Locked_Time, user, displayName, Caller_Computer_Name,distinguishedName,Total_Lockouts \ | rename user as "User Name", displayName as 
"Display Name", Caller_Computer_Name as "Source Computer Name" [AD Objects - Audit - Login - Computer] action.email.useNSSubject = 1 alert.track = 0 dispatch.earliest_time = -60m@m dispatch.latest_time = now display.general.type = statistics display.page.search.mode = fast display.page.search.tab = statistics display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms_obj_failed_success_logons("computer")`\ | fields user, status, _time, host,src_ip,src_nt_host,signature,Failure_Reason,Logon_Type,Sub_Status\ | lookup AD_Audit_Logon_Types Logon_Type OUTPUT Logon_TypeName\ | eval Logon_User=lower(user)\ | eval src_ip=replace(src_ip,"::ffff:|::1","")\ | eval src_nt_host=if(isnull(src_nt_host),if(isnull(src_ip) OR src_ip=="127.0.0.1" OR src_ip=="" OR src_ip=="-",upper(host),src_ip),src_nt_host)\ | eval src_ip=if(isnull(src_ip) OR src_ip=="127.0.0.1" OR src_ip=="" OR src_ip=="-",host,src_ip)\ | fillnull value="Not In Event" src_nt_host, src_ip,Failure_Reason,signature\ | eval Session_Status="Audit ".status\ | eval Failure_Reason=if(Sub_Status=="0xC0000064","Non-Domain Account - ".Failure_Reason,Failure_Reason)\ | fields _time, host,src_ip,src_nt_host,Logon_User, status, Session_Status,signature,Failure_Reason,Logon_TypeName\ | stats count,values(Logon_TypeName) AS Logon_Type by _time, host,src_ip,src_nt_host,Logon_User, status, Session_Status,signature,Failure_Reason\ | eval Success_count=if(status=="success",1,0)\ | eval Failure_count=if(status=="failure",1,0)\ | join type=left Logon_User [| inputlookup AD_Obj_User | fields uac_details,sAMAccountName | rename sAMAccountName as Logon_User | table uac_details,Logon_User]\ | eval Failure_Reason=if(isnull(Failure_Reason) OR Failure_Reason=="Not In Event",status.": ".signature,status.": ".Failure_Reason)\ | fillnull value="Not Available" uac_details\ | eventstats count AS Failure_Reason_cnt by Failure_Reason,Logon_User\ | eventstats count AS src_ip_cnt by 
src_ip,Logon_User\ | eventstats count AS src_nt_host_cnt by src_nt_host,Logon_User\ | eval Failure_Reason="(".Failure_Reason_cnt.") - ".Failure_Reason\ | eval src_ip="(".src_ip_cnt.") - ".src_ip\ | eval src_nt_host="(".src_nt_host_cnt.") - ".src_nt_host\ | sort - src_ip_cnt, - src_nt_host_cnt\ | stats count AS Total_Attempts, sum(Success_count) AS Success_Count, sum(Failure_count) AS Failure_Count, values(Logon_Type) AS Logon_Types, values(Failure_Reason) AS Failure_Reason,values(src_ip) AS src_ip,values(src_nt_host) AS src_nt_host by Logon_User,uac_details\ | sort -Total_Attempts\ | makemv delim=":" uac_details\ | eval src_nt_host=mvsort(src_nt_host) [AD Objects - Audit - Critical Users - Events] action.email.useNSSubject = 1 alert.track = 0 dispatch.earliest_time = @d dispatch.latest_time = now display.page.search.mode = verbose display.visualizations.charting.chart = bar display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms_obj_win_events_security` [| inputlookup AD_Audit_Default_Critical_Objects\ | fields cn\ | join type=left cn [| inputlookup AD_Obj_User | fields cn, dn | table cn,dn]\ | eval user=if(cn="Administrator" OR cn="Guest","user=\"".cn,NULL),src_user=if(cn="Administrator" OR cn="Guest","src_user=\"".cn,NULL)\ | eval search=if(cn="Administrator" OR cn="Guest",dn,cn."|".dn)\ | makemv delim="|" search\ | eval search=mvappend(search,user,src_user)\ | stats values(search) AS search\ | search search=*\ | eval search=replace(replace("\"".mvjoin(search,"\" OR \"")."\"","\"user\=","user="),"\"src_user\=","src_user=")\ | table search] [AD Objects - Audit - Changes - Users] action.email.useNSSubject = 1 alert.track = 0 dispatch.earliest_time = -30d@d dispatch.latest_time = now display.general.type = statistics display.page.search.tab = statistics display.visualizations.charting.chart.showDataLabels = all display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects 
request.ui_dispatch_view = search search = `ms_obj_changes_base_cat("User")`\ | `ms_obj_md_user_change_cmb("AD_Obj_User")` [AD Objects - OU - GPO Linked] action.email.useNSSubject = 1 alert.track = 0 dispatch.earliest_time = @d dispatch.latest_time = now display.general.type = statistics display.page.search.mode = verbose display.page.search.tab = statistics display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = | inputlookup AD_Obj_OU WHERE gpo_link!=""\ | table OU,displayName,name,objectClass,distinguishedName,Linked_GPO,gpo_link,objectCategory,whenChanged,whenCreated\ | mvexpand gpo_link\ | join type=left gpo_link [|inputlookup AD_Obj_GPO | rename displayName AS Linked_GPO | table gpo_link,Linked_GPO]\ | stats values(Linked_GPO) AS Linked_GPO, values(gpo_link) AS gpo_link by OU,displayName,name,objectClass,distinguishedName,objectCategory,whenChanged,whenCreated\ | table OU,displayName,name,objectClass,distinguishedName,Linked_GPO,gpo_link,objectCategory,whenChanged,whenCreated [AD Objects - Audit - Changes - Computers] action.email.useNSSubject = 1 alert.track = 0 dispatch.earliest_time = -24h@h display.general.type = statistics display.page.search.tab = statistics display.visualizations.charting.chart.showDataLabels = all display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms_obj_changes_base_cat("Computer")`\ | `ms_obj_md_computer_change_cmb("AD_Obj_Computer")` [AD Objects - Audit - Created - Computers] action.email.useNSSubject = 1 alert.track = 0 dispatch.earliest_time = -24h@h display.general.type = statistics display.page.search.tab = statistics display.visualizations.charting.chart.showDataLabels = all display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms_obj_changes_base_cat_act("Computer","created")`\ | 
`ms_obj_md_computer_change_cmb("AD_Obj_Computer")` [AD Objects - Audit - Deleted - Computers] action.email.useNSSubject = 1 alert.track = 0 dispatch.earliest_time = -24h@h display.general.type = statistics display.page.search.tab = statistics display.visualizations.charting.chart.showDataLabels = all display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms_obj_changes_base_cat_act("Computer","deleted")`\ | `ms_obj_md_computer_change_cmb("AD_Obj_Computer")` [AD Objects - Audit - Undeleted - Computers] action.email.useNSSubject = 1 alert.track = 0 dispatch.earliest_time = -24h@h display.general.type = statistics display.page.search.tab = statistics display.visualizations.charting.chart.showDataLabels = all display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms_obj_changes_base_cat_act("Computer","undeleted")`\ | `ms_obj_md_computer_change_cmb("AD_Obj_Computer")` [AD Objects - Audit - Moved - Computers] action.email.useNSSubject = 1 alert.track = 0 dispatch.earliest_time = -24h@h dispatch.latest_time = now display.general.type = statistics display.page.search.tab = statistics display.visualizations.charting.chart.showDataLabels = all display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms_obj_changes_base_cat_act("Computer","moved")`\ | `ms_obj_md_computer_change_cmb("AD_Obj_Computer")` [AD Objects - Audit - Created - Users] action.email.useNSSubject = 1 alert.track = 0 dispatch.earliest_time = -24h@h display.general.type = statistics display.page.search.tab = statistics display.visualizations.charting.chart.showDataLabels = all display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = `ms_obj_changes_base_cat_act("User","created")`\ | `ms_obj_md_user_change_cmb("AD_Obj_User")` [AD Objects - 
Audit - Deleted - Users]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart.showDataLabels = all
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_changes_base_cat_act("User","deleted")` \
| `ms_obj_md_user_change_cmb("AD_Obj_User")`

# User objects with an "undeleted" action in the last 24h; same output macro as the deleted report.
[AD Objects - Audit - Undeleted - Users]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart.showDataLabels = all
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_changes_base_cat_act("User","undeleted")`\
| `ms_obj_md_user_change_cmb("AD_Obj_User")`

# User objects with a "moved" action.
# NOTE(review): dispatch.earliest_time = 0 makes this an all-time search on every dispatch;
# the sibling deleted/undeleted reports are bounded to -24h@h.
[AD Objects - Audit - Moved - Users]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = 0
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart.showDataLabels = all
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_changes_base_cat_act("User","moved")`\
| `ms_obj_md_user_change_cmb("AD_Obj_User")`

# Group membership change events; member_obj_lkp carries the lookup-resolved member
# produced by ms_obj_groupmembership_change_out.
# NOTE(review): all-time search (dispatch.earliest_time = 0).
[AD Objects - Audit - Changes - Group Membership]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = 0
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart.showDataLabels = all
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_changes_base_cat("Group Membership")`\
| `ms_obj_groupmembership_change_out`\
| rename group_obj_nm as "Target_Group",MSADGroupClass as "Class",msad_action AS "Action",member AS "Target Member",member_obj_lkp AS "Target Member Lookup",MSADGroupType as "Type",adminuser as "Admin User",MSADChanges as "Changes"

# Group objects created in the last 24h; the member list is dropped from the output.
[AD Objects - Audit - Created - Group]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart.showDataLabels = all
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_changes_base_cat_act("Group","created")` \
| `ms_obj_group_change_out`\
| fields - member\
| rename adminuser as "Administrator",msad_action as "Action",group_obj_nm as "Group Name",MSADGroupType as "Group Type",MSADGroupClass AS "Group Class",signature as "Changes"

# Group objects deleted in the last 24h.
[AD Objects - Audit - Deleted - Group]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart.showDataLabels = all
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_changes_base_cat_act("Group","deleted")`\
| `ms_obj_group_change_out`\
| fields - member\
| rename adminuser as "Administrator",msad_action as "Action",group_obj_nm as "Group Name",MSADGroupType as "Group Type",MSADGroupClass AS "Group Class",signature as "Changes"

# Group objects with an "undeleted" action in the last 24h.
[AD Objects - Audit - Undeleted - Group]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart.showDataLabels = all
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_changes_base_cat_act("Group","undeleted")`\
| `ms_obj_group_change_out`\
| fields - member\
| rename adminuser as "Administrator",msad_action as "Action",group_obj_nm as "Group Name",MSADGroupType as "Group Type",MSADGroupClass AS "Group Class",signature as "Changes"

# Group objects with a "moved" action.
# NOTE(review): all-time search (dispatch.earliest_time = 0), unlike the other group reports.
[AD Objects - Audit - Moved - Group]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = 0
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart.showDataLabels = all
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_changes_base_cat_act("Group","moved")` \
| `ms_obj_group_change_out`\
| fields - member\
| rename adminuser as "Administrator",msad_action as "Action",group_obj_nm as "Group Name",MSADGroupType as "Group Type",MSADGroupClass AS "Group Class",signature as "Changes"

# Security events scoped to the groups listed in AD_Audit_Default_Critical_Objects.
# The subsearch resolves each critical cn to its dn via the AD_Obj_Group lookup and
# returns the dn values in a field named "search" so that format emits them as the
# filter appended to the base macro (presumably as bare terms - confirm how DNs that
# contain commas and spaces are quoted).
# NOTE(review): "join type=left" followed by "search lkp_dn=*" silently drops any
# critical group whose cn is absent from AD_Obj_Group. A stale or incomplete lookup
# therefore produces a blind spot rather than an error; consider surfacing unresolved
# cn values separately.
# NOTE(review): all-time search (dispatch.earliest_time = 0) over the security event macro.
[AD Objects - Audit - Critical Groups - Events]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = 0
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.charting.chart = bar
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_win_events_security`\
[| inputlookup AD_Audit_Default_Critical_Objects\
| fields cn\
| join type=left cn [| inputlookup AD_Obj_Group | fields cn, dn | rename dn AS lkp_dn | table cn,lkp_dn]\
| search lkp_dn=*\
| stats values(lkp_dn) AS search\
| format]\
| `ms_obj_group_change_out`\
| rename adminuser as "Administrator",msad_action as "Action",group_obj_nm as "Target_Group",MSADGroupType as "Target Group Type",MSADGroupClass AS "Target Group Class",member AS "Target Member",MSADChanges as "Changes"

# Lookup-only report: groups with at least one member, expanded to user members (continues below).
[AD Objects - Group Lookup - Members and UsersList]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = 0
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart.showDataLabels = all
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = | inputlookup 
AD_Obj_Group WHERE membercount!="0"\ | fields cn,member,domain,dn,description,membercount\ | rename cn AS GroupName, domain AS GroupDomain,dn AS GroupDN\ | mvexpand member\ | lookup AD_Obj_User dn AS member OUTPUT distinguishedName AS member,dn AS UserDN,sAMAccountName AS User,domain AS UserDomain\ | eval User=if(isnull(User),NULL,UserDomain."\\".User)\ | fillnull value="" description, GroupDomain, GroupName, GroupDN,User,UserDN,UserDomain\ | stats max(membercount) AS membercount,list(member) AS member, list(User) AS User,list(UserDN) AS UserDN by GroupDN,GroupName, GroupDomain, description\ | eval User=mvfilter(User!=""),UserDN=mvfilter(UserDN!="")\ | eval UserCount=if(mvcount(User)>0,mvcount(User),0)\ | search UserCount>0 [AD Objects - Group Lookup - Members and ComputerList] action.email.useNSSubject = 1 dispatch.earliest_time = 0 display.general.type = statistics display.page.search.tab = statistics display.visualizations.charting.chart.showDataLabels = all display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = | inputlookup AD_Obj_Group WHERE membercount!="0"\ | fields cn,member,domain,dn,description,membercount\ | rename cn AS GroupName, domain AS GroupDomain,dn AS GroupDN\ | mvexpand member\ | lookup AD_Obj_Computer dn AS member OUTPUT distinguishedName AS member,dn AS ComputerDN,sAMAccountName AS Computer,domain AS ComputerDomain\ | eval User=if(isnull(User),NULL,UserDomain."\\".User),Computer=if(isnull(Computer),NULL,ComputerDomain."\\".Computer),EmbGroup=if(isnull(EmbGroup),NULL,EmbGroupDomain."\\".EmbGroup)\ | fillnull value="" description, GroupDomain, GroupName, GroupDN,Computer,ComputerDN,ComputerDomain\ | stats max(membercount) AS membercount,list(member) AS member,list(Computer) AS Computer,list(ComputerDN) AS ComputerDN by GroupDN,GroupName, GroupDomain, description\ | eval Computer=mvfilter(Computer!=""),ComputerDN=mvfilter(ComputerDN!="")\ | eval 
ComputerCount=if(mvcount(Computer)>0,mvcount(Computer),0)\ | search ComputerCount>0 [AD Objects - Group Lookup - Members and EmbGroupList] action.email.useNSSubject = 1 dispatch.earliest_time = 0 display.general.type = statistics display.page.search.tab = statistics display.visualizations.charting.chart.showDataLabels = all display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = | inputlookup AD_Obj_Group WHERE membercount!="0"\ | fields cn,member,domain,dn,description,membercount\ | rename cn AS GroupName, domain AS GroupDomain,dn AS GroupDN\ | mvexpand member\ | lookup AD_Obj_Group dn AS member OUTPUT distinguishedName AS member,dn AS EmbGroupDN,sAMAccountName AS EmbGroup,domain AS EmbGroupDomain\ | eval EmbGroup=if(isnull(EmbGroup),NULL,EmbGroupDomain."\\".EmbGroup)\ | fillnull value="" description, GroupDomain, GroupName, GroupDN,EmbGroup,EmbGroupDN,EmbGroupDomain\ | stats max(membercount) AS membercount,list(member) AS member,list(EmbGroup) AS EmbGroup,list(EmbGroupDN) AS EmbGroupDN by GroupDN,GroupName, GroupDomain, description\ | eval EmbGroup=mvfilter(EmbGroup!=""),EmbGroupDN=mvfilter(EmbGroupDN!="")\ | eval EmbGroupCount=if(mvcount(EmbGroup)>0,mvcount(EmbGroup),0)\ | search EmbGroupCount>0 [AD Objects - Group Lookup - Members List] action.email.useNSSubject = 1 alert.track = 0 dispatch.earliest_time = 0 display.general.type = statistics display.page.search.tab = statistics display.visualizations.charting.chart.showDataLabels = all display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = | inputlookup AD_Obj_Group WHERE membercount!="0"\ | rename cn AS GroupName\ | table GroupName, domain, groupType_Name,description, member [AD Objects - Group Lookup - Embedded In Group List] action.email.useNSSubject = 1 alert.track = 0 dispatch.earliest_time = 0 display.general.type = statistics display.page.search.tab = statistics 
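display.visualizations.charting.chart.showDataLabels = all
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = | inputlookup AD_Obj_Group\
| fields cn,dn,domain\
| lookup AD_Obj_Group member AS dn output cn AS Embedded_In_Group,distinguishedName AS Embedded_In_Group_DN\
| rename cn AS Group\
| eval Embedded_Group_Count=mvcount(Embedded_In_Group)\
| sort -Embedded_Group_Count\
| table Group, domain, dn,Embedded_Group_Count,Embedded_In_Group,Embedded_In_Group_DN

# Group-membership change events enriched with class/scope from the AD_Obj_Group lookup.
# FIX: both join subsearches renamed "distniguishedName" (typo). The lookup's
# distinguishedName was therefore never exposed as group_obj_dn and the first join
# (on group_obj_dn) could never match; corrected to distinguishedName.
# NOTE(review): "ObjectGUID" (capital O) is not kept by the preceding fields command,
# so the fallback branch of the objectGUID eval only ever yields null; left as-is.
# NOTE(review): no dispatch.earliest_time is set here, unlike the sibling searches;
# the time range comes from the caller.
[AD Objects - Group Lookup - Windows Security Membership Changes]
alert.suppress = 0
alert.track = 0
display.general.type = statistics
display.page.search.tab = statistics
request.ui_dispatch_view = search
search = `ms_obj_changes_base_cat("Group Membership")` \
| fields src_user,src_nt_domain,member_obj_domain,member_obj_id,member_obj_dn,member,MSADGroupClassID,MSADGroupClass,group_obj_dn,member_id,objectGUID,user_group,group_obj_nm,msad_action,MSADGroupType\
| eval adminuser=if(isnull(src_nt_domain),src_user,upper(src_nt_domain)."\\".src_user) \
| eval member=if(isnull(member_obj_domain),replace(member_obj_id,"\x5C{1}",""),member_obj_domain."\\".replace(member_obj_id,"\x5C{1}","")) \
| eval member=if(isnull(member),if(isnull(member_obj_dn),"NA",member_obj_dn),member) \
| lookup AD_Audit_Group_Type MSADGroupClassID OUTPUT MSADGroupClass \
| join type=left group_obj_dn \
[| inputlookup AD_Obj_Group \
| fields cn, MSADGroupClass,MSADGroupType, distinguishedName \
| rename distinguishedName AS group_obj_dn,cn AS group_obj_nm \
| table group_obj_dn,group_obj_nm,MSADGroupClass,MSADGroupType] \
| rex mode=sed field=member_id "s/\s/###/g" \
| makemv delim="###" member_id \
| eval member=if(isnull(member_id),member,member_id) \
| eval objectGUID=if(isnull(objectGUID),lower(ObjectGUID),lower(objectGUID)) \
| join type=left user_group \
[| inputlookup AD_Obj_Group \
| fields objectGUID, cn, MSADGroupClass,MSADGroupType, distinguishedName \
| rename distinguishedName AS group_obj_dn,cn AS user_group \
| table objectGUID,group_obj_dn,user_group,MSADGroupClass,MSADGroupType] \
| table _time,adminuser,MSADGroupClass,MSADGroupType,src_nt_domain,group_obj_nm,msad_action,member \
| rename adminuser as "Administrator",MSADGroupClass as "Type",MSADGroupType as "Scope",src_nt_domain as "Domain",group_obj_nm as "Group",msad_action as "Action",member as "Member" \
| sort -Group

# Current members of the groups flagged as critical (obj_type="group") in AD_Audit_Default_Critical_Objects.
[AD Objects - Group Lookup - Critical Members]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = 0
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart.showDataLabels = all
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = | inputlookup AD_Audit_Default_Critical_Objects WHERE obj_type="group"\
| fields cn\
| lookup AD_Obj_Group cn OUTPUT member\
| search member!=""\
| table cn,member

# All group object change events (any action); member_obj_lkp is dropped from the output.
# NOTE(review): all-time search (dispatch.earliest_time = 0).
[AD Objects - Audit - Changes - Group]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = 0
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart.showDataLabels = all
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_changes_base_cat("Group")` \
| `ms_obj_group_change_out`\
| fields - member_obj_lkp\
| rename adminuser as "Administrator",msad_action as "Action",group_obj_nm as "Group Name",MSADGroupType as "Group Type",MSADGroupClass AS "Group Class",signature as "Changes"

# OU move events with a "|"-delimited change summary that is split into a multivalue cell.
# FIX: the rex capture group had no name ("(?[^\,]+)" does not parse); restored as
# ou_name, the field the table and rename below consume.
# NOTE(review): all-time search (dispatch.earliest_time = 0).
[AD Objects - Audit - Moved - OU]
alert.track = 0
dispatch.earliest_time = 0
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.charting.chart = bar
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_changes_base_cat_act("OU","moved")`\
| eval dest_ou_dn=if(isnull(New_DN),DN,New_DN)\
| rex field=dest_ou_dn "(?i)ou\=(?<ou_name>[^\,]+)"\
| fillnull value="NA" signature,DN,Old_DN,New_DN,Correlation_ID\
| eval chg_summary="OU Moved:| - Event Correlation ID: ".Correlation_ID."| - From: ".Old_DN."| - To: ".New_DN\
| table _time,ou_name,dest_ou_dn,msad_action,EventCode,signature,src_nt_domain,src_user,chg_summary\
| makemv delim="|" chg_summary\
| rename msad_action AS "OU Action",src_nt_domain AS "Admin Domain",src_user AS "Admin User",ou_name AS OU,dest_ou_dn AS "OU DN",chg_summary AS "Change Details"

# Per-sourcetype totals and first/last seen times for the indexes named by ms_ad_obj_cfg_idx_base.
# FIX: a stray ", ," (empty aggregation argument) in the stats clause removed.
# NOTE(review): the index= argument is fed by a subsearch that returns a table of index
# names; confirm it expands into a form the metadata command accepts.
[AD Objects - App Health - Sourcetype Counts Windows]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = 0
display.events.fields = ["host","source","sourcetype","src_user","user_type","DN"]
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = | metadata type=sourcetypes index=[| `ms_ad_obj_cfg_idx_base`\
| mvexpand index\
| table index]\
| stats max(lastTime) AS lastTime, max(firstTime) AS firstTime, sum(totalCount) AS totalCount by sourcetype\
| sort -totalCount\
| eval totalCount=tostring(totalCount,"commas")\
| eval lastTime=strftime(lastTime,"%m/%d/%y %I:%M %P")\
| eval firstTime=strftime(firstTime,"%m/%d/%y %I:%M %P")

# Expands the "|"-delimited cmb field from ms_ad_obj_cfg_idx_data into one row per entry.
# NOTE(review): the two rex capture groups below have no names and will not parse as
# written. The pattern matches a "something(something)" entry; name the groups to match
# the fields the final table expects (sourcetype, and the per-entry count if that is what
# the parenthesised part holds) once cmb's layout is confirmed against the macro.
[AD Objects - App Health - Sourcetypes by Indexes]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = 0
display.events.fields = ["host","source","sourcetype","src_user","user_type","DN"]
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = | `ms_ad_obj_cfg_idx_data`\
| makemv delim="|" cmb\
| mvexpand cmb\
| rex field=cmb "(?[^\(]+)\((?[^\)]+)"\
| table index,sourcetype,Total_Events

[AD Objects - App Health - 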
Windows Index Details] action.email.useNSSubject = 1 alert.track = 0 dispatch.earliest_time = 0 display.events.fields = ["host","source","sourcetype","src_user","user_type","DN"] display.general.type = statistics display.page.search.mode = verbose display.page.search.tab = statistics display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = | rest /servicesNS/-/-/data/indexes count=0 splunk_server=local\ | table title, *\ | rename title AS index\ | join index [| `ms_ad_obj_cfg_idx_base`\ | mvexpand index\ | table index] [AD Objects - App Health - Macro Data Summary] action.email.useNSSubject = 1 alert.track = 0 dispatch.earliest_time = -30d@d dispatch.latest_time = now display.events.fields = ["host","source","sourcetype","src_user","user_type","DN"] display.general.type = statistics display.page.search.mode = verbose display.page.search.tab = statistics display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = | `ms_ad_obj_cfg_idx_base`\ | mvexpand index\ | join type=left index [| `ms_ad_obj_cfg_idx_avail` ]\ | join type=left index [| `ms_ad_obj_cfg_idx_data` ]\ | sort flag,-Total_Events\ | eval Total_Sourcetypes=if(isnull(cmb),0,mvcount(cmb))\ | fillnull 0 Total_Events,currentDBSizeMB\ | eval flag=if(isnull(index_flag),2,if(isnull(data_flag),1,0))\ | eval flag_msg=case(flag=2,"index Not Created: ".index,flag=1,"Missing Index Data: ".index,flag=0,"OK: ".index)\ | rename index as macro_index, cmb as sourcetypes\ | fillnull value=0 Total_Events,currentDBSizeMB\ | eval sourcetypes=if(isnull(sourcetypes),flag_msg,sourcetypes)\ | makemv delim="|" sourcetypes\ | sort -flag macro_name\ | table macro_name,macro_definition,macro_index,flag,flag_msg,Total_Events,currentDBSizeMB,sourcetypes [AD Objects - App Health - Macro Data Details] action.email.useNSSubject = 1 alert.track = 0 dispatch.earliest_time = -60m@m dispatch.latest_time = now 
display.events.fields = ["host","source","sourcetype","src_user","user_type","DN"] display.general.type = statistics display.page.search.mode = verbose display.page.search.tab = statistics display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = | `ms_ad_obj_cfg_idx_base` \ | mvexpand index \ | join type=left index \ [| `ms_ad_obj_cfg_idx_avail` ] \ | join type=left index \ [| `ms_ad_obj_cfg_idx_data` ] \ | sort flag,-Total_Events\ | eval Total_Sourcetypes=if(isnull(cmb),0,mvcount(cmb)) \ | fillnull 0 Total_Events,currentDBSizeMB \ | eval flag=if(isnull(index_flag),2,if(currentDBSizeMB<2,1,0)) \ | eval flag_msg=case(flag=2,"index Not Created: ".index,flag=1,"Missing Index Data: ".index,flag=0,"OK: ".index)\ | rename index as macro_index, cmb as sourcetypes \ | fillnull value=0 Total_Events,currentDBSizeMB \ | makemv delim="|" sourcetypes \ | eval Total_Sourcetypes=if(isnull(sourcetypes),0,mvcount(sourcetypes))\ | eval sourcetypes=if(isnull(sourcetypes),flag_msg,sourcetypes)\ | sort -flag macro_name \ | table macro_name,macro_definition,macro_index,flag,flag_msg,Total_Events,Total_Sourcetypes,currentDBSizeMB,sourcetypes [AD Objects - App Health - Slow SvdSrch Detail] action.email.useNSSubject = 1 alert.track = 0 dispatch.earliest_time = -24h@h dispatch.latest_time = now display.events.fields = ["host","source","sourcetype","user","user_obj_dn","LDAP_Display_Name"] display.general.type = statistics display.page.search.mode = verbose display.page.search.tab = statistics display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = index=_audit action=search info=completed savedsearch_name!=""\ | stats p95(total_run_time) as p95_time, max(total_run_time) AS max_time, avg(total_run_time) AS avg_time,count AS executions,values(search) AS search_text by app,savedsearch_name\ | eval avg_time=round(avg_time,2)\ | rex mode=sed field=search_text 
"s/(\'search\s+|\'$)//g"\ | sort -avg_time [AD Objects - App Health - Slow SvdSrch] action.email.useNSSubject = 1 alert.track = 0 dispatch.earliest_time = -24h@h dispatch.latest_time = now display.events.fields = ["host","source","sourcetype","user","user_obj_dn","LDAP_Display_Name"] display.general.type = statistics display.page.search.mode = verbose display.page.search.tab = statistics display.visualizations.show = 0 request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = index=_audit action=search info=completed savedsearch_name!=""\ | stats p95(total_run_time) as p95_time, max(total_run_time) AS max_time, avg(total_run_time) AS avg_time,count AS executions,avg(result_count) AS avg_result_count,avg(scan_count) AS avg_scan_count by app,savedsearch_name\ | eval avg_time=round(avg_time,2),avg_result_count=round(avg_result_count,2),avg_scan_count=round(avg_scan_count,2)\ | sort -avg_time [AD Objects - App Health - Slow SvdSrch Time] action.email.useNSSubject = 1 alert.track = 0 dispatch.earliest_time = -24h@h dispatch.latest_time = now display.events.fields = ["host","source","sourcetype","user","user_obj_dn","LDAP_Display_Name"] display.general.type = visualizations display.page.search.mode = verbose display.page.search.tab = visualizations display.statistics.show = 0 display.visualizations.charting.chart.stackMode = stacked request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = index=_audit action=search info=completed savedsearch_name!=""\ | eval time_val=strftime(_time,"%I %P"),time_srt=strftime(_time,"%H")\ | eval time_val="(".time_srt.") ".time_val\ | chart p95(total_run_time) AS p95_time over time_val by savedsearch_name\ | sort time_val ## Windows Registry Searches ## [AD Objects - Windows Registry - By Key Path Level] action.email.useNSSubject = 1 dispatch.earliest_time = -60m@m dispatch.latest_time = now display.events.fields = ["host","source","sourcetype","primaryGroupToken"] 
display.general.type = visualizations display.page.search.mode = verbose display.page.search.tab = visualizations display.statistics.show = 0 display.visualizations.charting.axisY2.enabled = 1 display.visualizations.charting.chart.stackMode = stacked request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = source="WinRegistry" registry_type!=baseline\ | fields object,key_path,registry_type\ | eval key_path_level=key_path\ | makemv delim="\\" key_path_level\ | eval base_path=if(isnull(mvindex(key_path_level,2)),mvindex(key_path_level,0)."\\".mvindex(key_path_level,1),mvindex(key_path_level,0)."\\".mvindex(key_path_level,1)."\\".mvindex(key_path_level,2))\ | stats count,values(registry_type) AS registry_types,values(base_path) AS base_paths by key_path_level,object\ | sort 0 -count\ | eval details="(".tostring(count,"commas").") Object: ".object." - Actions:".mvjoin(registry_types,", ")\ | stats list(details) AS Top_10_Object_Details, sum(count) AS Total_Count,values(base_paths) AS base_paths by key_path_level\ | sort -Total_Count\ | eval Top_10_Object_Details=mvindex(Top_10_Object_Details,0,9) [AD Objects - Windows Registry - Objects Values Hosts] action.email.useNSSubject = 1 dispatch.earliest_time = -60m@m dispatch.latest_time = now display.events.fields = ["host","source","sourcetype","primaryGroupToken"] display.general.type = visualizations display.page.search.mode = verbose display.page.search.tab = visualizations display.statistics.show = 0 display.visualizations.charting.axisY2.enabled = 1 display.visualizations.charting.chart.stackMode = stacked request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = source="WinRegistry" registry_type!=baseline\ | fields host,key_path, object, data, registry_type, _time\ | fillnull value="Empty" data \ | eventstats count as host_count by host,key_path, object, data, registry_type\ | eval host_info=host_count." 
- ".host\ | stats count,values(host_info) AS host_info by key_path, object, data, registry_type\ | sort -count\ | eval comb="(".tostring(count,"commas").") ".key_path." - ".object." - ".data \ | stats values(host_info) AS host_info,list(comb) AS Registry_Values, sum(count) As Total_Count by registry_type,object\ | eval host_info=mvsort(host_info)\ | sort -Total_Count [AD Objects - Windows Registry - Top 10 Objects by Type] action.email.useNSSubject = 1 dispatch.earliest_time = -60m@m dispatch.latest_time = now display.events.fields = ["host","source","sourcetype","primaryGroupToken"] display.general.type = visualizations display.page.search.mode = verbose display.page.search.tab = visualizations display.statistics.show = 0 display.visualizations.charting.axisY2.enabled = 1 display.visualizations.charting.chart.stackMode = stacked request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = source="WinRegistry" registry_type!=baseline\ | fields object, registry_type\ | stats count by registry_type,object\ | sort -count\ | eval object_info="(".tostring(count,"commas").") ".object\ | stats list(object_info) AS Top_10_Objects,sum(count) AS Total_Count by registry_type\ | eval Top_10_Objects=mvindex(Top_10_Objects,0,9)\ | sort -Total_Count [AD Objects - Windows Registry - Count by Object] action.email.useNSSubject = 1 dispatch.earliest_time = -60m@m dispatch.latest_time = now display.events.fields = ["host","source","sourcetype","primaryGroupToken"] display.general.type = visualizations display.page.search.mode = verbose display.page.search.tab = visualizations display.statistics.show = 0 display.visualizations.charting.axisY2.enabled = 1 display.visualizations.charting.chart.stackMode = stacked request.ui_dispatch_app = ms_windows_ad_objects request.ui_dispatch_view = search search = source="WinRegistry" registry_type!=baseline\ | fields object, registry_type\ | stats count by registry_type,object\ | sort -count\ | eval 
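type_info="(".tostring(count,"commas").") ".registry_type\
| stats list(type_info) AS Registry_Types,sum(count) AS Total_Count by object\
| sort -Total_Count

# Registry change counts per key_path with a per-type breakdown string.
[AD Objects - Windows Registry - Type by Key Path]
action.email.useNSSubject = 1
dispatch.earliest_time = -60m@m
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","primaryGroupToken"]
display.general.type = visualizations
display.page.search.mode = verbose
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.axisY2.enabled = 1
display.visualizations.charting.chart.stackMode = stacked
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = source="WinRegistry" registry_type!=baseline\
| fields key_path, registry_type\
| stats count by registry_type,key_path\
| sort -count\
| eval type_info="(".tostring(count,"commas").") ".registry_type\
| stats list(type_info) AS Registry_Types,sum(count) AS Total_Count by key_path\
| sort -Total_Count

# Registry change counts by top-level hive (key_path up to the first backslash).
# FIX: the rex capture group had no name; restored as root_hive, the field the stats
# by-clause below depends on.
[AD Objects - Windows Registry - Type by root_hive]
action.email.useNSSubject = 1
dispatch.earliest_time = -60m@m
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","primaryGroupToken"]
display.general.type = visualizations
display.page.search.mode = verbose
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.axisY2.enabled = 1
display.visualizations.charting.chart.stackMode = stacked
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = source="WinRegistry" registry_type!=baseline\
| fields object,key_path,registry_type,sourcetype\
| rex field=key_path "^(?<root_hive>[^\\\]+)"\
| stats dc(object) AS Object_Count,count by root_hive,registry_type,sourcetype\
| sort 0 -count\
| eval Registry_Types="(".tostring(count,"commas").") ".registry_type\
| stats list(Registry_Types) AS Registry_Types, sum(Object_Count) AS Object_Counts, sum(count) AS Total_Count by sourcetype,root_hive\
| sort -Total_Count

# Registry change counts by the first two path levels of key_path; falls back to the
# whole key_path when the pattern does not match.
# FIX: the rex capture group had no name; restored as sub_root_hive, which the eval and
# stats below consume.
[AD Objects - Windows Registry - Type by sub_root_hive]
description = Registry Type Counts by sub_root_hive
action.email.useNSSubject = 1
dispatch.earliest_time = -60m@m
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","primaryGroupToken"]
display.general.type = visualizations
display.page.search.mode = verbose
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.axisY2.enabled = 1
display.visualizations.charting.chart.stackMode = stacked
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = source="WinRegistry" registry_type!=baseline\
| fields object,key_path,registry_type\
| rex field=key_path "^(?<sub_root_hive>[\.A-Za-z0-9\-\_]+\\\\[\.A-Za-z0-9\-\_]+)(\\\\|$)"\
| eval sub_root_hive=if(isnull(sub_root_hive),key_path,sub_root_hive)\
| eval registry_type=if(isnull(registry_type),"NA",registry_type)\
| stats dc(object) AS Object_Count,count by sub_root_hive,registry_type\
| sort 0 -count\
| eval Registry_Types="(".tostring(count,"commas").") ".registry_type\
| stats list(Registry_Types) AS Registry_Types, sum(Object_Count) AS Object_Counts, sum(count) AS Total_Count by sub_root_hive\
| sort -Total_Count

# Splits key_path into root / second / third hive levels and counts objects per combination.
# NOTE(review): the stanza name is copied from the perfmon "Procces Threads" search and
# does not describe this query; left unchanged because dashboards may reference it by name.
# FIX: the four rex captures had no group names; restored in path-depth order as
# root_hive, sub_hive, sub_third_hive and other_ex_cmb_base_hive - exactly the fields the
# eval, fillnull and stats below consume.
[AD Objects - Windows Registry - Procces Threads]
action.email.useNSSubject = 1
dispatch.earliest_time = -60m@m
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","primaryGroupToken"]
display.general.type = visualizations
display.page.search.mode = verbose
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.axisY2.enabled = 1
display.visualizations.charting.chart.stackMode = stacked
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = source="WinRegistry" registry_type!=baseline\
| fields object,key_path,registry_type\
| rex field=key_path "^(?<root_hive>[^\\\$]+)"\
| rex field=key_path "^([\.A-Za-z0-9\-\_\s]+)\\\(?<sub_hive>[^\\\$]+)"\
| rex field=key_path "^([\.A-Za-z0-9\-\_\s]+)\\\([\.A-Za-z0-9\-\_\s]+)\\\(?<sub_third_hive>[^\\\$]+)"\
| rex field=key_path "^(?<other_ex_cmb_base_hive>[\.A-Za-z0-9\-\_\s]+\\\\[\.A-Za-z0-9\-\_]+($|\\\\[\.A-Za-z0-9\-\_\s]+))"\
| eval cmb_base_hive=if(isnull(sub_hive),root_hive,if(isnull(sub_third_hive),root_hive."\\".sub_hive,root_hive."\\".sub_hive."\\".sub_third_hive))\
| fillnull value=" " cmb_base_hive,root_hive,sub_hive,sub_third_hive,other_ex_cmb_base_hive\
| stats dc(object) AS Object_Count,count AS Total_Count by cmb_base_hive,root_hive,sub_hive,sub_third_hive,other_ex_cmb_base_hive\
| sort -Total_Count

# Rolls the hive levels up: third-level detail strings under each root/sub pair, then
# per-root totals.
# FIX: the same four capture-group names restored as in the previous stanza; the trailing
# comma in the first "by root_hive,sub_hive," clause removed.
# NOTE(review): fillnull writes a single space but the evals test for "" - the empty
# branch may never fire; confirm which sentinel is intended.
[AD Objects - Windows Registry - Third Level Analysis]
action.email.useNSSubject = 1
dispatch.earliest_time = -60m@m
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","primaryGroupToken"]
display.general.type = visualizations
display.page.search.mode = verbose
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.axisY2.enabled = 1
display.visualizations.charting.chart.stackMode = stacked
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = source="WinRegistry" registry_type!=baseline\
| fields object,key_path,registry_type\
| rex field=key_path "^(?<root_hive>[^\\\$]+)"\
| rex field=key_path "^([\.A-Za-z0-9\-\_\s]+)\\\(?<sub_hive>[^\\\$]+)"\
| rex field=key_path "^([\.A-Za-z0-9\-\_\s]+)\\\([\.A-Za-z0-9\-\_\s]+)\\\(?<sub_third_hive>[^\\\$]+)"\
| rex field=key_path "^(?<other_ex_cmb_base_hive>[\.A-Za-z0-9\-\_\s]+\\\\[\.A-Za-z0-9\-\_]+($|\\\\[\.A-Za-z0-9\-\_\s]+))"\
| eval cmb_base_hive=if(isnull(sub_hive),root_hive,if(isnull(sub_third_hive),root_hive."\\".sub_hive,root_hive."\\".sub_hive."\\".sub_third_hive))\
| fillnull value=" " cmb_base_hive,root_hive,sub_hive,sub_third_hive,other_ex_cmb_base_hive\
| stats dc(object) AS Object_Count,count AS count by cmb_base_hive,root_hive,sub_hive,sub_third_hive\
| sort -count\
| eval third_level_hives=if(sub_third_hive=="","","(Total: ".tostring(count,"commas")." - Objects:".Object_Count.") ".sub_third_hive)\
| eval cmb_base_hives=if(sub_third_hive=="","","(Total: ".tostring(count,"commas")." - Objects:".Object_Count.") ".cmb_base_hive)\
| stats list(third_level_hives) AS third_level_hives,list(cmb_base_hives) AS cmb_base_hives,sum(Object_Count) AS Object_Count,sum(count) AS count by root_hive,sub_hive\
| sort -count\
| eval sub_hives=if(sub_hive=="","","(Total: ".tostring(count,"commas")." - Objects:".Object_Count.") ".sub_hive)\
| stats list(sub_hives) AS sub_hives,values(third_level_hives) AS third_level_hives,values(cmb_base_hives) AS cmb_base_hives,sum(Object_Count) AS Total_Objects,sum(count) AS Total_Events by root_hive

###################################################################################
##### Search to fix Multi Value fields in tSessions and tHostInfo Lookups     #####
#####  - This is caused by incorrect regex for pulling the                    #####
#####    src_nt_domain and session_id in the Windows TA.                      #####
#####  - This app has the updated regex to fix it going forward               #####
#####    but this search can be used to update the tSessions                  #####
#####    Lookup that has the incorrect information before.                    #####
#####  - Uncomment to enable -                                                #####
###################################################################################
# NOTE(review): these one-off repairs rewrite the lookup in place (inputlookup ->
# outputlookup on the same file) and keep only the second token of each multivalue
# field. Take a copy of the lookup file first and dry-run without the final
# outputlookup to confirm the result before enabling.
##[ms_ad_obj_fix_multivalue_fields_in_tSessions_lookup]
##alert.digest_mode = True
##alert.suppress = 0
##search = | inputlookup tSessions\
##| rex mode=sed field=session_id "s/\s/###/g"\
##| makemv delim="###" session_id\
##| eval session_id=if(mvcount(session_id)>1,mvindex(session_id,1),session_id)\
##| rex mode=sed field=login_domain "s/\s/###/g"\
##| makemv delim="###" login_domain\
##| eval login_domain=if(mvcount(login_domain)>1,mvindex(login_domain,1),login_domain)\
##| outputlookup tSessions
##[ms_ad_obj_fix_multivalue_fields_in_tHostInfo_lookup]
##alert.digest_mode = True
##alert.suppress = 0
##search = | inputlookup tHostInfo\
##| rex mode=sed field=src_hostdomain "s/\s/###/g"\
##| makemv delim="###" src_hostdomain\
##| eval src_hostdomain=if(mvcount(src_hostdomain)>1,mvindex(src_hostdomain,1),src_hostdomain)\
##| rex mode=sed field=src_nt_domain "s/\s/###/g"\
##| makemv delim="###" src_nt_domain\
##| eval src_nt_domain=if(mvcount(src_nt_domain)>1,mvindex(src_nt_domain,1),src_nt_domain)\
##| outputlookup tHostInfo
###################################################################################
##### Search to reset the Environment Scope - In the Getting Started Wizard   #####
###################################################################################
# Resets the Getting Started Wizard scope; the actual work is done by the
# ms_obj_cfg_gs_reset macro (defined elsewhere in the app).
[ms_obj_reset_gs_cfg]
description = Search to reset the Environment Scope values set in the Getting Started Wizard
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = | `ms_obj_cfg_gs_reset`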