

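[AD Objects - Windows Performance - Process CPU]
# Stacked chart of per-process CPU share per host in 1-minute buckets over the
# last 15 minutes. Perfmon "% Processor Time" per instance is normalised against
# the sum of all process instances on the same host at the same _time, so each
# process shows its share of the host total rather than the raw counter value.
# Fixes applied: the `table` command carried an empty field name (",,"), and the
# eval rounded True_Percent_Total, a field that is never assigned (the computed
# field is Total_Host_Percent).
action.email.useNSSubject = 1
dispatch.earliest_time = -15m
dispatch.latest_time = now
display.general.type = visualizations
display.page.search.mode = verbose
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.axisTitleX.visibility = collapsed
display.visualizations.charting.axisY.maximumNumber = 100
display.visualizations.charting.chart.showDataLabels = all
display.visualizations.charting.chart.stackMode = stacked
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms__obj_win_perfmon_index` object="Process" counter="% Processor Time" instance!="_Total" instance!="Idle"\
| fields _time,host,object,counter,instance,Value\
| eventstats sum(Value) AS Total_Host_Value by host,_time\
| eventstats avg(Value) AS Avg_Process_Value,sum(Value) AS Process_Value by _time,host,instance\
| eval True_Process_Percent=(Process_Value/Total_Host_Value)*100\
| eventstats sum(True_Process_Percent) AS Total_Host_Percent by _time\
| eval True_Process_Percent=round(True_Process_Percent,2),Avg_Process_Value=round(Avg_Process_Value,2),Total_Host_Value=round(Total_Host_Value,2),Process_Value=round(Process_Value,2),Total_Host_Percent=round(Total_Host_Percent,2)\
| rename instance AS Process\
| table _time,host,counter,Process,Total_Host_Percent,Total_Host_Value,True_Process_Percent,Process_Value,Avg_Process_Value\
| chart span=1m avg(True_Process_Percent) AS Process_Percent over _time by Process\
| sort -_time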
[AD Objects - Windows Performance - Procces Threads]
# Stacked timechart per host over the last 60 minutes: distinct process count,
# average "% Processor Time" and the thread-count maximum, built from perfmon
# events by splitting the two counters into separate fields first.
# NOTE(review): the thread series is max(threads) but is labelled Avg_Threads,
# and the stanza name carries the "Procces" misspelling. Both are left as-is
# here because dashboards may reference them by name -- confirm before renaming.
action.email.useNSSubject = 1
dispatch.earliest_time = -60m@m
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","primaryGroupToken"]
display.general.type = visualizations
display.page.search.mode = verbose
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.axisY2.enabled = 1
display.visualizations.charting.chart.stackMode = stacked
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms__obj_win_perfmon_index` (host="*") instance!="idle" ((counter="% Processor Time" instance!="_Total") OR counter="Thread Count")\
| fields _time,host,counter,instance,Value\
| eval threads=if(counter="Thread Count", Value,NULL),proc_time=if(counter="% Processor Time",Value,NULL)\
| table _time,host,counter,instance,threads,proc_time\
| timechart dc(instance) AS Process_Count,avg(proc_time) AS Avg_CPU_Time,max(threads) AS Avg_Threads by host
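[AD Objects - Audit - Modified - Computers]
# Modified-computer audit over the last 24h: wraps the change-base macro for
# ("Computer","modified"), derives adminuser as DOMAIN\user when the source
# NT domain is known, then hands off to `ms_obj_computer_change_out`.
# Fix applied: `fields` dropped src_nt_domain before the adminuser eval read it,
# so isnull(src_nt_domain) was always true and the DOMAIN\user form was never
# produced. src_nt_domain is now kept, matching the Modified - Users stanza.
action.email.useNSSubject = 1
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart.showDataLabels = all
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_changes_base_cat_act("Computer","modified")`\
| fields _time, src_user, src_nt_domain, user, comp_obj_dn, comp_obj_sam,msad_action, MSADChanges, dest_nt_domain, signature, MSADChangedAttributes,AttributeLDAPDisplayName,AttributeValue,DN,dir_svcs_action\
| eval adminuser=if(isnull(src_nt_domain),src_user,upper(src_nt_domain)."\\".src_user)\
| `ms_obj_computer_change_out`\
| rename adminuser as "Admin User",user as "Target Computer",msad_action as "Action",dest_user_subject as "Target Computer ID",MSADChanges as "Changes"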
[AD Objects - Audit - Modified - Users]
# Modified-user audit over the last 24h: wraps the change-base macro for
# ("User","modified"), lets `ms_obj_user_change_out` build the change summary,
# then splits MSADChanges on the "########" delimiter into a multivalue field.
# No dispatch.latest_time is set here; sibling stanzas set it to `now`.
action.email.useNSSubject = 1
dispatch.earliest_time = -24h@h
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart.showDataLabels = all
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_changes_base_cat_act("User","modified")`\
| fields _time,user,src_user,src_nt_domain,dest_nt_domain,user_obj_guid,user_type,msad_action,signature,Correlation_ID,MSADChangedAttributes,AttributeLDAPDisplayName,AttributeValue,DN,dir_svcs_action,user_obj_dn,Old_DN,New_DN\
| `ms_obj_user_change_out`\
| table _time,adminuser,msad_action,user,dest_user_subject,Correlation_IDs,MSADChanges\
| makemv delim="########" MSADChanges\
| rename adminuser as "Administrator",msad_action as "Action",dest_user_subject as "Target User ID",MSADChanges as "Changes"
[AD Objects - Audit - Changes - Group All]
# Every group-object change, any action, over all time (earliest_time = 0).
# The category argument "Group*" presumably also matches the "Group Membership"
# category used by the two stanzas below -- verify against the macro definition.
# Output columns are shaped by `ms_obj_group_change_out`.
action.email.useNSSubject = 1
dispatch.earliest_time = 0
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart.showDataLabels = all
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_changes_base_cat("Group*")`\
| fields _time,_raw,member_obj_dn,member_obj_id,member_obj_domain,member_obj_class,src_user,src_nt_domain,group_obj_id,Group_Name,group_obj_nm,user_group,msad_action,MSADGroupClassID,MSADGroupType,MSADGroupClass,signature,Correlation_ID,MSADChangedAttributes,AttributeLDAPDisplayName,AttributeValue,DN,dir_svcs_action,Old_DN,New_DN\
| `ms_obj_group_change_out`\
| rename adminuser as "Administrator",msad_action as "Action",group_obj_nm as "Target_Group",MSADGroupType as "Target Group Type",MSADGroupClass AS "Target Group Class",member AS "Target Member",MSADChanges as "Changes"
[AD Objects - Audit - Changes - Group Membership Add]
# Group membership additions over all time (earliest_time = 0): who added
# which member to which group. Same field set and output macro as the
# "Group All" stanza; only the category/action filter differs.
action.email.useNSSubject = 1
dispatch.earliest_time = 0
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart.showDataLabels = all
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_changes_base_cat_act("Group Membership","added")`\
| fields _time,_raw,member_obj_dn,member_obj_id,member_obj_domain,member_obj_class,src_user,src_nt_domain,group_obj_id,Group_Name,group_obj_nm,user_group,msad_action,MSADGroupClassID,MSADGroupType,MSADGroupClass,signature,Correlation_ID,MSADChangedAttributes,AttributeLDAPDisplayName,AttributeValue,DN,dir_svcs_action,Old_DN,New_DN\
| `ms_obj_group_change_out`\
| rename adminuser as "Administrator",msad_action as "Action",group_obj_nm as "Target_Group",MSADGroupType as "Target Group Type",MSADGroupClass AS "Target Group Class",member AS "Target Member",MSADChanges as "Changes"
[AD Objects - Audit - Changes - Group Membership Remove]
# Group membership removals. Unlike the Add stanza (all time) this one defaults
# to the last 30 days (-30d@d); removals older than that are not shown unless
# the time picker is widened.
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.charting.chart.showDataLabels = all
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_changes_base_cat_act("Group Membership","removed")`\
| fields _time,_raw,member_obj_dn,member_obj_id,member_obj_domain,member_obj_class,src_user,src_nt_domain,group_obj_id,Group_Name,group_obj_nm,user_group,msad_action,MSADGroupClassID,MSADGroupType,MSADGroupClass,signature,Correlation_ID,MSADChangedAttributes,AttributeLDAPDisplayName,AttributeValue,DN,dir_svcs_action,Old_DN,New_DN\
| `ms_obj_group_change_out`\
| rename adminuser as "Administrator",msad_action as "Action",group_obj_nm as "Target_Group",MSADGroupType as "Target Group Type",MSADGroupClass AS "Target Group Class",member AS "Target Member",MSADChanges as "Changes"
## Group Membership ##
[AD Objects - Membership - All]
# Flattens AD_Obj_Group membership into one row per (member DN, group), then
# left-joins member details from the User, Computer and Group lookups in turn.
# The `makemv delim="####"` implies member is stored "####"-joined in the lookup.
# NOTE(review): each `join` subsearch is bounded by limits.conf ([join]
# subsearch_maxout, 50,000 by default), so in a large directory members beyond
# that limit silently lose their details -- confirm sizing for this deployment.
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = | inputlookup AD_Obj_Group WHERE member!=""\
| fields cn,displayName,distinguishedName,member,objectGUID\
| eval group_displayName=if(displayName="",cn,displayName)\
| makemv delim="####" member\
| rename cn AS group_cn,distinguishedName AS group_dn,objectGUID AS group_obj\
| stats values(cn) AS group_cn,values(group_displayName) AS group_displayName by member,group_dn,group_obj\
| join type=left member [ |inputlookup AD_Obj_User | fields distinguishedName,objectGUID,sAMAccountName,cn,objectClass,userPrincipalName| rename userPrincipalName AS member_email,objectClass AS member_class,distinguishedName AS member,objectGUID as member_obj,sAMAccountName AS member_user,cn AS member_cn | table member,member_obj,member_user,member_cn,member_class,member_email]\
| join type=left member [ |inputlookup AD_Obj_Computer | fields distinguishedName,objectGUID,sAMAccountName,cn,objectClass,userPrincipalName| rename userPrincipalName AS member_email,objectClass AS member_class,distinguishedName AS member,objectGUID as member_obj,sAMAccountName AS member_user,cn AS member_cn | table member,member_obj,member_user,member_cn,member_class,member_email]\
| join type=left member [ |inputlookup AD_Obj_Group | fields distinguishedName,objectGUID,sAMAccountName,cn,objectClass,userPrincipalName| rename userPrincipalName AS member_email,objectClass AS member_class,distinguishedName AS member,objectGUID as member_obj,sAMAccountName AS member_user,cn AS member_cn | table member,member_obj,member_user,member_cn,member_class,member_email]
[AD Objects - Membership - User]
# Per-user group list: direct membership is resolved by matching the user's
# distinguishedName against AD_Obj_Group.member, the primary group by matching
# primaryGroupID against AD_Obj_Group.primaryGroupToken; both are appended into
# Group / Group_dn. (alert.track sits after the request.* keys; order is
# irrelevant to Splunk.)
action.email.useNSSubject = 1
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
alert.track = 0
search = | inputlookup AD_Obj_User\
| lookup AD_Obj_Group member AS distinguishedName OUTPUT cn AS Group,distinguishedName AS Group_dn\
| lookup AD_Obj_Group primaryGroupToken AS primaryGroupID OUTPUT cn AS PrimaryGroup,distinguishedName AS PrimaryGroup_dn\
| eval Group=mvappend(Group,PrimaryGroup),Group_dn=mvappend(Group_dn,PrimaryGroup_dn)\
| table cn,sAMAccountName,userPrincipalName,distinguishedName,Group,Group_dn
[AD Objects - Membership - Computer]
# Per-computer group list; identical pipeline to the Membership - User stanza
# but driven from AD_Obj_Computer (direct membership via member DN, primary
# group via primaryGroupToken/primaryGroupID).
action.email.useNSSubject = 1
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = | inputlookup AD_Obj_Computer\
| lookup AD_Obj_Group member AS distinguishedName OUTPUT cn AS Group,distinguishedName AS Group_dn\
| lookup AD_Obj_Group primaryGroupToken AS primaryGroupID OUTPUT cn AS PrimaryGroup,distinguishedName AS PrimaryGroup_dn\
| eval Group=mvappend(Group,PrimaryGroup),Group_dn=mvappend(Group_dn,PrimaryGroup_dn)\
| table cn,sAMAccountName,userPrincipalName,distinguishedName,Group,Group_dn
[AD Objects - Membership - Group]
# Nested groups: which groups each group is itself a member of. Same pipeline
# as the User/Computer stanzas but driven from AD_Obj_Group, and rows with no
# parent group are dropped by the trailing `search Group!=""`.
action.email.useNSSubject = 1
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = | inputlookup AD_Obj_Group\
| lookup AD_Obj_Group member AS distinguishedName OUTPUT cn AS Group,distinguishedName AS Group_dn\
| lookup AD_Obj_Group primaryGroupToken AS primaryGroupID OUTPUT cn AS PrimaryGroup,distinguishedName AS PrimaryGroup_dn\
| eval Group=mvappend(Group,PrimaryGroup),Group_dn=mvappend(Group_dn,PrimaryGroup_dn)\
| table cn,sAMAccountName,userPrincipalName,distinguishedName,Group,Group_dn\
| search Group!=""
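[AD Objects - Membership - Individual Group]
# Per-group membership view over AD_Obj_Group: each member DN is resolved
# against the User, Group and Computer lookups, and primary-group members
# (lookup primaryGroupID = this group's primaryGroupToken) are appended to the
# direct members with mvappend.
# Fixes applied: the primary-group user lookup wrote cn to Member_User_cn
# instead of Member_User_cn_pg (overwriting the direct-member cn and leaving
# the _pg field the later eval reads empty); the Computer merge fell back to
# Member_User_cn and Member_User_dn_pg instead of the Computer fields;
# `Member_User_emai` typo; `Group` was listed twice in the table.
action.email.useNSSubject = 1
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = | inputlookup AD_Obj_Group\
| lookup AD_Obj_User distinguishedName AS member OUTPUT userPrincipalName AS Member_User_email,sAMAccountName AS Member_User_ID,cn AS Member_User_cn,distinguishedName AS Member_User_dn,objectClass AS Member_User_class\
| lookup AD_Obj_User primaryGroupID AS primaryGroupToken OUTPUT userPrincipalName AS Member_User_email_pg,sAMAccountName AS Member_User_ID_pg,cn AS Member_User_cn_pg,distinguishedName AS Member_User_dn_pg,objectClass AS Member_User_class_pg\
| lookup AD_Obj_Group distinguishedName AS member OUTPUT sAMAccountName AS Member_Group_ID,cn AS Member_Group_cn,distinguishedName AS Member_Group_dn,objectClass AS Member_Group_class\
| lookup AD_Obj_Computer distinguishedName AS member OUTPUT sAMAccountName AS Member_Computer_ID,cn AS Member_Computer_cn,distinguishedName AS Member_Computer_dn,objectClass AS Member_Computer_class\
| lookup AD_Obj_Computer primaryGroupID AS primaryGroupToken OUTPUT sAMAccountName AS Member_Computer_ID_pg,cn AS Member_Computer_cn_pg,distinguishedName AS Member_Computer_dn_pg,objectClass AS Member_Computer_class_pg\
| eval Group=if(displayName="",cn,displayName)\
| eval Member_User_email=if(Member_User_email_pg="",Member_User_email,mvappend(Member_User_email,Member_User_email_pg)),Member_User_ID=if(Member_User_ID_pg="",Member_User_ID,mvappend(Member_User_ID,Member_User_ID_pg)),Member_User_cn=if(Member_User_cn_pg="",Member_User_cn,mvappend(Member_User_cn,Member_User_cn_pg)),Member_User_dn=if(Member_User_dn_pg="",Member_User_dn,mvappend(Member_User_dn,Member_User_dn_pg)),Member_User_class=if(Member_User_class_pg="",Member_User_class,mvappend(Member_User_class,Member_User_class_pg))\
| eval Member_Computer_ID=if(Member_Computer_ID_pg="",Member_Computer_ID,mvappend(Member_Computer_ID,Member_Computer_ID_pg)),Member_Computer_cn=if(Member_Computer_cn_pg="",Member_Computer_cn,mvappend(Member_Computer_cn,Member_Computer_cn_pg)),Member_Computer_dn=if(Member_Computer_dn_pg="",Member_Computer_dn,mvappend(Member_Computer_dn,Member_Computer_dn_pg)),Member_Computer_class=if(Member_Computer_class_pg="",Member_Computer_class,mvappend(Member_Computer_class,Member_Computer_class_pg))\
| table Group,sAMAccountName,distinguishedName,member,Member_User_cn,Member_User_ID,Member_User_dn,Member_User_class,Member_Computer_cn,Member_Computer_ID,Member_Computer_dn,Member_Computer_class,Member_Group_cn,Member_Group_ID,Member_Group_class\
| rename sAMAccountName AS Group_ID, distinguishedName AS Group_dn,member AS Current_Members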
[temp_build_inputs_lookup]
# One-off build helper, not scheduled: parses inputs.conf-style text held in
# the hard-coded index=temp into one row per stanza key (stanza, type from the
# ##Header##/##SubHeader## markers, key, value) plus editable placeholder
# columns, and writes the result to ms_ad_obj_inputs_vals.csv with
# outputlookup, replacing the CSV's previous contents on each run.
action.email.useNSSubject = 1
dispatch.earliest_time = 0
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.charting.chart = bar
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = index=temp | rex "(?msi)(?:\[)(?<input_stanza>[^\]]+)\](\r|\n)(?<input_setting_ex>.*)(\r|\n|$)"\
| rex "(?msi)(?:##Header##) (?<input_type>[^(\r|\n|#)]+)"\
| rex "(?msi)(?:##SubHeader(##\s|\s+))(?<input_sub_type>[^(\r|\n|#)]+)"\
| eval input_setting=replace(input_setting_ex,"(\r|\n)","#DIV#")\
| makemv delim="#DIV#" input_setting_ex\
| rex field=input_stanza "^(?<input_stanza_type>[^(\:|\/)]+)"\
| eval input_type=if(input_type=="Splunk 5.0+ Performance Counters ","Performance Counters",if(input_stanza=="script://.\bin\win_timesync_status.bat","TimeSync Status Script",input_type))\
| eval input_description=if(isnull(input_sub_type),input_stanza_type." - ".input_type,input_stanza_type." - ".input_type." - ".input_sub_type)\
| mvexpand input_setting_ex\
| search input_setting_ex!="##*"\
| rex field=input_setting_ex "^(?<input_key>[^\=]+)\=(?<input_value>[^$]+)"\
| eval input_key=trim(input_key),input_value=trim(input_value)\
| eval recommended_value=input_value,can_edit="false",win_vers_filt="",target_group="AD/DNS or Base Windows",special_config_notes=""\
| table input_stanza_type,input_stanza,input_description,input_key,input_value,input_setting_ex,recommended_value,can_edit,win_vers_filt,target_group,special_config_notes\
| outputlookup ms_ad_obj_inputs_vals.csv
[AD Objects - File ACL - Full List]
# Expands WinDirAcl events into one row per ACE: every "[...]" block in the raw
# event is captured (rex max_match=0) and mvexpanded, then identity, rights,
# allow/deny type and inheritance/propagation flags are extracted as columns
# alongside the object's path, size and directory/file counts.
action.email.useNSSubject = 1
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.charting.chart = bar
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms__obj_win_api_index` sourcetype="WinDirAcl"\
| rex max_match=0 "(?:\[)(?<object_acls>[^\]]+)"\
| mvexpand object_acls\
| rex "IdentityReference\"\:\"(?<IdentityReference>[^\"]+)\"\,\"FileSystemRights\"\:\"(?<FileSystemRights>[^\"]+)\"\,\"AccessControlType\"\:\"(?<AccessControlType>[^\"]+)\"\,\"IsInherited\"\:\"(?<IsInherited>[^\"]+)\"\,\"InheritanceFlags\"\:\"(?<InheritanceFlags>[^\"]+)\"\,\"PropagationFlags\"\:\"(?<PropagationFlags>[^\"]+)"\
| table object_path,object_last_mod_time,object_size,object_dir_cnt,object_file_cnt,object_acls,IdentityReference,FileSystemRights,AccessControlType,IsInherited,InheritanceFlags,PropagationFlags
[AD Objects - File ACL - Summary]
# Same ACE expansion as the Full List, then rolls up by IdentityReference and
# "( AccessControlType ) FileSystemRights": the paths each identity holds that
# right on, with summed size and directory/file counts. Missing fields are
# filled with "NA" before the stats so no row is dropped from the grouping.
# NOTE(review): Total_Size divides object_size by 1024 and labels it MB, which
# is only correct if object_size is reported in KiB -- confirm the unit the
# WinDirAcl collector emits.
action.email.useNSSubject = 1
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.charting.chart = bar
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms__obj_win_api_index` sourcetype="WinDirAcl"\
| rex max_match=0 "(?:\[)(?<object_acls>[^\]]+)"\
| mvexpand object_acls\
| rex "IdentityReference\"\:\"(?<IdentityReference>[^\"]+)\"\,\"FileSystemRights\"\:\"(?<FileSystemRights>[^\"]+)\"\,\"AccessControlType\"\:\"(?<AccessControlType>[^\"]+)\"\,\"IsInherited\"\:\"(?<IsInherited>[^\"]+)\"\,\"InheritanceFlags\"\:\"(?<InheritanceFlags>[^\"]+)\"\,\"PropagationFlags\"\:\"(?<PropagationFlags>[^\"]+)"\
| table object_path,object_last_mod_time,object_size,object_dir_cnt,object_file_cnt,object_acls,IdentityReference,FileSystemRights,AccessControlType,IsInherited,InheritanceFlags,PropagationFlags\
| eval ACL_Type="( ".AccessControlType." ) ".FileSystemRights, Object_Paths=object_path." (SubDir: ".object_dir_cnt.", Files: ".object_file_cnt." )"\
| fillnull value="NA" object_path,object_last_mod_time,object_size,object_dir_cnt,object_file_cnt,object_acls,IdentityReference,FileSystemRights,AccessControlType,IsInherited,InheritanceFlags,PropagationFlags,ACL_Type\
| stats values(Object_Paths) AS Object_Paths,sum(object_size) AS Total_Size,sum(object_dir_cnt) As Total_Directories,sum(object_file_cnt) AS Total_Files by IdentityReference,ACL_Type\
| eval Total_Size=tostring(Total_Size/1024,"commas")." MB"
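[AD Objects - File Audit - Detailed View]
# File System object-access audit for today (@d): one row per (user, path,
# signature) with the change history, the Windows event IDs/record numbers and
# the first change time, user names resolved to cn via AD_Obj_User.
# Coverage note: the base filter excludes Read*, Execute/Traverse and
# SYNCHRONIZE accesses and keeps only user_type="user", so read-only access and
# computer/service account activity are not shown here.
# Fixes applied: First_Change_Time was taken as min() of an already formatted
# "%m-%d-%Y ..." string and sorted as text, which orders wrongly once the time
# range spans more than one month/year -- it is now computed and sorted on the
# epoch value and formatted afterwards; `sort 0` lifts the 10,000-row default
# cap; the trailing comma in `table` and two dead evals (Change_Type is never
# assigned, and signature is already defaulted to "NA" two lines earlier, with
# Message dropped by `fields` anyway) are removed.
action.email.useNSSubject = 1
dispatch.earliest_time = @d
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","primaryGroupToken"]
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_win_events_security` Object_Server="Security" TaskCategory="File System" Accesses!="Read*" Accesses!="Execute/Traverse" Accesses!="SYNCHRONIZE" user_type="user"\
| fields _time,EventCode,Object_Name,Accesses,Account_Name,RecordNumber,user,src_user,signature\
| eval Object_Path=Object_Name, temp=_time, signature=if(isnull(signature),"NA",signature)\
| eval user=if(isnull(user),lower(src_user),lower(user))\
| convert timeformat="%m-%d-%Y %H:%M:%S" ctime(temp) AS eventtimes \
| eval history=eventtimes."(User: ".Account_Name." Type:".Accesses.")"\
| stats values(history) as Change_History, values(EventCode) as Win_Event_IDs, values(RecordNumber) as Win_Event_Record, min(temp) as First_Change_Time by user,Object_Path,signature \
| lookup AD_Obj_User lookup_usr AS user OUTPUT cn\
| eval user=if(isnull(cn),user,cn." (".user.")")\
| eval Win_Event_Records=mvjoin(Win_Event_Record,", ") \
| eval Win_Event_IDs=mvjoin(Win_Event_IDs,", ") \
| sort 0 First_Change_Time\
| convert timeformat="%m-%d-%Y %H:%M:%S" ctime(First_Change_Time)\
| table First_Change_Time, Object_Path, signature,user, Win_Event_IDs, Win_Event_Records, Change_History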
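[AD Objects - File Audit - Top 10 Obj Path]
# Per user, the ten most-accessed (path, access type) pairs today with the
# user's total event count; user names resolved to cn via AD_Obj_User.
# Coverage note: Read*, Execute/Traverse and SYNCHRONIZE accesses and non-user
# account types are excluded by the base filter.
# Fixes applied: `sort 0 -count` lifts the 10,000-row default cap on the
# pre-aggregation sort, which could otherwise silently drop counted rows; the
# unused `temp` and `signature` assignments (signature was already removed by
# `fields`, so it was always "NA" and never output) are dropped.
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = @d
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","primaryGroupToken"]
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_win_events_security` Object_Server="Security" TaskCategory="File System" Accesses!="Read*" Accesses!="Execute/Traverse" Accesses!="SYNCHRONIZE" user_type="user"\
| fields _time,EventCode,Object_Name,Accesses,Account_Name,user,src_user\
| eval Object_Path=Object_Name\
| eval user=if(isnull(user),lower(src_user),lower(user))\
| stats count by Accesses,Object_Path,user\
| sort 0 -count\
| eval cmb=count." - ".Object_Path." (".Accesses.")"\
| stats sum(count) AS Total_Events,list(cmb) AS Top_10_Object_Details by user\
| lookup AD_Obj_User lookup_usr AS user OUTPUT cn\
| eval user=if(isnull(cn),user,cn." (".user.")"),Top_10_Object_Details=mvindex(Top_10_Object_Details,0,9)\
| table user, Top_10_Object_Details, Total_Events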
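[AD Objects - File Audit - Top 10 User and Obj Path]
# Per object path, the ten users with the most accesses today (with access
# type) and the path's total event count, ordered by busiest path.
# Coverage note: Read*, Execute/Traverse and SYNCHRONIZE accesses and non-user
# account types are excluded by the base filter.
# Fixes applied: `sort 0 -count` lifts the 10,000-row default cap on the
# pre-aggregation sort so no counted rows are silently dropped; the unused
# `temp` and `signature` assignments are removed (signature is not kept by
# `fields` and is never output).
action.email.useNSSubject = 1
dispatch.earliest_time = @d
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","primaryGroupToken"]
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_win_events_security` Object_Server="Security" TaskCategory="File System" Accesses!="Read*" Accesses!="Execute/Traverse" Accesses!="SYNCHRONIZE" user_type="user"\
| fields Object_Name,Accesses,Account_Name,user,src_user\
| eval Object_Path=Object_Name\
| eval user=if(isnull(user),lower(src_user),lower(user))\
| stats count by Accesses,Object_Path,user\
| sort 0 -count\
| lookup AD_Obj_User lookup_usr AS user OUTPUT cn\
| eval user=if(isnull(cn),user,cn." (".user.")")\
| eval cmb=count." - ".user." (".Accesses.")"\
| stats sum(count) AS Total_Events,list(cmb) AS cmb by Object_Path\
| eval Top_10_User_Details=mvindex(cmb,0,9)\
| table Object_Path, Top_10_User_Details, Total_Events\
| sort -Total_Events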
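[AD Objects - File Audit - Top 10 Path and Type]
# Per (user, access type), the ten most-touched object paths today and the
# pair's total event count, ordered by busiest pair.
# Coverage note: Read*, Execute/Traverse and SYNCHRONIZE accesses and non-user
# account types are excluded by the base filter.
# Fixes applied: `sort 0 -count` lifts the 10,000-row default cap on the
# pre-aggregation sort so no counted rows are silently dropped; the unused
# `temp` and `signature` assignments are removed (signature is not kept by
# `fields` and is never output).
action.email.useNSSubject = 1
dispatch.earliest_time = @d
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","primaryGroupToken"]
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_win_events_security` Object_Server="Security" TaskCategory="File System" Accesses!="Read*" Accesses!="Execute/Traverse" Accesses!="SYNCHRONIZE" user_type="user"\
| fields Object_Name,Accesses,Account_Name,user,src_user\
| eval Object_Path=Object_Name\
| eval user=if(isnull(user),lower(src_user),lower(user))\
| stats count by Accesses,Object_Path,user\
| sort 0 -count\
| lookup AD_Obj_User lookup_usr AS user OUTPUT cn\
| eval user=if(isnull(cn),user,cn." (".user.")")\
| eval cmb=count." - ".Object_Path\
| stats sum(count) AS Total_Events,list(cmb) AS cmb by Accesses,user\
| eval Top_10_Type_Details=mvindex(cmb,0,9)\
| table user,Accesses, Top_10_Type_Details, Total_Events\
| sort -Total_Events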
[AD Objects - Config - KVstore - Configuration]
# Lists the KV Store collection definitions owned by this app via the REST
# collections/config endpoint (filtered on eai:acl.app). This returns the
# collection configuration (title plus all attributes), not the stored rows,
# and is subject to the REST permissions of the user running the search.
action.email.useNSSubject = 1
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.charting.chart = bar
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = | rest /servicesNS/-/ms_windows_ad_objects/storage/collections/config\
| search eai:acl.app="ms_windows_ad_objects"\
| table title,*\
| sort title
#################################################################
##### admon Verify and Viewing data Searches #####
#################################################################
[AD Objects - Verify Baseline Data - Completed]
# Baseline-completion check: counts the admon sync events returned by the
# macro in 30-second buckets over the last 6 minutes.
# NOTE(review): dispatch.latest_time = 0 is unusual next to a relative earliest
# (-6m); every other stanza in this file uses `now` -- confirm it is intended.
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -6m
dispatch.latest_time = 0
display.general.type = visualizations
display.page.search.tab = visualizations
display.visualizations.charting.chart.showDataLabels = all
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_admon_get_sync_cnt(ms_obj_admon_base_a_obj)`\
| timechart span=30s count
[AD Objects - Verify Baseline Data - Overall]
# Raw output of the admon sync-count macro for the base object set; no time
# range is set here, so the time picker governs what is counted.
action.email.useNSSubject = 1
alert.track = 0
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_admon_get_sync_cnt(ms_obj_admon_base_a_obj)`
[AD Objects - Verify Baseline Data - ManualTime]
# Variant of the Overall check using the `_nt` form of the sync-count macro
# (presumably "no time" -- the macro sets its own range; verify in macros.conf).
action.email.useNSSubject = 1
alert.track = 0
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_admon_get_sync_cnt_nt(ms_obj_admon_base_a_obj)`
#################################################################
##### Object Lookup Build/Update/Migrate Adhoc Searches #####
#################################################################
## - Migrate CSV Lookup to KVStore Lookups
## - Example - Migrate User - `ms_obj_admon_migrate_out(user,User)`
## - Example - Migrate Group - `ms_obj_admon_migrate_out(group,Group)`
## - Example - Migrate Computer - `ms_obj_admon_migrate_out(computer,Computer)`
## - Example - Migrate OU - `ms_obj_admon_migrate_out(ou,OU)`
## - Example - Migrate GPO - `ms_obj_admon_migrate_out(gpo,GPO)`
#################################################################
##------- Domain Lookup (AD_Obj_Domain) Build/Update/Migrate -------##
## Domain - Adhoc Update
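[AD_Obj_Domain_Update]
# Scheduled every 10 minutes on the hour (:00,:10,...) over a 15-minute window
# and once at scheduler start-up; keeps the AD_Obj_Domain lookup in sync via
# `ms_obj_admon_upd_domain`. The minute offset differs from the Group (:05),
# User (:01), Computer (:03) and OU (:07) updates, which appears to stagger the
# KV Store writes.
# Fixes applied: the description was copied from the User update and named the
# wrong object; run_on_startup now uses `true` like the other *_Update stanzas.
alert.suppress = 0
alert.track = 0
cron_schedule = 00,10,20,30,40,50 * * * *
description = Scheduled Search for picking up Domain AD Object Updates, then syncing the AD_Obj_Domain Lookup Table
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
display.general.type = statistics
display.page.search.tab = statistics
enableSched = 1
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
run_on_startup = true
search = `ms_obj_admon_upd_domain`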
##------- Group Lookup (AD_Obj_Group) Build and Update -------##
## Group - Adhoc Build/Update/Migrate ##
[AD_Obj_Group_ReBuild]
# Ad hoc (enableSched = 0, not run on start-up) full rebuild of the
# AD_Obj_Group KV Store lookup from the most recent admon baseline; replaces
# the lookup's current contents, so run deliberately.
alert.suppress = 0
alert.track = 0
description = Search for Rebuilding the AD_Obj_Group Lookup in the KV Store. This will replace the data currently in the lookup with all new values from the last time the admon baseline was collected.
dispatch.earliest_time = 0
dispatch.latest_time = now
enableSched = 0
run_on_startup = false
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_admon_bld_init_out(group,Group)`
disabled = 0
## Group - Adhoc Migrate from CSV ##
[AD_Obj_Group_Migrate]
# Ad hoc one-time migration of the legacy AD_Groups_LDAP_list.csv lookup into
# the AD_Obj_Group KV Store collection; not scheduled.
alert.suppress = 0
alert.track = 0
description = Search for Migrating from AD_Groups_LDAP_list.csv to the AD_Obj_Group Lookup in the KV Store.
dispatch.earliest_time = 0
dispatch.latest_time = now
enableSched = 0
run_on_startup = false
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_admon_migrate_out(group,Group)`
disabled = 0
#- Group - Scheduled Search - New, Updated, Deleted,Moved -#
[AD_Obj_Group_Update]
# Scheduled every 10 minutes (:05,:15,...) over a 15-minute window and once at
# scheduler start-up: applies new/updated/deleted/moved group objects from
# admon to the AD_Obj_Group lookup. The 15-minute window on a 10-minute cadence
# overlaps, presumably to tolerate late-arriving events.
alert.suppress = 0
alert.track = 0
cron_schedule = 05,15,25,35,45,55 * * * *
description = Scheduled Search for picking up Group AD Object Updates,New,Deleted,Moved then syncing AD_Obj_Group Lookup Table
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
enableSched = 1
run_on_startup = true
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_admon_bld_upd_out(group,Group)`
disabled = 0
##------- User Lookup (AD_Obj_User) Build/Update/Migrate -------##
## Users - Adhoc Initial/Rebuild ##
[AD_Obj_User_ReBuild]
# Ad hoc (enableSched = 0, not run on start-up) full rebuild of the
# AD_Obj_User KV Store lookup from the most recent admon baseline; replaces
# the lookup's current contents.
alert.suppress = 0
alert.track = 0
description = Search for Rebuilding the AD_Obj_User Lookup in the KV Store. This will replace the data currently in the lookup with all new values from the last time the admon baseline was collected.
dispatch.earliest_time = 0
dispatch.latest_time = now
enableSched = 0
run_on_startup = false
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_admon_bld_init_out(user,User)`
disabled = 0
## User - Adhoc Migrate from CSV ##
[AD_Obj_User_Migrate]
# Ad hoc one-time migration of the legacy AD_User_LDAP_list.csv lookup into
# the AD_Obj_User KV Store collection; not scheduled.
alert.suppress = 0
alert.track = 0
description = Search for Migrating from AD_User_LDAP_list.csv to the AD_Obj_User Lookup in the KV Store.
dispatch.earliest_time = 0
dispatch.latest_time = now
enableSched = 0
run_on_startup = false
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_admon_migrate_out(user,User)`
disabled = 0
#- Users - Scheduled Search - New, Updated, Deleted,Moved -#
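[AD_Obj_User_Update]
# Scheduled every 10 minutes (:01,:11,...) over a 15-minute window and once at
# scheduler start-up: applies new/updated/deleted/moved user objects from admon
# to the AD_Obj_User lookup. The minute offset is staggered against the Group
# (:05), Computer (:03), OU (:07) and Domain (:00) updates.
# Fix applied: the description was copied from the Group update and named the
# wrong object type.
alert.suppress = 0
alert.track = 0
cron_schedule = 01,11,21,31,41,51 * * * *
description = Scheduled Search for picking up User AD Object Updates,New,Deleted,Moved then syncing AD_Obj_User Lookup Table
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
enableSched = 1
run_on_startup = true
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_admon_bld_upd_out(user,User)`
disabled = 0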
##------- Computer Lookup (AD_Obj_Computer) Build and Update -------##
## Computers - Adhoc Initial/Rebuild ##
[AD_Obj_Computer_ReBuild]
# Ad hoc (enableSched = 0, not run on start-up) full rebuild of the
# AD_Obj_Computer KV Store lookup from the most recent admon baseline;
# replaces the lookup's current contents.
alert.suppress = 0
alert.track = 0
description = Search for Rebuilding the AD_Obj_Computer Lookup in the KV Store. This will replace the data currently in the lookup with all new values from the last time the admon baseline was collected.
dispatch.earliest_time = 0
dispatch.latest_time = now
enableSched = 0
run_on_startup = false
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_admon_bld_init_out(computer,Computer)`
disabled = 0
## Computer - Adhoc Migrate from CSV ##
[AD_Obj_Computer_Migrate]
# Ad hoc one-time migration of the legacy AD_Computer_LDAP_list.csv lookup
# into the AD_Obj_Computer KV Store collection; not scheduled.
alert.suppress = 0
alert.track = 0
description = Search for Migrating from AD_Computer_LDAP_list.csv to the AD_Obj_Computer Lookup in the KV Store.
dispatch.earliest_time = 0
dispatch.latest_time = now
enableSched = 0
run_on_startup = false
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_admon_migrate_out(computer,Computer)`
disabled = 0
#- Computer - Scheduled Search - New, Updated, Deleted,Moved -#
[AD_Obj_Computer_Update]
# Scheduled every 10 minutes (:03,:13,...) over a 15-minute window and once at
# scheduler start-up: applies new/updated/deleted/moved computer objects from
# admon to the AD_Obj_Computer lookup. Minute offset staggered against the
# other *_Update stanzas.
alert.suppress = 0
alert.track = 0
cron_schedule = 03,13,23,33,43,53 * * * *
description = Scheduled Search for picking up Computer AD Object Updates,New,Deleted,Moved then syncing AD_Obj_Computer Lookup Table
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
enableSched = 1
run_on_startup = true
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_admon_bld_upd_out(computer,Computer)`
disabled = 0
##------- OU Lookup (AD_Obj_OU) Build and Update -------##
## OUs - Adhoc Initial/Rebuild ##
[AD_Obj_OU_ReBuild]
# Ad hoc full rebuild of the AD_Obj_OU KV Store lookup from the last admon
# baseline; replaces the current lookup contents (see description).
alert.suppress = 0
alert.track = 0
description = Search for Rebuilding the AD_Obj_OU Lookup in the KV Store. This will replace the data currently in the lookup with all new values from the last time the admon baseline was collected.
dispatch.earliest_time = 0
dispatch.latest_time = now
# Manual run only: no cron_schedule and scheduling is off.
enableSched = 0
run_on_startup = false
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_admon_bld_init_out(ou,OU)`
disabled = 0
## OU - Adhoc Migrate from CSV ##
[AD_Obj_OU_Migrate]
# Ad hoc one-time migration from the legacy CSV lookup into the AD_Obj_OU
# KV Store lookup.
alert.suppress = 0
alert.track = 0
description = Search for Migrating from AD_OU_LDAP_list.csv to the AD_Obj_OU Lookup in the KV Store.
dispatch.earliest_time = 0
dispatch.latest_time = now
# Manual run only: no cron_schedule and scheduling is off.
enableSched = 0
run_on_startup = false
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_admon_migrate_out(ou,OU)`
disabled = 0
#- OUs - Scheduled Search - New, Updated, Deleted,Moved -#
[AD_Obj_OU_Update]
# Scheduled sync of the AD_Obj_OU KV Store lookup from admon change events.
alert.suppress = 0
alert.track = 0
# Every 10 minutes at minute 7 (User 01, Computer 03, GPO 08).
cron_schedule = 07,17,27,37,47,57 * * * *
description = Scheduled Search for picking up OU AD Object Updates,New,Deleted,Moved then syncing AD_Obj_OU Lookup Table
# 15-minute window on a 10-minute schedule: runs overlap by 5 minutes, so the
# macro is presumably idempotent (upsert) - confirm.
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
enableSched = 1
run_on_startup = true
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_admon_bld_upd_out(ou,OU)`
disabled = 0
##------- GPO Lookup (AD_Obj_GPO) Build, Update and GPO Link Update -------##
## GPOs - Adhoc Initial/Rebuild ##
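[AD_Obj_GPO_ReBuild]
# Ad hoc full rebuild of the AD_Obj_GPO KV Store lookup from the last admon
# baseline; replaces the current lookup contents (see description).
alert.suppress = 0
alert.track = 0
description = Search for Rebuilding the AD_Obj_GPO Lookup in the KV Store. This will replace the data currently in the lookup with all new values from the last time the admon baseline was collected.
dispatch.earliest_time = 0
dispatch.latest_time = now
# Added for consistency with the other *_ReBuild stanzas in this file; these
# are the Splunk defaults, so behaviour is unchanged: manual run only.
enableSched = 0
run_on_startup = false
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_admon_bld_init_out(gpo,GPO)`
disabled = 0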
## GPOs - Adhoc Migrate from CSV ##
[AD_Obj_GPO_Migrate]
# Ad hoc one-time migration from the legacy CSV lookup into the AD_Obj_GPO
# KV Store lookup.
alert.suppress = 0
alert.track = 0
description = Search for Migrating from AD_GroupPolicies_LDAP_list.csv to the AD_Obj_GPO Lookup in the KV Store.
dispatch.earliest_time = 0
dispatch.latest_time = now
# Manual run only: no cron_schedule and scheduling is off.
enableSched = 0
run_on_startup = false
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_admon_migrate_out(gpo,GPO)`
disabled = 0
#- GPOs - Scheduled Search - New, Updated, Deleted,Moved -#
[AD_Obj_GPO_Update]
# Scheduled sync of the AD_Obj_GPO KV Store lookup from admon change events.
# The GPO audit searches further down depend on this lookup being current;
# their "GPO CN not found" warning fires when it lags.
alert.suppress = 0
alert.track = 0
# Every 10 minutes at minute 8. NOTE(review): [AD_Obj_Admin_Audit_Update] uses
# the same minutes, so the two run concurrently - stagger if scheduler load matters.
cron_schedule = 08,18,28,38,48,58 * * * *
description = Scheduled Search for picking up GPO AD Object Updates,New,Deleted,Moved then syncing AD_Obj_GPO Lookup Table
# 15-minute window on a 10-minute schedule: runs overlap by 5 minutes, so the
# macro is presumably idempotent (upsert) - confirm.
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
enableSched = 1
run_on_startup = true
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_admon_bld_upd_out(gpo,GPO)`
disabled = 0
[AD_Obj_GPO_OU_Update]
# Scheduled follow-up to the GPO sync: refreshes the GPO lookup with OU link
# data (per the description). Runs one minute after [AD_Obj_GPO_Update].
alert.suppress = 0
alert.track = 0
cron_schedule = 09,19,29,39,49,59 * * * *
description = Scheduled Search for picking up GPO AD Object Updates, then syncing for GPO Lookup Table
dispatch.earliest_time = -10m@m
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
# Boolean written as 1 here, as true in the stanzas above; Splunk accepts both.
run_on_startup = 1
# NOTE(review): macro is named ms_ad_* rather than ms_obj_* like its siblings -
# confirm it exists in macros.conf under that name.
search = | `ms_ad_admon_upd_gpo_wou`
[AD_Obj_OU_GPO_Update]
# Scheduled follow-up to the OU sync: syncs the GPOs linked to changed OUs
# into the AD_Obj_GPO lookup (per the description).
alert.suppress = 0
alert.track = 0
cron_schedule = 02,12,22,32,42,52 * * * *
description = Scheduled Search for picking up OU AD Object Updates, then syncing linked GPO's with the AD Obj GPO table.
dispatch.earliest_time = -10m@m
dispatch.latest_time = now
enableSched = 1
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
# Boolean written as 1 here, as true in the stanzas above; Splunk accepts both.
run_on_startup = 1
# NOTE(review): macro is named ms_ad_* rather than ms_obj_* like its siblings -
# confirm it exists in macros.conf under that name.
search = | `ms_ad_admon_upd_ou_wgpo`
##------- Admin_Audit Lookup (AD_Obj_Admin_Audit) Build, Update, and Migrate -------##
## Admin_Audit - Adhoc Initial/Rebuild ##
[AD_Obj_Admin_Audit_Build]
# Ad hoc full rebuild of the AD_Obj_Admin_Audit KV Store lookup from Windows
# Security event logs; replaces the current lookup contents (see description).
# No enableSched / run_on_startup / disabled keys: Splunk defaults apply
# (not scheduled, enabled), matching the other *_ReBuild stanzas in effect.
alert.suppress = 0
alert.track = 0
description = Search for Rebuilding the AD_Obj_Admin_Audit Lookup in the KV Store. This will replace the data currently in the lookup with all new values from the Windows Security Event Logs.
# All time: reads the full event history available in the indexes.
dispatch.earliest_time = 0
dispatch.latest_time = now
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_winevt_init_admin_audit`
## Admin_Audit - Migrate ##
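[AD_Obj_Admin_Audit_Migrate]
# Ad hoc one-time migration of existing Admin Audit data into the
# AD_Obj_Admin_Audit KV Store lookup (macro: ms_obj_winevt_migrate_admin_audit).
alert.suppress = 0
alert.track = 0
# Fixed: the description was copied from the GPO rebuild stanza and named both
# the wrong lookup (AD_Obj_GPO) and the wrong operation (rebuild).
description = Search for Migrating existing Admin Audit data to the AD_Obj_Admin_Audit Lookup in the KV Store.
dispatch.earliest_time = 0
dispatch.latest_time = now
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_winevt_migrate_admin_audit`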
#- Admin_Audit - Scheduled Search - New, Updated, Deleted,Moved -#
[AD_Obj_Admin_Audit_Update]
# Scheduled incremental update of the AD_Obj_Admin_Audit KV Store lookup
# (administrator / change-management details) from Windows Security events.
alert.suppress = 0
alert.track = 0
# NOTE(review): same minutes as [AD_Obj_GPO_Update]; the two run concurrently.
cron_schedule = 08,18,28,38,48,58 * * * *
description = Scheduled Search for picking up Change Management, administrator Details AD_Obj_Admin_Audit Lookup Table
# 15-minute window on a 10-minute schedule: runs overlap by 5 minutes.
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
display.general.type = statistics
display.page.search.tab = statistics
enableSched = 1
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
# Boolean written as 1 here, as true in most *_Update stanzas; Splunk accepts both.
run_on_startup = 1
search = `ms_obj_winevt_upd_admin_audit`
##------- MULTI-DOMAIN - SPLIT - Update Templates ----------##
#- Template MULTI-DOMAIN - SPLIT - User - Scheduled Search - New, Updated, Deleted,Moved -#
[AD_Obj_md_template_User_Update]
# Template (disabled from scheduling) for multi-domain deployments: clone per
# domain and replace the "your_domain" / "your_dc_val" placeholders in search.
alert.suppress = 0
alert.track = 0
# NOTE(review): all three md_template stanzas share these minutes; stagger the
# copies per domain so the per-domain syncs do not all start together.
cron_schedule = 05,15,25,35,45,55 * * * *
description = Template for Splitting KV Stores by AD Domains - Copy and Update search for each AD Domain (Important - replace your_domain and your_dc_val with target domain values) and then schedule for picking up User AD Object Updates,New,Deleted,Moved admon events and syncing with the Domains User Lookup.
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
# Scheduling off in the template; set enableSched = 1 in each domain copy.
enableSched = 0
run_on_startup = true
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_md_admon_bld_upd_out("your_domain","your_dc_val",user,User)`
disabled = 0
#- Template MULTI-DOMAIN - SPLIT - Group - Scheduled Search - New, Updated, Deleted,Moved -#
[AD_Obj_md_template_Group_Update]
# Template (disabled from scheduling) for multi-domain deployments: clone per
# domain and replace the "your_domain" / "your_dc_val" placeholders in search.
alert.suppress = 0
alert.track = 0
# NOTE(review): shares these minutes with the other md_template stanzas.
cron_schedule = 05,15,25,35,45,55 * * * *
description = Template for Splitting KV Stores by AD Domains - Copy and Update search for each AD Domain (Important - replace your_domain and your_dc_val with target domain values) and then schedule for picking up Group AD Object Updates,New,Deleted,Moved admon events and syncing with the Domains Group Lookup.
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
# Scheduling off in the template; set enableSched = 1 in each domain copy.
enableSched = 0
run_on_startup = true
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_md_admon_bld_upd_out("your_domain","your_dc_val",group,Group)`
disabled = 0
#- Template MULTI-DOMAIN - SPLIT - Computer - Scheduled Search - New, Updated, Deleted,Moved -#
[AD_Obj_md_template_Computer_Update]
# Template (disabled from scheduling) for multi-domain deployments: clone per
# domain and replace the "your_domain" / "your_dc_val" placeholders in search.
alert.suppress = 0
alert.track = 0
# NOTE(review): shares these minutes with the other md_template stanzas.
cron_schedule = 05,15,25,35,45,55 * * * *
description = Template for Splitting KV Stores by AD Domains - Copy and Update search for each AD Domain (Important - replace your_domain and your_dc_val with target domain values) and then schedule for picking up Computer AD Object Updates,New,Deleted,Moved admon events and syncing with the Domains Computer Lookup.
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
# Scheduling off in the template; set enableSched = 1 in each domain copy.
enableSched = 0
run_on_startup = true
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_md_admon_bld_upd_out("your_domain","your_dc_val",computer,Computer)`
disabled = 0
##------- Macro State Check -------##
[ms_ad_obj_cfg_macro_chk]
# Health check for the index macros this app depends on (per the description).
# Not scheduled here; run on demand when lookups stop updating.
action.email.useNSSubject = 1
alert.track = 0
description = Scheduled Search for Checking the Health of the macro defined indexes.
dispatch.earliest_time = -60m
dispatch.latest_time = now
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.show = 0
enableSched = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = | `ms_obj_cfg_macro_chk`
#################################################
##### AD Computer Object Specific Searches #####
#################################################
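[AD Objects - Computer Lookup - Group List]
# Per-computer group membership from the KV Store lookups: direct memberships
# via AD_Obj_Group.member matched on the computer dn, plus the primary group
# resolved through primaryGroupToken and tagged "(Primary)".
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = 0
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart.showDataLabels = all
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
# Fixed: 'domain' was dropped by the fields command and then selected by the
# final table, so that column was always empty. Assumes AD_Obj_Computer carries
# a domain field as AD_Obj_User does - confirm.
# A dn that is a member of several groups yields a multivalue Group field;
# Group_Count is the count of those values.
search = | inputlookup AD_Obj_Computer\
| fields cn,dn,primaryGroupID,domain\
| lookup AD_Obj_Group member AS dn output cn AS Group,distinguishedName AS Group_DN\
| lookup AD_Obj_Group primaryGroupToken AS primaryGroupID OUTPUT cn AS p_Group,distinguishedName AS p_Group_DN\
| eval p_Group="(Primary) ".p_Group,p_Group_DN="(Primary) ".p_Group_DN\
| eval Group=mvappend(Group,p_Group),Group_DN=mvappend(Group_DN,p_Group_DN)\
| rename cn AS Computer\
| eval Group_Count=mvcount(Group)\
| sort -Group_Count\
| table Computer, domain, dn,Group_Count,Group,Group_DN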
#################################################
##### AD User Object Specific Searches #####
#################################################
[AD Objects - User Lookup - SubSearch txt - Critical Obj Events]
# Today's Security events touching critical User objects, counted per
# source user and signature. Filtering is applied twice: once on raw events
# (ms_obj_critical_filter_raw) and once on the src_user field after stats.
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = @d
dispatch.latest_time = now
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart.showDataLabels = all
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
# NOTE(review): the sibling stanza calls ms_obj_critical_filter_raw with two
# arguments; Splunk resolves macros by name and argument count, so both
# variants must be defined in macros.conf - confirm.
search = `ms_obj_win_events_security` (`ms_obj_critical_filter_raw(User)`)\
| fields EventCode,src_user,signature\
| stats values(EventCode) AS EventCode, count by src_user,signature\
| `ms_obj_critical_filter_field(User,src_user)`
[AD Objects - User Lookup - SubSearch - Critical Obj Events]
# Today's Security events touching critical User objects, counted per
# source user and signature; the critical-object filter is applied on the
# raw search only (two-argument macro form).
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = @d
dispatch.latest_time = now
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart.showDataLabels = all
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_win_events_security` (`ms_obj_critical_filter_raw(User,src_user)`)\
| fields EventCode,src_user,signature\
| stats values(EventCode) AS EventCode, count by src_user,signature
[AD Objects - User Lookup - UAC to Binary Example]
# Worked example: expand each distinct userAccountControl value from
# AD_Obj_User into a 32-character bit string and decode the ADS_UF_* flags
# into a multivalue uac_details list. The rex reads the bit string MSB-first,
# so its last capture group is bit 0 (ADS_UF_SCRIPT, 0x1) and uac_account_state
# is bit 1 (ADS_UF_ACCOUNTDISABLE, 0x2); the five leading zeros are bits 31-27.
# The production equivalent is the ms_obj_uac_details macro used below.
# NOTE(review): the rank/mvzip steps and the 'IP' sort key look carried over
# from an IP-to-binary example; with split("1", ",") rank is always a single
# value, so they have no effect here - confirm before removing.
# NOTE(review): uac_lockout (bit 4) is extracted but never appended to uac_details.
# From a hardening standpoint the flags worth reviewing first are password not
# required, reversible encryption, DES-only, no Kerberos pre-auth and the two
# delegation flags; all are decoded below.
# No dispatch.*/display.* keys: this stanza is an example, not a scheduled report.
search = | inputlookup AD_Obj_User append=true \
| fields userAccountControl \
| dedup userAccountControl \
| eval octet = userAccountControl \
| eval rank = split("1", ",") \
| eval octet_rank = mvzip(rank, octet) \
| fields - octet, rank \
| mvexpand octet_rank \
| eval octet_rank_split = split(octet_rank, ",") \
| eval rank = mvindex(octet_rank_split, 0) \
| eval octet = mvindex(octet_rank_split, 1) \
| fields - octet_rank, octet_rank_split \
| eval power = mvrange(0,32) \
| mvexpand power \
| eval base2 = pow(2, power) \
| eval mydiv = floor(octet / base2) \
| eval octet_bin = mydiv % 2 \
| fields - mydiv, base2 \
| sort limit=0 IP, rank, octet, - power \
| stats list(octet_bin) as octet_bin by userAccountControl \
| eval uac_bin_map = mvjoin(octet_bin, "") \
| rex field=uac_bin_map "00000(?<uac_dc_account>\d{1})(?<uac_kerb_no_pac>\d{1})(?<uac_trust_auth_for_delegation>\d{1})(?<uac_pwd_expired>\d{1})(?<uac_pwd_kerb_pre_auth>\d{1})(?<uac_pwd_kerb_des>\d{1})(?<uac_sensitive>\d{1})(?<uac_trust_for_delegation>\d{1})(?<uac_smartcard_req>\d{1})(?<uac_mns_account>\d{1})(?<uac_pwd_not_expire>\d{1})(?<na_uac_5>\d{1})(?<na_uac_4>\d{1})(?<uac_srvr_trust_account>\d{1})(?<uac_wkstn_trust_account>\d{1})(?<uac_trust_account>\d{1})(?<na_uac_3>\d{1})(?<uac_normal_account>\d{1})(?<uac_temp_dup_account>\d{1})(?<uac_pwd_store_rev>\d{1})(?<uac_pwd_cant_change>\d{1})(?<uac_pwd_not_req>\d{1})(?<uac_lockout>\d{1})(?<uac_home_dir_req>\d{1})(?<na_uac_1>\d{1})(?<uac_account_state>\d{1})(?<uac_script_account>\d{1})" \
| eval uac_details="" \
| eval uac_details=if(uac_account_state=1,uac_details."Disabled",uac_details."Enabled") \
| eval uac_details=if(uac_script_account=1,uac_details.":Logon script is executed",uac_details) \
| eval uac_details=if(uac_temp_dup_account=1,uac_details.":Temp Duplicate Account",uac_details) \
| eval uac_details=if(uac_home_dir_req=1,uac_details.":Home Directory Required",uac_details) \
| eval uac_details=if(uac_pwd_not_req=1,uac_details.":Password Not Required",uac_details) \
| eval uac_details=if(uac_pwd_cant_change=1,uac_details.":Cant Change Password",uac_details) \
| eval uac_details=if(uac_pwd_store_rev=1,uac_details.":Store Password using reversible encryption",uac_details) \
| eval uac_details=if(uac_normal_account=1,uac_details.":Normal User Account",uac_details) \
| eval uac_details=if(uac_trust_account=1,uac_details.":InterDomain Trust Account",uac_details) \
| eval uac_details=if(uac_wkstn_trust_account=1,uac_details.":Workstation Trust Account",uac_details) \
| eval uac_details=if(uac_srvr_trust_account=1,uac_details.":Server Trust Account",uac_details) \
| eval uac_details=if(uac_pwd_not_expire=1,uac_details.":Password Does Not Expire",uac_details) \
| eval uac_details=if(uac_mns_account=1,uac_details.":Majority Node Set (MNS) account",uac_details) \
| eval uac_details=if(uac_smartcard_req=1,uac_details.":Smart Card Required",uac_details) \
| eval uac_details=if(uac_trust_for_delegation=1,uac_details.":Trusted for Delegation",uac_details) \
| eval uac_details=if(uac_sensitive=1,uac_details.":Sensitive - Not Delegated",uac_details) \
| eval uac_details=if(uac_pwd_kerb_des=1,uac_details.":Kerberos authentication DES only",uac_details) \
| eval uac_details=if(uac_pwd_kerb_pre_auth=1,uac_details.":Kerberos Does Not Require Pre-Auth",uac_details) \
| eval uac_details=if(uac_pwd_expired=1,uac_details.":Password has Expired",uac_details) \
| eval uac_details=if(uac_trust_auth_for_delegation=1,uac_details.":Can request a Kerberos ticket on behalf of another user",uac_details) \
| eval uac_details=if(uac_kerb_no_pac=1,uac_details.":Request Kerberos Ticket without PAC data",uac_details) \
| eval uac_details=if(uac_dc_account=1,uac_details.":Read Only Domain Controller Account",uac_details) \
| makemv delim=":" uac_details\
| table userAccountControl,uac_bin_map,uac_details
[AD Objects - User Lookup - User Settings Full]
# Every user in AD_Obj_User with all decoded userAccountControl flag fields
# (uac*) produced by the ms_obj_uac_details macro.
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = 0
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = | inputlookup AD_Obj_User append=true\
| `ms_obj_uac_details`\
| table sAMAccountName,userAccountControl, uac*
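[AD Objects - User Lookup - User Settings Basic]
# Every user in AD_Obj_User with the decoded userAccountControl summary
# (uac_details split on ":" into a multivalue list), sorted by account name.
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = 0
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
# Fixed: 'domain' was listed twice in the table command.
search = | inputlookup AD_Obj_User append=true \
| `ms_obj_uac_details` \
| makemv delim=":" uac_details\
| table domain, sAMAccountName, userAccountControl, uac_details, distinguishedName,whenChanged,whenCreated \
| sort sAMAccountName \
| rename sAMAccountName AS "user", uac_details AS userAccountControl_Details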
[AD Objects - User Lookup - Group List]
# Per-user group membership from the KV Store lookups: direct memberships via
# AD_Obj_Group.member matched on the user dn, plus the primary group resolved
# through primaryGroupToken and tagged "(Primary)".
# NOTE(review): matches on 'dn' but tables 'distinguishedName', so AD_Obj_User
# appears to carry both - confirm, or the Group columns stay empty.
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = 0
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart.showDataLabels = all
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = | inputlookup AD_Obj_User\
| lookup AD_Obj_Group member AS dn output cn AS Group,distinguishedName AS Group_DN\
| lookup AD_Obj_Group primaryGroupToken AS primaryGroupID OUTPUT cn AS p_Group,distinguishedName AS p_Group_DN\
| eval p_Group="(Primary) ".p_Group,p_Group_DN="(Primary) ".p_Group_DN\
| eval Group=mvappend(Group,p_Group),Group_DN=mvappend(Group_DN,p_Group_DN)\
| rename cn AS User\
| eval Group_Count=mvcount(Group)\
| sort -Group_Count\
| table User, domain, distinguishedName,Group_Count,Group,Group_DN
#################################################
##### AD Object Audit Changes #####
#################################################
## All Objects - AD Audit Changes Searches ##
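[AD Objects - Audit - Changes - User - By Admin Day Summary]
# Last 24h of User object changes, pivoted as Day x Admin with a per-cell
# list of "action (count)". Admin is "cn (sAMAccountName)" from AD_Obj_User,
# falling back to the bare src_user when the lookup has no match.
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart.showDataLabels = all
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
# Fixed: Day is a "%m/%d/%y" string, so 'sort -Day' ordered lexicographically
# and reversed rows across a year boundary; now sorted on the parsed epoch.
# NOTE(review): join's inputlookup subsearch is bounded by limits.conf; on very
# large AD_Obj_User lookups the Admin enrichment may silently fall back to
# src_user - consider a lookup command instead.
search = `ms_obj_changes_base_cat("User")`\
| fields _time,user,src_user,src_nt_domain,dest_nt_domain,user_obj_guid,user_type,msad_action,signature,Correlation_ID,MSADChangedAttributes,AttributeLDAPDisplayName,AttributeValue,DN,dir_svcs_action,user_obj_dn,Old_DN,New_DN\
| join type=left src_user [| inputlookup AD_Obj_User | fields cn,sAMAccountName | rename sAMAccountName as src_user,cn AS Admin | table Admin,src_user]\
| eval Admin=if(isnull(Admin),src_user,Admin." (".src_user.")")\
| eval Day=strftime(_time,"%m/%d/%y")\
| stats count by msad_action, Admin,Day\
| eval comb="|".msad_action." (".count.")"\
| sort -count\
| stats list(comb) AS Daily_Change_Summary, sum(count) AS Total_Events by Admin,Day\
| makemv delim="|" Daily_Change_Summary\
| eval Day_Epoch=strptime(Day,"%m/%d/%y")\
| sort -Day_Epoch \
| fields - Day_Epoch\
| xyseries Day Admin Daily_Change_Summary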
[AD Objects - Audit - Changes - User - By Admin Change Summary]
# Last 30 days of User object changes, pivoted as action x Admin with a
# per-cell list of "day (count)". Admin is "cn (sAMAccountName)" from
# AD_Obj_User, falling back to the bare src_user when there is no match.
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart.showDataLabels = all
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
# NOTE(review): 'sort -Day' runs after the stats by Admin,msad_action, where
# Day no longer exists, so it is a no-op; the intended key (Total_Events?)
# is unclear - confirm with the author.
# NOTE(review): join's inputlookup subsearch is bounded by limits.conf; on very
# large AD_Obj_User lookups the Admin enrichment may silently fall back to src_user.
search = `ms_obj_changes_base_cat("User")`\
| fields _time,user,src_user,src_nt_domain,dest_nt_domain,user_obj_guid,user_type,msad_action,signature,Correlation_ID,MSADChangedAttributes,AttributeLDAPDisplayName,AttributeValue,DN,dir_svcs_action,user_obj_dn,Old_DN,New_DN\
| join type=left src_user [| inputlookup AD_Obj_User | fields cn,sAMAccountName | rename sAMAccountName as src_user,cn AS Admin | table Admin,src_user]\
| eval Admin=if(isnull(Admin),src_user,Admin." (".src_user.")")\
| eval Day=strftime(_time,"%m/%d/%y")\
| stats count by msad_action, Admin,Day\
| eval comb="|".Day." (".count.")"\
| sort -count\
| stats list(comb) AS Daily_Change_Summary, sum(count) AS Total_Events by Admin,msad_action\
| makemv delim="|" Daily_Change_Summary\
| sort -Day \
| xyseries msad_action Admin Daily_Change_Summary
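[AD Objects - Audit - Changes - GPO - By Admin Day Summary]
# Last 7 days of Group Policy changes, pivoted as Day x Admin with a per-cell
# list of "GPO displayName (count)". GPO names come from AD_Obj_GPO keyed on
# the upper-cased "{GUID}"; unmatched GUIDs are shown with a "not found" suffix.
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -7d@h
dispatch.latest_time = now
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
# Fixed: Day is a "%m/%d/%y" string, so 'sort -Day' ordered lexicographically
# and reversed rows across a year boundary; now sorted on the parsed epoch.
# NOTE(review): displayName is resolved twice, by lookup and then by a join on
# the same key; the join is redundant if the lookup works. Also the other GPO
# audit stanzas key on lower() / cn_link - confirm which the lookup stores.
search = `ms_obj_changes_base_cat("Group Policy")`\
| fields _time, session_id, src_nt_domain, src_user,Object_Name_Guid,displayName,dir_svcs_action,AttributeLDAPDisplayName,AttributeValue,MSADChangedAttributes,Correlation_ID,signature,msad_action,Old_DN,New_DN\
| fillnull value="" Correlation_ID,msad_action\
| eval Object_Lookup_Name="{".upper(Object_Name_Guid)."}" \
| lookup AD_Obj_GPO cn AS Object_Lookup_Name OUTPUT displayName \
| join type=left Object_Lookup_Name [| inputlookup AD_Obj_GPO | fields cn,displayName | rename cn AS Object_Lookup_Name | table Object_Lookup_Name,displayName]\
| eval displayName=if(isnull(displayName),Object_Lookup_Name." GPO CN not found",displayName) \
| join type=left src_user [| inputlookup AD_Obj_User | fields cn,sAMAccountName | rename sAMAccountName as src_user,cn AS Admin | table Admin,src_user]\
| eval Admin=if(isnull(Admin),src_user,Admin." (".src_user.")")\
| eval Day=strftime(_time,"%m/%d/%y")\
| stats count by displayName, Admin,Day\
| eval comb="|".displayName." (".count.")"\
| sort -count\
| stats list(comb) AS Daily_Change_Summary, sum(count) AS Total_Events by Admin,Day\
| makemv delim="|" Daily_Change_Summary\
| eval Day_Epoch=strptime(Day,"%m/%d/%y")\
| sort -Day_Epoch \
| fields - Day_Epoch\
| xyseries Day Admin Daily_Change_Summary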
##_____ Group Policy Change Searches ______##
##V4.0.0 Updated
[AD Objects - Audit - Changes - Group Policies]
# Last 24h of Group Policy changes grouped into admin sessions: one row per
# session_id / GPO / admin / action with start and end times, correlation IDs
# and the attribute changes expanded by the ms_obj_msad-changed-attributes macro.
# Rows are joined with "########" and "|" and split back with makemv for display.
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart.showDataLabels = all
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
# NOTE(review): keys AD_Obj_GPO.cn on the lower-cased "{GUID}", while the
# Created/Deleted stanzas use upper() against cn_link and the Day Summary uses
# upper() against cn - confirm which form the lookup stores; a mismatch shows
# the "GPO CN not found" warning for every row.
# NOTE(review): the warning text names a scheduled search ms_ad_obj_sched_sync_gpo;
# the GPO sync in this file is [AD_Obj_GPO_Update] - update the text if stale.
search = `ms_obj_changes_base_cat("Group Policy")`\
| fields _time, session_id, src_nt_domain, src_user,Object_Name_Guid,displayName,dir_svcs_action,AttributeLDAPDisplayName,AttributeValue,MSADChangedAttributes,Correlation_ID,signature,msad_action,Old_DN,New_DN\
| fillnull value="" Correlation_ID,msad_action\
| eval adminuser=if(isnull(src_nt_domain),src_user,src_nt_domain."\\".src_user) \
| eval Object_Lookup_Name="{".lower(Object_Name_Guid)."}" \
| join type=left Object_Lookup_Name [| inputlookup AD_Obj_GPO | fields cn, displayName | rename cn AS Object_Lookup_Name | table Object_Lookup_Name, displayName]\
| eval displayName=if(isnull(displayName),"Warning: ".Object_Lookup_Name." GPO CN not found in the AD_Obj_GPO Lookup. If GPO is new wait 15 minutes and run report again, or check that ms_ad_obj_sched_sync_gpo scheduled search is running as scheduled.",displayName) \
| `ms_obj_msad-changed-attributes`\
| stats max(_time) AS last_time, min(_time) AS start_time,list(MSADChanges) AS MSADChanges,values(Correlation_ID) AS Correlation_IDs by session_id,Object_Lookup_Name,displayName,adminuser,signature,msad_action\
| eval MSADChanges=mvjoin(MSADChanges, "########")\
| eval MSADChanges=case(isnull(signature) AND isnull(MSADChanges),"Unknown Changes",isnull(signature),MSADChanges,isnotnull(MSADChanges),"Signature: ".signature."########".MSADChanges)\
| eval Session_Time="Session ID (".session_id.")|Start: ".strftime(start_time,"%m/%d/%y %I:%M:%S %P")."|End: ".strftime(last_time,"%m/%d/%y %I:%M:%S %P")\
| table displayName,adminuser,Session_Time,msad_action,Correlation_IDs,MSADChanges\
| makemv delim="########" MSADChanges\
| makemv delim="|" Session_Time\
| rename adminuser as "Administrator",msad_action as "Action",displayName as "GPO Name",MSADChanges as "Changes"
## V 3.2.4 Updated
[AD Objects - Audit - Created - Group Policies]
# Last 24h of Group Policy *creations* (action filter passed to the base
# macro), grouped into admin sessions exactly like the Changes stanza above.
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart.showDataLabels = all
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
# NOTE(review): keys AD_Obj_GPO.cn_link on the upper-cased "{GUID}", unlike
# the Changes stanza (cn, lower-cased) - confirm which the lookup stores.
search = `ms_obj_changes_base_cat_act("Group Policy","created")`\
| fields _time, session_id, src_nt_domain, src_user,Object_Name_Guid,displayName,dir_svcs_action,AttributeLDAPDisplayName,AttributeValue,MSADChangedAttributes,Correlation_ID,signature,msad_action,Old_DN,New_DN\
| fillnull value="" Correlation_ID,msad_action\
| eval adminuser=if(isnull(src_nt_domain),src_user,src_nt_domain."\\".src_user) \
| eval Object_Lookup_Name="{".upper(Object_Name_Guid)."}" \
| join type=left Object_Lookup_Name [| inputlookup AD_Obj_GPO | fields cn_link, displayName | rename cn_link AS Object_Lookup_Name | table Object_Lookup_Name, displayName]\
| eval displayName=if(isnull(displayName),"Warning: ".Object_Lookup_Name." GPO CN not found in the AD_Obj_GPO Lookup. If GPO is new wait 15 minutes and run report again, or check that ms_ad_obj_sched_sync_gpo scheduled search is running as scheduled.",displayName) \
| `ms_obj_msad-changed-attributes`\
| stats max(_time) AS last_time, min(_time) AS start_time,list(MSADChanges) AS MSADChanges,values(Correlation_ID) AS Correlation_IDs by session_id,Object_Lookup_Name,displayName,adminuser,signature,msad_action\
| eval MSADChanges=mvjoin(MSADChanges, "########")\
| eval MSADChanges=case(isnull(signature) AND isnull(MSADChanges),"Unknown Changes",isnull(signature),MSADChanges,isnotnull(MSADChanges),"Signature: ".signature."########".MSADChanges)\
| eval Session_Time="Session ID (".session_id.")|Start: ".strftime(start_time,"%m/%d/%y %I:%M:%S %P")."|End: ".strftime(last_time,"%m/%d/%y %I:%M:%S %P")\
| table displayName,adminuser,Session_Time,msad_action,Correlation_IDs,MSADChanges\
| makemv delim="########" MSADChanges\
| makemv delim="|" Session_Time\
| rename adminuser as "Administrator",msad_action as "Action",displayName as "GPO Name",MSADChanges as "Changes"
##V4.0.0 Updated
[AD Objects - Audit - Deleted - Group Policies]
# Last 24h of Group Policy *deletions* (action filter passed to the base
# macro), grouped into admin sessions exactly like the Changes stanza above.
# A deleted GPO may already be gone from AD_Obj_GPO by the time this runs,
# in which case the row carries the "GPO CN not found" warning as its name.
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart.showDataLabels = all
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
# NOTE(review): keys AD_Obj_GPO.cn_link on the upper-cased "{GUID}", unlike
# the Changes stanza (cn, lower-cased) - confirm which the lookup stores.
search = `ms_obj_changes_base_cat_act("Group Policy","deleted")`\
| fields _time, session_id, src_nt_domain, src_user,Object_Name_Guid,displayName,dir_svcs_action,AttributeLDAPDisplayName,AttributeValue,MSADChangedAttributes,Correlation_ID,signature,msad_action,Old_DN,New_DN\
| fillnull value="" Correlation_ID,msad_action\
| eval adminuser=if(isnull(src_nt_domain),src_user,src_nt_domain."\\".src_user) \
| eval Object_Lookup_Name="{".upper(Object_Name_Guid)."}" \
| join type=left Object_Lookup_Name [| inputlookup AD_Obj_GPO | fields cn_link, displayName | rename cn_link AS Object_Lookup_Name | table Object_Lookup_Name, displayName]\
| eval displayName=if(isnull(displayName),"Warning: ".Object_Lookup_Name." GPO CN not found in the AD_Obj_GPO Lookup. If GPO is new wait 15 minutes and run report again, or check that ms_ad_obj_sched_sync_gpo scheduled search is running as scheduled.",displayName) \
| `ms_obj_msad-changed-attributes`\
| stats max(_time) AS last_time, min(_time) AS start_time,list(MSADChanges) AS MSADChanges,values(Correlation_ID) AS Correlation_IDs by session_id,Object_Lookup_Name,displayName,adminuser,signature,msad_action\
| eval MSADChanges=mvjoin(MSADChanges, "########")\
| eval MSADChanges=case(isnull(signature) AND isnull(MSADChanges),"Unknown Changes",isnull(signature),MSADChanges,isnotnull(MSADChanges),"Signature: ".signature."########".MSADChanges)\
| eval Session_Time="Session ID (".session_id.")|Start: ".strftime(start_time,"%m/%d/%y %I:%M:%S %P")."|End: ".strftime(last_time,"%m/%d/%y %I:%M:%S %P")\
| table displayName,adminuser,Session_Time,msad_action,Correlation_IDs,MSADChanges\
| makemv delim="########" MSADChanges\
| makemv delim="|" Session_Time\
| rename adminuser as "Administrator",msad_action as "Action",displayName as "GPO Name",MSADChanges as "Changes"
##_____ Organizational Unit Change Searches ______##
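[AD Objects - Audit - Changes - OU]
# Last 7 days of OU changes (create 5137, undelete 5138, move 5139, delete
# 5141, modify 5136/4662), one row per event with a "|"-delimited change
# summary. gPLink modifications are resolved to GPO names via AD_Obj_GPO.
alert.track = 0
dispatch.earliest_time = -7d@d
dispatch.latest_time = now
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.charting.chart = bar
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
# Fixed: AttributeValue was not in the fields list, so the later
# if(isnull(Value),lower(AttributeValue),...) fallback always produced null;
# also removed the duplicate LDAP_Display_Name / chg_gp_guid entries.
# NOTE(review): the lookup matches AD_Obj_GPO on gpo_link + domain, while the
# GPO audit stanzas key on cn / cn_link - confirm the lookup has a gpo_link field.
search = `ms_obj_changes_base_cat("OU")` (src_nt_domain="*" OR dest_nt_domain="*")\
| fields _raw,_time,chg_gp_guid,dir_svcs_action,signature,LDAP_Display_Name,gpo_name,ou_obj_dn,DN,Old_DN,New_DN,Correlation_ID,Value,AttributeValue,src_user,src_nt_domain,EventCode,msad_action\
| eval dest_ou_dn=if(isnull(New_DN),DN,New_DN),adminuser=if(isnull(src_nt_domain),lower(src_user),src_nt_domain."\\".lower(src_user))\
| rex field=dest_ou_dn "(?i)ou\=(?<ou_name>[^\,]+)"\
| rex field=Value max_match=0 "\{(?<chg_gp_guid>[^\}]+)"\
| fillnull value="NA" chg_gp_guid,dir_svcs_action,signature,LDAP_Display_Name,gpo_name,DN,Old_DN,New_DN,Correlation_ID\
| mvexpand chg_gp_guid\
| eval gpo_link=if(LDAP_Display_Name=="gPLink",lower(chg_gp_guid),"")\
| eval Value=if(isnull(Value),lower(AttributeValue),lower(Value))\
| lookup AD_Obj_GPO gpo_link, domain AS src_nt_domain OUTPUT displayName AS gpo_name\
| eval Correlation_ID=if(isnull(Correlation_ID),"NA",Correlation_ID)\
| eval mod_summary=if(LDAP_Display_Name=="gPLink" AND isnotnull(gpo_name),"| - Action: ".dir_svcs_action."| - Target Attribute: ".LDAP_Display_Name."| - Target Linked GPO: ".gpo_name."| - Target Linked GPO ID: ".chg_gp_guid,"| - Action: ".dir_svcs_action."| - Target Attribute: ".LDAP_Display_Name."| - Target Attribute Value: ".Value)\
| eval chg_summary=case(EventCode=5137,"|OU Created:| - signature: ".signature."| - Event Correlation ID: ".Correlation_ID."| - DN: ".DN,EventCode=5138,"|OU Undeleted:| - signature: ".signature."| - Event Correlation ID: ".Correlation_ID." - ",EventCode=5139,"|OU Moved:| - signature: ".signature."| - Event Correlation ID: ".Correlation_ID."| - From: ".Old_DN."| - To: ".New_DN,EventCode=5141,"|OU Deleted:| - signature: ".signature."| - Event Correlation ID: ".Correlation_ID,EventCode=5136 OR EventCode=4662,"|OU Modified:| - signature: ".signature." | - Event Correlation ID: ".Correlation_ID."|".mod_summary)\
| stats values(chg_summary) AS chg_summary by _time,adminuser,msad_action,ou_name,dest_ou_dn,EventCode,signature\
| makemv delim="|" chg_summary\
| rename msad_action AS "Action",adminuser AS "Admin User",ou_name AS OU,dest_ou_dn AS "OU DN",chg_summary AS "Changes"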
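[AD Objects - Audit - Modified - OU]
# Last 7 days of OU *modifications*, one row per changed attribute value with
# a "|"-delimited change summary. gPLink values are resolved to GPO names by
# joining on the "{guid}" prefix of AD_Obj_GPO.cn.
alert.track = 0
dispatch.earliest_time = -7d@d
dispatch.latest_time = now
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.charting.chart = bar
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
# Fixed: the non-gPLink branch of chg_summary had a doubled "||" (empty list
# entry), no "|" before " - Action" and repeated the Correlation ID; it now
# mirrors the gPLink branch's layout.
search = `ms_obj_changes_base_cat_act("OU","modified")`\
| eval dest_ou_dn=if(isnull(New_DN),DN,New_DN)\
| rex field=dest_ou_dn "(?i)ou\=(?<ou_name>[^\,]+)"\
| rex field=Value max_match=0 "\{(?<chg_gp_guid>[^\}]+)"\
| fillnull value="NA" chg_gp_guid,dir_svcs_action,signature,LDAP_Display_Name,gpo_name,DN,Old_DN,New_DN,Correlation_ID\
| eval Value=if(isnull(Value),lower(AttributeValue),lower(Value)),chg_gp_guid=lower(chg_gp_guid)\
| mvexpand chg_gp_guid\
| eval chg_gplink=if(LDAP_Display_Name=="gPLink","{".chg_gp_guid."}","")\
| join type=left chg_gplink [| inputlookup AD_Obj_GPO | fields cn,displayName | rex field=cn "^(?<chg_gplink>[^(\s|$)]+)" | dedup chg_gplink | table chg_gplink, displayName | rename displayName AS gpo_name]\
| table _time,ou_name,dest_ou_dn,src_nt_domain,src_user,LDAP_Display_Name,dir_svcs_action, Correlation_ID,chg_gp_guid,gpo_name,EventCode,signature,DN,Old_DN,New_DN,Value,msad_action\
| eval chg_summary=if(LDAP_Display_Name=="gPLink" AND isnotnull(gpo_name),"OU Modified:| - Event Correlation ID: ".Correlation_ID."| - Action: ".dir_svcs_action."| - Target Attribute: ".LDAP_Display_Name."| - Target Linked GPO: ".gpo_name."| - Target Linked GPO ID: ".chg_gp_guid,"OU Modified:| - Event Correlation ID: ".Correlation_ID."| - Action: ".dir_svcs_action."| - Target Attribute: ".LDAP_Display_Name."| - Target Attribute Value: ".Value)\
| table _time,ou_name,dest_ou_dn,msad_action,EventCode,signature,src_nt_domain,src_user,chg_summary\
| makemv delim="|" chg_summary\
| rename msad_action AS "OU Action",src_nt_domain AS "Admin Domain",src_user AS "Admin User",ou_name AS OU,dest_ou_dn AS "OU DN",chg_summary AS "Change Details"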
[AD Objects - Audit - Created - OU]
# Audit report: OU creation events from the `ms_obj_changes_base_cat_act("OU","created")` macro, with the
# OU name parsed from DN and a multivalue "Change Details" column (split on "|").
# The fillnull list names chg_gp_guid and gpo_name, which nothing in this pipeline reads, and the first
# table lists DN twice; both are harmless.
action.email.useNSSubject = 1
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
auto_summarize.dispatch.earliest_time = -1d@h
dispatch.earliest_time = -7d@h
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","name"]
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_changes_base_cat_act("OU","created")`\
| rex field=DN "(?i)ou\=(?<ou_name>[^\,]+)"\
| fillnull value="NA" chg_gp_guid,dir_svcs_action,signature,LDAP_Display_Name,gpo_name,DN,Old_DN,New_DN\
| table _time,ou_name,DN,src_nt_domain,src_user,Correlation_ID,EventCode,signature,DN,Old_DN,New_DN,Value,msad_action\
| eval chg_summary = "OU Created:| - DN: ".DN."| - Event Correlation ID: ".Correlation_ID\
| table _time,msad_action,ou_name,DN,EventCode,signature,src_nt_domain,src_user,chg_summary\
| makemv delim="|" chg_summary\
| rename msad_action AS "OU Action",src_nt_domain AS "Admin Domain",src_user AS "Admin User",ou_name AS OU,DN AS "OU DN",chg_summary AS "Change Details"
[AD Objects - Audit - Critical Objects - Lookup]
# Reference view of the AD_Audit_Default_Critical_Objects lookup (no index search; the time range is
# irrelevant). The ";"-separated rights columns are rendered as "- " bulleted multivalue lists.
action.email.useNSSubject = 1
alert.track = 0
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.charting.chart = bar
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = | inputlookup AD_Audit_Default_Critical_Objects\
| eval inherited_user_rights="- ".(replace(inherited_user_rights,";",";- "))\
| eval direct_user_rights="- ".(replace(direct_user_rights,";",";- "))\
| makemv delim=";" inherited_user_rights\
| makemv delim=";" direct_user_rights\
| table cn,default_container,description,direct_user_rights,group_scope,inherited_user_rights,obj_type,special_note,type_flag
## User AD Object Searches
[AD Objects - View User AD Objects Lookup]
# Dumps the AD_Obj_User lookup as-is (inputlookup only; the dispatch window has no effect).
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -60m
dispatch.latest_time = 0
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = | inputlookup AD_Obj_User
[AD Objects - Verify User Sync Or Update]
# Health check: raw admon Sync/Update events for user objects (ms_obj_admon_user macro), i.e. the
# events that feed the AD_Obj_User lookup.
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -7d@d
dispatch.latest_time = 0
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_admon_user` ("admonEventType=Sync" OR "admonEventType=Update")
[AD Objects - Verify User Delete]
# Health check: admon delete events for user objects, via the ms_obj_admon_flt_obj_type macro with the
# user object filter and the base delete-type filter.
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -7d@d
dispatch.latest_time = 0
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_admon_flt_obj_type(ms_obj_admon_user,ms_obj_admon_base_del_type)`
## AD Group Object Lookup Searches
[AD Objects - Verify Group AD Objects Lookup]
# Dumps the AD_Obj_Group lookup as-is (inputlookup only; the dispatch window has no effect).
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -60m
dispatch.latest_time = 0
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = | inputlookup AD_Obj_Group
[AD Objects - Verify Group Sync Or Update]
# Health check: raw admon Sync/Update events for group objects (ms_obj_admon_group macro).
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -60m
dispatch.latest_time = 0
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_admon_group` ("admonEventType=Sync" OR "admonEventType=Update")
[AD Objects - Verify Group Delete]
# Health check: admon delete events for group objects (ms_obj_admon_flt_obj_type macro).
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -60m
dispatch.latest_time = 0
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_admon_flt_obj_type(ms_obj_admon_group,ms_obj_admon_base_del_type)`
[AD Objects - Verify DL Group AD Objects Lookup]
# Dumps the distribution-list rows of the AD_Obj_Group lookup (isDistributionList="TRUE").
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -60m
dispatch.latest_time = 0
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = | inputlookup AD_Obj_Group WHERE isDistributionList="TRUE"
[AD Objects - Verify DL Group Sync Or Update]
# Health check: admon Sync/Update events for distribution groups.
# sAMAccountType 268435457 is 0x10000001 (SAM_NON_SECURITY_GROUP_OBJECT), i.e. non-security groups.
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -60m
dispatch.latest_time = 0
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_admon_group` ("admonEventType=Sync" OR "admonEventType=Update") sAMAccountType="268435457"
[AD Objects - Verify DL Group Delete]
# Health check: admon delete events for distribution groups (sAMAccountType 268435457 = 0x10000001,
# SAM_NON_SECURITY_GROUP_OBJECT).
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -60m
dispatch.latest_time = 0
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_admon_flt_obj_type(ms_obj_admon_group,ms_obj_admon_base_del_type)` sAMAccountType="268435457"
## AD Computer Object Lookup Searches
[AD Objects - Verify Computer AD Objects Lookup]
# Dumps the AD_Obj_Computer lookup as-is (inputlookup only; the dispatch window has no effect).
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -60m
dispatch.latest_time = 0
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = | inputlookup AD_Obj_Computer
[AD Objects - Verify Computer Sync Or Update]
# Health check: raw admon Sync/Update events for computer objects (ms_obj_admon_computer macro).
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -60m
dispatch.latest_time = 0
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_admon_computer` ("admonEventType=Sync" OR "admonEventType=Update")
[AD Objects - Verify Computer Delete]
# Health check: admon delete events for computer objects (ms_obj_admon_flt_obj_type macro).
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -60m
dispatch.latest_time = 0
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_admon_flt_obj_type(ms_obj_admon_computer,ms_obj_admon_base_del_type)`
## AD OU Object Lookup Searches
[AD Objects - Verify OU AD Objects Lookup]
# Dumps the AD_Obj_OU lookup as-is (inputlookup only; the dispatch window has no effect).
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -60m
dispatch.latest_time = 0
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = | inputlookup AD_Obj_OU
[AD Objects - Verify OU Sync Or Update]
# Health check: raw admon Sync/Update events for organizational units (ms_obj_admon_ou macro).
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -60m
dispatch.latest_time = 0
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_admon_ou` ("admonEventType=Sync" OR "admonEventType=Update")
[AD Objects - Verify OU Delete]
# Health check: admon delete events for organizational units (ms_obj_admon_flt_obj_type macro).
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -60m
dispatch.latest_time = 0
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_admon_flt_obj_type(ms_obj_admon_ou,ms_obj_admon_base_del_type)`
## AD Group Policy Object Lookup Searches
[AD Objects - Verify GPO AD Objects Lookup]
# Dumps the AD_Obj_GPO lookup as-is (inputlookup only; the dispatch window has no effect).
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -60m
dispatch.latest_time = 0
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = | inputlookup AD_Obj_GPO
[AD Objects - Verify GPO Sync Or Update]
# Health check: raw admon Sync/Update events for group policy objects (ms_obj_admon_gpo macro).
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -60m
dispatch.latest_time = 0
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_admon_gpo` ("admonEventType=Sync" OR "admonEventType=Update")
[AD Objects - Verify GPO Delete]
# Health check: admon delete events for group policy objects (ms_obj_admon_flt_obj_type macro).
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -60m
dispatch.latest_time = 0
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_admon_flt_obj_type(ms_obj_admon_gpo,ms_obj_admon_base_del_type)`
#################################################
##### App Health Searches #####
#################################################
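[AD Objects - Scheduled Search - Runtime Statistics]
# App health: per scheduled search (savedsearch_name ms_ad_obj_sched*) the average runtime, average
# execution latency (dispatch minus scheduled time plus window), completed/skipped/deferred counts and
# the "Interval Load Factor" (runtime as a percentage of the schedule interval). The interval comes from
# the REST saved/searches scheduled_times of enabled, scheduled, non-real-time searches, joined on
# owner;app;title. Searches with a single scheduled time yield a null interval and load factor.
# Sorting happens while search_workload is still numeric; the " %" suffix is appended afterwards,
# because sorting the suffixed string is lexicographic ("9.5 %" would sort after "10.2 %").
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = @d
dispatch.latest_time = now
display.general.type = visualizations
display.page.search.tab = visualizations
display.visualizations.charting.chart.showDataLabels = all
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = index=_internal sourcetype=scheduler savedsearch_name="ms_ad_obj_sched*" (status="completed" OR status="skipped" OR\
status="deferred")\
| eval window_time = if(isnotnull(window_time), window_time, 0)\
| eval execution_latency = max(dispatch_time - (scheduled_time + window_time), 0)\
| stats avg(run_time) as runtime, avg(execution_latency) AS avg_exec_latency, count(eval(status=="completed" OR status=="skipped")) AS total_exec, count(eval(status=="skipped")) AS skipped_exec, count(eval(status=="deferred")) AS deferred_exec by app, savedsearch_name, user, savedsearch_id\
| join savedsearch_id type=outer [\
| rest "/servicesNS/-/-/saved/searches/" earliest_time=`ms_obj_time_modifier(-0s@s)` latest_time=`ms_obj_time_modifier(+8d@d)` search="is_scheduled=1" search="disabled=0"\
| search NOT (dispatch.earliest_time=rt* OR dispatch.latest_time=rt*)\
| mvexpand scheduled_times\
| stats count(title) as count max(scheduled_times) as max_t min(scheduled_times) as min_t by title, eai:acl.app, eai:acl.owner cron_schedule\
| eval schedule_interval=round((max_t-min_t)/(count-1), 0)\
| eval savedsearch_id = 'eai:acl.owner'.";".'eai:acl.app'.";".title\
| fields savedsearch_id, cron_schedule, schedule_interval ]\
| eval runtime = round(runtime, 0)\
| eval avg_exec_latency = round(avg_exec_latency, 0)\
| eval search_workload = round(runtime / schedule_interval * 100, 2)\
| eval skip_ratio = round(skipped_exec / total_exec * 100, 2)\
| sort - search_workload\
| eval search_workload = search_workload." %"\
| eval skip_ratio = skip_ratio." %"\
| fields savedsearch_name, app, user, cron_schedule, schedule_interval, runtime, search_workload, total_exec, skipped_exec, skip_ratio, deferred_exec, avg_exec_latency\
| rename savedsearch_name as "Report Name", app as App, user as User, cron_schedule as "Cron Schedule", runtime as "Average Runtime (sec)", total_exec as "Total Executions", skip_ratio as "Skip Ratio", skipped_exec as "Skipped Executions", deferred_exec AS "Deferred Executions", schedule_interval as "Schedule Interval (sec)", search_workload as "Interval Load Factor", avg_exec_latency AS "Average Execution Latency (sec)"
disabled = 0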
[AD Objects - Scheduled Search - Skipped Reasons]
# App health: skipped scheduler runs of the ms_ad_obj_sched_* searches today, grouped per report with
# each skip reason and its count, the time of the last skip and the configured alert actions.
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = @d
dispatch.latest_time = now
display.general.type = visualizations
display.page.search.tab = visualizations
display.visualizations.charting.chart.showDataLabels = all
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = index=_internal sourcetype=scheduler status="skipped" savedsearch_name="ms_ad_obj_sched_*"\
| eval alert_actions = if(isnull(alert_actions) OR alert_actions == "", "none", alert_actions)\
| eval reason = if(isnull(reason) OR reason == "", "none", reason)\
| stats count AS count values(alert_actions) AS alert_actions, max(_time) AS l_time by savedsearch_name, reason\
| eval reason_and_count = reason." (".count.")"\
| eval l_time=strftime(l_time,"%m/%d/%y %I:%M:%S %P")\
| stats values(l_time) AS "Last Time Skipped",values(reason_and_count) AS reasons first(alert_actions) AS alert_actions by savedsearch_name\
| rename reasons AS "Skip Reason (Skip Count)" alert_actions AS "Alert Actions" savedsearch_name AS "Report Name"
#################################################
##### Extra Help - Tools - Searches #####
#################################################
[AD Objects - Tools - Lookup Field List]
# Tool: renders the GPO lookup's raw input and base output field names from lookup_field_lists.csv as
# two comma-joined strings.
# NOTE(review): `table AD_Obj_GroupPolicies_LDAP*` keeps only fields with that prefix, while the next
# stats reads AD_Obj_GPO-base_in / AD_Obj_GPO-base_out, which the prefix does not match — one of the
# two looks stale; confirm against the CSV header before relying on this output.
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = @d
dispatch.latest_time = now
display.general.type = visualizations
display.page.search.tab = visualizations
display.visualizations.charting.chart.showDataLabels = all
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = | inputlookup lookup_field_lists.csv \
| table AD_Obj_GroupPolicies_LDAP* \
| stats values(AD_Obj_GPO-base_in) AS raw_in_fields, values(AD_Obj_GPO-base_out) AS base_out_fields \
| eval raw_in_fields=mvjoin(raw_in_fields,",") \
| eval base_out_fields=mvjoin(base_out_fields,",")
[Admin_Extra_Field_Sizing_Analysis]
# Admin aid: per-field value counts, byte totals and percentages for the Windows event log eventtype,
# derived from fieldsummary; Splunk-internal fields (date*, punct, host, index, ...) are excluded.
# The inline earliest=-15m latest=now in the search string overrides the stanza's -24h@h dispatch window.
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","Workstation_Name","src_ip","Source_Network_Address","src_nt_host","src_user","src_user_type","user","user_type","src","Logon_Type","member_id","member_dn","cn","distinguishedName","DN","group_name","group_id"]
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = eventtype=ms_ad_obj_wineventlog_index earliest=-15m latest=now\
| fieldsummary \
| rex field=values max_match=0 "value\":\"(?<values>[^\"]*)\","\
| mvexpand values \
| eval bytes=len(values)\
| rex field=field "^(?!date|punct|host|hostip|index|linecount|source|sourcetype|timeendpos|timestartpos|splunk_server)(?<FieldName>.*)"\
| stats count sum(bytes) as SumOfBytesInField values(values) as Values max(bytes) as MaxFieldLengthInBytes by FieldName\
| rename count as NumberOfValuesPerField\
| eventstats sum(NumberOfValuesPerField) as TotalEvents sum(SumOfBytesInField) as TotalBytes\
| eval PercentageOfTotalEvents=round(NumberOfValuesPerField/TotalEvents*100,2)\
| eval PercentageOfTotalBytes=round(SumOfBytesInField/TotalBytes*100,2)\
| eval ConsumedMB=SumOfBytesInField/1024/1024\
| eval TotalMB=TotalBytes/1024/1024\
| table FieldName NumberOfValuesPerField SumOfBytesInField ConsumedMB PercentageOfTotalBytes PercentageOfTotalEvents\
| addcoltotals labelfield=FieldName label=Totals\
| sort - PercentageOfTotalEvents
[ms_ad_obj_dev_user_delete_missing_fields]
# Developer aid: lists the expected user-object attributes that admon Deleted events (eventtype
# ms_ad_obj_msad_data, objectClass top|person|organizationalPerson|user) do not carry, by left-joining
# the static field list against fieldsummary output and keeping the names with no values.
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = | makeresults \
| eval field="DomainDNSName,OU,accountExpires,adminCount,badPasswordTime,badPwdCount,c,cn,orig_cn,codePage,countryCode,dSCorePropagationData,dcName,deletedDate,department,description,displayName,distinguishedName,dn,dn_path,domain,givenName,guid_lookup,initials,instanceType,isCriticalSystemObject,isDeleted,isRecycled,l,lastKnownParent,lastLogon,lastLogonTimestamp,last_evt_flg,lockoutTime,logonCount,logonHours,managedBy,memberOf,msDS-SupportedEncryptionTypes,name,objectCategory,objectClass,objectGUID,objectSid,physicalDeliveryOfficeName,postalCode,primaryGroupID,pwdLastSet,sAMAccountName,sAMAccountType,servicePrincipalName,showInAdvancedViewOnly,sid_lookup,sn,st,streetAddress,title,uSNChanged,uSNCreated,userAccountControl,userPrincipalName,userWorkstations,whenChanged,whenCreated" \
| makemv delim="," field \
| eval match="true" \
| mvexpand field \
| table field, match\
| join field type=left \
[search eventtype=ms_ad_obj_msad_data (admonEventType=Deleted) objectClass="top|person|organizationalPerson|user" \
| fieldsummary \
| table field, match, values] \
| table field, match, values \
| sort match, field\
| search NOT values="[{*"\
| stats values(field) AS field\
| eval field=mvjoin(field,",")
## Directory Services - Verify Field Extractions:
[AD Objects - Directory Services - Field Extractions]
# Verifies the Directory Service object audit extractions on EventCodes 5136/5137/5138/5139/5141
# (object modified/created/undeleted/moved/deleted): msad_action, distinguishedName, Object_Type and
# Object_Name_Guid are parsed from _raw and tabulated per action, with "Empty" standing in for misses.
# NOTE(review): stats reads a field named Class that no rex here extracts — presumably auto-extracted
# from the event; verify it is populated.
alert.track = 0
auto_summarize.dispatch.earliest_time = -1d@h
search = `ms_obj_win_events_security` (EventCode=5136 OR EventCode=5137 OR EventCode=5138 OR EventCode=5139 OR EventCode=5141)\
| rex field=_raw "(?msi)Message\=A\sdirectory\sservice\sobject\swas\s(?<msad_action>[^\.]+)"\
| rex field=_raw "(?msi)Object:(\s+|\n|\r).*DN\:\s+(?<distinguishedName>[^(\r|\n)]+)(\s+|\n|\r).*Class\:\s+(?<Object_Type>[^(\r|\n)]+)"\
| rex field=_raw "(?msi)(Object Type\:|Object\:)(\s+|\n|\r).*(Object\sName|GUID)\:\s+CN(=\"|=\{)(?<Object_Name_Guid>[^(\"|\})]+)"\
| fillnull value="Empty" Object_Type, distinguishedName, Object_Name_Guid, msad_action\
| stats values(Class) AS Classes, values(distinguishedName) AS distinguishedName, values(Object_Type) AS Object_Type,values(Object_Name_Guid) AS Object_Name_Guid by msad_action
###--------------------------------------------------------###
#--- File Audit and ACL Reports ---#
###--------------------------------------------------------###
## User Access Control Details ##
[AD Objects - File ACL - Base List]
# File ACL inventory from sourcetype WinDirAcl (ms__obj_win_api_index macro): each bracketed ACE entry
# is captured as object_acls and its IdentityReference/FileSystemRights/AccessControlType/IsInherited/
# InheritanceFlags/PropagationFlags values are parsed by regex, then grouped per object path.
# The regex expects the JSON keys in exactly that order; an entry with a different key order is skipped.
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.charting.chart = bar
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms__obj_win_api_index` sourcetype="WinDirAcl"\
| rex max_match=0 "(?:\[)(?<object_acls>[^\]]+)"\
| rex max_match=0 "(?:\"IdentityReference\"\:\")(?<IdentityReference>[^\"]+)\"\,\"FileSystemRights\"\:\"(?<FileSystemRights>[^\"]+)\"\,\"AccessControlType\"\:\"(?<AccessControlType>[^\"]+)\"\,\"IsInherited\"\:\"(?<IsInherited>[^\"]+)\"\,\"InheritanceFlags\"\:\"(?<InheritanceFlags>[^\"]+)\"\,\"PropagationFlags\"\:\"(?<PropagationFlags>[^\"]+)\""\
| stats count,values(IdentityReference) AS IdentityReference,values(object_acls) AS object_acls by object_path,object_last_mod_time,object_size,object_dir_cnt,object_file_cnt
[AD Objects - Audit - Login - Details]
# Audit report: per-user roll-up of success and failure logon attempts (ms_obj_failed_success_logons
# macro) for the last 60 minutes. Logon type names come from AD_Audit_Logon_Types, account UAC flags
# from AD_Obj_User resolved through AD_Obj_UAC, and reasons/source IPs/source hosts are rendered as
# "(count) - value" multivalue columns.
# Source normalisation: the IPv4-mapped prefix "::ffff:" and the IPv6 loopback "::1" are stripped;
# a missing, empty, "-" or 127.0.0.1 source is replaced by the reporting host.
# Sub_Status 0xC0000064 is labelled "Non-Domain Account" in Failure_Reason.
# NOTE(review): Logon_User is lowercased before the join while the lookup's sAMAccountName is used as-is —
# confirm the case matches, otherwise uac_details falls back to "Not Available".
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -60m@m
dispatch.latest_time = now
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_failed_success_logons("user")`\
| fields user, status, _time, host,src_ip,src_nt_host,signature,Failure_Reason,Logon_Type,Sub_Status\
| lookup AD_Audit_Logon_Types Logon_Type OUTPUT Logon_TypeName\
| eval Logon_User=lower(user)\
| eval src_ip=replace(src_ip,"::ffff:|::1","")\
| eval src_nt_host=if(isnull(src_nt_host),if(isnull(src_ip) OR src_ip=="127.0.0.1" OR src_ip=="" OR src_ip=="-",upper(host),src_ip),src_nt_host)\
| eval src_ip=if(isnull(src_ip) OR src_ip=="127.0.0.1" OR src_ip=="" OR src_ip=="-",host,src_ip)\
| fillnull value="Not In Event" src_nt_host, src_ip,Failure_Reason,signature\
| eval Session_Status="Audit ".status\
| eval Failure_Reason=if(Sub_Status=="0xC0000064","Non-Domain Account - ".Failure_Reason,Failure_Reason)\
| fields _time, host,src_ip,src_nt_host,Logon_User, status, Session_Status,signature,Failure_Reason,Logon_TypeName\
| stats count,values(Logon_TypeName) AS Logon_Type by _time, host,src_ip,src_nt_host,Logon_User, status, Session_Status,signature,Failure_Reason\
| eval Success_count=if(status=="success",1,0)\
| eval Failure_count=if(status=="failure",1,0)\
| join type=left Logon_User [| inputlookup AD_Obj_User | fields userAccountControl,sAMAccountName | lookup AD_Obj_UAC userAccountControl OUTPUT uac_details| rename sAMAccountName as Logon_User | table uac_details,Logon_User]\
| eval Failure_Reason=if(isnull(Failure_Reason) OR Failure_Reason=="Not In Event",status.": ".signature,status.": ".Failure_Reason)\
| fillnull value="Not Available" uac_details\
| eventstats count AS Failure_Reason_cnt by Failure_Reason,Logon_User\
| eventstats count AS src_ip_cnt by src_ip,Logon_User\
| eventstats count AS src_nt_host_cnt by src_nt_host,Logon_User\
| eval Failure_Reason="(".Failure_Reason_cnt.") - ".Failure_Reason\
| eval src_ip="(".src_ip_cnt.") - ".src_ip\
| eval src_nt_host="(".src_nt_host_cnt.") - ".src_nt_host\
| sort - src_ip_cnt, - src_nt_host_cnt\
| stats count AS Total_Attempts, sum(Success_count) AS Success_Count, sum(Failure_count) AS Failure_Count, values(Logon_Type) AS Logon_Types, values(Failure_Reason) AS Failure_Reason,values(src_ip) AS src_ip,values(src_nt_host) AS src_nt_host by Logon_User,uac_details\
| sort -Total_Attempts\
| makemv delim=":" uac_details\
| eval src_nt_host=mvsort(src_nt_host)
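[AD Objects - Audit - Login - Expired Disabled]
# Audit report: logon attempts (ms_obj_failed_success_logons macro, so successes are included) against
# accounts the AD_Obj_User lookup marks as disabled (uac_details contains "Disabled") or whose
# accountExpires timestamp is already in the past, with per-user "(count) - value" lists of source IPs,
# source hosts and the top ten reasons. Total_Failed_Attempts sums every attempt the macro returns.
# accountExpires is parsed with strptime("%I:%M.%S %P, %a %m/%d/%Y") into accountExpires_utc in three
# places; the WHERE and user_state comparisons read that exact field name, so a misspelling there would
# silently compare against null and report only disabled accounts.
# The disabled flag is computed while uac_details is still the ":"-joined string, before makemv.
# NOTE(review): uac_details is read straight from AD_Obj_User here, whereas the login detail report derives
# it through the AD_Obj_UAC lookup — confirm the lookup carries that column.
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -7d@h
dispatch.latest_time = now
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_failed_success_logons("user")` [| inputlookup AD_Obj_User| fields accountExpires, uac_details, whenChanged,sAMAccountName| makemv delim=":" uac_details | eval uac_filter=if(match(uac_details, "Disabled"),"True","False") | eval accountExpires_utc=round(strptime(accountExpires,"%I:%M.%S %P, %a %m/%d/%Y"),0)| WHERE uac_filter=="True" OR accountExpires_utc<now()| rename sAMAccountName AS search | stats count by search | fields search| format]\
| fields user, status, _time, host,src_ip,Failure_Reason,signature,src_nt_host\
| eval src_ip=replace(src_ip,"::ffff:|::1","")\
| eval src_nt_host=if(isnull(src_nt_host),if(isnull(src_ip) OR src_ip=="127.0.0.1" OR src_ip=="" OR src_ip=="-",upper(host),src_ip),src_nt_host)\
| eval src_ip=if(isnull(src_ip) OR src_ip=="127.0.0.1" OR src_ip=="" OR src_ip=="-",host,src_ip)\
| fillnull value="Not In Event" src_nt_host, src_ip\
| eval Failure_Reason=if(isnull(Failure_Reason),signature,Failure_Reason)\
| stats count by src_ip,src_nt_host, user,Failure_Reason\
| join user [| inputlookup AD_Obj_User | fields cn,accountExpires, uac_details, whenChanged,sAMAccountName | eval uac_filter=if(match(uac_details, "Disabled"),"True","False") | eval accountExpires_utc=round(strptime(accountExpires,"%I:%M.%S %P, %a %m/%d/%Y"),0)| WHERE uac_filter=="True" OR accountExpires_utc<now()| rename sAMAccountName AS user | table cn,accountExpires, uac_details, whenChanged,user]\
| sort -count\
| eval cn=if(isnull(cn),user,cn)\
| eventstats sum(count) AS f_cnt by user,Failure_Reason\
| eventstats sum(count) AS s_ip_cnt by src_ip,user\
| eventstats sum(count) AS shst_ip_cnt by src_nt_host,user\
| eval Source_IPs="(".tostring(s_ip_cnt,"commas").") - ".src_ip\
| eval Source_Systems="(".tostring(shst_ip_cnt,"commas").") - ".src_nt_host\
| eval Top_Reasons="(".tostring(f_cnt,"commas").") - ".Failure_Reason\
| stats list(Source_IPs) AS Source_IPs, list(Source_Systems) AS Source_Systems, list(Top_Reasons) AS Top_Reasons, sum(count) AS Total_Failed_Attempts by user,cn, uac_details, accountExpires, whenChanged\
| sort -Total_Failed_Attempts\
| eval uac_filter=if(match(uac_details, "Disabled"),"True","False")\
| makemv delim=":" uac_details\
| eval Source_IPs=mvdedup(Source_IPs),Source_Systems=mvdedup(Source_Systems)\
| eval accountExpires_utc=round(strptime(accountExpires,"%I:%M.%S %P, %a %m/%d/%Y"),0)\
| eval user_state=if(accountExpires_utc<now(),"Expired At (".accountExpires.")",if(uac_filter=="True", "Disabled At (".whenChanged.")","NA"))\
| eval Top_Reasons=mvindex(mvdedup(Top_Reasons),0,9)\
| table user,cn,user_state, uac_details, accountExpires,whenChanged,Total_Failed_Attempts,Source_IPs, Source_Systems,Top_Reasons\
| rename user AS Logon_User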
[AD Objects - Audit - Login - Failed - Non-Domain Users]
# Audit report: failed logons whose Sub_Status is 0xC0000064 (labelled "Non-Domain Account" elsewhere
# in this file), counted per day, target account, reporting host and workstation over the last 30 days.
# Workstation_Name is lowercased; when the event carries none, the reporting host is used instead.
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_failed_logons("user")` Sub_Status=0xC0000064\
| eval Date=strftime(_time, "%m/%d/%Y") \
| eval Workstation_Name=if(isnull(Workstation_Name),host,lower(Workstation_Name))\
| stats count by Date, user, host, Workstation_Name \
| rename count as "Attempts" \
| sort -Date -Attempts \
| rename user as "Target Account" host as "Host"
[AD Objects - Audit - Login - Failed Logons - Basic]
# Audit report: today's failed logons (ms_obj_failed_logons macro), one row per distinct event tuple,
# with the same source normalisation and Sub_Status 0xC0000064 labelling as "Audit - Login - Details"
# but without the per-user roll-up and UAC join.
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = @d
dispatch.latest_time = now
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_failed_logons("user")`\
| fields user, status, _time, host,src_ip,src_nt_host,signature,Failure_Reason,Logon_Type,Sub_Status\
| lookup AD_Audit_Logon_Types Logon_Type OUTPUT Logon_TypeName\
| eval Logon_User=lower(user)\
| eval src_ip=replace(src_ip,"::ffff:|::1","")\
| eval src_nt_host=if(isnull(src_nt_host),if(isnull(src_ip) OR src_ip=="127.0.0.1" OR src_ip=="" OR src_ip=="-",upper(host),src_ip),src_nt_host)\
| eval src_ip=if(isnull(src_ip) OR src_ip=="127.0.0.1" OR src_ip=="" OR src_ip=="-",host,src_ip)\
| fillnull value="Not In Event" src_nt_host, src_ip,Failure_Reason,signature\
| eval Session_Status="Audit ".status\
| eval Failure_Reason=if(Sub_Status=="0xC0000064","Non-Domain Account - ".Failure_Reason,Failure_Reason)\
| fields _time, host,src_ip,src_nt_host,Logon_User, status, Session_Status,signature,Failure_Reason,Logon_TypeName\
| stats count,values(Logon_TypeName) AS Logon_Type by _time, host,src_ip,src_nt_host,Logon_User, status, Session_Status,signature,Failure_Reason
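[AD Objects - Audit - Login - Success Ratio]
# Audit report: per-user success/failure ratio of today's logon attempts (ms_obj_failed_success_logons
# macro) with first/last attempt times and the number of distinct source hosts.
# The leading fields command keeps src_nt_host and Logon_Type, because the later eval and
# dc()/values() read them; without that they are dropped and every event falls back to host/src_ip.
# Source normalisation matches the other login reports ("::ffff:"/"::1" stripped, local or empty
# sources replaced by the reporting host).
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = @d
dispatch.latest_time = now
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_failed_success_logons("user")` \
| fields user, status, _time, host,src_ip,src_nt_host,Logon_Type\
| eval src_ip=replace(src_ip,"::ffff:|::1","")\
| eval src_nt_host=if(isnull(src_nt_host),if(isnull(src_ip) OR src_ip=="127.0.0.1" OR src_ip=="" OR src_ip=="-",upper(host),src_ip),src_nt_host)\
| eval Session_Status="Audit ".status \
| stats max(_time) AS latest, min(_time) AS earliest, count AS sesscount, dc(src_nt_host) AS Session_Host_Count, values(Logon_Type) AS Session_Types, count(eval(status="success")) AS success_count, count(eval(status="failure")) AS fail_count by user \
| eval First_Attempt=strftime(earliest, "%m/%d/%Y %H:%M:%S") \
| eval Last_Attempt=strftime(latest, "%m/%d/%Y %H:%M:%S") \
| eval Fail_Percent=round((fail_count/sesscount)*100,2)\
| eval Total_Attempts=fail_count+success_count \
| sort -Fail_Percent, - Total_Attempts \
| eval Fail_Percent=Fail_Percent."%"\
| eval Success_Percent=round((success_count/sesscount)*100,2)."%" \
| table user, Session_Host_Count, Total_Attempts, Fail_Percent, Success_Percent, First_Attempt, Last_Attempt\
| rename user AS Logon_User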
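[AD Objects - Audit - Login - User Locked Events]
# Audit report: account lockouts (EventCode 4740) over the last 30 days. Lockouts for the same user
# within 5 seconds are collapsed into one transaction; display name and DN come from AD_Obj_User and
# the "\\" prefix is stripped from Caller_Computer_Name. Total_Lockouts counts transactions per user.
# The leading fields command keeps only _time, user and Caller_Computer_Name, so nothing downstream
# may read other raw event fields.
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_win_events_security` EventCode=4740\
| fields _time, user,Caller_Computer_Name\
| transaction user maxpause=5s \
| eval Locked_Time=strftime(_time, "%m/%d/%Y %H:%M:%S") \
| join type=left user [| inputlookup AD_Obj_User | fields displayName, distinguishedName,sAMAccountName | rename sAMAccountName as user | table displayName, distinguishedName,user]\
| fillnull value="Account Not Found" displayName\
| rex field=Caller_Computer_Name "\\\\\\\(?<Caller_Computer_Name>[^$]+)" \
| eventstats count AS Total_Lockouts by user\
| table Locked_Time, user, displayName, Caller_Computer_Name,distinguishedName,Total_Lockouts \
| rename user as "User Name", displayName as "Display Name", Caller_Computer_Name as "Source Computer Name"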
[AD Objects - Audit - Login - Computer]
# Audit report: the "Audit - Login - Details" pipeline fed by ms_obj_failed_success_logons("computer"),
# i.e. machine-account logons in the last 60 minutes rolled up per account with "(count) - value"
# reason/source columns. uac_details is read straight from AD_Obj_User here rather than via AD_Obj_UAC.
# NOTE(review): the UAC join reads AD_Obj_User although the events are computer-account logons —
# confirm that lookup lists machine accounts, otherwise uac_details is always "Not Available".
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -60m@m
dispatch.latest_time = now
display.general.type = statistics
display.page.search.mode = fast
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_failed_success_logons("computer")`\
| fields user, status, _time, host,src_ip,src_nt_host,signature,Failure_Reason,Logon_Type,Sub_Status\
| lookup AD_Audit_Logon_Types Logon_Type OUTPUT Logon_TypeName\
| eval Logon_User=lower(user)\
| eval src_ip=replace(src_ip,"::ffff:|::1","")\
| eval src_nt_host=if(isnull(src_nt_host),if(isnull(src_ip) OR src_ip=="127.0.0.1" OR src_ip=="" OR src_ip=="-",upper(host),src_ip),src_nt_host)\
| eval src_ip=if(isnull(src_ip) OR src_ip=="127.0.0.1" OR src_ip=="" OR src_ip=="-",host,src_ip)\
| fillnull value="Not In Event" src_nt_host, src_ip,Failure_Reason,signature\
| eval Session_Status="Audit ".status\
| eval Failure_Reason=if(Sub_Status=="0xC0000064","Non-Domain Account - ".Failure_Reason,Failure_Reason)\
| fields _time, host,src_ip,src_nt_host,Logon_User, status, Session_Status,signature,Failure_Reason,Logon_TypeName\
| stats count,values(Logon_TypeName) AS Logon_Type by _time, host,src_ip,src_nt_host,Logon_User, status, Session_Status,signature,Failure_Reason\
| eval Success_count=if(status=="success",1,0)\
| eval Failure_count=if(status=="failure",1,0)\
| join type=left Logon_User [| inputlookup AD_Obj_User | fields uac_details,sAMAccountName | rename sAMAccountName as Logon_User | table uac_details,Logon_User]\
| eval Failure_Reason=if(isnull(Failure_Reason) OR Failure_Reason=="Not In Event",status.": ".signature,status.": ".Failure_Reason)\
| fillnull value="Not Available" uac_details\
| eventstats count AS Failure_Reason_cnt by Failure_Reason,Logon_User\
| eventstats count AS src_ip_cnt by src_ip,Logon_User\
| eventstats count AS src_nt_host_cnt by src_nt_host,Logon_User\
| eval Failure_Reason="(".Failure_Reason_cnt.") - ".Failure_Reason\
| eval src_ip="(".src_ip_cnt.") - ".src_ip\
| eval src_nt_host="(".src_nt_host_cnt.") - ".src_nt_host\
| sort - src_ip_cnt, - src_nt_host_cnt\
| stats count AS Total_Attempts, sum(Success_count) AS Success_Count, sum(Failure_count) AS Failure_Count, values(Logon_Type) AS Logon_Types, values(Failure_Reason) AS Failure_Reason,values(src_ip) AS src_ip,values(src_nt_host) AS src_nt_host by Logon_User,uac_details\
| sort -Total_Attempts\
| makemv delim=":" uac_details\
| eval src_nt_host=mvsort(src_nt_host)
# Security events (since start of today) that mention a critical user object.
# The whole filter is produced by the subsearch: cn values from
# AD_Audit_Default_Critical_Objects are joined to their dn in AD_Obj_User and
# emitted as a quoted, OR-joined term list. For "Administrator" and "Guest"
# only the dn is searched as free text and explicit user="cn / src_user="cn
# terms are appended; for every other object both cn and dn are searched.
# The replace() at the end re-opens the quotes around user= / src_user= so
# the field-scoped terms are not swallowed into plain string literals.
[AD Objects - Audit - Critical Users - Events]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = @d
dispatch.latest_time = now
display.page.search.mode = verbose
display.visualizations.charting.chart = bar
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_win_events_security` [| inputlookup AD_Audit_Default_Critical_Objects\
| fields cn\
| join type=left cn [| inputlookup AD_Obj_User | fields cn, dn | table cn,dn]\
| eval user=if(cn="Administrator" OR cn="Guest","user=\"".cn,NULL),src_user=if(cn="Administrator" OR cn="Guest","src_user=\"".cn,NULL)\
| eval search=if(cn="Administrator" OR cn="Guest",dn,cn."|".dn)\
| makemv delim="|" search\
| eval search=mvappend(search,user,src_user)\
| stats values(search) AS search\
| search search=*\
| eval search=replace(replace("\"".mvjoin(search,"\" OR \"")."\"","\"user\=","user="),"\"src_user\=","src_user=")\
| table search]
# All user-object change events over the last 30 days; both the base search
# and the output formatting live in the two macros, with AD_Obj_User supplying
# the object details for the change summary.
[AD Objects - Audit - Changes - Users]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart.showDataLabels = all
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_changes_base_cat("User")`\
| `ms_obj_md_user_change_cmb("AD_Obj_User")`
# Lookup-only report: every OU with a non-empty gpo_link, one row per OU, with
# each linked GPO resolved to its displayName (Linked_GPO) via AD_Obj_GPO.
# gpo_link is expanded before the join so multi-link OUs resolve every GPO,
# then re-aggregated into multivalue Linked_GPO / gpo_link fields.
[AD Objects - OU - GPO Linked]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = @d
dispatch.latest_time = now
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = | inputlookup AD_Obj_OU WHERE gpo_link!=""\
| table OU,displayName,name,objectClass,distinguishedName,Linked_GPO,gpo_link,objectCategory,whenChanged,whenCreated\
| mvexpand gpo_link\
| join type=left gpo_link [|inputlookup AD_Obj_GPO | rename displayName AS Linked_GPO | table gpo_link,Linked_GPO]\
| stats values(Linked_GPO) AS Linked_GPO, values(gpo_link) AS gpo_link by OU,displayName,name,objectClass,distinguishedName,objectCategory,whenChanged,whenCreated\
| table OU,displayName,name,objectClass,distinguishedName,Linked_GPO,gpo_link,objectCategory,whenChanged,whenCreated
# Computer-object change events over the last 24 hours, formatted by the
# computer change macro with AD_Obj_Computer as the detail source.
# NOTE(review): no dispatch.latest_time is set (sibling stanzas use "now");
# presumably the default upper bound applies — confirm.
[AD Objects - Audit - Changes - Computers]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart.showDataLabels = all
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_changes_base_cat("Computer")`\
| `ms_obj_md_computer_change_cmb("AD_Obj_Computer")`
# Computer objects created in the last 24 hours (action filter "created" is
# passed to the base macro); output formatted by the computer change macro.
[AD Objects - Audit - Created - Computers]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart.showDataLabels = all
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_changes_base_cat_act("Computer","created")`\
| `ms_obj_md_computer_change_cmb("AD_Obj_Computer")`
# Computer objects deleted in the last 24 hours; same macro pair as the other
# Computer audit stanzas, with the action set to "deleted".
[AD Objects - Audit - Deleted - Computers]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart.showDataLabels = all
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_changes_base_cat_act("Computer","deleted")`\
| `ms_obj_md_computer_change_cmb("AD_Obj_Computer")`
# Computer objects restored (undeleted) in the last 24 hours; same macro pair
# as the other Computer audit stanzas, with the action set to "undeleted".
[AD Objects - Audit - Undeleted - Computers]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart.showDataLabels = all
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_changes_base_cat_act("Computer","undeleted")`\
| `ms_obj_md_computer_change_cmb("AD_Obj_Computer")`
# Computer objects moved in the last 24 hours; same macro pair as the other
# Computer audit stanzas, with the action set to "moved".
[AD Objects - Audit - Moved - Computers]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart.showDataLabels = all
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_changes_base_cat_act("Computer","moved")`\
| `ms_obj_md_computer_change_cmb("AD_Obj_Computer")`
# User objects created in the last 24 hours; the user change macro formats the
# output with AD_Obj_User as the detail source.
[AD Objects - Audit - Created - Users]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart.showDataLabels = all
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_changes_base_cat_act("User","created")`\
| `ms_obj_md_user_change_cmb("AD_Obj_User")`
# User objects deleted in the last 24 hours; same macro pair as the other User
# audit stanzas, with the action set to "deleted".
[AD Objects - Audit - Deleted - Users]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart.showDataLabels = all
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_changes_base_cat_act("User","deleted")` \
| `ms_obj_md_user_change_cmb("AD_Obj_User")`
# User objects restored (undeleted) in the last 24 hours; same macro pair as
# the other User audit stanzas, with the action set to "undeleted".
[AD Objects - Audit - Undeleted - Users]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart.showDataLabels = all
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_changes_base_cat_act("User","undeleted")`\
| `ms_obj_md_user_change_cmb("AD_Obj_User")`
# User objects moved between containers; same macro pair as the other User
# audit stanzas, with the action set to "moved".
# NOTE(review): dispatch.earliest_time = 0 runs over all indexed time, while
# the Created/Deleted/Undeleted User stanzas use -24h@h. An unbounded scan of
# the security event index is costly on every run — confirm this is intended.
[AD Objects - Audit - Moved - Users]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = 0
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart.showDataLabels = all
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_changes_base_cat_act("User","moved")`\
| `ms_obj_md_user_change_cmb("AD_Obj_User")`
# Group membership add/remove events, formatted by the group-membership macro
# and renamed to display headings (Target_Group, Action, Target Member, ...).
# NOTE(review): dispatch.earliest_time = 0 searches all indexed time; the
# other "Changes" stanzas bound the window (-24h@h / -30d@d) — confirm.
[AD Objects - Audit - Changes - Group Membership]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = 0
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart.showDataLabels = all
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_changes_base_cat("Group Membership")`\
| `ms_obj_groupmembership_change_out`\
| rename group_obj_nm as "Target_Group",MSADGroupClass as "Class",msad_action AS "Action",member AS "Target Member",member_obj_lkp AS "Target Member Lookup",MSADGroupType as "Type",adminuser as "Admin User",MSADChanges as "Changes"
# Group objects created in the last 24 hours. The member column produced by
# the output macro is dropped since a newly created group carries no members
# of interest here; remaining fields are renamed to display headings.
[AD Objects - Audit - Created - Group]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart.showDataLabels = all
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_changes_base_cat_act("Group","created")` \
| `ms_obj_group_change_out`\
| fields - member\
| rename adminuser as "Administrator",msad_action as "Action",group_obj_nm as "Group Name",MSADGroupType as "Group Type",MSADGroupClass AS "Group Class",signature as "Changes"
# Group objects deleted in the last 24 hours; same shape as the Created -
# Group stanza (member column dropped, display renames applied).
[AD Objects - Audit - Deleted - Group]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart.showDataLabels = all
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_changes_base_cat_act("Group","deleted")`\
| `ms_obj_group_change_out`\
| fields - member\
| rename adminuser as "Administrator",msad_action as "Action",group_obj_nm as "Group Name",MSADGroupType as "Group Type",MSADGroupClass AS "Group Class",signature as "Changes"
# Group objects restored (undeleted) in the last 24 hours; same shape as the
# Created - Group stanza (member column dropped, display renames applied).
[AD Objects - Audit - Undeleted - Group]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart.showDataLabels = all
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_changes_base_cat_act("Group","undeleted")`\
| `ms_obj_group_change_out`\
| fields - member\
| rename adminuser as "Administrator",msad_action as "Action",group_obj_nm as "Group Name",MSADGroupType as "Group Type",MSADGroupClass AS "Group Class",signature as "Changes"
# Group objects moved between containers; same shape as the Created - Group
# stanza (member column dropped, display renames applied).
# NOTE(review): dispatch.earliest_time = 0 searches all indexed time, unlike
# the -24h@h window on the Created/Deleted/Undeleted Group stanzas — confirm.
[AD Objects - Audit - Moved - Group]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = 0
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart.showDataLabels = all
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_changes_base_cat_act("Group","moved")` \
| `ms_obj_group_change_out`\
| fields - member\
| rename adminuser as "Administrator",msad_action as "Action",group_obj_nm as "Group Name",MSADGroupType as "Group Type",MSADGroupClass AS "Group Class",signature as "Changes"
# Security events touching a critical group. The subsearch resolves each cn in
# AD_Audit_Default_Critical_Objects to its dn via AD_Obj_Group, keeps only the
# ones that resolved (lkp_dn=*), and `format` turns the dn list into an
# OR-joined filter that is appended to the base security-event macro.
# Output is formatted by the group change macro and renamed for display.
# NOTE(review): dispatch.earliest_time = 0 searches all indexed time.
[AD Objects - Audit - Critical Groups - Events]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = 0
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.charting.chart = bar
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_win_events_security`\
[| inputlookup AD_Audit_Default_Critical_Objects\
| fields cn\
| join type=left cn [| inputlookup AD_Obj_Group | fields cn, dn | rename dn AS lkp_dn | table cn,lkp_dn]\
| search lkp_dn=*\
| stats values(lkp_dn) AS search\
| format]\
| `ms_obj_group_change_out`\
| rename adminuser as "Administrator",msad_action as "Action",group_obj_nm as "Target_Group",MSADGroupType as "Target Group Type",MSADGroupClass AS "Target Group Class",member AS "Target Member",MSADChanges as "Changes"
# Group -> user membership listing (lookup-only). For every group with
# membercount != "0", each member DN is expanded and resolved against
# AD_Obj_User; resolved users are rendered as UserDomain\sAMAccountName.
# Members that are not users (computers, nested groups) stay in the member
# list but leave User/UserDN empty; after re-aggregation those empties are
# filtered out and groups with UserCount = 0 are dropped.
[AD Objects - Group Lookup - Members and UsersList]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = 0
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart.showDataLabels = all
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = | inputlookup AD_Obj_Group WHERE membercount!="0"\
| fields cn,member,domain,dn,description,membercount\
| rename cn AS GroupName, domain AS GroupDomain,dn AS GroupDN\
| mvexpand member\
| lookup AD_Obj_User dn AS member OUTPUT distinguishedName AS member,dn AS UserDN,sAMAccountName AS User,domain AS UserDomain\
| eval User=if(isnull(User),NULL,UserDomain."\\".User)\
| fillnull value="" description, GroupDomain, GroupName, GroupDN,User,UserDN,UserDomain\
| stats max(membercount) AS membercount,list(member) AS member, list(User) AS User,list(UserDN) AS UserDN by GroupDN,GroupName, GroupDomain, description\
| eval User=mvfilter(User!=""),UserDN=mvfilter(UserDN!="")\
| eval UserCount=if(mvcount(User)>0,mvcount(User),0)\
| search UserCount>0
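# Group -> computer membership listing (lookup-only). For every group with
# membercount != "0", each member DN is expanded and resolved against
# AD_Obj_Computer; resolved computers are rendered as
# ComputerDomain\sAMAccountName. Non-computer members stay in the member list
# but leave Computer/ComputerDN empty; those empties are filtered out after
# re-aggregation and groups with ComputerCount = 0 are dropped.
# The eval only builds Computer: this search never produces User/UserDomain or
# EmbGroup/EmbGroupDomain (those belong to the UsersList / EmbGroupList
# siblings), so evaluating them here was dead code.
[AD Objects - Group Lookup - Members and ComputerList]
action.email.useNSSubject = 1
dispatch.earliest_time = 0
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart.showDataLabels = all
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = | inputlookup AD_Obj_Group WHERE membercount!="0"\
| fields cn,member,domain,dn,description,membercount\
| rename cn AS GroupName, domain AS GroupDomain,dn AS GroupDN\
| mvexpand member\
| lookup AD_Obj_Computer dn AS member OUTPUT distinguishedName AS member,dn AS ComputerDN,sAMAccountName AS Computer,domain AS ComputerDomain\
| eval Computer=if(isnull(Computer),NULL,ComputerDomain."\\".Computer)\
| fillnull value="" description, GroupDomain, GroupName, GroupDN,Computer,ComputerDN,ComputerDomain\
| stats max(membercount) AS membercount,list(member) AS member,list(Computer) AS Computer,list(ComputerDN) AS ComputerDN by GroupDN,GroupName, GroupDomain, description\
| eval Computer=mvfilter(Computer!=""),ComputerDN=mvfilter(ComputerDN!="")\
| eval ComputerCount=if(mvcount(Computer)>0,mvcount(Computer),0)\
| search ComputerCount>0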
# Group -> nested-group membership listing (lookup-only). Each member DN of a
# non-empty group is resolved against AD_Obj_Group itself; members that are
# groups are rendered as EmbGroupDomain\sAMAccountName, everything else is
# filtered out after re-aggregation, and groups with no nested groups
# (EmbGroupCount = 0) are dropped.
[AD Objects - Group Lookup - Members and EmbGroupList]
action.email.useNSSubject = 1
dispatch.earliest_time = 0
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart.showDataLabels = all
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = | inputlookup AD_Obj_Group WHERE membercount!="0"\
| fields cn,member,domain,dn,description,membercount\
| rename cn AS GroupName, domain AS GroupDomain,dn AS GroupDN\
| mvexpand member\
| lookup AD_Obj_Group dn AS member OUTPUT distinguishedName AS member,dn AS EmbGroupDN,sAMAccountName AS EmbGroup,domain AS EmbGroupDomain\
| eval EmbGroup=if(isnull(EmbGroup),NULL,EmbGroupDomain."\\".EmbGroup)\
| fillnull value="" description, GroupDomain, GroupName, GroupDN,EmbGroup,EmbGroupDN,EmbGroupDomain\
| stats max(membercount) AS membercount,list(member) AS member,list(EmbGroup) AS EmbGroup,list(EmbGroupDN) AS EmbGroupDN by GroupDN,GroupName, GroupDomain, description\
| eval EmbGroup=mvfilter(EmbGroup!=""),EmbGroupDN=mvfilter(EmbGroupDN!="")\
| eval EmbGroupCount=if(mvcount(EmbGroup)>0,mvcount(EmbGroup),0)\
| search EmbGroupCount>0
# Flat listing of every non-empty group with its raw member DNs (lookup-only,
# no member resolution).
[AD Objects - Group Lookup - Members List]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = 0
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart.showDataLabels = all
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = | inputlookup AD_Obj_Group WHERE membercount!="0"\
| rename cn AS GroupName\
| table GroupName, domain, groupType_Name,description, member
# Reverse nesting view (lookup-only): for each group, the groups whose member
# list contains this group's dn (AD_Obj_Group is looked up on member AS dn).
# Sorted by the number of parent groups, descending.
[AD Objects - Group Lookup - Embedded In Group List]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = 0
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart.showDataLabels = all
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = | inputlookup AD_Obj_Group\
| fields cn,dn,domain\
| lookup AD_Obj_Group member AS dn output cn AS Embedded_In_Group,distinguishedName AS Embedded_In_Group_DN\
| rename cn AS Group\
| eval Embedded_Group_Count=mvcount(Embedded_In_Group)\
| sort -Embedded_Group_Count\
| table Group, domain, dn,Embedded_Group_Count,Embedded_In_Group,Embedded_In_Group_DN
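# Group membership changes from Windows Security events, enriched with the
# group's class/scope from AD_Obj_Group.
# adminuser is DOMAIN\src_user when src_nt_domain is present; member is
# built from member_obj_domain\member_obj_id (a leading backslash in
# member_obj_id is stripped), falling back to member_obj_dn, then "NA".
# MSADGroupClassID is mapped to MSADGroupClass via AD_Audit_Group_Type.
# Both subsearches rename distinguishedName to group_obj_dn so the left joins
# on group_obj_dn / user_group can match; the field name must be spelled
# exactly as AD_Obj_Group emits it or the join key is never produced.
# member_id, when present, is split on whitespace (sed swaps each run for
# "###", makemv splits on it) and replaces member.
[AD Objects - Group Lookup - Windows Security Membership Changes]
alert.suppress = 0
alert.track = 0
display.general.type = statistics
display.page.search.tab = statistics
request.ui_dispatch_view = search
search = `ms_obj_changes_base_cat("Group Membership")` \
| fields src_user,src_nt_domain,member_obj_domain,member_obj_id,member_obj_dn,member,MSADGroupClassID,MSADGroupClass,group_obj_dn,member_id,objectGUID,user_group,group_obj_nm,msad_action,MSADGroupType\
| eval adminuser=if(isnull(src_nt_domain),src_user,upper(src_nt_domain)."\\".src_user) \
| eval member=if(isnull(member_obj_domain),replace(member_obj_id,"\x5C{1}",""),member_obj_domain."\\".replace(member_obj_id,"\x5C{1}","")) \
| eval member=if(isnull(member),if(isnull(member_obj_dn),"NA",member_obj_dn),member) \
| lookup AD_Audit_Group_Type MSADGroupClassID OUTPUT MSADGroupClass \
| join type=left group_obj_dn \
[| inputlookup AD_Obj_Group \
| fields cn, MSADGroupClass,MSADGroupType, distinguishedName \
| rename distinguishedName AS group_obj_dn,cn AS group_obj_nm \
| table group_obj_dn,group_obj_nm,MSADGroupClass,MSADGroupType] \
| rex mode=sed field=member_id "s/\s/###/g" \
| makemv delim="###" member_id \
| eval member=if(isnull(member_id),member,member_id) \
| eval objectGUID=if(isnull(objectGUID),lower(ObjectGUID),lower(objectGUID)) \
| join type=left user_group \
[| inputlookup AD_Obj_Group \
| fields objectGUID, cn, MSADGroupClass,MSADGroupType, distinguishedName \
| rename distinguishedName AS group_obj_dn,cn AS user_group \
| table objectGUID,group_obj_dn,user_group,MSADGroupClass,MSADGroupType] \
| table _time,adminuser,MSADGroupClass,MSADGroupType,src_nt_domain,group_obj_nm,msad_action,member \
| rename adminuser as "Administrator",MSADGroupClass as "Type",MSADGroupType as "Scope",src_nt_domain as "Domain",group_obj_nm as "Group",msad_action as "Action",member as "Member" \
| sort -Group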
# Current members of the groups flagged obj_type="group" in
# AD_Audit_Default_Critical_Objects (lookup-only); groups with no members are
# omitted.
[AD Objects - Group Lookup - Critical Members]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = 0
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart.showDataLabels = all
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = | inputlookup AD_Audit_Default_Critical_Objects WHERE obj_type="group"\
| fields cn\
| lookup AD_Obj_Group cn OUTPUT member\
| search member!=""\
| table cn,member
# All group-object change events, formatted by the group change macro; the
# member_obj_lkp column is dropped and the rest renamed to display headings.
# NOTE(review): dispatch.earliest_time = 0 searches all indexed time.
[AD Objects - Audit - Changes - Group]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = 0
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart.showDataLabels = all
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_changes_base_cat("Group")` \
| `ms_obj_group_change_out`\
| fields - member_obj_lkp\
| rename adminuser as "Administrator",msad_action as "Action",group_obj_nm as "Group Name",MSADGroupType as "Group Type",MSADGroupClass AS "Group Class",signature as "Changes"
# OU move events. dest_ou_dn is New_DN when present, else DN; the OU name is
# extracted from the first "OU=" component of that DN. chg_summary is
# assembled with "|" separators and then split by makemv so the correlation
# ID, old DN and new DN render as separate lines in the "Change Details" cell.
# Missing signature/DN/Old_DN/New_DN/Correlation_ID show as "NA".
# NOTE(review): dispatch.earliest_time = 0 searches all indexed time.
[AD Objects - Audit - Moved - OU]
alert.track = 0
dispatch.earliest_time = 0
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.charting.chart = bar
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = `ms_obj_changes_base_cat_act("OU","moved")`\
| eval dest_ou_dn=if(isnull(New_DN),DN,New_DN)\
| rex field=dest_ou_dn "(?i)ou\=(?<ou_name>[^\,]+)"\
| fillnull value="NA" signature,DN,Old_DN,New_DN,Correlation_ID\
| eval chg_summary="OU Moved:| - Event Correlation ID: ".Correlation_ID."| - From: ".Old_DN."| - To: ".New_DN\
| table _time,ou_name,dest_ou_dn,msad_action,EventCode,signature,src_nt_domain,src_user,chg_summary\
| makemv delim="|" chg_summary\
| rename msad_action AS "OU Action",src_nt_domain AS "Admin Domain",src_user AS "Admin User",ou_name AS OU,dest_ou_dn AS "OU DN",chg_summary AS "Change Details"
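# App health: per-sourcetype event counts and first/last event times across
# the indexes named by `ms_ad_obj_cfg_idx_base` (the subsearch expands the
# macro's multivalue index field into an index=... filter for metadata).
# The stats argument list had a stray empty argument (", ,") between lastTime
# and firstTime; it is removed so the command parses unambiguously.
# Times are rendered as "mm/dd/yy hh:mm am/pm"; totalCount gets thousands
# separators.
[AD Objects - App Health - Sourcetype Counts Windows]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = 0
display.events.fields = ["host","source","sourcetype","src_user","user_type","DN"]
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = | metadata type=sourcetypes index=[| `ms_ad_obj_cfg_idx_base`\
| mvexpand index\
| table index]\
| stats max(lastTime) AS lastTime, max(firstTime) AS firstTime, sum(totalCount) AS totalCount by sourcetype\
| sort -totalCount\
| eval totalCount=tostring(totalCount,"commas")\
| eval lastTime=strftime(lastTime,"%m/%d/%y %I:%M %P")\
| eval firstTime=strftime(firstTime,"%m/%d/%y %I:%M %P")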
# App health: one row per index/sourcetype with its event total. The
# `ms_ad_obj_cfg_idx_data` macro returns a "|"-delimited cmb field of
# "sourcetype(count)" entries per index; it is split, expanded and parsed
# with rex into sourcetype and Total_Events.
[AD Objects - App Health - Sourcetypes by Indexes]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = 0
display.events.fields = ["host","source","sourcetype","src_user","user_type","DN"]
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = | `ms_ad_obj_cfg_idx_data`\
| makemv delim="|" cmb\
| mvexpand cmb\
| rex field=cmb "(?<sourcetype>[^\(]+)\((?<Total_Events>[^\)]+)"\
| table index,sourcetype,Total_Events
# App health: full REST index definitions (local search head only,
# splunk_server=local) restricted by an inner join to the indexes the app's
# `ms_ad_obj_cfg_idx_base` macro references. Indexes named by the macro but
# not defined on this instance produce no row.
[AD Objects - App Health - Windows Index Details]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = 0
display.events.fields = ["host","source","sourcetype","src_user","user_type","DN"]
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = | rest /servicesNS/-/-/data/indexes count=0 splunk_server=local\
| table title, *\
| rename title AS index\
| join index [| `ms_ad_obj_cfg_idx_base`\
| mvexpand index\
| table index]
# App health: for every index referenced by an app macro, whether the index
# exists and whether it holds data over the last 30 days.
# flag = 2 when the index was not found (index_flag null), 1 when it exists
# but `ms_ad_obj_cfg_idx_data` returned nothing (data_flag null), else 0;
# flag_msg carries the matching text. sourcetypes shows the "|"-split cmb
# list, or the flag_msg when no sourcetypes came back.
# NOTE(review): the first `sort flag,-Total_Events` runs before flag is
# computed and the second sort at the end decides the order; the first is
# effectively a no-op on flag. Total_Sourcetypes is computed but not listed in
# the final table (the Macro Data Details stanza does list it).
[AD Objects - App Health - Macro Data Summary]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","src_user","user_type","DN"]
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = | `ms_ad_obj_cfg_idx_base`\
| mvexpand index\
| join type=left index [| `ms_ad_obj_cfg_idx_avail` ]\
| join type=left index [| `ms_ad_obj_cfg_idx_data` ]\
| sort flag,-Total_Events\
| eval Total_Sourcetypes=if(isnull(cmb),0,mvcount(cmb))\
| fillnull 0 Total_Events,currentDBSizeMB\
| eval flag=if(isnull(index_flag),2,if(isnull(data_flag),1,0))\
| eval flag_msg=case(flag=2,"index Not Created: ".index,flag=1,"Missing Index Data: ".index,flag=0,"OK: ".index)\
| rename index as macro_index, cmb as sourcetypes\
| fillnull value=0 Total_Events,currentDBSizeMB\
| eval sourcetypes=if(isnull(sourcetypes),flag_msg,sourcetypes)\
| makemv delim="|" sourcetypes\
| sort -flag macro_name\
| table macro_name,macro_definition,macro_index,flag,flag_msg,Total_Events,currentDBSizeMB,sourcetypes
# App health (last 60 minutes): same index/macro coverage check as the
# Macro Data Summary stanza, but flag = 1 ("Missing Index Data") is decided
# by currentDBSizeMB < 2 rather than by the data_flag from the data macro.
# Total_Sourcetypes is counted twice: first from cmb, then recomputed from
# sourcetypes after the makemv split — the second value is the one reported.
# NOTE(review): the first `sort flag,-Total_Events` precedes the flag eval;
# the final `sort -flag macro_name` sets the output order.
[AD Objects - App Health - Macro Data Details]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -60m@m
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","src_user","user_type","DN"]
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = | `ms_ad_obj_cfg_idx_base` \
| mvexpand index \
| join type=left index \
[| `ms_ad_obj_cfg_idx_avail` ] \
| join type=left index \
[| `ms_ad_obj_cfg_idx_data` ] \
| sort flag,-Total_Events\
| eval Total_Sourcetypes=if(isnull(cmb),0,mvcount(cmb)) \
| fillnull 0 Total_Events,currentDBSizeMB \
| eval flag=if(isnull(index_flag),2,if(currentDBSizeMB<2,1,0)) \
| eval flag_msg=case(flag=2,"index Not Created: ".index,flag=1,"Missing Index Data: ".index,flag=0,"OK: ".index)\
| rename index as macro_index, cmb as sourcetypes \
| fillnull value=0 Total_Events,currentDBSizeMB \
| makemv delim="|" sourcetypes \
| eval Total_Sourcetypes=if(isnull(sourcetypes),0,mvcount(sourcetypes))\
| eval sourcetypes=if(isnull(sourcetypes),flag_msg,sourcetypes)\
| sort -flag macro_name \
| table macro_name,macro_definition,macro_index,flag,flag_msg,Total_Events,Total_Sourcetypes,currentDBSizeMB,sourcetypes
# App health: saved-search run-time profile over the last 24 hours from the
# _audit index (completed searches with a savedsearch_name). Per app and saved
# search: p95/max/avg total_run_time, execution count and the distinct search
# text, with the leading "'search " and trailing "'" stripped from search_text.
# Slowest (by avg_time) first.
[AD Objects - App Health - Slow SvdSrch Detail]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","user","user_obj_dn","LDAP_Display_Name"]
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = index=_audit action=search info=completed savedsearch_name!=""\
| stats p95(total_run_time) as p95_time, max(total_run_time) AS max_time, avg(total_run_time) AS avg_time,count AS executions,values(search) AS search_text by app,savedsearch_name\
| eval avg_time=round(avg_time,2)\
| rex mode=sed field=search_text "s/(\'search\s+|\'$)//g"\
| sort -avg_time
# App health: compact version of the Slow SvdSrch Detail report — same _audit
# source and per app/saved-search run-time statistics, but with average
# result_count and scan_count instead of the search text. Slowest first.
[AD Objects - App Health - Slow SvdSrch]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","user","user_obj_dn","LDAP_Display_Name"]
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = index=_audit action=search info=completed savedsearch_name!=""\
| stats p95(total_run_time) as p95_time, max(total_run_time) AS max_time, avg(total_run_time) AS avg_time,count AS executions,avg(result_count) AS avg_result_count,avg(scan_count) AS avg_scan_count by app,savedsearch_name\
| eval avg_time=round(avg_time,2),avg_result_count=round(avg_result_count,2),avg_scan_count=round(avg_scan_count,2)\
| sort -avg_time
# App health: p95 saved-search run time per hour of day, one series per
# saved search, as a stacked chart. time_val is "(HH) hh am/pm"; the 24-hour
# "(HH)" prefix exists only so the final sort orders the 12-hour labels
# chronologically.
[AD Objects - App Health - Slow SvdSrch Time]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","user","user_obj_dn","LDAP_Display_Name"]
display.general.type = visualizations
display.page.search.mode = verbose
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.chart.stackMode = stacked
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = index=_audit action=search info=completed savedsearch_name!=""\
| eval time_val=strftime(_time,"%I %P"),time_srt=strftime(_time,"%H")\
| eval time_val="(".time_srt.") ".time_val\
| chart p95(total_run_time) AS p95_time over time_val by savedsearch_name\
| sort time_val
## Windows Registry Searches ##
# Registry activity (last 60 minutes) grouped by key path. Baseline snapshot
# events (registry_type=baseline) are excluded so only changes are counted.
# key_path is split on "\" into key_path_level; base_path is the first two or
# three path components, used to group related keys. Per key path the top 10
# objects are listed as "(count) Object: <object> - Actions:<types>".
[AD Objects - Windows Registry - By Key Path Level]
action.email.useNSSubject = 1
dispatch.earliest_time = -60m@m
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","primaryGroupToken"]
display.general.type = visualizations
display.page.search.mode = verbose
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.axisY2.enabled = 1
display.visualizations.charting.chart.stackMode = stacked
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = source="WinRegistry" registry_type!=baseline\
| fields object,key_path,registry_type\
| eval key_path_level=key_path\
| makemv delim="\\" key_path_level\
| eval base_path=if(isnull(mvindex(key_path_level,2)),mvindex(key_path_level,0)."\\".mvindex(key_path_level,1),mvindex(key_path_level,0)."\\".mvindex(key_path_level,1)."\\".mvindex(key_path_level,2))\
| stats count,values(registry_type) AS registry_types,values(base_path) AS base_paths by key_path_level,object\
| sort 0 -count\
| eval details="(".tostring(count,"commas").") Object: ".object." - Actions:".mvjoin(registry_types,", ")\
| stats list(details) AS Top_10_Object_Details, sum(count) AS Total_Count,values(base_paths) AS base_paths by key_path_level\
| sort -Total_Count\
| eval Top_10_Object_Details=mvindex(Top_10_Object_Details,0,9)
# Registry changes (last 60 minutes, baseline excluded) by registry_type and
# object: each distinct key_path/object/data combination is listed as
# "(count) key_path - object - data", with the hosts that produced it prefixed
# by their per-combination counts. Empty data values are shown as "Empty".
[AD Objects - Windows Registry - Objects Values Hosts]
action.email.useNSSubject = 1
dispatch.earliest_time = -60m@m
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","primaryGroupToken"]
display.general.type = visualizations
display.page.search.mode = verbose
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.axisY2.enabled = 1
display.visualizations.charting.chart.stackMode = stacked
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = source="WinRegistry" registry_type!=baseline\
| fields host,key_path, object, data, registry_type, _time\
| fillnull value="Empty" data \
| eventstats count as host_count by host,key_path, object, data, registry_type\
| eval host_info=host_count." - ".host\
| stats count,values(host_info) AS host_info by key_path, object, data, registry_type\
| sort -count\
| eval comb="(".tostring(count,"commas").") ".key_path." - ".object." - ".data \
| stats values(host_info) AS host_info,list(comb) AS Registry_Values, sum(count) As Total_Count by registry_type,object\
| eval host_info=mvsort(host_info)\
| sort -Total_Count
# Registry changes (last 60 minutes, baseline excluded): per registry_type,
# the ten most frequently changed objects as "(count) object" plus the total
# change count for that type.
[AD Objects - Windows Registry - Top 10 Objects by Type]
action.email.useNSSubject = 1
dispatch.earliest_time = -60m@m
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","primaryGroupToken"]
display.general.type = visualizations
display.page.search.mode = verbose
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.axisY2.enabled = 1
display.visualizations.charting.chart.stackMode = stacked
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = source="WinRegistry" registry_type!=baseline\
| fields object, registry_type\
| stats count by registry_type,object\
| sort -count\
| eval object_info="(".tostring(count,"commas").") ".object\
| stats list(object_info) AS Top_10_Objects,sum(count) AS Total_Count by registry_type\
| eval Top_10_Objects=mvindex(Top_10_Objects,0,9)\
| sort -Total_Count
# Registry changes (last 60 minutes, baseline excluded): per object, the
# registry_type values seen as "(count) type" and the total change count.
# Inverse of the Top 10 Objects by Type stanza; this one is not truncated.
[AD Objects - Windows Registry - Count by Object]
action.email.useNSSubject = 1
dispatch.earliest_time = -60m@m
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","primaryGroupToken"]
display.general.type = visualizations
display.page.search.mode = verbose
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.axisY2.enabled = 1
display.visualizations.charting.chart.stackMode = stacked
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
search = source="WinRegistry" registry_type!=baseline\
| fields object, registry_type\
| stats count by registry_type,object\
| sort -count\
| eval type_info="(".tostring(count,"commas").") ".registry_type\
| stats list(type_info) AS Registry_Types,sum(count) AS Total_Count by object\
| sort -Total_Count
# Registry monitoring: for every full key_path list the registry_type values seen,
# each labelled with its event count, plus the key path's total event count.
# Same shape as "Count by Object" but keyed on key_path instead of object.
[AD Objects - Windows Registry - Type by Key Path]
action.email.useNSSubject = 1
dispatch.earliest_time = -60m@m
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","primaryGroupToken"]
display.general.type = visualizations
display.page.search.mode = verbose
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.axisY2.enabled = 1
display.visualizations.charting.chart.stackMode = stacked
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
# count per (registry_type, key_path) -> "(count) registry_type" labels collected per
# key_path; the sort before the second stats fixes the order list() preserves.
# NOTE: registry_type!=baseline drops events that have no registry_type field at all.
search = source="WinRegistry" registry_type!=baseline\
| fields key_path, registry_type\
| stats count by registry_type,key_path\
| sort -count\
| eval type_info="(".tostring(count,"commas").") ".registry_type\
| stats list(type_info) AS Registry_Types,sum(count) AS Total_Count by key_path\
| sort -Total_Count
# Registry monitoring: roll WinRegistry events up to the root hive (first segment of
# key_path) and report, per sourcetype and root hive, the registry_type labels with
# their counts, the sum of distinct objects and the total event count.
[AD Objects - Windows Registry - Type by root_hive]
action.email.useNSSubject = 1
dispatch.earliest_time = -60m@m
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","primaryGroupToken"]
display.general.type = visualizations
display.page.search.mode = verbose
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.axisY2.enabled = 1
display.visualizations.charting.chart.stackMode = stacked
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
# root_hive = everything in key_path before the first backslash (the rex pattern is
# a negated backslash class once SPL string unescaping is applied - verify against
# the ingested key_path format if hives ever appear with a different separator).
# "sort 0" removes the default row limit so no (root_hive, registry_type) group is
# lost before the second stats. Object_Counts is a sum of per-type distinct counts,
# so an object seen under several registry_type values is counted once per type.
# NOTE: registry_type!=baseline drops events that have no registry_type field at all.
search = source="WinRegistry" registry_type!=baseline\
| fields object,key_path,registry_type,sourcetype\
| rex field=key_path "^(?<root_hive>[^\\\]+)"\
| stats dc(object) AS Object_Count,count by root_hive,registry_type,sourcetype\
| sort 0 -count\
| eval Registry_Types="(".tostring(count,"commas").") ".registry_type\
| stats list(Registry_Types) AS Registry_Types, sum(Object_Count) AS Object_Counts, sum(count) AS Total_Count by sourcetype,root_hive\
| sort -Total_Count
# Registry monitoring: like "Type by root_hive" but keyed on the first two path
# segments (hive\first-subkey). Key paths that do not match the two-segment pattern
# fall back to the full key_path as their sub_root_hive.
[AD Objects - Windows Registry - Type by sub_root_hive]
description = Registry Type Counts by sub_root_hive
action.email.useNSSubject = 1
dispatch.earliest_time = -60m@m
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","primaryGroupToken"]
display.general.type = visualizations
display.page.search.mode = verbose
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.axisY2.enabled = 1
display.visualizations.charting.chart.stackMode = stacked
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
# The rex only allows [.A-Za-z0-9-_] in the two segments; segments containing spaces
# or other characters do not match and are reported under the raw key_path instead,
# which can inflate the number of rows for unusual keys.
# NOTE(review): the "NA" fallback for a null registry_type is most likely unreachable -
# registry_type!=baseline in the base search already drops events without the field.
# "sort 0" lifts the default row limit before the second stats.
search = source="WinRegistry" registry_type!=baseline\
| fields object,key_path,registry_type\
| rex field=key_path "^(?<sub_root_hive>[\.A-Za-z0-9\-\_]+\\\\[\.A-Za-z0-9\-\_]+)(\\\\|$)"\
| eval sub_root_hive=if(isnull(sub_root_hive),key_path,sub_root_hive)\
| eval registry_type=if(isnull(registry_type),"NA",registry_type)\
| stats dc(object) AS Object_Count,count by sub_root_hive,registry_type\
| sort 0 -count\
| eval Registry_Types="(".tostring(count,"commas").") ".registry_type\
| stats list(Registry_Types) AS Registry_Types, sum(Object_Count) AS Object_Counts, sum(count) AS Total_Count by sub_root_hive\
| sort -Total_Count
# Registry monitoring: break key_path into its first three levels (root_hive,
# sub_hive, sub_third_hive), rebuild the combined prefix as cmb_base_hive, and count
# events and distinct objects per prefix.
# NOTE(review): the stanza name ("Procces Threads") matches the Windows Performance
# stanza it was evidently copied from, not the registry analysis the search does;
# renaming it means updating every dashboard/report that references this name.
[AD Objects - Windows Registry - Procces Threads]
action.email.useNSSubject = 1
dispatch.earliest_time = -60m@m
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","primaryGroupToken"]
display.general.type = visualizations
display.page.search.mode = verbose
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.axisY2.enabled = 1
display.visualizations.charting.chart.stackMode = stacked
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
# Four independent rex extractions: root_hive (up to the first backslash), sub_hive
# (second segment), sub_third_hive (third segment) and other_ex_cmb_base_hive (a
# two-or-three segment prefix restricted to [.A-Za-z0-9-_ ]). cmb_base_hive joins
# whichever of the first three are present. Missing levels are filled with a single
# space so they still form a stats group key. Only the space-free character class of
# the sub_*_hive patterns limits what matches; paths with other characters yield
# null (then " ") for those levels.
# NOTE: registry_type!=baseline drops events that have no registry_type field at all.
search = source="WinRegistry" registry_type!=baseline\
| fields object,key_path,registry_type\
| rex field=key_path "^(?<root_hive>[^\\\$]+)"\
| rex field=key_path "^([\.A-Za-z0-9\-\_\s]+)\\\(?<sub_hive>[^\\\$]+)"\
| rex field=key_path "^([\.A-Za-z0-9\-\_\s]+)\\\([\.A-Za-z0-9\-\_\s]+)\\\(?<sub_third_hive>[^\\\$]+)"\
| rex field=key_path "^(?<other_ex_cmb_base_hive>[\.A-Za-z0-9\-\_\s]+\\\\[\.A-Za-z0-9\-\_]+($|\\\\[\.A-Za-z0-9\-\_\s]+))"\
| eval cmb_base_hive=if(isnull(sub_hive),root_hive,if(isnull(sub_third_hive),root_hive."\\".sub_hive,root_hive."\\".sub_hive."\\".sub_third_hive))\
| fillnull value=" " cmb_base_hive,root_hive,sub_hive,sub_third_hive,other_ex_cmb_base_hive\
| stats dc(object) AS Object_Count,count AS Total_Count by cmb_base_hive,root_hive,sub_hive,sub_third_hive,other_ex_cmb_base_hive\
| sort -Total_Count
# Registry monitoring: three-level drill-down of key_path. Counts per full prefix
# are rolled up first to (root_hive, sub_hive) with labelled third-level hives, then
# to root_hive with labelled sub hives, keeping total objects and total events.
[AD Objects - Windows Registry - Third Level Analysis]
action.email.useNSSubject = 1
dispatch.earliest_time = -60m@m
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","primaryGroupToken"]
display.general.type = visualizations
display.page.search.mode = verbose
display.page.search.tab = visualizations
display.statistics.show = 0
display.visualizations.charting.axisY2.enabled = 1
display.visualizations.charting.chart.stackMode = stacked
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
# The hive extraction and cmb_base_hive construction are the same as in the
# "Procces Threads" registry stanza above.
# NOTE(review): fillnull writes a single space (" ") into missing levels, but the
# later if(sub_third_hive=="",...) / if(sub_hive=="",...) tests compare against the
# empty string; unless stats trims the group value, missing levels will still get a
# "(Total: ...) " label instead of a blank - confirm on live data.
# NOTE(review): the by-clause "by root_hive,sub_hive," ends with a trailing comma
# before the continuation; confirm the stats parser accepts it, otherwise drop it.
# NOTE: registry_type!=baseline drops events that have no registry_type field at all.
search = source="WinRegistry" registry_type!=baseline\
| fields object,key_path,registry_type\
| rex field=key_path "^(?<root_hive>[^\\\$]+)"\
| rex field=key_path "^([\.A-Za-z0-9\-\_\s]+)\\\(?<sub_hive>[^\\\$]+)"\
| rex field=key_path "^([\.A-Za-z0-9\-\_\s]+)\\\([\.A-Za-z0-9\-\_\s]+)\\\(?<sub_third_hive>[^\\\$]+)"\
| rex field=key_path "^(?<other_ex_cmb_base_hive>[\.A-Za-z0-9\-\_\s]+\\\\[\.A-Za-z0-9\-\_]+($|\\\\[\.A-Za-z0-9\-\_\s]+))"\
| eval cmb_base_hive=if(isnull(sub_hive),root_hive,if(isnull(sub_third_hive),root_hive."\\".sub_hive,root_hive."\\".sub_hive."\\".sub_third_hive))\
| fillnull value=" " cmb_base_hive,root_hive,sub_hive,sub_third_hive,other_ex_cmb_base_hive\
| stats dc(object) AS Object_Count,count AS count by cmb_base_hive,root_hive,sub_hive,sub_third_hive\
| sort -count\
| eval third_level_hives=if(sub_third_hive=="","","(Total: ".tostring(count,"commas")." - Objects:".Object_Count.") ".sub_third_hive)\
| eval cmb_base_hives=if(sub_third_hive=="","","(Total: ".tostring(count,"commas")." - Objects:".Object_Count.") ".cmb_base_hive)\
| stats list(third_level_hives) AS third_level_hives,list(cmb_base_hives) AS cmb_base_hives,sum(Object_Count) AS Object_Count,sum(count) AS count by root_hive,sub_hive,\
| sort -count\
| eval sub_hives=if(sub_hive=="","","(Total: ".tostring(count,"commas")." - Objects:".Object_Count.") ".sub_hive)\
| stats list(sub_hives) AS sub_hives,values(third_level_hives) AS third_level_hives,values(cmb_base_hives) AS cmb_base_hives,sum(Object_Count) AS Total_Objects,sum(count) AS Total_Events by root_hive
###################################################################################
##### Searches to fix multi-value fields in the tSessions and tHostInfo lookups #####
##### - Caused by an incorrect regex for extracting src_nt_domain and           #####
#####   session_id in the Windows TA.                                           #####
##### - This app ships the corrected regex going forward, but these searches    #####
#####   can be used to repair lookup rows that were written with the            #####
#####   incorrect values before the fix.                                        #####
##### - Uncomment to enable.                                                    #####
###################################################################################
##[ms_ad_obj_fix_multivalue_fields_in_tSessions_lookup]
##alert.digest_mode = True
##alert.suppress = 0
##search = | inputlookup tSessions\
##| rex mode=sed field=session_id "s/\s/###/g"\
##| makemv delim="###" session_id\
##| eval session_id=if(mvcount(session_id)>1,mvindex(session_id,1),session_id)\
##| rex mode=sed field=login_domain "s/\s/###/g"\
##| makemv delim="###" login_domain\
##| eval login_domain=if(mvcount(login_domain)>1,mvindex(login_domain,1),login_domain)\
##| outputlookup tSessions
##[ms_ad_obj_fix_multivalue_fields_in_tHostInfo_lookup]
##alert.digest_mode = True
##alert.suppress = 0
##search = | inputlookup tHostInfo\
##| rex mode=sed field=src_hostdomain "s/\s/###/g"\
##| makemv delim="###" src_hostdomain\
##| eval src_hostdomain=if(mvcount(src_hostdomain)>1,mvindex(src_hostdomain,1),src_hostdomain)\
##| rex mode=sed field=src_nt_domain "s/\s/###/g"\
##| makemv delim="###" src_nt_domain\
##| eval src_nt_domain=if(mvcount(src_nt_domain)>1,mvindex(src_nt_domain,1),src_nt_domain)\
##| outputlookup tHostInfo
###################################################################################
##### Search to reset the Environment Scope - In the Getting Started Wizard #####
###################################################################################
# Maintenance search: resets the Environment Scope values recorded by the Getting
# Started Wizard. The whole search is the ms_obj_cfg_gs_reset macro, defined outside
# this file (macros.conf), so what it actually rewrites is not visible here - review
# the macro before running, since the description states it changes app configuration.
[ms_obj_reset_gs_cfg]
description = Search to reset the Environment Scope values set in the Getting Started Wizard
action.email.useNSSubject = 1
# not tracked as a triggered alert
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.show = 0
request.ui_dispatch_app = ms_windows_ad_objects
request.ui_dispatch_view = search
# generating search (leading pipe): no index data is read before the macro runs
search = | `ms_obj_cfg_gs_reset`