├── LICENSE ├── README.md └── content_pack.json /LICENSE: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | 3 | Copyright (c) 2015 Jared Orzechowski jaredo AT ameritech DOT net 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
22 | 23 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Active Directory Auditing Content Pack (Outdated - Please Fork+Update) 2 | 3 | Tested with nxLog/Windows 2008R2 Domain Controllers/Graylog 1.2 4 | 5 | This content pack provides several useful dashboards for auditing Active Directory events: 6 | * DNS Object Summary - DNS Creations, Deletions 7 | * Group Object Summary - Group Creations, Modifications, Deletions, Membership Changes 8 | * User Object Summary - Account Creations, Deletions, Modifications, Lockouts, Unlocks 9 | * Computer Object Summary - (in progress) 10 | * Logon Summary - Failed Authentication Attempts, Interactive Logins 11 | 12 | ## Includes 13 | 14 | * Input (GELF udp 5414, global, bind_address 0.0.0.0 — all interfaces) 15 | * Failed Logon Stream (unconfigured) 16 | * Dashboards 17 | 18 | ## Requirements 19 | 20 | * NXLog collecting Windows logs; other log collectors will work but may require modifying the searches to match the different fields output by other collectors 21 | * Domain Controller security policy with the following enabled: 22 | ** Audit Account Logon Events 23 | ** Audit Account Management 24 | ** Audit Logon Events 25 | ** Audit Object Access 26 | ** Audit Policy Change 27 | ** Audit System Events 28 | * Leading Wildcard Searches enabled in graylog.conf: allow_leading_wildcard_searches = true 29 | 30 | ## NXLog Example 31 | ``` 32 | define ROOT C:\Program Files (x86)\nxlog 33 | 34 | Moduledir %ROOT%\modules 35 | CacheDir %ROOT%\data 36 | Pidfile %ROOT%\data\nxlog.pid 37 | SpoolDir %ROOT%\data 38 | LogFile %ROOT%\data\nxlog.log 39 | 40 | 41 | Module xm_gelf 42 | 43 | 44 | # For windows vista/2008 and above use: 45 | Module im_msvistalog 46 | 47 | # For windows 2003 and earlier use the following: 48 | # Module im_mseventlog 49 | 50 | 51 | 52 | Module om_udp 53 | Host graylog.server.com 54 | Port 5414 55 | OutputType GELF 56 | 57 | 58 | 
59 | Path in => out 60 | 61 | ``` 62 | 63 | ## Screenshots 64 | 65 | ![Dashboard](http://www.ohjeah.net/wp-content/uploads/2015/09/ad_audit.png) 66 | -------------------------------------------------------------------------------- /content_pack.json: -------------------------------------------------------------------------------- 1 | { 2 | "id" : null, 3 | "name" : "Active Directory Auditing", 4 | "description" : "Active Directory Auditing Content Pack", 5 | "category" : "Active Directory, Windows, Operating Systems, Security", 6 | "inputs" : [ { 7 | "title" : "WinLogs-gelf", 8 | "configuration" : { 9 | "port" : 5414, 10 | "override_source" : "", 11 | "bind_address" : "0.0.0.0", 12 | "recv_buffer_size" : 1048576 13 | }, 14 | "type" : "org.graylog2.inputs.gelf.udp.GELFUDPInput", 15 | "global" : true, 16 | "extractors" : [ ], 17 | "static_fields" : { } 18 | } ], 19 | "streams" : [ { 20 | "id" : "54b59893e4b0de02bdd8439c", 21 | "title" : "AD Failed Logons", 22 | "description" : "AD Failed Logons", 23 | "disabled" : false, 24 | "outputs" : [ ], 25 | "stream_rules" : [ { 26 | "type" : "EXACT", 27 | "field" : "EventID", 28 | "value" : "4625", 29 | "inverted" : false 30 | } ] 31 | } ], 32 | "outputs" : [ ], 33 | "dashboards" : [ { 34 | "title" : "AD Summary (7d)", 35 | "description" : "AD Summary (7d)", 36 | "dashboard_widgets" : [ { 37 | "description" : "Account Lockouts ", 38 | "type" : "SEARCH_RESULT_COUNT", 39 | "configuration" : { 40 | "timerange" : { 41 | "type" : "relative", 42 | "range" : 604800 43 | }, 44 | "lower_is_better" : false, 45 | "trend" : true, 46 | "query" : "EventID:4740" 47 | }, 48 | "col" : 2, 49 | "row" : 1, 50 | "cache_time" : 300 51 | }, { 52 | "description" : "Account Creations", 53 | "type" : "SEARCH_RESULT_COUNT", 54 | "configuration" : { 55 | "timerange" : { 56 | "type" : "relative", 57 | "range" : 604800 58 | }, 59 | "lower_is_better" : false, 60 | "trend" : true, 61 | "query" : "EventID:631 OR EventID:635 OR EventID:658 OR EventID:4727 OR 
EventID:4731 OR EventID:4754" 62 | }, 63 | "col" : 1, 64 | "row" : 1, 65 | "cache_time" : 300 66 | }, { 67 | "description" : "Groups Created", 68 | "type" : "SEARCH_RESULT_COUNT", 69 | "configuration" : { 70 | "timerange" : { 71 | "type" : "relative", 72 | "range" : 604800 73 | }, 74 | "lower_is_better" : false, 75 | "trend" : true, 76 | "query" : "EventID:631 OR EventID:635 OR EventID:658 OR EventID:4727 OR EventID:4731 OR EventID:4754" 77 | }, 78 | "col" : 3, 79 | "row" : 1, 80 | "cache_time" : 300 81 | }, { 82 | "description" : "Account Deletions", 83 | "type" : "SEARCH_RESULT_COUNT", 84 | "configuration" : { 85 | "timerange" : { 86 | "type" : "relative", 87 | "range" : 604800 88 | }, 89 | "lower_is_better" : false, 90 | "trend" : true, 91 | "query" : "EventID:630 OR EventID:4726" 92 | }, 93 | "col" : 1, 94 | "row" : 2, 95 | "cache_time" : 300 96 | }, { 97 | "description" : "Account Unlocks", 98 | "type" : "SEARCH_RESULT_COUNT", 99 | "configuration" : { 100 | "timerange" : { 101 | "type" : "relative", 102 | "range" : 604800 103 | }, 104 | "lower_is_better" : false, 105 | "trend" : true, 106 | "query" : "EventID:4767" 107 | }, 108 | "col" : 2, 109 | "row" : 2, 110 | "cache_time" : 300 111 | }, { 112 | "description" : "Group Membership Changes", 113 | "type" : "SEARCH_RESULT_COUNT", 114 | "configuration" : { 115 | "timerange" : { 116 | "type" : "relative", 117 | "range" : 604800 118 | }, 119 | "lower_is_better" : false, 120 | "trend" : true, 121 | "query" : "EventID:4728 OR EventID:4729 OR EventID:4732 OR EventID:4733 OR EventID:4756 OR EventID:4757" 122 | }, 123 | "col" : 3, 124 | "row" : 2, 125 | "cache_time" : 300 126 | }, { 127 | "description" : "Group Modifications", 128 | "type" : "SEARCH_RESULT_COUNT", 129 | "configuration" : { 130 | "timerange" : { 131 | "type" : "relative", 132 | "range" : 604800 133 | }, 134 | "lower_is_better" : false, 135 | "trend" : true, 136 | "query" : "((EventID:4764 OR EventID:4735 OR EventID:4737 OR EventID:4755) AND NOT 
SamAccountName:\\-)" 137 | }, 138 | "col" : 4, 139 | "row" : 2, 140 | "cache_time" : 300 141 | }, { 142 | "description" : "Groups Deleted", 143 | "type" : "SEARCH_RESULT_COUNT", 144 | "configuration" : { 145 | "timerange" : { 146 | "type" : "relative", 147 | "range" : 604800 148 | }, 149 | "lower_is_better" : false, 150 | "trend" : true, 151 | "query" : "EventID:634 OR EventID:638 OR EventID:662 OR EventID:4730 OR EventID:4734 OR EventID:4758" 152 | }, 153 | "col" : 4, 154 | "row" : 1, 155 | "cache_time" : 300 156 | } ] 157 | }, { 158 | "title" : "AD DNS Object Summary (7d)", 159 | "description" : "AD DNS Object Summary (7d)", 160 | "dashboard_widgets" : [ { 161 | "description" : "Created DNS Objects By User", 162 | "type" : "SEARCH_RESULT_CHART", 163 | "configuration" : { 164 | "timerange" : { 165 | "type" : "relative", 166 | "range" : 604800 167 | }, 168 | "interval" : "hour", 169 | "query" : "EventID:5137 AND ObjectClass:dnsNode AND created AND NOT (SubjectUserName:*$ OR SubjectUserName:SYSTEM OR SubjectUserName:\\-)" 170 | }, 171 | "col" : 1, 172 | "row" : 1, 173 | "cache_time" : 300 174 | }, { 175 | "description" : "Created DNS Objects By User", 176 | "type" : "SEARCH_RESULT_COUNT", 177 | "configuration" : { 178 | "timerange" : { 179 | "type" : "relative", 180 | "range" : 604800 181 | }, 182 | "lower_is_better" : false, 183 | "trend" : false, 184 | "query" : "EventID:5137 AND ObjectClass:dnsNode AND created AND NOT (SubjectUserName:*$ OR SubjectUserName:SYSTEM OR SubjectUserName:\\-)" 185 | }, 186 | "col" : 3, 187 | "row" : 1, 188 | "cache_time" : 300 189 | }, { 190 | "description" : "Created DNS Objects By User", 191 | "type" : "QUICKVALUES", 192 | "configuration" : { 193 | "timerange" : { 194 | "type" : "relative", 195 | "range" : 604800 196 | }, 197 | "field" : "SubjectUserName", 198 | "show_pie_chart" : false, 199 | "query" : "EventID:5137 AND ObjectClass:dnsNode AND created AND NOT (SubjectUserName:*$ OR SubjectUserName:SYSTEM OR SubjectUserName:\\-)", 
200 | "show_data_table" : true 201 | }, 202 | "col" : 1, 203 | "row" : 2, 204 | "cache_time" : 300 205 | }, { 206 | "description" : "Created DNS Objects By Source", 207 | "type" : "QUICKVALUES", 208 | "configuration" : { 209 | "timerange" : { 210 | "type" : "relative", 211 | "range" : 604800 212 | }, 213 | "field" : "source", 214 | "show_pie_chart" : false, 215 | "query" : "EventID:5137 AND ObjectClass:dnsNode AND created AND NOT (SubjectUserName:*$ OR SubjectUserName:SYSTEM OR SubjectUserName:\\-)", 216 | "show_data_table" : true 217 | }, 218 | "col" : 2, 219 | "row" : 2, 220 | "cache_time" : 300 221 | }, { 222 | "description" : "Created DNS Objects", 223 | "type" : "QUICKVALUES", 224 | "configuration" : { 225 | "timerange" : { 226 | "type" : "relative", 227 | "range" : 604800 228 | }, 229 | "field" : "ObjectDN", 230 | "show_pie_chart" : false, 231 | "query" : "EventID:5137 AND ObjectClass:dnsNode AND created AND NOT (SubjectUserName:*$ OR SubjectUserName:SYSTEM OR SubjectUserName:\\-)", 232 | "show_data_table" : true 233 | }, 234 | "col" : 3, 235 | "row" : 2, 236 | "cache_time" : 300 237 | }, { 238 | "description" : "Deleted DNS Objects By User", 239 | "type" : "SEARCH_RESULT_CHART", 240 | "configuration" : { 241 | "timerange" : { 242 | "type" : "relative", 243 | "range" : 604800 244 | }, 245 | "interval" : "hour", 246 | "query" : "((EventID:5136 AND AttributeLDAPDisplayName:dNSTombstoned) OR (EventID:5141)) AND ObjectClass:dnsNode AND deleted AND NOT (SubjectUserName:*$ OR SubjectUserName:SYSTEM)" 247 | }, 248 | "col" : 1, 249 | "row" : 4, 250 | "cache_time" : 300 251 | }, { 252 | "description" : "Deleted DNS Objects By User", 253 | "type" : "SEARCH_RESULT_COUNT", 254 | "configuration" : { 255 | "timerange" : { 256 | "type" : "relative", 257 | "range" : 604800 258 | }, 259 | "lower_is_better" : false, 260 | "trend" : false, 261 | "query" : "((EventID:5136 AND AttributeLDAPDisplayName:dNSTombstoned) OR (EventID:5141)) AND ObjectClass:dnsNode AND deleted AND NOT 
(SubjectUserName:*$ OR SubjectUserName:SYSTEM)" 262 | }, 263 | "col" : 3, 264 | "row" : 4, 265 | "cache_time" : 300 266 | }, { 267 | "description" : "Deleted DNS Objects By User", 268 | "type" : "QUICKVALUES", 269 | "configuration" : { 270 | "timerange" : { 271 | "type" : "relative", 272 | "range" : 604800 273 | }, 274 | "field" : "SubjectUserName", 275 | "show_pie_chart" : false, 276 | "query" : "((EventID:5136 AND AttributeLDAPDisplayName:dNSTombstoned) OR (EventID:5141)) AND ObjectClass:dnsNode AND deleted AND NOT (SubjectUserName:*$ OR SubjectUserName:SYSTEM)", 277 | "show_data_table" : true 278 | }, 279 | "col" : 1, 280 | "row" : 5, 281 | "cache_time" : 300 282 | }, { 283 | "description" : "Deleted DNS Objects By Source", 284 | "type" : "QUICKVALUES", 285 | "configuration" : { 286 | "timerange" : { 287 | "type" : "relative", 288 | "range" : 604800 289 | }, 290 | "field" : "source", 291 | "show_pie_chart" : false, 292 | "query" : "((EventID:5136 AND AttributeLDAPDisplayName:dNSTombstoned) OR (EventID:5141)) AND ObjectClass:dnsNode AND deleted AND NOT (SubjectUserName:*$ OR SubjectUserName:SYSTEM)", 293 | "show_data_table" : true 294 | }, 295 | "col" : 2, 296 | "row" : 5, 297 | "cache_time" : 300 298 | }, { 299 | "description" : "Deleted DNS Objects", 300 | "type" : "QUICKVALUES", 301 | "configuration" : { 302 | "timerange" : { 303 | "type" : "relative", 304 | "range" : 604800 305 | }, 306 | "field" : "ObjectDN", 307 | "show_pie_chart" : false, 308 | "query" : "((EventID:5136 AND AttributeLDAPDisplayName:dNSTombstoned) OR (EventID:5141)) AND ObjectClass:dnsNode AND deleted AND NOT (SubjectUserName:*$ OR SubjectUserName:SYSTEM)", 309 | "show_data_table" : true 310 | }, 311 | "col" : 3, 312 | "row" : 5, 313 | "cache_time" : 300 314 | } ] 315 | }, { 316 | "title" : "AD User Object Summary (7d)", 317 | "description" : "AD User Object Creations/Deletions", 318 | "dashboard_widgets" : [ { 319 | "description" : "Account Unlocks By User", 320 | "type" : "QUICKVALUES", 
321 | "configuration" : { 322 | "field" : "SubjectUserName", 323 | "query" : "EventID:4767", 324 | "timerange" : { 325 | "range" : 604800, 326 | "type" : "relative" 327 | } 328 | }, 329 | "col" : 1, 330 | "row" : 11, 331 | "cache_time" : 10 332 | }, { 333 | "description" : "Accounts Unlocked", 334 | "type" : "QUICKVALUES", 335 | "configuration" : { 336 | "field" : "TargetUserName", 337 | "query" : "EventID:4767", 338 | "timerange" : { 339 | "range" : 604800, 340 | "type" : "relative" 341 | } 342 | }, 343 | "col" : 3, 344 | "row" : 11, 345 | "cache_time" : 300 346 | }, { 347 | "description" : "Unlocks By Source", 348 | "type" : "QUICKVALUES", 349 | "configuration" : { 350 | "field" : "source", 351 | "query" : "EventID:4767", 352 | "timerange" : { 353 | "range" : 604800, 354 | "type" : "relative" 355 | } 356 | }, 357 | "col" : 2, 358 | "row" : 11, 359 | "cache_time" : 10 360 | }, { 361 | "description" : "Account Lockouts By Source", 362 | "type" : "QUICKVALUES", 363 | "configuration" : { 364 | "field" : "source", 365 | "query" : "EventID:4740", 366 | "timerange" : { 367 | "range" : 604800, 368 | "type" : "relative" 369 | } 370 | }, 371 | "col" : 2, 372 | "row" : 8, 373 | "cache_time" : 10 374 | }, { 375 | "description" : "Account Lockouts By Machine", 376 | "type" : "QUICKVALUES", 377 | "configuration" : { 378 | "field" : "TargetDomainName", 379 | "query" : "EventID:4740", 380 | "timerange" : { 381 | "range" : 604800, 382 | "type" : "relative" 383 | } 384 | }, 385 | "col" : 1, 386 | "row" : 8, 387 | "cache_time" : 10 388 | }, { 389 | "description" : "Account Unlocks", 390 | "type" : "SEARCH_RESULT_COUNT", 391 | "configuration" : { 392 | "timerange" : { 393 | "type" : "relative", 394 | "range" : 604800 395 | }, 396 | "lower_is_better" : false, 397 | "trend" : false, 398 | "query" : "EventID:4767" 399 | }, 400 | "col" : 3, 401 | "row" : 10, 402 | "cache_time" : 10 403 | }, { 404 | "description" : "Account Unlocks", 405 | "type" : "SEARCH_RESULT_CHART", 406 | 
"configuration" : { 407 | "timerange" : { 408 | "type" : "relative", 409 | "range" : 604800 410 | }, 411 | "interval" : "hour", 412 | "query" : "EventID:4767" 413 | }, 414 | "col" : 1, 415 | "row" : 10, 416 | "cache_time" : 10 417 | }, { 418 | "description" : "Account Lockouts", 419 | "type" : "SEARCH_RESULT_CHART", 420 | "configuration" : { 421 | "timerange" : { 422 | "type" : "relative", 423 | "range" : 604800 424 | }, 425 | "interval" : "hour", 426 | "query" : "EventID:4740" 427 | }, 428 | "col" : 1, 429 | "row" : 7, 430 | "cache_time" : 10 431 | }, { 432 | "description" : "Account Lockouts", 433 | "type" : "SEARCH_RESULT_COUNT", 434 | "configuration" : { 435 | "timerange" : { 436 | "type" : "relative", 437 | "range" : 604800 438 | }, 439 | "lower_is_better" : false, 440 | "trend" : false, 441 | "query" : "EventID:4740" 442 | }, 443 | "col" : 3, 444 | "row" : 7, 445 | "cache_time" : 10 446 | }, { 447 | "description" : "Accounts Lockedout", 448 | "type" : "QUICKVALUES", 449 | "configuration" : { 450 | "timerange" : { 451 | "type" : "relative", 452 | "range" : 604800 453 | }, 454 | "field" : "TargetUserName", 455 | "show_pie_chart" : false, 456 | "query" : "EventID:4740", 457 | "show_data_table" : true 458 | }, 459 | "col" : 3, 460 | "row" : 8, 461 | "cache_time" : 10 462 | }, { 463 | "description" : "Accounts Deleted By Source", 464 | "type" : "QUICKVALUES", 465 | "configuration" : { 466 | "timerange" : { 467 | "type" : "relative", 468 | "range" : 604800 469 | }, 470 | "field" : "source", 471 | "show_pie_chart" : false, 472 | "query" : "EventID:630 OR EventID:4726", 473 | "show_data_table" : true 474 | }, 475 | "col" : 2, 476 | "row" : 5, 477 | "cache_time" : 300 478 | }, { 479 | "description" : "Deleted Accounts", 480 | "type" : "QUICKVALUES", 481 | "configuration" : { 482 | "timerange" : { 483 | "type" : "relative", 484 | "range" : 604800 485 | }, 486 | "field" : "TargetUserName", 487 | "show_pie_chart" : false, 488 | "query" : "EventID:630 OR EventID:4726", 
489 | "show_data_table" : true 490 | }, 491 | "col" : 3, 492 | "row" : 5, 493 | "cache_time" : 300 494 | }, { 495 | "description" : "Accounts Deleted By User", 496 | "type" : "QUICKVALUES", 497 | "configuration" : { 498 | "timerange" : { 499 | "type" : "relative", 500 | "range" : 604800 501 | }, 502 | "field" : "SubjectUserName", 503 | "show_pie_chart" : false, 504 | "query" : "EventID:630 OR EventID:4726", 505 | "show_data_table" : true 506 | }, 507 | "col" : 1, 508 | "row" : 5, 509 | "cache_time" : 300 510 | }, { 511 | "description" : "Account Deletions", 512 | "type" : "SEARCH_RESULT_COUNT", 513 | "configuration" : { 514 | "timerange" : { 515 | "type" : "relative", 516 | "range" : 604800 517 | }, 518 | "lower_is_better" : false, 519 | "trend" : false, 520 | "query" : "EventID:630 OR EventID:4726" 521 | }, 522 | "col" : 3, 523 | "row" : 4, 524 | "cache_time" : 300 525 | }, { 526 | "description" : "Account Deletions", 527 | "type" : "SEARCH_RESULT_CHART", 528 | "configuration" : { 529 | "timerange" : { 530 | "type" : "relative", 531 | "range" : 604800 532 | }, 533 | "interval" : "hour", 534 | "query" : "EventID:630 OR EventID:4726" 535 | }, 536 | "col" : 1, 537 | "row" : 4, 538 | "cache_time" : 300 539 | }, { 540 | "description" : "Created Accounts", 541 | "type" : "QUICKVALUES", 542 | "configuration" : { 543 | "timerange" : { 544 | "type" : "relative", 545 | "range" : 604800 546 | }, 547 | "field" : "SamAccountName", 548 | "show_pie_chart" : false, 549 | "query" : "EventID:624 OR EventID:4720", 550 | "show_data_table" : true 551 | }, 552 | "col" : 3, 553 | "row" : 2, 554 | "cache_time" : 300 555 | }, { 556 | "description" : "Accounts Created By Source", 557 | "type" : "QUICKVALUES", 558 | "configuration" : { 559 | "timerange" : { 560 | "type" : "relative", 561 | "range" : 604800 562 | }, 563 | "field" : "source", 564 | "show_pie_chart" : false, 565 | "query" : "EventID:624 OR EventID:4720", 566 | "show_data_table" : true 567 | }, 568 | "col" : 2, 569 | "row" : 2, 
570 | "cache_time" : 300 571 | }, { 572 | "description" : "Accounts Created By User", 573 | "type" : "QUICKVALUES", 574 | "configuration" : { 575 | "timerange" : { 576 | "type" : "relative", 577 | "range" : 604800 578 | }, 579 | "field" : "SubjectUserName", 580 | "show_pie_chart" : false, 581 | "query" : "EventID:624 OR EventID:4720", 582 | "show_data_table" : true 583 | }, 584 | "col" : 1, 585 | "row" : 2, 586 | "cache_time" : 300 587 | }, { 588 | "description" : "Account Creations", 589 | "type" : "SEARCH_RESULT_COUNT", 590 | "configuration" : { 591 | "timerange" : { 592 | "type" : "relative", 593 | "range" : 604800 594 | }, 595 | "lower_is_better" : false, 596 | "trend" : false, 597 | "query" : "EventID:624 OR EventID:4720" 598 | }, 599 | "col" : 3, 600 | "row" : 1, 601 | "cache_time" : 300 602 | }, { 603 | "description" : "Account Creations", 604 | "type" : "SEARCH_RESULT_CHART", 605 | "configuration" : { 606 | "timerange" : { 607 | "type" : "relative", 608 | "range" : 604800 609 | }, 610 | "interval" : "hour", 611 | "query" : "EventID:624 OR EventID:4720" 612 | }, 613 | "col" : 1, 614 | "row" : 1, 615 | "cache_time" : 300 616 | } ] 617 | }, { 618 | "title" : "AD Logon Summary (2h)", 619 | "description" : "AD Logon Summary (2h)", 620 | "dashboard_widgets" : [ { 621 | "description" : "Failed Authentication Attempts", 622 | "type" : "SEARCH_RESULT_COUNT", 623 | "configuration" : { 624 | "timerange" : { 625 | "type" : "relative", 626 | "range" : 7200 627 | }, 628 | "lower_is_better" : false, 629 | "trend" : false, 630 | "query" : "EventID:4625" 631 | }, 632 | "col" : 3, 633 | "row" : 1, 634 | "cache_time" : 60 635 | }, { 636 | "description" : "Interactive Logins By User", 637 | "type" : "QUICKVALUES", 638 | "configuration" : { 639 | "timerange" : { 640 | "type" : "relative", 641 | "range" : 7200 642 | }, 643 | "field" : "TargetUserName", 644 | "show_pie_chart" : false, 645 | "query" : "(EventID:4624 AND (LogonType:2 OR LogonType:10 OR LogonType:11))", 646 | 
"show_data_table" : true 647 | }, 648 | "col" : 1, 649 | "row" : 5, 650 | "cache_time" : 60 651 | }, { 652 | "description" : "Interactive Logins By IP", 653 | "type" : "QUICKVALUES", 654 | "configuration" : { 655 | "timerange" : { 656 | "type" : "relative", 657 | "range" : 7200 658 | }, 659 | "field" : "IpAddress", 660 | "show_pie_chart" : false, 661 | "query" : "(EventID:4624 AND (LogonType:2 OR LogonType:10 OR LogonType:11))", 662 | "show_data_table" : true 663 | }, 664 | "col" : 2, 665 | "row" : 5, 666 | "cache_time" : 60 667 | }, { 668 | "description" : "Interactive Logins By Destination", 669 | "type" : "QUICKVALUES", 670 | "configuration" : { 671 | "timerange" : { 672 | "type" : "relative", 673 | "range" : 7200 674 | }, 675 | "field" : "WorkstationName", 676 | "show_pie_chart" : false, 677 | "query" : "(EventID:4624 AND (LogonType:2 OR LogonType:10 OR LogonType:11))", 678 | "show_data_table" : true 679 | }, 680 | "col" : 3, 681 | "row" : 5, 682 | "cache_time" : 60 683 | }, { 684 | "description" : "Failed Authentication Attempts By User", 685 | "type" : "QUICKVALUES", 686 | "configuration" : { 687 | "timerange" : { 688 | "type" : "relative", 689 | "range" : 7200 690 | }, 691 | "field" : "TargetUserName", 692 | "show_pie_chart" : false, 693 | "query" : "EventID:4625", 694 | "show_data_table" : true 695 | }, 696 | "col" : 1, 697 | "row" : 2, 698 | "cache_time" : 60 699 | }, { 700 | "description" : "Failed Authentication Attempts By User IP", 701 | "type" : "QUICKVALUES", 702 | "configuration" : { 703 | "timerange" : { 704 | "type" : "relative", 705 | "range" : 7200 706 | }, 707 | "field" : "IpAddress", 708 | "show_pie_chart" : false, 709 | "query" : "EventID:4625", 710 | "show_data_table" : true 711 | }, 712 | "col" : 2, 713 | "row" : 2, 714 | "cache_time" : 60 715 | }, { 716 | "description" : "Failed Authentication Attempts By Source", 717 | "type" : "QUICKVALUES", 718 | "configuration" : { 719 | "timerange" : { 720 | "type" : "relative", 721 | "range" : 7200 
722 | }, 723 | "field" : "source", 724 | "show_pie_chart" : false, 725 | "query" : "EventID:4625", 726 | "show_data_table" : true 727 | }, 728 | "col" : 3, 729 | "row" : 2, 730 | "cache_time" : 60 731 | }, { 732 | "description" : "Failed Authentication Attempts", 733 | "type" : "SEARCH_RESULT_CHART", 734 | "configuration" : { 735 | "timerange" : { 736 | "type" : "relative", 737 | "range" : 7200 738 | }, 739 | "interval" : "minute", 740 | "query" : "EventID:4625" 741 | }, 742 | "col" : 1, 743 | "row" : 1, 744 | "cache_time" : 60 745 | }, { 746 | "description" : "Interactive Logons", 747 | "type" : "SEARCH_RESULT_CHART", 748 | "configuration" : { 749 | "timerange" : { 750 | "type" : "relative", 751 | "range" : 7200 752 | }, 753 | "interval" : "minute", 754 | "query" : "(EventID:4624 AND (LogonType:2 OR LogonType:10 OR LogonType:11))" 755 | }, 756 | "col" : 1, 757 | "row" : 4, 758 | "cache_time" : 60 759 | }, { 760 | "description" : "Interactive Logins", 761 | "type" : "SEARCH_RESULT_COUNT", 762 | "configuration" : { 763 | "timerange" : { 764 | "type" : "relative", 765 | "range" : 7200 766 | }, 767 | "lower_is_better" : false, 768 | "trend" : false, 769 | "query" : "(EventID:4624 AND (LogonType:2 OR LogonType:10 OR LogonType:11))" 770 | }, 771 | "col" : 3, 772 | "row" : 4, 773 | "cache_time" : 60 774 | } ] 775 | }, { 776 | "title" : "AD Group Object Summary (7d)", 777 | "description" : "AD Group Object Summary(7d)", 778 | "dashboard_widgets" : [ { 779 | "description" : "Group Creations ", 780 | "type" : "SEARCH_RESULT_COUNT", 781 | "configuration" : { 782 | "timerange" : { 783 | "type" : "relative", 784 | "range" : 604800 785 | }, 786 | "lower_is_better" : false, 787 | "trend" : false, 788 | "query" : "EventID:631 OR EventID:635 OR EventID:658 OR EventID:4727 OR EventID:4731 OR EventID:4754" 789 | }, 790 | "col" : 3, 791 | "row" : 1, 792 | "cache_time" : 300 793 | }, { 794 | "description" : "Group Creations", 795 | "type" : "SEARCH_RESULT_CHART", 796 | "configuration" 
: { 797 | "timerange" : { 798 | "type" : "relative", 799 | "range" : 604800 800 | }, 801 | "interval" : "hour", 802 | "query" : "EventID:631 OR EventID:635 OR EventID:658 OR EventID:4727 OR EventID:4731 OR EventID:4754" 803 | }, 804 | "col" : 1, 805 | "row" : 1, 806 | "cache_time" : 300 807 | }, { 808 | "description" : "Group Creations By User", 809 | "type" : "QUICKVALUES", 810 | "configuration" : { 811 | "timerange" : { 812 | "type" : "relative", 813 | "range" : 604800 814 | }, 815 | "field" : "SubjectUserName", 816 | "show_pie_chart" : false, 817 | "query" : "EventID:631 OR EventID:635 OR EventID:658 OR EventID:4727 OR EventID:4731 OR EventID:4754", 818 | "show_data_table" : true 819 | }, 820 | "col" : 1, 821 | "row" : 2, 822 | "cache_time" : 300 823 | }, { 824 | "description" : "Group Creations By Source", 825 | "type" : "QUICKVALUES", 826 | "configuration" : { 827 | "timerange" : { 828 | "type" : "relative", 829 | "range" : 604800 830 | }, 831 | "field" : "source", 832 | "show_pie_chart" : false, 833 | "query" : "EventID:631 OR EventID:635 OR EventID:658 OR EventID:4727 OR EventID:4731 OR EventID:4754", 834 | "show_data_table" : true 835 | }, 836 | "col" : 2, 837 | "row" : 2, 838 | "cache_time" : 300 839 | }, { 840 | "description" : "Created Groups", 841 | "type" : "QUICKVALUES", 842 | "configuration" : { 843 | "timerange" : { 844 | "type" : "relative", 845 | "range" : 604800 846 | }, 847 | "field" : "TargetUserName", 848 | "show_pie_chart" : false, 849 | "query" : "EventID:631 OR EventID:635 OR EventID:658 OR EventID:4727 OR EventID:4731 OR EventID:4754", 850 | "show_data_table" : true 851 | }, 852 | "col" : 3, 853 | "row" : 2, 854 | "cache_time" : 300 855 | }, { 856 | "description" : "Group Deletions", 857 | "type" : "SEARCH_RESULT_CHART", 858 | "configuration" : { 859 | "timerange" : { 860 | "type" : "relative", 861 | "range" : 604800 862 | }, 863 | "interval" : "hour", 864 | "query" : "EventID:634 OR EventID:638 OR EventID:662 OR EventID:4730 OR 
EventID:4734 OR EventID:4758" 865 | }, 866 | "col" : 1, 867 | "row" : 4, 868 | "cache_time" : 300 869 | }, { 870 | "description" : "Group Deletions", 871 | "type" : "SEARCH_RESULT_COUNT", 872 | "configuration" : { 873 | "timerange" : { 874 | "type" : "relative", 875 | "range" : 604800 876 | }, 877 | "lower_is_better" : false, 878 | "trend" : false, 879 | "query" : "EventID:634 OR EventID:638 OR EventID:662 OR EventID:4730 OR EventID:4734 OR EventID:4758" 880 | }, 881 | "col" : 3, 882 | "row" : 4, 883 | "cache_time" : 300 884 | }, { 885 | "description" : "Groups Modified", 886 | "type" : "SEARCH_RESULT_COUNT", 887 | "configuration" : { 888 | "timerange" : { 889 | "type" : "relative", 890 | "range" : 604800 891 | }, 892 | "lower_is_better" : false, 893 | "trend" : false, 894 | "query" : "((EventID:4764 OR EventID:4735 OR EventID:4737 OR EventID:4755) AND NOT SamAccountName:\\-)" 895 | }, 896 | "col" : 3, 897 | "row" : 10, 898 | "cache_time" : 300 899 | }, { 900 | "description" : "Groups Modified", 901 | "type" : "SEARCH_RESULT_CHART", 902 | "configuration" : { 903 | "timerange" : { 904 | "type" : "relative", 905 | "range" : 604800 906 | }, 907 | "interval" : "hour", 908 | "query" : "((EventID:4764 OR EventID:4735 OR EventID:4737 OR EventID:4755) AND NOT SamAccountName:\\-)" 909 | }, 910 | "col" : 1, 911 | "row" : 10, 912 | "cache_time" : 10 913 | }, { 914 | "description" : "Groups Modified", 915 | "type" : "QUICKVALUES", 916 | "configuration" : { 917 | "timerange" : { 918 | "type" : "relative", 919 | "range" : 604800 920 | }, 921 | "field" : "TargetUserName", 922 | "show_pie_chart" : false, 923 | "query" : "((EventID:4764 OR EventID:4735 OR EventID:4737 OR EventID:4755) AND NOT SamAccountName:\\-)", 924 | "show_data_table" : true 925 | }, 926 | "col" : 3, 927 | "row" : 11, 928 | "cache_time" : 10 929 | }, { 930 | "description" : "Groups Modified By Source", 931 | "type" : "QUICKVALUES", 932 | "configuration" : { 933 | "timerange" : { 934 | "type" : "relative", 935 | 
"range" : 604800 936 | }, 937 | "field" : "source", 938 | "show_pie_chart" : false, 939 | "query" : "((EventID:4764 OR EventID:4735 OR EventID:4737 OR EventID:4755) AND NOT SamAccountName:\\-)", 940 | "show_data_table" : true 941 | }, 942 | "col" : 2, 943 | "row" : 11, 944 | "cache_time" : 10 945 | }, { 946 | "description" : "Groups Modified By User", 947 | "type" : "QUICKVALUES", 948 | "configuration" : { 949 | "timerange" : { 950 | "type" : "relative", 951 | "range" : 604800 952 | }, 953 | "field" : "SubjectUserName", 954 | "show_pie_chart" : false, 955 | "query" : "((EventID:4764 OR EventID:4735 OR EventID:4737 OR EventID:4755) AND NOT SamAccountName:\\-)", 956 | "show_data_table" : true 957 | }, 958 | "col" : 1, 959 | "row" : 11, 960 | "cache_time" : 10 961 | }, { 962 | "description" : "Membership Changes", 963 | "type" : "QUICKVALUES", 964 | "configuration" : { 965 | "timerange" : { 966 | "type" : "relative", 967 | "range" : 604800 968 | }, 969 | "field" : "TargetUserName", 970 | "show_pie_chart" : false, 971 | "query" : "EventID:4728 OR EventID:4729 OR EventID:4732 OR EventID:4733 OR EventID:4756 OR EventID:4757", 972 | "show_data_table" : true 973 | }, 974 | "col" : 3, 975 | "row" : 8, 976 | "cache_time" : 300 977 | }, { 978 | "description" : "Membership Changes By Source", 979 | "type" : "QUICKVALUES", 980 | "configuration" : { 981 | "timerange" : { 982 | "type" : "relative", 983 | "range" : 604800 984 | }, 985 | "field" : "source", 986 | "show_pie_chart" : false, 987 | "query" : "EventID:4728 OR EventID:4729 OR EventID:4732 OR EventID:4733 OR EventID:4756 OR EventID:4757", 988 | "show_data_table" : true 989 | }, 990 | "col" : 2, 991 | "row" : 8, 992 | "cache_time" : 300 993 | }, { 994 | "description" : "Membership Changes By User", 995 | "type" : "QUICKVALUES", 996 | "configuration" : { 997 | "timerange" : { 998 | "type" : "relative", 999 | "range" : 604800 1000 | }, 1001 | "field" : "SubjectUserName", 1002 | "show_pie_chart" : false, 1003 | "query" : 
"EventID:4728 OR EventID:4729 OR EventID:4732 OR EventID:4733 OR EventID:4756 OR EventID:4757", 1004 | "show_data_table" : true 1005 | }, 1006 | "col" : 1, 1007 | "row" : 8, 1008 | "cache_time" : 300 1009 | }, { 1010 | "description" : "Group Deletions By Source", 1011 | "type" : "QUICKVALUES", 1012 | "configuration" : { 1013 | "timerange" : { 1014 | "type" : "relative", 1015 | "range" : 604800 1016 | }, 1017 | "field" : "source", 1018 | "show_pie_chart" : false, 1019 | "query" : "EventID:634 OR EventID:638 OR EventID:662 OR EventID:4730 OR EventID:4734 OR EventID:4758", 1020 | "show_data_table" : true 1021 | }, 1022 | "col" : 2, 1023 | "row" : 5, 1024 | "cache_time" : 300 1025 | }, { 1026 | "description" : "Deleted Groups", 1027 | "type" : "QUICKVALUES", 1028 | "configuration" : { 1029 | "timerange" : { 1030 | "type" : "relative", 1031 | "range" : 604800 1032 | }, 1033 | "field" : "TargetUserName", 1034 | "show_pie_chart" : false, 1035 | "query" : "EventID:634 OR EventID:638 OR EventID:662 OR EventID:4730 OR EventID:4734 OR EventID:4758", 1036 | "show_data_table" : true 1037 | }, 1038 | "col" : 3, 1039 | "row" : 5, 1040 | "cache_time" : 300 1041 | }, { 1042 | "description" : "Membership Changes", 1043 | "type" : "SEARCH_RESULT_CHART", 1044 | "configuration" : { 1045 | "timerange" : { 1046 | "type" : "relative", 1047 | "range" : 604800 1048 | }, 1049 | "interval" : "hour", 1050 | "query" : "EventID:4728 OR EventID:4729 OR EventID:4732 OR EventID:4733 OR EventID:4756 OR EventID:4757" 1051 | }, 1052 | "col" : 1, 1053 | "row" : 7, 1054 | "cache_time" : 300 1055 | }, { 1056 | "description" : "Membership Changes", 1057 | "type" : "SEARCH_RESULT_COUNT", 1058 | "configuration" : { 1059 | "timerange" : { 1060 | "type" : "relative", 1061 | "range" : 604800 1062 | }, 1063 | "lower_is_better" : false, 1064 | "trend" : false, 1065 | "query" : "EventID:4728 OR EventID:4729 OR EventID:4732 OR EventID:4733 OR EventID:4756 OR EventID:4757" 1066 | }, 1067 | "col" : 3, 1068 | "row" : 
7, 1069 | "cache_time" : 300 1070 | }, { 1071 | "description" : "Group Deletions By User", 1072 | "type" : "QUICKVALUES", 1073 | "configuration" : { 1074 | "timerange" : { 1075 | "type" : "relative", 1076 | "range" : 604800 1077 | }, 1078 | "field" : "SubjectUserName", 1079 | "show_pie_chart" : false, 1080 | "query" : "EventID:634 OR EventID:638 OR EventID:662 OR EventID:4730 OR EventID:4734 OR EventID:4758", 1081 | "show_data_table" : true 1082 | }, 1083 | "col" : 1, 1084 | "row" : 5, 1085 | "cache_time" : 300 1086 | } ] 1087 | }, { 1088 | "title" : "AD Computer Object Summary (7d)", 1089 | "description" : "AD Computer Object Summary (7d)", 1090 | "dashboard_widgets" : [ { 1091 | "description" : "Computer Objects Created ", 1092 | "type" : "SEARCH_RESULT_COUNT", 1093 | "configuration" : { 1094 | "timerange" : { 1095 | "type" : "relative", 1096 | "range" : 604800 1097 | }, 1098 | "lower_is_better" : false, 1099 | "trend" : false, 1100 | "query" : "EventID:4741" 1101 | }, 1102 | "col" : 1, 1103 | "row" : 1, 1104 | "cache_time" : 300 1105 | }, { 1106 | "description" : "Computer Objects Changed", 1107 | "type" : "SEARCH_RESULT_COUNT", 1108 | "configuration" : { 1109 | "timerange" : { 1110 | "type" : "relative", 1111 | "range" : 604800 1112 | }, 1113 | "lower_is_better" : false, 1114 | "trend" : false, 1115 | "query" : "EventID:4742" 1116 | }, 1117 | "col" : 1, 1118 | "row" : 2, 1119 | "cache_time" : 300 1120 | }, { 1121 | "description" : "Computer Objects Deleted", 1122 | "type" : "SEARCH_RESULT_COUNT", 1123 | "configuration" : { 1124 | "timerange" : { 1125 | "type" : "relative", 1126 | "range" : 604800 1127 | }, 1128 | "lower_is_better" : false, 1129 | "trend" : false, 1130 | "query" : "EventID:4743" 1131 | }, 1132 | "col" : 1, 1133 | "row" : 3, 1134 | "cache_time" : 300 1135 | } ] 1136 | } ], 1137 | "grok_patterns" : [ ] 1138 | } --------------------------------------------------------------------------------