[{"ID":"io.gravwell.o365","Name":"Office 365","UUID":"06816d4b-ab09-441c-b9e3-913f43abb97d","Version":4,"Description":"Office 365 resources, queries, and automations. Contains lookups for Office 365 data across azure, DLP, exchange, and sharepoint.","Readme":"","Signed":true,"AdminRequired":false,"MinVersion":{"Major":5,"Minor":2,"Point":0},"MaxVersion":{"Major":0,"Minor":0,"Point":0},"Size":3563008,"Created":"2025-02-25T19:31:58.807860157Z","Ingesters":["Office 365"],"Tags":["365-dlp","365-azure","365-general","365-exchange","365-sharepoint"],"Assets":[{"Type":"image","Source":"cover.png","Legend":"Office 365","Featured":true,"Banner":false},{"Type":"image","Source":"banner.png","Legend":"Banner Image","Featured":true,"Banner":true},{"Type":"readme","Source":"README.md","Legend":"","Featured":false,"Banner":false}],"Dependencies":[{"ID":"io.gravwell.networkenrichment","MinVersion":14}],"Items":[{"Name":"0642db70-5022-4f7d-8aab-56d1d18150d2","Type":"file","AdditionalInfo":{"UUID":"0642db70-5022-4f7d-8aab-56d1d18150d2","Name":"o365-cover.png","Description":"Cover for O365 Gravwell Kit","Size":1980519,"ContentType":"image/png"},"Hash":[43,208,212,28,178,44,40,224,234,219,187,146,119,123,184,18,220,99,64,61,151,232,229,168,146,59,76,17,168,236,196,70]},{"Name":"d03694e4-0972-11ee-a452-878f39f3d022","Type":"file","AdditionalInfo":{"UUID":"d03694e4-0972-11ee-a452-878f39f3d022","Name":"o365-banner.png","Description":"Banner for O365 Gravwell 
Kit","Size":576718,"ContentType":"image/png"},"Hash":[1,148,218,196,113,74,0,200,51,64,88,200,219,243,48,196,4,79,87,69,122,84,151,73,110,240,114,214,171,145,223,73]},{"Name":"o365_audit_recordtype","Type":"resource","AdditionalInfo":{"VersionNumber":1,"ResourceName":"o365_audit_recordtype","Description":"","Size":8207,"Labels":["o365","Office365","record","recordtype"]},"Hash":[172,43,238,40,18,38,10,29,213,135,33,214,37,184,236,241,89,254,144,23,165,4,208,24,129,184,118,16,152,11,103,225]},{"Name":"o365_audit_usertype","Type":"resource","AdditionalInfo":{"VersionNumber":1,"ResourceName":"o365_audit_usertype","Description":"O365 audit log usertype int32 resolution","Size":315,"Labels":["o365","Office365","user","usertype"]},"Hash":[148,100,30,110,97,180,185,160,176,74,185,122,88,93,131,103,87,83,79,123,98,253,108,217,68,255,10,197,67,152,251,38]},{"Name":"o365_audit_applicationid","Type":"resource","AdditionalInfo":{"VersionNumber":1,"ResourceName":"o365_audit_applicationid","Description":"Common Application IDs for Office 365","Size":5569,"Labels":["o365","Office365","application","applicationid"]},"Hash":[9,104,218,97,80,54,57,116,57,86,114,209,212,250,213,228,226,150,238,140,143,235,242,23,180,53,160,159,164,80,224,113]},{"Name":"RESOLVE_O365_RECORDTYPE","Type":"macro","AdditionalInfo":{"Name":"RESOLVE_O365_RECORDTYPE","Description":"Resolves int32 RecordType values in the common o365 audit log schema\nhttps://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema","Expansion":"lookup -r o365_audit_recordtype RecordType value name as RecordType"},"Hash":[86,13,131,223,114,6,233,236,114,173,61,11,243,206,219,116,160,90,1,16,175,11,64,120,81,90,206,25,93,80,26,132]},{"Name":"RESOLVE_O365_USERTYPE","Type":"macro","AdditionalInfo":{"Name":"RESOLVE_O365_USERTYPE","Description":"Resolves int32 UserType values in the common o365 audit log 
schema\nhttps://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema","Expansion":" lookup -r o365_audit_usertype UserType value name as UserType"},"Hash":[187,22,27,168,118,56,234,59,139,49,205,140,176,36,77,11,214,2,188,114,23,38,243,181,24,118,227,11,216,41,222,218]},{"Name":"2921b756-9c5f-4adb-83f2-cf62241151fd","Type":"dashboard","AdditionalInfo":{"UUID":"2921b756-9c5f-4adb-83f2-cf62241151fd","Name":"Office 365 - Exchange User Investigative Dashboard","Description":"Investigative Dashboard for a specific user in Office 365 Exchange"},"Hash":[7,150,175,210,215,241,221,40,255,169,88,192,230,169,128,191,28,94,100,2,218,248,140,45,114,9,103,11,119,84,237,221]},{"Name":"9f03ab0a-a8fc-46fc-9caa-b1815bdaacf5","Type":"dashboard","AdditionalInfo":{"UUID":"9f03ab0a-a8fc-46fc-9caa-b1815bdaacf5","Name":"Office 365 - Sharepoint User Investigation","Description":"Investigation dashboard for user activity"},"Hash":[183,69,13,109,155,173,62,171,86,24,165,168,86,61,165,80,185,114,92,34,226,115,158,74,5,75,59,117,178,241,173,48]},{"Name":"13b4e909-ee47-4fbc-b74d-a6b000effa74","Type":"dashboard","AdditionalInfo":{"UUID":"13b4e909-ee47-4fbc-b74d-a6b000effa74","Name":"Office 365 - Azure User Investigative Dashboard","Description":"Investigative Dashboard for a specific user"},"Hash":[70,23,172,129,90,50,159,150,70,197,43,187,188,194,202,224,22,63,212,71,32,181,55,34,61,209,146,33,200,147,201,217]},{"Name":"e868edb2-e6bb-4103-a56e-3af19a6dc036","Type":"dashboard","AdditionalInfo":{"UUID":"e868edb2-e6bb-4103-a56e-3af19a6dc036","Name":"Office 365 - Exchange IP Investigative Dashboard","Description":"Investigative dashboard for Office 365 activity by IP Address"},"Hash":[121,53,236,66,135,213,231,251,161,185,92,238,193,245,229,197,220,122,150,22,165,139,109,17,6,18,114,164,23,96,40,120]},{"Name":"ab22baa3-9d0d-412a-b7f0-41470330fbb7","Type":"dashboard","AdditionalInfo":{"UUID":"ab22baa3-9d0d-412a-b7f0-41470330fbb7","Name":"Office 365 - 
Sharepoint Overview","Description":"Office 365 Sharepoint Overview"},"Hash":[72,42,211,81,248,16,86,70,186,157,252,209,207,218,122,95,253,62,238,25,60,132,237,183,25,187,26,1,159,35,143,105]},{"Name":"06be9d81-7118-4e70-95bd-99767ae8223e","Type":"dashboard","AdditionalInfo":{"UUID":"06be9d81-7118-4e70-95bd-99767ae8223e","Name":"Office 365 - Azure Overview","Description":"Overview of Office 365 Azure Activity"},"Hash":[191,86,236,142,238,111,116,18,121,80,205,74,121,150,116,123,137,67,246,247,134,235,24,41,196,207,219,233,193,178,160,41]},{"Name":"458fa0d0-7017-4ad6-86ab-9592bcd5496e","Type":"dashboard","AdditionalInfo":{"UUID":"458fa0d0-7017-4ad6-86ab-9592bcd5496e","Name":"Office 365 - General Overview","Description":"Overview Dashboard of Office 365 General API activity"},"Hash":[249,238,149,152,134,13,198,94,5,58,160,57,91,156,173,194,210,118,68,0,221,31,131,20,193,147,212,27,225,188,222,27]},{"Name":"577f092c-b89b-4678-966f-e5d0246a5200","Type":"dashboard","AdditionalInfo":{"UUID":"577f092c-b89b-4678-966f-e5d0246a5200","Name":"Office 365 - Sharepoint Asset Investigation","Description":"Office 365 Sharepoint Asset Investigation"},"Hash":[137,40,192,19,112,96,114,226,16,105,71,234,44,171,15,100,25,22,145,224,98,115,237,62,109,178,63,180,185,218,55,223]},{"Name":"b550b9bf-6dcc-4bc5-a4cf-74f111cdfd78","Type":"dashboard","AdditionalInfo":{"UUID":"b550b9bf-6dcc-4bc5-a4cf-74f111cdfd78","Name":"Office 365 Exchange User Overview","Description":"Overview dashboard of users on Office 365 Exchange"},"Hash":[153,126,150,105,236,199,85,84,211,19,140,245,137,246,234,230,213,107,228,32,212,217,135,98,202,25,11,82,38,93,140,104]},{"Name":"67390821-3bd6-4a98-ad16-be6ccbbe9f1d","Type":"template","AdditionalInfo":{"UUID":"67390821-3bd6-4a98-ad16-be6ccbbe9f1d","Name":"Office 365 - Exchange Client Activity","Description":"Table of client activity by 
user"},"Hash":[236,145,227,179,244,109,217,253,194,169,254,4,156,90,140,134,82,250,34,65,245,31,22,184,51,48,234,164,149,140,46,89]},{"Name":"4548aceb-8e7d-414c-a5e2-57f62bf6080d","Type":"template","AdditionalInfo":{"UUID":"4548aceb-8e7d-414c-a5e2-57f62bf6080d","Name":"Office 365 - Exchange Operation Activity","Description":"Chart of users Office 365 Exchange Operational Activity"},"Hash":[224,38,6,58,144,112,166,130,124,8,232,66,67,136,108,78,125,152,54,66,154,218,232,149,60,237,94,65,205,137,160,212]},{"Name":"0a4df85e-fadc-479f-aedc-237d2ac5eb0b","Type":"template","AdditionalInfo":{"UUID":"0a4df85e-fadc-479f-aedc-237d2ac5eb0b","Name":"Office 365 - User Attachment Activity","Description":"Show table of email attachment activity in Office 365"},"Hash":[122,175,51,43,91,189,15,196,182,224,236,38,173,207,185,66,214,231,189,81,247,218,109,173,153,11,154,187,28,168,239,215]},{"Name":"392ce1aa-f1ff-453b-a4d0-2ef309b3ec55","Type":"template","AdditionalInfo":{"UUID":"392ce1aa-f1ff-453b-a4d0-2ef309b3ec55","Name":"Office 365 - Sharepoint User Investigation Heatmap","Description":""},"Hash":[239,207,58,140,123,212,63,42,0,95,154,204,237,242,251,119,151,104,101,184,163,167,34,227,191,48,141,126,74,96,126,240]},{"Name":"96109284-e578-47be-bf67-15a397bac65e","Type":"template","AdditionalInfo":{"UUID":"96109284-e578-47be-bf67-15a397bac65e","Name":"Office 365 - Sharepoint User File deletions","Description":"Deletion activity within sharepoint"},"Hash":[241,109,98,76,36,242,30,66,28,52,89,249,223,32,125,44,195,228,146,72,149,194,99,154,148,105,154,141,166,189,127,109]},{"Name":"e52b44a6-406f-4be4-9d26-3d46130fbef6","Type":"template","AdditionalInfo":{"UUID":"e52b44a6-406f-4be4-9d26-3d46130fbef6","Name":"Office 365 - Sharepoint User operation count","Description":"Investigative 
query"},"Hash":[226,67,181,36,79,173,3,36,207,0,81,75,130,154,249,214,65,76,191,237,103,31,119,150,250,216,96,178,22,91,86,15]},{"Name":"e0acd20f-af34-48b8-ab20-a8d442f72cc5","Type":"template","AdditionalInfo":{"UUID":"e0acd20f-af34-48b8-ab20-a8d442f72cc5","Name":"Office 365 - Sharepoint external shares","Description":"Office 365 Sharepoint external shares"},"Hash":[186,71,75,47,170,50,168,244,174,92,127,115,62,120,37,141,60,150,114,194,222,28,66,175,46,26,129,156,212,88,59,200]},{"Name":"7f0385e6-9183-4b95-9ce8-812a96cda9e2","Type":"template","AdditionalInfo":{"UUID":"7f0385e6-9183-4b95-9ce8-812a96cda9e2","Name":"Office 365 - User OS Operation Distribution","Description":"Show a stackgraph of operations distributed by operating system"},"Hash":[199,125,237,29,218,30,199,65,172,47,242,255,64,232,9,226,231,60,12,98,25,161,106,64,50,192,145,234,88,249,131,68]},{"Name":"e6d7bd23-d805-44f5-9fb2-a1c3bd5cbce0","Type":"template","AdditionalInfo":{"UUID":"e6d7bd23-d805-44f5-9fb2-a1c3bd5cbce0","Name":"Office 365 - User Workload Operations","Description":"Table of User Workload Operations"},"Hash":[121,126,143,145,246,51,208,60,35,251,123,119,180,222,86,143,54,180,192,196,119,15,192,195,224,173,45,21,31,219,202,179]},{"Name":"ec300f4a-0b42-4b9e-814d-c75c69c952f2","Type":"template","AdditionalInfo":{"UUID":"ec300f4a-0b42-4b9e-814d-c75c69c952f2","Name":"Office 365 - User Operation Overview","Description":"Show a chart of Operations performed by a specific Office 365 user"},"Hash":[194,140,216,26,51,169,133,111,171,192,55,103,138,19,49,154,47,107,151,4,8,11,253,136,144,139,219,90,37,23,241,188]},{"Name":"d9aed2e0-a105-484d-9c69-cb99f5f7a72a","Type":"template","AdditionalInfo":{"UUID":"d9aed2e0-a105-484d-9c69-cb99f5f7a72a","Name":"Office 365 - User Login Success/Failure Numbercard","Description":"Show Login Success and Failure counts for a specific 
user"},"Hash":[107,82,42,219,7,43,80,44,91,133,136,128,20,178,102,16,162,30,59,191,18,123,18,79,81,16,235,132,54,148,116,221]},{"Name":"be7ea7a2-e7f1-4507-bc85-549fdeac1d86","Type":"template","AdditionalInfo":{"UUID":"be7ea7a2-e7f1-4507-bc85-549fdeac1d86","Name":"Office 365 - User Unique Useragent numbercard","Description":"Show a numbercard of unique user agents for a specific user"},"Hash":[81,238,143,33,142,79,194,78,80,46,39,160,158,9,71,119,153,99,249,69,69,187,148,168,46,43,65,161,112,80,52,204]},{"Name":"f7b702bd-56df-4c1f-bfd8-9e0e20a70098","Type":"template","AdditionalInfo":{"UUID":"f7b702bd-56df-4c1f-bfd8-9e0e20a70098","Name":"Office 365 - Azure Geo-Located User Operations","Description":"Show a table of operations and counts for a specific user grouped by client ip and geolocation."},"Hash":[51,7,81,221,226,15,171,178,151,118,110,104,200,45,156,228,153,146,154,70,236,210,252,174,249,50,81,190,157,6,176,189]},{"Name":"9dbad550-7919-4aec-a27a-60888b09cdac","Type":"template","AdditionalInfo":{"UUID":"9dbad550-7919-4aec-a27a-60888b09cdac","Name":"Office 365 - Exchange Simple IP Lookup","Description":"Show a table for a given IP with Country, City, and ANS Organization"},"Hash":[36,18,17,110,104,40,104,109,252,223,13,205,98,179,171,199,169,9,247,25,52,124,103,203,54,216,18,57,53,106,130,79]},{"Name":"f83e8d57-6bfe-4c8c-ab2a-6b29a6675873","Type":"template","AdditionalInfo":{"UUID":"f83e8d57-6bfe-4c8c-ab2a-6b29a6675873","Name":"Office 365 - Exchange IP Activity","Description":"Show Stackgraph of User operations for a given IP"},"Hash":[129,2,76,22,182,5,38,213,233,195,17,59,2,168,84,52,194,16,158,181,84,246,138,195,130,59,168,11,229,204,215,180]},{"Name":"a309b3eb-62df-4f2a-ba7e-24873743d8d6","Type":"template","AdditionalInfo":{"UUID":"a309b3eb-62df-4f2a-ba7e-24873743d8d6","Name":"Office 365 - Client accounting for IP","Description":"Show a list of unique users for a given client and 
version"},"Hash":[111,99,103,77,174,69,32,237,69,255,31,74,157,36,223,158,104,97,201,212,95,247,109,231,102,71,86,36,112,142,183,50]},{"Name":"e0b2de4b-3160-42a0-842c-8b5a33d38b2b","Type":"template","AdditionalInfo":{"UUID":"e0b2de4b-3160-42a0-842c-8b5a33d38b2b","Name":"Office 365 - Exchange Unique Users for an IP","Description":"Show a Numbercard of unique user IDs accessed by a given IP"},"Hash":[210,115,131,8,180,84,151,244,197,52,42,224,21,122,251,34,95,223,138,95,249,154,148,20,183,254,46,251,91,158,79,65]},{"Name":"b9d8ad5a-7042-4161-963b-1c7c54fe6ba2","Type":"template","AdditionalInfo":{"UUID":"b9d8ad5a-7042-4161-963b-1c7c54fe6ba2","Name":"Office 365 - Sharepoint Asset user activity","Description":""},"Hash":[226,58,50,3,150,216,155,131,57,52,89,91,11,187,95,126,16,49,122,164,58,224,13,113,82,182,120,132,67,194,208,27]},{"Name":"25a6886f-2376-4fe4-a332-2d860afb85b1","Type":"template","AdditionalInfo":{"UUID":"25a6886f-2376-4fe4-a332-2d860afb85b1","Name":"Office 365 - Sharepoint Asset activity map","Description":""},"Hash":[177,44,199,148,215,3,31,205,40,46,47,194,57,54,16,70,221,153,193,79,84,77,59,103,131,104,17,4,220,251,51,12]},{"Name":"3ccea445-536f-4abc-9c98-999099b62667","Type":"template","AdditionalInfo":{"UUID":"3ccea445-536f-4abc-9c98-999099b62667","Name":"Office 365 - Sharepoint Asset search","Description":""},"Hash":[172,16,79,82,210,253,178,83,89,110,127,224,224,110,224,126,72,170,255,172,188,223,183,12,211,140,141,206,56,88,126,43]},{"Name":"13be8511-cd54-43ba-bd76-0fd85f57e958","Type":"template","AdditionalInfo":{"UUID":"13be8511-cd54-43ba-bd76-0fd85f57e958","Name":"Office 365 - Exchange Client IP Login Activity List","Description":"Show table of login attempts and successes"},"Hash":[227,156,81,142,121,78,231,201,22,175,59,37,96,123,26,220,130,48,78,47,92,97,144,39,90,42,152,90,26,152,13,10]},{"Name":"73529bc7-dd72-4caf-b30a-af012f322e29","Type":"pivot","AdditionalInfo":{"UUID":"73529bc7-dd72-4caf-b30a-af012f322e29","Name":"Office 365 - Azure 
IP Address","Description":"Actionable to start Office 365 Azure IP Address actions"},"Hash":[48,154,140,45,2,11,25,211,102,199,105,78,153,202,98,30,30,197,209,65,120,241,198,213,254,99,7,169,19,224,186,168]},{"Name":"7be2a47c-cd46-4e45-a094-90093b1dcefd","Type":"pivot","AdditionalInfo":{"UUID":"7be2a47c-cd46-4e45-a094-90093b1dcefd","Name":"Office 365 - Azure Username","Description":"Investigate using Office 365 Azure Logs"},"Hash":[151,67,171,144,138,62,231,182,58,74,119,216,66,28,206,91,119,146,61,64,84,33,210,107,164,52,12,38,209,31,138,71]},{"Name":"b03a04d1-475d-46dc-a2ef-dc14a7d9dff9","Type":"pivot","AdditionalInfo":{"UUID":"b03a04d1-475d-46dc-a2ef-dc14a7d9dff9","Name":"Office 365 - Exchange Email","Description":"Actionable to trigger on email addresses"},"Hash":[236,3,81,181,2,97,102,126,26,2,248,221,50,149,22,95,122,96,220,130,88,174,126,100,79,92,39,99,152,3,36,137]},{"Name":"3bf3db7d-7afe-4b90-a15a-ac488dc5fb88","Type":"searchlibrary","AdditionalInfo":{"Name":"Office 365 - Sharepoint Client Map","Description":"Map of user activity (excluding sync operations)","Query":"tag=$365-SHAREPOINT json UserId SourceFileName SourceRelativeUrl UserAgent SourceFileExtension Operation!=\"ManagedSyncClientAllowed\" ClientIP ObjectId ItemType\n| grep -e Operation -v FileSyncUploadedFull\n| count by UserId ClientIP Operation\n| geoip ClientIP.Location\n| pointmap ClientIP UserId Operation","UUID":"3bf3db7d-7afe-4b90-a15a-ac488dc5fb88"},"Hash":[40,120,18,50,110,125,178,201,116,104,81,242,84,185,12,217,95,77,136,166,121,8,150,126,243,193,57,200,104,154,66,86]},{"Name":"0808c326-302e-4b7e-9eea-a57355ccd895","Type":"searchlibrary","AdditionalInfo":{"Name":"Office 365 - Users sharing externally","Description":"Counts of users sharing files to new Guest users","Query":"tag=$365-SHAREPOINT words -or AnonymousLinkCreated SecureLinkCreated AddedToSecureLink SharingInvitationCreated\n| json TargetUserOrGroupType==\"Guest\" TargetUserOrGroupName UserId SourceFileName 
SourceRelativeUrl UserAgent SourceFileExtension Operation ClientIP ObjectId ItemType\n| count by UserId ItemType\n| table UserId ItemType count","UUID":"0808c326-302e-4b7e-9eea-a57355ccd895"},"Hash":[191,111,11,255,17,10,67,174,186,92,32,204,76,100,41,222,51,174,209,207,240,54,162,92,56,159,139,137,229,172,206,68]},{"Name":"dba32092-adbe-4b3d-a173-5e1cacbb2079","Type":"searchlibrary","AdditionalInfo":{"Name":"Office 365 - Users deleting \u003e 5 files","Description":"Sharepoint users who have deleted more than X files","Query":"tag=$365-SHAREPOINT words FileDeleted\n| json UserId SourceFileName SourceRelativeUrl UserAgent SourceFileExtension Operation==\"FileDeleted\" ClientIP ObjectId ItemType\n| count by UserId\n| eval (count \u003e 5)\n| chart count by UserId limit 30","UUID":"dba32092-adbe-4b3d-a173-5e1cacbb2079"},"Hash":[202,122,141,98,80,227,125,78,87,232,98,231,152,109,93,96,61,91,193,179,21,165,175,169,112,128,170,149,12,11,72,186]},{"Name":"abf89ce9-8ddf-4b36-84d1-15ff0a1a0b75","Type":"searchlibrary","AdditionalInfo":{"Name":"Office 365 - Users touching .exe files","Description":"Chart of users performing sharepoint operations on .exe files","Query":"tag=$365-SHAREPOINT words -v ManagedSyncClientAllowed \n| json UserId SourceFileName SourceRelativeUrl UserAgent SourceFileExtension==\"exe\" Operation ClientIP ObjectId ItemType\n| count by UserId\n| chart count by UserId limit 20","UUID":"abf89ce9-8ddf-4b36-84d1-15ff0a1a0b75"},"Hash":[101,25,33,255,160,25,253,250,104,68,39,10,78,239,108,221,228,54,167,249,179,200,187,136,169,23,119,173,209,165,58,122]},{"Name":"9325f888-37d1-4c66-919c-d8eb25c18de9","Type":"searchlibrary","AdditionalInfo":{"Name":"Office 365 - Domains receiving new shares","Description":"","Query":"tag=$365-SHAREPOINT words -or AnonymousLinkCreated SecureLinkCreated AddedToSecureLink SharingInvitationCreated\n| json TargetUserOrGroupType==\"Guest\" TargetUserOrGroupName UserId SourceFileName SourceRelativeUrl UserAgent SourceFileExtension 
Operation ClientIP ObjectId ItemType\n| regex -e TargetUserOrGroupName \".+@(?P\u003cDomain\u003e.+)\"\n| count by Domain ItemType\n| table Domain ItemType count","UUID":"9325f888-37d1-4c66-919c-d8eb25c18de9"},"Hash":[82,63,183,57,116,194,90,102,224,34,81,41,45,26,237,216,239,161,53,129,2,134,28,112,40,70,202,51,209,45,154,249]},{"Name":"e39fee53-4742-4e53-8008-43ee9a56d5d5","Type":"searchlibrary","AdditionalInfo":{"Name":"Office 365 - Azure Login Success/Failure Ratio","Description":"Show a table with failure/success ratios with ClientIP lookups.","Query":"@failure{tag=$365-AZURE json Operation==UserLoginFailed UserType UserId RecordType ClientIP\n| stats count as Failures by UserType UserId RecordType ClientIP\n| lookup -r o365_audit_usertype UserType value name as UserType\n| table UserId UserType Failures RecordType ClientIP};\n@success{tag=$365-AZURE json Operation==UserLoggedIn UserType UserId RecordType ClientIP\n| stats count as Logins by UserType UserId RecordType ClientIP\n| lookup -r o365_audit_usertype UserType value name as UserType\n| table UserId UserType Logins RecordType ClientIP};\n\n/* dump both tables into the pipeline */\ndump -r @failure | dump -r @success -p\n| stats sum(Failures) as Failures sum(Logins) as Logins by UserId UserType ClientIP RecordType\n| lookup -r o365_audit_recordtype RecordType value name as RecordType\n| eval (Ratio=float(Failures)/float(Logins))\n| sort by Ratio desc\n| geoip ClientIP.CountryName ClientIP.City\n| table UserId UserType Logins Failures Ratio RecordType ClientIP CountryName City","UUID":"e39fee53-4742-4e53-8008-43ee9a56d5d5"},"Hash":[42,114,240,185,138,249,221,127,226,67,55,155,93,96,181,4,112,69,211,171,196,162,104,70,23,21,144,80,104,214,152,36]},{"Name":"eff76888-6c58-4703-ad2c-8e1dc57dcc49","Type":"searchlibrary","AdditionalInfo":{"Name":"Office 365 - Azure Active Directory Users","Description":"Numbercard of Office 365 Azure AD users","Query":"tag=$365-AZURE json Operation == \"UserLoggedIn\" 
ResultStatus == \"Success\" UserId\n| stats unique_count(UserId) as Users\n| numbercard Users","UUID":"eff76888-6c58-4703-ad2c-8e1dc57dcc49"},"Hash":[93,109,115,103,74,165,65,124,13,25,113,252,184,228,209,189,144,219,166,46,76,178,191,183,46,40,164,254,16,115,109,78]},{"Name":"21c4a5ce-9fc7-421c-a8f8-4fdcade8789c","Type":"searchlibrary","AdditionalInfo":{"Name":"Office 365 - Azure Activity Distribution","Description":"Chart of Office 365 Azure Activities","Query":"tag=$365-AZURE json Operation\n| stats count by Operation\n| chart count by Operation limit 16","UUID":"21c4a5ce-9fc7-421c-a8f8-4fdcade8789c"},"Hash":[101,76,130,191,173,78,46,210,114,167,22,65,247,200,147,58,104,147,31,203,62,2,31,57,143,91,143,98,105,39,234,242]},{"Name":"4c04e13f-c007-4453-a33b-9fcc578aa3dd","Type":"searchlibrary","AdditionalInfo":{"Name":"Office 365 - Azure Active Directory User Login Failures","Description":"Numbercard of the unique count of users that failed to login","Query":"tag=$365-AZURE json Operation==UserLoginFailed UserId\n| stats unique_count(UserId) as \"Users With Login Failures\"\n| numbercard \"Users With Login Failures\"","UUID":"4c04e13f-c007-4453-a33b-9fcc578aa3dd"},"Hash":[91,162,140,89,254,125,198,114,20,52,167,206,235,90,37,143,200,124,115,168,51,234,243,179,138,241,143,20,14,114,19,230]},{"Name":"04d45193-e1ea-4755-9870-d08426dc42ae","Type":"searchlibrary","AdditionalInfo":{"Name":"Office 365 - Azure Active Directory Login Failures","Description":"Table of Login failures and for Azure Active Directory","Query":"tag=$365-AZURE json Operation==UserLoginFailed UserId LogonError UserType\n| stats count by LogonError UserId\n| lookup -r o365_audit_usertype UserType value name as UserType\n| table UserId UserType LogonError 
count","UUID":"04d45193-e1ea-4755-9870-d08426dc42ae"},"Hash":[197,166,122,184,172,132,215,182,172,217,192,16,36,194,239,136,38,108,135,159,29,228,131,104,187,91,233,73,56,55,159,99]},{"Name":"faa94f82-9ebb-43e7-9273-ccfbbc5aac04","Type":"searchlibrary","AdditionalInfo":{"Name":"Office 365 - Azure Active Directory Login Failure Map","Description":"Map of Office 365 Azure Active Directory login failures","Query":"tag=$365-AZURE json Operation == \"UserLoginFailed\" UserId ClientIP\n| stats count by ClientIP UserId\n| geoip ClientIP.Location\n| geoip -r asn_db ClientIP.ASNOrg\n| pointmap UserId ClientIP ASNOrg","UUID":"faa94f82-9ebb-43e7-9273-ccfbbc5aac04"},"Hash":[242,2,143,118,151,75,239,219,129,110,220,170,49,229,209,23,182,135,77,223,9,14,81,147,254,146,35,117,247,191,191,18]},{"Name":"3bc2f8d5-d54b-4a6d-bc7e-f5d07b03f84a","Type":"searchlibrary","AdditionalInfo":{"Name":"Office 365 - General ThreatIntel Verdict Distribution","Description":"Chart of Office 365 General ThreatIntel Verdicts","Query":"tag=$365-GENERAL json Workload == \"ThreatIntelligence\" Verdict \n| stats count by Verdict\n| chart count by Verdict","UUID":"3bc2f8d5-d54b-4a6d-bc7e-f5d07b03f84a"},"Hash":[231,60,222,187,31,147,64,58,122,46,19,78,181,77,215,77,42,95,6,101,243,138,40,10,205,90,151,70,153,18,40,28]},{"Name":"0975d37c-373e-4d7a-9bed-8f8ca7123e93","Type":"searchlibrary","AdditionalInfo":{"Name":"Office 365 - General User Activity Map","Description":"Map of User locations from Office365 General API","Query":"tag=$365-GENERAL json ClientIP UserId | geoip ClientIP.Location\n| stats count by UserId Location\n| pointmap UserId","UUID":"0975d37c-373e-4d7a-9bed-8f8ca7123e93"},"Hash":[8,126,154,112,248,181,200,17,165,171,249,111,210,108,216,178,113,72,43,154,58,116,218,99,100,79,136,187,46,74,235,106]},{"Name":"3fe01f34-6016-40e6-bb03-58c6b24f59db","Type":"searchlibrary","AdditionalInfo":{"Name":"Office 365 - ThreatManagement Alerts","Description":"Table of alert types, levels. 
and categories using ThreatManagement logs","Query":"tag=$365-GENERAL json RecordType==40 Severity Category EntityType Name\n| stats count by Severity Category EntityType Name\n| table Severity Category EntityType Name count","UUID":"3fe01f34-6016-40e6-bb03-58c6b24f59db"},"Hash":[155,104,10,48,123,213,1,249,199,82,190,21,222,142,194,178,66,131,224,17,22,49,100,164,130,47,105,136,111,216,168,40]},{"Name":"10f7addf-6d33-4605-9d3d-5c60a32c9977","Type":"searchlibrary","AdditionalInfo":{"Name":"Office 365 - General User Count","Description":"Numbercard of Unique Users seen in general workload","Query":"tag=$365-GENERAL json UserId | stats unique_count(UserId) as Users | numbercard Users","UUID":"10f7addf-6d33-4605-9d3d-5c60a32c9977"},"Hash":[26,212,221,35,132,127,216,245,3,181,175,54,0,86,6,14,172,221,66,107,120,143,172,8,4,133,241,146,21,116,12,230]},{"Name":"e3de4a9b-5adb-40c0-bab7-88d72428f4b7","Type":"searchlibrary","AdditionalInfo":{"Name":"Office 365 - General Workload Distribution","Description":"Chart of Office 365 general workload distribution","Query":"tag=$365-GENERAL json Workload | stats count by Workload | chart count by Workload limit 32","UUID":"e3de4a9b-5adb-40c0-bab7-88d72428f4b7"},"Hash":[166,210,104,130,41,103,27,240,15,220,150,138,5,149,2,168,246,29,154,47,35,151,162,223,179,255,152,145,62,230,193,169]},{"Name":"7dcb0090-b33c-4e82-acaf-6091274e76f6","Type":"searchlibrary","AdditionalInfo":{"Name":"Office 365 - Email Traffic","Description":"Chart of bandwidth usage by Email traffic in Office 365 Exchange","Query":"tag=$365-EXCHANGE json Operation == \"Create\" Item.SizeInBytes\n| stats sum(SizeInBytes) as traffic over 10m\n| chart traffic\n","UUID":"7dcb0090-b33c-4e82-acaf-6091274e76f6"},"Hash":[76,178,243,198,245,155,139,26,214,23,247,110,21,157,255,205,178,60,248,38,207,152,191,245,100,97,110,160,208,218,69,234]},{"Name":"cc3d314f-7d07-427d-9902-c76ed9203ff8","Type":"searchlibrary","AdditionalInfo":{"Name":"Office 365 - Login Activity 
Map","Description":"Pointmap of Geographic Login Activity for Office 365 Exchange","Query":"tag=$365-EXCHANGE json Operation==\"MailboxLogin\" ResultStatus==Succeeded ClientIP UserId\n| geoip ClientIP.Location\n| stats count by UserId Location\n| pointmap UserId count\n","UUID":"cc3d314f-7d07-427d-9902-c76ed9203ff8"},"Hash":[212,165,19,199,197,97,224,105,210,189,253,22,57,201,125,35,67,219,245,217,19,65,10,223,154,1,163,207,67,125,138,183]},{"Name":"99da6f6a-bb04-439d-b9ab-c729829563a8","Type":"searchlibrary","AdditionalInfo":{"Name":"Office 365 - Azure Failed Logons using Password","Description":"Show table with geoip lookups with logon failures by password","Query":"tag=$365-AZURE json Operation == \"UserLoginFailed\" LogonError==\"InvalidUserNameOrPassword\" UserId ClientIP\n| stats count by UserId ClientIP\n| geoip ClientIP.CountryName as Country ClientIP.City\n| table count UserId ClientIP Country City","UUID":"99da6f6a-bb04-439d-b9ab-c729829563a8"},"Hash":[162,57,247,127,118,174,60,47,152,77,123,246,85,90,88,60,96,10,189,226,41,118,120,65,249,123,115,35,136,17,195,29]},{"Name":"721f2b91-67b5-44d6-b2c7-c841540f39c5","Type":"searchlibrary","AdditionalInfo":{"Name":"Office 365 - EXE activity","Description":"Table of users performing sharepoint operations on .exe files","Query":"tag=$365-SHAREPOINT words -v ManagedSyncClientAllowed \n| json UserId SourceFileName SourceRelativeUrl UserAgent SourceFileExtension==\"exe\" Operation ClientIP ObjectId ItemType\n| unique UserId Operation ObjectId\n| table UserId Operation ObjectId","UUID":"721f2b91-67b5-44d6-b2c7-c841540f39c5"},"Hash":[72,171,242,8,232,0,185,253,19,68,230,211,44,48,158,227,25,45,27,250,116,41,90,52,247,191,24,249,140,106,187,27]},{"Name":"af1a6dc2-477d-47a8-ba49-8b54c7829b43","Type":"searchlibrary","AdditionalInfo":{"Name":"Office 365 - Exchange EXE Attachments","Description":"Table of Emails containing EXE attachments from Office 365","Query":"tag=$365-EXCHANGE json -s MailboxOwnerUPN Item.Subject as 
\"Subject\" Operation == \"Create\" Item.Attachments as \"Attachments\"\n| split -d \"; \" Attachments\n| regex -e \"Attachments\" \"\\.(?P\u003cextension\u003e[^\\.]+) \\(\\d+b\\)\" extension\n| lower extension\n| eval extension == \"exe\"\n| table TIMESTAMP MailboxOwnerUPN Subject Attachments","UUID":"af1a6dc2-477d-47a8-ba49-8b54c7829b43"},"Hash":[51,104,36,110,156,48,67,251,212,203,174,0,12,192,42,46,177,16,62,226,99,189,91,149,230,114,136,3,254,177,29,142]},{"Name":"966eec2c-a0df-45da-88b0-db4fea66cccc","Type":"searchlibrary","AdditionalInfo":{"Name":"Office 365 - Exchange Active Users by Domain","Description":"Chart of unique active users by domain","Query":"tag=$365-EXCHANGE json MailboxOwnerUPN\n| regex -e MailboxOwnerUPN \"[^@]+@(?P\u003cdomain\u003e.+)\"\n| stats unique_count(MailboxOwnerUPN) as users by domain\n| chart users by domain","UUID":"966eec2c-a0df-45da-88b0-db4fea66cccc"},"Hash":[154,158,90,50,181,215,50,124,169,121,179,146,5,86,189,64,25,187,146,29,189,207,197,231,147,5,232,5,189,193,86,207]},{"Name":"36bb7555-e0ab-4688-8459-e2376f29e1f4","Type":"searchlibrary","AdditionalInfo":{"Name":"Office 365 - Azure MFA Logon Failures","Description":"Show list of users that passed username and password logon step but failed the MFA step.","Query":"tag=$365-AZURE json Operation == \"UserLoginFailed\" LogonError==\"UserStrongAuthClientAuthNRequiredInterrupt\" UserId!=\"Not Available\" ClientIP\n| stats count by UserId ClientIP\n| geoip ClientIP.CountryName as Country ClientIP.City\n| table count UserId ClientIP Country City","UUID":"36bb7555-e0ab-4688-8459-e2376f29e1f4"},"Hash":[172,63,123,186,174,69,174,237,225,124,235,13,237,204,246,46,110,44,157,57,96,18,202,13,126,131,15,45,234,233,79,90]},{"Name":"9a85567b-f2e4-4c86-9b7e-92aee843086e","Type":"searchlibrary","AdditionalInfo":{"Name":"Office 365 - Existing Guests w/ new shares","Description":"New shares added to existing guest accounts","Query":"tag=$365-SHAREPOINT words TargetUserOrGroupType\n| json 
TargetUserOrGroupType==\"Guest\" TargetUserOrGroupName UserId SourceFileName SourceRelativeUrl UserAgent SourceFileExtension Operation==\"AddedToGroup\" ClientIP ObjectId ItemType\n| count by TargetUserOrGroupName ItemType\n| table TargetUserOrGroupName ItemType count","UUID":"9a85567b-f2e4-4c86-9b7e-92aee843086e"},"Hash":[172,8,99,39,131,73,48,116,232,149,75,251,173,111,20,82,82,36,167,152,29,251,181,168,224,200,253,206,158,39,131,184]},{"Name":"365-dlp","Type":"autoextractor","AdditionalInfo":{"name":"365-dlp","desc":"Extract Office 365 standard fields for DLP data","module":"json","tag":"365-dlp"},"Hash":[168,84,125,29,176,11,119,143,208,113,40,240,171,173,107,93,24,252,120,238,72,195,162,228,224,179,56,154,219,128,3,209]},{"Name":"365-azure","Type":"autoextractor","AdditionalInfo":{"name":"365-azure","desc":"Extract Office 365 standard fields for Azure data","module":"json","tag":"365-azure"},"Hash":[183,60,179,119,102,148,3,84,222,94,9,169,34,227,85,255,162,216,216,239,203,169,3,207,253,248,235,186,1,79,69,160]},{"Name":"365-general","Type":"autoextractor","AdditionalInfo":{"name":"365-general","desc":"Extract Office 365 standard fields for general data","module":"json","tag":"365-general"},"Hash":[5,116,5,144,39,195,142,120,72,142,166,72,44,15,57,254,26,137,50,40,44,88,226,70,162,105,101,101,233,130,120,97]},{"Name":"365-sharepoint","Type":"autoextractor","AdditionalInfo":{"name":"365-sharepoint","desc":"Extract Office 365 standard fields for Sharepoint data","module":"json","tag":"365-sharepoint"},"Hash":[38,138,175,207,79,5,12,219,167,152,67,135,17,128,104,52,110,143,91,30,47,169,182,191,238,148,53,73,132,64,89,82]},{"Name":"365-AZURE","Type":"macro","AdditionalInfo":{"Name":"365-AZURE","Description":"O365 tag containing Azure 
events","Expansion":"365-azure\n"},"Hash":[67,237,189,218,172,68,172,248,162,66,35,139,1,100,20,102,22,226,59,247,232,5,147,56,49,139,117,51,106,95,32,143]},{"Name":"365-EXCHANGE","Type":"macro","AdditionalInfo":{"Name":"365-EXCHANGE","Description":"O365 tag containing Exchange events","Expansion":"365-exchange\n"},"Hash":[231,61,139,121,99,236,52,209,208,188,73,121,92,96,104,82,175,50,23,137,98,57,4,137,184,171,103,11,115,80,48,179]},{"Name":"365-GENERAL","Type":"macro","AdditionalInfo":{"Name":"365-GENERAL","Description":"O365 tag containing General events","Expansion":"365-general\n"},"Hash":[34,144,152,32,138,38,32,102,177,42,127,147,244,44,166,104,121,145,70,180,229,165,100,130,24,11,12,50,123,143,248,175]},{"Name":"365-SHAREPOINT","Type":"macro","AdditionalInfo":{"Name":"O365-SHAREPOINT","Description":"O365 tag containing Sharepoint events","Expansion":"365-sharepoint\n"},"Hash":[0,98,83,81,202,193,166,209,239,130,37,173,68,184,129,50,109,83,198,123,77,103,111,70,136,118,238,227,178,165,98,214]},{"Name":"35379d80-485c-4822-8f84-0c0542505b02","Type":"searchlibrary","AdditionalInfo":{"Name":"Office 365 - Active Users and User Domains","Description":"Numbercard of active user count and domain count for those users","Query":"tag=$365-EXCHANGE json UserId\r\n| regex -e UserId \"[^@]+@(?P\u003cdomain\u003e.+)\"\r\n| stats unique_count(domain) as \"Active Domains\" unique_count(UserId) as \"Active Users\"\r\n| numbercard \"Active Users\" \"Active Domains\"\r\n","UUID":"35379d80-485c-4822-8f84-0c0542505b02"},"Hash":[206,18,117,221,42,15,238,10,191,38,167,139,108,193,233,178,176,158,46,250,86,41,144,232,194,144,60,240,75,183,18,108]},{"Name":"c151f61e-62d4-4f80-98c7-9b2bbd7ac55a","Type":"searchlibrary","AdditionalInfo":{"Name":"Office 365 - Attachment extensions","Description":"Table of least occurring attachment extensions","Query":"tag=$365-EXCHANGE json -s Operation == \"Create\" Item.Attachments as \"Attachments\"\r\n| split -d \"; \" Attachments\r\n| regex -e 
Attachments \"\\.(?P\u003cextension\u003e[^\\.]+) \\(\\d+b\\)\"\r\n| lower extension\r\n| stats count by extension\r\n| sort by count asc\r\n| limit 10\r\n| table extension count\r\n","UUID":"c151f61e-62d4-4f80-98c7-9b2bbd7ac55a"},"Hash":[62,86,61,141,83,251,215,30,28,77,77,49,222,132,28,188,26,57,135,238,7,30,83,37,30,171,122,13,246,112,110,204]},{"Name":"29528ab0-239d-445d-95e2-96319f099686","Type":"searchlibrary","AdditionalInfo":{"Name":"Office 365 - Attachment extensions over time","Description":"Count of attachment extensions over time","Query":"tag=$365-EXCHANGE json -s Operation == \"Create\" Item.Attachments as \"Attachments\"\r\n| split -d \"; \" Attachments\r\n| regex -e Attachments \"\\.(?P\u003cextension\u003e[^\\.]+) \\(\\d+b\\)\"\r\n| stats count by extension\r\n| lower extension\r\n| chart count by extension limit 32\r\n","UUID":"29528ab0-239d-445d-95e2-96319f099686"},"Hash":[53,167,103,90,34,39,78,250,25,185,194,135,241,42,176,156,238,247,166,89,131,13,76,206,62,219,244,189,177,249,39,83]},{"Name":"e5b0ce97-5320-4ab8-aa2e-90e7eaf0980e","Type":"searchlibrary","AdditionalInfo":{"Name":"Office 365 - New Mailbox Events","Description":"Numbercard of new mailbox events","Query":"tag=$365-EXCHANGE json Operation==\"New-Mailbox\"\r\n| stats count as \"New Mailboxes\"\r\n| numbercard \"New Mailboxes\"\r\n","UUID":"e5b0ce97-5320-4ab8-aa2e-90e7eaf0980e"},"Hash":[172,92,190,29,140,157,57,21,177,72,85,89,161,4,65,23,89,64,31,214,62,232,109,83,163,62,51,118,252,12,240,253]},{"Name":"68659f92-f629-448c-b717-38d5b3bec77b","Type":"searchlibrary","AdditionalInfo":{"Name":"Office 365 - Exchange events count","Description":"Count of Exchange events","Query":"tag=$365-EXCHANGE stats count\n| chart 
count\n","UUID":"68659f92-f629-448c-b717-38d5b3bec77b"},"Hash":[156,64,92,89,58,177,186,168,184,250,57,53,146,148,31,173,107,101,60,124,165,5,243,129,201,132,136,205,146,77,38,162]},{"Name":"a31b4633-4206-4481-9dd9-5fd8f24b69e4","Type":"searchlibrary","AdditionalInfo":{"Name":"Office 365 - Remove Mailbox Events","Description":"Numbercard of remove mailbox events","Query":"tag=$365-EXCHANGE json Operation==\"Remove-Mailbox\"\r\n| stats count as \"Removed Mailboxes\"\r\n| numbercard \"Removed Mailboxes\"\r\n","UUID":"a31b4633-4206-4481-9dd9-5fd8f24b69e4"},"Hash":[205,70,191,99,177,58,130,106,244,187,87,49,186,13,138,208,28,228,221,233,9,187,140,188,199,59,145,19,150,181,108,191]},{"Name":"bea054cd-f223-4c2f-9fa5-54f9c7d9d448","Type":"searchlibrary","AdditionalInfo":{"Name":"Office 365 - Historical User Info","Description":"Create o365_login_history resource from previous 30 days of Office 365 Azure data","Query":"tag=$365-AZURE json -s UserKey as HistoricalUserKey UserId != \"Not Available\" as HistoricalUserId\r\n| lower HistoricalUserId\r\n| unique HistoricalUserKey HistoricalUserId\r\n| table -nt -save o365_login_history HistoricalUserKey HistoricalUserId\r\n","UUID":"bea054cd-f223-4c2f-9fa5-54f9c7d9d448"},"Hash":[211,140,29,94,225,211,33,176,67,4,35,167,233,197,68,16,36,209,129,233,235,162,160,38,250,66,223,236,160,203,30,246]},{"Name":"e584594d-4be8-4f1f-b42b-e82d5439ba7b","Type":"scheduled search","AdditionalInfo":{"Name":"Office 365 - Historical User Info","Description":"Create o365_login_history resource","Schedule":"0 1 * * *","SearchString":"tag=$365-AZURE json -s UserKey as HistoricalUserKey UserId != \"Not Available\" as HistoricalUserId\n| lower HistoricalUserId\n| unique HistoricalUserKey HistoricalUserId\n| table -nt -save o365_login_history HistoricalUserKey 
HistoricalUserId\n","Duration":-2592000,"ScheduledType":"search","DefaultDeploymentRules":{"Disabled":false,"RunImmediately":false}},"Hash":[18,27,71,133,54,233,105,161,81,123,214,125,119,101,49,125,226,26,188,13,89,232,196,186,235,148,41,221,209,18,214,97]}],"ConfigMacros":[{"MacroName":"365-AZURE","Description":"O365 tag containing Azure events","DefaultValue":"365-azure","Value":"","Type":"STRING","InstalledByID":""},{"MacroName":"365-EXCHANGE","Description":"O365 tag containing Exchange events","DefaultValue":"365-exchange","Value":"","Type":"STRING","InstalledByID":""},{"MacroName":"365-GENERAL","Description":"O365 tag containing General events","DefaultValue":"365-general","Value":"","Type":"STRING","InstalledByID":""},{"MacroName":"365-SHAREPOINT","Description":"O365 tag containing Sharepoint events","DefaultValue":"365-sharepoint","Value":"","Type":"STRING","InstalledByID":""}]},{"ID":"io.gravwell.ipmi","Name":"IPMI","UUID":"0b39775f-0771-4165-97c3-58ab7b8cb56f","Version":6,"Description":"An IPMI kit that pairs with the Gravwell IPMI ingester.","Readme":"","Signed":true,"AdminRequired":false,"MinVersion":{"Major":5,"Minor":4,"Point":0},"MaxVersion":{"Major":0,"Minor":0,"Point":0},"Size":194560,"Created":"2023-10-23T15:37:49.012968124Z","Ingesters":["IPMI"],"Tags":["ipmi"],"Assets":[{"Type":"image","Source":"cover.jpeg","Legend":"IPMI","Featured":true,"Banner":false},{"Type":"readme","Source":"README.md","Legend":"","Featured":false,"Banner":false}],"Dependencies":null,"Items":[{"Name":"BSD-2","Type":"license","AdditionalInfo":"Copyright 2021 Gravwell Inc.\n\nRedistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:\n\n1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.\n\n2. 
Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.","Hash":[54,152,143,223,158,249,179,152,34,170,39,46,218,201,79,93,70,122,194,92,8,74,48,72,161,148,1,8,214,55,195,39]},{"Name":"46495878862902","Type":"dashboard","AdditionalInfo":{"UUID":"fde03452-494d-48ba-91cd-b22b6747be9a","Name":"IPMI Device Investigation","Description":""},"Hash":[179,56,146,23,47,185,163,37,9,216,56,233,136,205,30,247,240,247,167,213,150,94,116,168,71,98,162,43,30,18,231,109]},{"Name":"249638155122607","Type":"dashboard","AdditionalInfo":{"UUID":"5804a229-7aa9-42db-aa03-532b03681f64","Name":"IPMI Temperature Overview","Description":""},"Hash":[227,207,95,14,142,199,38,63,159,252,196,15,30,161,199,13,227,183,11,31,70,141,185,114,175,86,110,101,87,49,59,42]},{"Name":"205736850289731","Type":"dashboard","AdditionalInfo":{"UUID":"ebc9bb7d-7652-4a83-8b33-e50e112a9986","Name":"IPMI 
Overview","Description":""},"Hash":[15,163,211,38,83,101,177,33,170,112,33,226,136,70,29,44,152,119,239,102,182,6,211,96,196,40,137,86,21,183,28,137]},{"Name":"22e76583-e349-4400-8fc4-b238378a9b23","Type":"template","AdditionalInfo":{"UUID":"22e76583-e349-4400-8fc4-b238378a9b23","Name":"IPMI CPU Temperature Over Time","Description":""},"Hash":[124,24,135,32,175,183,98,219,222,1,17,87,52,76,167,24,125,141,77,141,218,120,240,48,222,173,204,230,47,15,245,50]},{"Name":"d30f711b-1b21-45cd-8808-4b97eae4f3be","Type":"template","AdditionalInfo":{"UUID":"d30f711b-1b21-45cd-8808-4b97eae4f3be","Name":"IPMI Power Supply Status","Description":""},"Hash":[158,69,200,194,189,32,20,24,12,56,76,178,223,54,224,159,182,136,170,84,105,125,82,25,126,183,114,8,25,211,217,33]},{"Name":"05c1c163-66a6-4a49-bb72-fd103eddf313","Type":"template","AdditionalInfo":{"UUID":"05c1c163-66a6-4a49-bb72-fd103eddf313","Name":"IPMI System Temperature Over Time","Description":""},"Hash":[149,44,74,13,16,171,142,185,115,114,75,124,217,53,196,166,184,35,70,109,60,99,183,32,66,93,19,192,70,4,136,16]},{"Name":"504e6191-0065-493c-9519-e9a8f0b0242f","Type":"template","AdditionalInfo":{"UUID":"504e6191-0065-493c-9519-e9a8f0b0242f","Name":"IPMI System Event Log","Description":""},"Hash":[152,52,253,49,33,42,154,251,116,207,236,100,200,249,168,107,22,2,199,60,14,187,50,86,162,43,17,252,77,78,43,99]},{"Name":"cfc18ea5-7dc8-4180-b48d-575926c2cea8","Type":"pivot","AdditionalInfo":{"UUID":"cfc18ea5-7dc8-4180-b48d-575926c2cea8","Name":"IPMI","Description":""},"Hash":[215,12,140,150,158,24,33,105,242,63,125,77,110,87,98,239,129,238,47,82,29,52,71,167,249,83,75,186,125,144,208,244]},{"Name":"7cbc6e21-6fc4-419c-b594-67c1acf7a9f6","Type":"searchlibrary","AdditionalInfo":{"Name":"IPMI Active Targets","Description":"","Query":"tag=$IPMI json Target | unique Target | 
table","UUID":"7cbc6e21-6fc4-419c-b594-67c1acf7a9f6"},"Hash":[236,229,206,147,181,37,177,122,39,237,98,150,102,205,134,223,30,139,92,244,167,205,163,222,45,227,69,212,251,253,188,13]},{"Name":"d2fc7cf7-549c-4169-9b7e-b2cd880ccb4b","Type":"searchlibrary","AdditionalInfo":{"Name":"IPMI All Fan Speeds (RPM) Over Time","Description":"","Query":"tag=$IPMI json Type==SDR Target \nData.\"FAN1\".Reading as Fan1 \nData.\"FAN2\".Reading as Fan2 \nData.\"FAN3\".Reading as Fan3 \nData.\"FAN4\".Reading as Fan4 \nData.\"FAN5\".Reading as Fan5 \nData.\"FAN6\".Reading as Fan6 \nData.\"FAN7\".Reading as Fan7 \nData.\"FAN8\".Reading as Fan8 \n| stats mean(Fan1) as Fan1 \nmean(Fan2) as Fan2\nmean(Fan3) as Fan3\nmean(Fan4) as Fan4\nmean(Fan5) as Fan5\nmean(Fan6) as Fan6\nmean(Fan7) as Fan7\nmean(Fan8) as Fan8\nby Target \n| chart Fan1 Fan2 Fan3 Fan4 Fan5 Fan6 Fan7 Fan8 by Target\n","UUID":"d2fc7cf7-549c-4169-9b7e-b2cd880ccb4b"},"Hash":[4,209,195,101,46,145,202,38,168,79,60,253,62,94,234,134,204,195,145,31,122,213,34,155,83,188,7,41,108,64,195,217]},{"Name":"5e04103b-43b3-4818-99e8-68a5d29a5d94","Type":"searchlibrary","AdditionalInfo":{"Name":"IPMI CPU Temperature Over Time","Description":"","Query":"tag=$IPMI json Type==SDR Target Data.\"CPU1 Temp\".Reading as CPU1Temp Data.\"CPU2 Temp\".Reading as CPU2Temp | stats mean(CPU1Temp) as CPU1Temp mean(CPU2Temp) as CPU2Temp by Target | chart CPU1Temp CPU2Temp by Target","UUID":"5e04103b-43b3-4818-99e8-68a5d29a5d94"},"Hash":[137,94,88,84,189,217,93,9,125,171,44,15,200,250,5,118,41,253,18,42,231,157,66,66,4,210,29,55,136,45,249,113]},{"Name":"c4be9089-6b2e-498f-9f4a-92da66bd42fd","Type":"searchlibrary","AdditionalInfo":{"Name":"IPMI System Event Log","Description":"","Query":"tag=$IPMI json Type==SEL Target Description | table TIMESTAMP Target 
Description","UUID":"c4be9089-6b2e-498f-9f4a-92da66bd42fd"},"Hash":[211,255,231,48,187,129,176,218,40,101,10,93,62,77,188,198,158,118,58,2,105,198,227,36,176,240,147,100,206,64,73,120]},{"Name":"abde9a38-7397-4871-8335-d0376afa2fe1","Type":"searchlibrary","AdditionalInfo":{"Name":"IPMI PCH (Chipset) Temperature","Description":"","Query":"tag=$IPMI json Type==SDR Target Data.\"PCH Temp\".Reading | stats mean(Reading) by Target | chart mean by Target","UUID":"abde9a38-7397-4871-8335-d0376afa2fe1"},"Hash":[165,69,213,98,68,13,140,84,115,209,237,226,107,37,146,127,215,21,139,216,78,236,233,152,81,64,108,118,240,168,233,172]},{"Name":"c444605e-0175-41ac-8c81-96406bb6eada","Type":"searchlibrary","AdditionalInfo":{"Name":"IPMI Peripheral Temperature Over Time","Description":"","Query":"tag=$IPMI json Type==SDR Target Data.\"Peripheral Temp\".Reading | stats mean(Reading) by Target | chart mean by Target","UUID":"c444605e-0175-41ac-8c81-96406bb6eada"},"Hash":[61,83,14,54,239,183,233,234,119,189,0,242,126,28,183,4,136,229,214,220,225,199,75,100,124,51,174,9,74,171,148,54]},{"Name":"161044ea-893b-4af2-880e-a74d7689586b","Type":"searchlibrary","AdditionalInfo":{"Name":"IPMI Power Supply Status","Description":"","Query":"tag=$IPMI json Type==SDR Target Data.\"PS1 Status\".Reading as PS1 Data.\"PS2 Status\".Reading as PS2 | eval if (PS1 == \"0x01\") { PS1 = \"OK\"; } else { PS1 = \"FAIL\"; } | eval if (PS2 == \"0x01\") { PS2 = \"OK\"; } else { PS2 = \"FAIL\"; } | last Target | table Target PS1 PS2\n","UUID":"161044ea-893b-4af2-880e-a74d7689586b"},"Hash":[39,130,72,86,87,67,103,197,47,246,80,139,69,27,66,189,97,211,206,95,146,204,218,173,186,3,201,128,141,236,203,127]},{"Name":"40765f44-a30e-44f2-8319-9ccae7f701b7","Type":"searchlibrary","AdditionalInfo":{"Name":"IPMI System Temperature by Target Over Time","Description":"","Query":"tag=$IPMI json Type==SDR Target Data.\"System Temp\".Reading \n| stats mean(Reading) by Target \n| chart mean by 
Target","UUID":"40765f44-a30e-44f2-8319-9ccae7f701b7"},"Hash":[153,23,3,222,79,235,127,210,255,98,232,120,29,120,159,224,17,233,177,111,76,113,108,85,65,9,230,38,8,144,115,193]},{"Name":"070e37c1-051e-4eb5-9126-c346b970ad89","Type":"file","AdditionalInfo":{"UUID":"070e37c1-051e-4eb5-9126-c346b970ad89","Name":"IPMI cover","Description":"","Size":112582,"ContentType":"image/jpeg"},"Hash":[48,153,59,163,216,90,4,49,118,197,29,30,18,75,239,64,5,58,55,171,25,45,109,106,154,188,79,122,154,197,47,204]},{"Name":"c6032ccd-790e-4361-ab10-1620b6d98272","Type":"playbook","AdditionalInfo":{"UUID":"f544fa45-8702-4acb-8f6f-ee671cbbbd70","Name":"IPMI \u0026 Gravwell","Description":""},"Hash":[252,109,128,218,172,97,227,211,109,60,157,229,116,41,197,68,178,130,227,118,71,81,77,63,94,193,122,27,202,230,21,147]}],"ConfigMacros":[{"MacroName":"IPMI","Description":"IPMI tag name","DefaultValue":"ipmi","Value":"","Type":"TAG","InstalledByID":""}]},{"ID":"io.gravwell.coredns","Name":"CoreDNS","UUID":"2e1c36f0-8e71-4a73-8b53-07f98b49414e","Version":7,"Description":"This kit provides ready-to-roll dashboards, queries, templates, playbooks, and actionables for analyzing DNS.","Readme":"","Signed":true,"AdminRequired":false,"MinVersion":{"Major":5,"Minor":4,"Point":0},"MaxVersion":{"Major":0,"Minor":0,"Point":0},"Size":180224,"Created":"2023-12-22T23:25:10.532121166Z","Ingesters":["coredns"],"Tags":["dns"],"Assets":[{"Type":"image","Source":"cover.jpg","Legend":"DNS","Featured":true,"Banner":false},{"Type":"readme","Source":"README.md","Legend":"","Featured":false,"Banner":false}],"Dependencies":[{"ID":"io.gravwell.networkenrichment","MinVersion":6}],"Items":[{"Name":"BSD-2","Type":"license","AdditionalInfo":"Copyright 2021 Gravwell Inc.\n\nRedistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:\n\n1. 
Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.\n\n2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.","Hash":[54,152,143,223,158,249,179,152,34,170,39,46,218,201,79,93,70,122,194,92,8,74,48,72,161,148,1,8,214,55,195,39]},{"Name":"37","Type":"dashboard","AdditionalInfo":{"UUID":"fd9902cf-ecef-41e0-b1f3-37f1f6d4d039","Name":"CoreDNS Client Investigation","Description":""},"Hash":[35,13,207,181,22,9,22,79,53,43,58,185,198,238,175,119,195,23,181,55,183,234,60,199,235,31,173,7,49,236,201,28]},{"Name":"28","Type":"dashboard","AdditionalInfo":{"UUID":"3195438b-b1ce-4b72-9921-e3ff4ef98415","Name":"CoreDNS Overview","Description":"General DNS Traffic Overview"},"Hash":[121,31,41,214,170,176,148,168,53,153,9,143,243,186,69,180,197,17,43,38,233,79,55,156,76,67,140,171,254,219,23,211]},{"Name":"36","Type":"dashboard","AdditionalInfo":{"UUID":"d35ddeb3-94c6-4d94-8f10-a467a37fd720","Name":"CoreDNS Domain 
Investigation","Description":""},"Hash":[170,140,213,214,116,33,130,81,49,156,132,109,9,115,172,107,35,133,183,26,25,32,120,158,17,132,38,203,189,186,239,41]},{"Name":"730a95af-4a04-47ed-98a5-187f4cb38462","Type":"template","AdditionalInfo":{"UUID":"730a95af-4a04-47ed-98a5-187f4cb38462","Name":"Rare DNS Queries by Client","Description":""},"Hash":[76,199,205,98,29,187,173,27,254,224,221,238,43,137,35,237,15,90,87,17,159,2,119,213,208,244,235,203,115,181,163,91]},{"Name":"83a30c25-b5ce-48f0-9a31-b9c568d7c804","Type":"template","AdditionalInfo":{"UUID":"83a30c25-b5ce-48f0-9a31-b9c568d7c804","Name":"Most Common SLDs","Description":""},"Hash":[199,15,236,98,125,246,247,148,127,14,227,93,190,154,69,133,84,29,116,208,207,110,188,78,8,212,17,195,174,225,124,190]},{"Name":"da829df5-60ec-4308-bc95-dc1214225565","Type":"template","AdditionalInfo":{"UUID":"da829df5-60ec-4308-bc95-dc1214225565","Name":"Requests over Time","Description":""},"Hash":[154,158,233,181,172,11,223,67,48,167,111,105,194,133,224,214,127,16,253,68,200,11,130,217,106,73,45,94,58,83,142,89]},{"Name":"65b78579-f546-43dd-8403-e5066da20f2f","Type":"template","AdditionalInfo":{"UUID":"65b78579-f546-43dd-8403-e5066da20f2f","Name":"DNS Beaconing by Client","Description":""},"Hash":[155,172,98,172,207,78,113,28,81,50,22,37,219,123,153,243,7,154,189,52,107,240,224,215,198,168,55,56,208,41,40,111]},{"Name":"67161210-f12d-4165-a94b-385e6d5aa691","Type":"template","AdditionalInfo":{"UUID":"67161210-f12d-4165-a94b-385e6d5aa691","Name":"DNS SLDs with the Most Subdomains","Description":""},"Hash":[39,166,168,124,190,145,220,164,146,76,17,23,127,108,132,176,164,89,190,66,72,52,109,174,242,217,30,211,82,233,8,190]},{"Name":"a1f55c54-f262-43ae-bf5a-9b6feadbdd36","Type":"template","AdditionalInfo":{"UUID":"a1f55c54-f262-43ae-bf5a-9b6feadbdd36","Name":"Unique A Records for this 
Name","Description":""},"Hash":[120,21,61,218,245,144,172,47,172,95,147,51,216,239,140,3,163,136,74,131,54,41,31,192,117,115,107,162,103,123,182,169]},{"Name":"711626dd-9793-4e92-95a3-295aebb1e697","Type":"template","AdditionalInfo":{"UUID":"711626dd-9793-4e92-95a3-295aebb1e697","Name":"DNS Over Time by Client","Description":""},"Hash":[41,186,111,89,92,23,233,247,217,50,53,131,200,224,96,222,185,17,233,243,109,52,109,197,238,255,138,217,20,104,142,135]},{"Name":"af0b9f11-7ee6-4181-891b-26b0b8bf2dba","Type":"template","AdditionalInfo":{"UUID":"af0b9f11-7ee6-4181-891b-26b0b8bf2dba","Name":"Related DNS subdomains","Description":""},"Hash":[205,195,9,178,21,5,244,96,127,221,204,210,184,88,24,219,46,234,141,125,234,95,173,118,41,15,151,64,71,212,65,106]},{"Name":"bb6bd29e-da6e-48b6-a060-07eac7e014ce","Type":"template","AdditionalInfo":{"UUID":"bb6bd29e-da6e-48b6-a060-07eac7e014ce","Name":"Clients Querying this Name","Description":""},"Hash":[118,219,29,107,6,92,187,195,79,203,139,132,177,18,135,241,113,117,12,63,78,132,60,113,249,245,17,226,255,241,51,108]},{"Name":"3a09f1d1-cfc9-408f-b519-3e73aca1ec8c","Type":"template","AdditionalInfo":{"UUID":"3a09f1d1-cfc9-408f-b519-3e73aca1ec8c","Name":"DNS Queries by Resource Record Type","Description":""},"Hash":[45,46,192,70,68,221,250,189,177,13,92,213,16,202,70,225,221,159,25,23,15,141,56,95,169,56,239,163,228,50,4,119]},{"Name":"d86f45c2-f18d-4095-9f3b-2eedb9b29678","Type":"template","AdditionalInfo":{"UUID":"d86f45c2-f18d-4095-9f3b-2eedb9b29678","Name":"Most Queries DNS Names by Client","Description":""},"Hash":[218,39,60,94,244,17,241,197,248,97,93,203,24,126,192,56,100,147,8,140,240,134,82,166,153,204,176,76,213,36,122,210]},{"Name":"df53a819-0503-4300-b6d5-37669b6fc598","Type":"template","AdditionalInfo":{"UUID":"df53a819-0503-4300-b6d5-37669b6fc598","Name":"DNS Totals by 
Client","Description":""},"Hash":[17,90,79,192,139,24,168,112,179,253,73,147,186,165,253,117,253,15,213,121,4,60,161,121,205,82,76,217,17,121,48,237]},{"Name":"7f343946-e4c7-40e8-9ef9-ce19250f8a12","Type":"pivot","AdditionalInfo":{"UUID":"7f343946-e4c7-40e8-9ef9-ce19250f8a12","Name":"DNS FQDN","Description":"CoreDNS actions specific to FQDNs."},"Hash":[82,19,40,75,44,110,92,95,60,199,115,198,96,32,226,46,219,137,61,28,53,195,60,115,28,46,31,221,67,236,210,69]},{"Name":"6bd0ee15-9232-415f-94d0-f4246b58db53","Type":"pivot","AdditionalInfo":{"UUID":"6bd0ee15-9232-415f-94d0-f4246b58db53","Name":"DNS SLD","Description":"CoreDNS actions specific to DNS Second Level Domains."},"Hash":[158,192,92,95,238,50,72,115,234,144,47,149,216,124,142,115,116,15,156,40,149,31,206,78,77,191,200,206,119,254,133,17]},{"Name":"7bd0ee15-9232-415f-94d0-f4246b58db54","Type":"pivot","AdditionalInfo":{"UUID":"7bd0ee15-9232-415f-94d0-f4246b58db54","Name":"DNS FQDN/SLD combined actionables","Description":"CoreDNS actions common to both FQDNs and SLDs."},"Hash":[58,247,153,219,75,66,246,39,131,158,91,110,239,104,38,16,30,59,148,206,80,79,22,3,151,154,139,228,140,50,76,85]},{"Name":"57ede8c4-16f0-4c84-9183-b08239b35416","Type":"pivot","AdditionalInfo":{"UUID":"57ede8c4-16f0-4c84-9183-b08239b35416","Name":"IP Address","Description":"CoreDNS actions on IP Addresses."},"Hash":[177,47,220,80,144,174,50,53,188,139,140,239,141,75,53,153,15,208,252,203,204,165,231,66,117,229,79,243,130,28,211,112]},{"Name":"DNS Beaconing","Type":"searchlibrary","AdditionalInfo":{"Name":"DNS Beaconing","Description":"Frequent DNS requests with the smallest variance","Query":"tag=$COREDNS_KIT_TAG sort by time asc | json Question.Hdr.Name | diff TIMESTAMP by Name| require -s diff | stats mean(diff) stddev(diff) count by Name | eval (stddev \u003c mean \u0026\u0026 count \u003e 2) | eval r = stddev/mean; Duration = duration(mean); | sort by r asc | table Name Duration 
count\n","UUID":"d148e9de-107b-4b46-a9f4-3a715305d8fb"},"Hash":[218,111,131,3,203,102,146,161,96,31,83,26,254,57,169,26,249,66,168,109,48,33,215,184,92,85,8,199,124,43,195,246]},{"Name":"DNS Queries by Resource Record Type","Type":"searchlibrary","AdditionalInfo":{"Name":"DNS Queries by Resource Record Type","Description":"","Query":"tag=$COREDNS_KIT_TAG json Question.Hdr.Rrtype as rrtype | lookup -s -r dns_types rrtype Value TYPE as dnstype | stats count by dnstype| chart count by dnstype","UUID":"4a226195-a26a-402a-b714-d4e2cc451908"},"Hash":[155,125,243,72,41,53,49,9,65,168,49,48,176,76,71,108,66,59,204,219,208,48,233,24,229,15,196,222,252,21,226,8]},{"Name":"Rare DNS Queries","Type":"searchlibrary","AdditionalInfo":{"Name":"Rare DNS Queries","Description":"Least queried DNS names over time","Query":"tag=$COREDNS_KIT_TAG json Question.Hdr.Name as Name |\nstats count by Name |\nsort by count asc |\nlimit 100 |\ntable Name count","UUID":"184e46b9-4db7-48a4-892b-32235d4e4c80"},"Hash":[82,178,200,216,165,128,227,147,130,148,38,128,10,144,122,160,187,171,101,143,10,100,151,177,78,194,227,136,132,149,30,18]},{"Name":"DNS Over Time","Type":"searchlibrary","AdditionalInfo":{"Name":"DNS Over Time","Description":"","Query":"tag=$COREDNS_KIT_TAG chart","UUID":"1ef0c32b-74af-483c-a2a9-78f05db1b719"},"Hash":[250,255,161,90,37,193,154,126,16,116,166,236,211,103,14,51,182,149,228,84,4,198,42,32,155,211,184,120,72,85,89,64]},{"Name":"DNS Totals","Type":"searchlibrary","AdditionalInfo":{"Name":"DNS Totals","Description":"DNS Totals for Unique and Total Queries","Query":"tag=$COREDNS_KIT_TAG json Question.Hdr.Name as Name | stats unique_count(Name) as \"Unique Queries\" count as \"Total Queries\" | gauge \"Unique Queries\" \"Total Queries\"","UUID":"a585f698-cd53-45a0-8d96-df25c6cbf02e"},"Hash":[86,211,54,134,48,138,144,37,107,13,171,66,133,197,147,39,42,170,81,100,175,158,246,16,58,143,242,112,114,31,203,161]},{"Name":"DNS SLDs with the most 
Subdomains","Type":"searchlibrary","AdditionalInfo":{"Name":"DNS SLDs with the most Subdomains","Description":"DNS SLDs with the most Subdomains","Query":"tag=$COREDNS_KIT_TAG json Question.Hdr.Name as Name | unique Name | regex -e Name \"(?P\u003csld\u003e\\w+\\.\\w+\\.\\s*$)\" | stats count by sld | sort by count desc | limit 100 | table sld count","UUID":"5bc38bee-8518-4ff5-adf5-74a7f3be10b1"},"Hash":[177,21,154,131,200,121,207,90,76,83,154,171,180,110,248,100,78,164,23,246,219,85,132,98,56,235,193,193,119,108,164,196]},{"Name":"DNS TXT Records by Length","Type":"searchlibrary","AdditionalInfo":{"Name":"DNS TXT Records by Length","Description":"DNS TXT Records by Length","Query":"tag=$COREDNS_KIT_TAG json Question.Hdr.Rrtype == 16 Question.Hdr.Name as Name Question.Txt as Payload Question.Hdr.Rdlength as rdlength | eval Length = int(rdlength); | sort by Length desc | table Name Payload\n","UUID":"fb9aa769-1f24-418a-8ee7-1dd90ebf5298"},"Hash":[83,59,38,119,241,114,59,103,14,246,186,22,194,152,116,220,33,229,146,44,213,135,224,79,193,41,156,26,146,85,115,226]},{"Name":"DNS Requests by Host","Type":"searchlibrary","AdditionalInfo":{"Name":"DNS Requests by Host","Description":"DNS Requests by Host","Query":"tag=$COREDNS_KIT_TAG json Remote as rmt | fields -e rmt -d \":\" [0] as Host | stats count by Host | table Host count","UUID":"d0e65b69-5f4b-4cef-9144-f191348f52ba"},"Hash":[127,96,140,203,226,99,254,47,203,196,10,199,10,59,23,241,219,217,22,174,178,84,116,192,61,243,90,68,29,146,169,144]},{"Name":"Most Common SLDs","Type":"searchlibrary","AdditionalInfo":{"Name":"Most Common SLDs","Description":"","Query":"tag=$COREDNS_KIT_TAG json Question.Hdr.Name as Name | regex -e Name \"(?P\u003csld\u003e\\w+\\.\\w+\\.\\s*$)\" | stats count by sld | sort by count desc | limit 100 | table sld 
count","UUID":"927edbea-5941-473d-a7be-ce714d686c2d"},"Hash":[219,219,189,162,93,11,218,25,0,56,120,130,57,119,162,162,146,58,189,233,108,222,50,67,114,139,25,128,35,11,86,95]},{"Name":"Most Queried DNS Name","Type":"searchlibrary","AdditionalInfo":{"Name":"Most Queried DNS Name","Description":"Most queried DNS names over time","Query":"tag=$COREDNS_KIT_TAG json Question.Hdr.Name as Name |\nstats count by Name |\nsort by count desc |\nlimit 100 |\ntable Name count","UUID":"b085fb65-48bc-43f6-bada-a4f4bc555da3"},"Hash":[132,255,4,117,76,219,88,48,235,84,68,71,188,174,40,175,198,12,192,183,174,81,67,58,149,39,17,101,162,246,97,83]},{"Name":"cf12119b-bf34-4d41-b138-88e1a0ea0fbb","Type":"file","AdditionalInfo":{"UUID":"cf12119b-bf34-4d41-b138-88e1a0ea0fbb","Name":"CoreDNS icon","Description":"Icon used by the CoreDNS kit","Size":85519,"ContentType":"image/png"},"Hash":[96,184,20,136,44,185,242,202,155,185,215,85,158,101,163,22,46,168,183,138,138,116,218,246,203,62,113,49,63,54,140,138]},{"Name":"e21ac76c-7dd7-46a9-b77d-f7c00915bfc9","Type":"playbook","AdditionalInfo":{"UUID":"2e86499d-0521-4d9b-a19f-423ae37afa42","Name":"DNS \u0026 Gravwell","Description":"CoreDNS Kit Overview"},"Hash":[101,142,196,54,11,74,117,252,93,47,34,92,150,28,28,48,33,222,86,162,181,150,246,6,1,196,17,78,124,100,106,130]}],"ConfigMacros":[{"MacroName":"COREDNS_KIT_TAG","Description":"The tag(s) with DNS records","DefaultValue":"dns","Value":"","Type":"TAG","InstalledByID":""}]},{"ID":"com.banduracyber.tifirewall","Name":"ThreatBlockr","UUID":"30c59109-e976-4324-acb3-998969bba364","Version":4,"Description":"ThreatBlockr Firewall 
Kit","Readme":"","Signed":true,"AdminRequired":false,"MinVersion":{"Major":4,"Minor":0,"Point":0},"MaxVersion":{"Major":0,"Minor":0,"Point":0},"Size":990720,"Created":"2022-12-20T23:53:42.726245602Z","Ingesters":["simple_relay"],"Tags":[""],"Assets":[{"Type":"image","Source":"cover.png","Legend":"ThreatBlockr","Featured":true,"Banner":false},{"Type":"image","Source":"banner.png","Legend":"ThreatBlockr banner","Featured":true,"Banner":true},{"Type":"readme","Source":"README.md","Legend":"","Featured":false,"Banner":false}],"Dependencies":null,"Items":[{"Name":"106019307882003","Type":"dashboard","AdditionalInfo":{"UUID":"5a31f9bf-f155-47a6-9107-8296a1a148c6","Name":"ThreatBlockr IP Investigator | Last 7 Days","Description":"All packet_log activity for a given IP address in the past 7 days"},"Hash":[78,237,230,78,40,2,230,111,213,171,94,53,50,251,60,96,249,102,140,231,15,123,106,168,5,177,239,150,235,29,70,236]},{"Name":"12486274-07e0-40fb-9b80-4123a01f6fdc","Type":"file","AdditionalInfo":{"UUID":"12486274-07e0-40fb-9b80-4123a01f6fdc","Name":"ThreatBlockr icon","Description":"","Size":6757,"ContentType":"image/png"},"Hash":[55,181,237,0,85,82,187,184,5,5,15,227,222,98,216,117,82,205,52,111,195,206,198,72,35,210,76,87,78,240,162,125]},{"Name":"145f5cfd-3147-43fa-8658-5c5bd3978a61","Type":"searchlibrary","AdditionalInfo":{"Name":"Allowed by Country","Description":"Count of allowed packet_log events, charted by source country","Query":"tag=$BANDURA_TAG syslog Appname==bctifw MsgID==\"packet_log\" Message |\nkv -e Message -q -d \", \" action==allowed country |\nstats count by country |\nchart count by country","UUID":"145f5cfd-3147-43fa-8658-5c5bd3978a61"},"Hash":[3,132,218,247,119,175,85,172,141,253,177,239,44,224,160,77,240,65,192,126,111,210,23,114,8,90,76,221,172,165,226,168]},{"Name":"23fe5960-8166-4c9a-b392-5093ac7f3bf5","Type":"pivot","AdditionalInfo":{"UUID":"23fe5960-8166-4c9a-b392-5093ac7f3bf5","Name":"ThreatBlockr Activity","Description":"ThreatBlockr Activity for a given IP 
address"},"Hash":[238,217,94,113,187,10,29,98,112,130,133,40,78,18,161,175,107,4,143,175,24,44,232,151,161,148,85,207,126,28,132,98]},{"Name":"244316310601646","Type":"dashboard","AdditionalInfo":{"UUID":"452b964b-4b7f-480f-9e37-9af7801877b0","Name":"ThreatBlockr Packet Log Activity | Last 7 Days","Description":"All ThreatBlockr packet_log activity in the past 7 days."},"Hash":[230,93,56,156,1,236,8,33,20,147,205,145,121,94,254,43,118,249,215,244,59,100,169,163,63,146,31,248,206,11,99,113]},{"Name":"369c49a7-5540-4536-9248-9f328d28f8df","Type":"searchlibrary","AdditionalInfo":{"Name":"All Log Data","Description":"All records from the packet_log dns_log and system_log message IDs","Query":"tag=$BANDURA_TAG syslog Appname==bctifw Timestamp Hostname MsgID Message |\ntable","UUID":"369c49a7-5540-4536-9248-9f328d28f8df"},"Hash":[4,175,74,165,54,168,141,27,29,87,254,207,224,36,255,183,175,165,85,64,246,32,222,245,166,54,179,72,127,33,186,176]},{"Name":"3b52e23a-41a3-42f2-9bf7-065a468e68a1","Type":"searchlibrary","AdditionalInfo":{"Name":"Denied by Country","Description":"","Query":"tag=$BANDURA_TAG syslog Appname==bctifw MsgID==\"packet_log\" Message |\nwords denied |\nkv -e Message -q -d \", \" action==denied country |\nstats count by country |\nchart count by country","UUID":"3b52e23a-41a3-42f2-9bf7-065a468e68a1"},"Hash":[114,230,21,205,131,142,149,164,53,113,228,8,119,64,244,40,43,222,243,39,83,138,40,46,53,34,48,12,21,169,116,2]},{"Name":"42748503276283","Type":"dashboard","AdditionalInfo":{"UUID":"52a2fa37-2b3d-412f-90f1-155438e3e703","Name":"ThreatBlockr IP Investigator | Last 24 Hours","Description":"All packet_log activity for a given IP address in the past 24 hours."},"Hash":[131,15,225,125,22,129,1,110,196,225,36,148,100,131,82,101,243,205,121,161,37,181,37,207,234,133,78,184,28,73,74,170]},{"Name":"481efff9-eee9-4cc7-b288-93461ce42ff1","Type":"searchlibrary","AdditionalInfo":{"Name":"Allow/Deny by Reason","Description":"","Query":"tag=$BANDURA_TAG syslog 
Appname==bctifw MsgID==\"packet_log\" Message |\nkv -e Message -q -d \", \" action reason |\ncount by action reason |\nstackgraph reason action count\n","UUID":"481efff9-eee9-4cc7-b288-93461ce42ff1"},"Hash":[166,227,193,201,12,165,83,69,229,76,215,135,202,18,17,82,30,78,38,22,7,218,187,127,75,140,155,116,190,219,235,113]},{"Name":"49cf7c14-9f49-430d-9550-4a2b39f258e7","Type":"template","AdditionalInfo":{"UUID":"49cf7c14-9f49-430d-9550-4a2b39f258e7","Name":"IP | Denied by ASN","Description":"ThreatBlockr Denied by ASN Chart"},"Hash":[33,217,91,89,209,13,252,131,136,190,55,19,105,189,225,51,171,164,104,176,145,230,118,177,80,57,28,181,194,188,2,152]},{"Name":"4ff312e9-387c-47a6-88bf-afa476ff63ce","Type":"file","AdditionalInfo":{"UUID":"4ff312e9-387c-47a6-88bf-afa476ff63ce","Name":"ThreatBlockr cover","Description":"undefined","Size":6757,"ContentType":"image/png"},"Hash":[246,104,13,92,98,238,195,110,71,103,33,25,57,204,9,57,172,12,187,86,90,229,38,238,1,53,124,177,82,166,56,60]},{"Name":"6e3835c7-d49d-47dc-af60-496f901c7fc0","Type":"searchlibrary","AdditionalInfo":{"Name":"Denied by Reason","Description":"","Query":"tag=$BANDURA_TAG syslog Appname==bctifw MsgID==\"packet_log\" Message |\nwords denied |\nkv -e Message -q -d \", \" action==denied reason |\nstats count by reason |\nchart count by reason","UUID":"6e3835c7-d49d-47dc-af60-496f901c7fc0"},"Hash":[134,96,125,188,103,114,116,190,242,37,87,154,148,63,93,230,139,172,217,209,90,86,238,201,161,209,40,74,74,149,235,116]},{"Name":"6fca714c-c24a-4374-9215-7180afb42be5","Type":"searchlibrary","AdditionalInfo":{"Name":"Denied by ASN","Description":"","Query":"tag=$BANDURA_TAG syslog Appname==bctifw MsgID==\"packet_log\" Message |\nwords denied |\nkv -e Message -q -d \", \" action==denied as_name |\nstats count by as_name |\nchart count by 
as_name","UUID":"6fca714c-c24a-4374-9215-7180afb42be5"},"Hash":[6,43,73,250,215,33,60,117,108,53,162,64,150,89,29,160,77,80,127,122,196,153,184,240,29,31,52,178,23,229,236,170]},{"Name":"71353ad4-70b6-41ca-9414-62fb1896517e","Type":"searchlibrary","AdditionalInfo":{"Name":"Packet Log Data","Description":"","Query":"tag=$BANDURA_TAG syslog Hostname Appname==bctifw MsgID==packet_log Message |\nkv -e Message -q -d \", \" action direction group proto country as_name reason src dst src_port dst_port\nal_active al_inactive dl_active dl_inactive tl\ntl_category tl_score tl_threshold |\ntable TIMESTAMP Hostname action direction group proto country as_name reason src dst src_port dst_port\nal_active al_inactive dl_active dl_inactive tl\ntl_category tl_score tl_threshold","UUID":"71353ad4-70b6-41ca-9414-62fb1896517e"},"Hash":[54,83,71,104,4,246,245,46,165,62,161,142,123,56,240,49,149,182,61,131,20,128,66,128,161,225,64,158,71,231,206,26]},{"Name":"71635470589606","Type":"dashboard","AdditionalInfo":{"UUID":"6c8fae1e-18e1-4891-921e-3a4ebfd99243","Name":"ThreatBlockr Packet Log Activity | Last 24 Hours","Description":"All ThreatBlockr packet_log activity in the past 24 hours."},"Hash":[8,93,81,170,14,254,187,254,4,152,44,137,222,137,248,165,136,45,63,20,177,52,48,7,203,173,75,228,42,179,215,32]},{"Name":"884d75fc-5f2b-4b36-a8f2-05ba91f3ccc9","Type":"file","AdditionalInfo":{"UUID":"884d75fc-5f2b-4b36-a8f2-05ba91f3ccc9","Name":"bandura-investigator.png","Description":"ThreatBlockr Investigative Dashboard","Size":307225,"ContentType":"image/png"},"Hash":[125,255,253,177,229,78,114,208,189,227,209,175,93,86,199,55,147,70,189,18,70,89,244,197,189,56,161,28,99,86,216,116]},{"Name":"8f201601-754b-4564-b358-9e71f3cb43b0","Type":"searchlibrary","AdditionalInfo":{"Name":"Allowed by ASN","Description":"","Query":"tag=$BANDURA_TAG syslog Appname==bctifw MsgID==\"packet_log\" Message |\nkv -e Message -q -d \", \" action==allowed as_name |\ncount by as_name |\nchart count by 
as_name","UUID":"8f201601-754b-4564-b358-9e71f3cb43b0"},"Hash":[202,237,21,237,126,107,58,246,93,197,102,202,26,245,179,98,83,21,194,217,52,235,195,171,14,252,156,45,89,63,29,243]},{"Name":"90614aac-3792-4c7b-aeee-1d7ebee05e50","Type":"file","AdditionalInfo":{"UUID":"90614aac-3792-4c7b-aeee-1d7ebee05e50","Name":"ThreatBlockr cover","Description":"","Size":23737,"ContentType":"image/png"},"Hash":[70,187,243,240,116,45,196,157,19,38,214,210,129,67,120,181,43,129,151,175,190,66,47,130,132,236,123,194,68,134,188,253]},{"Name":"93b2489f-9f66-4e9e-b9dc-c714980b5511","Type":"file","AdditionalInfo":{"UUID":"93b2489f-9f66-4e9e-b9dc-c714980b5511","Name":"bc-syslog-export-config.jpg","Description":"Configuring the ThreatBlockr TI Firewall's Syslog Export","Size":75706,"ContentType":"image/jpeg"},"Hash":[125,59,171,249,158,199,46,175,143,95,213,68,212,84,135,54,167,63,251,211,141,208,162,86,30,7,147,162,199,44,86,39]},{"Name":"9703d522-ac1f-4c37-b273-37ffa1be766c","Type":"file","AdditionalInfo":{"UUID":"9703d522-ac1f-4c37-b273-37ffa1be766c","Name":"bc-syslog-export-config.jpg","Description":"Configuring the ThreatBlockr TI Firewall's Syslog Export","Size":75706,"ContentType":"image/jpeg"},"Hash":[57,13,168,53,114,254,234,22,84,38,19,134,70,211,233,79,69,102,28,37,248,175,146,170,237,141,163,49,58,53,230,97]},{"Name":"a1f0292d-c367-4ebc-9755-6fbfc2782f3a","Type":"file","AdditionalInfo":{"UUID":"a1f0292d-c367-4ebc-9755-6fbfc2782f3a","Name":"shield-bandura.png","Description":"Banner for ThreatBlockr TI 
Kit","Size":20000,"ContentType":"image/png"},"Hash":[70,187,230,210,105,48,9,205,128,105,196,252,141,27,200,81,213,148,5,96,193,252,8,145,71,8,5,53,211,210,143,224]},{"Name":"a224061c-e245-4aa3-8495-f64bd486a670","Type":"file","AdditionalInfo":{"UUID":"a224061c-e245-4aa3-8495-f64bd486a670","Name":"bandura-overview.png","Description":"ThreatBlockr","Size":170537,"ContentType":"image/png"},"Hash":[15,143,251,3,143,0,81,98,25,87,204,89,252,132,234,236,83,119,44,172,167,152,195,231,72,234,239,31,244,86,25,101]},{"Name":"b4bea69b-6b94-4093-8c74-f4b2988f2ff6","Type":"template","AdditionalInfo":{"UUID":"b4bea69b-6b94-4093-8c74-f4b2988f2ff6","Name":"IP | All packet_log activity","Description":"Show packet_log activity for a given IP address"},"Hash":[3,230,40,10,51,61,39,203,237,73,189,151,51,239,52,92,84,175,105,112,228,198,136,33,122,56,158,18,3,190,82,245]},{"Name":"bb74551d-9e01-4378-8a5e-39627e1be1ce","Type":"template","AdditionalInfo":{"UUID":"bb74551d-9e01-4378-8a5e-39627e1be1ce","Name":"IP | Denied by Country","Description":"ThreatBlockr show the country denies from/to a specific IP"},"Hash":[20,153,112,29,131,46,7,147,168,143,203,67,143,16,1,18,158,74,34,222,240,58,213,146,216,155,172,74,225,244,247,200]},{"Name":"beebc0ce-e002-4657-b897-1bbad9e76de7","Type":"template","AdditionalInfo":{"UUID":"beebc0ce-e002-4657-b897-1bbad9e76de7","Name":"IP | Reasons denied over time","Description":"ThreatBlockr IP Denied Reasons Chart"},"Hash":[245,209,88,131,29,134,0,51,202,96,214,89,109,228,36,190,118,133,111,217,191,49,64,159,75,101,101,173,105,200,74,144]},{"Name":"d90d8c32-0aa2-47a7-985b-5c9e5e09be0b","Type":"template","AdditionalInfo":{"UUID":"d90d8c32-0aa2-47a7-985b-5c9e5e09be0b","Name":"IP | Allowed by country","Description":"ThreatBlockr IP Allowed by Country 
Chart"},"Hash":[132,149,196,170,102,0,88,37,71,101,135,33,62,227,233,231,181,249,220,166,85,210,106,186,191,166,147,177,10,203,80,98]},{"Name":"dd16754f-5c13-4d91-b878-f2adfa91121f","Type":"playbook","AdditionalInfo":{"UUID":"68aac7b8-9754-4ad5-b37a-d97a7e34bd69","Name":"ThreatBlockr TI Kit Overview","Description":""},"Hash":[1,132,95,98,39,207,77,173,201,251,117,146,174,3,152,90,49,207,190,252,39,125,56,250,191,5,97,125,65,26,246,76]},{"Name":"eec846d9-47aa-444b-a3bb-7a8a5822313d","Type":"template","AdditionalInfo":{"UUID":"eec846d9-47aa-444b-a3bb-7a8a5822313d","Name":"IP | Point2Point GeoIP","Description":"ThreatBlockr IP Pointmap Traffic"},"Hash":[125,150,52,158,72,88,99,136,226,152,224,77,238,5,82,234,61,16,112,182,1,216,93,191,225,32,93,12,241,60,249,192]},{"Name":"ef7542c5-f656-46a0-b8d7-fd8fc61777b2","Type":"searchlibrary","AdditionalInfo":{"Name":"Threatlist activity","Description":"All ThreatBlockr logs with threatlist information","Query":"tag=$BANDURA_TAG syslog Hostname Appname==bctifw MsgID==packet_log Message |\nkv -e Message -q -d \", \" action direction group proto country as_name reason src dst src_port dst_port\nal_active al_inactive dl_active dl_inactive tl\ntl_category tl_score tl_threshold |\nrequire tl |\ntable action direction group proto country as_name reason src dst src_port dst_port tl\ntl_category tl_score tl_threshold","UUID":"ef7542c5-f656-46a0-b8d7-fd8fc61777b2"},"Hash":[113,182,139,21,169,134,209,90,242,119,79,56,57,213,13,20,53,142,174,184,241,52,76,61,205,140,190,38,170,232,38,34]},{"Name":"f322b593-cb26-4dd9-adc1-82b799dc0153","Type":"searchlibrary","AdditionalInfo":{"Name":"GeoIP traffic","Description":"","Query":"tag=$BANDURA_TAG syslog Appname==bctifw MsgID==\"packet_log\" Hostname Message Timestamp |\nkv -e Message -q -d \", \" action direction group proto country as_num as_name reason src dst src_port dst_port |\ngeoip dst.Location as dloc src.Location as sloc |\npoint2point -srcloc sloc -dstloc 
dloc","UUID":"f322b593-cb26-4dd9-adc1-82b799dc0153"},"Hash":[161,60,134,22,214,169,133,58,8,19,237,201,122,225,106,185,131,37,191,134,116,154,202,184,36,71,135,166,248,31,220,14]},{"Name":"f5f73388-6d76-403b-9526-d0e9d24fdfdd","Type":"template","AdditionalInfo":{"UUID":"f5f73388-6d76-403b-9526-d0e9d24fdfdd","Name":"IP | Allowed by ASN","Description":"ThreatBlockr IP Allowed by ASN Chart"},"Hash":[23,116,161,213,146,145,229,150,129,98,90,95,67,126,151,55,52,180,8,95,245,207,174,124,38,111,153,223,127,154,193,3]},{"Name":"f7750eca-08c7-4894-a6ee-633299ca2c6f","Type":"template","AdditionalInfo":{"UUID":"f7750eca-08c7-4894-a6ee-633299ca2c6f","Name":"IP | Allow/Deny by reason","Description":"ThreatBlockr stackgraph of allow/deny by reason for specific IP"},"Hash":[191,191,103,2,192,52,53,20,130,69,216,222,43,175,244,54,171,203,82,217,154,112,189,7,199,69,89,151,96,64,11,49]}],"ConfigMacros":[{"MacroName":"BANDURA_TAG","Description":"Tag under which ThreatBlockr syslog output is ingested (default: syslog). Every query in this kit filters on Appname==bctifw within that tag, so point it at whichever tag your syslog ingester writes ThreatBlockr data to.","DefaultValue":"syslog","Value":"","Type":"TAG","InstalledByID":""}]},{"ID":"io.gravwell.paloalto","Name":"Palo Alto","UUID":"3b19393b-3e5b-4ef7-b106-1590b9222a0b","Version":8,"Description":"Analyze Palo Alto logs.","Readme":"","Signed":true,"AdminRequired":false,"MinVersion":{"Major":5,"Minor":4,"Point":0},"MaxVersion":{"Major":0,"Minor":0,"Point":0},"Size":501760,"Created":"2024-11-04T17:07:56.345084574Z","Ingesters":["simplerelay"],"Tags":["pan_traffic","pan_threat"],"Assets":[{"Type":"image","Source":"cover.png","Legend":"Gravwell","Featured":true,"Banner":false},{"Type":"image","Source":"banner.png","Legend":"Gravwell","Featured":true,"Banner":true},{"Type":"readme","Source":"README.md","Legend":"","Featured":false,"Banner":false}],"Dependencies":[{"ID":"io.gravwell.networkenrichment","MinVersion":13}],"Items":[{"Name":"excluded_url_categories","Type":"resource","AdditionalInfo":{"VersionNumber":2,"ResourceName":"excluded_url_categories","Description":"Palo Alto URL categories to be 
excluded.","Size":125,"Labels":null},"Hash":[240,190,215,252,85,248,46,84,109,198,93,110,226,196,182,219,51,16,154,220,112,56,224,172,5,187,147,147,235,215,75,171]},{"Name":"c30772c4-22a9-4495-8fbf-f62a69bc9640","Type":"dashboard","AdditionalInfo":{"UUID":"c30772c4-22a9-4495-8fbf-f62a69bc9640","Name":"Palo Alto Wildfire Overview","Description":"Overview of Wildfire analysis submissions \u0026 verdicts."},"Hash":[252,246,153,183,199,153,81,234,252,55,8,73,220,158,138,99,207,197,246,85,163,14,4,105,150,51,115,141,205,181,109,120]},{"Name":"7fdbf49e-82e9-4b60-b69c-2ec32703c6a7","Type":"dashboard","AdditionalInfo":{"UUID":"7fdbf49e-82e9-4b60-b69c-2ec32703c6a7","Name":"Palo Alto SaaS Overview","Description":""},"Hash":[86,239,67,125,7,161,182,23,137,179,80,139,245,88,153,215,175,118,113,240,87,124,21,85,13,93,202,155,196,113,122,126]},{"Name":"6ce64d08-9962-4e1b-9654-78c0e2ac3a09","Type":"dashboard","AdditionalInfo":{"UUID":"6ce64d08-9962-4e1b-9654-78c0e2ac3a09","Name":"Palo Alto GlobalProtect Overview","Description":"Information about clients connecting via GlobalProtect VPN"},"Hash":[250,188,156,46,131,183,80,253,176,112,112,152,16,94,181,218,65,64,101,112,95,226,40,182,239,172,116,242,147,103,52,4]},{"Name":"fe0de242-49f7-4c50-9860-26a51ff9ef56","Type":"dashboard","AdditionalInfo":{"UUID":"fe0de242-49f7-4c50-9860-26a51ff9ef56","Name":"Palo Alto Threat Investigative Dashboard","Description":"Investigate Palo Alto threat logs for a particular IP address."},"Hash":[135,6,137,62,127,26,16,88,3,57,137,181,73,126,84,91,95,77,217,127,92,44,206,99,150,48,112,234,242,0,215,112]},{"Name":"76e14b04-ed9b-4303-997b-5dd0183d1b1f","Type":"dashboard","AdditionalInfo":{"UUID":"76e14b04-ed9b-4303-997b-5dd0183d1b1f","Name":"Palo Alto Config Overview","Description":"Config logs from Palo Alto 
devices"},"Hash":[38,210,103,78,138,237,127,45,3,129,81,31,188,45,237,226,152,250,196,50,120,200,142,132,198,13,94,178,45,136,182,201]},{"Name":"7d826f9f-73b8-4047-9dfe-2f0163c9ccee","Type":"dashboard","AdditionalInfo":{"UUID":"7d826f9f-73b8-4047-9dfe-2f0163c9ccee","Name":"Palo Alto Threat Overview","Description":"Threat log analysis"},"Hash":[85,248,33,21,102,115,54,135,107,46,2,252,147,142,143,168,206,206,21,38,218,78,213,179,215,175,160,238,170,71,224,222]},{"Name":"1bc04ece-9e58-496b-8297-7c8d1f9ba46f","Type":"dashboard","AdditionalInfo":{"UUID":"1bc04ece-9e58-496b-8297-7c8d1f9ba46f","Name":"Palo Alto User Behavior","Description":"General overview of user behavior from Palo Alto logs"},"Hash":[41,103,138,50,1,164,158,248,175,216,183,9,0,52,123,101,39,51,112,234,28,173,7,180,90,189,87,88,100,141,231,41]},{"Name":"21c85c02-8c7a-42fd-9cba-005d36c2cce1","Type":"template","AdditionalInfo":{"UUID":"21c85c02-8c7a-42fd-9cba-005d36c2cce1","Name":"Threat subtypes for IP","Description":"Generate a numbercard showing counts of threat subtypes related to a given IP."},"Hash":[114,210,222,6,154,42,69,42,149,155,157,104,46,127,27,39,36,2,244,174,168,54,225,199,220,69,169,130,76,228,27,110]},{"Name":"f451f8b7-cf3d-423b-95c6-3738852bd9ea","Type":"template","AdditionalInfo":{"UUID":"f451f8b7-cf3d-423b-95c6-3738852bd9ea","Name":"GlobalProtect Info for IP","Description":"If IP is a GlobalProtect private IP, show information about the user \u0026 machine associated with the IP."},"Hash":[107,176,96,59,210,174,223,194,203,142,231,234,89,62,230,22,71,147,119,73,14,234,174,231,172,196,47,162,189,156,110,96]},{"Name":"182e5db7-4513-4056-a8a8-987fbf570599","Type":"template","AdditionalInfo":{"UUID":"182e5db7-4513-4056-a8a8-987fbf570599","Name":"Traffic categories for IP","Description":"Categories of traffic seen by Palo Alto related to given IP 
address."},"Hash":[140,86,79,210,241,63,109,189,254,205,74,247,20,130,156,80,132,35,125,122,26,246,168,95,250,67,203,18,2,53,251,201]},{"Name":"e06715fe-29f6-4d29-bdf2-df6ef933fc72","Type":"template","AdditionalInfo":{"UUID":"e06715fe-29f6-4d29-bdf2-df6ef933fc72","Name":"Wildfire Submissions for IP","Description":"Table of Wildfire submissions related to a given IP."},"Hash":[241,198,85,236,91,244,33,68,223,193,194,177,201,64,3,248,202,34,166,84,166,87,101,40,157,210,191,112,126,73,238,221]},{"Name":"8ff368b5-1d29-422a-89a7-7eb20c50d224","Type":"template","AdditionalInfo":{"UUID":"8ff368b5-1d29-422a-89a7-7eb20c50d224","Name":"Threat Table for IP","Description":"Table of threats related to a given IP."},"Hash":[249,203,161,78,246,15,88,141,217,1,128,11,109,34,37,240,64,109,181,156,209,86,190,212,39,131,183,174,198,159,97,122]},{"Name":"6991b96f-3b3f-4255-b790-a7623ccc18c6","Type":"pivot","AdditionalInfo":{"UUID":"6991b96f-3b3f-4255-b790-a7623ccc18c6","Name":"IP Address","Description":"Palo Alto actions on IP address"},"Hash":[165,38,124,177,160,169,223,254,26,109,87,88,188,204,208,247,234,234,118,218,5,119,65,66,27,16,97,141,186,7,99,26]},{"Name":"f99bf07b-e093-4631-85d4-687b039ecda2","Type":"file","AdditionalInfo":{"UUID":"f99bf07b-e093-4631-85d4-687b039ecda2","Name":"palo enumerated values","Description":"Showing enumerated values expanded in text results for Palo Alto logs","Size":170223,"ContentType":"image/png"},"Hash":[232,5,8,195,128,160,173,134,61,121,218,154,90,71,181,15,212,18,46,146,220,205,168,110,106,163,217,196,22,9,234,146]},{"Name":"3392b289-f7e5-4f0a-802e-075cd62b45a5","Type":"file","AdditionalInfo":{"UUID":"3392b289-f7e5-4f0a-802e-075cd62b45a5","Name":"PANW_Parent_Brand_Primary_Logo_RGB.png","Description":"Banner for Palo Alto 
Kit","Size":20154,"ContentType":"image/png"},"Hash":[233,90,163,188,103,36,244,221,197,104,237,174,230,100,151,63,37,85,63,159,27,226,154,101,102,2,96,176,22,224,59,121]},{"Name":"7d17282a-b57b-41d7-aa76-ebae78021abc","Type":"file","AdditionalInfo":{"UUID":"7d17282a-b57b-41d7-aa76-ebae78021abc","Name":"PANW_icon.png","Description":"Cover for Palo Alto Kit","Size":2977,"ContentType":"image/png"},"Hash":[0,211,245,90,76,99,242,20,203,77,69,247,135,103,159,250,123,220,13,199,153,104,221,4,121,125,229,102,169,206,131,16]},{"Name":"3bfcce25-dc9f-40dd-a838-fddd02e1cbdf","Type":"file","AdditionalInfo":{"UUID":"3bfcce25-dc9f-40dd-a838-fddd02e1cbdf","Name":"palo-syslog.png","Description":"palo-syslog.png","Size":22726,"ContentType":"image/png"},"Hash":[145,41,187,76,248,219,131,249,233,7,139,187,197,180,55,207,27,137,253,251,252,218,146,196,233,173,214,6,25,229,120,207]},{"Name":"c69dee69-d682-4d6c-951b-a66924098495","Type":"file","AdditionalInfo":{"UUID":"c69dee69-d682-4d6c-951b-a66924098495","Name":"icon file for kit build \"Palo Alto v1\"","Description":"","Size":2977,"ContentType":"image/png"},"Hash":[43,19,84,116,4,154,130,104,15,163,255,175,147,143,98,88,16,71,220,62,175,102,118,86,169,225,69,164,200,149,169,71]},{"Name":"1f8f6d4b-0ff4-4764-a053-50cf8c876cc7","Type":"file","AdditionalInfo":{"UUID":"1f8f6d4b-0ff4-4764-a053-50cf8c876cc7","Name":"cover file for kit build \"Palo Alto v1\"","Description":"","Size":2977,"ContentType":"image/png"},"Hash":[29,229,199,62,23,205,135,26,122,159,183,120,140,19,185,166,54,100,158,255,195,136,56,96,179,214,90,210,5,225,144,72]},{"Name":"ac8d907f-c540-4237-8327-1ad55c173b6e","Type":"file","AdditionalInfo":{"UUID":"ac8d907f-c540-4237-8327-1ad55c173b6e","Name":"banner file for kit build \"Palo Alto 
v1\"","Description":"","Size":20154,"ContentType":"image/png"},"Hash":[51,132,177,166,252,226,122,35,181,128,210,238,92,89,179,204,243,107,54,180,204,98,44,236,201,136,27,244,55,59,36,36]},{"Name":"e4aac01c-abda-4b6e-a95c-d42887ad29ed","Type":"playbook","AdditionalInfo":{"UUID":"e4aac01c-abda-4b6e-a95c-d42887ad29ed","Name":"Palo Alto Kit","Description":"High-level overview of the Palo Alto kit from Gravwell"},"Hash":[95,172,111,204,206,201,119,111,104,216,102,77,219,204,195,117,233,14,207,241,104,213,235,15,172,159,183,237,206,36,11,110]},{"Name":"pan_globalprotect","Type":"autoextractor","AdditionalInfo":{"name":"Palo Alto globalprotect","desc":"Palo Alto globalprotect log format","module":"csv","tag":"pan_globalprotect"},"Hash":[144,214,186,106,61,176,114,94,173,122,20,42,230,69,228,171,101,155,15,200,13,65,247,28,28,254,190,206,213,162,181,158]},{"Name":"pan_sctp","Type":"autoextractor","AdditionalInfo":{"name":"Palo Alto sctp","desc":"Palo Alto sctp log format","module":"csv","tag":"pan_sctp"},"Hash":[79,149,37,67,116,29,104,166,189,222,39,70,192,174,183,211,103,239,222,82,122,61,6,241,91,174,33,183,16,86,116,208]},{"Name":"pan_gtp","Type":"autoextractor","AdditionalInfo":{"name":"Palo Alto gtp","desc":"Palo Alto gtp log format","module":"csv","tag":"pan_gtp"},"Hash":[214,171,60,201,143,250,61,224,26,40,135,193,183,217,136,0,52,69,225,76,255,24,166,63,162,113,251,13,167,231,217,49]},{"Name":"pan_iptag","Type":"autoextractor","AdditionalInfo":{"name":"Palo Alto iptag","desc":"Palo Alto iptag log format","module":"csv","tag":"pan_iptag"},"Hash":[58,52,66,188,83,245,237,245,106,89,153,22,36,115,180,0,162,176,121,244,64,184,80,171,8,85,204,111,203,100,144,226]},{"Name":"pan_userid","Type":"autoextractor","AdditionalInfo":{"name":"Palo Alto userid","desc":"Palo Alto userid log 
format","module":"csv","tag":"pan_userid"},"Hash":[37,29,6,199,55,248,86,134,56,73,192,251,79,80,216,20,90,68,131,9,251,216,133,125,115,148,25,238,236,135,130,25]},{"Name":"pan_traffic","Type":"autoextractor","AdditionalInfo":{"name":"Palo Alto traffic","desc":"Palo Alto traffic log format","module":"csv","tag":"pan_traffic"},"Hash":[137,209,21,28,115,189,36,92,163,114,109,9,107,152,115,72,136,224,116,0,144,128,7,197,163,169,217,30,191,97,39,173]},{"Name":"pan_decryption","Type":"autoextractor","AdditionalInfo":{"name":"Palo Alto decryption","desc":"Palo Alto decryption log format","module":"csv","tag":"pan_decryption"},"Hash":[214,118,169,110,154,139,52,133,149,231,151,68,244,235,116,213,77,200,0,39,75,86,232,100,192,4,9,151,125,21,4,126]},{"Name":"pan_threat","Type":"autoextractor","AdditionalInfo":{"name":"Palo Alto threat","desc":"Palo Alto threat log format","module":"csv","tag":"pan_threat"},"Hash":[237,252,254,117,228,114,39,53,176,25,196,144,25,166,216,216,172,181,156,153,171,121,200,93,20,69,147,76,160,24,90,126]},{"Name":"pan_hipmatch","Type":"autoextractor","AdditionalInfo":{"name":"Palo Alto hipmatch","desc":"Palo Alto hipmatch log format","module":"csv","tag":"pan_hipmatch"},"Hash":[109,159,15,126,234,105,10,48,182,52,54,206,156,67,18,3,112,82,197,55,72,233,149,22,241,243,102,55,190,69,87,55]},{"Name":"pan_system","Type":"autoextractor","AdditionalInfo":{"name":"Palo Alto system","desc":"Palo Alto system log format","module":"csv","tag":"pan_system"},"Hash":[27,217,1,70,236,136,174,165,24,177,91,102,122,34,210,83,73,239,228,69,6,16,239,252,197,215,88,230,42,218,226,154]},{"Name":"pan_tunnel","Type":"autoextractor","AdditionalInfo":{"name":"Palo Alto tunnel","desc":"Palo Alto tunnel log format","module":"csv","tag":"pan_tunnel"},"Hash":[208,51,176,125,23,76,249,80,244,184,58,20,94,101,146,147,59,204,232,119,241,12,119,91,138,136,15,56,5,249,35,21]},{"Name":"pan_correlation","Type":"autoextractor","AdditionalInfo":{"name":"Palo Alto 
correlation","desc":"Palo Alto correlation log format","module":"csv","tag":"pan_correlation"},"Hash":[133,133,113,105,68,152,99,204,57,90,43,34,138,8,250,89,140,73,203,20,112,62,11,239,73,236,145,18,101,140,132,113]},{"Name":"pan_config","Type":"autoextractor","AdditionalInfo":{"name":"Palo Alto config","desc":"Palo Alto config log format","module":"csv","tag":"pan_config"},"Hash":[165,214,59,201,178,38,135,16,10,187,144,182,173,135,83,247,9,78,207,107,162,59,24,44,217,209,165,56,124,67,174,121]},{"Name":"pan_auth","Type":"autoextractor","AdditionalInfo":{"name":"Palo Alto auth","desc":"Palo Alto auth log format","module":"csv","tag":"pan_auth"},"Hash":[127,139,35,141,192,230,250,50,82,169,166,198,3,5,18,77,24,39,185,217,236,233,141,80,6,12,207,244,187,79,8,54]},{"Name":"16b991a1-86c7-4f08-b408-c5faa8afeef3","Type":"file","AdditionalInfo":{"UUID":"16b991a1-86c7-4f08-b408-c5faa8afeef3","Name":"logforwarding","Description":"Log Forwarding","Size":32857,"ContentType":"image/png"},"Hash":[5,46,139,1,196,253,237,166,115,48,7,129,3,176,225,68,11,11,57,213,102,174,149,33,76,97,186,132,195,39,101,210]},{"Name":"50cb5863-6867-47da-bc49-7bef73317ddc","Type":"file","AdditionalInfo":{"UUID":"50cb5863-6867-47da-bc49-7bef73317ddc","Name":"payloadformat","Description":"Payload Format","Size":20195,"ContentType":"image/png"},"Hash":[87,116,183,7,151,20,151,244,177,8,139,190,143,139,98,10,9,6,136,3,140,27,65,44,16,249,221,67,167,91,224,53]},{"Name":"PAN_ALL","Type":"macro","AdditionalInfo":{"Name":"PAN_ALL","Description":"Palo Alto tag containing type=* events","Expansion":"pan_*\n"},"Hash":[240,0,9,90,119,123,170,26,184,89,133,165,39,167,162,35,30,203,130,142,66,201,90,41,201,147,202,208,177,12,198,108]},{"Name":"PAN_CONFIG","Type":"macro","AdditionalInfo":{"Name":"PAN_CONFIG","Description":"Palo Alto tag containing type=config 
events","Expansion":"pan_config\n"},"Hash":[153,194,142,64,3,216,15,12,37,70,91,56,46,46,137,117,2,159,13,9,46,172,109,109,203,189,156,66,31,251,78,154]},{"Name":"PAN_GLOBALPROTECT","Type":"macro","AdditionalInfo":{"Name":"PAN_GLOBALPROTECT","Description":"Palo Alto tag containing type=globalprotect events","Expansion":"pan_globalprotect\n"},"Hash":[99,182,79,216,245,118,163,28,168,50,130,183,243,43,123,82,194,82,14,238,135,103,232,179,238,130,164,72,222,205,127,255]},{"Name":"PAN_THREAT","Type":"macro","AdditionalInfo":{"Name":"PAN_THREAT","Description":"Palo Alto tag containing type=threat events","Expansion":"pan_threat\n"},"Hash":[205,148,105,217,159,41,73,250,76,2,58,126,222,58,42,152,73,73,49,100,41,150,213,32,219,55,32,159,82,205,36,188]},{"Name":"PAN_TRAFFIC","Type":"macro","AdditionalInfo":{"Name":"PAN_TRAFFIC","Description":"Palo Alto tag containing type=traffic events","Expansion":"pan_traffic\n"},"Hash":[235,21,198,23,56,138,187,117,94,59,230,218,144,248,108,230,76,243,204,242,203,146,58,105,216,88,232,176,27,82,14,121]},{"Name":"PAN_THREAT_TRAFFIC","Type":"macro","AdditionalInfo":{"Name":"PAN_THREAT_TRAFFIC","Description":"Palo Alto tag containing type=threat and type=traffic events","Expansion":"$PAN_THREAT,$PAN_TRAFFIC\n"},"Hash":[254,244,4,221,172,29,80,74,171,31,46,206,34,199,156,157,36,55,243,153,221,39,128,77,79,127,11,89,75,143,97,189]}],"ConfigMacros":[{"MacroName":"PAN_ALL","Description":"Palo Alto tag containing type=* events","DefaultValue":"pan_*","Value":"","Type":"STRING","InstalledByID":""},{"MacroName":"PAN_CONFIG","Description":"Palo Alto tag containing type=config events","DefaultValue":"pan_config","Value":"","Type":"STRING","InstalledByID":""},{"MacroName":"PAN_GLOBALPROTECT","Description":"Palo Alto tag containing type=globalprotect events","DefaultValue":"pan_globalprotect","Value":"","Type":"STRING","InstalledByID":""},{"MacroName":"PAN_THREAT","Description":"Palo Alto tag containing type=threat 
events","DefaultValue":"pan_threat","Value":"","Type":"STRING","InstalledByID":""},{"MacroName":"PAN_TRAFFIC","Description":"Palo Alto tag containing type=traffic events","DefaultValue":"pan_traffic","Value":"","Type":"STRING","InstalledByID":""}]},{"ID":"io.gravwell.beta.zeek","Name":"Gravwell Zeek","UUID":"4bbf204f-65f4-4d77-b788-3d8fa99a8a9e","Version":11,"Description":"The Gravwell Zeek Kit provides a baseline set of queries, dashboards, templates, and investigative resources for the Zeek Network Security Monitor.","Readme":"","Signed":true,"AdminRequired":false,"MinVersion":{"Major":5,"Minor":4,"Point":0},"MaxVersion":{"Major":0,"Minor":0,"Point":0},"Size":1725440,"Created":"2024-07-03T16:23:50.817634939Z","Ingesters":["file follower"],"Tags":["zeekconn","zeekdns","zeekfiles","zeekssl"],"Assets":[{"Type":"image","Source":"zeek-cover.png","Legend":"ZEEK","Featured":true,"Banner":false},{"Type":"image","Source":"zeek-banner.png","Legend":"Banner Image","Featured":true,"Banner":true},{"Type":"readme","Source":"README.md","Legend":"","Featured":false,"Banner":false}],"Dependencies":[{"ID":"io.gravwell.networkenrichment","MinVersion":6}],"Items":[{"Name":"0173803d-2953-469f-ba26-f73fa1b89d49","Type":"template","AdditionalInfo":{"UUID":"0173803d-2953-469f-ba26-f73fa1b89d49","Name":"Zeek SMB Share types for IP","Description":""},"Hash":[141,104,209,170,67,210,42,66,5,225,198,7,248,87,35,74,132,98,55,115,235,80,194,49,184,201,117,149,33,241,248,239]},{"Name":"022a1dcb-393f-4249-8d89-6170800baae7","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek HTTP Unusual HTTP Methods","Description":"A table of requests whose HTTP method is not one of the standard verbs. Caveat: the exclusion regex is written as ^-|GET|...|TRACE$, so only the first alternative is anchored at the start and only the last at the end; a method that merely contains a standard verb as a substring (e.g. GETS or XPOST) is also excluded rather than flagged. Anchoring every alternative, ^(-|GET|HEAD|POST|PUT|DELETE|CONNECT|OPTIONS|PATCH|TRACE)$, closes that gap.","Query":"tag=zeekhttp ax \"id.orig_h\" \"id.resp_h\" method uri\n| regex -v -e method \"^-|GET|HEAD|POST|PUT|DELETE|CONNECT|OPTIONS|PATCH|TRACE$\"\n| table \"id.orig_h\" \"id.resp_h\" method 
uri\n","UUID":"022a1dcb-393f-4249-8d89-6170800baae7"},"Hash":[221,67,85,255,203,130,230,74,110,225,245,45,208,210,59,132,28,59,186,53,251,153,215,248,160,253,69,55,243,107,13,254]},{"Name":"03ead8d0-d440-447d-938f-50fd51f53768","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek HTTP Internal Server Error Counts","Description":"Count of HTTP 500 (internal server error) responses per host. Caveat: the filter compares status_msg to 500; in Zeek's http.log the numeric code is normally carried in status_code while status_msg holds the reason phrase, so confirm this filter actually matches in your deployment.","Query":"tag=zeekhttp ax status_msg==500 | stats count by host | table host count","UUID":"03ead8d0-d440-447d-938f-50fd51f53768"},"Hash":[211,199,212,12,183,2,128,89,121,197,251,246,93,167,23,43,76,186,16,67,110,93,182,214,166,121,61,123,16,196,132,247]},{"Name":"07fe5fcf-b744-4a96-b6c6-ccd6c29bf0d2","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek DNS Most Common SLDs","Description":"Top 100 second-level domains by DNS query count, where the SLD is taken as the last two labels of the query name.","Query":"tag=zeekdns ax | regex -e query \"(?P\u003csld\u003e\\w+\\.\\w+\\s*$)\" | stats count by sld | sort by count desc | limit 100 | table sld count","UUID":"07fe5fcf-b744-4a96-b6c6-ccd6c29bf0d2"},"Hash":[81,145,154,54,65,99,247,227,37,82,83,126,159,29,9,234,252,5,123,166,216,34,2,69,226,204,104,95,40,178,147,201]},{"Name":"090a07e1-d13d-4822-b908-ad301471edfa","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek All Modbus","Description":"","Query":"tag=zeekmodbus ax | table","UUID":"090a07e1-d13d-4822-b908-ad301471edfa"},"Hash":[158,28,81,183,76,160,85,96,8,8,12,236,196,55,33,55,49,107,165,19,186,100,41,113,117,35,108,67,12,192,244,247]},{"Name":"096bbd42-7679-4d73-b131-185e5553bb3b","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek SSH Successful Login Map","Description":"Map of successful logins via SSH","Query":"tag=zeekssh ax auth_success == \"T\"\n| alias \"id.orig_h\" client\n| stats count by client\n| geoip client.Location\n| pointmap client 
count\n","UUID":"096bbd42-7679-4d73-b131-185e5553bb3b"},"Hash":[249,201,174,108,249,54,101,236,243,84,127,207,61,165,155,211,241,116,79,9,127,28,73,221,157,243,175,223,154,27,54,212]},{"Name":"0bf2d926-e288-4c22-85e5-47b8e9f7b8c6","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek Potential Port Scans","Description":"Source/destination pairs in the Zeek conn log that touched more than 64 distinct destination ports (a vertical-scan heuristic). The 64-port threshold is hard-coded in the eval step and the grouping is per source/destination pair, so a slow scan or one spread thinly across many targets stays below it; tune the threshold and consider a second query grouped by id.orig_h alone for horizontal sweeps.","Query":"tag=zeekconn ax \"id.orig_h\" \"id.resp_h\" \"id.resp_p\"\n| stats unique_count(\"id.resp_p\") by \"id.orig_h\" \"id.resp_h\"\n| eval unique_count \u003e 64\n| geoip \"id.orig_h\".Country \"id.orig_h\".City\n| table TIMESTAMP \"id.orig_h\" Country City \"id.resp_h\" unique_count\n","UUID":"0bf2d926-e288-4c22-85e5-47b8e9f7b8c6"},"Hash":[77,220,139,146,97,44,116,84,96,48,249,250,72,141,215,229,27,173,199,63,123,230,253,0,163,86,237,17,63,114,2,212]},{"Name":"0f94a1cc-5df4-4fe6-9c02-7a0a6f24fc26","Type":"file","AdditionalInfo":{"UUID":"0f94a1cc-5df4-4fe6-9c02-7a0a6f24fc26","Name":"bits icon","Description":"","Size":13937,"ContentType":"image/png"},"Hash":[204,208,173,34,25,122,246,176,147,200,143,118,95,48,212,237,86,244,165,88,249,44,43,179,27,55,83,250,17,67,103,27]},{"Name":"10fd0997-9ad1-4ec1-a2d3-de775f4cf332","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek All SMTP","Description":"","Query":"tag=zeeksmtp ax | table","UUID":"10fd0997-9ad1-4ec1-a2d3-de775f4cf332"},"Hash":[40,87,215,36,119,226,124,45,194,203,11,40,33,24,31,42,193,116,101,4,69,92,90,122,204,34,173,224,87,49,40,231]},{"Name":"114421113769043","Type":"dashboard","AdditionalInfo":{"UUID":"29eef45f-ee30-40eb-a5df-ddb79507cacd","Name":"Zeek DNS Domain Investigation","Description":""},"Hash":[11,14,172,34,17,13,34,30,13,13,240,58,55,99,145,234,79,253,75,92,231,122,5,243,182,148,251,224,139,19,186,105]},{"Name":"117366086622235","Type":"dashboard","AdditionalInfo":{"UUID":"3ef85611-d7a6-4054-ad67-e66454aadce6","Name":"Zeek IP Investigation","Description":"IP Investigative Dashboard using Zeek 
Data"},"Hash":[165,224,212,65,164,251,65,206,127,203,0,218,84,210,169,210,250,6,237,97,171,119,167,243,110,116,199,130,209,144,176,220]},{"Name":"12892d83-4b7d-4e0a-a0a2-c4c75762b252","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek Tunnel Unique Orig Host Count","Description":"A gauge labelled as the number of unique orig hosts seen in the Zeek tunnel log. Caveat: the query uses count rather than unique_count on id.orig_h, so the figure appears to be the number of tunnel events carrying that field, not the number of distinct hosts; verify, and switch to unique_count if distinct hosts are intended. Useful as a number card.","Query":"tag=zeektunnel ax \"id.orig_h\"\n| count \"id.orig_h\"\n| gauge (count \"Unique Orig Hosts\")\n","UUID":"12892d83-4b7d-4e0a-a0a2-c4c75762b252"},"Hash":[157,31,63,228,244,94,197,104,246,15,167,195,163,87,236,63,126,239,92,23,37,180,117,156,57,148,250,81,246,4,31,179]},{"Name":"165107893417419","Type":"dashboard","AdditionalInfo":{"UUID":"498b0653-7bc4-406c-986c-9457c3038618","Name":"Zeek DHCP Overview","Description":""},"Hash":[252,147,164,76,57,218,31,232,97,141,146,143,81,108,53,34,196,226,35,74,113,65,164,11,30,129,15,216,223,67,200,61]},{"Name":"170748654654798","Type":"dashboard","AdditionalInfo":{"UUID":"3fb48f40-ded1-41a8-9fcc-acf6291f4775","Name":"Zeek SSL/x509 Overview","Description":"Information about SSL connections and x509 certificates"},"Hash":[19,137,94,127,233,12,187,163,243,191,22,155,214,109,185,65,64,201,191,34,255,60,118,240,83,208,77,111,59,113,240,188]},{"Name":"17781775970589","Type":"dashboard","AdditionalInfo":{"UUID":"cfc02287-60b2-446f-aa4c-0b738286136f","Name":"Zeek DNS Overview","Description":""},"Hash":[225,14,58,17,17,66,195,56,118,45,177,105,75,222,164,65,112,139,167,146,109,251,42,174,68,91,97,254,137,147,244,224]},{"Name":"185818692246396","Type":"dashboard","AdditionalInfo":{"UUID":"e5f2c4ca-611e-41e1-ba0a-f583dcd6eedb","Name":"Zeek HTTP","Description":""},"Hash":[100,40,87,227,238,118,4,2,132,160,82,160,192,121,95,46,190,25,191,147,196,87,7,172,243,169,236,165,181,179,182,179]},{"Name":"1873ea26-d180-423c-9e6f-5ef3242e1972","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek DHCP unique client counts","Description":"Numbercard showing unique client counts for each 
DHCP server","Query":"tag=zeekdhcp ax server_addr != - mac | stats unique_count(mac) as server by server_addr | numbercard server","UUID":"1873ea26-d180-423c-9e6f-5ef3242e1972"},"Hash":[183,115,66,137,196,169,141,94,32,93,33,7,123,38,221,244,34,101,37,216,242,45,161,97,87,236,194,42,96,183,44,67]},{"Name":"18a32aa6-53f4-4969-8413-b02f467df9ac","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek HTTP Password exposures","Description":"Table with exposed passwords in HTTP requests","Query":"tag=zeekhttp ax password != \"-\" \"id.orig_h\" \"id.resp_h\" host uri username info_code\n| table \"id.orig_h\" \"id.resp_h\" host uri username password info_code\n","UUID":"18a32aa6-53f4-4969-8413-b02f467df9ac"},"Hash":[24,184,157,137,208,17,21,158,137,6,160,139,122,219,76,75,160,163,57,142,238,183,101,88,253,205,1,81,240,161,138,98]},{"Name":"19594ace-3d02-411d-b07f-f11e71498f48","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek DNS round trip time mean, min, and max","Description":"Chart of round trip times on DNS","Query":"tag=zeekdns ax qtype_name == A rtt!=- |\nstats mean(rtt) max(rtt) min(rtt) |\nchart min mean max","UUID":"19594ace-3d02-411d-b07f-f11e71498f48"},"Hash":[14,222,110,16,58,145,166,81,154,190,236,247,57,222,30,61,48,23,9,50,99,45,24,42,96,107,133,45,134,199,152,180]},{"Name":"1b78d4a8-12da-4d03-b2a6-991101515873","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek SMB Client Map","Description":"","Query":"tag=zeeksmb* ax \"id.orig_h\"\n| unique \"id.orig_h\"\n| geoip \"id.orig_h\".Location\n| heatmap \"id.orig_h\"\n","UUID":"1b78d4a8-12da-4d03-b2a6-991101515873"},"Hash":[22,87,203,216,205,219,140,52,112,5,144,194,166,214,153,51,142,199,109,178,186,128,152,16,78,189,120,205,67,163,78,66]},{"Name":"1b8878d9-8d61-480f-aa10-090da60674e4","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek DNS Totals","Description":"","Query":"tag=zeekdns ax | stats unique_count(query) as \"Unique Queries\" count as \"Total Queries\" | gauge \"Unique Queries\" \"Total 
Queries\"","UUID":"1b8878d9-8d61-480f-aa10-090da60674e4"},"Hash":[146,184,34,206,243,22,242,213,45,198,65,225,57,68,70,5,128,148,36,146,119,176,88,8,88,134,62,34,97,24,210,2]},{"Name":"1f4a4980-3b6b-4997-91bf-422eccbdbb68","Type":"pivot","AdditionalInfo":{"UUID":"1f4a4980-3b6b-4997-91bf-422eccbdbb68","Name":"Zeek DNS FQDN/SLD combined actionables","Description":""},"Hash":[33,198,222,200,35,147,117,135,182,134,157,51,7,77,225,17,244,137,204,8,137,189,170,24,11,49,38,69,52,56,150,94]},{"Name":"20a1d25a-952e-4998-8b77-f02b43dffedc","Type":"template","AdditionalInfo":{"UUID":"20a1d25a-952e-4998-8b77-f02b43dffedc","Name":"Zeek DNS Clients Querying this Name","Description":""},"Hash":[218,48,113,81,35,182,46,244,26,68,242,196,51,39,12,233,196,70,124,191,241,211,182,234,91,177,142,158,64,231,198,223]},{"Name":"213587770620490","Type":"dashboard","AdditionalInfo":{"UUID":"af886067-860f-4c7c-9dd6-e4ab8021ffe8","Name":"Zeek SSH Overview","Description":"Overview of SSH activity using the zeek ssh.log"},"Hash":[232,76,89,205,74,203,145,108,243,35,153,73,197,138,240,145,19,73,243,204,0,198,126,166,80,21,135,216,185,97,44,160]},{"Name":"2165790173070","Type":"dashboard","AdditionalInfo":{"UUID":"fe8112c1-07f3-4182-8df1-54b03c91ad3c","Name":"Zeek Connection Overview","Description":"Basic overview of connection data as seen by Zeek"},"Hash":[78,116,189,236,114,155,21,94,236,19,208,189,41,27,72,95,190,10,195,0,86,51,157,100,39,182,129,62,79,106,85,60]},{"Name":"21917c45-40c6-41a3-9fbf-9180ed19af97","Type":"template","AdditionalInfo":{"UUID":"21917c45-40c6-41a3-9fbf-9180ed19af97","Name":"Zeek IP Service Usage","Description":"Aggregate count of connections by service as seen by Zeek"},"Hash":[105,85,7,113,134,85,223,157,73,131,186,193,196,30,47,132,216,176,35,26,112,40,87,115,51,67,105,81,226,137,112,212]},{"Name":"21efc152-f78d-49c1-9a83-2739ae842e88","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek Tunnel Orig Host Counts","Description":"Table showing the number of events for 
each orig host","Query":"tag=zeektunnel ax \"id.orig_h\"\n| count by \"id.orig_h\"\n| table count \"id.orig_h\"\n","UUID":"21efc152-f78d-49c1-9a83-2739ae842e88"},"Hash":[118,12,56,208,86,74,245,2,21,114,218,153,63,158,20,235,159,163,94,245,112,42,211,246,41,217,110,197,13,76,122,56]},{"Name":"237ab20c-db63-4352-8590-4388b8c270e1","Type":"template","AdditionalInfo":{"UUID":"237ab20c-db63-4352-8590-4388b8c270e1","Name":"Zeek All DNP3 for IP","Description":""},"Hash":[52,213,20,90,91,100,171,122,236,245,226,147,209,188,15,202,184,90,168,236,222,131,194,229,175,136,82,68,7,134,155,130]},{"Name":"23f10acf-d1b9-471e-85d1-e6afcf7de663","Type":"template","AdditionalInfo":{"UUID":"23f10acf-d1b9-471e-85d1-e6afcf7de663","Name":"Zeek All Files for IP","Description":""},"Hash":[69,103,133,97,110,29,230,98,254,156,4,75,84,229,156,97,73,181,81,6,1,231,233,227,179,177,47,124,209,24,240,140]},{"Name":"269322047303843","Type":"dashboard","AdditionalInfo":{"UUID":"ce0ca51d-f131-4a6f-a863-1bdd5f1bcce1","Name":"Zeek SMB Overview","Description":"Windows fileshare activity"},"Hash":[195,203,161,8,104,113,189,74,226,155,15,3,235,138,32,34,125,157,122,202,161,11,57,245,52,101,82,35,118,195,110,85]},{"Name":"279143874980783","Type":"dashboard","AdditionalInfo":{"UUID":"c53dcc2f-4334-4d07-8cf8-66c8e867eed8","Name":"Zeek DNS Client Investigation","Description":""},"Hash":[206,57,167,147,178,168,84,55,89,209,216,101,76,147,253,129,54,224,59,229,150,40,215,167,26,103,130,108,131,111,56,6]},{"Name":"279933858880339","Type":"dashboard","AdditionalInfo":{"UUID":"b2ce8387-a271-4f5f-b537-9bb5f291ce4d","Name":"Zeek Tunnels Overview","Description":""},"Hash":[247,222,1,174,80,22,107,170,25,73,227,37,5,138,205,118,33,163,6,228,153,174,214,81,130,12,43,143,94,220,214,231]},{"Name":"279e768b-e1df-4d4c-93f4-c705c9ed0730","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek Service Connection Reset Rates","Description":"Chart of connection reset rates by service as seen by Zeek","Query":"tag=zeekconn ax 
conn_state ~ RST proto==tcp service |\nstats count by service |\nchart count by service","UUID":"279e768b-e1df-4d4c-93f4-c705c9ed0730"},"Hash":[207,145,224,207,184,235,139,139,1,232,132,92,0,47,36,201,143,141,138,76,73,114,214,85,220,152,64,164,204,129,48,25]},{"Name":"2b6ab0ff-afb6-48cc-a2cf-434df0333eec","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek SSL Version Chart","Description":"Display a chart of the SSL/TLS versions in use.","Query":"tag=zeekssl ax version!=\"-\" | stats count by version | chart count by version","UUID":"2b6ab0ff-afb6-48cc-a2cf-434df0333eec"},"Hash":[234,88,181,187,222,95,14,254,22,195,151,39,128,155,188,163,188,48,19,222,165,240,255,136,131,234,228,43,237,204,48,114]},{"Name":"2ee1be2e-30bc-42d8-970d-00f262506bf1","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek DNS Requests by Host","Description":"","Query":"tag=zeekdns ax\n| alias \"id.orig_h\" Host\n| stats count by Host\n| table count Host\n","UUID":"2ee1be2e-30bc-42d8-970d-00f262506bf1"},"Hash":[98,173,132,55,155,157,250,100,230,236,183,0,48,230,75,252,87,4,156,177,118,112,210,10,224,8,77,178,23,28,93,33]},{"Name":"2f349bd2-d02c-47bd-843a-fa80a5b293b1","Type":"searchlibrary","AdditionalInfo":{"Name":"Failed SSH Connections By Country \u0026 Server","Description":"For each server, list the number of failed connections by originating country.","Query":"tag=zeekssh ax auth_success != \"T\"\n| alias \"id.orig_h\" client \"id.resp_h\" server\n| geoip client.CountryName\n| stats count by CountryName server\n| table count server CountryName\n","UUID":"2f349bd2-d02c-47bd-843a-fa80a5b293b1"},"Hash":[52,63,153,62,18,165,54,152,184,223,143,36,181,210,174,192,5,109,165,219,11,138,134,186,191,1,39,102,181,147,228,64]},{"Name":"2f618b6a-aa5a-41f6-b67a-c37414d08107","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek DNS Total Queries by Type","Description":"Numbercards showing the total number of queries by each type","Query":"tag=zeekdns ax qtype_name | stats count by qtype_name | 
numbercard count","UUID":"2f618b6a-aa5a-41f6-b67a-c37414d08107"},"Hash":[180,245,145,232,171,180,153,118,87,250,26,160,98,210,8,18,221,177,15,49,69,212,157,208,67,234,66,96,186,44,65,17]},{"Name":"34229f03-8c98-4c3b-8534-b1adc734f45b","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek DHCP MAC Address Count","Description":"A gauge displaying the count of unique MAC addresses. Useful as a number card.","Query":"tag=zeekdhcp ax |\nunique mac |\ncount mac |\ngauge (count \"Unique MAC Addresses\")","UUID":"34229f03-8c98-4c3b-8534-b1adc734f45b"},"Hash":[33,118,230,31,115,62,169,213,175,243,95,226,101,184,218,51,40,230,16,30,43,148,246,135,138,193,3,11,172,198,224,150]},{"Name":"34593ced-332b-44a1-be9c-33f7d8d9a321","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek SMB share types","Description":"","Query":"tag=zeeksmb_mapping ax \"id.resp_h\" share_type\n| count by \"id.resp_h\" share_type\n| stackgraph \"id.resp_h\" share_type count\n","UUID":"34593ced-332b-44a1-be9c-33f7d8d9a321"},"Hash":[65,94,137,56,168,157,223,174,211,153,50,169,218,168,48,101,239,48,53,58,96,140,152,159,224,141,247,139,29,252,106,87]},{"Name":"3537e42b-683c-4355-a7aa-9cfbf977d1a0","Type":"template","AdditionalInfo":{"UUID":"3537e42b-683c-4355-a7aa-9cfbf977d1a0","Name":"Zeek DNS Queries by Resource Record Type","Description":""},"Hash":[9,59,153,139,26,5,67,185,202,255,205,0,233,254,209,124,103,112,153,131,13,124,181,238,173,210,113,121,230,17,146,11]},{"Name":"3617cf34-af25-488e-9aec-b5cd6cdd79a3","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek All Files","Description":"files.log","Query":"tag=zeekfiles ax | table","UUID":"3617cf34-af25-488e-9aec-b5cd6cdd79a3"},"Hash":[136,45,241,81,195,23,34,68,116,27,238,99,39,11,219,53,68,216,132,127,255,214,139,186,78,141,133,85,88,189,147,91]},{"Name":"368fc26d-07a4-40f8-9051-b63f3bd76c03","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek Upload/Download Traffic Chart","Description":"Chart the upload and download traffic as seen by 
zeek","Query":"tag=zeekconn ax orig_bytes != \"-\" resp_bytes != \"-\" service !=\"-\"\n| stats sum(orig_bytes) as upload sum(resp_bytes) as download\n| chart upload download\n","UUID":"368fc26d-07a4-40f8-9051-b63f3bd76c03"},"Hash":[142,121,187,10,139,219,154,93,240,78,46,98,34,11,197,26,128,16,77,169,231,178,110,131,26,83,252,182,73,215,135,108]},{"Name":"37389320-51c0-4488-ba6f-6bd46931c7a3","Type":"template","AdditionalInfo":{"UUID":"37389320-51c0-4488-ba6f-6bd46931c7a3","Name":"Zeek service usage chart","Description":"Chart of service activity by IP as seen by Zeek"},"Hash":[184,191,133,191,8,197,209,199,188,176,111,66,115,181,244,75,205,38,218,155,36,222,112,162,125,217,59,169,222,15,174,60]},{"Name":"374f57e2-2de2-451c-aeed-9fbdb9dda4ff","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek x509 Key Length/Type Counts","Description":"Table showing frequency of different x509 key types \u0026 key lengths.","Query":"tag=zeekx509 ax | stats count by key_length key_type | table key_type key_length count","UUID":"374f57e2-2de2-451c-aeed-9fbdb9dda4ff"},"Hash":[135,108,74,7,2,86,164,182,98,128,99,70,127,30,162,6,173,38,64,225,11,168,64,5,80,20,247,98,70,28,165,243]},{"Name":"3931778492176","Type":"dashboard","AdditionalInfo":{"UUID":"3824e3c3-2ca6-4e94-a678-0001b4400fde","Name":"Zeek UID Investigation","Description":"Show any records related to a given Zeek UID"},"Hash":[233,5,138,42,249,83,16,183,253,141,113,213,3,251,246,253,165,54,148,52,135,229,199,159,83,228,144,142,132,244,42,93]},{"Name":"3ad9b6d6-d891-478c-880e-01bcb1893e7a","Type":"playbook","AdditionalInfo":{"UUID":"4b0419b2-f2ba-48f0-9c86-14b8e6b4483b","Name":"Zeek Gravwell Kit","Description":"Zeek Overview Playbook"},"Hash":[101,126,105,94,90,69,75,99,104,75,45,144,72,239,132,191,188,146,130,34,218,64,104,1,47,138,183,128,158,176,247,210]},{"Name":"3b30a350-70e3-4846-a18b-e2045f174e04","Type":"file","AdditionalInfo":{"UUID":"3b30a350-70e3-4846-a18b-e2045f174e04","Name":"bits 
banner","Description":"","Size":20199,"ContentType":"image/png"},"Hash":[81,35,114,37,130,243,23,207,13,47,49,182,13,29,152,253,70,200,233,223,139,101,197,138,226,81,135,99,90,26,129,30]},{"Name":"3c8c01cb-18ce-4493-8a86-88738ffaf1be","Type":"template","AdditionalInfo":{"UUID":"3c8c01cb-18ce-4493-8a86-88738ffaf1be","Name":"Zeek 10 most common service ports for IP","Description":"Table of the most commonly used service ports for an IP as seen by Zeek"},"Hash":[116,85,248,241,89,188,61,169,214,4,160,27,176,244,171,180,53,157,54,119,48,220,38,93,138,71,216,7,197,191,171,156]},{"Name":"3ce01f76-6642-4558-98ff-e810a40f14ed","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek Connection Count Chart","Description":"Chart of total sessions as seen by Zeek","Query":"tag=zeekconn stats count | chart count","UUID":"3ce01f76-6642-4558-98ff-e810a40f14ed"},"Hash":[93,84,80,40,82,236,17,159,26,100,64,89,110,241,156,236,197,245,219,133,234,111,112,218,206,211,131,160,54,28,145,59]},{"Name":"3f0a9936-9437-4678-bcd3-6f91bce0cf92","Type":"file","AdditionalInfo":{"UUID":"3f0a9936-9437-4678-bcd3-6f91bce0cf92","Name":"Screenshot from 2020-10-05 14-13-49.png","Description":"Dashboard overview","Size":502524,"ContentType":"image/png"},"Hash":[18,223,11,84,218,18,121,3,168,35,200,144,179,53,3,77,127,71,3,194,90,60,93,29,117,22,56,254,18,170,130,20]},{"Name":"46f9b926-5776-488d-baa0-517a429805f6","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek All DHCP","Description":"","Query":"tag=zeekdhcp ax | table","UUID":"46f9b926-5776-488d-baa0-517a429805f6"},"Hash":[250,229,136,168,101,20,222,173,28,193,238,135,136,147,170,248,194,31,34,241,104,28,240,37,40,134,223,249,61,81,172,140]},{"Name":"4f8e2ab6-48bb-4a5e-beec-f254fec10610","Type":"template","AdditionalInfo":{"UUID":"4f8e2ab6-48bb-4a5e-beec-f254fec10610","Name":"Zeek All SMTP for 
IP","Description":""},"Hash":[101,112,76,106,217,104,212,213,192,46,240,248,227,147,179,191,51,243,179,128,245,223,217,76,109,169,116,53,234,250,160,198]},{"Name":"5016d227-e29e-4d9e-807b-fddb89faa0fa","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek All SMB Mapping","Description":"","Query":"tag=zeeksmb_mapping ax | table","UUID":"5016d227-e29e-4d9e-807b-fddb89faa0fa"},"Hash":[8,120,153,122,73,251,165,246,143,250,46,134,56,96,0,238,222,176,51,178,195,26,156,58,3,144,126,203,72,65,244,130]},{"Name":"513f6704-cf98-41a9-a94e-28c70869fb82","Type":"template","AdditionalInfo":{"UUID":"513f6704-cf98-41a9-a94e-28c70869fb82","Name":"Zeek Associated Records","Description":"All records associated with a specific zeek flow"},"Hash":[122,116,180,102,190,178,159,29,91,187,102,16,7,178,67,135,159,231,18,47,17,113,108,89,181,109,100,22,221,156,31,14]},{"Name":"51b0d89d-bf0f-47c5-a0b7-c8a88ae29484","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek HTTP Most Requested Hosts","Description":"","Query":"tag=zeekhttp ax | stats count by host | sort by count desc | table count host","UUID":"51b0d89d-bf0f-47c5-a0b7-c8a88ae29484"},"Hash":[81,227,68,8,11,221,53,253,167,142,209,9,185,253,105,140,66,226,157,105,103,14,129,232,46,204,192,247,100,186,74,99]},{"Name":"51e3cc6f-d368-47f6-8ace-52514bc55e8f","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek HTTP OS Distribution","Description":"","Query":"tag=zeekhttp ax \n| regex -e user_agent \"\\((?P\u003cOS\u003e[^\\)]*)\\)\" \n| count by OS \n| chart count by OS","UUID":"51e3cc6f-d368-47f6-8ace-52514bc55e8f"},"Hash":[236,43,35,17,224,104,113,17,4,173,185,50,146,245,236,217,28,166,41,139,78,249,146,54,233,128,13,102,229,98,24,171]},{"Name":"55d3f4d8-d273-4a37-9ca6-5befadd46e9e","Type":"template","AdditionalInfo":{"UUID":"55d3f4d8-d273-4a37-9ca6-5befadd46e9e","Name":"Zeek SMB 
actions","Description":""},"Hash":[164,136,180,183,146,228,30,47,212,210,182,185,102,84,220,57,79,226,10,138,110,26,71,7,184,45,70,86,78,242,150,77]},{"Name":"599916f0-124f-4511-95e6-8beef8eec8b8","Type":"template","AdditionalInfo":{"UUID":"599916f0-124f-4511-95e6-8beef8eec8b8","Name":"Zeek Connection activity for IP","Description":"Chart of connection activity for a given IP as seen by Zeek"},"Hash":[80,230,2,202,50,208,177,140,49,243,178,49,228,241,133,52,207,250,157,1,39,73,243,176,73,64,159,98,151,240,181,91]},{"Name":"5a61cd1c-a1bd-4430-9ad4-c9cf9b3fd7a5","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek DNS Server counts","Description":"Table of DNS Servers in use and their respective counts","Query":"tag=zeekdns ax \"id.resp_h\"\n| stats count by \"id.resp_h\"\n| geoip -r asn_db \"id.resp_h\".ASNOrg\n| table count \"id.resp_h\" ASNOrg\n","UUID":"5a61cd1c-a1bd-4430-9ad4-c9cf9b3fd7a5"},"Hash":[236,216,49,199,161,70,119,209,122,243,26,45,31,223,3,174,111,50,116,127,198,115,50,26,179,53,234,138,255,188,152,97]},{"Name":"5a6eb9fb-a4fe-4ee1-a617-e2ae07b8ff9c","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek DNS TXT Records","Description":"DNS TXT Records","Query":"tag=zeekdns ax qtype == 16 | alias query Name answers Payload | table Name Payload","UUID":"5a6eb9fb-a4fe-4ee1-a617-e2ae07b8ff9c"},"Hash":[0,41,234,53,237,28,189,246,189,93,115,8,45,204,1,186,19,154,92,84,99,57,38,226,254,108,104,3,49,91,140,184]},{"Name":"625796b6-cd85-417c-874d-32232d4bcc85","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek All MYSQL","Description":"","Query":"tag=zeekmysql ax | table","UUID":"625796b6-cd85-417c-874d-32232d4bcc85"},"Hash":[185,214,107,48,6,174,164,15,41,118,198,160,218,224,69,175,170,196,180,6,142,249,36,68,30,111,254,184,218,193,208,211]},{"Name":"652e42b4-1d46-44be-9c4d-335de4bd1b3d","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek DHCP rejections","Description":"Table of DHCP address rejections and cause","Query":"tag=zeekdhcp ax msg_types==NAK mac 
server_message |\nstats count by mac server_message |\nmaclookup -r mac_prefixes mac.Manufacturer |\ntable mac Manufacturer server_message count","UUID":"652e42b4-1d46-44be-9c4d-335de4bd1b3d"},"Hash":[177,201,87,227,128,158,181,205,110,178,156,111,135,146,172,225,44,99,248,194,158,13,93,128,149,226,157,2,255,157,186,75]},{"Name":"653c3bb6-b457-4e85-b517-4e3336252bcc","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek SMB Client actions","Description":"Client action types (e.g. open, rename, etc)","Query":"tag=zeeksmb_files ax \"id.orig_h\" action\n| count by \"id.orig_h\" action\n| stackgraph \"id.orig_h\" action count\n","UUID":"653c3bb6-b457-4e85-b517-4e3336252bcc"},"Hash":[155,25,244,8,9,24,225,159,90,104,71,118,2,169,246,69,234,130,18,115,242,43,248,221,9,120,121,91,205,146,123,241]},{"Name":"6929e79a-c532-40dc-8ca6-35ed2ee36f74","Type":"template","AdditionalInfo":{"UUID":"6929e79a-c532-40dc-8ca6-35ed2ee36f74","Name":"Zeek SSH Clients Authenticated to Server","Description":"Generate a list of which clients have successfully authenticated to a server."},"Hash":[255,153,95,127,60,253,127,248,150,45,181,8,109,229,38,113,137,181,158,59,95,223,195,218,142,138,100,59,212,132,137,216]},{"Name":"69ee6854-33dd-4ace-9c19-3b9376bf54a5","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek most active service ports","Description":"The most active service ports as seen by Zeek conn log","Query":"tag=zeekconn ax \"id.resp_p\"\n| stats count as connections by \"id.resp_p\"\n| sort by connections\n| table \"id.resp_p\" connections\n","UUID":"69ee6854-33dd-4ace-9c19-3b9376bf54a5"},"Hash":[177,138,64,9,253,136,244,253,0,153,227,151,250,99,92,155,174,45,46,170,69,221,139,177,159,247,74,236,79,195,214,184]},{"Name":"6b5839d1-490b-489f-938c-0346c68fb16a","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek All Connections","Description":"All entries from conn.log","Query":"tag=zeekconn ax | 
table","UUID":"6b5839d1-490b-489f-938c-0346c68fb16a"},"Hash":[31,138,162,213,119,92,230,202,46,144,130,206,117,168,92,3,8,251,189,146,123,40,244,66,46,243,44,193,14,60,54,134]},{"Name":"6ba62295-6002-492a-b3da-26c251648596","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek SMB infrequent files","Description":"","Query":"tag=zeeksmb_files ax | count by name | sort by count asc | table name count","UUID":"6ba62295-6002-492a-b3da-26c251648596"},"Hash":[61,31,16,41,129,63,36,79,176,117,248,47,29,175,27,210,27,74,253,68,106,35,188,194,57,40,63,142,74,252,66,98]},{"Name":"6bd08e7d-0162-43c4-8a97-fca58a2f6c49","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek most common TLDs","Description":"Most common queried TLDs as seen by Zeek","Query":"tag=zeekdns ax \"id.resp_h\" query answers qtype_name == \"A\"\n| regex -e \"query\" \"(?P\u003cTLD\u003e[^\\.]+)$\"\n| stats count by TLD\n| table count TLD\n","UUID":"6bd08e7d-0162-43c4-8a97-fca58a2f6c49"},"Hash":[90,120,104,0,220,22,40,216,151,228,154,47,105,84,117,80,40,209,15,176,55,169,87,251,26,236,226,104,79,8,24,69]},{"Name":"6c63dfd6-c022-40c6-ac89-2d3e3ce2d5ea","Type":"file","AdditionalInfo":{"UUID":"6c63dfd6-c022-40c6-ac89-2d3e3ce2d5ea","Name":"Screenshot from 2020-10-05 14-16-23.png","Description":"Zeek Point to point","Size":267556,"ContentType":"image/png"},"Hash":[234,157,51,88,245,251,232,34,253,49,64,45,23,97,79,115,211,181,190,117,13,102,180,5,9,107,82,127,87,151,59,244]},{"Name":"704405ea-53cd-48cb-a5af-4260c29aebbf","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek HTTP Potential Command Injection in URI","Description":"A table of info for requests with URIs that contain common escape characters","Query":"tag=zeekhttp ax\n| regex -e uri \"\\;|\u0026\u0026|\\|`|\u003e|\u003c|\\\\|\\!\"\n| 
table","UUID":"704405ea-53cd-48cb-a5af-4260c29aebbf"},"Hash":[88,253,68,241,109,36,63,1,22,106,232,123,178,243,135,255,75,52,144,157,89,79,220,43,165,82,223,179,100,75,13,10]},{"Name":"7115784a-558b-4703-85b1-5db363344f5e","Type":"template","AdditionalInfo":{"UUID":"7115784a-558b-4703-85b1-5db363344f5e","Name":"Zeek Rare DNS Queries","Description":""},"Hash":[29,200,155,231,243,187,182,216,132,242,220,53,53,96,33,144,192,137,95,178,135,223,144,63,145,112,73,211,102,12,135,244]},{"Name":"757209ab-0c62-4f94-b092-5a1ce5ad7e34","Type":"template","AdditionalInfo":{"UUID":"757209ab-0c62-4f94-b092-5a1ce5ad7e34","Name":"Zeek DNS SLDs with the Most Subdomains by Client","Description":""},"Hash":[47,179,47,8,191,239,203,223,107,24,146,23,163,227,193,192,64,115,133,64,58,206,25,126,27,251,34,211,66,234,70,101]},{"Name":"759f8ccb-2646-4d47-93bb-944c989046e0","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek All Syslog","Description":"syslog.log","Query":"tag=zeeksyslog ax | table","UUID":"759f8ccb-2646-4d47-93bb-944c989046e0"},"Hash":[34,110,217,173,24,149,128,30,198,233,186,160,228,213,52,44,234,221,7,42,121,84,253,142,247,89,139,211,224,244,78,5]},{"Name":"7835355e-f9ef-49b2-bbff-1ddf876b15cc","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek Upload/Download Numbercards","Description":"Numbercards showing total upload/download traffic as seen by Zeek","Query":"tag=zeekconn ax orig_bytes != \"-\" resp_bytes != \"-\"\n| stats sum(orig_bytes) as upload sum(resp_bytes) as download\n| numbercard upload download\n","UUID":"7835355e-f9ef-49b2-bbff-1ddf876b15cc"},"Hash":[87,220,121,155,228,209,17,250,231,114,155,42,155,183,24,228,245,151,233,38,105,80,141,75,175,220,77,42,126,46,143,24]},{"Name":"78367645-e76f-473e-be59-fab8f333cd52","Type":"template","AdditionalInfo":{"UUID":"78367645-e76f-473e-be59-fab8f333cd52","Name":"Zeek All 
SNMP","Description":""},"Hash":[171,193,241,126,247,100,32,128,51,35,160,180,217,74,190,247,76,71,84,145,202,42,69,194,100,153,65,171,110,116,214,63]},{"Name":"78f963f0-e436-49d9-9c8f-78f689338256","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek SSH Server Locations","Description":"","Query":"tag=zeekssh ax\n| geoip \"id.resp_h\".Location\n| pointmap \"id.resp_h\"\n","UUID":"78f963f0-e436-49d9-9c8f-78f689338256"},"Hash":[98,133,104,191,53,231,58,54,4,191,154,172,137,83,64,1,148,163,37,128,100,232,123,191,63,241,238,26,254,116,205,153]},{"Name":"79b1b816-0a97-4604-89be-090331d8bf24","Type":"template","AdditionalInfo":{"UUID":"79b1b816-0a97-4604-89be-090331d8bf24","Name":"Zeek All DNS for IP","Description":""},"Hash":[212,86,254,189,116,253,154,132,38,61,80,12,216,211,5,237,52,100,248,222,224,66,190,178,24,226,122,204,105,109,92,85]},{"Name":"7d78581b-f1cb-42b1-a9b6-920af905bc67","Type":"template","AdditionalInfo":{"UUID":"7d78581b-f1cb-42b1-a9b6-920af905bc67","Name":"Zeek all SSH for IP","Description":""},"Hash":[221,61,171,136,211,12,78,171,129,53,230,102,82,169,106,32,13,186,101,231,54,213,102,173,116,151,119,30,122,10,216,59]},{"Name":"7dc9ddf7-2f29-41c7-83cb-0408afb87b4d","Type":"template","AdditionalInfo":{"UUID":"7dc9ddf7-2f29-41c7-83cb-0408afb87b4d","Name":"Zeek Service traffic Totals for an IP","Description":"Show upstream/downstream traffic totals for service traffic on a given IP."},"Hash":[224,161,36,199,199,104,195,157,10,81,144,104,137,139,93,161,41,235,95,18,230,58,69,97,13,129,57,79,14,0,91,199]},{"Name":"7dcdd46d-76f0-4fee-b941-2a0553534286","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek HTTP Point-to-Point","Description":"A point-to-point map showing connections between hosts over HTTP","Query":"tag=zeekhttp ax \"id.orig_h\" \"id.resp_h\"\n| geoip \"id.resp_h\".Location as resp_host_loc \"id.orig_h\".Location as orig_host_loc\n| point2point -srcloc orig_host_loc -dstloc 
resp_host_loc\n","UUID":"7dcdd46d-76f0-4fee-b941-2a0553534286"},"Hash":[190,176,252,174,109,178,139,19,109,10,161,192,167,75,45,192,86,76,83,165,149,119,69,4,222,224,96,35,197,105,247,189]},{"Name":"802d55db-c15d-499e-9796-69f1459423a3","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek Tunnel Connections Map","Description":"A point-to-point map showing tunnel connections between hosts","Query":"tag=zeektunnel ax \"id.orig_h\" \"id.resp_h\"\n| geoip \"id.resp_h\".Location as resp_host_loc \"id.orig_h\".Location as orig_host_loc\n| point2point -srcloc orig_host_loc -dstloc resp_host_loc\n","UUID":"802d55db-c15d-499e-9796-69f1459423a3"},"Hash":[67,132,81,25,96,38,169,57,194,194,194,162,1,245,197,43,26,66,146,60,219,215,117,166,219,24,255,152,139,2,184,14]},{"Name":"84123640-bf99-415d-b69c-de438c46027e","Type":"template","AdditionalInfo":{"UUID":"84123640-bf99-415d-b69c-de438c46027e","Name":"Zeek Unique Clients for IP","Description":"Numbercard of active clients for a given machine"},"Hash":[189,85,172,12,166,222,23,10,234,108,148,246,155,128,33,62,201,231,85,183,66,253,99,39,91,102,113,46,196,30,234,238]},{"Name":"84474799356711","Type":"dashboard","AdditionalInfo":{"UUID":"fbc053a7-2c5e-455e-af50-c4fa5609b41f","Name":"Zeek SMB Investigator","Description":"Investigate a given IP address"},"Hash":[194,58,228,89,231,101,81,18,21,238,24,107,130,28,183,121,126,160,216,35,88,65,243,170,110,133,101,164,202,110,217,105]},{"Name":"84cb010e-d835-49dc-8b7f-24cb11296eb1","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek DHCP session counts","Description":"Chart of DHCP requests for each server","Query":"tag=zeekdhcp ax server_addr != - | stats count by server_addr | chart count by 
server_addr","UUID":"84cb010e-d835-49dc-8b7f-24cb11296eb1"},"Hash":[227,235,74,111,214,65,239,93,219,224,119,69,231,229,14,222,83,214,86,16,57,254,71,166,69,243,41,204,189,34,75,36]},{"Name":"85846e8b-622c-44f4-95ae-4ad9a5ad6cfe","Type":"template","AdditionalInfo":{"UUID":"85846e8b-622c-44f4-95ae-4ad9a5ad6cfe","Name":"Zeek Most Queried DNS Names by Client","Description":""},"Hash":[158,175,199,159,59,166,111,107,245,228,30,218,116,254,78,30,224,16,111,227,92,104,230,34,70,8,224,217,106,177,13,199]},{"Name":"8656ce24-86e2-41e3-ae79-c3789ae1ab85","Type":"file","AdditionalInfo":{"UUID":"8656ce24-86e2-41e3-ae79-c3789ae1ab85","Name":"Screenshot from 2020-10-05 14-12-37.png","Description":"zeek DNS overview","Size":191674,"ContentType":"image/png"},"Hash":[60,15,74,209,94,47,37,244,146,174,21,50,107,4,93,111,81,149,85,180,232,0,62,54,183,126,135,122,201,56,40,179]},{"Name":"866c0f2d-319b-4805-bb29-d8af1fbf857b","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek Tunnel Connections","Description":"A force directed graph showing tunnel connections between hosts","Query":"tag=zeektunnel ax \"id.orig_h\" \"id.resp_h\" tunnel_type\n| stats count by \"id.orig_h\" \"id.resp_h\" tunnel_type\n| fdg -v count -sg tunnel_type \"id.orig_h\" \"id.resp_h\"\n","UUID":"866c0f2d-319b-4805-bb29-d8af1fbf857b"},"Hash":[142,152,125,228,185,147,121,235,227,212,109,159,194,70,180,208,129,157,19,4,86,75,129,249,91,52,146,129,208,172,162,63]},{"Name":"87c96621-d41e-4f14-938b-cbda31065bff","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek SSH chart of ports","Description":"","Query":"tag=zeekssh ax\n| count by \"id.resp_p\"\n| chart count by \"id.resp_p\"\n","UUID":"87c96621-d41e-4f14-938b-cbda31065bff"},"Hash":[216,212,87,181,160,118,172,116,234,136,5,103,183,159,24,235,13,144,240,216,2,118,177,148,76,115,38,24,118,205,64,149]},{"Name":"88103c85-6747-4b52-bcf1-ab7225ee01ad","Type":"pivot","AdditionalInfo":{"UUID":"88103c85-6747-4b52-bcf1-ab7225ee01ad","Name":"Zeek IP Investigative 
Dashboards","Description":"Zeek Investigative Dashboards"},"Hash":[35,247,108,45,125,168,94,223,15,253,128,233,75,191,213,70,132,254,29,205,103,86,115,128,71,203,12,72,248,46,243,240]},{"Name":"8a5f7168-421e-4031-82fe-cb2b1fa50168","Type":"template","AdditionalInfo":{"UUID":"8a5f7168-421e-4031-82fe-cb2b1fa50168","Name":"Zeek All for UID","Description":"Raw zeek entries containing a given UID whatsoever"},"Hash":[212,187,162,142,129,242,122,62,43,171,232,209,30,253,198,215,194,50,107,119,11,116,176,52,21,51,39,147,94,94,233,172]},{"Name":"8af3bc72-5e0c-4107-8f9d-db45deb8715d","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek SMB Server heatmap","Description":"","Query":"tag=zeeksmb* ax \"id.resp_h\"\n| unique \"id.resp_h\"\n| geoip \"id.resp_h\".Location\n| heatmap \"id.resp_h\"\n","UUID":"8af3bc72-5e0c-4107-8f9d-db45deb8715d"},"Hash":[247,227,183,6,232,164,236,51,10,136,176,5,61,215,171,148,170,104,81,48,208,185,142,153,168,38,186,156,182,199,49,237]},{"Name":"903c5291-d58d-4da0-bfc2-f01555d13d01","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek Connection Map","Description":"Geospatial connection map of connections as seen by Zeek","Query":"tag=zeekconn ax \"id.orig_h\" \"id.resp_h\"\n| stats count by \"id.orig_h\" \"id.resp_h\"\n| geoip \"id.orig_h\".Location as oloc \"id.resp_h\".Location as rloc\n| point2point -srcloc oloc -dstloc rloc\n","UUID":"903c5291-d58d-4da0-bfc2-f01555d13d01"},"Hash":[132,44,121,210,233,181,170,25,247,101,139,102,177,109,14,34,56,14,153,140,111,90,142,132,135,40,85,12,238,215,117,53]},{"Name":"9270435e-3d51-40f5-980f-3deaf4f4163b","Type":"template","AdditionalInfo":{"UUID":"9270435e-3d51-40f5-980f-3deaf4f4163b","Name":"Zeek SMB private IP graph","Description":""},"Hash":[26,25,52,119,199,64,70,149,46,72,226,197,228,246,67,239,227,213,137,205,123,96,122,73,77,204,34,100,104,175,228,186]},{"Name":"972a28a1-8310-4223-a49c-b7574d31fecb","Type":"template","AdditionalInfo":{"UUID":"972a28a1-8310-4223-a49c-b7574d31fecb","Name":"Zeek 
service bandwidth graph","Description":"Service Upload and Download traffic for an IP as seen by Zeek"},"Hash":[163,1,75,245,153,42,124,107,191,54,57,103,230,235,32,253,180,245,145,114,200,253,233,240,167,197,136,32,242,35,45,72]},{"Name":"98e1a4ca-6152-4755-8fd9-4a3086ab5592","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek SSH Successful Authentications by Client","Description":"Display a table of which clients have successfully connected to which server the most. Also includes client country.","Query":"tag=zeekssh ax auth_success == \"T\"\n| alias \"id.orig_h\" client \"id.resp_h\" server\n| stats count by client server\n| geoip client.CountryName\n| table count server client CountryName\n","UUID":"98e1a4ca-6152-4755-8fd9-4a3086ab5592"},"Hash":[212,137,80,232,12,186,237,135,36,59,249,129,100,215,181,7,119,106,1,111,127,165,153,229,74,168,169,58,80,66,108,77]},{"Name":"99d15805-3c68-4844-b50f-eaa5961ed066","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek SSH Version 1 Auth Successes","Description":"Successful SSH authentications using SSH version 1","Query":"tag=zeekssh ax version == \"1\" auth_success == \"T\"\n| alias \"id.orig_h\" client \"id.resp_h\" server\n| table client server\n","UUID":"99d15805-3c68-4844-b50f-eaa5961ed066"},"Hash":[246,110,120,237,28,19,9,194,103,167,44,151,223,129,196,37,44,145,72,9,93,107,7,118,148,229,138,185,133,7,211,22]},{"Name":"9a48cd9e-8291-4ec9-808e-efeba2692941","Type":"template","AdditionalInfo":{"UUID":"9a48cd9e-8291-4ec9-808e-efeba2692941","Name":"Active services for an IP","Description":"Numbercard of active services for a host that have been seen responding as seen by Zeek"},"Hash":[222,97,91,242,127,226,28,133,38,220,108,70,27,223,113,50,206,169,211,4,241,39,247,225,44,36,201,72,142,46,119,232]},{"Name":"9b688a19-274f-4b57-8136-136412445778","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek All SMB Files","Description":"smb_files.log","Query":"tag=zeeksmb_files ax | 
table","UUID":"9b688a19-274f-4b57-8136-136412445778"},"Hash":[215,9,131,14,44,192,208,57,42,186,208,187,241,124,242,32,130,70,73,63,70,250,205,14,209,178,136,193,81,69,252,80]},{"Name":"9cf025ae-3a77-4a9a-b1e4-c238b689bec5","Type":"pivot","AdditionalInfo":{"UUID":"9cf025ae-3a77-4a9a-b1e4-c238b689bec5","Name":"IP Address","Description":"Zeek Actions on IP Addresses"},"Hash":[134,240,73,174,224,61,16,189,57,205,154,16,221,27,62,63,125,81,81,148,62,223,246,190,242,53,79,117,142,152,56,149]},{"Name":"9e0009e6-4051-4104-b33e-75cc75f39642","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek Rare DNS Queries","Description":"Least queried DNS names over time","Query":"tag=zeekdns ax | alias query Name |\nstats count by Name |\nsort by count asc |\nlimit 100 |\ntable Name count","UUID":"9e0009e6-4051-4104-b33e-75cc75f39642"},"Hash":[46,33,220,54,245,65,25,100,205,245,36,121,47,195,70,174,186,217,134,104,234,146,95,76,222,212,206,193,231,61,172,73]},{"Name":"a89ae873-7548-4fcb-9e8e-2ae14a9c0734","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek HTTP Browser Distribution","Description":"","Query":"tag=zeekhttp ax \n| regex -e user_agent \"(?P\u003cbrowser\u003e\\S*)/[0-9.]*$\" \n| count by browser \n| chart count by browser","UUID":"a89ae873-7548-4fcb-9e8e-2ae14a9c0734"},"Hash":[96,67,144,151,228,19,246,227,185,202,65,72,181,24,99,190,30,69,168,245,182,142,83,58,184,18,223,4,116,154,246,247]},{"Name":"a920414b-59c1-4811-a6e7-45e6b566a81a","Type":"file","AdditionalInfo":{"UUID":"a920414b-59c1-4811-a6e7-45e6b566a81a","Name":"zeek-cover.png","Description":"Cover for Zeek Gravwell Kit","Size":14384,"ContentType":"image/png"},"Hash":[251,94,57,112,194,240,184,175,70,127,192,103,8,160,50,46,212,245,115,93,64,10,239,175,154,176,176,82,65,189,107,11]},{"Name":"a9beb170-c1c5-431a-a75d-020762d9b532","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek DNS Beaconing","Description":"Frequent DNS requests with the smallest variance","Query":"tag=zeekdns ax | alias query Name | sort 
by time asc | diff TIMESTAMP by query | require -s diff | stats mean(diff) stddev(diff) count by query | eval (stddev \u003c mean \u0026\u0026 count \u003e 2) | eval r = stddev/mean; Duration = duration(mean); | sort by r asc | table Name Duration count\n","UUID":"a9beb170-c1c5-431a-a75d-020762d9b532"},"Hash":[147,66,180,87,19,221,23,241,203,90,26,147,54,122,78,172,60,74,99,178,8,212,123,35,57,177,145,230,61,43,153,151]},{"Name":"aa41a52e-d6d4-449e-a33c-2451d8a12ab7","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek Total Traffic By Service","Description":"Total traffic per service as seen by Zeek","Query":"tag=zeekconn ax service orig_bytes resp_bytes\n| stats sum(orig_bytes) as upload sum(resp_bytes) as download by service\n| eval bytes = upload+download; if(service==\"-\") {service = \"unknown\";}\n| stats sum(bytes) as traffic by service\n| chart traffic by service\n","UUID":"aa41a52e-d6d4-449e-a33c-2451d8a12ab7"},"Hash":[74,216,62,50,27,209,239,19,241,24,77,127,51,143,39,187,147,38,9,142,115,171,206,226,58,240,63,31,40,159,100,1]},{"Name":"ab107386-8aaf-4839-95cc-125e51da9592","Type":"file","AdditionalInfo":{"UUID":"ab107386-8aaf-4839-95cc-125e51da9592","Name":"bits cover","Description":"","Size":14384,"ContentType":"image/png"},"Hash":[138,245,252,249,121,248,65,26,191,123,205,70,163,36,157,65,205,163,142,30,129,153,101,163,174,146,63,137,78,176,247,100]},{"Name":"ab6ba1ae-3e0f-4bae-b798-4b91db89311a","Type":"template","AdditionalInfo":{"UUID":"ab6ba1ae-3e0f-4bae-b798-4b91db89311a","Name":"Zeek protocols for UID","Description":""},"Hash":[112,120,175,236,179,142,138,18,162,247,152,222,243,219,255,171,89,16,113,15,198,178,44,33,109,95,231,244,143,228,43,193]},{"Name":"abf1ca7c-aa93-42c2-a1e5-36a2ab522cfd","Type":"template","AdditionalInfo":{"UUID":"abf1ca7c-aa93-42c2-a1e5-36a2ab522cfd","Name":"Zeek 10 most common service ports for IP","Description":"Table of the most commonly used service ports for an IP as seen by 
Zeek"},"Hash":[43,78,127,133,156,2,149,18,38,206,252,190,2,109,14,202,4,99,58,118,209,56,74,197,253,95,158,119,108,199,47,115]},{"Name":"ac66437e-56f8-4067-bc4c-f86f9d559fdb","Type":"searchlibrary","AdditionalInfo":{"Name":"Invalid SSL Certificates","Description":"SSL connections which failed due to bad certificates","Query":"tag=zeekssl ax last_alert != \"-\"\n| alias \"id.orig_h\" client \"id.resp_h\" server last_alert alert\n| table client server server_name alert established\n","UUID":"ac66437e-56f8-4067-bc4c-f86f9d559fdb"},"Hash":[255,34,150,128,231,89,136,230,44,87,235,196,37,187,141,3,229,60,1,70,224,87,212,104,108,103,74,14,216,67,159,65]},{"Name":"ac8415d4-d3f2-4f36-9ff0-8e3f89505940","Type":"template","AdditionalInfo":{"UUID":"ac8415d4-d3f2-4f36-9ff0-8e3f89505940","Name":"Zeek Service Client heatmap","Description":"Heatmap of clients for a given service"},"Hash":[146,202,200,226,189,80,170,6,12,194,187,123,164,83,135,38,155,186,39,38,87,78,108,181,1,64,186,199,107,191,63,185]},{"Name":"adec21b8-4822-4310-a970-491f125ab01c","Type":"template","AdditionalInfo":{"UUID":"adec21b8-4822-4310-a970-491f125ab01c","Name":"Zeek Conn for UID","Description":""},"Hash":[84,9,165,97,124,212,109,179,46,249,31,108,173,98,207,11,75,83,207,77,143,224,144,145,254,120,164,124,195,47,211,55]},{"Name":"aeca96ea-2bb4-4e82-93bb-9946dbd7a09c","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek SSH login and brute force attempt analytics","Description":"Examine all successful SSH logins and compare them against failures to flag potential brute force successes","Query":"tag=zeekssh ax auth_success != - client \"id.orig_h\" auth_attempts \"id.resp_h\" host_key\n| stats count sum(auth_attempts) as attempts by client \"id.resp_h\" auth_success\n| eval if(auth_success == \"T\"){success = count;}\n| geoip \"id.orig_h\".CountryName \"id.orig_h\".City\n| stats sum(success) as success by client \"id.resp_h\"\n| eval success \u003e 0\n| eval if ((float(attempts)/float(success)) \u003e 2.0) { Notes = \"Potential Brute Force 
Success\"; }\n| sort by success desc\n| table \"id.resp_h\" \"id.orig_h\" host_key CountryName City client attempts success Notes\n","UUID":"aeca96ea-2bb4-4e82-93bb-9946dbd7a09c"},"Hash":[91,149,115,135,16,137,238,221,149,108,189,160,164,161,0,216,235,98,241,25,212,74,48,186,228,169,181,203,1,214,29,146]},{"Name":"b09031b4-e09e-47c7-8c56-e6ed2cf84a33","Type":"template","AdditionalInfo":{"UUID":"b09031b4-e09e-47c7-8c56-e6ed2cf84a33","Name":"Zeek DNS Beaconing by Client","Description":""},"Hash":[226,169,199,54,129,46,113,209,247,145,127,59,87,2,98,197,156,140,81,93,240,100,36,87,213,185,33,9,127,55,96,216]},{"Name":"b23f8210-c4ef-464a-a2e8-64246d507ff3","Type":"template","AdditionalInfo":{"UUID":"b23f8210-c4ef-464a-a2e8-64246d507ff3","Name":"Zeek All Modbus for IP","Description":""},"Hash":[115,234,61,224,118,86,9,159,79,49,193,81,38,63,32,143,132,71,216,36,150,71,70,134,227,175,169,128,225,58,117,255]},{"Name":"b5f65972-71b1-40fa-a7b6-b8082e0f495f","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek service connection counts","Description":"Chart of connection counts per service as seen by Zeek","Query":"tag=zeekconn ax service |\nstats count by service |\neval if service==\"-\" {service = \"unknown\";} |\nchart count by service limit 32\n","UUID":"b5f65972-71b1-40fa-a7b6-b8082e0f495f"},"Hash":[224,68,168,166,251,92,231,49,72,100,5,205,215,132,61,244,235,239,192,19,161,136,72,216,245,139,193,175,35,174,56,233]},{"Name":"b6556ddf-f69b-409e-a83d-b3429e9b3e0c","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek Tunnel Types","Description":"Charts the types of tunnels. 
Best viewed as a pie chart or donut chart.","Query":"tag=zeektunnel ax tunnel_type |\ncount by tunnel_type |\nchart count by tunnel_type","UUID":"b6556ddf-f69b-409e-a83d-b3429e9b3e0c"},"Hash":[73,103,231,98,196,84,24,9,212,160,228,103,184,157,32,132,125,74,65,103,185,190,55,226,111,163,110,62,22,95,24,127]},{"Name":"b74b3006-8c12-429e-b9a9-97b8ba71a0d8","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek SSH re-used keys","Description":"","Query":"tag=zeekssh ax \"id.resp_h\" host_key != \"-\"\n| alias \"id.resp_h\" latestserver\n| stats unique_count(\"id.resp_h\") as unique_hosts by host_key unique_count(host_key) by \"id.resp_h\"\n| eval ( !has(unique_hosts) || unique_hosts \u003e 1 )\n| sort by host_key\n| geoip -r asn_db \"id.resp_h\".ASNOrg\n| table \"id.resp_h\" ASNOrg host_key unique_hosts\n","UUID":"b74b3006-8c12-429e-b9a9-97b8ba71a0d8"},"Hash":[183,123,213,84,16,150,235,51,19,216,68,189,27,200,9,96,175,148,40,82,79,80,119,87,2,29,24,54,59,236,124,193]},{"Name":"ba371dad-2c2a-4ecc-b133-a44d3ca308b9","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek Connection Counts by State","Description":"Chart the number of sessions by connection state as seen by Zeek","Query":"tag=zeekconn ax conn_state |\nstats count by conn_state |\nchart count by conn_state","UUID":"ba371dad-2c2a-4ecc-b133-a44d3ca308b9"},"Hash":[8,228,194,252,54,218,123,41,138,143,162,176,204,196,232,179,54,65,9,9,151,199,226,110,56,184,220,234,195,246,108,180]},{"Name":"bb6db0b3-6637-4a20-9189-8425141660c0","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek All HTTP","Description":"","Query":"tag=zeekhttp ax | table","UUID":"bb6db0b3-6637-4a20-9189-8425141660c0"},"Hash":[137,143,123,215,83,128,101,90,189,164,215,102,161,129,232,111,228,252,133,109,115,25,15,6,198,168,230,29,105,138,142,224]},{"Name":"bbeb4ceb-de1a-4fb6-9e9f-cb4ddd8efdb8","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek HTTP Method Counts","Description":"A chart showing the percentage of each HTTP 
Method","Query":"tag=zeekhttp ax\n| count by method\n| chart count by method","UUID":"bbeb4ceb-de1a-4fb6-9e9f-cb4ddd8efdb8"},"Hash":[73,17,123,126,170,178,187,107,68,207,43,70,164,135,148,169,51,44,137,93,120,144,82,79,11,153,122,213,121,108,43,61]},{"Name":"be0c5d64-10a3-4005-a875-c50b59a5208d","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek least common responding ports","Description":"Least common service ports that respond with data as seen by Zeek","Query":"tag=zeekconn ax \"id.resp_p\" resp_bytes\n| stats count by \"id.resp_p\"\n| eval resp_bytes \u003e 140 \u0026\u0026 \"id.resp_p\" \u003c 16000\n/* Only looking at ports in the lower range */\n| sort by count asc\n| table \"id.resp_p\" count\n","UUID":"be0c5d64-10a3-4005-a875-c50b59a5208d"},"Hash":[152,137,242,64,81,63,132,168,71,248,248,171,227,172,30,169,47,254,54,12,14,97,163,123,72,9,94,234,250,161,80,99]},{"Name":"be9a5c19-d13b-4a28-b08d-423f504b7a8e","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek Service Connection Reset Table","Description":"The number of connection resets per service as seen by zeek","Query":"tag=zeekconn ax conn_state ~ RST proto==tcp service |\nstats count by service conn_state |\nlookup -r zeek_conn_state conn_state state description |\ntable service conn_state count description","UUID":"be9a5c19-d13b-4a28-b08d-423f504b7a8e"},"Hash":[25,206,211,187,95,114,208,177,171,139,74,25,35,87,148,140,99,202,29,98,42,38,223,165,61,182,202,84,40,192,38,205]},{"Name":"becc7280-6d4b-4b38-8b76-5c818aff6cb0","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek All SSH","Description":"All entries from ssh.log","Query":"tag=zeekssh ax | table","UUID":"becc7280-6d4b-4b38-8b76-5c818aff6cb0"},"Hash":[211,179,151,235,14,223,251,75,224,151,175,153,115,83,210,96,135,87,42,39,95,90,93,138,248,114,66,158,134,46,127,79]},{"Name":"c1f75087-b7f7-4ffb-928a-15374ca770e6","Type":"template","AdditionalInfo":{"UUID":"c1f75087-b7f7-4ffb-928a-15374ca770e6","Name":"Zeek total client connections for a 
given IP","Description":"Numbercard of the total service connections as seen by zeek"},"Hash":[145,78,240,206,241,131,185,227,26,234,116,112,239,103,110,203,243,153,152,236,46,172,49,57,107,81,30,199,220,98,66,176]},{"Name":"c43ae566-ae71-436d-9de5-3a905c704a78","Type":"template","AdditionalInfo":{"UUID":"c43ae566-ae71-436d-9de5-3a905c704a78","Name":"Zeek All MYSQL for IP","Description":""},"Hash":[61,209,181,253,159,20,232,178,104,149,95,64,215,212,7,176,225,87,159,234,164,232,197,197,4,219,180,207,143,102,70,242]},{"Name":"c7a1c41e-2b8c-4b38-9551-40de2a1ac907","Type":"template","AdditionalInfo":{"UUID":"c7a1c41e-2b8c-4b38-9551-40de2a1ac907","Name":"Zeek All DHCP for IP","Description":""},"Hash":[225,62,69,77,196,0,132,33,5,163,5,234,153,90,0,164,27,239,103,184,138,67,97,98,7,188,140,73,151,55,56,218]},{"Name":"cd689d30-ac19-4640-8336-c7aa6135c03d","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek Connection Averages","Description":"Table showing averages for traffic, packets, and connection duration for each service","Query":"tag=zeekconn ax service duration orig_bytes resp_bytes orig_pkts resp_pkts\n| stats mean(orig_bytes) as \"Average Downstream Traffic\"\n mean(resp_bytes) as \"Average Upstream Traffic\"\n mean(duration) as \"Average Connection Duration\"\n mean(orig_pkts) as \"Average Downstream Packets\"\n mean(resp_pkts) as \"Average Upstream Packets\" by service\n| eval if (service == \"-\") {service = \"unknown\";}\n| table service \"Average Connection Duration\" \"Average Downstream Traffic\" \"Average Downstream Packets\" \"Average Upstream Traffic\" \"Average Upstream Packets\"\n","UUID":"cd689d30-ac19-4640-8336-c7aa6135c03d"},"Hash":[29,65,71,162,177,168,121,20,218,30,164,83,120,51,213,182,119,73,217,84,197,164,164,70,103,137,9,17,249,0,31,119]},{"Name":"cf20f05e-f1b4-49a6-b695-e70fa5484c08","Type":"template","AdditionalInfo":{"UUID":"cf20f05e-f1b4-49a6-b695-e70fa5484c08","Name":"Zeek Connection Graph for IP","Description":"FDG of IP Connections 
for a given IP as seen by Zeek"},"Hash":[11,103,11,223,223,170,150,114,114,125,139,70,136,54,120,239,178,67,248,144,6,187,253,119,6,91,210,156,176,100,16,5]},{"Name":"d1189e08-78fa-43a7-844b-f038a9cc52e9","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek DHCP Address Assignments","Description":"Table of DHCP address assignments","Query":"tag=zeekdhcp ax mac host_name assigned_addr |\nstats count by mac host_name assigned_addr |\nmaclookup -r mac_prefixes mac.Manufacturer |\ntable mac Manufacturer host_name assigned_addr count","UUID":"d1189e08-78fa-43a7-844b-f038a9cc52e9"},"Hash":[114,159,19,6,146,19,106,225,141,231,48,129,248,53,169,18,232,147,37,156,173,213,5,186,52,173,211,121,204,56,154,56]},{"Name":"d2ea37bd-69ce-4135-b90c-b8aca740de6e","Type":"pivot","AdditionalInfo":{"UUID":"d2ea37bd-69ce-4135-b90c-b8aca740de6e","Name":"Zeek Raw UID Records","Description":"Zeek UIDs (unique identifiers for each flow)"},"Hash":[55,104,44,213,13,116,29,204,70,89,104,35,115,7,45,165,20,33,146,159,130,55,200,5,178,65,249,64,160,108,235,108]},{"Name":"d2f6fe1d-9845-4a2e-a798-21c17012cb33","Type":"template","AdditionalInfo":{"UUID":"d2f6fe1d-9845-4a2e-a798-21c17012cb33","Name":"Zeek DNS Related Subdomains","Description":""},"Hash":[41,90,219,157,180,144,125,50,189,107,238,152,100,168,87,81,175,245,197,214,63,4,52,22,152,250,37,126,103,237,153,251]},{"Name":"d475467d-9bff-426e-ac42-a8a576a8da1f","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek SSH Client Locations","Description":"GeoIP locations for all SSH clients","Query":"tag=zeekssh ax \"id.orig_h\"\n| geoip \"id.orig_h\".Location\n| heatmap \"id.orig_h\"\n","UUID":"d475467d-9bff-426e-ac42-a8a576a8da1f"},"Hash":[202,196,175,233,138,207,193,29,198,230,18,150,137,173,90,4,191,249,171,107,136,139,115,104,145,204,194,111,120,55,205,175]},{"Name":"d6822317-6922-4467-bd6f-8579c16b7201","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek SMB top files","Description":"","Query":"tag=zeeksmb_files ax | count by name | table 
name count","UUID":"d6822317-6922-4467-bd6f-8579c16b7201"},"Hash":[76,237,247,60,161,118,105,29,150,181,117,205,37,16,101,178,123,249,162,179,120,52,255,177,91,72,135,59,95,175,134,224]},{"Name":"d6dbbc30-9fb4-4540-92cc-79bb62201a44","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek DNS SLDs with the most Subdomains","Description":"DNS SLDs with the most Subdomains","Query":"tag=zeekdns ax | unique query | regex -e query \"(?P\u003csld\u003e\\w+\\.\\w+\\s*$)\" | stats count by sld | sort by count desc | limit 100 | table sld count","UUID":"d6dbbc30-9fb4-4540-92cc-79bb62201a44"},"Hash":[126,67,134,239,221,88,240,151,50,204,195,94,189,33,115,69,178,42,133,0,100,100,132,255,226,255,109,47,79,232,111,148]},{"Name":"d8e5f41e-e1fd-4d67-99ee-b03e7750395b","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek Potential DNS Beaconing","Description":"Potential DNS Beacon activity as seen by Zeek","Query":"tag=zeekdns ax query |\nsort by time asc |\ndiff TIMESTAMP by query |\nrequire -s diff |\nstats mean(diff) stddev(diff) count by query |\neval (stddev \u003c mean \u0026\u0026 count \u003e 2) |\neval r = stddev/mean; Duration = duration(mean); |\nsort by r asc |\ntable query Duration count\n","UUID":"d8e5f41e-e1fd-4d67-99ee-b03e7750395b"},"Hash":[27,206,25,208,118,198,127,105,210,53,109,220,122,240,212,28,205,242,57,200,110,15,91,125,203,48,144,144,174,150,179,189]},{"Name":"da40e356-b1ec-43b5-9778-286b9cb983f3","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek Most Queried DNS Name","Description":"Most queried DNS names over time","Query":"tag=zeekdns ax | alias query Name |\nstats count by Name |\nsort by count desc |\nlimit 100 |\ntable Name count","UUID":"da40e356-b1ec-43b5-9778-286b9cb983f3"},"Hash":[148,238,203,77,23,141,158,97,181,59,223,0,238,162,105,137,171,36,176,254,163,219,48,161,83,163,155,137,90,189,131,14]},{"Name":"da541e53-395d-4595-aab5-5b31ee581de3","Type":"template","AdditionalInfo":{"UUID":"da541e53-395d-4595-aab5-5b31ee581de3","Name":"Zeek 
Connstate Chart","Description":"Count of connection states for a given IP as seen by Zeek"},"Hash":[5,43,179,100,126,76,78,187,83,82,29,26,73,211,12,140,61,90,219,122,183,115,83,62,144,28,85,144,27,27,246,58]},{"Name":"de6798c2-51c6-4f7c-8beb-f1e118ce2e9a","Type":"playbook","AdditionalInfo":{"UUID":"568f4ce4-11fb-4c60-8503-07f043c40d7b","Name":"Zeek DNS","Description":""},"Hash":[146,236,22,120,64,106,12,41,8,228,103,129,113,244,132,134,214,5,242,122,149,0,24,209,203,9,42,252,235,165,71,88]},{"Name":"df3b2e72-4416-4d37-96de-63bbffe012f2","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek All DNS","Description":"","Query":"tag=zeekdns ax | table","UUID":"df3b2e72-4416-4d37-96de-63bbffe012f2"},"Hash":[81,144,239,234,24,77,49,6,87,139,96,213,152,241,51,217,212,175,96,4,199,163,146,88,50,53,95,162,126,179,109,166]},{"Name":"e35508b0-15a7-4a0e-9f26-c56a74792547","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek DNS Queries by Resource Record Type","Description":"","Query":"tag=zeekdns ax | lookup -s -r dns_types qtype Value TYPE as dnstype | stats count by dnstype | chart count by dnstype","UUID":"e35508b0-15a7-4a0e-9f26-c56a74792547"},"Hash":[190,1,222,50,139,55,192,110,123,45,182,227,51,193,232,252,169,69,54,39,191,229,115,205,44,45,65,1,250,102,58,180]},{"Name":"e8256f26-e448-4720-a385-c9340cdc5b12","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek SSH Host Keys Seen Per Server","Description":"Count how many SSH host keys we've observed for each server","Query":"tag=zeekssh ax host_key != \"-\"\n| alias \"id.resp_h\" server\n| unique host_key server\n| stats count(host_key) by server\n| table count server\n","UUID":"e8256f26-e448-4720-a385-c9340cdc5b12"},"Hash":[73,103,67,168,43,21,43,17,150,107,1,27,39,173,38,163,218,159,121,240,64,107,9,254,149,206,135,181,82,210,193,11]},{"Name":"ea28dd16-8743-4bc4-8b32-2996809479a6","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek HTTP directory traversal requests","Description":"Show requests that may contain 
directory traversal attacks","Query":"tag=zeekhttp ax uri~\"../..\"\n| table \"id.orig_h\" \"id.resp_h\" host uri status_msg info_code\n","UUID":"ea28dd16-8743-4bc4-8b32-2996809479a6"},"Hash":[212,159,218,50,38,32,171,168,211,118,116,176,126,70,77,59,94,48,40,147,92,205,63,225,182,233,27,222,72,12,116,174]},{"Name":"eaa06af1-9478-4c8e-a78f-7e5a1c11e24f","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek DNS Over Time","Description":"","Query":"tag=zeekdns chart","UUID":"eaa06af1-9478-4c8e-a78f-7e5a1c11e24f"},"Hash":[175,219,99,113,203,140,207,175,98,152,214,89,144,92,85,192,225,48,21,90,30,247,98,42,241,172,86,56,207,206,70,115]},{"Name":"ebdd5381-8e3d-477b-8c2d-154069f156d4","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek SSH banners per server","Description":"Show the count of unique banners for each server IP address, as well as the most recent banner","Query":"tag=zeekssh ax server \"id.resp_h\" \"id.resp_p\"\n| unique server \"id.resp_h\" \"id.resp_p\"\n| alias \"id.resp_h\" serverIP \"id.resp_p\" port server latestbanner\n| count by serverIP port\n| table count serverIP port latestbanner\n","UUID":"ebdd5381-8e3d-477b-8c2d-154069f156d4"},"Hash":[152,35,31,46,210,200,180,202,110,194,180,151,6,49,4,118,144,7,24,20,25,207,165,96,134,84,74,104,26,81,126,253]},{"Name":"ec534f91-4636-4dd6-8dc0-8f4b5e9e0351","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek SMB nonstandard ports","Description":"","Query":"tag=zeeksmb* ax\n| grep -v -e \"id.resp_p\" 445 139\n| count by \"id.resp_h\" \"id.resp_p\"\n| table count \"id.resp_h\" \"id.resp_p\"\n","UUID":"ec534f91-4636-4dd6-8dc0-8f4b5e9e0351"},"Hash":[107,253,159,132,240,81,136,246,124,251,133,133,93,28,37,226,221,6,59,223,232,199,42,1,12,95,81,95,122,217,239,134]},{"Name":"ecd5e418-2ae9-4082-85bc-69265a7c199c","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek All SNMP","Description":"","Query":"tag=zeeksnmp ax | 
table","UUID":"ecd5e418-2ae9-4082-85bc-69265a7c199c"},"Hash":[64,216,154,216,34,91,136,162,134,31,3,183,112,171,76,215,21,204,12,21,39,233,248,175,245,115,43,9,75,228,85,97]},{"Name":"ece007c9-9423-435d-8f7b-7c8196e673e5","Type":"template","AdditionalInfo":{"UUID":"ece007c9-9423-435d-8f7b-7c8196e673e5","Name":"Zeek DNS Requests over Time","Description":""},"Hash":[36,152,230,48,242,165,95,43,57,236,18,99,47,233,110,122,251,26,126,29,0,24,60,209,118,143,22,55,147,108,10,163]},{"Name":"ed6b42ae-bf10-4a6b-9f81-212cfbbc0549","Type":"template","AdditionalInfo":{"UUID":"ed6b42ae-bf10-4a6b-9f81-212cfbbc0549","Name":"Zeek All Connections for IP","Description":""},"Hash":[54,124,196,161,159,103,60,36,168,208,163,123,139,206,80,67,14,77,242,26,0,97,56,213,162,78,24,34,70,20,128,16]},{"Name":"expired_x509","Type":"resource","AdditionalInfo":{"VersionNumber":10,"ResourceName":"expired_x509","Description":"Filter script for expired x509 certificates.","Size":501,"Labels":null},"Hash":[173,207,177,7,12,137,248,205,221,187,140,1,51,217,13,240,72,124,94,67,236,65,121,20,95,60,240,104,192,20,189,220]},{"Name":"f00f36ca-7c60-480c-b03e-3e383026ba91","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek All DNP3","Description":"","Query":"tag=zeekdnp3 ax | table","UUID":"f00f36ca-7c60-480c-b03e-3e383026ba91"},"Hash":[122,83,79,251,41,255,247,151,126,90,12,173,145,25,77,95,162,80,170,115,64,102,129,79,92,57,159,220,29,21,49,129]},{"Name":"f12292f2-6a00-4406-bbbc-3ca08ebff02d","Type":"template","AdditionalInfo":{"UUID":"f12292f2-6a00-4406-bbbc-3ca08ebff02d","Name":"Zeek DNS Totals by Client","Description":""},"Hash":[60,14,47,19,65,69,254,208,147,230,115,196,93,122,29,62,138,21,108,132,79,107,57,215,104,16,49,178,236,28,149,85]},{"Name":"f2082885-ed25-411c-b18a-e5fa6debe3d0","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek SSH server chart of client counts","Description":"","Query":"tag=zeekssh ax \"id.orig_h\" \"id.resp_h\"\n| count \"id.orig_h\" by \"id.resp_h\"\n| alias 
\"id.resp_h\" server\n| chart count by server\n","UUID":"f2082885-ed25-411c-b18a-e5fa6debe3d0"},"Hash":[50,102,123,154,61,102,51,5,72,158,217,144,1,131,48,11,84,49,232,32,63,81,196,194,137,149,109,61,112,98,4,166]},{"Name":"f411799f-a175-4290-ba2c-d45c9760a952","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek SMB private IP graph","Description":"","Query":"tag=zeeksmb* ax \"id.orig_h\" \"id.resp_h\"\n| ip \"id.orig_h\" ~ \"PRIVATE\" \"id.resp_h\" ~ \"PRIVATE\"\n| fdg \"id.orig_h\" \"id.resp_h\"\n","UUID":"f411799f-a175-4290-ba2c-d45c9760a952"},"Hash":[69,58,117,80,154,227,78,237,51,2,85,88,198,147,207,162,122,120,45,126,36,110,231,6,174,47,146,159,5,79,140,125]},{"Name":"f62eff4f-0eaa-4b70-91b3-48f0c11c32c2","Type":"template","AdditionalInfo":{"UUID":"f62eff4f-0eaa-4b70-91b3-48f0c11c32c2","Name":"Zeek All Syslog for IP","Description":"syslog.log"},"Hash":[158,146,83,8,242,204,93,151,226,86,46,56,103,94,169,54,141,38,99,155,71,254,145,85,74,87,26,106,4,85,222,66]},{"Name":"f88fd1bc-96c1-45e3-b79d-8ec1b26006da","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek x509 Find Expired Certificates","Description":"List certificates which have expired.","Query":"tag=zeekx509 ax | anko expired_x509 not_valid_after | time not_valid_after expired_on | table subject issuer dns expired_on","UUID":"f88fd1bc-96c1-45e3-b79d-8ec1b26006da"},"Hash":[142,255,74,27,89,43,127,162,203,242,111,250,20,78,18,84,231,190,206,198,4,253,187,238,73,61,63,240,59,10,212,136]},{"Name":"f8c87f18-bbd1-4e56-863c-682f81bf44a6","Type":"file","AdditionalInfo":{"UUID":"f8c87f18-bbd1-4e56-863c-682f81bf44a6","Name":"zeek-banner.png","Description":"Banner for Zeek Gravwell Kit","Size":20199,"ContentType":"image/png"},"Hash":[241,250,46,138,231,255,8,92,218,109,239,47,226,106,7,164,161,39,166,79,126,1,20,189,78,47,228,207,152,236,123,206]},{"Name":"f9b2a17b-06a3-4feb-86d4-cc118b240a76","Type":"searchlibrary","AdditionalInfo":{"Name":"Zeek SSH on unusual ports","Description":"","Query":"tag=zeekssh ax 
\"id.resp_p\" != 22\n| table\n","UUID":"f9b2a17b-06a3-4feb-86d4-cc118b240a76"},"Hash":[243,38,21,131,35,219,39,83,21,155,23,22,188,22,213,111,221,168,202,144,144,171,226,54,208,14,73,150,193,160,254,37]},{"Name":"fc2dcd57-0550-41a3-80f2-88b421acdd26","Type":"template","AdditionalInfo":{"UUID":"fc2dcd57-0550-41a3-80f2-88b421acdd26","Name":"Zeek Most Common SLDs by Client","Description":""},"Hash":[118,106,96,101,35,150,180,4,143,197,2,101,128,106,13,86,189,205,127,210,154,187,37,50,156,20,132,143,251,156,104,198]},{"Name":"fc4903f9-023c-42a5-a061-1cd5725e7f1a","Type":"template","AdditionalInfo":{"UUID":"fc4903f9-023c-42a5-a061-1cd5725e7f1a","Name":"Zeek All HTTP for IP","Description":""},"Hash":[223,46,57,112,243,81,80,115,61,241,117,114,233,165,9,213,49,164,243,224,25,29,131,128,200,219,247,33,215,2,167,214]},{"Name":"fdbd8988-3e8b-4bc7-895c-4dbe841d91d5","Type":"template","AdditionalInfo":{"UUID":"fdbd8988-3e8b-4bc7-895c-4dbe841d91d5","Name":"Zeek All SMB Mapping for IP","Description":""},"Hash":[18,199,52,73,182,51,30,238,124,158,100,68,114,121,200,14,107,221,189,82,73,187,45,223,240,43,192,96,47,139,111,160]},{"Name":"feb7147b-e462-40e0-ab54-b98f8e67b853","Type":"template","AdditionalInfo":{"UUID":"feb7147b-e462-40e0-ab54-b98f8e67b853","Name":"Zeek DNS Over Time","Description":""},"Hash":[82,219,185,113,201,200,175,106,131,241,180,231,240,159,110,50,251,44,228,250,181,163,233,255,150,178,102,152,182,172,126,64]},{"Name":"ffad28e0-2b62-44b9-ab43-443306a80d20","Type":"template","AdditionalInfo":{"UUID":"ffad28e0-2b62-44b9-ab43-443306a80d20","Name":"Zeek All SMB Files for IP","Description":""},"Hash":[25,165,91,110,79,80,179,40,88,189,222,248,233,96,100,27,22,252,117,116,198,171,136,88,207,65,239,129,181,100,43,72]},{"Name":"zeekconn","Type":"autoextractor","AdditionalInfo":{"name":"zeekconn","desc":"Zeek conn 
logs","module":"fields","tag":"zeekconn"},"Hash":[221,182,242,0,80,128,109,1,106,73,39,150,119,247,211,13,251,157,22,247,83,76,71,240,212,102,118,45,246,79,131,135]},{"Name":"zeek_conn_state","Type":"resource","AdditionalInfo":{"VersionNumber":1,"ResourceName":"zeek_conn_state","Description":"Zeek conn_state connection state descriptions","Size":661,"Labels":null},"Hash":[227,13,13,183,206,231,34,96,197,115,7,72,210,114,142,39,200,31,37,167,145,74,33,189,107,112,109,177,142,138,86,152]},{"Name":"zeekdhcp","Type":"autoextractor","AdditionalInfo":{"name":"zeekdhcp","desc":"Zeek dhcp logs","module":"fields","tag":"zeekdhcp"},"Hash":[31,96,231,168,86,114,225,220,148,249,47,101,193,128,137,17,109,212,236,49,174,167,6,113,175,22,117,86,47,132,213,88]},{"Name":"zeekdnp3","Type":"autoextractor","AdditionalInfo":{"name":"Zeekdnp3","desc":"Zeek DNP3 AX","module":"fields","tag":"zeekdnp3"},"Hash":[61,145,173,99,235,136,2,239,52,122,3,235,203,194,205,206,99,63,232,37,5,184,234,56,139,108,177,145,215,101,29,158]},{"Name":"zeekdns","Type":"autoextractor","AdditionalInfo":{"name":"zeekdns","desc":"Zeek dns logs","module":"fields","tag":"zeekdns"},"Hash":[250,191,124,116,120,78,62,222,67,120,24,122,203,135,54,88,145,243,202,98,76,218,137,159,43,49,166,39,175,118,158,199]},{"Name":"zeekdpd","Type":"autoextractor","AdditionalInfo":{"name":"zeekdpd","desc":"Zeek DPD logs","module":"fields","tag":"zeekdpd"},"Hash":[167,3,182,98,75,43,26,105,186,123,242,72,93,130,116,13,128,25,80,24,81,151,222,152,219,3,228,172,78,41,48,143]},{"Name":"zeekfiles","Type":"autoextractor","AdditionalInfo":{"name":"zeekfiles","desc":"Zeek files logs","module":"fields","tag":"zeekfiles"},"Hash":[14,70,36,48,29,169,31,18,35,244,51,253,168,113,60,16,90,245,93,44,225,126,4,218,147,139,150,24,215,246,166,83]},{"Name":"zeekftp","Type":"autoextractor","AdditionalInfo":{"name":"zeekftp","desc":"Zeek FTP 
logs","module":"fields","tag":"zeekftp"},"Hash":[202,170,142,107,12,212,155,235,191,18,227,116,130,85,55,221,28,103,205,175,183,25,35,118,17,16,217,98,90,139,52,218]},{"Name":"zeekhttp","Type":"autoextractor","AdditionalInfo":{"name":"zeekhttp","desc":"Zeek http logs","module":"fields","tag":"zeekhttp"},"Hash":[22,132,87,211,184,112,31,203,134,212,93,178,240,45,26,88,82,10,195,111,136,242,165,145,255,244,151,96,54,16,1,119]},{"Name":"zeekintel","Type":"autoextractor","AdditionalInfo":{"name":"zeekintel","desc":"Zeek intel logs","module":"fields","tag":"zeekintel"},"Hash":[230,158,251,78,161,162,226,55,133,225,242,61,72,65,146,114,195,31,57,157,34,2,164,46,221,204,122,144,233,7,25,241]},{"Name":"zeekirc","Type":"autoextractor","AdditionalInfo":{"name":"zeekirc","desc":"Zeek IRC logs","module":"fields","tag":"zeekirc"},"Hash":[79,29,194,155,158,253,243,75,201,81,112,224,189,84,124,75,138,120,254,113,30,31,163,148,168,65,27,238,147,89,134,210]},{"Name":"zeekkerberos","Type":"autoextractor","AdditionalInfo":{"name":"zeekkerberos","desc":"Zeek Kerberos logs","module":"fields","tag":"zeekkerberos"},"Hash":[25,152,199,13,225,24,125,102,45,228,98,142,92,60,80,8,225,252,124,239,230,243,72,237,103,176,175,60,78,14,0,54]},{"Name":"zeekmodbus","Type":"autoextractor","AdditionalInfo":{"name":"zeekmodbus","desc":"Zeek modbus logs","module":"fields","tag":"zeekmodbus"},"Hash":[113,78,174,220,135,220,252,84,77,143,166,138,115,177,203,169,79,205,114,87,50,31,191,225,39,215,247,158,114,238,71,14]},{"Name":"zeekmysql","Type":"autoextractor","AdditionalInfo":{"name":"zeekmysql","desc":"Zeek mysql logs","module":"fields","tag":"zeekmysql"},"Hash":[171,71,83,171,161,155,137,243,104,240,88,24,104,174,227,205,165,73,44,30,11,69,195,154,77,230,150,84,20,78,153,50]},{"Name":"zeeknotice","Type":"autoextractor","AdditionalInfo":{"name":"zeeknotice","desc":"Zeek Notice 
logs","module":"fields","tag":"zeeknotice"},"Hash":[249,15,119,235,237,168,1,7,17,57,192,75,163,169,177,23,161,239,6,4,53,156,99,240,182,75,185,186,146,30,161,181]},{"Name":"zeekntp","Type":"autoextractor","AdditionalInfo":{"name":"zeekntp","desc":"Zeek NTP logs","module":"fields","tag":"zeekntp"},"Hash":[67,17,163,234,225,31,58,175,13,50,85,127,82,244,188,207,128,248,161,192,139,60,155,129,57,16,18,68,108,170,236,230]},{"Name":"zeekpe","Type":"autoextractor","AdditionalInfo":{"name":"zeekpe","desc":"Zeek PE logs","module":"fields","tag":"zeekpe"},"Hash":[116,61,26,4,238,66,244,154,119,139,108,57,114,114,29,68,166,20,78,242,252,185,44,28,149,46,123,155,39,143,226,96]},{"Name":"zeekradius","Type":"autoextractor","AdditionalInfo":{"name":"zeekradius","desc":"Zeek radius logs","module":"fields","tag":"zeekradius"},"Hash":[12,183,36,80,4,23,63,253,235,217,179,131,4,71,4,248,201,61,130,202,241,180,54,138,214,15,193,173,183,86,80,81]},{"Name":"zeekrdp","Type":"autoextractor","AdditionalInfo":{"name":"zeekrdp","desc":"Zeek rdp logs","module":"fields","tag":"zeekrdp"},"Hash":[186,57,31,216,43,246,200,128,165,26,59,230,112,151,186,77,84,202,27,122,247,207,230,231,164,236,42,168,15,171,90,56]},{"Name":"zeekrfb","Type":"autoextractor","AdditionalInfo":{"name":"zeekrfb","desc":"Zeek rfb logs","module":"fields","tag":"zeekrfb"},"Hash":[27,18,255,218,20,205,101,105,203,150,132,224,26,46,133,3,86,125,128,31,211,53,179,225,137,250,231,0,141,50,180,100]},{"Name":"zeeksignature","Type":"autoextractor","AdditionalInfo":{"name":"zeeksignature","desc":"Zeek signature logs","module":"fields","tag":"zeeksignature"},"Hash":[64,160,173,196,57,11,250,154,70,142,45,192,134,217,40,39,242,171,146,243,106,108,60,42,79,114,159,211,150,248,6,94]},{"Name":"zeeksip","Type":"autoextractor","AdditionalInfo":{"name":"zeeksip","desc":"Zeek SIP 
logs","module":"fields","tag":"zeeksip"},"Hash":[141,93,131,250,125,178,165,210,95,209,21,67,92,95,152,160,144,243,144,169,217,35,184,147,156,75,25,98,74,191,73,210]},{"Name":"zeeksmb_files","Type":"autoextractor","AdditionalInfo":{"name":"Zeek SMB Files","desc":"Zeek Samba File","module":"fields","tag":"zeeksmb_files"},"Hash":[92,205,231,183,23,91,119,237,18,71,208,148,58,63,233,45,186,231,209,58,186,176,215,136,139,135,141,91,163,18,93,93]},{"Name":"zeeksmb_mapping","Type":"autoextractor","AdditionalInfo":{"name":"Zeek SMB Mapping","desc":"Zeek Samba Mapping Log","module":"fields","tag":"zeeksmb_mapping"},"Hash":[121,0,36,132,195,27,129,181,62,28,36,249,21,51,61,147,226,125,31,165,149,156,234,156,75,96,251,238,101,113,96,166]},{"Name":"zeeksmtp","Type":"autoextractor","AdditionalInfo":{"name":"zeeksmtp","desc":"Zeek SMTP logs","module":"fields","tag":"zeeksmtp"},"Hash":[190,144,67,138,0,190,114,22,210,247,163,64,73,113,106,103,211,200,51,34,88,95,164,250,158,200,2,132,247,79,225,108]},{"Name":"zeeksnmp","Type":"autoextractor","AdditionalInfo":{"name":"zeeksnmp","desc":"Zeek SNMP logs","module":"fields","tag":"zeeksnmp"},"Hash":[160,75,179,16,137,64,176,88,33,219,144,69,162,246,241,147,18,122,89,69,39,87,14,71,135,61,25,56,135,109,17,10]},{"Name":"zeeksocks","Type":"autoextractor","AdditionalInfo":{"name":"zeeksocks","desc":"Zeek socks logs","module":"fields","tag":"zeeksocks"},"Hash":[226,228,249,253,154,148,248,103,97,244,115,202,36,156,38,67,213,26,222,242,80,105,130,243,255,171,197,67,158,40,113,155]},{"Name":"zeeksoftware","Type":"autoextractor","AdditionalInfo":{"name":"zeeksoftware","desc":"Zeek software logs","module":"fields","tag":"zeeksoftware"},"Hash":[245,210,206,199,84,34,163,151,190,10,5,21,192,174,67,44,125,197,42,212,85,107,33,220,229,197,130,130,117,174,221,184]},{"Name":"zeekssh","Type":"autoextractor","AdditionalInfo":{"name":"zeekssh","desc":"Zeek SSH 
logs","module":"fields","tag":"zeekssh"},"Hash":[110,132,150,24,11,196,199,64,232,88,12,141,211,172,135,223,208,213,111,237,14,123,179,159,152,124,68,4,198,58,100,165]},{"Name":"zeekssl","Type":"autoextractor","AdditionalInfo":{"name":"zeekssl","desc":"Zeek ssl logs","module":"fields","tag":"zeekssl"},"Hash":[119,105,216,41,88,4,196,46,176,114,31,147,125,231,23,197,55,93,204,165,186,210,34,41,164,238,68,135,63,133,121,108]},{"Name":"zeeksyslog","Type":"autoextractor","AdditionalInfo":{"name":"zeeksyslog","desc":"Zeek Syslog logs","module":"fields","tag":"zeeksyslog"},"Hash":[54,109,209,96,118,91,250,51,120,46,90,25,77,71,172,213,142,11,178,69,140,252,231,198,61,192,80,0,92,185,121,10]},{"Name":"zeektunnel","Type":"autoextractor","AdditionalInfo":{"name":"zeektunnel","desc":"Zeek tunnel logs","module":"fields","tag":"zeektunnel"},"Hash":[207,98,130,5,85,230,66,20,67,199,122,245,55,237,91,182,2,132,195,70,59,152,66,122,204,126,108,36,77,211,81,202]},{"Name":"zeekweird","Type":"autoextractor","AdditionalInfo":{"name":"zeekweird","desc":"Zeek weird logs","module":"fields","tag":"zeekweird"},"Hash":[4,42,53,74,185,86,244,238,29,28,1,42,59,241,102,195,234,134,34,76,45,21,26,210,83,127,113,53,52,121,6,217]},{"Name":"zeekx509","Type":"autoextractor","AdditionalInfo":{"name":"zeekx509","desc":"Zeek X509 logs","module":"fields","tag":"zeekx509"},"Hash":[108,247,60,40,254,75,190,202,34,137,170,192,209,155,160,112,95,234,181,9,35,103,93,134,231,213,48,225,179,236,154,93]},{"Name":"70149c86-e4a6-4385-82cd-12bc9e2e3e95","Type":"dashboard","AdditionalInfo":{"UUID":"70149c86-e4a6-4385-82cd-12bc9e2e3e95","Name":"Zeek Investigate Responder Port","Description":"Investigate given responder port using the Zeek conn.log"},"Hash":[15,81,30,118,98,22,87,226,224,53,187,56,15,186,51,109,196,187,175,86,77,157,50,211,38,108,225,160,244,31,218,221]},{"Name":"c3ceb661-4d6d-4bb8-8970-fad4c353b9d5","Type":"template","AdditionalInfo":{"UUID":"c3ceb661-4d6d-4bb8-8970-fad4c353b9d5","Name":"Zeek 
connection count details by host, service, org for id.resp_p","Description":"Table of connection count details by host, service, org with responder port"},"Hash":[124,118,253,65,84,169,154,15,237,198,19,38,238,92,246,34,224,195,32,140,24,124,12,150,211,102,57,190,39,59,183,130]},{"Name":"4c80351e-2fa9-4bee-8c1c-75933b202872","Type":"template","AdditionalInfo":{"UUID":"4c80351e-2fa9-4bee-8c1c-75933b202872","Name":"Zeek connection count overview for id.resp_p","Description":"Connection count overview as seen by Zeek using responder port variable"},"Hash":[176,59,153,181,208,9,139,253,171,183,198,241,168,194,37,167,165,132,205,247,182,174,132,46,149,101,68,15,28,140,141,15]},{"Name":"a3df4926-8c9f-4b7b-a0e7-bfffd62220a3","Type":"template","AdditionalInfo":{"UUID":"a3df4926-8c9f-4b7b-a0e7-bfffd62220a3","Name":"Zeek connection count by service for id.resp_p","Description":"Chart of connection counts per service as seen by Zeek with responder port"},"Hash":[13,95,190,183,200,48,221,129,113,22,48,103,248,58,78,1,251,198,169,118,35,181,219,32,91,141,188,135,80,161,95,168]},{"Name":"89daadc2-56da-4cae-94b7-e2e607b3eaf3","Type":"template","AdditionalInfo":{"UUID":"89daadc2-56da-4cae-94b7-e2e607b3eaf3","Name":"Zeek connection traffic total details by org for id.resp_p","Description":"Table of connection traffic details by org with responding port"},"Hash":[128,143,89,57,93,190,255,33,0,148,178,221,235,226,228,244,110,126,135,72,10,120,17,51,64,40,107,230,14,37,104,158]},{"Name":"1abce41f-2f29-44ca-8e89-8c3905b3bb4e","Type":"template","AdditionalInfo":{"UUID":"1abce41f-2f29-44ca-8e89-8c3905b3bb4e","Name":"Zeek totals by traffic direction for id.resp_p","Description":"Chart the upload and download traffic as seen by zeek with responder 
port"},"Hash":[113,31,177,99,195,20,57,8,253,187,164,195,96,166,202,178,234,73,207,72,204,58,198,124,108,36,217,24,119,139,142,94]},{"Name":"c3008942-a2af-41ab-801f-8745a5181559","Type":"template","AdditionalInfo":{"UUID":"c3008942-a2af-41ab-801f-8745a5181559","Name":"Zeek connection count by state for id.resp_p","Description":"Chart the number of sessions by connection state as seen by Zeek with responder port"},"Hash":[53,232,253,212,229,89,109,20,27,51,33,84,246,125,26,193,217,222,112,10,252,65,196,158,196,7,233,142,241,73,133,144]},{"Name":"801b18a6-4c1a-4161-9d2c-db8c0333b65a","Type":"pivot","AdditionalInfo":{"UUID":"801b18a6-4c1a-4161-9d2c-db8c0333b65a","Name":"Zeek Port number","Description":"Zeek actions on port numbers"},"Hash":[125,98,58,76,136,56,182,84,238,125,174,198,144,197,203,218,99,107,202,144,105,77,70,251,8,22,111,67,191,27,129,160]}],"ConfigMacros":null},{"ID":"io.gravwell.weather","Name":"Weather","UUID":"4d8477d8-45e9-4472-a2be-4675106afb12","Version":3,"Description":"Pulls and analyzes current weather conditions","Readme":"","Signed":true,"AdminRequired":false,"MinVersion":{"Major":0,"Minor":0,"Point":0},"MaxVersion":{"Major":0,"Minor":0,"Point":0},"Size":53760,"Created":"2021-09-14T20:51:01.924559804Z","Ingesters":[""],"Tags":[""],"Assets":[{"Type":"image","Source":"cover.jpg","Legend":"DNS","Featured":true,"Banner":false},{"Type":"readme","Source":"README.md","Legend":"","Featured":false,"Banner":false}],"Dependencies":null,"Items":[{"Name":"BSD-2","Type":"license","AdditionalInfo":"Copyright 2021 Gravwell Inc.\n\nRedistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:\n\n1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.\n\n2. 
Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.","Hash":[54,152,143,223,158,249,179,152,34,170,39,46,218,201,79,93,70,122,194,92,8,74,48,72,161,148,1,8,214,55,195,39]},{"Name":"75","Type":"dashboard","AdditionalInfo":{"UUID":"ff2f2ab5-8ef9-4e12-9b7c-371b6c6af57e","Name":"Weather Overview","Description":"An overview of weather conditions over the last week"},"Hash":[87,237,231,137,146,31,65,239,181,247,87,21,225,11,100,143,9,74,107,16,149,170,116,65,239,55,115,174,183,227,9,176]},{"Name":"Weather Fetcher","Type":"scheduled search","AdditionalInfo":{"Name":"Weather Fetcher","Description":"Hit openweathermap.org for current weather data","Schedule":"* * * * *","Script":"var strings = import(\"strings\")\nvar url = import(\"net/url\")\nvar fmt = import(\"fmt\")\nvar time = import(\"time\")\n\ntemplate = \"https://api.openweathermap.org/data/2.5/weather?q=%s\u0026APPID=%s\u0026units=%s\"\n\n# Read the API key config macro\napiKey, err = getMacro(\"$WEATHER_KIT_APIKEY\")\nif err != nil {\n return err\n}\n\n# Read the location(s) config macro\nlocations, err = 
getMacro(\"$WEATHER_KIT_LOCATIONS\")\nif err != nil {\n return err\n}\n\n# Read the units config macro\nunits, err = getMacro(\"$WEATHER_KIT_UNITS\")\nif err != nil {\n return err\n}\n\nif len(locations) == 0 {\n return \"No location given\"\n}\n\n# Separate the locations (colon-separated list)\nlocs = strings.Split(locations,\":\")\n\n# Now hit the API for each one\nkey = url.QueryEscape(apiKey)\nents = make([]Entry)\nfor l in locs {\n l = url.QueryEscape(l)\n q = fmt.Sprintf(template, l, key, units)\n println(q)\n res, err = httpGet(q)\n if err != nil {\n println(err)\n continue\n }\n println(res)\n e = newEntry(time.Now(), res)\n ents += e\n}\ningestEntries(ents, \"weather\")","DefaultDeploymentRules":{"Disabled":false,"RunImmediately":false}},"Hash":[121,226,14,113,192,191,185,104,168,224,79,76,152,174,35,128,130,129,109,61,221,247,203,105,22,75,41,247,84,253,30,129]},{"Name":"53131f80-d01d-49e0-ae86-f551424fc3c7","Type":"file","AdditionalInfo":{"UUID":"53131f80-d01d-49e0-ae86-f551424fc3c7","Name":"Weather icon","Description":"The icon for the weather kit","Size":27734,"ContentType":"image/jpeg"},"Hash":[123,126,232,23,132,204,50,142,95,219,178,95,138,110,207,60,121,125,2,237,140,125,72,156,176,230,33,60,222,199,68,58]}],"ConfigMacros":[{"MacroName":"WEATHER_KIT_APIKEY","Description":"Your OpenWeatherMap API key","DefaultValue":"replaceme","Value":"","Type":"","InstalledByID":""},{"MacroName":"WEATHER_KIT_LOCATIONS","Description":"Colon-separated list of locations to fetch weather for. 
Can be city names or zip codes.","DefaultValue":"Albuquerque:83814","Value":"","Type":"","InstalledByID":""},{"MacroName":"WEATHER_KIT_UNITS","Description":"Which units to use (imperial or metric)","DefaultValue":"imperial","Value":"","Type":"","InstalledByID":""}]},{"ID":"io.gravwell.gravwell","Name":"Gravwell Kit","UUID":"5ede859e-7014-417e-aeed-397807f39290","Version":12,"Description":"Gravwell infrastructure monitoring kit.","Readme":"","Signed":true,"AdminRequired":false,"MinVersion":{"Major":5,"Minor":5,"Point":0},"MaxVersion":{"Major":0,"Minor":0,"Point":0},"Size":192512,"Created":"2024-10-07T23:41:20.641271046Z","Ingesters":null,"Tags":["gravwell"],"Assets":[{"Type":"image","Source":"cover.png","Legend":"Gravwell","Featured":true,"Banner":false},{"Type":"image","Source":"banner.png","Legend":"Gravwell","Featured":true,"Banner":true},{"Type":"readme","Source":"README.md","Legend":"","Featured":false,"Banner":false}],"Dependencies":null,"Items":[{"Name":"05653c81-39af-4f60-8417-78ff25de6a4a","Type":"searchlibrary","AdditionalInfo":{"Name":"Gravwell: Scheduled Script Execution Counts","Description":"Table of scheduled search activity","Query":"tag=gravwell syslog Hostname Appname==searchagent Message==\"start\" type language uid\n| stats count by type language uid\n| table type language Hostname uid count\n","UUID":"05653c81-39af-4f60-8417-78ff25de6a4a"},"Hash":[199,81,191,4,150,62,134,105,229,250,137,35,27,157,139,101,136,4,200,172,101,0,227,93,113,108,13,57,13,186,42,61]},{"Name":"72f78980-4314-11ec-bf89-53fcd52b4cb9","Type":"searchlibrary","AdditionalInfo":{"Name":"Gravwell: Automations Failures","Description":"Table of automation failures with reason","Query":"tag=gravwell syslog Hostname Appname==searchagent Message==error id uid type runtime error\n| stats mean(runtime) as meanruntime count by id uid type error\n| table TIMESTAMP id uid type meanruntime count 
error\n","UUID":"72f78980-4314-11ec-bf89-53fcd52b4cb9"},"Hash":[184,22,6,238,224,52,44,65,184,52,22,98,40,208,27,34,249,1,209,38,3,76,246,123,114,56,96,176,158,27,66,107]},{"Name":"AGG_TAGS_MT","Type":"macro","AdditionalInfo":{"Name":"AGG_TAGS_MT","Description":"Maxtracked for Tag Aggregates Flow","Expansion":"2000000\n"},"Hash":[217,229,129,115,98,57,49,29,172,245,201,164,137,25,77,140,44,101,228,228,85,226,76,250,175,70,52,82,5,238,203,89]},{"Name":"CONVERT_BYTES_GB","Type":"macro","AdditionalInfo":{"Name":"CONVERT_BYTES_GB","Description":"Converts Bytes to GB","Expansion":"float(round((%%1%%/(1000*1000*1000))*1000)/1000)"},"Hash":[135,137,115,79,121,108,106,190,133,183,169,68,204,120,147,19,158,219,55,212,154,211,179,1,66,222,40,122,62,156,89,78]},{"Name":"TARGET_INGEST","Type":"macro","AdditionalInfo":{"Name":"TARGET_INGEST","Description":"Target Daily Ingestion Rate","Expansion":"15"},"Hash":[178,245,217,172,0,22,101,116,229,179,71,35,159,116,58,123,137,163,98,171,225,69,202,152,22,206,113,120,180,21,50,166]},{"Name":"09411e91-71cc-43c3-b4c7-5c8a2dc05180","Type":"file","AdditionalInfo":{"UUID":"09411e91-71cc-43c3-b4c7-5c8a2dc05180","Name":"Gravwell Kit banner","Description":"","Size":57145,"ContentType":"image/png"},"Hash":[241,203,24,66,185,150,60,186,15,125,251,58,16,5,158,232,107,235,49,1,246,220,135,224,143,45,255,29,3,215,167,25]},{"Name":"97e7479d-d284-4efb-afe4-f30848f6f851","Type":"file","AdditionalInfo":{"UUID":"97e7479d-d284-4efb-afe4-f30848f6f851","Name":"Gravwell Kit cover","Description":"","Size":13114,"ContentType":"image/png"},"Hash":[72,152,66,192,20,151,115,47,2,73,89,176,140,229,48,91,180,28,240,228,26,141,35,127,248,247,127,138,187,81,206,130]},{"Name":"7c0e72bc-c473-4eca-8fd5-82fc3c4da156","Type":"dashboard","AdditionalInfo":{"UUID":"7c0e72bc-c473-4eca-8fd5-82fc3c4da156","Name":"Gravwell: User Overview","Description":"Dashboard for monitoring user 
activity"},"Hash":[97,206,14,22,82,24,225,129,174,217,209,105,249,119,14,76,120,85,224,219,42,208,189,39,32,153,49,193,115,253,115,18]},{"Name":"8e3396a2-4d8e-4dad-b748-ebf8272d8594","Type":"dashboard","AdditionalInfo":{"UUID":"8e3396a2-4d8e-4dad-b748-ebf8272d8594","Name":"Gravwell: Data Ingestion","Description":"Dashboard for monitoring Data Ingestion"},"Hash":[94,170,224,60,14,30,152,49,242,163,63,98,24,3,171,162,210,53,64,60,121,72,66,181,198,141,122,74,69,125,226,38]},{"Name":"712eac62-4f7c-4844-8223-8c3480315c42","Type":"searchlibrary","AdditionalInfo":{"Name":"Gravwell: Active Users","Description":"Display users active within the last 5 minutes","Query":"tag=gravwell syslog Structured.user as User \n| eval ( int(TIMESTAMP) \u003e int(NOW) - 300 ) \n| sort by User \n| unique User \n| table","UUID":"712eac62-4f7c-4844-8223-8c3480315c42"},"Hash":[143,24,194,124,63,219,98,12,43,102,144,122,6,168,180,102,35,168,50,167,135,42,106,49,26,246,36,235,110,27,101,27]},{"Name":"148974ef-3cd2-4945-8b1c-b88d5faca1ef","Type":"searchlibrary","AdditionalInfo":{"Name":"Gravwell: Last Login by User","Description":"Display details for user's last login","Query":"tag=gravwell syslog Message==\"User logged in\" Structured.user as User \n| time -f \"Mon Jan _2 15:04:05 MST 2006\" TIMESTAMP Time \n| sort by User \n| unique User \n| table User Time","UUID":"148974ef-3cd2-4945-8b1c-b88d5faca1ef"},"Hash":[250,131,26,74,105,2,111,142,255,190,90,121,152,235,180,69,171,208,174,197,242,249,177,54,50,219,194,69,231,9,148,165]},{"Name":"751c88a0-741b-4a01-9191-499977b7cb40","Type":"searchlibrary","AdditionalInfo":{"Name":"Gravwell: Total Queries by Tag","Description":"Count most queried Tags and associated users","Query":"@tags{\n tag=gravwell syslog Message==\"Completed search launch\" Structured.query as Query Structured.user as User \n | regex -e Query \"tag=(?P\u003cTag\u003e\\S+)\" \n | unique User Tag \n | transaction -rsep \", \" -e User Tag \n | table transaction 
Tag\n};\n\ntag=gravwell syslog Message==\"Completed search launch\" Structured.query as Query Structured.user as User \n| regex -e Query \"tag=(?P\u003cTag\u003e\\S+)\" \n| count by Tag User \n| lookup -r @tags Tag Tag transaction as Users \n| table count Tag Users","UUID":"751c88a0-741b-4a01-9191-499977b7cb40"},"Hash":[130,184,124,165,121,231,198,0,75,109,233,122,78,201,89,176,107,95,22,239,206,66,246,111,24,224,51,209,204,160,108,96]},{"Name":"99ddc0ad-87bb-4464-8e80-87ebb64464c1","Type":"searchlibrary","AdditionalInfo":{"Name":"Gravwell: Total Queries by User","Description":"Count of total queries by user","Query":"tag=gravwell syslog Message==\"Completed search launch\" Structured.query as Query Structured.user as User \n| count by User \n| table count User","UUID":"99ddc0ad-87bb-4464-8e80-87ebb64464c1"},"Hash":[194,242,96,190,90,168,17,212,187,68,123,68,70,5,59,147,178,219,43,182,167,122,129,65,213,136,173,135,242,89,42,59]},{"Name":"8728d5e6-d323-4c86-829d-90deb6eac928","Type":"searchlibrary","AdditionalInfo":{"Name":"Gravwell: Most Recent Queries by User","Description":"Display most recent successfully launched query per user","Query":"tag=gravwell syslog Message==\"Completed search launch\" Structured.query as Query Structured.user as User \n| stats max(TIMESTAMP) by User\n| table User Query TIMESTAMP\n","UUID":"8728d5e6-d323-4c86-829d-90deb6eac928"},"Hash":[203,220,252,229,105,150,167,73,124,104,175,48,211,200,213,208,65,62,227,42,193,114,43,81,83,176,219,16,186,136,158,85]},{"Name":"5a9ce4cd-0319-486d-b5ec-1d81219d86c5","Type":"searchlibrary","AdditionalInfo":{"Name":"Gravwell: Number of Entries","Description":"Numbercard for total number of entries according to _ingesters_stats","Query":"tag=_ingesters_stats kv lastdaycount \n| stats sum(lastdaycount) as Entries \n| numbercard 
Entries\n","UUID":"5a9ce4cd-0319-486d-b5ec-1d81219d86c5"},"Hash":[147,216,83,3,65,227,156,251,89,27,125,76,131,144,94,134,146,0,147,46,190,76,179,46,154,4,185,95,95,239,168,234]},{"Name":"83f94374-2148-42d9-a5ff-0e9923a3a358","Type":"searchlibrary","AdditionalInfo":{"Name":"Gravwell: Over Target Ingest","Description":"Chart ingest GB per day according to _ingesters_stats against target GB per day","Query":"tag=_ingesters_stats kv lastdaysize\n| eval GB_per_day=$CONVERT_BYTES_GB(lastdaysize);\n| eval target=$TARGET_INGEST \n| chart GB_per_day target","UUID":"83f94374-2148-42d9-a5ff-0e9923a3a358"},"Hash":[106,76,62,171,36,137,66,55,220,36,85,161,179,129,243,204,187,72,20,247,201,129,154,112,54,21,80,28,80,4,5,45]},{"Name":"b80d41b1-8044-4d6d-82be-4d9297032283","Type":"searchlibrary","AdditionalInfo":{"Name":"Gravwell: Number of days over ingestion target in past 30.","Description":"This represents the number of days over ingestion target.","Query":"tag=_ingesters_stats kv lastdaysize\n| eval GB_per_day=$CONVERT_BYTES_GB(lastdaysize);\n| eval if (GB_per_day \u003e= $TARGET_INGEST ) { overTarget = 1; } else { overTarget = 0; }\n| stats sum(overTarget) as \"OverTarget\"\n| numbercard \"OverTarget\"","UUID":"b80d41b1-8044-4d6d-82be-4d9297032283"},"Hash":[182,15,12,60,219,215,108,183,158,138,207,71,100,131,16,197,223,38,219,215,60,138,187,50,192,98,133,61,112,155,221,180]},{"Name":"d2d276d6-966c-4268-9471-e1cbb70c083f","Type":"searchlibrary","AdditionalInfo":{"Name":"Gravwell: GBs Ingested","Description":"GBs Ingested","Query":"tag=_ingesters_stats kv lastdaysize\n| stats sum(lastdaysize) as Bytes\n| eval GB_ingested=$CONVERT_BYTES_GB(Bytes);\n| numbercard GB_ingested","UUID":"d2d276d6-966c-4268-9471-e1cbb70c083f"},"Hash":[224,183,181,221,181,143,236,156,191,44,106,0,193,222,188,124,253,128,80,19,103,55,92,67,74,228,158,11,39,102,113,128]},{"Name":"Update ingester table","Type":"scheduled search","AdditionalInfo":{"Name":"Update ingester table","Description":"Updates a 
resource (\"ingesters_seen\") which contains a list of all ingesters that have been seen on the system.","Schedule":"0 * * * *","SearchString":"tag=gravwell syslog Timestamp Message==\"Ingest routine exiting after ingesting normally\" Structured.ingester Structured.ingesterversion Structured.ingesteruuid Structured.client | sort by time desc | regex -p -e client \"://(?P\u003cclient\u003e.+):\\d+\" | unique ingesteruuid ingesterversion client | table -csv -save ingesters_seen -update ingesteruuid Timestamp ingester client ingesterversion ingesteruuid","Duration":-7200,"ScheduledType":"search","DefaultDeploymentRules":{"Disabled":false,"RunImmediately":false}},"Hash":[32,174,219,56,222,185,59,50,56,173,113,99,205,33,10,243,174,104,60,245,82,134,237,170,108,236,94,39,160,216,165,78]},{"Name":"a4e19037-6acc-4301-ab02-22b5e22084bf","Type":"scheduled search","AdditionalInfo":{"Name":"Aggregates_Ingestion","Description":"Generate aggregate lastdaysize and lastdaycount stats across all ingesters, then ingest them into the _ingesters_stats tag.","Schedule":"0 0 * * *","Flow":"{\"id\":\"gravwell@0.0.1\",\"nodes\":{\"3568\":{\"id\":3568,\"name\":\"Go\",\"inputs\":{\"in\":{\"connections\":[]}},\"outputs\":{\"out\":{\"connections\":[{\"node\":3571,\"input\":\"in\",\"data\":{}}]}},\"data\":{\"outputs\":{\"type\":\"Array\",\"array_elements\":[{\"type\":\"Constant\",\"value\":\"output\"}]},\"code\":{\"type\":\"Constant\",\"value\":\"package main\\n\\nimport (\\n\\t\\\"bytes\\\"\\n\\t\\\"fmt\\\"\\n\\t\\\"gravwell\\\"\\n\\t\\\"strings\\\"\\n)\\n\\nvar payload = gravwell.Payload\\n\\nfunc addIngestersStats() (output string) {\\n\\tstats, err := gravwell.Ingesters()\\n\\tif err != nil {\\n\\t\\treturn\\n\\t}\\n\\n\\tvar lastDaySize uint64\\n\\tvar lastDayCount uint64\\n\\n\\tfor _, s := range stats {\\n\\t\\tlastDaySize += s.LastDaySize\\n\\t\\tlastDayCount += s.LastDayCount\\n\\t}\\n\\n\\tbuffer := new(bytes.Buffer)\\n\\tfmt.Fprintf(buffer, \\\"%s=%d \\\", \\\"lastdaysize\\\", 
lastDaySize)\\n\\tfmt.Fprintf(buffer, \\\"%s=%d \\\", \\\"lastdaycount\\\", lastDayCount)\\n\\n\\treturn buffer.String()\\n}\\n\\nfunc main() {\\n\\tvar output string\\n\\toutput += addIngestersStats()\\n\\n\\tpayload.Set(\\\"output\\\", strings.TrimSpace(output))\\n\\n\\treturn\\n}\\n\"},\"__meta\":{\"nickname\":null,\"notes\":null,\"inputs\":[],\"values\":{\"outputs\":[{\"type\":{\"kind\":\"string\"},\"value\":\"output\"}],\"code\":{\"type\":{\"default\":\"package main\\n\\nimport (\\n\\t\\\"gravwell\\\"\\n)\\n\\n/* payload implements a Get and Set, like this interface: \\ntype payload interface {\\n\\tGet(string) (interface{}, error)\\n\\tSet(string, interface{}) error\\n}\\n*/\\n\\nvar payload = gravwell.Payload\\n\\nfunc main() {\\n\\treturn\\n}\",\"kind\":\"string:code-go\"},\"value\":\"package main\\n\\nimport (\\n\\t\\\"bytes\\\"\\n\\t\\\"fmt\\\"\\n\\t\\\"gravwell\\\"\\n\\t\\\"strings\\\"\\n)\\n\\nvar payload = gravwell.Payload\\n\\nfunc addIngestersStats() (output string) {\\n\\tstats, err := gravwell.Ingesters()\\n\\tif err != nil {\\n\\t\\treturn\\n\\t}\\n\\n\\tvar lastDaySize uint64\\n\\tvar lastDayCount uint64\\n\\n\\tfor _, s := range stats {\\n\\t\\tlastDaySize += s.LastDaySize\\n\\t\\tlastDayCount += s.LastDayCount\\n\\t}\\n\\n\\tbuffer := new(bytes.Buffer)\\n\\tfmt.Fprintf(buffer, \\\"%s=%d \\\", \\\"lastdaysize\\\", lastDaySize)\\n\\tfmt.Fprintf(buffer, \\\"%s=%d \\\", \\\"lastdaycount\\\", lastDayCount)\\n\\n\\treturn buffer.String()\\n}\\n\\nfunc main() {\\n\\tvar output string\\n\\toutput += addIngestersStats()\\n\\n\\tpayload.Set(\\\"output\\\", 
strings.TrimSpace(output))\\n\\n\\treturn\\n}\\n\"}}},\"__disabled\":{\"type\":\"Constant\",\"value\":false}},\"position\":[-736,-208]},\"3571\":{\"id\":3571,\"name\":\"Ingest\",\"inputs\":{\"in\":{\"connections\":[{\"node\":3568,\"output\":\"out\",\"data\":{}}]}},\"outputs\":{\"out\":{\"connections\":[]}},\"data\":{\"tag\":{\"type\":\"Constant\",\"value\":\"_ingesters_stats\"},\"input\":{\"type\":\"Variable\",\"value\":\"output\"},\"splitlines\":{\"type\":\"Constant\",\"value\":false},\"extracttimestamp\":{\"type\":\"Constant\",\"value\":false},\"__meta\":{\"nickname\":null,\"notes\":null,\"inputs\":[],\"values\":{\"tag\":{\"type\":{\"kind\":\"string\"},\"value\":\"_ingesters_stats\"},\"input\":{\"type\":{\"kind\":\"variable\"},\"value\":\"output\"},\"splitlines\":{\"type\":{\"kind\":\"boolean\"},\"value\":false},\"extracttimestamp\":{\"type\":{\"kind\":\"boolean\"},\"value\":false}}},\"__disabled\":{\"type\":\"Constant\",\"value\":false}},\"position\":[-384,-208]}}}","ScheduledType":"flow","DefaultDeploymentRules":{"Disabled":false,"RunImmediately":true}},"Hash":[215,185,225,177,191,210,119,14,96,255,99,168,255,73,170,202,244,110,98,8,221,57,13,102,176,9,115,170,91,174,18,124]},{"Name":"ba7bd2e3-b086-4e9d-b0ee-2e1befd06ee7","Type":"template","AdditionalInfo":{"UUID":"ba7bd2e3-b086-4e9d-b0ee-2e1befd06ee7","Name":"User session history","Description":"History of login sessions for a specific user."},"Hash":[175,229,164,38,244,18,56,142,220,75,82,238,180,200,16,29,59,6,90,10,89,96,184,35,100,169,26,219,205,243,40,13]},{"Name":"98dc3591-a164-453d-a282-7e64311b305b","Type":"searchlibrary","AdditionalInfo":{"Name":"Gravwell: Indexer reconnects by webserver","Description":"For each webserver + indexer combination, count how many times the webserver reconnected to the indexer.","Query":"tag=gravwell syslog Message==\"Indexer came online\" Hostname Structured.indexer \n| alias Hostname webserver \n| stats count by webserver indexer \n| table webserver indexer 
count","UUID":"98dc3591-a164-453d-a282-7e64311b305b"},"Hash":[169,99,255,160,250,149,108,196,21,162,13,234,174,93,28,236,4,115,135,134,87,178,147,83,137,193,17,224,161,18,233,185]},{"Name":"da3e51f9-6d59-4293-99fd-6bd73661617b","Type":"searchlibrary","AdditionalInfo":{"Name":"Gravwell: Ingester authentication failures","Description":"Failed ingester authentications, as a table.","Query":"tag=gravwell syslog Timestamp Message==\"Ingest routine got invalid authentication\" Structured.conntype Structured.client Structured.error \n| sort by time desc \n| regex -p -e client \"://(?P\u003cclient\u003e.+):\\d+\" \n| stats count by client conntype error \n| table Timestamp conntype client error count","UUID":"da3e51f9-6d59-4293-99fd-6bd73661617b"},"Hash":[35,5,227,83,105,230,153,64,74,14,33,131,124,29,34,197,244,51,201,213,15,216,127,198,177,111,113,230,114,99,72,28]},{"Name":"a9189086-4887-4ab5-aa32-47c9f23a8bf4","Type":"searchlibrary","AdditionalInfo":{"Name":"Gravwell: Login session history","Description":"All logins, with session duration","Query":"tag=gravwell syslog Timestamp Message~\"User logged\" Structured.sessionid Structured.uid Structured.user \n| require sessionid \n| sort by time desc \n| diff TIMESTAMP by sessionid \n| eval $(duration) = duration(-1*diff); \n| table Timestamp user uid sessionid duration\n","UUID":"a9189086-4887-4ab5-aa32-47c9f23a8bf4"},"Hash":[211,146,76,101,142,218,32,58,87,86,232,41,73,139,158,83,56,140,182,92,100,26,90,203,166,105,190,20,112,162,82,124]},{"Name":"b5aec7eb-62d2-45db-8100-1b2479a5c67c","Type":"searchlibrary","AdditionalInfo":{"Name":"Gravwell: Query Count Chart","Description":"A chart showing how many queries have been executed.","Query":"tag=gravwell syslog Message==\"Search launched\" \n| stats count \n| chart 
count","UUID":"b5aec7eb-62d2-45db-8100-1b2479a5c67c"},"Hash":[14,146,231,250,232,226,251,0,56,128,13,112,119,30,201,30,220,237,35,226,164,6,18,210,35,97,91,55,25,16,30,151]},{"Name":"46e1c052-8f84-46a9-be1e-b207c3519afa","Type":"searchlibrary","AdditionalInfo":{"Name":"Gravwell: Ingester disconnects","Description":"Count how many times each ingester gets disconnected from each indexer. This includes regular exits and timeouts due to network problems.","Query":"tag=gravwell syslog Hostname Message~\"Ingest routine exiting\" Structured.ingester Structured.ingesterversion Structured.ingesteruuid Structured.client \n| alias Hostname indexer \n| regex -p -e client \"://(?P\u003cclient\u003e.+):\\d+\" \n| stats count by indexer ingesteruuid client \n| table indexer ingester client ingesterversion ingesteruuid count","UUID":"46e1c052-8f84-46a9-be1e-b207c3519afa"},"Hash":[13,203,213,65,72,229,28,249,182,104,194,195,72,147,136,37,122,158,135,212,89,240,159,137,59,253,236,100,76,136,11,69]},{"Name":"891d9202-d77d-41ae-8aac-bd095d769d61","Type":"searchlibrary","AdditionalInfo":{"Name":"Gravwell: Query Count by User","Description":"Charts how many queries each user has executed.","Query":"tag=gravwell syslog Message==\"Search launched\" Structured.user \n| stats count by user \n| chart count by user","UUID":"891d9202-d77d-41ae-8aac-bd095d769d61"},"Hash":[174,216,114,12,163,255,133,60,141,43,109,47,136,140,188,221,249,77,57,24,108,207,27,215,175,94,149,131,237,244,38,65]},{"Name":"bc364329-153f-42e6-896f-a754e07e163c","Type":"searchlibrary","AdditionalInfo":{"Name":"Gravwell: Query Execution Time Statistics","Description":"Generate a table of statistics about the execution of queries: average, standard deviation, min, and max.","Query":"tag=gravwell syslog Message==\"Search finished\" Structured.elapsed \n| eval elapsed = duration(elapsed); \n| stats mean(elapsed) min(elapsed) max(elapsed) stddev(elapsed) \n| eval mean = duration(mean); stddev = duration(stddev); \n| table mean 
stddev min max\n","UUID":"bc364329-153f-42e6-896f-a754e07e163c"},"Hash":[97,63,89,80,116,126,233,138,76,163,206,227,5,205,33,8,92,172,39,137,201,150,170,7,5,94,165,50,124,113,192,176]},{"Name":"Ingester state tracker","Type":"scheduled search","AdditionalInfo":{"Name":"Ingester state tracker","Description":"Tracks ingesters and sends a notification email when states change.","Schedule":"* * * * *","Script":"fromAddr, err = getMacro(\"$INGESTER_STATE_FROMADDR\")\nif err != nil {\n return err\n}\n\ntoAddr, err = getMacro(\"$INGESTER_STATE_TOADDR\")\nif err != nil {\n return err\n}\n\nMinVer(3, 3, 6)\nrequire(`utils/ingesterTracker.ank`, `b100da945615976d846a5c0e21f0551eb3cf726e`)\nrequire(`email/htmlEmail.ank`, `b100da945615976d846a5c0e21f0551eb3cf726e`)\n\nvar pit = PersistentIngesterTracker\n\nerr = pit.Load()\nif err != nil {\n return err\n}\nerr = pit.Scan()\nif err != nil {\n return err\n}\n\nvar changed = pit.ChangedStates()\nif len(changed) == 0 {\n return pit.Save() //we are done\n}\n\n//something changed, send an alert email\nvar online = pit.FilterState(`ONLINE`)\n\nvar em = htmlEmail\nem.SetTitle(`Ingester State Change Alert`)\nem.AddSubTitle(`Ingester State Changes`)\nem.AddTable(pit.Table(changed))\nem.AddSubTitle(`Online Ingesters`)\nem.AddTable(pit.Table(online))\n\nerr = em.SendEmail(fromAddr, toAddr, `Ingester State Change`)\nif err != nil {\n return err\n}\n\n//we got the email off, its safe to save our state back\nreturn pit.Save()\n","ScheduledType":"script","DefaultDeploymentRules":{"Disabled":true,"RunImmediately":false}},"Hash":[61,160,82,184,139,255,61,125,160,71,169,96,120,106,222,240,156,11,45,13,159,110,194,27,192,34,226,219,149,11,144,252]},{"Name":"08f7c0a7-27e2-4596-9289-2ebdab28ca7f","Type":"dashboard","AdditionalInfo":{"UUID":"08f7c0a7-27e2-4596-9289-2ebdab28ca7f","Name":"Gravwell: Query Overview","Description":"Dashboard for monitoring query 
stats"},"Hash":[65,14,94,230,229,248,170,71,224,78,82,202,198,76,202,76,160,87,150,98,88,24,251,16,102,23,38,76,44,25,76,150]},{"Name":"5f370a03-7e82-4718-8dbf-20b432803b79","Type":"searchlibrary","AdditionalInfo":{"Name":"Gravwell: Most used Modules","Description":"Count of most used modules in successfully launched searches","Query":"tag=gravwell syslog Message==\"Completed search launch\" Structured.query as Query \n| require Query \n| split -d \"|\" Query \n| regex -p -e Query \"tag=\\S+\\s+(?P\u003cQuery\u003e\\S+)\" \n| regex -e Query \"\\s+(?P\u003cModule\u003e\\S+)\" \n| count by Module \n| table count Module","UUID":"5f370a03-7e82-4718-8dbf-20b432803b79"},"Hash":[66,158,79,185,168,69,76,115,31,101,143,5,254,93,86,199,1,139,115,250,63,107,39,52,215,197,37,121,188,238,204,25]},{"Name":"45619375-dcb8-4049-95fe-5a84326937f0","Type":"searchlibrary","AdditionalInfo":{"Name":"Gravwell: Query Overview","Description":"Display data for successfully launched searches","Query":"tag=gravwell syslog Message==\"Completed search launch\"","UUID":"45619375-dcb8-4049-95fe-5a84326937f0"},"Hash":[62,37,188,89,213,106,92,118,66,236,206,161,247,223,55,87,205,242,99,38,181,195,28,79,19,74,249,237,89,7,86,232]},{"Name":"b68ae88c-34ef-4afe-947f-da748a495443","Type":"searchlibrary","AdditionalInfo":{"Name":"Gravwell: Total Queries","Description":"Count gauge of successfully launched queries","Query":"tag=gravwell syslog Message==\"Completed search launch\" Structured.query as Query Structured.user as User \n| regex \"tag=(?P\u003cTag\u003e\\S+)\" \n| count \n| gauge count","UUID":"b68ae88c-34ef-4afe-947f-da748a495443"},"Hash":[101,127,36,81,192,69,108,32,36,147,199,182,15,189,182,179,111,62,97,111,34,16,233,217,241,196,82,191,187,92,163,43]},{"Name":"9d905241-4114-4b27-9327-f0a5bfb6a22f","Type":"playbook","AdditionalInfo":{"UUID":"9d905241-4114-4b27-9327-f0a5bfb6a22f","Name":"Gravwell Kit","Description":"Analyze Gravwell 
Logs"},"Hash":[27,42,180,93,35,176,194,242,214,148,36,245,188,128,66,84,150,68,155,206,217,132,91,71,9,5,12,36,139,14,240,152]},{"Name":"0dc30b64-d251-4818-9e00-e036aa6ef46b","Type":"dashboard","AdditionalInfo":{"UUID":"0dc30b64-d251-4818-9e00-e036aa6ef46b","Name":"Gravwell: Ingester Overview","Description":"Dashboard for monitoring ingester errors and states"},"Hash":[94,175,84,25,230,13,229,181,114,36,127,230,197,248,109,216,136,229,208,184,217,100,128,15,60,123,201,37,145,75,146,194]},{"Name":"902861bf-1349-47e2-89de-86d360bfb5a7","Type":"searchlibrary","AdditionalInfo":{"Name":"Gravwell: Ingester Activity Over Time","Description":"Chart ingester activity","Query":"tag=gravwell syslog -s Structured.ingester \n| chart","UUID":"902861bf-1349-47e2-89de-86d360bfb5a7"},"Hash":[219,185,156,173,176,73,57,13,184,65,245,55,211,110,244,59,146,135,81,131,111,1,60,72,188,56,26,134,241,147,17,192]},{"Name":"523c5984-650b-4d42-8bc7-f207f4c72dd7","Type":"searchlibrary","AdditionalInfo":{"Name":"Gravwell: Ingester Connections","Description":"Display unique ingester to indexer connections","Query":"tag=gravwell syslog -s Structured.ingester Structured.indexer \n| unique ingester indexer \n| table ingester indexer","UUID":"523c5984-650b-4d42-8bc7-f207f4c72dd7"},"Hash":[251,106,127,222,50,226,215,130,46,113,135,120,77,96,111,237,16,151,167,120,237,180,251,46,225,73,130,135,141,122,213,128]},{"Name":"c39c05c4-cda8-433e-8095-37495cfd91d2","Type":"searchlibrary","AdditionalInfo":{"Name":"Gravwell: Ingester Errors","Description":"Display error information by ingester","Query":"tag=gravwell syslog -s Structured.ingesteruuid as UUID Structured.ingester Structured.error \n| table UUID ingester error","UUID":"c39c05c4-cda8-433e-8095-37495cfd91d2"},"Hash":[235,81,10,235,89,99,76,213,18,176,112,133,168,142,103,27,248,225,232,241,105,74,145,76,111,213,186,146,45,230,254,114]},{"Name":"00a8f445-9c52-4088-b593-95c738f56fd0","Type":"searchlibrary","AdditionalInfo":{"Name":"Gravwell: Ingester 
Reconnects Over Time","Description":"Chart count of ingester reconnections over time","Query":"tag=gravwell syslog -s Message==connected Structured.ingester \n| stats count by ingester \n| chart count by ingester","UUID":"00a8f445-9c52-4088-b593-95c738f56fd0"},"Hash":[134,186,223,115,240,156,47,112,55,11,183,94,75,156,193,251,187,69,238,108,34,64,33,17,127,167,128,12,149,50,123,209]},{"Name":"e2aa0d2f-7694-421e-b8cf-aa669650cbe8","Type":"scheduled search","AdditionalInfo":{"Name":"Tag Aggregates","Description":"Generate period counts entries and total data size, ingested into the _aggs_tags tag.","Schedule":"* * * * *","Flow":"{\"id\":\"gravwell@0.0.1\",\"nodes\":{\"1\":{\"id\":1,\"data\":{\"sleep\":{\"type\":\"Constant\",\"value\":30},\"__meta\":{\"nickname\":null,\"notes\":null,\"inputs\":[],\"values\":{\"sleep\":{\"type\":{\"kind\":\"int\"},\"value\":30}}}},\"inputs\":{\"in\":{\"connections\":[]}},\"outputs\":{\"out\":{\"connections\":[{\"node\":2,\"input\":\"in\",\"data\":{}}]}},\"position\":[176,352],\"name\":\"Sleep\"},\"2\":{\"id\":2,\"data\":{\"querystring\":{\"type\":\"Constant\",\"value\":\"tag=* length\\n| stats -maxtracked $AGG_TAGS_MT sum(length) as bytes count as entries by TAG \\n| sort by bytes desc \\n| table TAG entries bytes\"},\"duration\":{\"type\":\"Variable\",\"value\":\"flow.Interval\"},\"name\":{\"type\":\"Constant\",\"value\":\"search\"},\"__meta\":{\"nickname\":null,\"notes\":null,\"inputs\":[],\"values\":{\"querystring\":{\"type\":{\"kind\":\"string:query\"},\"value\":\"tag=* length\\n| stats -maxtracked $AGG_TAGS_MT sum(length) as bytes count as entries by TAG \\n| sort by bytes desc \\n| table TAG entries 
bytes\"},\"duration\":{\"type\":{\"kind\":\"variable\",\"default\":\"flow.Interval\"},\"value\":\"flow.Interval\"},\"name\":{\"type\":{\"kind\":\"string\",\"default\":\"search\"},\"value\":\"search\"}}}},\"inputs\":{\"in\":{\"connections\":[{\"node\":1,\"output\":\"out\",\"data\":{}}]}},\"outputs\":{\"out\":{\"connections\":[{\"node\":3,\"input\":\"in\",\"data\":{}}]}},\"position\":[448,352],\"name\":\"RunQuery\"},\"3\":{\"id\":3,\"data\":{\"tag\":{\"type\":\"Constant\",\"value\":\"_aggs_tags\"},\"input\":{\"type\":\"Variable\",\"value\":\"search\"},\"splitlines\":{\"type\":\"Constant\",\"value\":false},\"__meta\":{\"nickname\":null,\"notes\":null,\"inputs\":[],\"values\":{\"tag\":{\"type\":{\"kind\":\"string\"},\"value\":\"_aggs_tags\"},\"input\":{\"type\":{\"kind\":\"variable\"},\"value\":\"search\"},\"splitlines\":{\"type\":{\"kind\":\"boolean\"},\"value\":false}}}},\"inputs\":{\"in\":{\"connections\":[{\"node\":2,\"output\":\"out\",\"data\":{}}]}},\"outputs\":{\"out\":{\"connections\":[]}},\"position\":[752,352],\"name\":\"Ingest\"},\"4\":{\"id\":4,\"data\":{\"__meta\":{\"inputs\":[],\"values\":{},\"nickname\":\"Note\",\"notes\":\"Sleep to make sure any recent entries have made it into the indexer before we query.\"}},\"inputs\":{},\"outputs\":{},\"position\":[176,304],\"name\":\"Annotation\"},\"5\":{\"id\":5,\"data\":{\"__meta\":{\"inputs\":[],\"values\":{},\"nickname\":\"Note\",\"notes\":\"Now count how many entries/bytes are in each tag\"}},\"inputs\":{},\"outputs\":{},\"position\":[448,304],\"name\":\"Annotation\"},\"6\":{\"id\":6,\"data\":{\"__meta\":{\"inputs\":[],\"values\":{},\"nickname\":\"Note\",\"notes\":\"Note that manually running this script multiple times will result in multiple copies of the same aggregates being ingested.\"}},\"inputs\":{},\"outputs\":{},\"position\":[752,432],\"name\":\"Annotation\"},\"7\":{\"id\":7,\"data\":{\"__meta\":{\"inputs\":[],\"values\":{},\"nickname\":\"Note\",\"notes\":\"This query runs over the interval from the 
*previous* flow execution up to the *scheduled* execution time of the flow. This means that if the flow is scheduled to run every hour, the query will run from *exactly* e.g. 14:00 to 15:00, despite the sleep node at the start of the flow.\"}},\"inputs\":{},\"outputs\":{},\"position\":[448,432],\"name\":\"Annotation\"},\"8\":{\"id\":8,\"data\":{\"__meta\":{\"inputs\":[],\"values\":{},\"nickname\":\"Note\",\"notes\":\"Re-ingest the results\"}},\"inputs\":{},\"outputs\":{},\"position\":[752,304],\"name\":\"Annotation\"}}}\n","ScheduledType":"flow","DefaultDeploymentRules":{"Disabled":false,"RunImmediately":false}},"Hash":[162,79,104,240,52,165,92,18,178,70,244,217,69,193,203,0,29,131,152,161,212,5,168,80,246,233,168,178,229,222,22,205]},{"Name":"71ff395f-6e52-4e75-bc55-e50bcceb0714","Type":"dashboard","AdditionalInfo":{"UUID":"71ff395f-6e52-4e75-bc55-e50bcceb0714","Name":"Gravwell: Data Stats","Description":"Information about data ingested into Gravwell based on aggregates."},"Hash":[252,117,188,134,83,107,132,31,97,40,121,73,218,75,250,41,81,228,94,239,183,170,194,225,228,230,124,171,8,79,66,167]},{"Name":"_aggs_tags","Type":"autoextractor","AdditionalInfo":{"name":"Tag Aggregates","desc":"Extractor for the _aggs_tags tag, which contains counts \u0026 byte sums for each tag in the system.","module":"csv","tag":"_aggs_tags"},"Hash":[208,244,75,30,28,62,34,248,88,43,253,252,139,54,36,151,239,223,119,238,83,254,221,193,33,188,129,171,112,113,134,95]},{"Name":"c5288c96-0584-4ac0-94f5-66642e010c91","Type":"dashboard","AdditionalInfo":{"UUID":"c5288c96-0584-4ac0-94f5-66642e010c91","Name":"Gravwell: Automations","Description":"Dashboard for monitoring automation errors and states"},"Hash":[177,196,9,250,198,66,72,30,198,52,174,200,47,36,89,103,148,47,58,145,41,228,182,201,219,193,94,222,144,190,45,64]},{"Name":"48f27640-3792-4214-beb5-77f10494372a","Type":"dashboard","AdditionalInfo":{"UUID":"48f27640-3792-4214-beb5-77f10494372a","Name":"Gravwell: Ageout 
Activity","Description":"Dashboard monitoring shard ageout and management activity"},"Hash":[130,125,252,123,144,100,56,116,161,128,170,94,214,110,124,248,85,91,35,132,210,117,211,77,213,253,227,172,163,160,60,107]},{"Name":"gravwell","Type":"autoextractor","AdditionalInfo":{"name":"gravwell tag","desc":"syslog extraction for gravwell tag","module":"syslog","tag":"gravwell"},"Hash":[153,243,21,247,4,245,160,68,192,112,161,172,100,17,133,2,21,48,31,252,80,92,7,14,85,65,133,56,67,44,83,17]},{"Name":"aee40e10-baa8-4fed-89f1-566985681c1c","Type":"dashboard","AdditionalInfo":{"UUID":"aee40e10-baa8-4fed-89f1-566985681c1c","Name":"Gravwell: Alert Overview","Description":"Information about Alerts in the Gravwell system"},"Hash":[119,250,205,2,198,147,62,199,133,131,85,157,197,139,242,8,88,29,145,157,41,32,43,191,135,202,168,171,31,226,208,93]},{"Name":"50a0c257-b4b4-437e-9cc0-49da0a7a582e","Type":"searchlibrary","AdditionalInfo":{"Name":"Gravwell: Component Errors","Description":"Count of errors by hostname, appname","Query":"tag=gravwell syslog -s Hostname Appname error\n| stats count by Hostname Appname error\n| table count error Hostname Appname","UUID":"50a0c257-b4b4-437e-9cc0-49da0a7a582e"},"Hash":[171,254,145,177,46,230,146,118,101,59,241,223,158,239,202,191,145,204,97,8,139,122,10,246,150,196,211,246,107,239,92,27]},{"Name":"18725e4f-7266-4167-a330-b3941177fdd7","Type":"searchlibrary","AdditionalInfo":{"Name":"Gravwell: Ingester Reconnection Counts","Description":"Count of Ingester reconnections by ingester","Query":"tag=gravwell syslog Message == \"successfully connected with ingest OK\" Hostname Appname Structured[gw@1].version Structured[gw@1].indexer as upstream\n| stats count by Hostname Appname version upstream\n| table","UUID":"18725e4f-7266-4167-a330-b3941177fdd7"},"Hash":[73,66,52,76,12,91,221,118,22,24,19,152,187,98,231,44,56,204,105,129,73,55,91,155,24,91,254,219,161,132,4,177]}],"ConfigMacros":[{"MacroName":"INGESTER_STATE_FROMADDR","Description":"This 
is the address from which ingester state notification emails will be sent.","DefaultValue":"sender@example.org","Value":"","Type":"","InstalledByID":""},{"MacroName":"INGESTER_STATE_TOADDR","Description":"This is the address to which ingester state notifications will be sent.","DefaultValue":"receipient@example.org","Value":"","Type":"","InstalledByID":""}]},{"ID":"io.gravwell.ipfix","Name":"IPFIX","UUID":"672ad542-f707-4b3e-90d4-decdf17f51d1","Version":7,"Description":"This kit provides ready-to-roll dashboards, queries, templates, playbooks, and actionables for analyzing IPFIX","Readme":"","Signed":true,"AdminRequired":false,"MinVersion":{"Major":5,"Minor":4,"Point":0},"MaxVersion":{"Major":0,"Minor":0,"Point":0},"Size":103936,"Created":"2023-10-05T14:14:03.823791292Z","Ingesters":["flow","ipfix"],"Tags":["ipfix"],"Assets":[{"Type":"image","Source":"cover.jpg","Legend":"IPFIX","Featured":true,"Banner":false},{"Type":"readme","Source":"README.md","Legend":"","Featured":false,"Banner":false}],"Dependencies":[{"ID":"io.gravwell.networkenrichment","MinVersion":8}],"Items":[{"Name":"1551412e-c773-4bc2-8134-695b8d928adb","Type":"template","AdditionalInfo":{"UUID":"1551412e-c773-4bc2-8134-695b8d928adb","Name":"IP Traffic accounting","Description":"Show inbound and outbound traffic graph for a specific IP"},"Hash":[134,168,150,68,162,204,41,40,2,95,121,33,67,217,182,74,219,111,204,24,112,3,16,184,178,158,211,143,99,47,255,110]},{"Name":"1cd92621-6144-470c-a6c8-33b710f5318f","Type":"template","AdditionalInfo":{"UUID":"1cd92621-6144-470c-a6c8-33b710f5318f","Name":"IP Service Chart","Description":"Show service traffic and packet rates"},"Hash":[160,229,129,146,91,109,161,253,113,84,190,34,11,65,116,239,192,43,20,127,200,126,155,122,37,101,127,23,78,211,182,10]},{"Name":"22","Type":"dashboard","AdditionalInfo":{"UUID":"db7c22b2-b0e0-11ea-bdbb-7b259a2981f0","Name":"IPFIX IP Investigation Dashboard","Description":"IP investigation dashboard for IPFIX\nProvides an overview of 
netflow activity for a given IP using IPFIX logs"},"Hash":[83,148,245,194,33,1,40,39,249,230,82,148,183,134,150,238,175,102,233,2,75,200,215,166,5,234,69,155,157,135,214,21]},{"Name":"23","Type":"dashboard","AdditionalInfo":{"UUID":"99f73064-b0e2-11ea-ac64-c7e7e248dd75","Name":"IPFIX Traffic Overview","Description":"General IPFIX Traffic Overview"},"Hash":[154,240,255,124,185,15,199,27,222,137,186,110,235,105,42,90,9,234,186,113,30,36,139,160,77,115,79,106,103,167,128,127]},{"Name":"24b02332-4e7c-425c-98a8-7a1afbc3e29b","Type":"template","AdditionalInfo":{"UUID":"24b02332-4e7c-425c-98a8-7a1afbc3e29b","Name":"IP Traffic Overview","Description":"Show average traffic rates for a target IP"},"Hash":[163,146,21,253,189,90,6,115,124,164,38,31,247,52,43,138,176,41,154,9,253,219,5,171,108,164,83,107,186,143,69,85]},{"Name":"3a97f21a-f443-40c8-9580-df76af544d49","Type":"template","AdditionalInfo":{"UUID":"3a97f21a-f443-40c8-9580-df76af544d49","Name":"Highest Outbound Traffic Peers","Description":"Show peers with the most outbound traffic"},"Hash":[40,1,215,97,108,77,206,129,11,96,36,71,177,247,45,185,224,80,105,176,28,234,236,109,82,138,18,169,23,224,196,71]},{"Name":"4363ccd4-e591-4ad7-a4dd-454547325f57","Type":"template","AdditionalInfo":{"UUID":"4363ccd4-e591-4ad7-a4dd-454547325f57","Name":"Traffic and packet sums for a specific IP","Description":"Line chart showing packet and traffic totals for a given IP"},"Hash":[75,119,186,161,38,45,199,192,196,239,66,73,86,224,44,252,101,156,158,80,144,31,173,205,88,237,188,51,35,222,179,142]},{"Name":"5aab22f0-e612-418a-a1d8-48287b89dcd4","Type":"template","AdditionalInfo":{"UUID":"5aab22f0-e612-418a-a1d8-48287b89dcd4","Name":"Long running flows IP investigator","Description":"Investigation template for identifying flows of over 20 minute duration for a given IP 
address"},"Hash":[77,202,138,54,84,111,0,225,75,90,255,204,196,154,111,176,194,213,187,84,69,60,184,198,129,33,20,219,18,246,27,136]},{"Name":"6dc9d900-3de8-49dd-85ae-55e462f0b263","Type":"template","AdditionalInfo":{"UUID":"6dc9d900-3de8-49dd-85ae-55e462f0b263","Name":"Rare Port Usage","Description":"Investigate rare port usage for a given IP"},"Hash":[212,82,114,120,89,131,186,137,57,50,172,194,90,11,205,60,52,247,146,242,248,141,161,199,105,204,232,228,119,33,229,128]},{"Name":"768e5c34-d681-4383-81a0-e7c527632417","Type":"playbook","AdditionalInfo":{"UUID":"ca74eb1f-276f-4369-b7de-cbeeca6198ff","Name":"IPFIX Playbook","Description":"Introduction to the IPFIX kit"},"Hash":[113,84,233,74,56,215,48,54,41,6,0,101,239,18,147,13,125,133,105,248,97,30,166,48,107,187,155,22,133,10,27,226]},{"Name":"9613393b-e201-4929-8744-55b2803d4c75","Type":"template","AdditionalInfo":{"UUID":"9613393b-e201-4929-8744-55b2803d4c75","Name":"Most common ports","Description":"Display the most common ports and their service names"},"Hash":[254,33,219,150,191,229,10,69,142,41,90,172,10,66,252,161,130,46,212,191,158,124,93,237,177,8,132,185,182,223,70,220]},{"Name":"aa58c1f0-00b0-4321-9f0e-3e1f7ff76393","Type":"template","AdditionalInfo":{"UUID":"aa58c1f0-00b0-4321-9f0e-3e1f7ff76393","Name":"Outbound Traffic Heatmap","Description":"Show inbound traffic heatmap for a specific IP"},"Hash":[82,215,100,96,210,66,68,9,147,236,44,225,17,224,200,82,64,244,239,235,56,83,193,167,47,236,227,38,80,61,163,159]},{"Name":"Average Connection Duration by Protocol","Type":"searchlibrary","AdditionalInfo":{"Name":"Average Connection Duration by Protocol","Description":"Chart the average connection duration by IP protocol","Query":"tag=$IPFIX_KIT_TAG ipfix protocolIdentifier as Protocol flowDuration as Duration |\neval dursec = Duration / 1000000000; |\nstats mean(dursec) as AverageConnectionDuration by Protocol |\nlookup -r ip_protocols Protocol Number Name as ProtocolName |\nchart AverageConnectionDuration 
by ProtocolName\n","UUID":"3d068d6c-2382-471a-a33d-7735a681427d"},"Hash":[65,170,178,72,127,109,43,16,248,15,224,221,1,55,89,161,15,172,73,114,1,187,162,118,152,228,202,156,90,77,192,198]},{"Name":"Average Packet Size by Protocol","Type":"searchlibrary","AdditionalInfo":{"Name":"Average Packet Size by Protocol","Description":"Charge the average packet size by protocol","Query":"tag=$IPFIX_KIT_TAG ipfix packets as Pkts bytes as Bytes protocolIdentifier as Protocol |\nstats sum(Pkts) as pktsum sum(Bytes) as bytesum by Protocol over 1m | eval pktsz = float(bytesum)/float(pktsum); |\nstats mean(pktsz) as AveragePacketSize by Protocol|\nlookup -r ip_protocols Protocol Number Name |\nchart AveragePacketSize by Name\n","UUID":"14f27aa6-f832-49b3-be49-8b626f07ba96"},"Hash":[218,108,229,202,154,249,97,113,144,76,245,185,110,219,240,54,101,245,163,85,163,57,251,236,151,144,20,7,132,222,85,205]},{"Name":"Average Traffic Throughput By Service","Type":"searchlibrary","AdditionalInfo":{"Name":"Average Traffic Throughput By Service","Description":"Average Traffic Throughput By Service","Query":"tag=$IPFIX_KIT_TAG ipfix port as Port bytes as Bytes |\nstats sum(Bytes) by Port over 1m |\neval throughput = float(sum) / 60.0; |\nstats count mean(throughput) as AvgMBps by Port |\nalias Port Service |\nlookup -r network_services Port service_port service_name as Service |\nchart AvgMBps by Service limit 20\n","UUID":"976d0d6e-e485-43ee-ae05-b901001a5265"},"Hash":[54,228,6,201,65,10,17,79,80,133,120,29,148,221,154,253,237,129,222,114,62,194,13,51,205,213,176,127,64,55,28,49]},{"Name":"bc51220c-2a3f-4071-bbdc-137a2a3baa50","Type":"template","AdditionalInfo":{"UUID":"bc51220c-2a3f-4071-bbdc-137a2a3baa50","Name":"Inbound traffic heatmap","Description":"Display inbound traffic heatmap for an 
IP"},"Hash":[217,66,215,160,171,93,204,113,228,39,219,123,223,41,37,7,115,142,184,24,250,170,98,105,28,132,97,249,175,203,95,151]},{"Name":"bd16f0b2-543d-420a-89c0-22c21cb0c6d6","Type":"template","AdditionalInfo":{"UUID":"bd16f0b2-543d-420a-89c0-22c21cb0c6d6","Name":"Service Intranet Communication Graph","Description":"FDG showing communications between non-routable IP addresses over a given port"},"Hash":[25,82,90,38,69,253,213,168,154,187,30,137,111,121,155,72,174,216,111,91,142,31,221,217,110,160,14,14,153,123,247,253]},{"Name":"c9881a5e-ea9e-431e-a6d8-56d6ec175867","Type":"pivot","AdditionalInfo":{"UUID":"c9881a5e-ea9e-431e-a6d8-56d6ec175867","Name":"IPFIX Network Port","Description":"Actions to take on a network port, e.g. 22"},"Hash":[66,84,220,213,245,7,184,32,193,68,125,209,190,11,9,192,75,72,218,160,62,22,104,138,154,188,14,65,163,220,33,31]},{"Name":"ca3883db-1eab-45ae-ad38-1b13c1a929dc","Type":"template","AdditionalInfo":{"UUID":"ca3883db-1eab-45ae-ad38-1b13c1a929dc","Name":"Most active peers by connectios","Description":"Show the most active peers by number of flows where traffic is sent"},"Hash":[197,249,82,76,218,91,36,45,150,233,197,66,126,97,100,169,168,87,165,73,136,240,189,65,138,79,9,158,206,143,146,98]},{"Name":"Connection Count By Protocol","Type":"searchlibrary","AdditionalInfo":{"Name":"Connection Count By Protocol","Description":"Chart Connection counts by Protocol","Query":"tag=$IPFIX_KIT_TAG ipfix protocolIdentifier as Protocol |\nstats count as Connections by Protocol |\nlookup -r ip_protocols Protocol Number Name as ProtocolName |\nchart Connections by ProtocolName","UUID":"421c017d-4ee6-42a7-bf71-03781dc9b6fb"},"Hash":[188,145,25,127,214,166,26,124,227,177,137,32,236,95,119,42,111,87,145,165,189,17,84,85,93,50,4,196,172,185,177,197]},{"Name":"Country to Country Traffic Aggregates","Type":"searchlibrary","AdditionalInfo":{"Name":"Country to Country Traffic Aggregates","Description":"Table showing total packets, connections, and traffic 
between countries","Query":"tag=$IPFIX_KIT_TAG ipfix src as Src dst as Dst packets as Pkts bytes as Bytes |\ngeoip Src.CountryName as SrcCountry Dst.CountryName as DstCountry |\nstats sum(Pkts) as Packets sum(Bytes) as Traffic count as Connections by SrcCountry DstCountry |\nsort by Traffic desc | \ntable SrcCountry DstCountry Connections Traffic Packets","UUID":"305bbded-9286-4f3a-9b37-72553c278416"},"Hash":[154,190,86,119,42,141,247,204,247,51,155,44,107,66,16,171,139,125,255,30,142,153,209,83,108,15,89,139,47,139,127,221]},{"Name":"e874b41e-8fc5-408e-ae91-591af5d988ba","Type":"file","AdditionalInfo":{"UUID":"e874b41e-8fc5-408e-ae91-591af5d988ba","Name":"IPFIX kit image","Description":"The image used to represent the IPFIX kit.","Size":17600,"ContentType":"image/jpeg"},"Hash":[6,235,17,5,249,13,130,16,77,147,0,86,169,38,165,196,151,82,114,71,239,228,45,211,117,159,32,209,189,192,98,55]},{"Name":"ea6ba4ea-fae0-493e-9c47-b9adf186e015","Type":"pivot","AdditionalInfo":{"UUID":"ea6ba4ea-fae0-493e-9c47-b9adf186e015","Name":"IP Address","Description":"Actionable based on detected IP addresses"},"Hash":[87,194,107,137,118,27,253,133,236,193,3,20,172,236,75,243,162,46,223,104,221,138,204,51,116,144,254,136,141,7,213,231]},{"Name":"Force Directed Graph of ASN Traffic","Type":"searchlibrary","AdditionalInfo":{"Name":"Force Directed Graph of ASN Traffic","Description":"Show Force Directed Graph of traffic between ASNs","Query":"tag=$IPFIX_KIT_TAG ipfix src as Src dst as Dst bytes as Bytes | geoip -r asn_db Src.ASNOrg as SrcASNOrg Dst.ASNOrg as DstASNOrg | stats sum(Bytes) by SrcASNOrg DstASNOrg | fdg -v sum SrcASNOrg DstASNOrg","UUID":"e70847b7-8636-4ce5-8a48-7f8ed687842e"},"Hash":[138,16,105,242,241,227,199,172,226,117,144,165,252,147,234,74,39,69,178,240,98,65,12,158,189,129,51,248,151,144,236,123]},{"Name":"Inbound Traffic Chart","Type":"searchlibrary","AdditionalInfo":{"Name":"Inbound Traffic Chart","Description":"Traffic from routable to 
non-routable","Query":"tag=$IPFIX_KIT_TAG ipfix src !~ PRIVATE as Src dst ~ PRIVATE as Dst bytes as Bytes | stats sum(Bytes) by Dst | chart sum by Dst limit 20","UUID":"38c42730-160a-48a6-85b4-b7fdc2ed52e9"},"Hash":[153,46,127,156,191,30,90,157,29,18,243,129,161,228,207,217,248,31,66,218,60,115,24,70,254,115,229,249,56,190,225,204]},{"Name":"Intranet Communication Paths","Type":"searchlibrary","AdditionalInfo":{"Name":"Intranet Communication Paths","Description":"Connections between private IP addresses on any port.","Query":"tag=$IPFIX_KIT_TAG ipfix src ~ PRIVATE as Src dst ~ PRIVATE as Dst srcPort as SrcPort dstPort as DstPort bytes as Bytes | stats sum(Bytes) by Src Dst | fdg -v sum Src Dst","UUID":"7832aee2-c65d-468a-ba20-8606a113a437"},"Hash":[8,196,105,104,102,39,203,24,246,129,24,179,183,81,0,191,63,12,252,32,173,105,161,4,161,17,91,117,205,231,59,153]},{"Name":"IPFIX Traffic by Protocol","Type":"searchlibrary","AdditionalInfo":{"Name":"IPFIX Traffic by Protocol","Description":"Chart Traffic By Protocol","Query":"tag=$IPFIX_KIT_TAG ipfix protocolIdentifier as Protocol bytes as Bytes |\nstats sum(Bytes) as Traffic by Protocol |\nlookup -r ip_protocols Protocol Number Name as ProtocolName |\nchart Traffic by ProtocolName","UUID":"8edc0461-c9b8-4b77-96d1-20d8d67df327"},"Hash":[138,123,163,185,73,30,27,126,98,117,219,152,155,136,32,175,18,221,212,253,46,22,7,104,77,127,86,207,64,21,69,94]},{"Name":"IPs Hosting Services","Type":"searchlibrary","AdditionalInfo":{"Name":"IPs Hosting Services","Description":"Table of IPs, what servers they are hosting, and how many clients have been served","Query":"tag=$IPFIX_KIT_TAG ipfix src as Src dst as Dst srcPort as SrcPort dstPort as DstPort port as Port protocolIdentifier as Protocol\n| count by Src Dst SrcPort DstPort Protocol\n| eval if ( Port == SrcPort ) { Server = Src; Client = Dst; } else { Server = Dst; Client = Src; }\n| unique Server Client Port Protocol\n| lookup -r network_services Protocol proto_number 
proto_name as Proto \n| lookup -r network_services Port service_port service_name as Service\n| stats count as Clients by Server Port Protocol\n| sort by Clients desc\n| table Server Proto Port Service Clients\n","UUID":"be1b42d8-48b7-448b-9458-73529f86c4a8"},"Hash":[54,55,15,91,246,219,250,155,10,111,202,108,123,235,15,182,254,216,184,62,124,70,147,35,149,128,169,57,232,124,26,121]},{"Name":"Long Running Sessions","Type":"searchlibrary","AdditionalInfo":{"Name":"Long Running Sessions","Description":"Flows over 20 minutes in duration.","Query":"tag=$IPFIX_KIT_TAG ipfix src as Src dst as Dst srcPort as SrcPort dstPort as DstPort flowDuration \u003e 20m as Duration bytes as Bytes | table Src Dst SrcPort DstPort Bytes Duration","UUID":"a90a0028-3f4a-4b87-a632-2c77b71c0fa4"},"Hash":[235,34,38,9,240,141,78,209,215,133,177,31,184,143,219,131,155,138,160,241,24,239,1,93,64,39,159,49,49,117,31,148]},{"Name":"Most Common Port Flows","Type":"searchlibrary","AdditionalInfo":{"Name":"Most Common Port Flows","Description":"Show the 20 most common ports with averate flow duration and and total traffic","Query":"tag=$IPFIX_KIT_TAG ipfix port as Port bytes as Bytes packets as Pkts protocolIdentifier as Protocol flowDuration as Duration |\nstats count mean(Duration) as AvgDurationNS sum(Bytes) as TotalBytes sum(Pkts) as TotalPackets by Port\n| sort by count desc |\nlimit 20 |\nlookup -r network_services [Protocol Port] [proto_number service_port] (service_name service_desc) |\nlookup -r ip_protocols Protocol Number Name as ProtocolName |\ntable Port service_name count TotalBytes TotalPackets Protocol ProtocolName AvgDurationNS service_desc","UUID":"5180aadd-7808-46c4-bc55-5ce62ad674dc"},"Hash":[105,240,165,87,227,139,255,250,174,232,73,217,29,197,241,163,56,159,19,182,118,57,236,222,141,238,106,26,147,125,240,159]},{"Name":"Point-to-Point Map","Type":"searchlibrary","AdditionalInfo":{"Name":"Point-to-Point Map","Description":"Point to point map of geolocated network 
flows","Query":"tag=$IPFIX_KIT_TAG ipfix src as Src dst as Dst | stats count by Src Dst | geoip Src.Location as src Dst.Location as dst | point2point -mag count -srcloc src -dstloc dst\n","UUID":"8899bfd6-2207-43ef-83ba-dc5b273fae07"},"Hash":[65,18,38,236,253,29,40,38,85,131,159,23,189,207,134,99,182,90,240,146,175,153,169,111,112,50,57,121,155,242,150,21]},{"Name":"Potential Port Scanners","Type":"searchlibrary","AdditionalInfo":{"Name":"Potential Port Scanners","Description":"Show a list of IPs that have touched a very large number of unique ports","Query":"tag=$IPFIX_KIT_TAG ipfix src as Src dst as Dst dstPort as DstPort |\nstats unique_count(DstPort) as UniquePorts by Src |\neval UniquePorts \u003e 30 |\nsort by UniquePorts desc |\ntable Src UniquePorts","UUID":"7816e5ab-99a5-4f06-88e3-97e9fb0c59a3"},"Hash":[43,245,8,216,69,213,11,112,20,9,243,182,8,100,150,55,124,131,24,46,116,207,62,160,167,208,97,183,183,245,193,144]},{"Name":"Private-Public IP Traffic","Type":"searchlibrary","AdditionalInfo":{"Name":"Private-Public IP Traffic","Description":"Table summarizing bytes sent from a non-routable IP address to routable. 
Includes GeoIP country and ASN enrichments.","Query":"tag=$IPFIX_KIT_TAG ipfix ip ~ PRIVATE as IP src as Src dst as Dst port as Port bytes as Bytes\n| stats sum(Bytes) by Src Dst Port\n| eval if ( IP == Src ) { otherIP = Dst; } else { OtherIP = Src; } \n| ip otherIP !~ PRIVATE\n| geoip -r asn_db otherIP.ASNOrg\n| geoip otherIP.Country\n| table Src Dst Port Country ASNOrg sum\n","UUID":"c9efea3a-3faa-4d11-abb2-81ba2d0e72a3"},"Hash":[8,134,3,69,45,169,162,108,192,22,238,79,112,6,224,123,192,181,62,219,227,156,92,150,250,240,254,45,191,195,158,30]},{"Name":"Rare Port Usage","Type":"searchlibrary","AdditionalInfo":{"Name":"Rare Port Usage","Description":"Display the 25 least common ports seen in network flows","Query":"tag=$IPFIX_KIT_TAG ipfix port as Port src as Src dst as Dst srcPort as SrcPort dstPort as DstPort bytes as Bytes packets as Pkts protocolIdentifier as Protocol flowDuration as Duration |\nstats count by Port |\nsort by count asc |\nlimit 25 |\nlookup -r network_services [Protocol Port] [proto_number service_port] (service_name service_desc) |\nlookup -r ip_protocols Protocol Number Name as ProtocolName |\ntable Port service_name count Src SrcPort Dst DstPort Bytes Pkts Protocol Duration service_desc","UUID":"b243ae4e-546c-44ce-b56f-52daccf928a8"},"Hash":[118,168,228,77,191,246,37,178,118,15,123,103,229,28,79,90,179,153,221,195,82,54,63,32,7,48,94,33,223,64,120,9]},{"Name":"Service Activity Chart","Type":"searchlibrary","AdditionalInfo":{"Name":"Service Activity Chart","Description":"Chart of bytes sent organized by service","Query":"tag=$IPFIX_KIT_TAG ipfix src as Src dst as Dst port as Port protocolIdentifier as Protocol bytes as Bytes\n| stats sum(Bytes) by Port Protocol\n| lookup -r network_services Protocol proto_number proto_name as Proto \n| lookup -r network_services Port service_port service_name as Service\n| chart sum by Service Proto limit 
10\n","UUID":"cb38f26c-d187-4e30-a621-1817d8558bd1"},"Hash":[135,214,247,3,63,17,85,107,248,238,45,206,89,190,1,185,59,226,91,63,145,240,178,5,68,59,6,179,202,174,149,10]},{"Name":"Service Usage By Country","Type":"searchlibrary","AdditionalInfo":{"Name":"Service Usage By Country","Description":"Stackgraph of Service usage grouped by Country","Query":"tag=$IPFIX_KIT_TAG ipfix ip!~PRIVATE as IP port as Port protocolIdentifier as Protocol bytes as Bytes |\ngeoip IP.CountryName |\nlookup -r network_services [Protocol Port] [proto_number service_port] (service_name as Service) |\nstats sum(Bytes) as Traffic by CountryName Service |\nstackgraph Traffic CountryName Service","UUID":"e7bb1f98-5ab9-4f5a-805b-40843743833d"},"Hash":[76,47,187,168,90,221,186,149,11,116,100,193,37,237,64,247,44,79,235,232,168,120,26,66,49,80,34,154,149,181,197,31]},{"Name":"Total Traffic and Connection Counts","Type":"searchlibrary","AdditionalInfo":{"Name":"Total Traffic and Connection Counts","Description":"Show total traffic and number of connections as number cards","Query":"tag=$IPFIX_KIT_TAG ipfix src as Src dst as Dst bytes as Bytes |\nstats unique_count(Src) as UniqueSrcIPs unique_count(Dst) as UniqueDstIPs sum(Bytes) as Traffic count as \"Connections\" over 1m |\ngauge UniqueSrcIPs UniqueDstIPs Connections Traffic","UUID":"8085b84f-8329-44d7-8356-148c563ac0f7"},"Hash":[131,74,69,2,218,224,223,244,182,214,12,121,234,174,61,78,221,71,17,152,149,233,1,239,164,105,52,104,40,231,247,198]},{"Name":"Traffic Heatmap","Type":"searchlibrary","AdditionalInfo":{"Name":"Traffic Heatmap","Description":"Global heatmap of total traffic","Query":"tag=$IPFIX_KIT_TAG ipfix ip !~ PRIVATE as IP bytes as Bytes | stats sum(Bytes) as traffic by IP | geoip IP.Location | heatmap 
traffic","UUID":"d05164b4-b668-43c3-b374-c8032b0ef3fb"},"Hash":[222,48,44,219,26,70,147,178,74,231,72,54,69,135,185,235,64,192,230,22,173,42,68,155,230,106,79,55,113,43,74,137]}],"ConfigMacros":[{"MacroName":"IPFIX_KIT_TAG","Description":"The tag(s) with IPFIX records","DefaultValue":"ipfix","Value":"","Type":"TAG","InstalledByID":""}]},{"ID":"io.gravwell.syslog","Name":"syslog","UUID":"77c40f6c-3632-4bb8-a2a8-fe51c9cc373b","Version":6,"Description":"This Syslog kit contains an overview dashboard and some investigative dashboards for easily viewing syslog activity. This kit is intended as a \"getting started with syslog\". It does not attempt to analyze any of the content in the actual syslog Message. The author does not know what syslog you are collecting. :D\n\nLook for syslog derivative kits (e.g. sshd, dnsmasq) in the future!","Readme":"","Signed":true,"AdminRequired":false,"MinVersion":{"Major":5,"Minor":4,"Point":0},"MaxVersion":{"Major":0,"Minor":0,"Point":0},"Size":2332672,"Created":"2024-05-20T21:50:37.126448604Z","Ingesters":["simplerelay"],"Tags":["syslog"],"Assets":[{"Type":"image","Source":"cover.png","Legend":"Syslog","Featured":true,"Banner":false},{"Type":"image","Source":"banner.png","Legend":"Syslog","Featured":true,"Banner":true},{"Type":"readme","Source":"README.md","Legend":"","Featured":false,"Banner":false}],"Dependencies":null,"Items":[{"Name":"syslog_facility","Type":"resource","AdditionalInfo":{"VersionNumber":1,"ResourceName":"syslog_facility","Description":"Lookup table to turn syslog facility codes into text names and descriptions","Size":561,"Labels":["syslog"]},"Hash":[155,249,203,57,148,45,139,163,63,70,73,116,86,177,43,53,158,179,176,55,31,152,96,252,120,134,208,203,44,154,212,98]},{"Name":"syslog_severity","Type":"resource","AdditionalInfo":{"VersionNumber":1,"ResourceName":"syslog_severity","Description":"Lookup table to turn syslog severity codes into text 
names","Size":293,"Labels":["syslog"]},"Hash":[48,235,203,98,194,193,133,132,203,32,3,69,18,188,93,89,17,237,98,198,199,187,255,230,5,40,113,183,81,203,145,49]},{"Name":"0e799dc0-19b0-4f39-8628-f6b3e4e434bd","Type":"dashboard","AdditionalInfo":{"UUID":"0e799dc0-19b0-4f39-8628-f6b3e4e434bd","Name":"Syslog Host and Severity Overview","Description":"Basic overview of syslog severity distribution and active hosts."},"Hash":[251,210,137,46,201,220,86,170,96,227,18,252,20,5,68,43,16,44,21,152,95,120,89,45,47,71,47,214,58,10,212,0]},{"Name":"2ae9c7ea-f8e7-4aff-9837-372fd6c801a2","Type":"dashboard","AdditionalInfo":{"UUID":"2ae9c7ea-f8e7-4aff-9837-372fd6c801a2","Name":"Syslog Investigate Appname","Description":"Provide the Appname for a syslog view"},"Hash":[207,183,211,163,47,28,2,7,124,156,126,168,107,111,167,53,17,80,231,19,63,29,100,11,143,213,93,2,146,247,228,66]},{"Name":"212af6c8-1fe2-4092-baae-e3b60b863a32","Type":"dashboard","AdditionalInfo":{"UUID":"212af6c8-1fe2-4092-baae-e3b60b863a32","Name":"Syslog Overview","Description":"An overview dashboard of syslog activity"},"Hash":[123,53,168,45,177,172,39,42,210,107,251,234,46,105,237,195,128,92,143,50,109,159,97,50,40,10,36,192,94,194,3,208]},{"Name":"271fa2ab-6f47-4872-bb34-60dca7be20d3","Type":"dashboard","AdditionalInfo":{"UUID":"271fa2ab-6f47-4872-bb34-60dca7be20d3","Name":"Syslog investigate Host","Description":"Investigation dashboard for parsed syslog messages having a given Hostname field"},"Hash":[82,144,75,41,98,23,245,82,104,164,124,243,104,93,16,121,215,102,122,104,181,203,143,22,104,200,62,212,242,122,250,32]},{"Name":"ae274b27-aa9f-4489-8ecb-f38ad905e007","Type":"dashboard","AdditionalInfo":{"UUID":"ae274b27-aa9f-4489-8ecb-f38ad905e007","Name":"Syslog investigate SRC","Description":"Investigation dashboard showing all sysmon activity for a given SRC 
address."},"Hash":[237,69,98,164,100,162,197,151,107,113,50,68,142,53,236,81,10,111,78,244,66,200,234,72,10,51,174,213,57,222,182,30]},{"Name":"6236f4a7-a494-42bb-b357-806f399aa5fa","Type":"pivot","AdditionalInfo":{"UUID":"6236f4a7-a494-42bb-b357-806f399aa5fa","Name":"Syslog","Description":"Syslog actionable for investigative dashboards"},"Hash":[244,35,149,229,167,32,100,179,30,5,155,65,199,178,243,41,67,11,87,158,106,43,120,245,111,26,217,4,247,206,212,26]},{"Name":"efff782e-ea10-4f2d-945d-be07563bbd74","Type":"pivot","AdditionalInfo":{"UUID":"efff782e-ea10-4f2d-945d-be07563bbd74","Name":"IP Address","Description":"Syslog IP address triggers"},"Hash":[102,132,182,169,171,60,65,114,164,36,93,115,137,47,164,190,219,62,205,25,194,255,164,101,133,130,136,163,182,175,183,199]},{"Name":"0eddff74-100e-4bb0-b6a6-e8d0df82e169","Type":"template","AdditionalInfo":{"UUID":"0eddff74-100e-4bb0-b6a6-e8d0df82e169","Name":"Syslog apps by host","Description":"Count appnames by the hostname, all parsed from syslog"},"Hash":[78,187,14,252,222,151,229,213,24,145,193,138,9,31,147,182,95,243,187,176,149,99,110,226,253,39,80,247,207,222,126,0]},{"Name":"4c38a47e-b215-4bfe-a905-442cddb53c01","Type":"template","AdditionalInfo":{"UUID":"4c38a47e-b215-4bfe-a905-442cddb53c01","Name":"Syslog by IP SRC","Description":"Filter by Gravwell SRC Source IP. 
You can use the IP directly or provide a filter such as \"~ 10.0.1.0/24\""},"Hash":[51,149,88,61,252,205,104,48,16,216,228,89,57,15,11,30,172,178,173,56,249,23,248,2,102,216,33,114,35,0,177,203]},{"Name":"86ded222-2670-4994-b50a-707afeddff5b","Type":"template","AdditionalInfo":{"UUID":"86ded222-2670-4994-b50a-707afeddff5b","Name":"Syslog Sev by SRC","Description":"Syslog severity by SRC breakdown"},"Hash":[101,191,244,223,112,19,157,207,39,113,66,55,200,102,211,217,35,40,215,228,181,59,246,26,220,193,137,81,72,164,198,79]},{"Name":"276066ea-02c2-45cf-a0f1-dc9bd3e8d26f","Type":"template","AdditionalInfo":{"UUID":"276066ea-02c2-45cf-a0f1-dc9bd3e8d26f","Name":"Syslog by Hostname","Description":"Filter syslog for a given hostname as specified within the syslog entry. Note: entries that fail to parse as syslog will not be found using this template"},"Hash":[56,178,96,49,93,44,202,251,16,124,129,44,145,143,147,58,97,214,124,59,163,55,54,135,37,83,111,5,203,214,35,64]},{"Name":"a1753a07-f744-43c5-9140-7a7a5f6ce8ba","Type":"template","AdditionalInfo":{"UUID":"a1753a07-f744-43c5-9140-7a7a5f6ce8ba","Name":"Syslog sev by Hostname","Description":""},"Hash":[28,240,137,1,86,226,61,212,4,81,50,128,139,254,51,250,4,227,67,40,208,240,38,177,254,91,230,175,240,109,172,215]},{"Name":"c6604281-c67e-4bf3-8b4e-f46e40e7132e","Type":"template","AdditionalInfo":{"UUID":"c6604281-c67e-4bf3-8b4e-f46e40e7132e","Name":"Syslog Hosts by App","Description":""},"Hash":[162,160,58,209,197,22,45,10,243,78,79,77,35,147,248,238,225,170,188,226,67,158,215,62,23,198,223,81,153,254,104,244]},{"Name":"e6e306fc-c136-44d2-b129-edfb8f666829","Type":"template","AdditionalInfo":{"UUID":"e6e306fc-c136-44d2-b129-edfb8f666829","Name":"Syslog by Appname","Description":"All syslog for a given 
App"},"Hash":[173,211,65,210,59,134,254,127,104,49,152,250,148,153,152,109,34,143,197,99,13,113,241,84,241,121,200,251,98,155,250,67]},{"Name":"e2852eb0-6451-4f2e-8b4c-832b74f7f0f1","Type":"template","AdditionalInfo":{"UUID":"e2852eb0-6451-4f2e-8b4c-832b74f7f0f1","Name":"Syslog Apps by SRC","Description":"Appname by SRC"},"Hash":[29,142,177,83,74,33,105,75,170,75,160,114,176,160,112,128,208,186,57,232,27,8,22,93,173,89,25,60,121,21,102,114]},{"Name":"cee7c9ec-be90-499e-b955-4b8669138d31","Type":"template","AdditionalInfo":{"UUID":"cee7c9ec-be90-499e-b955-4b8669138d31","Name":"Syslog unparsable Hostname by SRC","Description":"Shows valid syslogs where a Hostname was not extracted."},"Hash":[172,148,22,55,159,125,119,213,182,89,24,127,235,72,39,244,168,43,69,36,225,107,101,169,54,149,86,70,144,94,200,11]},{"Name":"64cc610a-2a92-4a3c-a363-efcfa67e7d2a","Type":"file","AdditionalInfo":{"UUID":"64cc610a-2a92-4a3c-a363-efcfa67e7d2a","Name":"ff banner","Description":"","Size":1210605,"ContentType":"image/png"},"Hash":[211,39,134,23,166,243,251,242,94,45,200,252,66,245,209,218,45,81,179,142,211,24,186,195,156,175,18,126,169,183,186,45]},{"Name":"f9a79ae0-3820-4683-a819-2d48d8b50002","Type":"file","AdditionalInfo":{"UUID":"f9a79ae0-3820-4683-a819-2d48d8b50002","Name":"ff cover","Description":"","Size":497567,"ContentType":"image/png"},"Hash":[63,143,157,184,47,80,141,137,150,149,249,14,52,64,42,164,38,86,22,73,140,11,243,42,219,74,45,0,115,133,44,202]},{"Name":"SYSLOG","Type":"macro","AdditionalInfo":{"Name":"SYSLOG","Description":"Syslog tag (It's probably \"syslog\")","Expansion":"syslog"},"Hash":[202,161,43,19,138,54,186,22,150,250,246,119,172,64,193,99,103,106,234,142,215,79,177,137,196,3,178,94,147,205,133,33]},{"Name":"7e3ed14d-8b74-420f-bd45-f097a175f65d","Type":"searchlibrary","AdditionalInfo":{"Name":"Syslog: Appname","Description":"Table of Application Name Counts","Query":"tag=$SYSLOG syslog Appname \n| stats count by Appname \n| table Appname 
count","UUID":"7e3ed14d-8b74-420f-bd45-f097a175f65d"},"Hash":[156,205,22,244,83,175,152,91,156,196,52,30,67,197,42,19,27,172,178,133,196,188,213,19,206,248,169,182,154,11,77,18]},{"Name":"8fece70c-e5a7-4536-a7c0-bea0f6758bcd","Type":"searchlibrary","AdditionalInfo":{"Name":"Syslog: Lookup by Facility","Description":"Chart Top 16 Facilities with the most logs.","Query":"tag=$SYSLOG syslog Facility \n| stats count by Facility \n| lookup -r syslog_facility Facility code facility \n| chart count by facility limit 16","UUID":"8fece70c-e5a7-4536-a7c0-bea0f6758bcd"},"Hash":[63,213,77,103,170,188,38,136,109,136,233,151,78,24,174,137,10,37,232,209,93,28,144,107,52,5,124,37,50,141,141,32]},{"Name":"59bb1401-fdc9-4586-881a-2b84c1c7fa20","Type":"searchlibrary","AdditionalInfo":{"Name":"Syslog: Hostname","Description":"Table of Hostname Counts","Query":"tag=$SYSLOG syslog Hostname \n| stats count by Hostname \n| table Hostname count","UUID":"59bb1401-fdc9-4586-881a-2b84c1c7fa20"},"Hash":[89,181,11,175,27,189,209,25,58,204,26,201,52,50,88,76,184,17,234,214,2,43,251,2,1,56,235,8,147,63,202,227]},{"Name":"68d50b7d-662a-43bf-8964-afe66dad4d75","Type":"searchlibrary","AdditionalInfo":{"Name":"Syslog: chart by sev count","Description":"A chart of syslog severities.","Query":"tag=$SYSLOG syslog Severity\n| stats count by Severity\n| lookup -r syslog_severity Severity code severity\n| chart count by severity ","UUID":"68d50b7d-662a-43bf-8964-afe66dad4d75"},"Hash":[252,172,173,170,222,187,94,2,227,85,60,234,87,106,55,24,206,18,229,157,10,250,181,132,30,129,202,254,159,116,233,240]},{"Name":"72eb1ce6-cd98-4465-a709-c1cdb0726bb1","Type":"searchlibrary","AdditionalInfo":{"Name":"Syslog: chart by host+appname","Description":"A stackgraph of syslog messages broken out by hostname and appname.","Query":"tag=$SYSLOG syslog Severity Hostname Appname Message \n| stats count by Hostname Appname \n| stackgraph Hostname Appname 
count\n","UUID":"72eb1ce6-cd98-4465-a709-c1cdb0726bb1"},"Hash":[181,20,233,238,21,254,10,148,29,112,59,28,242,220,216,254,102,124,16,88,171,196,56,151,10,199,54,155,203,4,15,41]},{"Name":"780ef7b6-f638-4d5d-a15c-f7f610e9e23a","Type":"searchlibrary","AdditionalInfo":{"Name":"Syslog: Hosts and Apps with Errors","Description":"Table of Hosts and Apps with Errors","Query":"tag=$SYSLOG syslog Hostname Appname Severity \u003c 4 /* error or higher */ \n| stats count by Severity Hostname Appname \n| lookup -r syslog_severity Severity code severity as Severity \n| table Hostname Appname Severity count","UUID":"780ef7b6-f638-4d5d-a15c-f7f610e9e23a"},"Hash":[55,8,78,115,81,185,214,178,229,129,189,64,22,118,101,194,53,208,7,33,179,250,120,119,140,112,109,53,17,102,65,253]},{"Name":"376190ef-7bbc-4260-99c7-02c35b518a27","Type":"searchlibrary","AdditionalInfo":{"Name":"Syslog: last 100 results","Description":"Most recent 100 syslog entries","Query":"tag=$SYSLOG syslog Hostname Appname Severity Message \n| limit 100 \n| table SRC Hostname Appname Severity Message","UUID":"376190ef-7bbc-4260-99c7-02c35b518a27"},"Hash":[115,181,10,111,1,62,237,184,18,249,243,50,157,226,216,106,60,255,62,29,141,122,163,195,167,72,70,112,198,23,183,230]},{"Name":"a5c3527d-ca53-4396-83b5-39e248833ab7","Type":"searchlibrary","AdditionalInfo":{"Name":"Syslog: event counts by host","Description":"Count of events by Gravwell SRC and syslog Hostname","Query":"tag=$SYSLOG syslog Hostname \n| count by SRC Hostname \n| table SRC Hostname count\n","UUID":"a5c3527d-ca53-4396-83b5-39e248833ab7"},"Hash":[237,209,124,249,220,40,209,191,34,175,234,229,218,211,246,200,253,163,214,226,176,113,2,92,108,150,102,142,227,75,178,226]},{"Name":"c60a9022-e57e-4241-a1e5-6e7f38038939","Type":"searchlibrary","AdditionalInfo":{"Name":"Syslog: chart Src+app","Description":"Syslog breakdown of entries by SRC and Appname","Query":"tag=$SYSLOG syslog Hostname Appname Severity Message \n| stats count by SRC Appname \n| stackgraph 
SRC Appname count","UUID":"c60a9022-e57e-4241-a1e5-6e7f38038939"},"Hash":[89,66,75,212,100,40,198,35,178,57,190,161,161,239,186,44,185,53,183,26,159,95,81,54,51,35,141,26,235,204,170,73]},{"Name":"d8d2c4ad-046e-47d4-b383-98f2b5b253f2","Type":"searchlibrary","AdditionalInfo":{"Name":"Syslog: Num Crit and Errors","Description":"Number of Syslog Critical and Errors","Query":"tag=$SYSLOG syslog Severity \u003c 4 /* error or higher */ \n| stats count by Severity \n| lookup -r syslog_severity Severity code severity as Severity \n| numbercard count","UUID":"d8d2c4ad-046e-47d4-b383-98f2b5b253f2"},"Hash":[93,164,145,76,116,151,52,35,141,213,95,107,165,37,221,86,116,214,222,195,243,54,117,130,71,10,17,148,228,129,159,228]},{"Name":"ea206fcb-c2cb-4a67-9046-2c6c58e21173","Type":"searchlibrary","AdditionalInfo":{"Name":"Syslog: unparsable","Description":"Syslog that did not parse to populate Hostname","Query":"tag=$SYSLOG syslog Hostname==\"\" \n| table SRC DATA","UUID":"ea206fcb-c2cb-4a67-9046-2c6c58e21173"},"Hash":[22,245,194,201,108,71,68,104,75,229,152,157,70,78,144,96,244,1,20,198,8,116,172,42,116,250,157,75,143,185,95,243]}],"ConfigMacros":[{"MacroName":"SYSLOG","Description":"Syslog tag (It's probably \"syslog\")","DefaultValue":"syslog","Value":"","Type":"TAG","InstalledByID":""}]},{"ID":"io.gravwell.netflowv5","Name":"Netflow v5","UUID":"9164a6d3-1d01-443a-ae57-523cd920455b","Version":9,"Description":"This kit provides ready-to-roll dashboards, queries, templates, playbooks, and actionables for analyzing Netflow v5","Readme":"","Signed":true,"AdminRequired":false,"MinVersion":{"Major":5,"Minor":4,"Point":0},"MaxVersion":{"Major":0,"Minor":0,"Point":0},"Size":225792,"Created":"2023-12-22T23:24:08.015987481Z","Ingesters":["netflow","flow"],"Tags":["netflow"],"Assets":[{"Type":"image","Source":"cover.jpg","Legend":"Netflow 
v5","Featured":true,"Banner":false},{"Type":"readme","Source":"README.md","Legend":"","Featured":false,"Banner":false}],"Dependencies":[{"ID":"io.gravwell.networkenrichment","MinVersion":8}],"Items":[{"Name":"068864a8-a365-43dd-af12-efd940270e25","Type":"playbook","AdditionalInfo":{"UUID":"c9da126b-1608-4740-a7cd-45495e8341a3","Name":"Netflow V5 Playbook","Description":"A top-level playbook for netflow, with background and starting points."},"Hash":[170,195,215,18,222,117,222,57,101,231,48,224,170,13,206,171,201,251,155,144,44,79,28,30,33,193,245,34,82,168,157,3]},{"Name":"1f0571a5-2d34-4bab-a3ea-7ca16cf47f3f","Type":"template","AdditionalInfo":{"UUID":"1f0571a5-2d34-4bab-a3ea-7ca16cf47f3f","Name":"Service Intranet Communication Graph","Description":"FDG showing communications between non-routable IP addresses over a given port"},"Hash":[230,89,70,171,153,174,252,137,95,164,183,101,49,43,217,199,39,171,228,168,247,55,9,202,15,173,129,86,189,121,121,59]},{"Name":"22","Type":"dashboard","AdditionalInfo":{"UUID":"3c295e00-4c31-4bee-a41c-4e10d8fc8ec0","Name":"Netflow V5 IP Investigation Dashboard","Description":"IP investigation dashboard for Netflow V5\nProvide an overview of netflow activity for a given IP using Netflow V5 logs"},"Hash":[233,0,191,149,169,105,194,159,14,57,253,150,210,94,115,59,55,111,228,124,68,36,56,176,31,15,37,233,178,218,105,70]},{"Name":"23","Type":"dashboard","AdditionalInfo":{"UUID":"1e0c4c03-2f76-4879-a6c6-9daae30a8664","Name":"Netflow V5 Traffic Overview","Description":"General Netflow V5 Traffic Overview"},"Hash":[10,57,26,182,188,150,253,148,53,237,96,228,105,109,186,122,173,195,21,248,233,250,59,147,196,107,144,35,219,49,233,153]},{"Name":"30cc6bfb-77b8-46df-b68d-ed49c66e6e84","Type":"template","AdditionalInfo":{"UUID":"30cc6bfb-77b8-46df-b68d-ed49c66e6e84","Name":"Most active peers by connections","Description":"Show the most active peers by number of flows where traffic is 
sent"},"Hash":[124,206,95,94,235,223,26,99,51,34,190,130,129,109,69,244,120,79,135,132,149,233,192,26,245,220,112,188,9,2,59,188]},{"Name":"34ba8372-0314-460a-9742-5a65c18d6241","Type":"pivot","AdditionalInfo":{"UUID":"34ba8372-0314-460a-9742-5a65c18d6241","Name":"Network Port","Description":"Actions to take on a network port, e.g. 22"},"Hash":[19,128,2,207,88,177,38,16,1,110,68,222,106,167,75,23,129,250,164,44,55,122,239,68,21,49,112,2,83,98,179,92]},{"Name":"3bf5d876-8ecf-41ae-a8e8-934d6baea7b8","Type":"template","AdditionalInfo":{"UUID":"3bf5d876-8ecf-41ae-a8e8-934d6baea7b8","Name":"Rare Port Usage","Description":"Investigate rare port usage for a given IP"},"Hash":[250,156,189,158,115,148,117,252,188,179,221,11,87,128,218,103,191,57,183,99,82,97,121,186,206,75,0,240,17,156,104,230]},{"Name":"3e383fbc-8431-48b5-9c78-0fd019fd192b","Type":"template","AdditionalInfo":{"UUID":"3e383fbc-8431-48b5-9c78-0fd019fd192b","Name":"Highest Outbound Traffic Peers","Description":"Show peers with the most outbound traffic"},"Hash":[100,19,246,140,188,74,203,122,180,177,31,246,94,173,11,186,42,192,112,246,182,100,97,132,248,24,136,155,47,132,77,86]},{"Name":"4465a220-c668-4746-8ef7-ac0605845876","Type":"template","AdditionalInfo":{"UUID":"4465a220-c668-4746-8ef7-ac0605845876","Name":"Outbound Traffic Heatmap","Description":"Show outbound traffic heatmap for a specific IP"},"Hash":[167,49,60,85,69,25,238,99,142,4,69,185,245,248,42,182,169,11,176,22,252,77,60,197,128,77,3,43,13,120,189,235]},{"Name":"48c6b0ef-6e76-4208-bca7-0b95e4700bdd","Type":"file","AdditionalInfo":{"UUID":"48c6b0ef-6e76-4208-bca7-0b95e4700bdd","Name":"Netflow playbook cover","Description":"Cover image used for Netflow v5 
playbook","Size":110135,"ContentType":"image/jpeg"},"Hash":[146,218,47,28,241,194,116,134,112,164,180,133,95,83,59,48,189,54,108,92,189,129,184,158,212,81,6,170,20,70,86,140]},{"Name":"646b23b2-fd48-432b-b1b7-5ad7be01cb71","Type":"template","AdditionalInfo":{"UUID":"646b23b2-fd48-432b-b1b7-5ad7be01cb71","Name":"Traffic and packet sums for a specific IP","Description":"Line chart showing packet and traffic totals for a given IP"},"Hash":[85,165,216,107,249,241,87,1,58,156,23,65,101,169,132,209,62,186,8,90,79,21,23,128,136,148,27,222,66,18,121,203]},{"Name":"6ab6bfe3-41c7-4081-b0e7-0f0a73afe837","Type":"template","AdditionalInfo":{"UUID":"6ab6bfe3-41c7-4081-b0e7-0f0a73afe837","Name":"Long running flows IP investigator","Description":"Investigation template for identifying flows of over 20 minute duration for a given IP address"},"Hash":[217,166,77,218,32,147,114,176,105,59,45,231,181,23,149,9,127,100,211,46,212,23,238,106,187,239,30,204,215,116,141,196]},{"Name":"ab6bdcf1-3ae7-460f-bbc8-02fc4c4c2b0a","Type":"template","AdditionalInfo":{"UUID":"ab6bdcf1-3ae7-460f-bbc8-02fc4c4c2b0a","Name":"Inbound traffic heatmap","Description":"Display inbound traffic heatmap for an IP"},"Hash":[221,24,97,235,115,44,87,190,34,0,19,162,96,46,123,241,56,226,187,14,70,67,202,162,78,29,178,102,199,211,122,93]},{"Name":"aeae08f3-00c1-4034-a86e-d6efcee7dc9b","Type":"template","AdditionalInfo":{"UUID":"aeae08f3-00c1-4034-a86e-d6efcee7dc9b","Name":"IP Service Chart","Description":"Show service traffic and packet rates"},"Hash":[208,208,37,133,243,234,203,143,227,27,208,189,243,21,142,2,43,182,235,170,144,226,19,149,204,90,11,155,9,100,13,87]},{"Name":"Average Connection Duration by Protocol","Type":"searchlibrary","AdditionalInfo":{"Name":"Average Connection Duration by Protocol","Description":"Chart the average connection duration by IP protocol","Query":"tag=netflow netflow Protocol Duration |\neval dursec = Duration / 1000000000; |\nstats mean(dursec) as AverageConnectionDuration by 
Protocol |\nlookup -r ip_protocols Protocol Number Name as ProtocolName |\nchart AverageConnectionDuration by ProtocolName\n","UUID":"dc828765-4b17-478e-bfeb-c018959c17d8"},"Hash":[142,8,4,139,122,226,211,102,167,177,187,107,110,60,55,3,204,142,111,86,43,148,130,125,54,67,123,37,89,122,157,118]},{"Name":"Average Packet Size by Protocol","Type":"searchlibrary","AdditionalInfo":{"Name":"Average Packet Size by Protocol","Description":"Chart the average packet size by protocol","Query":"tag=netflow netflow Pkts Bytes Protocol |\nstats sum(Pkts) as pktsum sum(Bytes) as bytesum by Protocol over 1m | eval pktsz = float(bytesum) / float(pktsum); | \nstats mean(pktsz) as AveragePacketSize by Protocol|\nlookup -r ip_protocols Protocol Number Name |\nchart AveragePacketSize by Name\n","UUID":"9d61117e-6fa7-4485-99b6-6f4fbe3dbfaf"},"Hash":[211,44,242,200,136,221,162,165,149,135,12,231,38,138,12,86,184,95,203,73,173,35,142,55,203,208,185,208,224,220,227,68]},{"Name":"Average Traffic Throughput By Service","Type":"searchlibrary","AdditionalInfo":{"Name":"Average Traffic Throughput By Service","Description":"Average traffic throughput by service. Note: the AvgMBps value is computed as sum(Bytes) per 1-minute bucket divided by 60, i.e. bytes per second, not megabytes per second.","Query":"tag=netflow netflow Port Bytes |\nstats sum(Bytes) by Port over 1m |\neval throughput = float(sum) / 60.0 |\nstats count mean(throughput) as AvgMBps by Port |\nalias Port Service |\nlookup -r network_services Port service_port service_name as Service |\nchart AvgMBps by Service limit 20\n","UUID":"22166a78-48b1-4c68-be19-8bd75145b6d2"},"Hash":[150,222,11,34,156,231,37,114,254,200,6,14,67,9,170,212,200,170,176,217,73,68,90,66,153,138,205,16,250,57,82,196]},{"Name":"b5652f0d-a3b9-42ed-8b03-cc6382cde248","Type":"template","AdditionalInfo":{"UUID":"b5652f0d-a3b9-42ed-8b03-cc6382cde248","Name":"Most common ports","Description":"Display the most common ports and their service 
names"},"Hash":[154,60,20,134,190,55,85,183,177,202,7,25,16,232,207,9,214,180,174,56,105,4,200,49,119,243,217,213,148,63,171,3]},{"Name":"c6420707-be44-4880-8933-0319571b7ca9","Type":"template","AdditionalInfo":{"UUID":"c6420707-be44-4880-8933-0319571b7ca9","Name":"IP Traffic Overview","Description":"Show average traffic rates for a target IP"},"Hash":[57,63,87,51,96,163,88,104,208,144,169,44,164,215,113,70,197,181,224,161,66,29,195,83,226,99,228,172,207,202,224,209]},{"Name":"cab59988-1506-4cac-b33f-747f7f723fcf","Type":"template","AdditionalInfo":{"UUID":"cab59988-1506-4cac-b33f-747f7f723fcf","Name":"IP Traffic accounting","Description":"Show inbound and outbound traffic graph for a specific IP"},"Hash":[33,235,167,151,168,157,14,69,49,153,166,105,172,134,96,151,105,144,229,253,243,105,150,161,245,59,29,118,188,241,101,69]},{"Name":"Connection Count By Protocol","Type":"searchlibrary","AdditionalInfo":{"Name":"Connection Count By Protocol","Description":"Chart Connection counts by Protocol","Query":"tag=netflow netflow Protocol |\nstats count as Connections by Protocol |\nlookup -r ip_protocols Protocol Number Name as ProtocolName |\nchart Connections by ProtocolName","UUID":"04d3bdd4-4d1a-403b-9757-9a6bc0105127"},"Hash":[136,194,152,86,91,249,85,118,141,116,112,89,157,227,250,60,28,68,141,223,183,93,118,200,98,35,93,34,108,18,96,152]},{"Name":"Country to Country Traffic Aggregates","Type":"searchlibrary","AdditionalInfo":{"Name":"Country to Country Traffic Aggregates","Description":"Table showing total packets, connections, and traffic between countries","Query":"tag=netflow netflow Src Dst Pkts Bytes |\ngeoip Src.CountryName as SrcCountry Dst.CountryName as DstCountry |\nstats sum(Pkts) as Packets sum(Bytes) as Traffic count as Connections by SrcCountry DstCountry |\nsort by Traffic desc | \ntable SrcCountry DstCountry Connections Traffic 
Packets","UUID":"ebcdf3da-ee7f-4a48-810c-78b1a213d01e"},"Hash":[98,214,115,220,238,187,67,80,83,60,230,227,187,240,193,180,83,93,51,154,155,42,95,203,245,185,91,53,16,136,12,167]},{"Name":"dbcde89d-2f54-4f59-bc56-3793635e7e4b","Type":"pivot","AdditionalInfo":{"UUID":"dbcde89d-2f54-4f59-bc56-3793635e7e4b","Name":"IP Address","Description":"Actionable based on detected IP addresses"},"Hash":[245,198,190,236,191,45,236,44,178,218,137,50,57,1,54,122,120,3,89,191,51,248,151,230,66,171,127,42,92,144,253,13]},{"Name":"Force Directed Graph of ASN Traffic","Type":"searchlibrary","AdditionalInfo":{"Name":"Force Directed Graph of ASN Traffic","Description":"Show Force Directed Graph of traffic between ASNs","Query":"tag=netflow netflow Src Dst Bytes | geoip -r asn_db Src.ASNOrg as SrcASNOrg Dst.ASNOrg as DstASNOrg | stats sum(Bytes) by SrcASNOrg DstASNOrg | fdg -v sum SrcASNOrg DstASNOrg","UUID":"7780db62-f960-48ba-8e6f-5f809919c6f0"},"Hash":[254,68,40,74,129,193,165,136,127,214,64,207,99,41,13,233,201,101,135,16,44,35,79,249,252,207,2,50,210,92,14,73]},{"Name":"Inbound Traffic Chart","Type":"searchlibrary","AdditionalInfo":{"Name":"Inbound Traffic Chart","Description":"Traffic from routable to non-routable","Query":"tag=netflow netflow Src !~ PRIVATE Dst ~ PRIVATE Bytes | stats sum(Bytes) by Dst | chart sum by Dst limit 20","UUID":"0befd828-b22a-4275-aa31-cc47c3d87227"},"Hash":[47,146,59,50,174,59,163,119,120,69,144,22,235,27,188,233,46,16,97,116,10,225,156,213,13,115,147,250,93,188,144,215]},{"Name":"Intranet Communication Paths","Type":"searchlibrary","AdditionalInfo":{"Name":"Intranet Communication Paths","Description":"Connections between private IP addresses on any port.","Query":"tag=netflow netflow Src ~ PRIVATE Dst ~ PRIVATE SrcPort DstPort Bytes | stats sum(Bytes) by Src Dst | fdg -v sum Src 
Dst","UUID":"688a52e3-4791-415a-a0fb-7765c1f27dd7"},"Hash":[7,15,89,199,214,112,103,27,237,12,48,109,162,206,103,68,1,249,231,233,111,218,85,223,90,173,128,125,46,82,23,93]},{"Name":"IPs Hosting Services","Type":"searchlibrary","AdditionalInfo":{"Name":"IPs Hosting Services","Description":"Table of IPs, what services they are hosting, and how many clients have been served","Query":"tag=netflow netflow Src Dst SrcPort DstPort Port Protocol\n| count by Src Dst SrcPort DstPort Protocol\n| eval if ( Port == SrcPort ) { Server = Src; Client = Dst; } else { Server = Dst; Client = Src; }\n| unique Server Client Port Protocol\n| lookup -r network_services Protocol proto_number proto_name as Proto \n| lookup -r network_services Port service_port service_name as Service\n| stats count as Clients by Server Port Protocol\n| sort by Clients desc\n| table Server Proto Port Service Clients\n","UUID":"987fd879-d22c-45d7-bdbd-4af91be83dd8"},"Hash":[8,72,179,188,185,167,168,21,42,176,206,32,88,145,44,193,240,6,9,19,30,223,200,52,31,113,208,201,18,90,185,190]},{"Name":"Long Running Sessions","Type":"searchlibrary","AdditionalInfo":{"Name":"Long Running Sessions","Description":"Flows over 20 minutes in duration. 
Calculated by Server Uptime First and Uptime Last properties of Netflow v5.","Query":"tag=netflow netflow Src Dst SrcPort DstPort UptimeFirst UptimeLast Duration \u003e 20m Bytes Timestamp Uptime | table Src Dst SrcPort DstPort Bytes Duration","UUID":"01bc7a00-f489-45df-ab09-87360260e424"},"Hash":[17,38,220,24,58,232,236,77,93,224,28,175,208,152,148,6,61,163,42,172,173,116,200,108,152,143,243,163,200,121,166,20]},{"Name":"Most Common Port Flows","Type":"searchlibrary","AdditionalInfo":{"Name":"Most Common Port Flows","Description":"Show the 20 most common ports with average flow duration and total traffic","Query":"tag=netflow netflow Port Bytes Pkts Protocol Duration |\nstats count mean(Duration) as AvgDurationNS sum(Bytes) as TotalBytes sum(Pkts) as TotalPackets by Port\n| sort by count desc |\nlimit 20 |\nlookup -r network_services [Protocol Port] [proto_number service_port] (service_name service_desc) |\nlookup -r ip_protocols Protocol Number Name as ProtocolName |\ntable Port service_name count TotalBytes TotalPackets ProtocolName Protocol AvgDurationNS service_desc\n","UUID":"cf9312f4-0384-4d4e-b0cb-febc4573e912"},"Hash":[133,186,7,142,148,200,163,26,27,27,20,167,11,80,122,29,80,93,96,180,47,7,78,206,182,126,237,41,102,88,68,198]},{"Name":"Netflow Traffic by Protocol","Type":"searchlibrary","AdditionalInfo":{"Name":"Netflow Traffic by Protocol","Description":"Chart Traffic By Protocol","Query":"tag=netflow netflow Protocol Bytes |\nstats sum(Bytes) as Traffic by Protocol |\nlookup -r ip_protocols Protocol Number Name as ProtocolName |\nchart Traffic by ProtocolName","UUID":"195644a4-bc46-4702-9d4f-f082ea3dbeef"},"Hash":[249,77,33,140,207,85,20,245,214,149,187,114,133,185,160,79,208,91,45,144,10,246,102,120,161,24,53,231,203,154,100,135]},{"Name":"Point-to-Point Map","Type":"searchlibrary","AdditionalInfo":{"Name":"Point-to-Point Map","Description":"Point to point map of geolocated network flows","Query":"tag=netflow netflow Src Dst | stats count by Src 
Dst | geoip Src.Location as src Dst.Location as dst | point2point -mag count -srcloc src -dstloc dst\n","UUID":"b8bd4938-a511-4bbd-844a-55efef18deb7"},"Hash":[24,158,103,85,60,85,169,15,11,217,105,160,176,87,44,85,158,103,155,151,220,53,34,176,50,76,210,23,232,171,254,25]},{"Name":"Potential Port Scanners","Type":"searchlibrary","AdditionalInfo":{"Name":"Potential Port Scanners","Description":"Show a list of source IPs that have touched more than 30 unique destination ports within the search window. Ports are counted across all destinations, so a host that legitimately talks to many different services can also appear; treat hits as leads, not confirmed scans.","Query":"tag=netflow netflow Src Dst DstPort |\nstats unique_count(DstPort) as UniquePorts by Src |\neval UniquePorts \u003e 30 |\nsort by UniquePorts desc |\ntable Src UniquePorts","UUID":"59927e19-621d-43f2-a38e-b2e80af85e88"},"Hash":[116,49,246,129,93,252,114,54,36,94,157,135,11,24,204,134,36,67,244,150,162,193,136,157,214,223,164,166,132,61,44,82]},{"Name":"Private \u003c\u003e Public IP Traffic","Type":"searchlibrary","AdditionalInfo":{"Name":"Private \u003c\u003e Public IP Traffic","Description":"Table summarizing bytes exchanged between non-routable and routable IP addresses (flows in either direction, as either Src or Dst may be the private side). 
Includes GeoIP country and ASN enrichments.","Query":"tag=netflow netflow IP ~ PRIVATE Src Dst Port Bytes\n| stats sum(Bytes) by Src Dst Port\n| eval if( IP == Src ) { otherIP = Dst; } else { otherIP = Src; }\n| ip otherIP !~ PRIVATE\n| geoip -r asn_db otherIP.ASNOrg\n| geoip otherIP.Country\n| table Src Dst Port Country ASNOrg sum\n","UUID":"6b9d4d4a-c164-43c1-b201-3b92d310b1d3"},"Hash":[231,52,145,33,228,45,26,71,75,68,158,63,78,239,85,24,57,197,209,99,63,105,17,59,10,166,168,29,115,29,7,7]},{"Name":"Rare Port Usage","Type":"searchlibrary","AdditionalInfo":{"Name":"Rare Port Usage","Description":"Display the 25 least common ports seen in network flows","Query":"tag=netflow netflow Port Src Dst SrcPort DstPort Bytes Pkts Protocol Duration |\nstats count by Port |\nsort by count asc |\nlimit 25 |\nlookup -r network_services [Protocol Port] [proto_number service_port] (service_name service_desc) |\nlookup -r ip_protocols Protocol Number Name as ProtocolName |\ntable Port service_name count Src SrcPort Dst DstPort Bytes Pkts ProtocolName Protocol Duration service_desc\n","UUID":"7a2364c2-7ba2-417c-adbd-67e9874f5fac"},"Hash":[167,226,10,107,228,229,198,198,152,50,15,14,240,238,59,118,246,74,108,44,196,198,187,32,122,29,134,0,49,166,250,158]},{"Name":"Service Activity Chart","Type":"searchlibrary","AdditionalInfo":{"Name":"Service Activity Chart","Description":"Chart of bytes sent organized by service","Query":"tag=netflow netflow Src Dst Port Protocol Bytes\n| stats sum(Bytes) by Port Protocol\n| lookup -r network_services Protocol proto_number proto_name as Proto \n| lookup -r network_services Port service_port service_name as Service\n| chart sum by Service Proto limit 10\n","UUID":"9fe37aaa-3217-4b71-838e-d94692860fb3"},"Hash":[63,99,7,13,193,118,171,162,122,225,79,230,171,202,106,18,33,210,230,130,187,93,32,135,238,240,108,177,28,152,131,207]},{"Name":"Service Usage By Country","Type":"searchlibrary","AdditionalInfo":{"Name":"Service Usage By 
Country","Description":"Stackgraph of Service usage grouped by Country","Query":"tag=netflow netflow IP!~PRIVATE Port Protocol Bytes |\ngeoip IP.CountryName |\nlookup -r network_services [Protocol Port] [proto_number service_port] (service_name as Service) |\nstats sum(Bytes) as Traffic by CountryName Service |\nstackgraph Traffic CountryName Service","UUID":"fd86e6a6-dccd-4438-b470-70693c004218"},"Hash":[214,85,141,206,94,105,53,106,243,105,186,183,226,101,177,131,99,152,209,229,145,57,199,57,229,193,10,69,120,59,41,49]},{"Name":"Total Traffic and Connection Counts","Type":"searchlibrary","AdditionalInfo":{"Name":"Total Traffic and Connection Counts","Description":"Show total traffic and number of connections as number cards","Query":"tag=netflow netflow Src Dst Bytes |\nstats unique_count(Src) as UniqueSrcIPs unique_count(Dst) as UniqueDstIPs sum(Bytes) as Traffic count as \"Connections\" over 1m |\ngauge UniqueSrcIPs UniqueDstIPs Connections Traffic","UUID":"59d3a7d7-eb34-432f-953c-f773e7a03479"},"Hash":[91,123,177,64,237,146,110,181,209,213,43,73,207,129,174,222,72,1,67,34,151,28,20,120,166,152,195,146,59,35,133,253]},{"Name":"Traffic Heatmap","Type":"searchlibrary","AdditionalInfo":{"Name":"Traffic Heatmap","Description":"Global heatmap of total traffic","Query":"tag=netflow netflow IP !~ PRIVATE Bytes | stats sum(Bytes) as traffic by IP | geoip IP.Location | heatmap traffic","UUID":"83c33cd1-5cbb-4986-af69-d5e067597c15"},"Hash":[6,167,217,226,194,219,166,39,100,187,16,177,165,216,204,72,130,128,135,244,96,140,246,95,170,174,120,87,253,242,235,63]}],"ConfigMacros":null},{"ID":"io.gravwell.juniper","Name":"Juniper","UUID":"95cba468-011d-406f-b211-fe31133c0a5d","Version":5,"Description":"The Gravwell Juniper Kit provides a baseline set of queries, dashboards, templates, and investigative resources for Juniper 
devices.","Readme":"","Signed":true,"AdminRequired":false,"MinVersion":{"Major":5,"Minor":5,"Point":0},"MaxVersion":{"Major":0,"Minor":0,"Point":0},"Size":355840,"Created":"2025-05-05T19:08:37.373120611Z","Ingesters":null,"Tags":["juniper"],"Assets":[{"Type":"image","Source":"cover.png","Legend":"Juniper","Featured":true,"Banner":false},{"Type":"image","Source":"banner.png","Legend":"Juniper","Featured":true,"Banner":true},{"Type":"readme","Source":"README.md","Legend":"","Featured":false,"Banner":false}],"Dependencies":null,"Items":[{"Name":"Apache 2.0 License","Type":"license","AdditionalInfo":" Apache License\n Version 2.0, January 2004\n http://www.apache.org/licenses/\n\n TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n 1. Definitions.\n\n \"License\" shall mean the terms and conditions for use, reproduction,\n and distribution as defined by Sections 1 through 9 of this document.\n\n \"Licensor\" shall mean the copyright owner or entity authorized by\n the copyright owner that is granting the License.\n\n \"Legal Entity\" shall mean the union of the acting entity and all\n other entities that control, are controlled by, or are under common\n control with that entity. 
For the purposes of this definition,\n \"control\" means (i) the power, direct or indirect, to cause the\n direction or management of such entity, whether by contract or\n otherwise, or (ii) ownership of fifty percent (50%) or more of the\n outstanding shares, or (iii) beneficial ownership of such entity.\n\n \"You\" (or \"Your\") shall mean an individual or Legal Entity\n exercising permissions granted by this License.\n\n \"Source\" form shall mean the preferred form for making modifications,\n including but not limited to software source code, documentation\n source, and configuration files.\n\n \"Object\" form shall mean any form resulting from mechanical\n transformation or translation of a Source form, including but\n not limited to compiled object code, generated documentation,\n and conversions to other media types.\n\n \"Work\" shall mean the work of authorship, whether in Source or\n Object form, made available under the License, as indicated by a\n copyright notice that is included in or attached to the work\n (an example is provided in the Appendix below).\n\n \"Derivative Works\" shall mean any work, whether in Source or Object\n form, that is based on (or derived from) the Work and for which the\n editorial revisions, annotations, elaborations, or other modifications\n represent, as a whole, an original work of authorship. For the purposes\n of this License, Derivative Works shall not include works that remain\n separable from, or merely link (or bind by name) to the interfaces of,\n the Work and Derivative Works thereof.\n\n \"Contribution\" shall mean any work of authorship, including\n the original version of the Work and any modifications or additions\n to that Work or Derivative Works thereof, that is intentionally\n submitted to Licensor for inclusion in the Work by the copyright owner\n or by an individual or Legal Entity authorized to submit on behalf of\n the copyright owner. 
For the purposes of this definition, \"submitted\"\n means any form of electronic, verbal, or written communication sent\n to the Licensor or its representatives, including but not limited to\n communication on electronic mailing lists, source code control systems,\n and issue tracking systems that are managed by, or on behalf of, the\n Licensor for the purpose of discussing and improving the Work, but\n excluding communication that is conspicuously marked or otherwise\n designated in writing by the copyright owner as \"Not a Contribution.\"\n\n \"Contributor\" shall mean Licensor and any individual or Legal Entity\n on behalf of whom a Contribution has been received by Licensor and\n subsequently incorporated within the Work.\n\n 2. Grant of Copyright License. Subject to the terms and conditions of\n this License, each Contributor hereby grants to You a perpetual,\n worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n copyright license to reproduce, prepare Derivative Works of,\n publicly display, publicly perform, sublicense, and distribute the\n Work and such Derivative Works in Source or Object form.\n\n 3. Grant of Patent License. Subject to the terms and conditions of\n this License, each Contributor hereby grants to You a perpetual,\n worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n (except as stated in this section) patent license to make, have made,\n use, offer to sell, sell, import, and otherwise transfer the Work,\n where such license applies only to those patent claims licensable\n by such Contributor that are necessarily infringed by their\n Contribution(s) alone or by combination of their Contribution(s)\n with the Work to which such Contribution(s) was submitted. 
If You\n institute patent litigation against any entity (including a\n cross-claim or counterclaim in a lawsuit) alleging that the Work\n or a Contribution incorporated within the Work constitutes direct\n or contributory patent infringement, then any patent licenses\n granted to You under this License for that Work shall terminate\n as of the date such litigation is filed.\n\n 4. Redistribution. You may reproduce and distribute copies of the\n Work or Derivative Works thereof in any medium, with or without\n modifications, and in Source or Object form, provided that You\n meet the following conditions:\n\n (a) You must give any other recipients of the Work or\n Derivative Works a copy of this License; and\n\n (b) You must cause any modified files to carry prominent notices\n stating that You changed the files; and\n\n (c) You must retain, in the Source form of any Derivative Works\n that You distribute, all copyright, patent, trademark, and\n attribution notices from the Source form of the Work,\n excluding those notices that do not pertain to any part of\n the Derivative Works; and\n\n (d) If the Work includes a \"NOTICE\" text file as part of its\n distribution, then any Derivative Works that You distribute must\n include a readable copy of the attribution notices contained\n within such NOTICE file, excluding those notices that do not\n pertain to any part of the Derivative Works, in at least one\n of the following places: within a NOTICE text file distributed\n as part of the Derivative Works; within the Source form or\n documentation, if provided along with the Derivative Works; or,\n within a display generated by the Derivative Works, if and\n wherever such third-party notices normally appear. The contents\n of the NOTICE file are for informational purposes only and\n do not modify the License. 
You may add Your own attribution\n notices within Derivative Works that You distribute, alongside\n or as an addendum to the NOTICE text from the Work, provided\n that such additional attribution notices cannot be construed\n as modifying the License.\n\n You may add Your own copyright statement to Your modifications and\n may provide additional or different license terms and conditions\n for use, reproduction, or distribution of Your modifications, or\n for any such Derivative Works as a whole, provided Your use,\n reproduction, and distribution of the Work otherwise complies with\n the conditions stated in this License.\n\n 5. Submission of Contributions. Unless You explicitly state otherwise,\n any Contribution intentionally submitted for inclusion in the Work\n by You to the Licensor shall be under the terms and conditions of\n this License, without any additional terms or conditions.\n Notwithstanding the above, nothing herein shall supersede or modify\n the terms of any separate license agreement you may have executed\n with Licensor regarding such Contributions.\n\n 6. Trademarks. This License does not grant permission to use the trade\n names, trademarks, service marks, or product names of the Licensor,\n except as required for reasonable and customary use in describing the\n origin of the Work and reproducing the content of the NOTICE file.\n\n 7. Disclaimer of Warranty. Unless required by applicable law or\n agreed to in writing, Licensor provides the Work (and each\n Contributor provides its Contributions) on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n implied, including, without limitation, any warranties or conditions\n of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n PARTICULAR PURPOSE. You are solely responsible for determining the\n appropriateness of using or redistributing the Work and assume any\n risks associated with Your exercise of permissions under this License.\n\n 8. 
Limitation of Liability. In no event and under no legal theory,\n whether in tort (including negligence), contract, or otherwise,\n unless required by applicable law (such as deliberate and grossly\n negligent acts) or agreed to in writing, shall any Contributor be\n liable to You for damages, including any direct, indirect, special,\n incidental, or consequential damages of any character arising as a\n result of this License or out of the use or inability to use the\n Work (including but not limited to damages for loss of goodwill,\n work stoppage, computer failure or malfunction, or any and all\n other commercial damages or losses), even if such Contributor\n has been advised of the possibility of such damages.\n\n 9. Accepting Warranty or Additional Liability. While redistributing\n the Work or Derivative Works thereof, You may choose to offer,\n and charge a fee for, acceptance of support, warranty, indemnity,\n or other liability obligations and/or rights consistent with this\n License. 
However, in accepting such obligations, You may act only\n on Your own behalf and on Your sole responsibility, not on behalf\n of any other Contributor, and only if You agree to indemnify,\n defend, and hold each Contributor harmless for any liability\n incurred by, or claims asserted against, such Contributor by reason\n of your accepting any such warranty or additional liability.\n\n END OF TERMS AND CONDITIONS","Hash":[89,137,156,96,145,181,64,88,46,214,23,232,238,170,196,145,157,201,133,204,252,53,69,158,233,117,43,105,155,229,32,91]},{"Name":"juniper_severity","Type":"resource","AdditionalInfo":{"VersionNumber":1,"ResourceName":"juniper_severity","Description":"Juniper severity details","Size":690,"Labels":["juniper"]},"Hash":[179,176,210,235,118,82,85,167,116,242,184,3,68,37,181,95,89,185,6,93,209,189,155,242,19,214,145,203,41,95,173,49]},{"Name":"juniper_facility","Type":"resource","AdditionalInfo":{"VersionNumber":1,"ResourceName":"juniper_facility","Description":"Juniper facility details","Size":995,"Labels":["juniper"]},"Hash":[65,130,20,252,218,240,61,124,202,154,52,103,21,74,11,252,241,212,64,255,96,117,21,176,166,46,215,4,12,253,64,176]},{"Name":"JUNIPER_TAG","Type":"macro","AdditionalInfo":{"Name":"JUNIPER_TAG","Description":"Set juniper tag name","Expansion":"juniper"},"Hash":[201,235,218,145,49,181,109,45,195,9,72,172,253,170,205,71,187,216,125,98,242,200,6,24,29,124,101,13,142,18,1,93]},{"Name":"378e7a2e-5365-41f8-b06b-42c058fb7c28","Type":"dashboard","AdditionalInfo":{"UUID":"378e7a2e-5365-41f8-b06b-42c058fb7c28","Name":"Juniper Overview","Description":"Overview of Juniper alarms and user logins"},"Hash":[30,207,92,7,66,25,16,231,166,251,220,172,177,80,121,204,13,49,64,82,2,141,34,64,107,124,46,252,17,72,116,189]},{"Name":"d72f19f8-59cc-49b4-a927-9aca7c350a8f","Type":"dashboard","AdditionalInfo":{"UUID":"d72f19f8-59cc-49b4-a927-9aca7c350a8f","Name":"Juniper User Overview","Description":"Overview of user commands, configuration changes, and 
logins"},"Hash":[56,252,61,9,163,97,197,50,141,215,141,144,62,180,4,231,7,237,3,96,188,155,251,180,73,24,138,6,146,216,14,132]},{"Name":"47783453-d543-4d32-8718-1a82cedf8717","Type":"dashboard","AdditionalInfo":{"UUID":"47783453-d543-4d32-8718-1a82cedf8717","Name":"Juniper User Detail","Description":"Overview of user commands, configuration changes, and logins by username"},"Hash":[13,39,92,68,101,131,156,3,93,164,119,48,41,253,233,148,227,64,169,11,179,57,128,182,152,143,167,178,18,140,7,245]},{"Name":"ac407515-ab46-4f78-862a-ffa6dc7934a5","Type":"template","AdditionalInfo":{"UUID":"ac407515-ab46-4f78-862a-ffa6dc7934a5","Name":"Juniper Config Set","Description":"Display configuration set per user, hostname"},"Hash":[76,158,224,176,55,210,217,152,214,87,50,192,135,152,154,83,223,202,194,29,217,90,124,216,232,66,97,32,152,212,21,155]},{"Name":"e8e18d4a-50a5-4481-9546-1b53b6410b4f","Type":"template","AdditionalInfo":{"UUID":"e8e18d4a-50a5-4481-9546-1b53b6410b4f","Name":"Juniper User Commands","Description":"Display executed commands per user, hostname"},"Hash":[160,177,74,56,212,255,157,225,25,49,66,245,185,207,67,54,176,211,191,64,6,161,226,49,180,44,214,37,48,61,53,28]},{"Name":"fc339912-7469-4071-ba07-604f2d998b34","Type":"template","AdditionalInfo":{"UUID":"fc339912-7469-4071-ba07-604f2d998b34","Name":"Juniper User Logins","Description":"Display logins per user, hostname"},"Hash":[225,57,53,244,62,216,98,30,195,228,11,64,69,63,157,201,7,82,51,236,119,238,173,146,48,158,158,25,168,237,128,110]},{"Name":"1f75573b-ab23-47dc-ab5f-81fb23507d4c","Type":"template","AdditionalInfo":{"UUID":"1f75573b-ab23-47dc-ab5f-81fb23507d4c","Name":"Juniper User Config Mode","Description":"Display users entering config mode per user, hostname"},"Hash":[100,42,12,111,59,202,217,158,208,95,113,179,181,148,28,37,222,17,14,87,254,18,129,209,33,208,27,153,115,165,93,20]},{"Name":"bcbdaa8e-2011-4d37-b096-9cd44ef2d859","Type":"searchlibrary","AdditionalInfo":{"Name":"Juniper Appname 
Count","Description":"Count by appname","Query":"tag=$JUNIPER_TAG ax Appname\r\n| eval len(Appname) \u003e 0 \r\n| stats count by Appname\r\n| sort by count desc \r\n| table Appname count\r\n","UUID":"bcbdaa8e-2011-4d37-b096-9cd44ef2d859"},"Hash":[211,40,213,40,189,116,183,244,199,152,188,94,189,14,219,140,210,74,153,20,35,81,160,102,77,149,178,163,162,240,102,85]},{"Name":"ac0a4c5d-8bd1-49a7-a102-de69de4269bc","Type":"searchlibrary","AdditionalInfo":{"Name":"Juniper Logins by Client Mode","Description":"Count logins by client mode","Query":"tag=$JUNIPER_TAG ax Appname==\"mgd\" Facility Hostname Message \n| regex -e Message `UI_LOGIN_EVENT\\:\\sUser\\s'(?P\u003cUser\u003e.+?)\\'\\slogin,\\sclass\\s\\'(?P\u003cclass\u003e.+?)\\'\\s.+ssh-connection\\s'(?P\u003csrc\u003e.+?)\\s.+,\\sclient-mode\\s\\'(?P\u003cclientMode\u003e.+?)\\'`\n| stats count by clientMode\n| chart count by clientMode","UUID":"ac0a4c5d-8bd1-49a7-a102-de69de4269bc"},"Hash":[76,105,204,233,85,113,118,130,247,96,199,103,194,199,127,184,96,198,252,243,151,154,164,161,239,125,120,17,20,65,4,168]},{"Name":"9b8c5a06-ae30-4939-9c4b-a6d88b3826e5","Type":"searchlibrary","AdditionalInfo":{"Name":"Juniper SSH Logins by User","Description":"Count SSH logins by user","Query":"tag=$JUNIPER_TAG ax Appname==\"mgd\" Facility Hostname Message \n| regex -e Message `UI_LOGIN_EVENT\\:\\sUser\\s'(?P\u003cUser\u003e.+?)\\'\\slogin,\\sclass\\s\\'(?P\u003cclass\u003e.+?)\\'\\s.+ssh-connection\\s'(?P\u003csrc\u003e.+?)\\s.+,\\sclient-mode\\s\\'(?P\u003cclientMode\u003e.+?)\\'`\n| stats count by User\n| chart count by User","UUID":"9b8c5a06-ae30-4939-9c4b-a6d88b3826e5"},"Hash":[90,130,21,11,160,143,3,127,244,188,49,47,123,205,22,31,162,107,91,95,212,139,223,134,9,184,129,1,1,253,161,251]},{"Name":"5488c73a-6629-4682-bbe1-4e2c608ab05d","Type":"searchlibrary","AdditionalInfo":{"Name":"Juniper Alarms","Description":"Detail alarms by set, class, reason","Query":"tag=$JUNIPER_TAG ax Appname==\"alarmd\" Facility==3 Hostname 
Message \n| regex -e Message `Alarm\\sset\\:\\s(?P\u003cAlarmSet\u003e.+?)(id=.,)?\\scolor=(?P\u003ccolor\u003e.+?)\\,\\sclass=(?P\u003cclass\u003e.+?)\\,\\sreason=(?P\u003creason\u003e.+?)$`\n|table TIMESTAMP Hostname AlarmSet color class reason","UUID":"5488c73a-6629-4682-bbe1-4e2c608ab05d"},"Hash":[248,156,233,213,38,41,248,164,181,193,45,152,138,46,77,0,29,151,215,140,159,206,184,0,197,183,84,96,142,137,129,106]},{"Name":"d3414597-ff13-40ee-8511-4c0016dadf8f","Type":"searchlibrary","AdditionalInfo":{"Name":"Juniper Alarms by Hostname","Description":"Count alarms by hostname","Query":"tag=$JUNIPER_TAG ax Appname==\"alarmd\" Facility==3 Hostname Message \n//| regex -e Message `Alarm\\sset\\:\\s(?P\u003cAlarmSet\u003e.+?)(id=.,)?\\scolor=(?P\u003ccolor\u003e.+?)\\,\\sclass=(?P\u003cclass\u003e.+?)\\,\\sreason=(?P\u003creason\u003e.+?)$`\n| stats count by Hostname\n| table Hostname count","UUID":"d3414597-ff13-40ee-8511-4c0016dadf8f"},"Hash":[58,76,22,51,22,76,127,48,32,229,130,123,206,171,100,186,91,74,122,227,216,44,163,193,21,90,196,11,88,14,88,44]},{"Name":"6af60afa-93d3-48fb-b07d-09637a2956d1","Type":"searchlibrary","AdditionalInfo":{"Name":"Juniper Alarms by Class","Description":"Count by alarm class","Query":"tag=$JUNIPER_TAG ax Appname==\"alarmd\" Facility==3 Hostname Message \n| regex -e Message `Alarm\\sset\\:\\s(?P\u003cAlarmSet\u003e.+?)(id=.,)?\\scolor=(?P\u003ccolor\u003e.+?)\\,\\sclass=(?P\u003cclass\u003e.+?)\\,\\sreason=(?P\u003creason\u003e.+?)$`\n| stats count by class\n| chart count by class","UUID":"6af60afa-93d3-48fb-b07d-09637a2956d1"},"Hash":[29,137,120,168,189,147,127,164,45,99,131,35,53,43,196,177,40,214,129,44,48,33,80,241,138,253,196,91,248,201,121,47]},{"Name":"296a5fe1-9da7-4c3e-83f1-3c1b34ba01d0","Type":"searchlibrary","AdditionalInfo":{"Name":"Juniper Alarms Count by Color","Description":"Count by alarm color","Query":"tag=$JUNIPER_TAG ax Appname==\"alarmd\" Facility==3 Hostname Message \n| regex -e Message 
`Alarm\\sset\\:\\s(?P\u003cAlarmSet\u003e.+?)(id=.,)?\\scolor=(?P\u003ccolor\u003e.+?)\\,\\sclass=(?P\u003cclass\u003e.+?)\\,\\sreason=(?P\u003creason\u003e.+?)$`\n| stats count by color\n|chart count by color","UUID":"296a5fe1-9da7-4c3e-83f1-3c1b34ba01d0"},"Hash":[116,223,2,5,231,105,234,93,194,248,49,70,86,129,109,250,237,115,196,64,250,80,82,14,74,245,253,111,212,185,127,168]},{"Name":"ff684d70-c08c-4071-8b1d-55e3dbce000c","Type":"searchlibrary","AdditionalInfo":{"Name":"Juniper Latest Configuration Changes","Description":"Display configuration changes per user","Query":"tag=$JUNIPER_TAG ax Appname Facility==22 Hostname Message\n| regex -e Message `User\\s\\'(?P\u003cUser\u003e.+?)\\'\\sset:\\s(?P\u003cChange\u003e.+)`\n| table TIMESTAMP User Change\n","UUID":"ff684d70-c08c-4071-8b1d-55e3dbce000c"},"Hash":[27,240,66,67,143,8,167,68,141,236,53,255,145,104,107,205,149,165,236,230,59,192,192,45,209,132,99,225,24,56,44,169]},{"Name":"a9c65b19-cedd-48c9-b0d5-5263720a9d3f","Type":"searchlibrary","AdditionalInfo":{"Name":"Juniper Command Count","Description":"Count by command","Query":"tag=$JUNIPER_TAG ax Appname Facility==\"4\" Hostname Message\n| lookup -r juniper_facility Facility facility_number (facility as facility_name facility_desc as facility_desc)\n| regex -e Message `as\\s(?P\u003cusername\u003e.+?)\\:\\scmd=\\'(?P\u003ccmd\u003e.+?)\\s(?P\u003ccmd_params\u003e.+)\\'`\n| stats count by cmd\n| chart count by cmd","UUID":"a9c65b19-cedd-48c9-b0d5-5263720a9d3f"},"Hash":[168,145,147,122,229,230,14,150,0,141,241,115,146,250,190,30,89,199,81,155,37,218,255,12,207,57,148,11,63,186,32,2]},{"Name":"adf0a4b5-b09e-4e6b-b036-395044b7235c","Type":"searchlibrary","AdditionalInfo":{"Name":"Juniper Failed Logins by Src","Description":"Count failed login attempts by source with a count of unique usernames and destinations","Query":"tag=$JUNIPER_TAG ax Severity != 6 Hostname Message ~ \"LOGIN\"\n| grep -e Message -i \"failed\"\n| $JUNIPER_LOGIN_HELPER\n| lookup -v -r 
juniper_logins_exclusion_list Username excluded_users\n| stats unique_count(Username) as UsernameCount unique_count(Hostname) as DestCount count by SrcIP\n| table SrcIP UsernameCount DestCount\n","UUID":"adf0a4b5-b09e-4e6b-b036-395044b7235c"},"Hash":[125,8,163,130,24,1,180,4,104,248,205,194,24,109,235,254,48,219,251,26,205,210,6,234,254,138,243,117,75,178,87,99]},{"Name":"036554e6-bcfd-4c92-aeca-ab69a508da4a","Type":"searchlibrary","AdditionalInfo":{"Name":"Juniper Latest Commands","Description":"Display commands per user, hostname","Query":"tag=$JUNIPER_TAG ax Appname Facility==\"4\" Hostname Message\n| lookup -r juniper_facility Facility facility_number (facility as facility_name facility_desc as facility_desc)\n| regex -e Message `as\\s(?P\u003cUser\u003e.+?)\\:\\scmd=\\'(?P\u003ccmd\u003e.+?)\\'`\n| table TIMESTAMP Hostname User cmd","UUID":"036554e6-bcfd-4c92-aeca-ab69a508da4a"},"Hash":[212,16,182,64,46,67,251,6,224,99,53,221,81,48,217,238,5,180,75,155,186,83,53,159,229,240,36,80,176,146,213,98]},{"Name":"50b1a3c8-8af2-4c07-85a9-efcf73b5de01","Type":"searchlibrary","AdditionalInfo":{"Name":"Juniper Failed Logins by Destination","Description":"Count failed login attempts by destination with a count of unique usernames and sources","Query":"tag=$JUNIPER_TAG ax Severity != 6 Hostname Message ~ \"LOGIN\"\n| grep -e Message -i \"failed\"\n| $JUNIPER_LOGIN_HELPER\n| lookup -v -r juniper_logins_exclusion_list Username excluded_users\n| stats unique_count(Username) as UsernameCount unique_count(SrcIP) as SourceCount count by Hostname\n| table Hostname UsernameCount SourceCount\n","UUID":"50b1a3c8-8af2-4c07-85a9-efcf73b5de01"},"Hash":[5,216,99,165,120,174,18,15,211,34,133,97,224,127,214,34,123,200,67,61,118,161,40,216,238,80,39,47,46,121,26,48]},{"Name":"a8d0fb86-f16d-4234-948c-99cfaaf82e1e","Type":"searchlibrary","AdditionalInfo":{"Name":"Juniper Configuration Changes by Hostname","Description":"Count configuration changes by hostname","Query":"tag=$JUNIPER_TAG ax Appname 
Facility==22 Hostname Message\n| regex -e Message `User\\s\\'(?P\u003cUser\u003e.+?)\\'\\sset:\\s(?P\u003cChange\u003e.+)`\n| stats count by Hostname\n| chart count by Hostname","UUID":"a8d0fb86-f16d-4234-948c-99cfaaf82e1e"},"Hash":[208,80,142,29,230,233,6,250,66,150,40,161,238,84,189,4,152,89,161,100,136,88,156,60,85,9,36,121,116,31,26,198]},{"Name":"ba4b0623-efa6-4986-b214-7b9a6f1b324c","Type":"searchlibrary","AdditionalInfo":{"Name":"Juniper Configuration Errors","Description":"Display configuration errors by hostname","Query":"tag=$JUNIPER_TAG ax Appname Facility==\"21\" Hostname Message\r\n| table TIMESTAMP Hostname Message","UUID":"ba4b0623-efa6-4986-b214-7b9a6f1b324c"},"Hash":[240,212,125,151,251,14,132,138,243,129,56,161,237,218,194,50,39,226,89,224,160,16,160,13,227,104,101,186,111,114,138,109]},{"Name":"bb6fe9e0-95bd-4bf4-b3ad-b28d30de9455","Type":"searchlibrary","AdditionalInfo":{"Name":"Juniper Facility Count","Description":"Count by logging facility","Query":"tag=$JUNIPER_TAG ax Appname Facility Hostname\n| lookup -r juniper_facility Facility facility_number (facility as Facility_Name facility_desc as Facility_Description)\n| stats count by Facility\n| table Facility Facility_Name Facility_Description count","UUID":"bb6fe9e0-95bd-4bf4-b3ad-b28d30de9455"},"Hash":[234,151,151,21,64,168,110,172,47,73,159,220,33,25,182,236,69,145,181,92,17,174,141,128,167,26,61,41,40,24,46,20]},{"Name":"b2826d6b-fd48-4f95-9fe9-4fea062fb878","Type":"searchlibrary","AdditionalInfo":{"Name":"Juniper SSH Logins","Description":"Detail SSH logins by user and unique source","Query":"tag=$JUNIPER_TAG ax Appname==\"sshd\" Facility==\"4\" Hostname Message\n| grep -e Message \"Accepted password for\"\n| lookup -r juniper_facility Facility facility_number (facility as facility_name facility_desc as facility_desc)\n| regex -e Message `for\\s(?P\u003cuser\u003e.+?)\\sfrom\\s(?P\u003csrc\u003e.+?)\\s`\n| stats unique_count(src) as src_count count by user\n| table user src_count 
count","UUID":"b2826d6b-fd48-4f95-9fe9-4fea062fb878"},"Hash":[141,29,26,116,37,216,29,157,229,109,6,253,39,76,191,34,181,103,123,100,79,119,207,238,19,61,126,165,139,221,143,24]},{"Name":"95dcd4cb-adbf-4afb-8fe2-c3e74653618b","Type":"searchlibrary","AdditionalInfo":{"Name":"Juniper Count by SSH Login User ","Description":"Count SSH login by user","Query":"tag=$JUNIPER_TAG ax Appname==\"sshd\" Facility==\"4\" Hostname Message\n| grep -e Message \"Accepted password for\"\n| lookup -r juniper_facility Facility facility_number (facility as facility_name facility_desc as facility_desc)\n| regex -e Message `for\\s(?P\u003cuser\u003e.+?)\\sfrom\\s(?P\u003csrc\u003e.+?)\\s`\n| stats count by user\n| chart count by user","UUID":"95dcd4cb-adbf-4afb-8fe2-c3e74653618b"},"Hash":[134,196,223,237,239,200,139,80,13,214,230,189,179,34,235,48,178,138,36,56,6,83,237,83,31,46,193,195,126,67,14,141]},{"Name":"ef504c00-74a0-4421-9d29-7c8693d3332d","Type":"searchlibrary","AdditionalInfo":{"Name":"Juniper Alarms Overview","Description":"Count alarm by hostname, alarm set, color, class, reason","Query":"tag=$JUNIPER_TAG ax Appname==\"alarmd\" Facility==3 Hostname Message\n| regex -e Message `Alarm\\sset\\:\\s(?P\u003cAlarmSet\u003e.+?)(id=.,)?\\scolor=(?P\u003cColor\u003e.+?)\\,\\sclass=(?P\u003cClass\u003e.+?)\\,\\sreason=(?P\u003cReason\u003e.+?)$`\n//| printf -e AlarmInfo \"%v::%v::%v\" AlarmSet Color Class\n| stats count as Count by Hostname AlarmSet Color Class Reason\n| sort by Count desc\n| table Count Hostname AlarmSet Color Class Reason","UUID":"ef504c00-74a0-4421-9d29-7c8693d3332d"},"Hash":[204,210,121,131,255,186,211,179,75,89,111,26,70,231,189,55,17,104,40,181,35,85,113,151,82,204,109,148,128,171,68,154]},{"Name":"5615a9ac-75e6-44c0-b497-bc3d6047dd28","Type":"searchlibrary","AdditionalInfo":{"Name":"Juniper Alarms by Set","Description":"Count by alarm set","Query":"tag=$JUNIPER_TAG ax Appname==\"alarmd\" Facility==3 Hostname Message \n| regex -e Message 
`Alarm\\sset\\:\\s(?P\u003cAlarmSet\u003e.+?)(\\sid=.,)?\\scolor=(?P\u003ccolor\u003e.+?)\\,\\sclass=(?P\u003cclass\u003e.+?)\\,\\sreason=(?P\u003creason\u003e.+?)$`\n| stats count by AlarmSet\n| table AlarmSet count","UUID":"5615a9ac-75e6-44c0-b497-bc3d6047dd28"},"Hash":[177,108,162,189,90,214,86,4,9,94,69,26,212,247,108,182,219,0,229,66,14,47,174,207,196,241,29,145,31,4,99,183]},{"Name":"009150bf-c165-4b08-a45d-24cd7807f99e","Type":"file","AdditionalInfo":{"UUID":"009150bf-c165-4b08-a45d-24cd7807f99e","Name":"thomas-jensen-plL_yZ7vuxM-unsplash.jpg","Description":"Cover for Juniper Kit","Size":40441,"ContentType":"image/jpeg"},"Hash":[113,250,145,237,28,109,196,86,189,129,10,73,2,138,216,5,111,199,51,19,102,242,119,244,103,7,70,164,179,96,138,176]},{"Name":"11507305-19a0-44bd-9543-9792f5e6381c","Type":"file","AdditionalInfo":{"UUID":"11507305-19a0-44bd-9543-9792f5e6381c","Name":"thomas-jensen-plL_yZ7vuxM-unsplash.jpg","Description":"Banner for Juniper Kit","Size":40441,"ContentType":"image/jpeg"},"Hash":[121,100,142,228,190,67,101,185,76,162,36,108,142,82,3,158,213,193,102,221,190,223,42,253,107,81,100,46,204,59,177,202]},{"Name":"7d0f2703-12a2-426e-b519-b5bf640330b7","Type":"file","AdditionalInfo":{"UUID":"7d0f2703-12a2-426e-b519-b5bf640330b7","Name":"banner file for kit build \"Juniper v1\"","Description":"","Size":40441,"ContentType":"image/jpeg"},"Hash":[110,223,46,180,56,89,168,28,35,90,116,106,221,229,85,9,162,16,156,190,38,160,81,63,3,175,97,78,208,122,107,66]},{"Name":"11b69e21-c906-4c76-894b-22cd0c503ab5","Type":"file","AdditionalInfo":{"UUID":"11b69e21-c906-4c76-894b-22cd0c503ab5","Name":"icon file for kit build \"Juniper v1\"","Description":"","Size":40441,"ContentType":"image/jpeg"},"Hash":[36,77,246,190,189,48,128,161,177,101,56,121,68,255,85,110,189,32,113,219,148,100,81,252,178,101,159,99,241,247,77,17]},{"Name":"b56a0767-8259-4591-ba1d-ad56f51bd06a","Type":"file","AdditionalInfo":{"UUID":"b56a0767-8259-4591-ba1d-ad56f51bd06a","Name":"cover file for 
kit build \"Juniper v1\"","Description":"","Size":40441,"ContentType":"image/jpeg"},"Hash":[248,16,41,66,241,49,243,17,25,140,131,105,15,165,7,50,194,255,95,210,252,190,130,246,223,140,2,36,193,206,79,13]},{"Name":"21984059-3c42-4a69-ae50-de84c7ab3fbc","Type":"playbook","AdditionalInfo":{"UUID":"21984059-3c42-4a69-ae50-de84c7ab3fbc","Name":"Juniper Kit","Description":"Resources for understanding Juniper log data"},"Hash":[16,34,237,193,239,98,244,25,73,12,53,0,243,152,206,74,214,253,226,250,130,21,165,93,118,189,6,56,91,206,105,17]},{"Name":"juniper_tag","Type":"autoextractor","AdditionalInfo":{"name":"juniper_tag","desc":"syslog extraction for tag juniper","module":"syslog","tag":"juniper"},"Hash":[127,16,145,169,29,135,72,99,190,207,195,40,69,75,246,25,130,168,154,1,92,168,130,71,186,169,57,226,129,145,158,253]},{"Name":"026c2c1b-7945-4efe-8fd1-bd3a5f18a57c","Type":"searchlibrary","AdditionalInfo":{"Name":"Juniper Login Count by Hostname","Description":"Count logins by hostname","Query":"tag=$JUNIPER_TAG ax Appname==\"mgd\" Facility Hostname Message \r\n| stats count by Hostname\r\n| table Hostname count","UUID":"026c2c1b-7945-4efe-8fd1-bd3a5f18a57c"},"Hash":[229,251,184,39,129,6,233,127,73,123,17,0,142,100,245,14,134,18,91,4,236,69,12,56,208,123,229,186,1,118,152,37]},{"Name":"3fd2c70a-099a-409e-9e9b-c41c16c0a014","Type":"searchlibrary","AdditionalInfo":{"Name":"Juniper Logins","Description":"List of user logins","Query":"tag=$JUNIPER_TAG ax Appname==\"mgd\" Facility Hostname Message \r\n| regex -e Message `UI_LOGIN_EVENT\\:\\sUser\\s'(?P\u003cUser\u003e.+?)\\'\\slogin,\\sclass\\s\\'(?P\u003cclass\u003e.+?)\\'\\s.+ssh-connection\\s'(?P\u003csrc\u003e.+?)\\s.+,\\sclient-mode\\s\\'(?P\u003cclientMode\u003e.+?)\\'`\r\n| table TIMESTAMP Hostname User src 
clientMode","UUID":"3fd2c70a-099a-409e-9e9b-c41c16c0a014"},"Hash":[91,248,14,127,102,216,109,148,147,251,54,36,199,196,51,56,229,211,224,215,215,145,138,237,171,48,216,121,170,234,172,12]},{"Name":"juniper_logins_exclusion_list","Type":"resource","AdditionalInfo":{"VersionNumber":1,"ResourceName":"juniper_logins_exclusion_list","Description":"List of users to exclude from \"Juniper Logins\" [excluded_users]","Size":17,"Labels":null},"Hash":[6,180,113,235,238,112,178,100,43,30,235,40,9,212,91,249,103,64,89,122,81,234,128,58,175,213,180,98,127,68,199,95]},{"Name":"JUNIPER_LOGIN_HELPER","Type":"macro","AdditionalInfo":{"Name":"JUNIPER_LOGIN_HELPER","Description":"Regular expression extractions for Juniper logs where the event_name EV contains \"LOGIN\"","Expansion":"regex -e Message `^(?P\u003cEvent_Name\u003e[0-9A-Z_]+?):`\n| regex -p -e Message `[Uu]ser\\s(\\')*(?P\u003cUsername\u003e.*?)(\\')*(\\s|from|$)`\n| regex -p -e Message `,\\sclass\\s\\'(?P\u003cUser_Class\u003e.*?)\\'`\n| regex -p -e Message `,\\sclient\\-mode\\s\\'(?P\u003cClient_Mode\u003e.*?)\\'`\n| regex -p -e Message `(\\'|from\\shost\\s)(?P\u003cSrcIP\u003e[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+)(\\s|\\')*`\n| eval if (Event_Name == \"UI_DBASE_LOGIN_EVENT\") {Client_Mode = \"config_mode\";}\n| eval if (Event_Name == \"SSHD_LOGIN_FAILED\") {Client_Mode = \"ssh\";}"},"Hash":[245,35,124,191,31,166,117,126,214,196,45,3,119,3,225,88,73,196,6,107,114,11,109,202,246,122,235,245,33,163,122,82]}],"ConfigMacros":[{"MacroName":"JUNIPER_TAG","Description":"Set juniper tag name","DefaultValue":"juniper","Value":"","Type":"STRING","InstalledByID":""}]},{"ID":"io.gravwell.corelight","Name":"Gravwell Corelight","UUID":"9f9751fd-41af-4a27-9fe7-b1cb8603968a","Version":9,"Description":"The Gravwell Corelight Kit provides a baseline set of queries, dashboards, templates, and investigative resources for JSON logs originating from Corelight 
devices.","Readme":"","Signed":true,"AdminRequired":false,"MinVersion":{"Major":5,"Minor":4,"Point":2},"MaxVersion":{"Major":0,"Minor":0,"Point":0},"Size":1967616,"Created":"2025-06-09T22:57:38.697832036Z","Ingesters":["simplerelay"],"Tags":["corelight"],"Assets":[{"Type":"image","Source":"corelight-cover.png","Legend":"Corelight","Featured":true,"Banner":false},{"Type":"image","Source":"corelight-banner.png","Legend":"Banner Image","Featured":true,"Banner":true},{"Type":"readme","Source":"README.md","Legend":"","Featured":false,"Banner":false}],"Dependencies":[{"ID":"io.gravwell.networkenrichment","MinVersion":6},{"ID":"io.gravwell.gravwell","MinVersion":7}],"Items":[{"Name":"36e50b20-9679-4285-a4a4-69da6d94de5e","Type":"template","AdditionalInfo":{"UUID":"36e50b20-9679-4285-a4a4-69da6d94de5e","Name":"Corelight SMB Share types for IP","Description":""},"Hash":[155,246,21,226,102,236,195,77,111,191,223,47,215,88,241,159,50,219,122,244,113,118,42,232,117,49,106,113,71,158,225,47]},{"Name":"c059cce0-c934-49a5-ace1-fb55b61a2425","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight HTTP Unusual HTTP Methods","Description":"A table of info for requests with unusual HTTP request methods","Query":"tag=corelight_http ax\n| regex -v -e method \"^-|GET|HEAD|POST|PUT|DELETE|CONNECT|OPTIONS|PATCH|TRACE$\"\n| table \"id.orig_h\" \"id.resp_h\" method uri","UUID":"c059cce0-c934-49a5-ace1-fb55b61a2425"},"Hash":[177,171,75,173,59,41,225,90,23,167,9,23,47,124,239,71,153,207,233,40,109,112,167,113,102,67,48,30,131,109,109,45]},{"Name":"d11919a4-aeb7-4fe1-b0f3-8ee7c221c7ba","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight HTTP Internal Server Error Counts","Description":"Count of internal Server Errors per host","Query":"tag=corelight_http ax status_msg==500 | stats count by host | table host 
count","UUID":"d11919a4-aeb7-4fe1-b0f3-8ee7c221c7ba"},"Hash":[71,64,160,143,61,106,130,162,197,10,83,253,39,178,224,62,19,91,184,101,198,207,45,12,182,242,128,221,28,245,60,85]},{"Name":"5acdbd6a-5a44-4cff-9506-c234bf90ae58","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight DNS Most Common SLDs","Description":"","Query":"tag=corelight_dns ax | regex -e query \"(?P\u003csld\u003e\\w+\\.\\w+\\s*$)\" | stats count by sld | sort by count desc | limit 100 | table sld count","UUID":"5acdbd6a-5a44-4cff-9506-c234bf90ae58"},"Hash":[11,64,8,81,210,41,49,215,191,91,1,213,221,167,29,114,137,57,97,70,19,219,116,186,102,38,91,202,36,46,5,46]},{"Name":"b9eeb6a1-4eb9-473e-a1b1-a8d95c0901be","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight All Modbus","Description":"","Query":"tag=corelight_modbus ax | table","UUID":"b9eeb6a1-4eb9-473e-a1b1-a8d95c0901be"},"Hash":[174,191,154,158,114,67,58,61,180,166,126,107,99,233,117,128,212,134,5,152,94,20,151,95,48,137,171,31,107,4,65,240]},{"Name":"ba1ff896-b6a8-4142-bdde-ae72d70e830c","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight SSH Successful Login Map","Description":"Map of successful logins via SSH","Query":"tag=corelight_ssh ax auth_success==\"true\" | alias \"id.orig_h\" client | stats count by client | geoip client.Location | pointmap client count","UUID":"ba1ff896-b6a8-4142-bdde-ae72d70e830c"},"Hash":[58,55,2,149,85,228,48,41,61,204,137,81,194,196,15,220,148,6,229,170,8,152,105,135,136,46,130,31,34,156,131,246]},{"Name":"2ac40296-4313-4329-8be1-579e996390e1","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight Potential Port Scans","Description":"Potential port scans as seen by the Corelight conn log","Query":"tag=corelight_conn ax \"id.orig_h\" \"id.resp_h\" \"id.resp_p\" |\nstats unique_count(\"id.resp_p\") by \"id.orig_h\" \"id.resp_h\" |\neval unique_count \u003e 64 |\ngeoip \"id.orig_h\".Country \"id.orig_h\".City |\ntable \"id.orig_h\" Country City \"id.resp_h\" unique_count 
TIMESTAMP","UUID":"2ac40296-4313-4329-8be1-579e996390e1"},"Hash":[90,102,4,42,29,109,176,200,65,142,13,248,34,205,81,209,234,125,113,100,128,143,227,133,155,247,251,72,130,98,81,165]},{"Name":"281aa093-662f-4ed1-928e-b0befe993f29","Type":"file","AdditionalInfo":{"UUID":"281aa093-662f-4ed1-928e-b0befe993f29","Name":"bits icon","Description":"","Size":13937,"ContentType":"image/png"},"Hash":[74,83,4,125,59,14,193,126,36,237,177,161,129,146,183,15,48,199,92,93,6,117,120,225,178,79,22,128,232,77,74,138]},{"Name":"755f67e9-727c-4dbe-83f7-c2d0f1fd0767","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight All SMTP","Description":"","Query":"tag=corelight_smtp ax | table","UUID":"755f67e9-727c-4dbe-83f7-c2d0f1fd0767"},"Hash":[236,131,171,115,52,157,156,116,169,114,40,31,186,117,242,28,180,207,151,218,158,50,129,246,19,56,146,196,189,45,16,166]},{"Name":"cfc013bd-927e-464b-b647-cc26f19b5e4c","Type":"dashboard","AdditionalInfo":{"UUID":"cfc013bd-927e-464b-b647-cc26f19b5e4c","Name":"Corelight Investigate Responder Port","Description":"Investigate given responder port using the Corelight conn.log"},"Hash":[74,114,176,40,187,185,115,52,108,45,49,57,180,26,224,245,82,68,155,149,165,171,92,135,157,195,138,210,102,194,26,106]},{"Name":"e6c69caa-a8eb-4891-a386-70a127d31b3b","Type":"dashboard","AdditionalInfo":{"UUID":"e6c69caa-a8eb-4891-a386-70a127d31b3b","Name":"Corelight IP Investigation - AGG","Description":"IP Investigative Dashboard using Corelight Data"},"Hash":[31,135,28,49,111,58,50,221,213,35,246,136,19,86,0,166,236,99,191,77,157,154,53,214,97,162,140,85,82,54,130,145]},{"Name":"e0b2c0e3-046e-46f5-8148-7d7052ec637d","Type":"dashboard","AdditionalInfo":{"UUID":"e0b2c0e3-046e-46f5-8148-7d7052ec637d","Name":"Corelight Connection Overview - AGG","Description":"Basic overview of AGG connection data as seen by 
Corelight"},"Hash":[129,67,12,188,36,216,39,127,164,37,71,127,198,142,62,185,254,221,72,116,207,162,249,66,80,80,196,144,243,1,150,100]},{"Name":"afbba961-3b8e-4751-8d88-723e5885d747","Type":"dashboard","AdditionalInfo":{"UUID":"afbba961-3b8e-4751-8d88-723e5885d747","Name":"Corelight Investigate Responder Port - AGG","Description":"Investigate given responder port using the Corelight conn.log"},"Hash":[143,165,32,165,34,174,38,80,7,15,18,82,62,67,128,91,230,161,58,144,196,5,104,53,255,76,176,43,72,220,223,234]},{"Name":"af48171d-d848-4ee7-8d3b-e3da3cb893c1","Type":"dashboard","AdditionalInfo":{"UUID":"af48171d-d848-4ee7-8d3b-e3da3cb893c1","Name":"Corelight DNS Client Investigation - AGG","Description":""},"Hash":[98,130,255,35,143,49,62,245,217,29,177,75,1,154,109,8,190,247,175,129,102,10,91,199,238,126,35,227,57,69,120,251]},{"Name":"6d11957c-7090-4efe-a35b-293c21896c01","Type":"dashboard","AdditionalInfo":{"UUID":"6d11957c-7090-4efe-a35b-293c21896c01","Name":"Corelight HTTP - AGG","Description":""},"Hash":[215,115,146,243,142,239,251,122,179,6,42,137,241,21,124,84,83,19,80,54,59,62,213,41,117,177,99,61,191,183,234,161]},{"Name":"3928c5fe-affb-442f-a4fc-5a610ab8e50c","Type":"dashboard","AdditionalInfo":{"UUID":"3928c5fe-affb-442f-a4fc-5a610ab8e50c","Name":"Corelight DNS Overview - AGG","Description":""},"Hash":[111,26,50,159,15,43,220,247,192,238,76,170,195,63,233,12,22,236,194,19,78,124,139,139,68,19,196,32,155,232,87,213]},{"Name":"32fc7137-2fa4-4fad-a45b-fd54737bda2f","Type":"dashboard","AdditionalInfo":{"UUID":"32fc7137-2fa4-4fad-a45b-fd54737bda2f","Name":"Corelight DNS Domain Investigation - AGG","Description":""},"Hash":[235,217,247,112,127,216,142,104,222,233,27,25,19,51,16,179,30,87,228,49,187,152,65,17,206,131,115,93,242,153,61,11]},{"Name":"1bc67d4c-ec04-4a94-a559-e443c7b02204","Type":"dashboard","AdditionalInfo":{"UUID":"1bc67d4c-ec04-4a94-a559-e443c7b02204","Name":"Corelight Connection - Investigate IP - AGG","Description":"Investigation given IP using 
the Corelight conn.log"},"Hash":[133,252,61,102,4,93,1,105,114,244,80,77,203,117,94,91,1,142,114,146,0,88,203,212,247,137,147,26,248,169,169,79]},{"Name":"c22c294a-2eb3-4d1b-be1a-3ea8b076e3e0","Type":"dashboard","AdditionalInfo":{"UUID":"c22c294a-2eb3-4d1b-be1a-3ea8b076e3e0","Name":"Corelight DNS Domain Investigation","Description":""},"Hash":[237,95,135,240,119,16,209,242,241,162,160,49,36,143,77,161,140,219,81,143,197,113,163,196,244,121,50,81,228,36,221,250]},{"Name":"1afed318-3a62-4725-b6a5-3878b6432f09","Type":"dashboard","AdditionalInfo":{"UUID":"1afed318-3a62-4725-b6a5-3878b6432f09","Name":"Corelight IP Investigation","Description":"IP Investigative Dashboard using Corelight Data"},"Hash":[112,117,242,64,0,237,150,85,10,179,95,203,203,34,40,129,124,133,77,229,184,133,232,205,101,153,99,161,82,33,109,158]},{"Name":"9693c932-a2db-462e-8649-edd376acf611","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight Tunnel Unique Orig Host Count","Description":"A gauge displaying the count of unique orig hosts. 
Useful as a number card.","Query":"tag=corelight_tunnel ax |\ncount \"id.orig_h\" |\ngauge (count \"Unique Orig Hosts\")","UUID":"9693c932-a2db-462e-8649-edd376acf611"},"Hash":[6,63,216,129,170,125,178,170,196,179,53,128,248,120,43,44,36,29,231,128,165,184,147,175,27,111,149,167,250,134,53,203]},{"Name":"ccd51bbc-de55-4d51-b55c-bfc03d3cecf5","Type":"dashboard","AdditionalInfo":{"UUID":"ccd51bbc-de55-4d51-b55c-bfc03d3cecf5","Name":"Corelight DHCP Overview","Description":""},"Hash":[206,95,140,20,0,151,218,24,164,86,125,96,54,109,50,180,97,191,39,240,185,172,220,23,69,105,24,71,97,212,197,205]},{"Name":"60e32113-ce1e-4c1b-bb24-a0942e677ace","Type":"dashboard","AdditionalInfo":{"UUID":"60e32113-ce1e-4c1b-bb24-a0942e677ace","Name":"Corelight SSL/x509 Overview","Description":"Information about SSL connections and x509 certificates"},"Hash":[154,237,199,176,3,216,181,16,34,78,186,186,254,28,135,9,6,106,105,69,140,144,2,244,215,228,179,183,216,201,81,146]},{"Name":"cadf57d6-dbbf-4e17-9247-7b18e8179733","Type":"dashboard","AdditionalInfo":{"UUID":"cadf57d6-dbbf-4e17-9247-7b18e8179733","Name":"Corelight DNS Overview","Description":""},"Hash":[200,1,145,196,214,46,111,170,89,149,121,10,233,117,176,191,152,157,67,243,106,33,28,225,109,56,177,223,17,50,23,107]},{"Name":"63d581e8-82bf-445d-8c2f-f74bab70366b","Type":"dashboard","AdditionalInfo":{"UUID":"63d581e8-82bf-445d-8c2f-f74bab70366b","Name":"Corelight HTTP","Description":""},"Hash":[68,251,175,192,160,32,243,26,73,92,244,11,4,246,20,185,246,92,186,137,27,6,255,146,106,93,160,204,42,66,252,76]},{"Name":"6c3b608c-7e04-4b50-bf74-47231cabea65","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight DHCP unique client counts","Description":"Numbercard showing unique client counts for each DHCP server","Query":"tag=corelight_dhcp ax server_addr != - mac | stats unique_count(mac) as server by server_addr | numbercard 
server","UUID":"6c3b608c-7e04-4b50-bf74-47231cabea65"},"Hash":[19,162,15,33,215,89,170,60,134,242,154,75,68,148,219,167,137,11,94,135,225,179,203,66,254,208,121,151,253,166,17,152]},{"Name":"5e0531c7-1f5d-496b-814c-fa3f0664d42e","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight HTTP Password exposures","Description":"Table with exposed passwords in HTTP requests","Query":"tag=corelight_http ax password != - | table \"id.orig_h\" \"id.resp_h\" host uri username password info_code","UUID":"5e0531c7-1f5d-496b-814c-fa3f0664d42e"},"Hash":[14,181,9,70,238,201,132,147,81,145,77,14,92,246,56,119,87,92,242,31,109,192,59,218,235,63,236,45,86,43,240,38]},{"Name":"21debbd7-57cd-4697-a46d-05a922eed818","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight DNS round trip time mean, min, and max","Description":"Chart of round trip times on DNS","Query":"tag=corelight_dns ax qtype_name == A rtt!=- |\nstats mean(rtt) max(rtt) min(rtt) |\nchart min mean max","UUID":"21debbd7-57cd-4697-a46d-05a922eed818"},"Hash":[5,140,200,245,3,255,158,223,19,21,65,170,238,244,253,33,214,179,166,181,154,99,19,155,155,7,45,232,220,187,189,236]},{"Name":"756a41c4-c412-43bf-929c-095df4895472","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight SMB Client Map","Description":"","Query":"tag=corelight_smb* ax | unique \"id.orig_h\" | geoip \"id.orig_h\".Location | heatmap \"id.orig_h\"\n","UUID":"756a41c4-c412-43bf-929c-095df4895472"},"Hash":[160,227,50,138,134,247,50,78,169,238,232,147,45,16,114,209,36,209,23,166,174,65,172,160,120,41,138,49,55,157,203,148]},{"Name":"78a11be0-5ea0-4c67-b865-9e21466fd61d","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight DNS Totals","Description":"","Query":"tag=corelight_dns ax | stats unique_count(query) as \"Unique Queries\" count as \"Total Queries\" | gauge \"Unique Queries\" \"Total 
Queries\"","UUID":"78a11be0-5ea0-4c67-b865-9e21466fd61d"},"Hash":[117,180,64,78,250,47,54,199,142,28,216,195,52,203,243,172,228,152,99,184,59,135,162,165,29,94,123,222,224,99,93,74]},{"Name":"934af426-248e-4eef-953c-3b50a75efa79","Type":"pivot","AdditionalInfo":{"UUID":"934af426-248e-4eef-953c-3b50a75efa79","Name":"Corelight DNS FQDN/SLD combined actionables","Description":""},"Hash":[95,175,245,218,10,173,39,46,253,134,128,209,109,110,203,149,172,32,93,215,103,36,69,164,233,192,42,62,44,77,246,82]},{"Name":"f2803227-81ec-494c-a4c9-4c178d10f807","Type":"template","AdditionalInfo":{"UUID":"f2803227-81ec-494c-a4c9-4c178d10f807","Name":"Corelight DNS Clients Querying this Name","Description":""},"Hash":[121,124,223,181,4,9,241,58,166,251,17,100,78,134,11,221,182,173,110,125,241,19,158,50,185,217,178,77,12,200,24,102]},{"Name":"01e0af24-2e6d-4ea1-b0f7-88baf6aa1982","Type":"dashboard","AdditionalInfo":{"UUID":"01e0af24-2e6d-4ea1-b0f7-88baf6aa1982","Name":"Corelight SSH Overview","Description":"Overview of SSH activity using the corelight ssh.log"},"Hash":[237,23,207,19,121,139,248,105,130,22,111,160,14,43,220,220,111,219,201,169,85,187,185,70,20,201,99,225,200,93,97,100]},{"Name":"62e6ea73-3e8a-4b9a-9541-c77a47871bcd","Type":"dashboard","AdditionalInfo":{"UUID":"62e6ea73-3e8a-4b9a-9541-c77a47871bcd","Name":"Corelight Connection Overview","Description":"Basic overview of connection data as seen by Corelight"},"Hash":[232,20,1,134,27,0,100,45,10,76,226,10,62,193,166,124,10,34,159,167,173,116,172,37,182,38,26,136,4,220,247,172]},{"Name":"288dc72d-1de8-4bd1-9a5b-39cbf79d5d87","Type":"template","AdditionalInfo":{"UUID":"288dc72d-1de8-4bd1-9a5b-39cbf79d5d87","Name":"Corelight IP Service Usage","Description":"Aggregate count of connections by service as seen by 
Corelight"},"Hash":[186,69,24,79,233,38,239,250,203,197,150,70,215,93,3,84,9,11,119,205,195,116,89,2,207,85,24,8,129,196,222,130]},{"Name":"f05639fd-8a9a-4148-8d46-aa2646de4a91","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight Tunnel Orig Host Counts","Description":"Table showing the number of events for each orig host","Query":"tag=corelight_tunnel ax |\ncount by \"id.orig_h\" |\ntable \"id.orig_h\" count","UUID":"f05639fd-8a9a-4148-8d46-aa2646de4a91"},"Hash":[8,219,50,165,181,110,71,114,181,44,180,237,235,79,224,182,134,234,92,96,234,230,42,84,121,134,7,35,0,85,117,249]},{"Name":"7581f9ad-62f8-4dd4-9dfd-6f964f6a7c49","Type":"template","AdditionalInfo":{"UUID":"7581f9ad-62f8-4dd4-9dfd-6f964f6a7c49","Name":"Corelight All DNP3 for IP","Description":""},"Hash":[249,52,24,11,70,179,206,32,35,151,125,135,33,105,99,189,73,211,202,91,40,108,249,204,48,190,135,115,177,65,83,246]},{"Name":"95158f21-9b6c-40e1-9474-d2bd2e12beb5","Type":"template","AdditionalInfo":{"UUID":"95158f21-9b6c-40e1-9474-d2bd2e12beb5","Name":"Corelight All Files for IP","Description":""},"Hash":[233,12,210,105,58,106,148,16,193,50,167,127,113,221,178,226,118,209,212,165,181,113,230,143,114,138,189,142,87,146,19,43]},{"Name":"54f5d3ed-9d84-4908-8b15-a91c0c40b529","Type":"dashboard","AdditionalInfo":{"UUID":"54f5d3ed-9d84-4908-8b15-a91c0c40b529","Name":"Corelight SMB Overview","Description":"Windows fileshare activity"},"Hash":[241,249,116,25,220,136,176,0,79,131,93,166,109,134,195,113,219,100,109,233,99,246,58,24,77,0,180,27,195,224,25,247]},{"Name":"f8faf246-299e-49c1-976e-bdcae8beda11","Type":"dashboard","AdditionalInfo":{"UUID":"f8faf246-299e-49c1-976e-bdcae8beda11","Name":"Corelight DNS Client 
Investigation","Description":""},"Hash":[23,83,85,237,248,16,18,37,197,236,221,16,22,27,191,223,75,9,168,31,218,61,181,12,165,171,21,72,131,112,160,243]},{"Name":"c56219b1-d26b-4964-a8f6-b543b1b443ba","Type":"dashboard","AdditionalInfo":{"UUID":"c56219b1-d26b-4964-a8f6-b543b1b443ba","Name":"Corelight Tunnels Overview","Description":""},"Hash":[236,81,250,95,51,156,169,76,126,69,255,0,83,212,66,59,240,51,89,57,108,126,111,30,171,171,186,98,141,173,138,40]},{"Name":"b7f8c6a6-0047-433c-a54f-c6123322897e","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight Service Connection Reset Rates","Description":"Chart of connection reset rates by service as seen by Corelight","Query":"tag=corelight_conn ax conn_state ~ RST proto==tcp service |\nstats count by service |\nchart count by service","UUID":"b7f8c6a6-0047-433c-a54f-c6123322897e"},"Hash":[0,113,163,161,9,131,174,148,208,22,161,23,10,231,236,56,212,74,110,155,22,2,104,134,138,131,208,215,253,200,228,3]},{"Name":"3a988fcf-3ab8-41f1-973e-5aa7c8c250f2","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight SSL Version Chart","Description":"Display a chart of the SSL/TLS versions in use.","Query":"tag=corelight_ssl ax version!=\"-\" | stats count by version | chart count by version","UUID":"3a988fcf-3ab8-41f1-973e-5aa7c8c250f2"},"Hash":[121,38,45,17,25,60,11,102,32,91,152,185,217,196,183,115,16,63,247,93,93,16,37,168,150,166,249,15,21,94,220,53]},{"Name":"302f348f-a30d-4c2c-b9b0-d7e79c34dc75","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight DNS Requests by Host","Description":"","Query":"tag=corelight_dns ax | alias \"id.orig_h\" Host | stats count by Host | table Host count","UUID":"302f348f-a30d-4c2c-b9b0-d7e79c34dc75"},"Hash":[234,121,67,39,234,95,147,97,133,149,65,102,50,174,177,91,206,238,238,150,81,188,30,130,107,16,25,144,140,208,118,135]},{"Name":"1e103246-fd3f-4920-8f31-dbd03b5db4a1","Type":"searchlibrary","AdditionalInfo":{"Name":"Failed SSH Connections By Country \u0026 
Server","Description":"For each server, list the number of failed connections by originating country.","Query":"tag=corelight_ssh ax auth_success!=\"true\" | alias \"id.orig_h\" client \"id.resp_h\" server | geoip client.CountryName | stats count by CountryName server | table server CountryName count","UUID":"1e103246-fd3f-4920-8f31-dbd03b5db4a1"},"Hash":[163,242,44,76,250,171,162,170,182,105,249,76,154,230,222,133,24,255,47,180,142,106,165,97,231,163,205,100,103,1,54,11]},{"Name":"578c09b5-62f4-471f-8b1d-515afd021a2d","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight DNS Total Queries by Type","Description":"Numbercards showing the total number of queries by each time","Query":"tag=corelight_dns ax qtype_name | stats count by qtype_name | numbercard count","UUID":"578c09b5-62f4-471f-8b1d-515afd021a2d"},"Hash":[72,36,98,210,64,64,122,213,48,88,77,195,176,194,181,243,109,215,158,52,8,75,140,26,167,120,85,152,179,77,231,252]},{"Name":"b543c0e3-e785-408a-a8d8-b988fc5c9ef7","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight DHCP MAC Address Count","Description":"A gauge displaying the count of unique MAC addresses. 
Useful as a number card.","Query":"tag=corelight_dhcp ax |\nunique mac |\ncount mac |\ngauge (count \"Unique MAC Addresses\")","UUID":"b543c0e3-e785-408a-a8d8-b988fc5c9ef7"},"Hash":[48,13,70,227,227,186,208,89,242,226,143,113,120,209,226,112,30,238,131,243,188,255,81,12,4,22,128,78,168,0,41,227]},{"Name":"2f471f98-ace9-4cbe-80ae-1c589322dff9","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight SMB share types","Description":"","Query":"tag=corelight_smb_mapping ax | count by \"id.resp_h\" share_type | stackgraph \"id.resp_h\" share_type count","UUID":"2f471f98-ace9-4cbe-80ae-1c589322dff9"},"Hash":[168,83,159,204,245,238,65,208,208,124,71,232,237,224,156,160,178,155,198,1,31,4,64,241,8,160,17,8,244,35,116,126]},{"Name":"1ab5eb29-a19a-40d8-9f83-4004f0e65a1e","Type":"template","AdditionalInfo":{"UUID":"1ab5eb29-a19a-40d8-9f83-4004f0e65a1e","Name":"Corelight DNS Queries by Resource Record Type","Description":""},"Hash":[82,55,96,193,88,83,175,131,210,170,17,103,127,239,36,54,73,26,74,110,242,218,202,136,124,240,7,246,29,163,226,203]},{"Name":"45796b77-9662-4fed-8112-36fec41e726e","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight All Files","Description":"files.log","Query":"tag=corelight_files ax | table","UUID":"45796b77-9662-4fed-8112-36fec41e726e"},"Hash":[239,128,204,24,102,197,113,57,249,15,228,81,67,99,254,87,69,135,134,152,8,38,70,181,147,199,180,190,158,27,178,171]},{"Name":"44a5360e-4d80-4023-9e2d-a9dc68e44b78","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight Upload/Download Traffic Chart","Description":"Chart the upload and download traffic as seen by corelight","Query":"tag=corelight_conn ax orig_bytes!=\"-\" resp_bytes!=\"-\" service !=\"-\" |\nstats sum(orig_bytes) as upload sum(resp_bytes) as download |\nchart upload 
download","UUID":"44a5360e-4d80-4023-9e2d-a9dc68e44b78"},"Hash":[59,226,191,14,10,40,251,58,232,110,203,154,252,158,80,70,183,250,169,179,177,0,24,217,182,216,157,71,156,229,81,59]},{"Name":"3dd9493a-d9ed-4409-bacd-0e4de9af4f80","Type":"template","AdditionalInfo":{"UUID":"3dd9493a-d9ed-4409-bacd-0e4de9af4f80","Name":"Corelight service usage chart","Description":"Chart of service activity by IP as seen by Corelight"},"Hash":[65,221,110,156,60,10,254,130,8,201,172,206,100,196,196,74,101,189,50,231,182,30,149,125,13,233,78,102,230,158,219,243]},{"Name":"083bf129-022a-4471-ae7f-b84f9bb40f10","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight x509 Key Length/Type Counts","Description":"Table showing frequency of different x509 key types \u0026 key lengths.","Query":"tag=corelight_x509 ax | alias \"certificate.key_length\" key_length \"certificate.key_type\" key_type | stats count by key_length key_type | table key_type key_length count","UUID":"083bf129-022a-4471-ae7f-b84f9bb40f10"},"Hash":[83,180,202,80,64,55,56,133,213,34,50,27,167,173,220,140,118,201,133,106,191,116,233,246,143,240,66,142,240,88,145,31]},{"Name":"b278909a-ab84-4e0b-a619-25cdb9788251","Type":"dashboard","AdditionalInfo":{"UUID":"b278909a-ab84-4e0b-a619-25cdb9788251","Name":"Corelight UID Investigation","Description":"Show any records related to a given Corelight UID"},"Hash":[3,132,219,89,118,3,224,11,251,180,37,148,168,66,198,42,77,30,157,253,127,232,246,20,137,17,245,169,127,174,126,5]},{"Name":"a1bea73b-6046-43b8-b13e-66df119ac402","Type":"playbook","AdditionalInfo":{"UUID":"77d4d80a-ed39-4efe-8eb7-aa2fa869335f","Name":"Corelight Gravwell Kit","Description":"Corelight Overview Playbook"},"Hash":[152,136,109,160,68,40,167,221,181,158,17,188,57,8,245,189,240,225,247,134,31,201,51,141,143,214,69,143,218,85,213,38]},{"Name":"c7079f84-4202-452d-95b0-20c87bcd0d07","Type":"template","AdditionalInfo":{"UUID":"c7079f84-4202-452d-95b0-20c87bcd0d07","Name":"Corelight 10 most common service ports for 
IP","Description":"Table of the most commonly used service ports for an IP as seen by Corelight"},"Hash":[130,41,118,29,134,102,7,119,241,21,7,76,40,247,7,46,16,163,248,124,142,6,239,204,235,141,238,26,145,116,103,94]},{"Name":"1403f741-50f0-4099-b1cc-72eceac3c7a0","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight Connection Count Chart","Description":"Chart of total sessions as seen by Corelight","Query":"tag=corelight_conn stats count | chart count","UUID":"1403f741-50f0-4099-b1cc-72eceac3c7a0"},"Hash":[213,221,26,94,57,202,150,225,208,105,216,141,62,109,6,58,208,67,240,138,96,3,159,92,158,26,246,63,54,119,252,14]},{"Name":"e81de4fe-288e-429a-ac62-30c60cdcc6ab","Type":"file","AdditionalInfo":{"UUID":"e81de4fe-288e-429a-ac62-30c60cdcc6ab","Name":"Screenshot from 2020-10-05 14-13-49.png","Description":"Dashboard overview","Size":502524,"ContentType":"image/png"},"Hash":[95,87,234,143,55,197,57,174,184,83,123,181,110,173,241,232,146,55,196,249,158,86,43,184,16,70,250,247,150,69,178,67]},{"Name":"e27e16f5-5848-4477-82f5-b11a27ed35d2","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight All DHCP","Description":"","Query":"tag=corelight_dhcp ax | table","UUID":"e27e16f5-5848-4477-82f5-b11a27ed35d2"},"Hash":[149,200,233,205,27,18,23,141,220,73,143,24,96,174,220,28,152,101,60,133,232,247,171,54,69,31,149,176,231,8,130,6]},{"Name":"d3ce301b-a56f-47d0-8a76-33065ab04602","Type":"template","AdditionalInfo":{"UUID":"d3ce301b-a56f-47d0-8a76-33065ab04602","Name":"Corelight All SMTP for IP","Description":""},"Hash":[77,178,55,156,84,26,108,213,26,135,127,214,252,0,188,183,130,158,66,145,120,101,62,37,197,236,53,140,165,214,16,62]},{"Name":"c212315f-89b5-4db0-ac32-6b1ee86ef465","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight All SMB Mapping","Description":"","Query":"tag=corelight_smb_mapping ax | 
table","UUID":"c212315f-89b5-4db0-ac32-6b1ee86ef465"},"Hash":[59,31,183,191,236,182,44,87,211,166,126,229,157,129,244,145,141,185,209,47,224,226,62,252,64,201,154,87,158,180,38,182]},{"Name":"4d882ff0-d052-4999-8799-afc6b21e1fd2","Type":"template","AdditionalInfo":{"UUID":"4d882ff0-d052-4999-8799-afc6b21e1fd2","Name":"Corelight Associated Records","Description":"All records associated with a specific corelight flow"},"Hash":[81,44,220,185,17,134,246,166,121,251,63,57,189,228,131,229,170,242,30,36,224,101,9,130,5,165,62,30,236,36,63,179]},{"Name":"2d73a06e-1384-4b4b-9f84-55ee8c0b6e64","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight HTTP Most Requested Hosts","Description":"","Query":"tag=corelight_http ax | stats count by host | sort by count desc | table count host","UUID":"2d73a06e-1384-4b4b-9f84-55ee8c0b6e64"},"Hash":[87,116,93,78,121,49,171,22,200,183,52,35,136,112,35,92,114,118,242,67,45,97,142,87,34,136,168,108,143,236,171,116]},{"Name":"c4a880fe-dc54-4929-992a-8eaa81ef562a","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight HTTP OS Distribution","Description":"","Query":"tag=corelight_http ax \n| regex -e user_agent \"\\((?P\u003cOS\u003e[^\\)]*)\\)\" \n| count by OS \n| chart count by OS","UUID":"c4a880fe-dc54-4929-992a-8eaa81ef562a"},"Hash":[165,145,124,58,146,127,232,72,15,72,1,197,44,252,242,216,167,78,116,218,210,186,95,192,178,66,93,206,44,106,25,3]},{"Name":"ba8c3942-5106-4bda-9fb9-3c2294ecd7a3","Type":"template","AdditionalInfo":{"UUID":"ba8c3942-5106-4bda-9fb9-3c2294ecd7a3","Name":"Corelight SMB actions","Description":""},"Hash":[104,22,246,26,87,26,36,126,116,46,29,105,196,127,25,239,70,68,211,151,102,192,251,140,128,229,214,37,10,140,212,162]},{"Name":"598a46fe-0704-430f-9fe5-a73ba1f579b9","Type":"template","AdditionalInfo":{"UUID":"598a46fe-0704-430f-9fe5-a73ba1f579b9","Name":"Corelight Connection activity for IP","Description":"Chart of connection activity for a given IP as seen by 
Corelight"},"Hash":[134,61,234,109,43,230,59,7,67,249,85,170,57,199,98,70,101,241,41,6,159,216,119,154,118,69,202,162,237,61,5,126]},{"Name":"0815e5c9-e2f5-4a3e-9076-a72a39908c76","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight DNS Server counts","Description":"Table of DNS Servers in use and their respective counts","Query":"tag=corelight_dns ax \"id.resp_h\" | stats count by \"id.resp_h\" | geoip -r asn_db \"id.resp_h\".ASNOrg | table \"id.resp_h\" ASNOrg count","UUID":"0815e5c9-e2f5-4a3e-9076-a72a39908c76"},"Hash":[61,95,17,168,96,87,48,99,197,205,8,43,107,249,89,27,238,57,169,137,26,173,255,73,120,51,186,55,251,91,24,100]},{"Name":"b7a120b4-4b44-4faa-aebc-5aea31041cf4","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight DNS TXT Records","Description":"DNS TXT Records","Query":"tag=corelight_dns ax qtype == 16 | alias query Name answers Payload | table Name Payload","UUID":"b7a120b4-4b44-4faa-aebc-5aea31041cf4"},"Hash":[132,253,186,129,29,73,24,154,9,208,76,143,27,6,48,117,86,48,253,44,168,106,252,207,62,169,85,231,16,110,175,217]},{"Name":"baaae46c-90d0-4153-9c3c-e27274a46f40","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight All MYSQL","Description":"","Query":"tag=corelight_mysql ax | table","UUID":"baaae46c-90d0-4153-9c3c-e27274a46f40"},"Hash":[140,113,99,175,104,181,221,212,176,154,104,219,190,25,49,125,56,131,31,163,242,168,138,251,175,51,90,75,252,144,217,26]},{"Name":"3d7890b7-248e-4ac6-96a7-295318d66d50","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight DHCP rejections","Description":"Table of DHCP address rejections and cause","Query":"tag=corelight_dhcp ax msg_types==NAK mac server_message |\nstats count by mac server_message |\nmaclookup -r mac_prefixes mac.Manufacturer |\ntable mac Manufacturer server_message 
count","UUID":"3d7890b7-248e-4ac6-96a7-295318d66d50"},"Hash":[157,41,118,43,7,32,140,239,4,101,227,88,41,97,219,239,218,156,165,78,59,130,216,66,169,193,140,118,169,202,76,223]},{"Name":"d9518c33-539f-4fe1-96b1-cf5317223387","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight SMB Client actions","Description":"Client action types (e.g. open, rename, etc)","Query":"tag=corelight_smb_files ax | count by \"id.orig_h\" action | stackgraph \"id.orig_h\" action count","UUID":"d9518c33-539f-4fe1-96b1-cf5317223387"},"Hash":[222,148,162,231,22,158,95,235,21,189,204,129,237,247,222,87,245,22,78,73,90,57,173,160,35,78,77,94,199,10,87,137]},{"Name":"70feed8b-6643-41f2-ad84-090d772be456","Type":"template","AdditionalInfo":{"UUID":"70feed8b-6643-41f2-ad84-090d772be456","Name":"Corelight SSH Clients Authenticated to Server","Description":"Generate a list of which clients have successfully authenticated to a server."},"Hash":[193,109,124,246,203,196,244,28,73,210,105,141,197,119,64,58,87,36,123,72,56,159,40,8,243,11,45,190,174,249,88,230]},{"Name":"af79ad48-c2cc-4b66-b32c-277612c929f9","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight most active service ports","Description":"The most active service ports as seen by Corelight conn log","Query":"tag=corelight_conn ax \"id.resp_p\" | stats count as connections by \"id.resp_p\" | sort by connections | table \"id.resp_p\" connections","UUID":"af79ad48-c2cc-4b66-b32c-277612c929f9"},"Hash":[112,102,75,23,206,158,11,205,201,157,75,99,85,220,11,76,234,160,0,42,7,114,58,198,47,237,147,87,124,145,202,73]},{"Name":"1acdb84b-2550-4664-8e18-667e749967af","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight All Connections","Description":"All entries from conn.log","Query":"tag=corelight_conn ax | 
table","UUID":"1acdb84b-2550-4664-8e18-667e749967af"},"Hash":[201,187,178,40,241,185,52,131,238,20,150,84,95,152,68,201,75,229,122,166,175,59,207,70,68,126,193,128,2,120,167,119]},{"Name":"d49da2c5-a358-45cb-9b4d-d341c1399936","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight SMB infrequent files","Description":"","Query":"tag=corelight_smb_files ax | count by name | sort by count asc | table name count","UUID":"d49da2c5-a358-45cb-9b4d-d341c1399936"},"Hash":[196,225,77,203,240,9,245,78,97,17,7,100,175,25,197,185,128,213,222,187,105,163,246,45,253,56,254,122,134,73,124,55]},{"Name":"f4a4c991-b89f-486d-a46d-43e833d44f90","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight most common TLDs","Description":"Most common queried TLDs as seen by Corelight","Query":"tag=corelight_dns ax \"id.resp_h\" query answers qtype_name == A |\nregex -e \"query\" \"(?P\u003cTLD\u003e[^\\.]+)$\" |\nstats count by TLD |\ntable TLD count","UUID":"f4a4c991-b89f-486d-a46d-43e833d44f90"},"Hash":[71,83,216,165,218,202,7,127,135,139,222,117,65,213,165,37,54,29,193,193,196,184,129,138,226,26,210,87,16,45,49,170]},{"Name":"d4508d81-40fd-49e3-85b7-e029434289eb","Type":"file","AdditionalInfo":{"UUID":"d4508d81-40fd-49e3-85b7-e029434289eb","Name":"Screenshot from 2020-10-05 14-16-23.png","Description":"Corelight Point to point","Size":267556,"ContentType":"image/png"},"Hash":[206,199,250,140,150,107,70,52,164,212,97,13,94,31,47,209,204,46,32,155,194,242,223,11,237,68,146,33,243,170,205,218]},{"Name":"4f3d9183-f657-4807-bccc-86337f809472","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight HTTP Potential Command Injection in URI","Description":"A table of info for requests with URIs that contain common escape characters","Query":"tag=corelight_http ax\n| regex -e uri \"\\;|\u0026\u0026|\\|`|\u003e|\u003c|\\\\|\\!\"\n| 
table","UUID":"4f3d9183-f657-4807-bccc-86337f809472"},"Hash":[196,204,251,13,48,81,0,25,110,45,178,48,235,175,192,66,67,102,59,20,76,167,84,236,0,136,241,224,24,20,224,185]},{"Name":"751b1b27-c2d7-4646-a89b-a04d6fbeb096","Type":"template","AdditionalInfo":{"UUID":"751b1b27-c2d7-4646-a89b-a04d6fbeb096","Name":"Corelight Rare DNS Queries","Description":""},"Hash":[107,55,107,218,163,130,69,232,28,51,128,162,78,104,124,46,60,167,118,42,16,53,212,249,54,100,22,235,144,78,184,13]},{"Name":"4a2bb62e-2980-446e-8689-3cf3b94a9e8f","Type":"template","AdditionalInfo":{"UUID":"4a2bb62e-2980-446e-8689-3cf3b94a9e8f","Name":"Corelight DNS SLDs with the Most Subdomains by Client","Description":""},"Hash":[50,158,88,40,0,152,201,51,253,42,235,78,227,157,118,62,163,86,161,36,2,79,226,187,105,44,123,213,153,102,54,44]},{"Name":"834a8e30-c36f-44e2-992b-c021aee0a5c2","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight All Syslog","Description":"syslog.log","Query":"tag=corelight_syslog ax | table","UUID":"834a8e30-c36f-44e2-992b-c021aee0a5c2"},"Hash":[182,59,191,83,144,16,142,181,193,210,220,80,20,161,79,80,46,220,129,34,141,125,219,83,245,173,98,10,133,90,181,190]},{"Name":"313816cf-f448-4d14-b91d-0d332a1569c3","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight Upload/Download Numbercards","Description":"Numbercards showing total upload/download traffic as seen by Corelight","Query":"tag=corelight_conn ax orig_bytes!=\"-\" resp_bytes!=\"-\" |\nstats sum(orig_bytes) as upload sum(resp_bytes) as download |\nnumbercard upload download","UUID":"313816cf-f448-4d14-b91d-0d332a1569c3"},"Hash":[69,210,25,9,228,112,217,7,226,208,130,163,7,245,75,175,224,82,236,170,6,219,87,127,90,114,210,134,179,195,75,8]},{"Name":"4d1e543f-63b7-426e-b041-10a78da7ad4a","Type":"template","AdditionalInfo":{"UUID":"4d1e543f-63b7-426e-b041-10a78da7ad4a","Name":"Corelight All 
SNMP","Description":""},"Hash":[200,201,191,95,226,151,241,124,35,115,67,215,25,58,88,63,77,91,156,43,172,0,211,103,162,244,215,180,178,161,227,246]},{"Name":"f67d8107-9910-4166-a6d0-1621310d4c5b","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight SSH Server Locations","Description":"","Query":"tag=corelight_ssh ax\n| geoip \"id.resp_h\".Location\n| pointmap \"id.resp_h\"","UUID":"f67d8107-9910-4166-a6d0-1621310d4c5b"},"Hash":[201,245,207,83,14,173,119,87,217,217,22,4,155,130,124,192,64,215,215,43,222,41,60,37,207,89,23,135,41,166,246,148]},{"Name":"6a910b38-707c-400e-acb3-7c17067122bb","Type":"template","AdditionalInfo":{"UUID":"6a910b38-707c-400e-acb3-7c17067122bb","Name":"Corelight All DNS for IP","Description":""},"Hash":[178,55,246,121,9,167,161,32,218,183,76,153,149,186,248,111,7,225,189,130,150,7,56,24,180,137,136,101,3,4,142,139]},{"Name":"f204deb9-55f1-4edd-869f-b7e12ab4e4ab","Type":"template","AdditionalInfo":{"UUID":"f204deb9-55f1-4edd-869f-b7e12ab4e4ab","Name":"Corelight all SSH for IP","Description":""},"Hash":[165,0,121,105,16,4,146,14,68,142,177,133,138,35,247,71,74,72,152,34,151,48,46,194,82,22,108,125,18,98,118,65]},{"Name":"94a07abb-a0cd-498d-b1db-ab604634dac0","Type":"template","AdditionalInfo":{"UUID":"94a07abb-a0cd-498d-b1db-ab604634dac0","Name":"Corelight Service traffic Totals for an IP","Description":"Show upstream/downstream traffic totals for service traffic on a given IP."},"Hash":[215,231,107,211,188,255,174,34,239,182,170,87,87,226,101,130,134,108,95,142,32,189,152,222,68,135,206,13,216,109,170,72]},{"Name":"1a0c447b-cc75-4990-9113-64e8e7492b97","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight HTTP Point-to-Point","Description":"A point-to-point map showing connections between hosts over HTTP","Query":"tag=corelight_http ax \"id.orig_h\" \"id.resp_h\"\n| geoip \"id.resp_h\".Location as resp_host_loc \"id.orig_h\".Location as orig_host_loc\n| point2point -srcloc orig_host_loc -dstloc 
resp_host_loc","UUID":"1a0c447b-cc75-4990-9113-64e8e7492b97"},"Hash":[196,123,45,71,182,245,146,118,74,102,36,60,22,97,213,7,252,58,76,16,177,107,47,1,185,218,119,70,85,46,47,204]},{"Name":"a77fdfe8-feeb-4196-8781-675fea2f40b3","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight Tunnel Connections Map","Description":"A point-to-point map showing tunnel connections between hosts","Query":"tag=corelight_tunnel ax \"id.orig_h\" \"id.resp_h\" |\ngeoip \"id.resp_h\".Location as resp_host_loc \"id.orig_h\".Location as orig_host_loc |\npoint2point -srcloc orig_host_loc -dstloc resp_host_loc","UUID":"a77fdfe8-feeb-4196-8781-675fea2f40b3"},"Hash":[15,88,7,189,79,107,126,52,152,81,28,209,43,143,158,242,243,190,50,254,94,241,139,31,219,19,129,110,203,240,166,182]},{"Name":"890c87e2-2c2c-4c6a-b22a-0548b0e5f261","Type":"template","AdditionalInfo":{"UUID":"890c87e2-2c2c-4c6a-b22a-0548b0e5f261","Name":"Corelight Unique Clients for IP","Description":"Numbercard of active clients for a given machine"},"Hash":[104,24,19,6,158,131,78,246,211,199,75,134,0,161,224,159,203,116,24,22,100,216,209,104,156,114,179,145,105,193,41,98]},{"Name":"19a5a5b3-b8d8-4f14-8ba5-c7fe7cfda935","Type":"dashboard","AdditionalInfo":{"UUID":"19a5a5b3-b8d8-4f14-8ba5-c7fe7cfda935","Name":"Corelight SMB Investigator","Description":"Investigate a given IP address"},"Hash":[56,183,30,192,162,133,183,94,86,225,101,219,24,124,249,150,128,179,135,94,121,84,23,192,209,78,157,78,19,158,219,150]},{"Name":"05a19963-4067-4d6f-b071-5fff4ecaa7c3","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight DHCP session counts","Description":"Chart of DHCP requests for each server","Query":"tag=corelight_dhcp ax server_addr != - | stats count by server_addr | chart count by 
server_addr","UUID":"05a19963-4067-4d6f-b071-5fff4ecaa7c3"},"Hash":[136,81,108,197,19,150,146,17,219,75,196,110,28,230,106,179,173,88,15,119,173,119,69,166,152,76,70,133,91,216,165,30]},{"Name":"3bbcf97e-1bd6-476c-bf82-2e9b1affbdd5","Type":"template","AdditionalInfo":{"UUID":"3bbcf97e-1bd6-476c-bf82-2e9b1affbdd5","Name":"Corelight Most Queried DNS Names by Client","Description":""},"Hash":[11,146,70,186,174,123,129,122,81,184,31,109,179,248,18,206,239,57,62,44,222,66,80,73,29,79,60,216,172,80,60,97]},{"Name":"2c39877b-81df-4383-aca3-d0b840065715","Type":"file","AdditionalInfo":{"UUID":"2c39877b-81df-4383-aca3-d0b840065715","Name":"Screenshot from 2020-10-05 14-12-37.png","Description":"Corelight DNS overview","Size":98268,"ContentType":"image/png"},"Hash":[112,94,8,234,0,16,68,229,145,19,9,235,228,105,76,81,21,220,111,118,239,51,115,46,168,111,80,183,196,139,113,215]},{"Name":"67abac1f-b607-4cfd-bc1a-896f93f92649","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight Tunnel Connections","Description":"A force directed graph showing tunnel connections between hosts","Query":"tag=corelight_tunnel ax \"id.orig_h\" \"id.resp_h\" tunnel_type |\nstats count by \"id.orig_h\" \"id.resp_h\" tunnel_type |\nfdg -v count -sg tunnel_type \"id.orig_h\" \"id.resp_h\"","UUID":"67abac1f-b607-4cfd-bc1a-896f93f92649"},"Hash":[45,38,101,64,125,148,80,103,53,239,165,206,238,21,22,20,71,66,186,196,7,23,224,123,112,55,214,21,201,195,219,112]},{"Name":"709af2b8-7309-4add-bb97-f556dac95b24","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight SSH chart of ports","Description":"","Query":"tag=corelight_ssh ax\n| count by \"id.resp_p\"\n| chart count by \"id.resp_p\"","UUID":"709af2b8-7309-4add-bb97-f556dac95b24"},"Hash":[178,127,157,135,112,252,2,87,7,205,191,177,254,88,141,249,216,88,236,86,55,134,4,192,201,1,228,154,174,217,249,178]},{"Name":"ea59a863-7656-4b71-99ab-f0bb10873a34","Type":"pivot","AdditionalInfo":{"UUID":"ea59a863-7656-4b71-99ab-f0bb10873a34","Name":"Corelight IP 
Investigative Dashboards","Description":"Corelight Investigative Dashboards"},"Hash":[230,21,137,93,174,200,228,204,13,251,9,140,146,21,52,104,45,159,141,28,122,141,126,241,94,115,217,149,184,109,190,191]},{"Name":"998e1c84-d0d7-43dd-9347-82e562daf348","Type":"template","AdditionalInfo":{"UUID":"998e1c84-d0d7-43dd-9347-82e562daf348","Name":"Corelight All for UID","Description":"Raw corelight entries containing a given UID whatsoever"},"Hash":[128,90,136,153,3,220,182,99,123,186,92,49,245,87,208,135,18,230,214,249,243,119,224,227,34,167,80,121,140,115,119,217]},{"Name":"dae7ec36-d2b2-489a-99ff-542474b549ec","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight SMB Server heatmap","Description":"","Query":"tag=corelight_smb* ax | unique \"id.resp_h\" | geoip \"id.resp_h\".Location | heatmap \"id.resp_h\"\n","UUID":"dae7ec36-d2b2-489a-99ff-542474b549ec"},"Hash":[146,194,16,251,43,8,47,109,71,51,86,194,138,111,176,135,40,41,175,194,97,161,138,199,62,165,197,25,8,97,27,134]},{"Name":"66536c4a-141c-4a53-ab0c-316d08171c33","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight Connection Map","Description":"Geospatial connection map of connections as seen by Corelight","Query":"tag=corelight_conn ax \"id.orig_h\" \"id.resp_h\" |\nstats count by \"id.orig_h\" \"id.resp_h\" |\ngeoip \"id.orig_h\".Location as oloc \"id.resp_h\".Location as rloc |\npoint2point -srcloc oloc -dstloc rloc","UUID":"66536c4a-141c-4a53-ab0c-316d08171c33"},"Hash":[45,171,130,23,197,199,144,75,153,48,185,86,200,202,75,68,231,204,150,203,1,172,184,4,95,223,250,46,124,88,106,14]},{"Name":"0c1dc12a-8e1b-45bf-b946-a063bec0c0b8","Type":"template","AdditionalInfo":{"UUID":"0c1dc12a-8e1b-45bf-b946-a063bec0c0b8","Name":"Corelight SMB private IP 
graph","Description":""},"Hash":[28,3,77,2,83,217,81,50,160,205,201,91,191,184,185,237,121,44,151,178,79,206,177,138,205,88,197,164,104,185,66,114]},{"Name":"bcdb7175-2b05-4a64-9dd5-5edc54046e7e","Type":"template","AdditionalInfo":{"UUID":"bcdb7175-2b05-4a64-9dd5-5edc54046e7e","Name":"Corelight service bandwidth graph","Description":"Service Upload and Download traffic for an IP as seen by Corelight"},"Hash":[77,136,161,3,211,57,1,148,15,54,187,128,201,95,38,255,244,178,123,42,25,213,224,105,111,143,55,88,14,43,210,30]},{"Name":"276dbda5-0cf4-4f94-858d-588006e3e1c1","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight SSH Successful Authentications by Client","Description":"Display a table of which clients have successfully connected to which server the most. Also includes client country.","Query":"tag=corelight_ssh ax auth_success==\"true\" | alias \"id.orig_h\" client \"id.resp_h\" server | stats count by client server | geoip client.CountryName | table server client CountryName count","UUID":"276dbda5-0cf4-4f94-858d-588006e3e1c1"},"Hash":[1,126,216,176,168,236,31,250,76,228,121,68,171,213,190,78,122,27,192,86,198,83,197,141,240,158,100,11,228,9,148,170]},{"Name":"7cf2fd64-b919-4a7a-b2af-a7cb27271369","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight SSH Version 1 Auth Successes","Description":"Successful SSH authentications using SSH version 1","Query":"tag=corelight_ssh ax version==1 auth_success==\"true\" | alias \"id.orig_h\" client \"id.resp_h\" server | table client server","UUID":"7cf2fd64-b919-4a7a-b2af-a7cb27271369"},"Hash":[129,177,121,138,15,54,197,38,243,30,109,138,136,1,8,90,78,48,73,208,136,76,170,209,76,64,40,242,191,163,163,137]},{"Name":"3a77dd7b-dd80-449e-9a08-22003b561279","Type":"template","AdditionalInfo":{"UUID":"3a77dd7b-dd80-449e-9a08-22003b561279","Name":"Corelight Active services for an IP","Description":"Numbercard of active services for a host that have been seen responding as seen by 
Corelight"},"Hash":[109,157,88,214,89,112,120,185,119,112,117,153,199,4,184,17,74,145,164,187,194,113,213,126,158,78,17,147,94,7,96,138]},{"Name":"a4cd6f05-9edd-4133-91b9-d4ff7e4b4aae","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight All SMB Files","Description":"smb_files.log","Query":"tag=corelight_smb_files ax | table","UUID":"a4cd6f05-9edd-4133-91b9-d4ff7e4b4aae"},"Hash":[94,251,31,180,241,129,174,1,124,42,94,144,243,58,78,196,179,249,19,104,124,89,184,172,179,114,103,56,71,201,170,147]},{"Name":"733eb8c6-34cb-4355-bde6-5f691ca44bfc","Type":"pivot","AdditionalInfo":{"UUID":"733eb8c6-34cb-4355-bde6-5f691ca44bfc","Name":"IP Address","Description":"Corelight Actions on IP Addresses"},"Hash":[147,155,233,30,46,171,63,37,48,42,64,35,101,175,239,95,13,225,207,80,212,134,74,79,251,184,26,160,108,159,172,197]},{"Name":"b51a9936-db54-42b3-9fa0-16f8e03dd514","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight Rare DNS Queries","Description":"Least queried DNS names over time","Query":"tag=corelight_dns ax | alias query Name |\nstats count by Name |\nsort by count asc |\nlimit 100 |\ntable Name count","UUID":"b51a9936-db54-42b3-9fa0-16f8e03dd514"},"Hash":[80,237,147,154,219,130,255,146,110,168,19,19,15,10,30,219,49,233,239,185,20,43,241,15,48,69,247,48,6,197,92,13]},{"Name":"bd4768cb-8bba-49eb-8e64-051800b58e99","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight HTTP Browser Distribution","Description":"","Query":"tag=corelight_http ax \n| regex -e user_agent \"(?P\u003cbrowser\u003e\\S*)/[0-9.]*$\" \n| count by browser \n| chart count by browser","UUID":"bd4768cb-8bba-49eb-8e64-051800b58e99"},"Hash":[221,83,31,101,163,173,231,131,250,159,234,39,250,173,159,188,238,251,6,44,64,165,125,145,220,66,73,165,246,209,38,201]},{"Name":"b48104e6-5206-4f0a-99ba-fb23c1534853","Type":"file","AdditionalInfo":{"UUID":"b48104e6-5206-4f0a-99ba-fb23c1534853","Name":"corelight-cover.png","Description":"Cover for Corelight Gravwell 
Kit","Size":163519,"ContentType":"image/png"},"Hash":[46,69,167,154,101,178,197,227,20,146,214,142,129,90,54,140,253,39,26,176,225,138,5,86,166,146,120,111,76,64,108,128]},{"Name":"f38fce68-8ec6-43c5-a243-8216fb54df7a","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight DNS Beaconing","Description":"Frequent DNS requests with the smallest variance","Query":"tag=corelight_dns ax | alias query Name | sort by time asc | diff TIMESTAMP by query | require -s diff | stats mean(diff) stddev(diff) count by query | eval (stddev \u003c mean \u0026\u0026 count \u003e 2) | eval r = stddev/mean; Duration = duration(mean); | sort by r asc | table Name Duration count\n","UUID":"f38fce68-8ec6-43c5-a243-8216fb54df7a"},"Hash":[158,244,44,150,65,118,88,24,190,157,253,202,140,109,148,133,90,19,216,97,133,193,237,56,22,55,251,116,102,59,240,103]},{"Name":"ba2cd43f-0525-485e-8b56-7c091b4ac971","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight Total Traffic By Service","Description":"Total traffic per service as seen by Corelight","Query":"tag=corelight_conn ax service orig_bytes resp_bytes | stats sum(orig_bytes) as upload sum(resp_bytes) as download by service |\neval bytes = upload + download; |\neval if ( service == \"-\" ) { service = \"unknown\"; }\n| stats sum(bytes) as traffic by service |\nchart traffic by service\n","UUID":"ba2cd43f-0525-485e-8b56-7c091b4ac971"},"Hash":[247,72,147,192,44,66,236,154,221,70,198,199,158,41,221,148,126,229,21,145,103,57,107,129,87,74,6,239,162,137,161,203]},{"Name":"eca05bb1-9fba-4930-a74b-b1143d246f1a","Type":"template","AdditionalInfo":{"UUID":"eca05bb1-9fba-4930-a74b-b1143d246f1a","Name":"Corelight protocols for UID","Description":""},"Hash":[244,238,146,82,80,75,242,115,69,47,244,32,169,16,10,123,111,117,150,160,248,255,99,133,46,143,105,40,138,31,94,132]},{"Name":"cac57607-950a-46a5-90b5-07fabf9b3c51","Type":"template","AdditionalInfo":{"UUID":"cac57607-950a-46a5-90b5-07fabf9b3c51","Name":"Corelight 10 least common service 
ports for IP","Description":"Table of the least commonly used service ports for an IP as seen by Corelight"},"Hash":[202,190,148,11,35,245,215,147,161,89,23,238,116,115,180,246,168,85,96,225,223,245,184,177,76,175,20,80,153,12,168,189]},{"Name":"82efb53a-ba7d-4497-9267-7b4439e9b9fe","Type":"searchlibrary","AdditionalInfo":{"Name":"SSL Alert Protocol Messages","Description":"SSL connections with associated alert messages","Query":"tag=corelight_ssl json -s last_alert \"id.orig_h\" \"id.resp_h\" server_name established\n| alias \"id.orig_h\" client \"id.resp_h\" server last_alert alert\n| table client server server_name last_alert established\n","UUID":"82efb53a-ba7d-4497-9267-7b4439e9b9fe"},"Hash":[99,240,134,212,243,251,39,41,115,44,253,110,95,22,191,9,246,201,157,86,145,236,60,52,88,238,69,47,121,128,166,179]},{"Name":"b46ca253-87d3-4e6c-82bf-ce0f379195f7","Type":"template","AdditionalInfo":{"UUID":"b46ca253-87d3-4e6c-82bf-ce0f379195f7","Name":"Corelight Service Client heatmap","Description":"Heatmap of clients for a given service"},"Hash":[198,138,217,57,43,221,248,118,13,85,151,89,122,138,51,243,188,60,126,221,252,3,85,44,108,46,144,37,138,227,194,155]},{"Name":"92e18262-c273-4659-9f8f-953bec4fc455","Type":"template","AdditionalInfo":{"UUID":"92e18262-c273-4659-9f8f-953bec4fc455","Name":"Corelight Conn for UID","Description":""},"Hash":[5,142,229,253,8,212,253,19,145,122,57,124,183,154,191,8,87,168,135,77,5,39,242,151,73,228,28,208,201,65,74,191]},{"Name":"0c0a67d1-3fa2-41d2-b778-b440b8a6dfee","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight SSH login and brute force attempt analytics","Description":"Examine all successful SSH logins and compare them against failures","Query":"tag=corelight_ssh ax auth_success!=- client \"id.orig_h\" auth_attempts \"id.resp_h\" host_key | stats count sum(auth_attempts) as attempts by client \"id.resp_h\" auth_success | eval if( auth_success == \"true\" ) { success = count; } | geoip \"id.orig_h\".CountryName 
\"id.orig_h\".City | stats sum(success) as success by client \"id.resp_h\" | eval success \u003e 0 | eval if ((float(attempts)/float(success)) \u003e 2.0) { Notes = \"Potential Brute Force Success\"; } | sort by success desc | table \"id.resp_h\" \"id.orig_h\" host_key CountryName City client attempts success Notes\n","UUID":"0c0a67d1-3fa2-41d2-b778-b440b8a6dfee"},"Hash":[183,199,141,254,178,103,49,152,0,184,17,8,152,162,161,136,145,213,199,80,127,189,244,232,46,188,9,205,144,78,40,48]},{"Name":"1fcb678a-a41e-4371-88d0-a79c4ada9442","Type":"template","AdditionalInfo":{"UUID":"1fcb678a-a41e-4371-88d0-a79c4ada9442","Name":"Corelight DNS Beaconing by Client","Description":""},"Hash":[32,211,251,69,177,75,186,59,46,195,135,18,118,129,106,152,216,44,182,205,28,229,104,52,109,245,86,238,155,166,12,85]},{"Name":"c703e517-3138-4cb8-a50d-826318dc8dbd","Type":"template","AdditionalInfo":{"UUID":"c703e517-3138-4cb8-a50d-826318dc8dbd","Name":"Corelight All Modbus for IP","Description":""},"Hash":[40,181,196,192,238,195,5,20,100,36,220,234,14,222,43,16,67,254,191,192,187,250,105,219,99,71,61,73,43,101,29,115]},{"Name":"7e5b1227-0458-467e-bf79-6fe7e323c3a6","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight service connection counts","Description":"Chart of connection counts per service as seen by Corelight","Query":"tag=corelight_conn ax service |\nstats count by service |\neval if ( service == \"-\" ) { service = \"unknown\"; } |\nchart count by service limit 32\n","UUID":"7e5b1227-0458-467e-bf79-6fe7e323c3a6"},"Hash":[12,172,115,134,208,33,94,5,220,98,80,138,249,235,15,213,144,228,242,184,167,173,35,72,146,36,32,29,86,244,34,9]},{"Name":"265a2917-8796-44b5-a53f-78f77a3543cd","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight Tunnel Types","Description":"Charts the types of tunnels. 
Best viewed as a pie chart or donut chart.","Query":"tag=corelight_tunnel ax tunnel_type |\ncount by tunnel_type |\nchart count by tunnel_type","UUID":"265a2917-8796-44b5-a53f-78f77a3543cd"},"Hash":[134,53,54,125,228,126,125,212,237,176,151,77,146,69,172,47,202,122,192,87,171,102,243,64,76,78,80,198,193,203,197,144]},{"Name":"a6044e23-6f2d-424c-9b52-ad4905010d92","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight SSH re-used keys","Description":"","Query":"tag=corelight_ssh ax \"id.resp_h\" host_key != -\n| alias \"id.resp_h\" latestserver\n| stats unique_count(\"id.resp_h\") as unique_hosts by host_key unique_count(host_key) by \"id.resp_h\"\n| eval ( !has(unique_hosts) || unique_hosts \u003e 1 )\n| sort by host_key\n| geoip -r asn_db \"id.resp_h\".ASNOrg\n| table \"id.resp_h\" ASNOrg host_key unique_hosts\n","UUID":"a6044e23-6f2d-424c-9b52-ad4905010d92"},"Hash":[65,18,246,191,106,9,235,173,212,130,4,83,249,57,149,98,43,20,194,166,168,239,213,229,79,154,110,223,188,207,134,54]},{"Name":"c5a1e3c6-2ed9-4306-9e11-95dcf513c1e0","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight Connection Counts by State","Description":"Chart the number of sessions by connection state as seen by Corelight","Query":"tag=corelight_conn ax conn_state |\nstats count by conn_state |\nchart count by conn_state","UUID":"c5a1e3c6-2ed9-4306-9e11-95dcf513c1e0"},"Hash":[28,222,160,232,180,112,139,129,200,56,37,219,184,27,179,210,124,155,128,81,167,145,56,129,9,194,106,95,87,228,37,190]},{"Name":"b914f9a1-605a-4fcb-89d7-1dccfe9a3446","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight All HTTP","Description":"","Query":"tag=corelight_http ax | table","UUID":"b914f9a1-605a-4fcb-89d7-1dccfe9a3446"},"Hash":[29,219,134,211,105,181,211,71,103,202,164,29,244,131,112,43,95,68,216,219,60,87,230,62,5,138,60,249,172,97,236,205]},{"Name":"27c92489-b566-4907-ad78-9d6205921ceb","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight HTTP Method Counts","Description":"A chart showing 
the percentage of each HTTP Method","Query":"tag=corelight_http ax\n| count by method\n| chart count by method","UUID":"27c92489-b566-4907-ad78-9d6205921ceb"},"Hash":[90,81,189,143,42,99,78,19,138,244,68,9,119,188,93,236,120,244,58,38,20,180,255,20,4,143,49,86,58,125,185,232]},{"Name":"9dcf5b71-6751-49ce-990f-ae6d57d8a8e0","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight least common responding ports","Description":"Least common service ports that respond with data as seen by Corelight","Query":"tag=corelight_conn ax \"id.resp_p\" resp_bytes |\nstats count by \"id.resp_p\" |\neval resp_bytes \u003e 140 \u0026\u0026 $(id.resp_p) \u003c 16000 | /* Only looking at ports in the lower range */\nsort by count asc |\ntable \"id.resp_p\" count\n","UUID":"9dcf5b71-6751-49ce-990f-ae6d57d8a8e0"},"Hash":[49,202,170,156,203,131,224,129,151,166,90,132,86,226,244,180,174,161,175,174,165,143,244,97,11,138,84,108,102,91,176,14]},{"Name":"5e025123-bafe-4258-84fb-96694fd68c1b","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight Service Connection Reset Table","Description":"The number of connection resets per service as seen by corelight","Query":"tag=corelight_conn ax conn_state ~ RST proto==tcp service |\nstats count by service conn_state |\nlookup -r corelight_conn_state conn_state state description |\ntable service conn_state count description","UUID":"5e025123-bafe-4258-84fb-96694fd68c1b"},"Hash":[56,33,167,119,158,69,139,20,126,178,123,139,115,239,242,98,12,148,233,93,134,84,144,56,177,52,87,148,132,119,107,41]},{"Name":"65d740a2-1527-49fa-a0a8-54f635427592","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight All SSH","Description":"All entries from ssh.log","Query":"tag=corelight_ssh ax | 
table","UUID":"65d740a2-1527-49fa-a0a8-54f635427592"},"Hash":[152,199,13,154,159,29,105,70,54,113,72,17,100,26,93,121,20,90,189,254,221,235,202,76,51,134,41,222,0,122,98,168]},{"Name":"0fd7045f-d2ab-4573-825f-aabdf6829a67","Type":"template","AdditionalInfo":{"UUID":"0fd7045f-d2ab-4573-825f-aabdf6829a67","Name":"Corelight total client connections for a given IP","Description":"Numbercard of the total service connections as seen by corelight"},"Hash":[240,186,223,135,212,69,78,231,126,97,69,212,44,29,34,89,11,62,193,132,47,236,208,44,254,63,230,14,224,215,60,139]},{"Name":"49a9a43c-14d8-46dd-b801-7d48c4ee40ab","Type":"template","AdditionalInfo":{"UUID":"49a9a43c-14d8-46dd-b801-7d48c4ee40ab","Name":"Corelight All MYSQL for IP","Description":""},"Hash":[220,137,128,136,92,68,36,133,22,190,190,153,91,235,74,50,113,206,214,156,80,143,1,28,40,8,15,209,87,255,170,138]},{"Name":"33c2c0cf-b7e1-417e-ba98-2a4707fe73b4","Type":"template","AdditionalInfo":{"UUID":"33c2c0cf-b7e1-417e-ba98-2a4707fe73b4","Name":"Corelight All DHCP for IP","Description":""},"Hash":[84,183,75,170,121,160,118,110,1,188,203,250,95,216,23,204,89,74,93,221,226,200,9,155,100,241,97,173,87,4,19,42]},{"Name":"99f518cb-da24-4170-b0d0-ff4d393ef306","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight Connection Averages","Description":"Table showing averages for traffic, packets, and connection duration for each service","Query":"tag=corelight_conn ax service duration orig_bytes resp_bytes orig_pkts resp_pkts\n| stats mean(orig_bytes) as \"Average Downstream Traffic\"\nmean(resp_bytes) as \"Average Upstream Traffic\"\nmean(duration) as \"Average Connection Duration\"\nmean(orig_pkts) as \"Average Downstream Packets\"\nmean(resp_pkts) as \"Average Upstream Packets\" by service\n| eval if ( service == \"-\" ) { service = \"unknown\"; }\n| table service \"Average Connection Duration\" \"Average Downstream Traffic\" \"Average Downstream Packets\" \"Average Upstream Traffic\" \"Average Upstream 
Packets\"\n","UUID":"99f518cb-da24-4170-b0d0-ff4d393ef306"},"Hash":[90,66,115,44,157,24,179,3,66,137,224,181,196,146,15,109,234,179,49,23,135,115,142,201,238,171,41,97,29,240,172,194]},{"Name":"92a60422-ed19-4d81-9c5d-4fbaedc72eb4","Type":"template","AdditionalInfo":{"UUID":"92a60422-ed19-4d81-9c5d-4fbaedc72eb4","Name":"Corelight Connection Graph for IP","Description":"FDG of IP Connections for a given IP as seen by Corelight"},"Hash":[75,35,154,225,231,253,67,232,13,251,152,246,43,242,87,24,222,246,21,80,0,221,99,32,22,25,207,238,112,224,81,136]},{"Name":"45cdd4b5-7e75-43bb-adde-65b116c4d6c3","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight DHCP Address Assignments","Description":"Table of DHCP address assignments","Query":"tag=corelight_dhcp ax mac host_name assigned_addr |\nstats count by mac host_name assigned_addr |\nmaclookup -r mac_prefixes mac.Manufacturer |\ntable mac Manufacturer host_name assigned_addr count","UUID":"45cdd4b5-7e75-43bb-adde-65b116c4d6c3"},"Hash":[214,44,127,211,90,191,48,64,110,210,97,67,95,218,101,182,61,123,190,238,113,53,43,233,231,169,38,21,108,56,7,182]},{"Name":"e45641ed-a10c-4180-b006-a68044af3cd0","Type":"pivot","AdditionalInfo":{"UUID":"e45641ed-a10c-4180-b006-a68044af3cd0","Name":"Corelight Raw UID Records","Description":"Corelight UIDs (unique identifiers for each flow)"},"Hash":[172,118,111,211,212,6,169,203,78,45,238,70,38,29,114,200,145,165,138,60,178,225,208,32,194,252,103,239,178,157,206,36]},{"Name":"cfa15ccb-13f0-4fbe-af68-51c0d74190f5","Type":"template","AdditionalInfo":{"UUID":"cfa15ccb-13f0-4fbe-af68-51c0d74190f5","Name":"Corelight DNS Related Subdomains","Description":""},"Hash":[145,140,95,3,209,100,224,71,29,148,244,192,120,140,51,13,77,87,80,72,123,87,129,220,137,204,67,125,156,162,225,114]},{"Name":"9c5172ca-f41b-4fba-bf41-eec9f5e88815","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight SSH Client Locations","Description":"GeoIP locations for all SSH clients","Query":"tag=corelight_ssh ax\n| 
geoip \"id.orig_h\".Location\n| heatmap \"id.orig_h\"","UUID":"9c5172ca-f41b-4fba-bf41-eec9f5e88815"},"Hash":[205,76,85,208,159,176,168,140,110,83,161,62,206,247,191,135,6,248,30,253,28,208,114,46,83,85,151,239,81,36,79,80]},{"Name":"a0e6a026-9034-463d-81ca-6085e9796a2b","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight SMB top files","Description":"","Query":"tag=corelight_smb_files ax | count by name | table name count","UUID":"a0e6a026-9034-463d-81ca-6085e9796a2b"},"Hash":[158,67,17,247,122,83,69,150,179,196,144,200,244,134,51,62,175,24,105,141,115,194,29,61,243,226,241,161,123,250,139,126]},{"Name":"e81c138d-dc95-4480-b68c-249e792ad2a2","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight DNS SLDs with the most Subdomains","Description":"DNS SLDs with the most Subdomains","Query":"tag=corelight_dns ax | unique query | regex -e query \"(?P\u003csld\u003e\\w+\\.\\w+\\s*$)\" | stats count by sld | sort by count desc | limit 100 | table sld count","UUID":"e81c138d-dc95-4480-b68c-249e792ad2a2"},"Hash":[27,86,144,245,1,105,229,243,249,64,41,183,109,73,6,79,82,209,188,0,130,235,81,142,205,11,116,15,223,68,242,163]},{"Name":"0f3686cb-cbde-4b05-b45f-cb3adf116989","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight Most Queried DNS Name","Description":"Most queried DNS names over time","Query":"tag=corelight_dns ax | alias query Name |\nstats count by Name |\nsort by count desc |\nlimit 100 |\ntable Name count","UUID":"0f3686cb-cbde-4b05-b45f-cb3adf116989"},"Hash":[22,89,220,212,97,123,204,183,137,254,242,149,18,54,146,248,5,31,91,107,110,49,166,31,56,111,86,5,151,224,30,166]},{"Name":"e5f0da24-644a-4d04-a3a1-96127acc0785","Type":"template","AdditionalInfo":{"UUID":"e5f0da24-644a-4d04-a3a1-96127acc0785","Name":"Corelight Connstate Chart","Description":"Count of connection states for a given IP as seen by 
Corelight"},"Hash":[148,6,109,184,216,77,190,239,200,91,37,124,239,102,140,100,20,49,221,144,41,237,113,175,34,220,77,64,70,45,104,169]},{"Name":"6659fced-2feb-419e-a655-21b3149939f1","Type":"playbook","AdditionalInfo":{"UUID":"568f4ce4-11fb-4c60-8503-07f043c40d7b","Name":"Corelight DNS","Description":""},"Hash":[11,144,160,80,235,245,13,79,35,156,129,206,206,70,116,138,82,241,80,22,52,103,141,94,11,234,205,69,188,159,43,142]},{"Name":"2dec4322-808f-4d2a-9b72-ef10154f2f20","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight All DNS","Description":"","Query":"tag=corelight_dns ax | table","UUID":"2dec4322-808f-4d2a-9b72-ef10154f2f20"},"Hash":[66,146,128,97,205,3,252,53,79,215,85,79,118,173,45,212,201,192,133,167,0,93,103,182,192,9,167,88,214,211,153,11]},{"Name":"f81da8a5-fbb9-43a3-9911-5ff6cc3fe45a","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight DNS Queries by Resource Record Type","Description":"","Query":"tag=corelight_dns ax | lookup -s -r dns_types qtype Value TYPE as dnstype | stats count by dnstype | chart count by dnstype","UUID":"f81da8a5-fbb9-43a3-9911-5ff6cc3fe45a"},"Hash":[32,46,240,18,166,203,111,190,72,222,121,134,102,86,47,37,205,5,125,8,166,140,185,98,7,161,64,251,133,179,155,154]},{"Name":"2e1a32e3-a8e8-4d3a-8a8b-2e748a032d63","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight SSH Host Keys Seen Per Server","Description":"Count how many SSH host keys we've observed for each server","Query":"tag=corelight_ssh ax host_key != \"-\" | alias \"id.resp_h\" server | unique host_key server | stats count(host_key) by server | table server count","UUID":"2e1a32e3-a8e8-4d3a-8a8b-2e748a032d63"},"Hash":[86,68,126,208,151,225,127,252,148,50,208,100,116,158,120,174,125,6,58,247,127,231,250,221,142,229,156,127,195,244,244,100]},{"Name":"0372062e-820f-4a7d-aedb-ad1a8690b183","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight HTTP directory traversal requests","Description":"Show requests that may contain directory traversal 
attacks","Query":"tag=corelight_http ax uri ~ \"../..\"\n| table \"id.orig_h\" \"id.resp_h\" host uri status_msg\n","UUID":"0372062e-820f-4a7d-aedb-ad1a8690b183"},"Hash":[180,84,7,160,101,241,203,149,116,108,147,211,207,18,230,210,183,147,158,164,179,53,213,127,230,36,217,167,188,75,209,190]},{"Name":"e9e5aca1-ef17-41de-a514-890a12f91abb","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight DNS Over Time","Description":"","Query":"tag=corelight_dns chart","UUID":"e9e5aca1-ef17-41de-a514-890a12f91abb"},"Hash":[44,83,170,233,210,160,90,144,221,73,82,6,110,42,231,197,175,116,141,149,119,40,158,23,69,216,130,106,221,90,247,4]},{"Name":"1688a96a-c444-4642-b0b4-731d0b51499f","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight SSH banners per server","Description":"Show the count of unique banners for each server IP address, as well as the most recent banner","Query":"tag=corelight_ssh ax\n| unique server \"id.resp_h\" \"id.resp_p\"\n| alias \"id.resp_h\" serverIP \"id.resp_p\" port server latestbanner\n| count by serverIP port\n| table serverIP port count latestbanner","UUID":"1688a96a-c444-4642-b0b4-731d0b51499f"},"Hash":[246,114,18,95,64,34,238,127,190,27,83,145,98,238,168,39,180,155,234,196,27,26,48,28,206,237,94,217,161,115,96,200]},{"Name":"5005ede7-6ece-4638-94d7-3fec2104904e","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight SMB nonstandard ports","Description":"","Query":"tag=corelight_smb* ax | grep -v -e \"id.resp_p\" 445 139 | count by \"id.resp_h\" \"id.resp_p\" | table \"id.resp_h\" \"id.resp_p\" count","UUID":"5005ede7-6ece-4638-94d7-3fec2104904e"},"Hash":[88,212,248,105,32,166,241,5,229,214,122,105,132,129,20,181,242,150,119,48,27,79,245,224,170,214,203,233,15,253,6,68]},{"Name":"a70f34f8-c671-4a2c-bfc5-d7e602ff2acb","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight All SNMP","Description":"","Query":"tag=corelight_snmp ax | 
table","UUID":"a70f34f8-c671-4a2c-bfc5-d7e602ff2acb"},"Hash":[6,11,143,15,130,205,12,116,250,16,178,147,11,6,205,91,28,62,0,76,235,167,197,161,46,131,25,85,24,143,249,149]},{"Name":"4792da69-bd6f-455d-9f03-ef1df25c1b64","Type":"template","AdditionalInfo":{"UUID":"4792da69-bd6f-455d-9f03-ef1df25c1b64","Name":"Corelight DNS Requests over Time","Description":""},"Hash":[205,73,167,190,21,242,120,81,105,221,129,4,109,146,131,197,22,224,74,186,181,248,242,221,140,55,129,78,113,73,8,165]},{"Name":"23a15141-ef51-41cb-8610-e7c26771855e","Type":"template","AdditionalInfo":{"UUID":"23a15141-ef51-41cb-8610-e7c26771855e","Name":"Corelight All Connections for IP","Description":""},"Hash":[233,210,95,199,2,97,141,108,41,40,150,62,106,52,59,178,192,233,212,222,149,51,65,167,232,58,37,218,8,12,123,38]},{"Name":"ab3c0439-5cce-4eaf-903f-775a36e77f6a","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight All DNP3","Description":"","Query":"tag=corelight_dnp3 ax | table","UUID":"ab3c0439-5cce-4eaf-903f-775a36e77f6a"},"Hash":[51,43,214,12,217,232,233,102,199,189,87,216,102,228,117,76,122,82,216,204,38,29,235,155,26,201,8,36,78,212,114,121]},{"Name":"dea1e2c0-2a23-4f1d-b166-99ff4333e0fb","Type":"template","AdditionalInfo":{"UUID":"dea1e2c0-2a23-4f1d-b166-99ff4333e0fb","Name":"Corelight DNS Totals by Client","Description":""},"Hash":[70,177,131,48,136,159,55,249,82,31,229,169,180,150,39,185,93,225,98,106,33,226,75,19,79,108,33,149,27,250,172,248]},{"Name":"05a32119-f1f0-4725-ae30-61b0be96258a","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight SSH server chart of client counts","Description":"","Query":"tag=corelight_ssh ax | count \"id.orig_h\" by \"id.resp_h\" | alias \"id.resp_h\" server | chart count by 
server","UUID":"05a32119-f1f0-4725-ae30-61b0be96258a"},"Hash":[178,14,236,191,145,100,73,155,174,201,4,103,126,86,199,140,159,23,133,247,149,168,128,154,134,186,43,180,254,180,98,195]},{"Name":"2f72164f-0752-4a4d-b133-e7e2fa28cdc4","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight SMB private IP graph","Description":"","Query":"tag=corelight_smb* ax | ip \"id.orig_h\"~PRIVATE \"id.resp_h\"~PRIVATE | fdg \"id.orig_h\" \"id.resp_h\"\n","UUID":"2f72164f-0752-4a4d-b133-e7e2fa28cdc4"},"Hash":[227,60,193,144,135,245,152,69,142,156,24,246,110,191,106,76,159,220,15,234,117,189,172,73,93,132,211,198,203,159,150,66]},{"Name":"6bc4fa71-a565-4f18-af1a-7f6f3e7e3c46","Type":"template","AdditionalInfo":{"UUID":"6bc4fa71-a565-4f18-af1a-7f6f3e7e3c46","Name":"Corelight All Syslog for IP","Description":"syslog.log"},"Hash":[231,30,160,233,191,50,122,97,82,244,178,60,67,135,106,152,104,155,117,58,188,112,229,128,23,146,131,213,196,207,247,224]},{"Name":"c8db7f5d-e8b4-4c58-81fa-baeb4ec76858","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight x509 Find Invalid Certificates","Description":"List certificates which have expired or are not yet valid.","Query":"tag=corelight_x509 ax\n| eval ( \nif (TIMESTAMP \u003c time($(certificate.not_valid_before))) {\n validity=\"NOT_YET_VALID\";\n return true; } \nelse if (TIMESTAMP \u003e time($(certificate.not_valid_after))) {\n validity=\"EXPIRED\";\n return true; } \nelse {\n return false; })\n| table \"certificate.subject\" \"certificate.issuer\" \"san.dns\" \"certificate.not_valid_after\" \"certificate.not_valid_before\" validity","UUID":"c8db7f5d-e8b4-4c58-81fa-baeb4ec76858"},"Hash":[7,130,8,181,109,62,223,233,203,73,97,225,109,152,217,147,33,6,141,169,53,100,232,33,68,103,5,49,3,228,113,90]},{"Name":"dcf4a811-d1a1-4db5-9399-ff3934b19e13","Type":"file","AdditionalInfo":{"UUID":"dcf4a811-d1a1-4db5-9399-ff3934b19e13","Name":"corelight-banner.png","Description":"Banner for Corelight Gravwell 
Kit","Size":68410,"ContentType":"image/png"},"Hash":[200,89,99,71,72,89,166,46,204,245,232,176,181,250,57,36,56,14,154,221,87,146,27,164,0,165,233,199,62,66,236,22]},{"Name":"b6fde264-c02b-47ec-ba52-b52bb6c16872","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight SSH on unusual ports","Description":"","Query":"tag=corelight_ssh ax \"id.resp_p\"!=22 | table","UUID":"b6fde264-c02b-47ec-ba52-b52bb6c16872"},"Hash":[221,36,156,45,36,91,31,200,252,140,227,40,78,117,78,203,214,116,254,133,199,173,148,69,22,72,223,208,62,37,47,34]},{"Name":"12121a62-e9fd-4067-a9e3-a8efbd1c394a","Type":"template","AdditionalInfo":{"UUID":"12121a62-e9fd-4067-a9e3-a8efbd1c394a","Name":"Corelight Most Common SLDs by Client","Description":""},"Hash":[18,43,198,203,181,132,66,48,192,175,79,69,253,47,103,66,134,192,156,192,40,195,69,197,66,248,85,254,10,157,132,115]},{"Name":"fe0c49fa-75b7-4bdd-8bcb-e917cd106ac1","Type":"template","AdditionalInfo":{"UUID":"fe0c49fa-75b7-4bdd-8bcb-e917cd106ac1","Name":"Corelight All HTTP for IP","Description":""},"Hash":[232,33,221,93,225,170,214,235,9,108,107,229,181,165,182,13,211,181,167,252,184,139,16,46,143,54,61,121,216,64,216,108]},{"Name":"b0c78dd7-027d-409b-869e-61b32569716a","Type":"template","AdditionalInfo":{"UUID":"b0c78dd7-027d-409b-869e-61b32569716a","Name":"Corelight All SMB Mapping for IP","Description":""},"Hash":[237,74,209,240,253,102,78,143,52,17,186,38,227,251,24,140,145,37,188,159,141,103,220,160,184,118,63,151,144,139,75,203]},{"Name":"1b99a906-e626-44c2-8bfd-503920dff366","Type":"template","AdditionalInfo":{"UUID":"1b99a906-e626-44c2-8bfd-503920dff366","Name":"Corelight DNS Over Time","Description":""},"Hash":[239,40,62,16,159,56,220,211,170,204,137,152,157,8,212,99,39,51,198,185,129,12,11,199,69,230,200,170,112,156,189,196]},{"Name":"23bc4af4-b2e9-4c3a-a687-9e2a721941e8","Type":"template","AdditionalInfo":{"UUID":"23bc4af4-b2e9-4c3a-a687-9e2a721941e8","Name":"Corelight All SMB Files for 
IP","Description":""},"Hash":[233,132,169,160,89,227,132,177,236,6,97,188,110,179,23,48,0,4,161,59,86,148,211,197,147,34,182,18,54,9,59,191]},{"Name":"corelight_conn","Type":"autoextractor","AdditionalInfo":{"name":"corelight_conn","desc":"Corelight conn logs","module":"json","tag":"corelight_conn"},"Hash":[245,64,68,45,37,140,94,152,166,251,241,148,122,233,94,114,170,64,19,136,107,106,231,183,41,77,76,196,61,237,107,159]},{"Name":"corelight_conn_state","Type":"resource","AdditionalInfo":{"VersionNumber":1,"ResourceName":"corelight_conn_state","Description":"Corelight conn_state connection state descriptions","Size":662,"Labels":null},"Hash":[172,30,21,241,107,210,236,157,85,60,193,155,100,144,198,177,186,77,66,49,14,40,154,73,223,73,53,135,245,19,155,178]},{"Name":"corelight_dhcp","Type":"autoextractor","AdditionalInfo":{"name":"corelight_dhcp","desc":"Corelight dhcp logs","module":"json","tag":"corelight_dhcp"},"Hash":[191,141,227,66,95,92,39,7,12,112,246,120,54,185,243,185,224,129,77,211,81,204,12,252,77,77,94,59,152,231,67,205]},{"Name":"corelight_dnp3","Type":"autoextractor","AdditionalInfo":{"name":"Corelightdnp3","desc":"Corelight DNP3 AX","module":"json","tag":"corelight_dnp3"},"Hash":[11,7,134,212,220,142,146,59,195,253,3,243,168,63,119,48,86,183,151,53,156,221,48,228,147,162,30,142,175,239,150,209]},{"Name":"corelight_dns","Type":"autoextractor","AdditionalInfo":{"name":"corelight_dns","desc":"Corelight dns logs","module":"json","tag":"corelight_dns"},"Hash":[187,186,247,7,5,193,222,72,218,136,162,23,151,107,163,94,201,127,89,85,211,91,200,180,218,67,231,47,27,223,164,68]},{"Name":"corelight_dpd","Type":"autoextractor","AdditionalInfo":{"name":"corelight_dpd","desc":"Corelight DPD logs","module":"json","tag":"corelight_dpd"},"Hash":[250,242,36,39,22,124,71,5,73,222,15,247,30,192,173,242,248,191,182,165,77,203,133,28,73,232,250,129,202,79,87,75]},{"Name":"corelight_files","Type":"autoextractor","AdditionalInfo":{"name":"corelight_files","desc":"Corelight 
files logs","module":"json","tag":"corelight_files"},"Hash":[106,19,186,119,212,155,242,181,226,63,169,122,112,166,137,169,182,98,41,106,125,143,100,216,127,180,249,173,75,250,140,148]},{"Name":"corelight_ftp","Type":"autoextractor","AdditionalInfo":{"name":"corelight_ftp","desc":"Corelight FTP logs","module":"json","tag":"corelight_ftp"},"Hash":[71,135,59,163,129,227,118,108,244,159,99,45,170,158,32,54,129,23,102,81,32,233,120,157,43,105,225,92,118,240,148,118]},{"Name":"corelight_http","Type":"autoextractor","AdditionalInfo":{"name":"corelight_http","desc":"Corelight http logs","module":"json","tag":"corelight_http"},"Hash":[102,68,202,30,85,137,48,92,251,113,105,92,49,81,177,116,22,40,79,135,113,36,60,40,121,167,118,81,78,174,104,186]},{"Name":"corelight_intel","Type":"autoextractor","AdditionalInfo":{"name":"corelight_intel","desc":"Corelight intel logs","module":"json","tag":"corelight_intel"},"Hash":[27,97,255,215,97,7,198,27,63,67,53,74,212,19,168,111,8,55,74,224,50,252,16,188,209,137,91,79,125,131,92,236]},{"Name":"corelight_irc","Type":"autoextractor","AdditionalInfo":{"name":"corelight_irc","desc":"Corelight IRC logs","module":"json","tag":"corelight_irc"},"Hash":[203,104,142,200,15,158,252,26,176,143,51,100,254,174,254,161,93,187,215,95,138,6,218,159,57,1,250,123,50,169,82,193]},{"Name":"corelight_kerberos","Type":"autoextractor","AdditionalInfo":{"name":"corelight_kerberos","desc":"Corelight Kerberos logs","module":"json","tag":"corelight_kerberos"},"Hash":[136,217,54,51,227,192,115,20,120,250,199,194,205,197,31,44,166,225,162,8,57,206,210,16,206,110,157,36,178,46,171,16]},{"Name":"corelight_modbus","Type":"autoextractor","AdditionalInfo":{"name":"corelight_modbus","desc":"Corelight modbus 
logs","module":"json","tag":"corelight_modbus"},"Hash":[76,119,102,126,216,172,105,131,42,155,139,88,152,74,249,5,221,253,248,212,13,140,67,46,236,23,128,169,151,3,178,116]},{"Name":"corelight_mysql","Type":"autoextractor","AdditionalInfo":{"name":"corelight_mysql","desc":"Corelight mysql logs","module":"json","tag":"corelight_mysql"},"Hash":[237,93,207,171,53,78,212,67,235,239,146,222,138,125,248,209,5,45,136,33,100,133,220,203,165,122,84,31,180,169,219,254]},{"Name":"corelight_notice","Type":"autoextractor","AdditionalInfo":{"name":"corelight_notice","desc":"Corelight Notice logs","module":"json","tag":"corelight_notice"},"Hash":[17,228,155,54,29,48,99,175,169,243,111,225,187,198,174,227,135,227,13,214,206,95,169,1,236,145,248,143,154,80,125,237]},{"Name":"corelight_ntp","Type":"autoextractor","AdditionalInfo":{"name":"corelight_ntp","desc":"Corelight NTP logs","module":"json","tag":"corelight_ntp"},"Hash":[95,34,139,181,22,118,143,142,117,102,39,172,104,128,164,5,213,193,172,180,246,22,120,229,107,167,7,167,131,35,53,6]},{"Name":"corelight_pe","Type":"autoextractor","AdditionalInfo":{"name":"corelight_pe","desc":"Corelight PE logs","module":"json","tag":"corelight_pe"},"Hash":[53,154,69,237,213,143,19,76,221,167,36,244,9,173,12,20,49,228,8,161,234,118,69,115,231,253,44,48,155,185,188,241]},{"Name":"corelight_radius","Type":"autoextractor","AdditionalInfo":{"name":"corelight_radius","desc":"Corelight radius logs","module":"json","tag":"corelight_radius"},"Hash":[125,104,216,234,94,134,105,143,238,19,22,129,94,154,97,122,138,154,227,158,71,57,255,40,98,205,140,190,69,251,11,134]},{"Name":"corelight_rdp","Type":"autoextractor","AdditionalInfo":{"name":"corelight_rdp","desc":"Corelight rdp logs","module":"json","tag":"corelight_rdp"},"Hash":[102,2,174,67,160,197,10,59,178,248,91,37,153,52,222,233,78,68,144,4,96,212,77,51,95,85,125,94,116,148,227,181]},{"Name":"corelight_rfb","Type":"autoextractor","AdditionalInfo":{"name":"corelight_rfb","desc":"Corelight rfb 
logs","module":"json","tag":"corelight_rfb"},"Hash":[227,12,129,239,151,183,36,56,116,58,83,23,159,95,207,148,171,165,136,171,80,53,177,92,130,248,57,63,144,235,82,73]},{"Name":"corelight_signature","Type":"autoextractor","AdditionalInfo":{"name":"corelight_signature","desc":"Corelight signature logs","module":"json","tag":"corelight_signature"},"Hash":[75,29,126,1,128,55,170,226,112,153,104,254,85,68,96,229,85,213,59,36,55,192,42,86,125,143,72,104,84,106,107,184]},{"Name":"corelight_sip","Type":"autoextractor","AdditionalInfo":{"name":"corelight_sip","desc":"Corelight SIP logs","module":"json","tag":"corelight_sip"},"Hash":[25,23,251,183,121,71,24,237,58,144,134,147,234,124,60,243,49,29,108,151,52,14,148,88,246,203,233,3,5,186,244,143]},{"Name":"corelight_smb_files","Type":"autoextractor","AdditionalInfo":{"name":"Corelight SMB Files","desc":"Corelight Samba File","module":"json","tag":"corelight_smb_files"},"Hash":[24,216,213,39,55,199,112,9,237,102,251,185,232,121,5,57,56,187,205,43,115,41,103,231,179,137,61,57,77,25,5,59]},{"Name":"corelight_smb_mapping","Type":"autoextractor","AdditionalInfo":{"name":"Corelight SMB Mapping","desc":"Corelight Samba Mapping Log","module":"json","tag":"corelight_smb_mapping"},"Hash":[219,54,207,162,52,122,16,13,131,192,115,79,0,181,35,35,102,164,74,188,82,234,93,138,18,78,34,57,42,43,153,64]},{"Name":"corelight_smtp","Type":"autoextractor","AdditionalInfo":{"name":"corelight_smtp","desc":"Corelight SMTP logs","module":"json","tag":"corelight_smtp"},"Hash":[230,146,203,7,159,41,112,177,11,57,218,83,98,37,19,9,220,63,180,162,156,199,172,79,55,67,119,214,129,20,29,163]},{"Name":"corelight_snmp","Type":"autoextractor","AdditionalInfo":{"name":"corelight_snmp","desc":"Corelight SNMP 
logs","module":"json","tag":"corelight_snmp"},"Hash":[182,87,63,14,59,75,236,135,134,6,18,173,156,218,180,4,17,51,30,67,129,174,187,156,29,146,196,181,66,79,97,138]},{"Name":"corelight_socks","Type":"autoextractor","AdditionalInfo":{"name":"corelight_socks","desc":"Corelight socks logs","module":"json","tag":"corelight_socks"},"Hash":[159,223,24,12,22,163,83,211,109,210,203,111,65,251,140,244,109,153,156,105,1,139,196,179,141,116,161,47,2,14,212,44]},{"Name":"corelight_software","Type":"autoextractor","AdditionalInfo":{"name":"corelight_software","desc":"Corelight software logs","module":"json","tag":"corelight_software"},"Hash":[252,91,118,24,83,77,206,111,95,180,19,196,28,83,36,199,110,173,136,1,83,248,38,242,159,93,129,95,41,59,8,106]},{"Name":"corelight_ssh","Type":"autoextractor","AdditionalInfo":{"name":"corelight_ssh","desc":"Corelight SSH logs","module":"json","tag":"corelight_ssh"},"Hash":[126,206,113,216,93,42,207,131,181,227,13,193,104,19,128,66,154,18,62,225,196,8,194,223,41,165,52,161,80,237,209,241]},{"Name":"corelight_ssl","Type":"autoextractor","AdditionalInfo":{"name":"corelight_ssl","desc":"Corelight ssl logs","module":"json","tag":"corelight_ssl"},"Hash":[220,225,66,187,191,216,233,83,72,206,93,82,83,9,18,251,170,34,146,123,244,175,9,31,14,233,150,167,14,138,12,211]},{"Name":"corelight_syslog","Type":"autoextractor","AdditionalInfo":{"name":"corelight_syslog","desc":"Corelight Syslog logs","module":"json","tag":"corelight_syslog"},"Hash":[184,145,104,143,64,187,52,240,70,156,225,113,116,36,166,252,132,194,84,120,196,224,54,171,248,191,100,187,217,182,88,52]},{"Name":"corelight_tunnel","Type":"autoextractor","AdditionalInfo":{"name":"corelight_tunnel","desc":"Corelight tunnel 
logs","module":"json","tag":"corelight_tunnel"},"Hash":[81,222,33,64,30,156,114,105,161,118,253,187,244,146,25,244,35,126,50,73,22,186,15,196,31,168,131,127,15,111,188,70]},{"Name":"corelight_weird","Type":"autoextractor","AdditionalInfo":{"name":"corelight_weird","desc":"Corelight weird logs","module":"json","tag":"corelight_weird"},"Hash":[129,159,60,178,2,187,217,109,153,0,154,200,67,171,82,52,174,23,255,203,48,180,3,81,113,128,91,74,155,239,179,187]},{"Name":"corelight_x509","Type":"autoextractor","AdditionalInfo":{"name":"corelight_x509","desc":"Corelight X509 logs","module":"json","tag":"corelight_x509"},"Hash":[67,62,136,90,185,197,103,151,144,110,31,240,51,10,28,173,159,209,232,193,0,165,213,7,1,144,187,157,27,92,201,149]},{"Name":"4a6a2042-faaf-4d0a-8fa4-df8a90d3aa65","Type":"dashboard","AdditionalInfo":{"UUID":"4a6a2042-faaf-4d0a-8fa4-df8a90d3aa65","Name":"Corelight Overview","Description":"Corelight status dashboard showing basic data rates, EPS, and summary statistics for corelight data streams"},"Hash":[154,2,109,39,170,153,198,24,32,92,150,227,223,191,15,40,231,17,223,105,64,32,216,123,47,218,197,111,68,178,229,222]},{"Name":"corelight_capture_loss","Type":"autoextractor","AdditionalInfo":{"name":"corelight_capture_loss","desc":"JSON extraction for tag corelight_capture_loss","module":"json","tag":"corelight_capture_loss"},"Hash":[75,101,246,185,180,39,172,177,225,195,247,168,70,255,126,61,178,133,192,42,122,167,171,35,149,242,40,100,135,92,48,242]},{"Name":"1099193c-c54c-4c42-92d5-fec0668301fe","Type":"dashboard","AdditionalInfo":{"UUID":"1099193c-c54c-4c42-92d5-fec0668301fe","Name":"Corelight Suricata Alerts","Description":""},"Hash":[53,233,202,116,231,2,180,129,119,166,242,103,187,16,52,216,82,162,84,209,60,27,213,4,107,186,124,180,140,161,136,207]},{"Name":"9f9220c6-e059-41ed-a391-d78f6553d311","Type":"template","AdditionalInfo":{"UUID":"9f9220c6-e059-41ed-a391-d78f6553d311","Name":"Corelight Suricata Alert Activations","Description":"Show count 
of src/dst ip pairs that have triggered a given Suricata alert ID"},"Hash":[225,110,172,255,252,155,99,130,183,154,1,111,235,248,110,181,84,25,95,135,42,115,250,220,64,241,3,114,246,135,97,73]},{"Name":"6295c77e-5ae6-4537-9cd5-f94a277269ff","Type":"template","AdditionalInfo":{"UUID":"6295c77e-5ae6-4537-9cd5-f94a277269ff","Name":"Corelight Suricata IP Alerts","Description":"Show Alerts associated with an IP address"},"Hash":[59,103,213,106,16,156,220,217,228,47,127,238,198,165,39,155,112,169,199,175,175,208,188,74,223,62,201,215,129,89,128,53]},{"Name":"4e9254eb-dc3c-4682-8d1d-fb7b7f8afed0","Type":"pivot","AdditionalInfo":{"UUID":"4e9254eb-dc3c-4682-8d1d-fb7b7f8afed0","Name":"Corelight Suricata Alert ID","Description":"Corelight Suricata alerts by ID"},"Hash":[36,41,158,246,42,253,223,109,253,155,122,92,109,120,214,243,0,124,189,158,12,210,202,97,124,121,197,192,3,44,65,106]},{"Name":"corelight_ldap","Type":"autoextractor","AdditionalInfo":{"name":"corelight_ldap","desc":"Auto-generated JSON extraction for tag corelight_ldap","module":"json","tag":"corelight_ldap"},"Hash":[39,76,34,54,163,104,63,215,242,83,193,115,208,220,201,86,57,165,31,70,44,7,196,127,46,39,4,219,115,154,213,149]},{"Name":"corelight_ldap_search","Type":"autoextractor","AdditionalInfo":{"name":"corelight_ldap_search","desc":"Auto-generated JSON extraction for tag corelight_ldap_search","module":"json","tag":"corelight_ldap_search"},"Hash":[244,111,194,224,203,64,25,25,161,3,49,240,83,173,26,12,137,138,123,234,99,55,230,119,43,166,239,56,133,53,238,156]},{"Name":"corelight_suricata_corelight","Type":"autoextractor","AdditionalInfo":{"name":"corelight_suricata_corelight","desc":"Auto-generated JSON extraction for tag 
corelight_suricata_corelight","module":"json","tag":"corelight_suricata_corelight"},"Hash":[60,83,89,55,199,191,226,162,238,56,251,153,56,40,188,218,77,76,12,31,172,117,109,206,62,241,109,138,63,88,227,155]},{"Name":"be127f58-d9b5-4d42-b510-01ea70b32edc","Type":"template","AdditionalInfo":{"UUID":"be127f58-d9b5-4d42-b510-01ea70b32edc","Name":"Corelight connection count details by host, service, org for id.resp_p","Description":"Table of connection count details by host, service, org with responder port"},"Hash":[23,253,46,125,5,17,43,146,100,229,241,47,255,136,211,54,250,138,190,30,241,121,68,13,60,250,41,175,160,126,116,154]},{"Name":"ec7df9d0-1200-40ef-961b-d63ab7f3ea14","Type":"template","AdditionalInfo":{"UUID":"ec7df9d0-1200-40ef-961b-d63ab7f3ea14","Name":"Corelight totals by traffic direction for id.resp_p","Description":"Chart the upload and download traffic as seen by corelight with responder port"},"Hash":[253,155,234,112,97,108,194,133,132,25,159,196,13,233,141,229,118,2,96,12,177,148,133,2,176,91,47,140,96,174,193,159]},{"Name":"0fd8fe81-d562-421f-b93a-09f80ffed7ca","Type":"template","AdditionalInfo":{"UUID":"0fd8fe81-d562-421f-b93a-09f80ffed7ca","Name":"Corelight connection traffic total details by org for id.resp_p","Description":"Table of connection traffic details by org with responding port"},"Hash":[99,191,111,212,103,2,196,199,22,72,230,62,45,67,247,30,68,153,56,222,26,45,146,81,232,135,211,46,174,10,141,180]},{"Name":"8586bddf-bc88-4de9-8a70-3eeeb2a79e96","Type":"template","AdditionalInfo":{"UUID":"8586bddf-bc88-4de9-8a70-3eeeb2a79e96","Name":"Corelight connection count overview for id.resp_p","Description":"Connection count overview as seen by Corelight using responder port 
variable"},"Hash":[237,246,205,53,5,190,198,52,209,46,183,131,77,239,213,42,121,199,201,205,176,245,70,160,21,176,252,105,37,41,174,170]},{"Name":"3427f21c-7a52-4472-b36b-6ff8211e11f4","Type":"template","AdditionalInfo":{"UUID":"3427f21c-7a52-4472-b36b-6ff8211e11f4","Name":"Corelight connection count by service for id.resp_p","Description":"Chart of connection counts per service as seen by Corelight with responder port"},"Hash":[220,1,105,138,37,12,135,137,105,106,83,10,64,146,110,80,61,63,143,203,218,138,13,117,46,54,23,11,97,114,242,155]},{"Name":"a0feb9ca-3e7c-479c-a27a-5598e034276d","Type":"template","AdditionalInfo":{"UUID":"a0feb9ca-3e7c-479c-a27a-5598e034276d","Name":"Corelight connection count by state for id.resp_p","Description":"Chart the number of sessions by connection state as seen by Corelight with responder port"},"Hash":[26,150,170,149,185,107,52,89,18,27,120,195,182,206,207,140,148,4,5,39,236,153,183,91,91,142,43,196,101,121,91,211]},{"Name":"b418c325-7cf5-4e23-9989-0f7ccc9034fc","Type":"pivot","AdditionalInfo":{"UUID":"b418c325-7cf5-4e23-9989-0f7ccc9034fc","Name":"Corelight Port number","Description":"Corelight actions on port numbers"},"Hash":[134,35,216,81,149,50,50,105,123,24,34,19,102,90,215,8,62,255,11,74,106,100,183,110,51,147,141,93,61,155,194,210]},{"Name":"04a70538-8ecd-4cff-9b23-877e3345db50","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight most active service ports - AGG","Description":"The most active service ports as seen by Corelight conn log","Query":"tag=corelight_conn_agg ax\n| stats sum(count) as connections by \"id.resp_p\"\n| sort by connections\n| table \"id.resp_p\" connections\n","UUID":"04a70538-8ecd-4cff-9b23-877e3345db50"},"Hash":[116,102,210,105,139,148,218,215,203,152,197,52,26,48,144,25,44,139,204,130,106,2,157,106,223,232,102,135,0,170,78,146]},{"Name":"0de1c219-85c7-4c84-8422-b68d57956ee1","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight HTTP OS Distribution - 
AGG","Description":"","Query":"tag=corelight_http_agg ax\n| json -x user_agents\n| regex -e user_agents \"\\((?P\u003cOS\u003e[^\\)]*)\\)\"\n| stats count by OS\n| chart count by OS\n","UUID":"0de1c219-85c7-4c84-8422-b68d57956ee1"},"Hash":[222,101,52,79,54,141,140,83,141,43,20,13,148,230,71,4,138,81,41,232,105,63,240,75,87,70,134,178,90,187,255,11]},{"Name":"0f6f2c0e-d865-474a-b330-35fad5af3d24","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight DNS round trip time mean, min, and max - AGG","Description":"Chart of round trip times on DNS","Query":"tag=corelight_dns ax qtype_name == \"A\" rtt != \"-\"\n| stats mean(rtt) max(rtt) min(rtt)\n| chart min mean max\n","UUID":"0f6f2c0e-d865-474a-b330-35fad5af3d24"},"Hash":[198,9,114,152,130,77,138,190,143,193,77,22,200,16,23,205,21,102,68,195,97,118,115,203,3,184,209,19,251,200,78,26]},{"Name":"11f81d33-e4bf-4ad1-a3ec-14bc98a7dc5b","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight Potential Port Scans - AGG","Description":"Potential port scans as seen by the Corelight conn log","Query":"tag=corelight_conn_agg ax\n| stats unique_count(\"id.resp_p\") by \"id.orig_h\" \"id.resp_h\"\n| eval unique_count \u003e 64\n| geoip \"id.orig_h\".Country \"id.orig_h\".City\n| table \"id.orig_h\" Country City \"id.resp_h\" unique_count TIMESTAMP\n","UUID":"11f81d33-e4bf-4ad1-a3ec-14bc98a7dc5b"},"Hash":[59,79,177,5,20,174,98,191,115,67,107,100,88,154,152,176,91,45,142,210,135,145,218,134,188,88,14,36,74,12,215,161]},{"Name":"14381d2d-4691-4ee9-bf3d-b682499cdcb1","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight HTTP Unusual HTTP Methods - AGG","Description":"A table of info for requests with unusual HTTP request methods","Query":"tag=corelight_http_agg ax\n| regex -v -e method \"^-|GET|HEAD|POST|PUT|DELETE|CONNECT|OPTIONS|PATCH|TRACE$\"\n| table count \"id.orig_h\" \"id.resp_h\" method 
uri\n","UUID":"14381d2d-4691-4ee9-bf3d-b682499cdcb1"},"Hash":[175,144,43,112,219,0,18,225,72,252,70,204,4,122,232,97,206,47,29,23,103,60,30,172,122,205,104,46,168,89,132,106]},{"Name":"16065b11-9a1a-4f28-b613-6b92f1f3fe74","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight SSL Version Chart - AGG","Description":"Display a chart of the SSL/TLS versions in use.","Query":"tag=corelight_ssl_agg ax version != \"-\"\n| stats sum(count) as count by version\n| chart count by version\n","UUID":"16065b11-9a1a-4f28-b613-6b92f1f3fe74"},"Hash":[180,169,236,247,227,180,116,58,85,113,90,190,173,139,140,133,101,102,35,125,200,133,44,254,103,200,155,88,36,116,68,141]},{"Name":"17c32a41-ee9e-453c-b986-01ecb551251a","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight DNS Most Common SLDs - AGG","Description":"","Query":"tag=corelight_dns_agg ax\n| regex -e query \"(?P\u003csld\u003e\\w+\\.\\w+\\s*$)\"\n| stats sum(count) as Count by sld\n| sort by Count desc\n| limit 100\n| table sld Count\n","UUID":"17c32a41-ee9e-453c-b986-01ecb551251a"},"Hash":[60,203,218,21,115,141,196,129,237,246,66,96,176,188,15,46,250,185,233,236,160,96,197,190,19,242,0,167,172,6,69,108]},{"Name":"1cfe62ff-5bbd-447d-88a8-234912f36482","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight least common responding ports - AGG","Description":"Least common service ports that respond with data as seen by Corelight","Query":"tag=corelight_conn_agg ax\n| stats sum(count) as Count by \"id.resp_p\"\n| eval resp_bytes \u003e 140 \u0026\u0026 $(id.resp_p) \u003c 16000 // Only looking at ports in the lower range \n| sort by Count asc\n| table \"id.resp_p\" Count\n","UUID":"1cfe62ff-5bbd-447d-88a8-234912f36482"},"Hash":[105,53,43,195,61,205,246,122,52,242,86,102,24,157,198,34,4,115,231,73,255,47,240,144,159,26,164,37,168,203,205,118]},{"Name":"24cb789f-9114-41f6-bd80-da8ff9dfc473","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight most common TLDs - AGG","Description":"Most common queried TLDs as 
seen by Corelight","Query":"tag=corelight_dns_agg ax qtype_name == \"A\"\n| regex -e \"query\" \"(?P\u003cTLD\u003e[^\\.]+)$\"\n| stats sum(count) as Count by TLD\n| table TLD Count\n","UUID":"24cb789f-9114-41f6-bd80-da8ff9dfc473"},"Hash":[155,68,193,129,185,102,13,194,25,14,74,227,1,25,143,171,90,141,104,207,164,159,0,172,79,120,34,141,97,15,135,9]},{"Name":"2fc5ce4e-9282-47d5-b159-9316ffa9a994","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight Connection Averages - AGG","Description":"Table showing, for each service, the mean originator bytes, mean responder bytes, mean connection duration, and total connection count (no packet counts are computed). Note that this query labels orig_bytes as Downstream and resp_bytes as Upstream, the reverse of the upload/download convention used by the other Corelight traffic queries in this kit.","Query":"tag=corelight_conn_agg ax\n| stats mean(orig_bytes) as \"Average Downstream Traffic\" by service mean(resp_bytes) as \"Average Upstream Traffic\" by service mean(duration) as \"Average Connection Duration\" by service sum(count) as Count by service\n| eval if ( service == \"-\" ) { service = \"unknown\"; }\n| sort by Count desc\n| table Count service \"Average Connection Duration\" \"Average Downstream Traffic\" \"Average Upstream Traffic\"\n","UUID":"2fc5ce4e-9282-47d5-b159-9316ffa9a994"},"Hash":[40,99,32,156,57,179,97,3,94,185,206,52,244,139,98,208,81,138,62,189,32,79,94,235,49,155,141,98,156,248,13,236]},{"Name":"30030611-b0bb-4140-bfc0-d72dddadebda","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight HTTP Most Requested Hosts - AGG","Description":"","Query":"tag=corelight_http_agg ax\n| stats sum(count) as Count by host\n| sort by Count desc\n| table Count host\n","UUID":"30030611-b0bb-4140-bfc0-d72dddadebda"},"Hash":[60,165,168,55,195,151,133,68,92,230,220,167,202,164,40,153,173,200,234,34,22,12,184,26,142,93,50,61,7,13,22,225]},{"Name":"3528b3fb-3be5-46f0-acfd-e1ba27c6958a","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight All Files - AGG","Description":"files.log","Query":"tag=corelight_files_agg ax\n| 
table\n","UUID":"3528b3fb-3be5-46f0-acfd-e1ba27c6958a"},"Hash":[101,195,87,91,54,5,107,177,43,86,255,157,89,164,43,80,64,82,96,58,192,103,249,216,224,147,144,245,168,74,239,114]},{"Name":"37475788-2348-463c-af45-5a4c2ff7d5e7","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight HTTP Browser Distribution - AGG","Description":"","Query":"tag=corelight_http_agg json -s user_agents\n| json -x user_agents\n| regex -e user_agents \"(?P\u003cbrowser\u003e\\S*)/[0-9.]*$\"\n| stats count by browser\n| chart count by browser\n","UUID":"37475788-2348-463c-af45-5a4c2ff7d5e7"},"Hash":[52,27,133,201,104,0,173,1,31,20,161,127,247,168,77,254,31,22,25,207,32,95,83,246,206,154,228,136,171,174,133,54]},{"Name":"37d68598-941d-4fb5-b42a-6dae16e3818b","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight HTTP Potential Command Injection in URI - AGG","Description":"A table of info for requests whose URIs contain common shell metacharacters (semicolon, double ampersand, pipe, backtick, redirection angle brackets, backslash, exclamation mark) that may indicate command injection attempts. Only literal characters are matched; URL-encoded variants are not, and legitimate query strings can trigger false positives.","Query":"tag=corelight_http_agg ax\n| regex -e uri \"\\;|\u0026\u0026|\\|`|\u003e|\u003c|\\\\|\\!\"\n| table\n","UUID":"37d68598-941d-4fb5-b42a-6dae16e3818b"},"Hash":[98,164,198,67,116,110,201,120,97,231,34,168,145,99,75,103,183,45,182,38,69,147,200,88,27,198,128,35,53,171,98,98]},{"Name":"3d8471f9-f7a1-405a-980d-f58f365d327f","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight Connection Map - AGG","Description":"Geospatial connection map of connections as seen by Corelight","Query":"tag=corelight_conn_agg ax\n| geoip \"id.orig_h\".Location as oloc \"id.resp_h\".Location as rloc\n| point2point -srcloc oloc -dstloc rloc\n","UUID":"3d8471f9-f7a1-405a-980d-f58f365d327f"},"Hash":[139,205,222,44,69,135,210,98,139,130,162,97,43,228,205,216,34,207,61,210,153,44,20,148,27,110,123,152,21,56,110,172]},{"Name":"42db797b-1cc0-4c96-8bca-dc831f005989","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight Upload/Download Traffic Chart - AGG","Description":"Chart the upload and download traffic as seen by 
corelight","Query":"tag=corelight_conn_agg ax orig_bytes != \"-\" resp_bytes != \"-\" service != \"-\"\n| stats sum(orig_bytes) as upload sum(resp_bytes) as download\n| chart upload download\n","UUID":"42db797b-1cc0-4c96-8bca-dc831f005989"},"Hash":[19,55,78,176,226,218,60,215,163,96,224,62,132,39,234,232,175,217,64,63,110,86,255,128,162,140,196,76,96,217,8,157]},{"Name":"446fef72-d51e-4a62-8a79-24dab2598928","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight Total Traffic By Service - AGG","Description":"Total traffic per service as seen by Corelight","Query":"tag=corelight_conn_agg ax\n| stats sum(orig_bytes) as upload sum(resp_bytes) as download by service\n| eval bytes = upload + download;\n| eval if ( service == \"-\" ) { service = \"unknown\"; }\n| stats sum(bytes) as traffic by service\n| chart traffic by service\n","UUID":"446fef72-d51e-4a62-8a79-24dab2598928"},"Hash":[189,174,78,253,193,207,43,64,9,68,187,127,134,96,238,186,224,63,237,17,26,204,150,52,128,195,20,219,208,250,245,241]},{"Name":"51a72867-bd6c-49c4-8d49-10da711a5467","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight HTTP Method Counts - AGG","Description":"A chart showing the percentage of each HTTP Method","Query":"tag=corelight_http_agg ax\n| stats sum(count) as Count by method\n| chart Count by method\n","UUID":"51a72867-bd6c-49c4-8d49-10da711a5467"},"Hash":[131,28,87,199,97,126,183,67,229,212,209,220,6,140,63,116,209,138,89,87,16,133,190,138,100,247,34,130,248,126,239,122]},{"Name":"54accc77-ffe6-4337-a9a5-4318452d2e1c","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight Most Queried DNS Name - AGG","Description":"Most queried DNS names over time","Query":"tag=corelight_dns_agg ax\n| alias query Name\n| stats sum(count) as Count by Name\n| sort by Count desc\n| top -n 100 Count\n| table Name 
Count\n","UUID":"54accc77-ffe6-4337-a9a5-4318452d2e1c"},"Hash":[81,79,153,156,17,239,1,157,255,127,58,178,212,45,225,32,8,112,218,135,78,231,60,154,127,107,212,172,0,71,155,74]},{"Name":"5799d25b-6bd9-4963-81f3-a183fe269f88","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight DNS Requests by Host - AGG","Description":"","Query":"tag=corelight_dns_agg ax\n| alias \"id.orig_h\" Host\n| stats sum(count) as Count by Host\n| table Host Count\n","UUID":"5799d25b-6bd9-4963-81f3-a183fe269f88"},"Hash":[139,236,64,161,220,172,25,147,153,11,35,149,29,106,227,255,137,92,139,192,230,146,188,27,31,130,224,100,99,161,33,188]},{"Name":"7a3391f8-2ff3-4106-a87d-90a25966cfb2","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight Rare DNS Queries - AGG","Description":"Least queried DNS names over time","Query":"tag=corelight_dns_agg ax\n| alias query Name\n| stats sum(count) as Count by Name\n| sort by Count asc\n| limit 100\n| table Name Count\n","UUID":"7a3391f8-2ff3-4106-a87d-90a25966cfb2"},"Hash":[128,198,156,101,160,9,83,228,186,129,216,114,249,45,231,139,64,45,5,21,144,109,80,149,90,81,226,145,21,93,38,168]},{"Name":"7e083e30-0c06-4819-9346-2f3d4834c3b9","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight Service Connection Reset Rates - AGG","Description":"Chart of connection reset rates by service as seen by Corelight","Query":"tag=corelight_conn_agg ax conn_state ~ \"RST\" proto == \"tcp\"\n| stats sum(count) as Count by service\n| chart Count by service\n","UUID":"7e083e30-0c06-4819-9346-2f3d4834c3b9"},"Hash":[170,57,24,30,93,146,102,11,224,23,232,211,159,175,23,243,217,99,6,117,189,225,120,65,236,20,148,193,151,153,251,134]},{"Name":"86cb88f0-0b5b-4d63-8e1f-71171ae04455","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight HTTP Point-to-Point - AGG","Description":"A point-to-point map showing connections between hosts over HTTP","Query":"tag=corelight_http_agg ax\n| geoip \"id.resp_h\".Location as resp_host_loc \"id.orig_h\".Location as 
orig_host_loc\n| point2point -srcloc orig_host_loc -dstloc resp_host_loc\n","UUID":"86cb88f0-0b5b-4d63-8e1f-71171ae04455"},"Hash":[163,134,96,132,246,194,123,24,131,67,122,117,232,134,173,201,18,37,157,95,62,134,221,38,71,190,115,89,117,121,80,112]},{"Name":"8a631c75-3ac6-4758-b4b2-f485c00fc437","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight Connection Count Chart - AGG","Description":"Chart of total sessions as seen by Corelight","Query":"tag=corelight_conn_agg ax\n| stats sum(count) as Count\n| chart Count\n","UUID":"8a631c75-3ac6-4758-b4b2-f485c00fc437"},"Hash":[41,244,179,43,180,58,218,80,75,115,161,249,141,5,212,88,25,164,120,211,72,184,58,27,131,207,175,10,108,193,186,56]},{"Name":"8e846721-da4f-43a6-a5f2-c5eb0a019424","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight Connection Counts by State - AGG","Description":"Chart the number of sessions by connection state as seen by Corelight","Query":"tag=corelight_conn_agg ax\n| stats sum(count) as Count by conn_state\n| chart Count by conn_state\n","UUID":"8e846721-da4f-43a6-a5f2-c5eb0a019424"},"Hash":[43,46,179,3,195,49,92,170,222,9,10,74,104,222,250,27,220,205,108,113,91,43,247,128,212,227,67,222,14,214,227,205]},{"Name":"8f89c90d-1004-4997-a0b8-c71c732d07e7","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight Service Connection Reset Table - AGG","Description":"The number of connection resets per service as seen by corelight","Query":"tag=corelight_conn_agg ax conn_state ~ \"RST\" proto == \"tcp\"\n| stats sum(count) as Count by service conn_state\n| lookup -r corelight_conn_state conn_state state description\n| table service conn_state Count description\n","UUID":"8f89c90d-1004-4997-a0b8-c71c732d07e7"},"Hash":[6,27,17,192,90,197,206,162,225,167,194,178,212,112,23,211,35,53,193,142,156,73,219,93,122,206,78,206,234,103,162,206]},{"Name":"954d036c-512e-4491-9cc7-2b7a4bd43ba9","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight Upload/Download Numbercards - 
AGG","Description":"Numbercards showing total upload/download traffic as seen by Corelight","Query":"tag=corelight_conn_agg ax orig_bytes != \"-\" resp_bytes != \"-\"\n| stats sum(orig_bytes) as upload sum(resp_bytes) as download\n| numbercard upload download\n","UUID":"954d036c-512e-4491-9cc7-2b7a4bd43ba9"},"Hash":[100,205,51,11,83,219,78,77,0,241,204,231,159,85,103,77,161,104,80,23,214,16,92,227,4,46,145,131,233,28,86,247]},{"Name":"9e8c5a59-e44d-4795-91a8-5c75f50c04ce","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight DNS Queries by Resource Record Type - AGG","Description":"","Query":"tag=corelight_dns_agg ax\n| lookup -s -r dns_types qtype Value TYPE as dnstype\n| stats sum(count) as Count by dnstype\n| chart Count by dnstype\n","UUID":"9e8c5a59-e44d-4795-91a8-5c75f50c04ce"},"Hash":[194,89,0,128,97,44,178,163,148,242,150,160,44,235,133,102,114,225,76,145,218,9,177,192,55,236,121,35,30,103,175,85]},{"Name":"a9692734-b244-4ced-932f-7fa377b82695","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight DNS Total Queries by Type - AGG","Description":"Numbercards showing the total number of queries for each query type (qtype_name)","Query":"tag=corelight_dns_agg ax\n| stats sum(count) as Count by qtype_name\n| numbercard Count\n","UUID":"a9692734-b244-4ced-932f-7fa377b82695"},"Hash":[245,24,35,61,79,194,174,136,69,57,222,76,24,219,35,194,189,6,115,193,247,41,143,138,143,158,101,175,106,105,71,108]},{"Name":"aa8138e1-b1a8-42ee-bb6a-16aad7b92b62","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight DNS SLDs with the most Subdomains - AGG","Description":"DNS SLDs with the most Subdomains","Query":"tag=corelight_dns_agg ax\n| unique query\n| regex -e query \"(?P\u003csld\u003e\\w+\\.\\w+\\s*$)\"\n| stats sum(count) as Count by sld\n| sort by Count desc\n| limit 100\n| table sld 
Count\n","UUID":"aa8138e1-b1a8-42ee-bb6a-16aad7b92b62"},"Hash":[215,18,235,250,93,4,109,142,20,238,251,93,187,209,104,111,49,208,84,236,8,115,237,137,113,105,22,122,51,58,92,136]},{"Name":"ac02a856-396e-46a5-a67f-e2749bcad4e8","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight All Connections - AGG","Description":"All entries from conn.log","Query":"tag=corelight_conn_agg ax\n| table\n","UUID":"ac02a856-396e-46a5-a67f-e2749bcad4e8"},"Hash":[87,167,82,76,21,224,10,27,50,227,176,86,194,87,117,167,58,0,105,13,25,104,105,237,40,242,69,237,209,2,241,198]},{"Name":"ad137c4a-669d-4a6f-9cee-d9a54323c798","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight DNS Beaconing - AGG","Description":"Frequent DNS requests with the smallest variance","Query":"tag=corelight_dns_agg ax\n| alias query Name\n| sort by time asc\n| diff TIMESTAMP by query\n| require -s diff\n| stats mean(diff) stddev(diff) sum(count) as Count by query\n| eval (stddev \u003c mean \u0026\u0026 count \u003e 2)\n| eval r = stddev/mean; Duration = duration(mean);\n| sort by r asc\n| table Name Duration Count\n","UUID":"ad137c4a-669d-4a6f-9cee-d9a54323c798"},"Hash":[160,15,209,169,201,191,214,16,62,124,227,228,124,157,25,190,57,115,58,180,4,154,12,113,30,79,95,193,136,54,214,69]},{"Name":"b1505e2c-67eb-4050-b203-c19bfc25fa24","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight DNS Over Time - AGG","Description":"","Query":"tag=corelight_dns_agg ax\n| stats sum(count) as Count\n| chart Count\n","UUID":"b1505e2c-67eb-4050-b203-c19bfc25fa24"},"Hash":[17,54,254,239,80,226,218,110,148,25,115,252,22,56,33,248,214,254,122,45,32,146,92,222,134,248,69,4,151,141,208,58]},{"Name":"b4feccbe-2856-43e3-bb8e-6836d38e10b3","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight DNS Server counts - AGG","Description":"Table of DNS Servers in use and their respective counts","Query":"tag=corelight_dns_agg ax\n| stats sum(count) as Count by \"id.orig_h\"\n| geoip -r asn_db \"id.orig_h\".ASNOrg\n| table 
\"id.orig_h\" ASNOrg Count\n","UUID":"b4feccbe-2856-43e3-bb8e-6836d38e10b3"},"Hash":[67,132,146,115,144,156,230,40,119,47,240,52,3,164,164,144,215,209,134,75,14,143,172,59,182,131,89,218,212,231,117,87]},{"Name":"b6686f80-c3f2-4dc7-9336-3f7603832137","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight DNS TXT Records - AGG","Description":"DNS TXT Records","Query":"tag=corelight_dns_agg ax qtype == \"16\"\n| alias query Name answers Payload\n| table Name Payload\n","UUID":"b6686f80-c3f2-4dc7-9336-3f7603832137"},"Hash":[228,179,146,11,182,192,195,52,234,203,5,93,178,155,60,171,128,101,38,96,103,246,246,16,229,14,141,26,202,135,41,91]},{"Name":"bd6b4ca4-5d80-46e1-a46d-1e8117e7c9fd","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight All DNS - AGG","Description":"","Query":"tag=corelight_dns_agg ax\n| table\n","UUID":"bd6b4ca4-5d80-46e1-a46d-1e8117e7c9fd"},"Hash":[133,121,197,138,119,212,110,43,100,172,13,221,72,220,36,103,237,121,109,94,128,125,222,196,8,101,133,222,167,255,237,158]},{"Name":"d799fa74-410a-4b07-9775-f431b2883703","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight All HTTP - AGG","Description":"","Query":"tag=corelight_http_agg ax\n| table\n","UUID":"d799fa74-410a-4b07-9775-f431b2883703"},"Hash":[236,104,179,199,62,38,79,28,110,195,11,134,25,186,60,56,190,237,2,34,246,121,211,160,208,218,164,95,144,228,202,25]},{"Name":"dca21c43-73b3-49d5-8693-353387d638ad","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight HTTP directory traversal requests - AGG","Description":"Show requests whose URI contains a literal \"../..\" sequence, a possible directory traversal attempt. URL-encoded (e.g. %2e%2e/) and backslash variants are not matched by this pattern, so treat it as a low-coverage indicator rather than a complete detection.","Query":"tag=corelight_http_agg ax uri ~ \"../..\"\n| table count \"id.orig_h\" \"id.resp_h\" host uri status_msg\n","UUID":"dca21c43-73b3-49d5-8693-353387d638ad"},"Hash":[243,57,216,52,255,227,210,190,150,108,87,201,247,192,156,173,39,97,188,170,212,207,55,179,242,206,150,113,229,67,170,107]},{"Name":"e3f3b3c2-132c-4e8e-bc02-53afa70661e3","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight DNS 
Totals - AGG","Description":"","Query":"tag=corelight_dns_agg ax\n| stats unique_count(query) as \"Unique Queries\" sum(count) as \"Total Queries\"\n| gauge \"Unique Queries\" \"Total Queries\"\n","UUID":"e3f3b3c2-132c-4e8e-bc02-53afa70661e3"},"Hash":[71,68,202,63,232,157,63,18,176,220,40,88,4,97,133,12,247,22,213,100,84,6,170,103,108,19,160,81,9,18,116,124]},{"Name":"e778da56-d73c-43f7-86e0-b240c50575cf","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight HTTP Internal Server Error Counts - AGG","Description":"Count of internal Server Errors per host","Query":"tag=corelight_http_agg ax status_msg == \"500\"\n| stats sum(count) as Count by host\n| table host Count\n","UUID":"e778da56-d73c-43f7-86e0-b240c50575cf"},"Hash":[150,181,243,15,80,50,155,130,220,36,51,163,241,179,119,76,104,205,145,150,109,113,141,53,135,255,77,156,9,21,8,166]},{"Name":"f6f04eb9-7751-4a26-875a-f2a4c57e0031","Type":"searchlibrary","AdditionalInfo":{"Name":"Corelight service connection counts - AGG","Description":"Chart of connection counts per service as seen by Corelight","Query":"tag=corelight_conn_agg ax\n| stats sum(count) as Count by service\n| eval if ( service == \"-\" ) { service = \"unknown\"; }\n| chart Count by service limit 32\n","UUID":"f6f04eb9-7751-4a26-875a-f2a4c57e0031"},"Hash":[18,60,223,106,253,22,148,133,81,65,212,86,1,70,24,177,211,86,126,172,166,37,192,3,222,87,62,81,69,48,3,120]},{"Name":"01a60756-2eaa-4edd-a03e-9ff800f8d03b","Type":"template","AdditionalInfo":{"UUID":"01a60756-2eaa-4edd-a03e-9ff800f8d03b","Name":"Corelight DNS Queries by Resource Record Type - AGG","Description":""},"Hash":[253,178,76,238,208,197,64,116,35,156,197,60,195,208,234,28,161,190,3,51,179,235,110,144,217,29,251,163,57,237,120,178]},{"Name":"055c0322-ab7c-4f8c-9980-07ad14848370","Type":"template","AdditionalInfo":{"UUID":"055c0322-ab7c-4f8c-9980-07ad14848370","Name":"Corelight Unique Clients for IP - AGG","Description":"Numbercard of active clients for a given 
machine"},"Hash":[197,255,173,119,247,228,131,249,7,214,155,100,73,58,205,96,129,120,192,155,36,201,48,143,25,30,125,53,118,153,8,83]},{"Name":"07e82065-8ce3-4919-ab08-a9c250409304","Type":"template","AdditionalInfo":{"UUID":"07e82065-8ce3-4919-ab08-a9c250409304","Name":"Corelight Active services for an IP - AGG","Description":"Numbercard of active services for a host that have been seen responding as seen by Corelight"},"Hash":[182,72,210,211,48,47,224,16,149,254,236,183,14,106,32,70,163,140,66,246,181,155,231,176,114,75,44,26,169,148,207,135]},{"Name":"09aac6a5-6a7e-4641-8fbc-0842a81c4ef0","Type":"template","AdditionalInfo":{"UUID":"09aac6a5-6a7e-4641-8fbc-0842a81c4ef0","Name":"Corelight 10 most common service ports for IP - AGG","Description":"Table of the most commonly used service ports for an IP as seen by Corelight"},"Hash":[154,165,120,64,246,225,13,106,163,2,221,130,25,187,88,237,46,242,206,138,95,92,60,128,61,239,156,67,248,56,216,102]},{"Name":"0eade308-8b27-4d4d-a8c8-300de1ebddd6","Type":"template","AdditionalInfo":{"UUID":"0eade308-8b27-4d4d-a8c8-300de1ebddd6","Name":"Corelight connection count by state for id.resp_p - AGG","Description":"Chart the number of sessions by connection state as seen by Corelight with responder port"},"Hash":[119,247,144,10,220,65,238,130,122,227,199,17,187,29,169,164,15,73,229,209,142,137,253,161,203,182,219,172,200,170,171,181]},{"Name":"155b7717-9d3d-4f54-bfd3-fcfd96cfc55e","Type":"template","AdditionalInfo":{"UUID":"155b7717-9d3d-4f54-bfd3-fcfd96cfc55e","Name":"Corelight service usage chart - AGG","Description":"Chart of service activity by IP as seen by Corelight"},"Hash":[143,251,48,49,71,118,55,164,145,180,185,48,116,41,19,171,198,223,110,48,41,42,165,189,58,19,39,48,79,226,46,42]},{"Name":"1611eabc-631e-4f89-8a7c-def7941aa259","Type":"template","AdditionalInfo":{"UUID":"1611eabc-631e-4f89-8a7c-def7941aa259","Name":"Corelight connection traffic total details by org for id.resp_p - AGG","Description":"Table of 
connection traffic details by org with responding port"},"Hash":[77,20,131,19,123,138,170,44,60,92,235,213,48,26,128,55,237,127,186,1,177,46,197,94,160,151,15,130,29,59,217,76]},{"Name":"1708ba13-32f5-4f41-91e2-43495ac10ed0","Type":"template","AdditionalInfo":{"UUID":"1708ba13-32f5-4f41-91e2-43495ac10ed0","Name":"Corelight DNS Beaconing by Client - AGG","Description":""},"Hash":[124,121,183,51,168,150,173,56,30,179,71,135,111,188,236,103,169,167,78,243,50,79,211,71,192,131,136,169,184,197,29,160]},{"Name":"27521f96-62aa-4061-9313-8de6a324ba1d","Type":"template","AdditionalInfo":{"UUID":"27521f96-62aa-4061-9313-8de6a324ba1d","Name":"Corelight Conn for UID - AGG","Description":""},"Hash":[136,58,222,224,29,67,136,3,142,105,44,254,210,37,150,40,82,23,16,243,84,109,236,4,37,252,209,47,207,159,85,249]},{"Name":"369b0986-c1b2-4164-804b-2b81b8d1a840","Type":"template","AdditionalInfo":{"UUID":"369b0986-c1b2-4164-804b-2b81b8d1a840","Name":"Corelight DNS Over Time - AGG","Description":""},"Hash":[130,135,222,184,25,5,60,148,53,145,95,111,250,251,175,135,99,176,130,41,28,101,153,85,233,55,43,219,210,231,113,149]},{"Name":"396d018d-c9c0-4ca3-93ae-c11345f36784","Type":"template","AdditionalInfo":{"UUID":"396d018d-c9c0-4ca3-93ae-c11345f36784","Name":"Corelight Connstate Chart - AGG","Description":"Count of connection states for a given IP as seen by Corelight"},"Hash":[39,108,213,197,29,94,236,198,104,148,248,143,100,63,14,157,85,110,46,10,146,33,247,122,4,155,143,150,61,198,122,140]},{"Name":"486b1aac-858f-4bf5-82fa-8dc2e9634507","Type":"template","AdditionalInfo":{"UUID":"486b1aac-858f-4bf5-82fa-8dc2e9634507","Name":"Corelight connection count by service for id.resp_p - AGG","Description":"Chart of connection counts per service as seen by Corelight with responder 
port"},"Hash":[29,44,92,140,78,23,31,123,250,34,65,20,91,240,34,113,129,157,110,81,10,134,89,172,129,204,192,125,85,26,148,238]},{"Name":"48b413cd-f221-41ee-8456-07ebf2f84326","Type":"template","AdditionalInfo":{"UUID":"48b413cd-f221-41ee-8456-07ebf2f84326","Name":"Corelight IP Service Usage - AGG","Description":"Aggregate count of connections by service as seen by Corelight"},"Hash":[3,74,224,232,122,210,235,129,236,120,14,108,38,218,179,95,231,98,6,66,245,197,66,128,169,92,145,40,52,84,10,183]},{"Name":"49ae3356-3a0f-4705-a7a0-d289b234a882","Type":"template","AdditionalInfo":{"UUID":"49ae3356-3a0f-4705-a7a0-d289b234a882","Name":"Corelight All DNS for IP - AGG","Description":""},"Hash":[28,72,24,240,109,214,245,192,240,237,64,160,254,56,184,89,151,188,101,31,249,118,56,81,217,41,39,185,137,192,169,105]},{"Name":"49e00668-aba6-45c2-9bd7-76661e694f0c","Type":"template","AdditionalInfo":{"UUID":"49e00668-aba6-45c2-9bd7-76661e694f0c","Name":"Corelight Connection activity for IP - AGG","Description":"Chart of connection activity for a given IP as seen by Corelight"},"Hash":[180,101,39,42,154,139,40,90,15,45,227,229,120,228,140,33,181,105,185,241,59,107,167,53,79,200,32,92,163,99,214,193]},{"Name":"51b2166d-6f68-4f16-9507-6eb0a6c2031e","Type":"template","AdditionalInfo":{"UUID":"51b2166d-6f68-4f16-9507-6eb0a6c2031e","Name":"Corelight Most Queried DNS Names by Client - AGG","Description":""},"Hash":[201,229,224,55,87,40,116,149,24,39,133,4,132,245,199,159,223,238,200,125,102,98,81,25,209,238,145,210,253,209,112,31]},{"Name":"572ec6a7-87cf-4bef-9b0b-962ca0f8a398","Type":"template","AdditionalInfo":{"UUID":"572ec6a7-87cf-4bef-9b0b-962ca0f8a398","Name":"Corelight DNS Related Subdomains - 
AGG","Description":""},"Hash":[244,218,239,83,84,183,166,226,171,100,192,203,241,178,218,41,172,220,216,120,143,151,74,183,28,89,141,248,34,4,204,188]},{"Name":"5765ede8-7745-41ea-8484-1227bcedccd4","Type":"template","AdditionalInfo":{"UUID":"5765ede8-7745-41ea-8484-1227bcedccd4","Name":"Corelight DNS Requests over Time - AGG","Description":""},"Hash":[47,92,12,236,107,116,41,18,6,235,192,241,43,104,89,150,246,234,93,14,26,213,228,19,253,166,158,112,15,206,224,26]},{"Name":"593344b7-48d9-46ec-984f-2dcbb944fd6d","Type":"template","AdditionalInfo":{"UUID":"593344b7-48d9-46ec-984f-2dcbb944fd6d","Name":"Corelight Most Common SLDs by Client - AGG","Description":""},"Hash":[144,232,166,238,241,94,232,144,27,147,206,227,85,228,56,252,40,180,53,98,123,216,35,48,109,42,255,208,21,75,31,61]},{"Name":"72fad028-064d-4e4f-8592-c5ba616f9d5c","Type":"template","AdditionalInfo":{"UUID":"72fad028-064d-4e4f-8592-c5ba616f9d5c","Name":"Corelight DNS Totals by Client - AGG","Description":""},"Hash":[179,32,244,124,3,12,138,213,154,14,245,167,146,102,107,85,240,98,74,117,47,11,190,240,200,100,179,72,86,119,125,189]},{"Name":"8bed927f-6287-42f7-b4f9-a98590c9bccf","Type":"template","AdditionalInfo":{"UUID":"8bed927f-6287-42f7-b4f9-a98590c9bccf","Name":"Corelight service bandwidth graph - AGG","Description":"Service Upload and Download traffic for an IP as seen by Corelight"},"Hash":[202,115,123,113,109,195,96,69,77,11,238,252,211,35,85,177,150,229,207,180,105,57,151,182,148,214,24,68,122,183,78,237]},{"Name":"a52870fa-8a03-4532-8dd8-c98c354f77fc","Type":"template","AdditionalInfo":{"UUID":"a52870fa-8a03-4532-8dd8-c98c354f77fc","Name":"Corelight All Files for IP - AGG","Description":""},"Hash":[112,200,173,218,150,129,82,208,16,173,241,124,231,212,93,226,145,244,137,212,23,18,239,213,118,109,117,184,130,192,222,174]},{"Name":"a53b03d5-e9ba-4e41-b8eb-2740eb51dad6","Type":"template","AdditionalInfo":{"UUID":"a53b03d5-e9ba-4e41-b8eb-2740eb51dad6","Name":"Corelight 10 least common service 
ports for IP - AGG","Description":"Table of the least commonly used service ports for an IP as seen by Corelight"},"Hash":[3,146,53,237,131,31,201,140,161,95,119,109,222,55,127,126,133,205,231,166,138,2,68,231,211,201,93,3,19,20,244,225]},{"Name":"a6a89522-cd15-4043-81eb-14b0417e9a8b","Type":"template","AdditionalInfo":{"UUID":"a6a89522-cd15-4043-81eb-14b0417e9a8b","Name":"Corelight connection count overview for id.resp_p - AGG","Description":"Connection count overview as seen by Corelight using responder port variable"},"Hash":[177,125,48,188,48,225,84,0,231,46,235,235,197,121,97,196,59,113,123,34,128,174,88,156,38,190,159,236,124,114,18,218]},{"Name":"ade8841d-9f93-4e39-b2e1-2bafc04a6c34","Type":"template","AdditionalInfo":{"UUID":"ade8841d-9f93-4e39-b2e1-2bafc04a6c34","Name":"Corelight All HTTP for IP - AGG","Description":""},"Hash":[73,81,130,200,128,211,18,72,154,222,64,127,215,148,0,123,89,209,11,233,152,251,58,167,145,202,193,198,63,71,220,138]},{"Name":"c46228f2-403f-47da-9b9e-2d1de6d95bdc","Type":"template","AdditionalInfo":{"UUID":"c46228f2-403f-47da-9b9e-2d1de6d95bdc","Name":"Corelight Rare DNS Queries - AGG","Description":""},"Hash":[107,113,251,135,69,56,131,87,186,211,61,186,119,69,63,97,11,114,62,69,8,255,163,33,41,56,79,166,110,52,101,135]},{"Name":"c575ee97-333b-4625-9cc8-4c8a7331d94f","Type":"template","AdditionalInfo":{"UUID":"c575ee97-333b-4625-9cc8-4c8a7331d94f","Name":"Corelight Service Client heatmap - AGG","Description":"Heatmap of clients for a given service"},"Hash":[168,11,233,190,4,34,152,182,210,124,64,81,170,58,232,246,233,189,134,41,254,8,120,231,142,119,58,84,35,159,238,101]},{"Name":"ca87283f-2ed7-4cea-a53e-09c73c84d7f0","Type":"template","AdditionalInfo":{"UUID":"ca87283f-2ed7-4cea-a53e-09c73c84d7f0","Name":"Corelight All Connections for IP - 
AGG","Description":""},"Hash":[210,83,182,125,14,99,20,109,20,125,90,229,39,196,171,83,196,41,145,4,252,47,0,119,202,222,121,199,215,143,143,233]},{"Name":"cac8c74c-02b4-4cb2-9361-4e25c6f75f45","Type":"template","AdditionalInfo":{"UUID":"cac8c74c-02b4-4cb2-9361-4e25c6f75f45","Name":"Corelight total client connections for a given IP - AGG","Description":"Numbercard of the total service connections as seen by corelight"},"Hash":[69,42,137,55,126,42,112,83,133,145,35,39,35,157,197,117,22,156,82,182,185,224,166,194,45,79,214,201,75,105,31,243]},{"Name":"d2f564af-adb5-47fd-ba71-73e84eca1e70","Type":"template","AdditionalInfo":{"UUID":"d2f564af-adb5-47fd-ba71-73e84eca1e70","Name":"Corelight Connection Graph for IP - AGG","Description":"FDG of IP Connections for a given IP as seen by Corelight"},"Hash":[19,244,37,34,19,158,201,56,196,233,184,21,242,141,25,223,226,245,173,200,192,123,38,19,134,19,139,129,47,151,36,229]},{"Name":"d33babd6-a04a-4388-a06e-ca29a99093b1","Type":"template","AdditionalInfo":{"UUID":"d33babd6-a04a-4388-a06e-ca29a99093b1","Name":"Corelight connection count details by host, service, org for id.resp_p - AGG","Description":"Table of connection count details by host, service, org with responder port"},"Hash":[37,127,35,219,198,196,143,55,118,27,253,80,238,115,83,238,139,217,249,165,104,250,244,174,67,134,241,208,10,209,219,250]},{"Name":"d7f5a03e-d339-4ff6-b57f-e6c608e5ead9","Type":"template","AdditionalInfo":{"UUID":"d7f5a03e-d339-4ff6-b57f-e6c608e5ead9","Name":"Corelight DNS SLDs with the Most Subdomains by Client - AGG","Description":""},"Hash":[89,198,125,57,214,95,96,51,111,175,115,192,105,226,61,129,46,88,31,146,36,41,215,204,143,189,223,97,143,20,246,153]},{"Name":"d89b2430-a5e6-486c-b403-015502440f34","Type":"template","AdditionalInfo":{"UUID":"d89b2430-a5e6-486c-b403-015502440f34","Name":"Corelight DNS Clients Querying this Name - 
AGG","Description":""},"Hash":[238,148,160,190,201,135,64,83,199,89,243,74,75,170,125,117,144,153,39,178,225,58,29,182,86,157,72,4,86,176,172,250]},{"Name":"de7775a5-bdfa-4b0f-a531-07263ee8710a","Type":"template","AdditionalInfo":{"UUID":"de7775a5-bdfa-4b0f-a531-07263ee8710a","Name":"Corelight Service traffic Totals for an IP - AGG","Description":"Show upstream/downstream traffic totals for service traffic on a given IP."},"Hash":[144,181,149,173,157,170,14,190,30,159,10,134,227,230,143,51,102,57,216,41,252,200,159,7,191,205,247,151,88,174,112,37]},{"Name":"fa78d6e3-01f5-4d55-8c40-5a69a05b9b17","Type":"template","AdditionalInfo":{"UUID":"fa78d6e3-01f5-4d55-8c40-5a69a05b9b17","Name":"Corelight totals by traffic direction for id.resp_p - AGG","Description":"Chart the upload and download traffic as seen by corelight with responder port"},"Hash":[35,162,127,141,222,157,137,44,143,138,36,140,106,140,158,85,131,234,157,142,132,102,109,220,195,180,151,146,82,27,179,212]},{"Name":"corelight_weird_agg","Type":"autoextractor","AdditionalInfo":{"name":"corelight_weird_agg","desc":"Auto-generated JSON extraction for tag corelight_weird_agg","module":"json","tag":"corelight_weird_agg"},"Hash":[35,76,64,62,155,93,77,20,240,212,231,232,65,34,140,124,159,143,238,175,99,129,50,59,63,235,178,121,178,150,193,49]},{"Name":"corelight_ssl_agg","Type":"autoextractor","AdditionalInfo":{"name":"corelight_ssl_agg","desc":"Auto-generated JSON extraction for tag corelight_ssl_agg","module":"json","tag":"corelight_ssl_agg"},"Hash":[192,4,51,160,218,24,116,66,12,218,215,184,233,53,246,144,121,4,169,1,199,132,59,191,77,150,241,87,120,60,84,219]},{"Name":"corelight_http_agg","Type":"autoextractor","AdditionalInfo":{"name":"corelight_http_agg","desc":"Auto-generated JSON extraction for tag 
corelight_http_agg","module":"json","tag":"corelight_http_agg"},"Hash":[175,241,196,109,140,31,46,231,92,49,151,214,212,228,14,70,226,77,195,83,152,80,201,137,65,65,208,129,22,250,219,173]},{"Name":"corelight_conn_agg","Type":"autoextractor","AdditionalInfo":{"name":"corelight_conn_agg","desc":"Auto-generated JSON extraction for tag corelight_conn_agg","module":"json","tag":"corelight_conn_agg"},"Hash":[153,244,214,208,194,91,248,81,149,66,228,96,49,100,254,115,228,195,166,157,75,153,32,33,245,66,123,47,40,44,194,53]},{"Name":"corelight_dns_agg","Type":"autoextractor","AdditionalInfo":{"name":"corelight_dns_agg","desc":"Auto-generated JSON extraction for tag corelight_dns_agg","module":"json","tag":"corelight_dns_agg"},"Hash":[98,218,77,179,61,137,84,234,60,233,107,112,202,78,11,65,13,87,6,216,126,158,205,91,11,10,96,40,231,86,168,179]},{"Name":"corelight_files_agg","Type":"autoextractor","AdditionalInfo":{"name":"corelight_files_agg","desc":"Auto-generated JSON extraction for tag corelight_files_agg","module":"json","tag":"corelight_files_agg"},"Hash":[115,134,200,231,70,92,202,40,46,97,105,75,35,150,205,39,125,164,251,81,182,189,189,201,196,115,93,237,4,29,215,226]}],"ConfigMacros":null},{"ID":"io.gravwell.pihole","Name":"PiHole","UUID":"ce14d8c3-aa8d-451d-b1be-fede9ede7e2b","Version":2,"Description":"The Gravwell PiHole Kit provides a baseline set of queries, dashboards, and resources.","Readme":"","Signed":true,"AdminRequired":false,"MinVersion":{"Major":0,"Minor":0,"Point":0},"MaxVersion":{"Major":0,"Minor":0,"Point":0},"Size":806400,"Created":"2023-11-12T22:44:12.539741274Z","Ingesters":["simplerelay"],"Tags":["pihole"],"Assets":[{"Type":"image","Source":"cover.png","Legend":"PiHole","Featured":true,"Banner":false},{"Type":"image","Source":"banner.png","Legend":"PiHole","Featured":true,"Banner":true},{"Type":"readme","Source":"README.md","Legend":"","Featured":false,"Banner":false}],"Dependencies":null,"Items":[{"Name":"Apache 2.0 
License","Type":"license","AdditionalInfo":" Apache License\n Version 2.0, January 2004\n http://www.apache.org/licenses/\n\n TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n 1. Definitions.\n\n \"License\" shall mean the terms and conditions for use, reproduction,\n and distribution as defined by Sections 1 through 9 of this document.\n\n \"Licensor\" shall mean the copyright owner or entity authorized by\n the copyright owner that is granting the License.\n\n \"Legal Entity\" shall mean the union of the acting entity and all\n other entities that control, are controlled by, or are under common\n control with that entity. For the purposes of this definition,\n \"control\" means (i) the power, direct or indirect, to cause the\n direction or management of such entity, whether by contract or\n otherwise, or (ii) ownership of fifty percent (50%) or more of the\n outstanding shares, or (iii) beneficial ownership of such entity.\n\n \"You\" (or \"Your\") shall mean an individual or Legal Entity\n exercising permissions granted by this License.\n\n \"Source\" form shall mean the preferred form for making modifications,\n including but not limited to software source code, documentation\n source, and configuration files.\n\n \"Object\" form shall mean any form resulting from mechanical\n transformation or translation of a Source form, including but\n not limited to compiled object code, generated documentation,\n and conversions to other media types.\n\n \"Work\" shall mean the work of authorship, whether in Source or\n Object form, made available under the License, as indicated by a\n copyright notice that is included in or attached to the work\n (an example is provided in the Appendix below).\n\n \"Derivative Works\" shall mean any work, whether in Source or Object\n form, that is based on (or derived from) the Work and for which the\n editorial revisions, annotations, elaborations, or other modifications\n represent, as a whole, an original work of 
authorship. For the purposes\n of this License, Derivative Works shall not include works that remain\n separable from, or merely link (or bind by name) to the interfaces of,\n the Work and Derivative Works thereof.\n\n \"Contribution\" shall mean any work of authorship, including\n the original version of the Work and any modifications or additions\n to that Work or Derivative Works thereof, that is intentionally\n submitted to Licensor for inclusion in the Work by the copyright owner\n or by an individual or Legal Entity authorized to submit on behalf of\n the copyright owner. For the purposes of this definition, \"submitted\"\n means any form of electronic, verbal, or written communication sent\n to the Licensor or its representatives, including but not limited to\n communication on electronic mailing lists, source code control systems,\n and issue tracking systems that are managed by, or on behalf of, the\n Licensor for the purpose of discussing and improving the Work, but\n excluding communication that is conspicuously marked or otherwise\n designated in writing by the copyright owner as \"Not a Contribution.\"\n\n \"Contributor\" shall mean Licensor and any individual or Legal Entity\n on behalf of whom a Contribution has been received by Licensor and\n subsequently incorporated within the Work.\n\n 2. Grant of Copyright License. Subject to the terms and conditions of\n this License, each Contributor hereby grants to You a perpetual,\n worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n copyright license to reproduce, prepare Derivative Works of,\n publicly display, publicly perform, sublicense, and distribute the\n Work and such Derivative Works in Source or Object form.\n\n 3. Grant of Patent License. 
Subject to the terms and conditions of\n this License, each Contributor hereby grants to You a perpetual,\n worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n (except as stated in this section) patent license to make, have made,\n use, offer to sell, sell, import, and otherwise transfer the Work,\n where such license applies only to those patent claims licensable\n by such Contributor that are necessarily infringed by their\n Contribution(s) alone or by combination of their Contribution(s)\n with the Work to which such Contribution(s) was submitted. If You\n institute patent litigation against any entity (including a\n cross-claim or counterclaim in a lawsuit) alleging that the Work\n or a Contribution incorporated within the Work constitutes direct\n or contributory patent infringement, then any patent licenses\n granted to You under this License for that Work shall terminate\n as of the date such litigation is filed.\n\n 4. Redistribution. You may reproduce and distribute copies of the\n Work or Derivative Works thereof in any medium, with or without\n modifications, and in Source or Object form, provided that You\n meet the following conditions:\n\n (a) You must give any other recipients of the Work or\n Derivative Works a copy of this License; and\n\n (b) You must cause any modified files to carry prominent notices\n stating that You changed the files; and\n\n (c) You must retain, in the Source form of any Derivative Works\n that You distribute, all copyright, patent, trademark, and\n attribution notices from the Source form of the Work,\n excluding those notices that do not pertain to any part of\n the Derivative Works; and\n\n (d) If the Work includes a \"NOTICE\" text file as part of its\n distribution, then any Derivative Works that You distribute must\n include a readable copy of the attribution notices contained\n within such NOTICE file, excluding those notices that do not\n pertain to any part of the Derivative Works, in at least one\n of 
the following places: within a NOTICE text file distributed\n as part of the Derivative Works; within the Source form or\n documentation, if provided along with the Derivative Works; or,\n within a display generated by the Derivative Works, if and\n wherever such third-party notices normally appear. The contents\n of the NOTICE file are for informational purposes only and\n do not modify the License. You may add Your own attribution\n notices within Derivative Works that You distribute, alongside\n or as an addendum to the NOTICE text from the Work, provided\n that such additional attribution notices cannot be construed\n as modifying the License.\n\n You may add Your own copyright statement to Your modifications and\n may provide additional or different license terms and conditions\n for use, reproduction, or distribution of Your modifications, or\n for any such Derivative Works as a whole, provided Your use,\n reproduction, and distribution of the Work otherwise complies with\n the conditions stated in this License.\n\n 5. Submission of Contributions. Unless You explicitly state otherwise,\n any Contribution intentionally submitted for inclusion in the Work\n by You to the Licensor shall be under the terms and conditions of\n this License, without any additional terms or conditions.\n Notwithstanding the above, nothing herein shall supersede or modify\n the terms of any separate license agreement you may have executed\n with Licensor regarding such Contributions.\n\n 6. Trademarks. This License does not grant permission to use the trade\n names, trademarks, service marks, or product names of the Licensor,\n except as required for reasonable and customary use in describing the\n origin of the Work and reproducing the content of the NOTICE file.\n\n 7. Disclaimer of Warranty. 
Unless required by applicable law or\n agreed to in writing, Licensor provides the Work (and each\n Contributor provides its Contributions) on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n implied, including, without limitation, any warranties or conditions\n of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n PARTICULAR PURPOSE. You are solely responsible for determining the\n appropriateness of using or redistributing the Work and assume any\n risks associated with Your exercise of permissions under this License.\n\n 8. Limitation of Liability. In no event and under no legal theory,\n whether in tort (including negligence), contract, or otherwise,\n unless required by applicable law (such as deliberate and grossly\n negligent acts) or agreed to in writing, shall any Contributor be\n liable to You for damages, including any direct, indirect, special,\n incidental, or consequential damages of any character arising as a\n result of this License or out of the use or inability to use the\n Work (including but not limited to damages for loss of goodwill,\n work stoppage, computer failure or malfunction, or any and all\n other commercial damages or losses), even if such Contributor\n has been advised of the possibility of such damages.\n\n 9. Accepting Warranty or Additional Liability. While redistributing\n the Work or Derivative Works thereof, You may choose to offer,\n and charge a fee for, acceptance of support, warranty, indemnity,\n or other liability obligations and/or rights consistent with this\n License. 
However, in accepting such obligations, You may act only\n on Your own behalf and on Your sole responsibility, not on behalf\n of any other Contributor, and only if You agree to indemnify,\n defend, and hold each Contributor harmless for any liability\n incurred by, or claims asserted against, such Contributor by reason\n of your accepting any such warranty or additional liability.\n\n END OF TERMS AND CONDITIONS","Hash":[89,137,156,96,145,181,64,88,46,214,23,232,238,170,196,145,157,201,133,204,252,53,69,158,233,117,43,105,155,229,32,91]},{"Name":"CC BY-SA 4.0","Type":"license","AdditionalInfo":"Attribution-ShareAlike 4.0 International\n\n=======================================================================\n\nCreative Commons Corporation (\"Creative Commons\") is not a law firm and\ndoes not provide legal services or legal advice. Distribution of\nCreative Commons public licenses does not create a lawyer-client or\nother relationship. Creative Commons makes its licenses and related\ninformation available on an \"as-is\" basis. Creative Commons gives no\nwarranties regarding its licenses, any material licensed under their\nterms and conditions, or any related information. Creative Commons\ndisclaims all liability for damages resulting from their use to the\nfullest extent possible.\n\nUsing Creative Commons Public Licenses\n\nCreative Commons public licenses provide a standard set of terms and\nconditions that creators and other rights holders may use to share\noriginal works of authorship and other material subject to copyright\nand certain other rights specified in the public license below. The\nfollowing considerations are for informational purposes only, are not\nexhaustive, and do not form part of our licenses.\n\n Considerations for licensors: Our public licenses are\n intended for use by those authorized to give the public\n permission to use material in ways otherwise restricted by\n copyright and certain other rights. Our licenses are\n irrevocable. 
Licensors should read and understand the terms\n and conditions of the license they choose before applying it.\n Licensors should also secure all rights necessary before\n applying our licenses so that the public can reuse the\n material as expected. Licensors should clearly mark any\n material not subject to the license. This includes other CC-\n licensed material, or material used under an exception or\n limitation to copyright. More considerations for licensors:\n wiki.creativecommons.org/Considerations_for_licensors\n\n Considerations for the public: By using one of our public\n licenses, a licensor grants the public permission to use the\n licensed material under specified terms and conditions. If\n the licensor's permission is not necessary for any reason--for\n example, because of any applicable exception or limitation to\n copyright--then that use is not regulated by the license. Our\n licenses grant only permissions under copyright and certain\n other rights that a licensor has authority to grant. Use of\n the licensed material may still be restricted for other\n reasons, including because others have copyright or other\n rights in the material. A licensor may make special requests,\n such as asking that all changes be marked or described.\n Although not required by our licenses, you are encouraged to\n respect those requests where reasonable. More considerations\n for the public:\n wiki.creativecommons.org/Considerations_for_licensees\n\n=======================================================================\n\nCreative Commons Attribution-ShareAlike 4.0 International Public\nLicense\n\nBy exercising the Licensed Rights (defined below), You accept and agree\nto be bound by the terms and conditions of this Creative Commons\nAttribution-ShareAlike 4.0 International Public License (\"Public\nLicense\"). 
To the extent this Public License may be interpreted as a\ncontract, You are granted the Licensed Rights in consideration of Your\nacceptance of these terms and conditions, and the Licensor grants You\nsuch rights in consideration of benefits the Licensor receives from\nmaking the Licensed Material available under these terms and\nconditions.\n\n\nSection 1 -- Definitions.\n\n a. Adapted Material means material subject to Copyright and Similar\n Rights that is derived from or based upon the Licensed Material\n and in which the Licensed Material is translated, altered,\n arranged, transformed, or otherwise modified in a manner requiring\n permission under the Copyright and Similar Rights held by the\n Licensor. For purposes of this Public License, where the Licensed\n Material is a musical work, performance, or sound recording,\n Adapted Material is always produced where the Licensed Material is\n synched in timed relation with a moving image.\n\n b. Adapter's License means the license You apply to Your Copyright\n and Similar Rights in Your contributions to Adapted Material in\n accordance with the terms and conditions of this Public License.\n\n c. BY-SA Compatible License means a license listed at\n creativecommons.org/compatiblelicenses, approved by Creative\n Commons as essentially the equivalent of this Public License.\n\n d. Copyright and Similar Rights means copyright and/or similar rights\n closely related to copyright including, without limitation,\n performance, broadcast, sound recording, and Sui Generis Database\n Rights, without regard to how the rights are labeled or\n categorized. For purposes of this Public License, the rights\n specified in Section 2(b)(1)-(2) are not Copyright and Similar\n Rights.\n\n e. 
Effective Technological Measures means those measures that, in the\n absence of proper authority, may not be circumvented under laws\n fulfilling obligations under Article 11 of the WIPO Copyright\n Treaty adopted on December 20, 1996, and/or similar international\n agreements.\n\n f. Exceptions and Limitations means fair use, fair dealing, and/or\n any other exception or limitation to Copyright and Similar Rights\n that applies to Your use of the Licensed Material.\n\n g. License Elements means the license attributes listed in the name\n of a Creative Commons Public License. The License Elements of this\n Public License are Attribution and ShareAlike.\n\n h. Licensed Material means the artistic or literary work, database,\n or other material to which the Licensor applied this Public\n License.\n\n i. Licensed Rights means the rights granted to You subject to the\n terms and conditions of this Public License, which are limited to\n all Copyright and Similar Rights that apply to Your use of the\n Licensed Material and that the Licensor has authority to license.\n\n j. Licensor means the individual(s) or entity(ies) granting rights\n under this Public License.\n\n k. Share means to provide material to the public by any means or\n process that requires permission under the Licensed Rights, such\n as reproduction, public display, public performance, distribution,\n dissemination, communication, or importation, and to make material\n available to the public including in ways that members of the\n public may access the material from a place and at a time\n individually chosen by them.\n\n l. Sui Generis Database Rights means rights other than copyright\n resulting from Directive 96/9/EC of the European Parliament and of\n the Council of 11 March 1996 on the legal protection of databases,\n as amended and/or succeeded, as well as other essentially\n equivalent rights anywhere in the world.\n\n m. 
You means the individual or entity exercising the Licensed Rights\n under this Public License. Your has a corresponding meaning.\n\n\nSection 2 -- Scope.\n\n a. License grant.\n\n 1. Subject to the terms and conditions of this Public License,\n the Licensor hereby grants You a worldwide, royalty-free,\n non-sublicensable, non-exclusive, irrevocable license to\n exercise the Licensed Rights in the Licensed Material to:\n\n a. reproduce and Share the Licensed Material, in whole or\n in part; and\n\n b. produce, reproduce, and Share Adapted Material.\n\n 2. Exceptions and Limitations. For the avoidance of doubt, where\n Exceptions and Limitations apply to Your use, this Public\n License does not apply, and You do not need to comply with\n its terms and conditions.\n\n 3. Term. The term of this Public License is specified in Section\n 6(a).\n\n 4. Media and formats; technical modifications allowed. The\n Licensor authorizes You to exercise the Licensed Rights in\n all media and formats whether now known or hereafter created,\n and to make technical modifications necessary to do so. The\n Licensor waives and/or agrees not to assert any right or\n authority to forbid You from making technical modifications\n necessary to exercise the Licensed Rights, including\n technical modifications necessary to circumvent Effective\n Technological Measures. For purposes of this Public License,\n simply making modifications authorized by this Section 2(a)\n (4) never produces Adapted Material.\n\n 5. Downstream recipients.\n\n a. Offer from the Licensor -- Licensed Material. Every\n recipient of the Licensed Material automatically\n receives an offer from the Licensor to exercise the\n Licensed Rights under the terms and conditions of this\n Public License.\n\n b. 
Additional offer from the Licensor -- Adapted Material.\n Every recipient of Adapted Material from You\n automatically receives an offer from the Licensor to\n exercise the Licensed Rights in the Adapted Material\n under the conditions of the Adapter's License You apply.\n\n c. No downstream restrictions. You may not offer or impose\n any additional or different terms or conditions on, or\n apply any Effective Technological Measures to, the\n Licensed Material if doing so restricts exercise of the\n Licensed Rights by any recipient of the Licensed\n Material.\n\n 6. No endorsement. Nothing in this Public License constitutes or\n may be construed as permission to assert or imply that You\n are, or that Your use of the Licensed Material is, connected\n with, or sponsored, endorsed, or granted official status by,\n the Licensor or others designated to receive attribution as\n provided in Section 3(a)(1)(A)(i).\n\n b. Other rights.\n\n 1. Moral rights, such as the right of integrity, are not\n licensed under this Public License, nor are publicity,\n privacy, and/or other similar personality rights; however, to\n the extent possible, the Licensor waives and/or agrees not to\n assert any such rights held by the Licensor to the limited\n extent necessary to allow You to exercise the Licensed\n Rights, but not otherwise.\n\n 2. Patent and trademark rights are not licensed under this\n Public License.\n\n 3. To the extent possible, the Licensor waives any right to\n collect royalties from You for the exercise of the Licensed\n Rights, whether directly or through a collecting society\n under any voluntary or waivable statutory or compulsory\n licensing scheme. In all other cases the Licensor expressly\n reserves any right to collect such royalties.\n\n\nSection 3 -- License Conditions.\n\nYour exercise of the Licensed Rights is expressly made subject to the\nfollowing conditions.\n\n a. Attribution.\n\n 1. 
If You Share the Licensed Material (including in modified\n form), You must:\n\n a. retain the following if it is supplied by the Licensor\n with the Licensed Material:\n\n i. identification of the creator(s) of the Licensed\n Material and any others designated to receive\n attribution, in any reasonable manner requested by\n the Licensor (including by pseudonym if\n designated);\n\n ii. a copyright notice;\n\n iii. a notice that refers to this Public License;\n\n iv. a notice that refers to the disclaimer of\n warranties;\n\n v. a URI or hyperlink to the Licensed Material to the\n extent reasonably practicable;\n\n b. indicate if You modified the Licensed Material and\n retain an indication of any previous modifications; and\n\n c. indicate the Licensed Material is licensed under this\n Public License, and include the text of, or the URI or\n hyperlink to, this Public License.\n\n 2. You may satisfy the conditions in Section 3(a)(1) in any\n reasonable manner based on the medium, means, and context in\n which You Share the Licensed Material. For example, it may be\n reasonable to satisfy the conditions by providing a URI or\n hyperlink to a resource that includes the required\n information.\n\n 3. If requested by the Licensor, You must remove any of the\n information required by Section 3(a)(1)(A) to the extent\n reasonably practicable.\n\n b. ShareAlike.\n\n In addition to the conditions in Section 3(a), if You Share\n Adapted Material You produce, the following conditions also apply.\n\n 1. The Adapter's License You apply must be a Creative Commons\n license with the same License Elements, this version or\n later, or a BY-SA Compatible License.\n\n 2. You must include the text of, or the URI or hyperlink to, the\n Adapter's License You apply. You may satisfy this condition\n in any reasonable manner based on the medium, means, and\n context in which You Share Adapted Material.\n\n 3. 
You may not offer or impose any additional or different terms\n or conditions on, or apply any Effective Technological\n Measures to, Adapted Material that restrict exercise of the\n rights granted under the Adapter's License You apply.\n\n\nSection 4 -- Sui Generis Database Rights.\n\nWhere the Licensed Rights include Sui Generis Database Rights that\napply to Your use of the Licensed Material:\n\n a. for the avoidance of doubt, Section 2(a)(1) grants You the right\n to extract, reuse, reproduce, and Share all or a substantial\n portion of the contents of the database;\n\n b. if You include all or a substantial portion of the database\n contents in a database in which You have Sui Generis Database\n Rights, then the database in which You have Sui Generis Database\n Rights (but not its individual contents) is Adapted Material,\n including for purposes of Section 3(b); and\n\n c. You must comply with the conditions in Section 3(a) if You Share\n all or a substantial portion of the contents of the database.\n\nFor the avoidance of doubt, this Section 4 supplements and does not\nreplace Your obligations under this Public License where the Licensed\nRights include other Copyright and Similar Rights.\n\n\nSection 5 -- Disclaimer of Warranties and Limitation of Liability.\n\n a. UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE\n EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS\n AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF\n ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS,\n IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION,\n WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR\n PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS,\n ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT\n KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT\n ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU.\n\n b. 
TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE\n TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION,\n NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT,\n INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES,\n COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR\n USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN\n ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR\n DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR\n IN PART, THIS LIMITATION MAY NOT APPLY TO YOU.\n\n c. The disclaimer of warranties and limitation of liability provided\n above shall be interpreted in a manner that, to the extent\n possible, most closely approximates an absolute disclaimer and\n waiver of all liability.\n\n\nSection 6 -- Term and Termination.\n\n a. This Public License applies for the term of the Copyright and\n Similar Rights licensed here. However, if You fail to comply with\n this Public License, then Your rights under this Public License\n terminate automatically.\n\n b. Where Your right to use the Licensed Material has terminated under\n Section 6(a), it reinstates:\n\n 1. automatically as of the date the violation is cured, provided\n it is cured within 30 days of Your discovery of the\n violation; or\n\n 2. upon express reinstatement by the Licensor.\n\n For the avoidance of doubt, this Section 6(b) does not affect any\n right the Licensor may have to seek remedies for Your violations\n of this Public License.\n\n c. For the avoidance of doubt, the Licensor may also offer the\n Licensed Material under separate terms or conditions or stop\n distributing the Licensed Material at any time; however, doing so\n will not terminate this Public License.\n\n d. Sections 1, 5, 6, 7, and 8 survive termination of this Public\n License.\n\n\nSection 7 -- Other Terms and Conditions.\n\n a. 
The Licensor shall not be bound by any additional or different\n terms or conditions communicated by You unless expressly agreed.\n\n b. Any arrangements, understandings, or agreements regarding the\n Licensed Material not stated herein are separate from and\n independent of the terms and conditions of this Public License.\n\n\nSection 8 -- Interpretation.\n\n a. For the avoidance of doubt, this Public License does not, and\n shall not be interpreted to, reduce, limit, restrict, or impose\n conditions on any use of the Licensed Material that could lawfully\n be made without permission under this Public License.\n\n b. To the extent possible, if any provision of this Public License is\n deemed unenforceable, it shall be automatically reformed to the\n minimum extent necessary to make it enforceable. If the provision\n cannot be reformed, it shall be severed from this Public License\n without affecting the enforceability of the remaining terms and\n conditions.\n\n c. No term or condition of this Public License will be waived and no\n failure to comply consented to unless expressly agreed to by the\n Licensor.\n\n d. Nothing in this Public License constitutes or may be interpreted\n as a limitation upon, or waiver of, any privileges and immunities\n that apply to the Licensor or You, including from the legal\n processes of any jurisdiction or authority.\n\n\n=======================================================================\n\nCreative Commons is not a party to its public\nlicenses. Notwithstanding, Creative Commons may elect to apply one of\nits public licenses to material it publishes and in those instances\nwill be considered the “Licensor.” The text of the Creative Commons\npublic licenses is dedicated to the public domain under the CC0 Public\nDomain Dedication. 
Except for the limited purpose of indicating that\nmaterial is shared under a Creative Commons public license or as\notherwise permitted by the Creative Commons policies published at\ncreativecommons.org/policies, Creative Commons does not authorize the\nuse of the trademark \"Creative Commons\" or any other trademark or logo\nof Creative Commons without its prior written consent including,\nwithout limitation, in connection with any unauthorized modifications\nto any of its public licenses or any other arrangements,\nunderstandings, or agreements concerning use of licensed material. For\nthe avoidance of doubt, this paragraph does not form part of the\npublic licenses.\n\nCreative Commons may be contacted at creativecommons.org.\n\n","Hash":[41,155,242,142,121,14,97,171,113,141,220,255,254,121,139,182,147,195,195,170,135,87,238,242,147,122,52,7,9,235,192,63]},{"Name":"pihole_status_codes","Type":"resource","AdditionalInfo":{"VersionNumber":1,"ResourceName":"pihole_status_codes","Description":"PiHole query status codes","Size":1096,"Labels":null},"Hash":[250,58,57,152,122,171,9,226,144,41,206,186,16,209,209,212,136,128,235,47,68,157,195,178,116,140,50,150,150,233,83,130]},{"Name":"PIHOLE_DNS_QUERY","Type":"macro","AdditionalInfo":{"Name":"PIHOLE_DNS_QUERY","Description":"PiHole DNS query parsed and lookedup","Expansion":"tag=$PIHOLE_TAG ax client domain type reply status upstream\n| lookup -r pihole-rectypes type type (description as typeDescription)\n| lookup -r pihole-replytypes reply id (rtype as ReplyType)\n| lookup -r pihole_status_codes status id (action as action details as statusDescription)"},"Hash":[109,58,96,41,12,89,25,199,189,210,14,112,22,153,71,245,231,213,199,243,248,163,48,19,255,127,48,95,133,93,81,231]},{"Name":"16043961-d553-4b5a-998c-8ec8cc25238a","Type":"dashboard","AdditionalInfo":{"UUID":"16043961-d553-4b5a-998c-8ec8cc25238a","Name":"Pihole Overview","Description":"Pihole Overview 
Dashboard"},"Hash":[28,182,135,247,148,169,100,44,154,149,233,171,3,139,40,159,25,189,84,198,51,76,107,94,75,231,40,14,253,22,73,174]},{"Name":"f9a79ae0-3820-4683-a819-2d48d8b50002","Type":"file","AdditionalInfo":{"UUID":"f9a79ae0-3820-4683-a819-2d48d8b50002","Name":"ff cover","Description":"","Size":497567,"ContentType":"image/png"},"Hash":[182,202,196,241,48,16,171,227,204,131,109,33,129,171,106,148,83,8,114,239,245,203,106,110,245,106,165,86,38,147,20,73]},{"Name":"d7996012-4b08-4139-b3f9-4af242a1982c","Type":"file","AdditionalInfo":{"UUID":"d7996012-4b08-4139-b3f9-4af242a1982c","Name":"icon file for kit build \"PiHole v1\"","Description":"","Size":23490,"ContentType":"image/png"},"Hash":[149,185,211,181,33,42,214,116,122,91,78,80,249,63,248,49,117,34,141,59,117,104,134,198,38,212,108,76,60,70,235,205]},{"Name":"987688bb-b613-4044-9adb-8c429e1ac086","Type":"file","AdditionalInfo":{"UUID":"987688bb-b613-4044-9adb-8c429e1ac086","Name":"cover file for kit build \"PiHole v1\"","Description":"","Size":23490,"ContentType":"image/png"},"Hash":[87,37,112,109,23,145,224,143,2,226,18,37,195,54,55,76,51,35,190,185,90,168,222,167,208,189,228,10,17,102,136,248]},{"Name":"a30ca40d-7f5c-4c70-a033-1748ac0b8ded","Type":"file","AdditionalInfo":{"UUID":"a30ca40d-7f5c-4c70-a033-1748ac0b8ded","Name":"banner file for kit build \"PiHole v1\"","Description":"","Size":13337,"ContentType":"image/png"},"Hash":[192,200,45,67,87,39,34,233,208,186,148,9,251,102,38,196,1,109,246,135,129,251,176,186,224,28,236,117,73,238,227,222]},{"Name":"pihole-queries","Type":"autoextractor","AdditionalInfo":{"name":"pihole-query","desc":"pihole query // array: time type domain client status dnssecStatus reply response_time CNAMEDomain regexID upstream destination EDE","module":"csv","tag":"pihole-queries"},"Hash":[59,86,225,201,187,163,1,71,213,240,244,22,137,168,140,15,61,126,108,248,71,215,27,18,117,63,196,49,222,161,155,201]},{"Name":"67a56765-8964-4de5-b886-3b7ef31f1645","Type":"scheduled 
search","AdditionalInfo":{"Name":"PiHole Script","Description":"Fetches Pihole data","Schedule":"*/5 * * * *","Script":"var strings = import(\"strings\")\nvar url = import(\"net/url\")\nvar fmt = import(\"fmt\")\nvar time = import(\"time\")\nvar json = import(\"encoding/json\")\nvar regexp = import(\"regexp\")\nvar time = import(\"time\")\n\ntemplate = \"http://%s:%s/admin/api.php?getAllQueries\u0026from=%s\u0026until=%s\u0026auth=%s\"\n\n# Read the tag config macro\n# Example \"pihole-queries\"\n tag, err = getMacro(\"$PIHOLE_TAG\")\n if err != nil {\n return err\n }\n\n# Read the API key config macro\n# Example \"56795c7e54d3ed6c7a6c3a5d8804ffcadcfbf9126acd3613d7d09ebbac4760dd\"\n apiKey, err = getMacro(\"$PIHOLE_APIKEY\")\n if err != nil {\n return err\n }\n\n# Read the location(s) config macro\n# Example \"192.168.1.63\"\n piholeIp, err = getMacro(\"$PIHOLE_IP\")\n if err != nil {\n return err\n }\n\n# Read the location(s) config macro\n# Example \"80\"\n piholePort, err = getMacro(\"$PIHOLE_PORT\")\n if err != nil {\n return err\n }\n\n\n# Use if you want to hard code your secrets\n# apiKey = \"56795c7e54d3ed6c7a6c3a5d8804ffcadcfbf9126acd3613d7d09ebbac4760dd\"\n# piholeIp = \"192.168.1.63\"\n# piholePort = \"80\"\n\nnow = time.Now().Unix()\n\n\n# Set this equal to your time on the cron schedule\nthen = now - 300\n\n# Escape all the values \nkey = url.QueryEscape(apiKey)\nip = url.QueryEscape(piholeIp)\nport = url.QueryEscape(piholePort)\n\n# New entries\nents = make([]Entry)\n\n # Make the new url \n\n\n q = fmt.Sprintf(template, ip, port, then, now, key)\n\n # Get data\n res, err = httpGet(q)\n if err != nil {\n println(err)\n continue\n }\n\n # Print result\n # println(res)\n\n\ntarget = make(map[string]interface)\njson.Unmarshal(res, \u0026target)\n\ndata = target[\"data\"]\n\n\n# println(len(data))\n\n\n# TODO: Need to find a more elegant solution\nfor i in data{\n\n temp = toString(i)\n temp = strings.TrimLeft(temp, \"[\")\n temp = strings.TrimRight(temp, 
\" ]\")\n temp = strings.Split(temp, \" \")\n t = time.Unix(toInt(temp[0]), 0)\n\n record = \"\"\n for j in temp{\n record = record + j + \",\" \n }\n println(record)\n e = newEntry(t, record)\n ents += e\n}\n\n# Sets the tag for the data\ningestEntries(ents, tag)","ScheduledType":"script","DefaultDeploymentRules":{"Disabled":false,"RunImmediately":false}},"Hash":[2,137,149,76,120,54,152,10,77,76,137,73,155,73,164,185,59,33,185,108,156,107,20,246,142,233,58,143,101,90,248,143]},{"Name":"pihole-rectypes","Type":"resource","AdditionalInfo":{"VersionNumber":1,"ResourceName":"pihole-rectypes","Description":"DNS record types","Size":1438,"Labels":null},"Hash":[151,217,250,180,192,180,189,233,182,45,78,101,147,99,1,2,18,62,71,143,224,98,39,207,186,85,189,216,159,199,250,151]},{"Name":"pihole-replytypes","Type":"resource","AdditionalInfo":{"VersionNumber":1,"ResourceName":"pihole-replytypes","Description":"Pihole reply types","Size":177,"Labels":null},"Hash":[142,139,118,1,29,78,220,154,216,78,144,197,249,4,203,29,249,216,38,94,12,199,93,149,157,139,110,251,48,188,194,29]}],"ConfigMacros":[{"MacroName":"PIHOLE_IP","Description":"The IP of the pihole instance","DefaultValue":"192.168.1.5","Value":"","Type":"OTHER","InstalledByID":""},{"MacroName":"PIHOLE_PORT","Description":"The port of the pihole instance","DefaultValue":"80","Value":"","Type":"OTHER","InstalledByID":""},{"MacroName":"PIHOLE_APIKEY","Description":"The API key of the pihole instance","DefaultValue":"\u003cAPI_KEY\u003e","Value":"","Type":"OTHER","InstalledByID":""},{"MacroName":"PIHOLE_TAG","Description":"Set pihole tag name","DefaultValue":"pihole-queries","Value":"","Type":"TAG","InstalledByID":""}]},{"ID":"io.gravwell.networkenrichment","Name":"Network enrichment","UUID":"cf82af9a-d73a-465f-9275-d59b46906791","Version":19,"Description":"A kit which provides resources for network 
enrichment.","Readme":"","Signed":true,"AdminRequired":false,"MinVersion":{"Major":3,"Minor":4,"Point":0},"MaxVersion":{"Major":0,"Minor":0,"Point":0},"Size":103749120,"Created":"2025-06-04T15:44:43.57285043Z","Ingesters":["networkLog","flow","coredns"],"Tags":["pcap","netflow","ipfix","dns"],"Assets":[{"Type":"image","Source":"cover.jpg","Legend":"Network Enrichment","Featured":true,"Banner":false},{"Type":"image","Source":"banner.jpg","Legend":"Network Enrichment banner","Featured":true,"Banner":true},{"Type":"readme","Source":"README.md","Legend":"","Featured":false,"Banner":false}],"Dependencies":null,"Items":[{"Name":"8b0f4322-9653-4942-bd87-cf8ec966f6af","Type":"file","AdditionalInfo":{"UUID":"8b0f4322-9653-4942-bd87-cf8ec966f6af","Name":"markus-spiske-iar-afB0QQw-unsplash.jpg","Description":"undefined","Size":63196,"ContentType":"image/jpeg"},"Hash":[197,178,159,201,58,103,14,8,229,160,176,116,194,203,240,147,48,151,76,157,22,213,65,45,74,51,46,145,27,137,205,30]},{"Name":"31a248a6-4423-11ed-afd1-ebdae006f414","Type":"file","AdditionalInfo":{"UUID":"31a248a6-4423-11ed-afd1-ebdae006f414","Name":"cover.jpg","Description":"undefined","Size":56210,"ContentType":"image/jpeg"},"Hash":[145,212,13,252,198,120,4,162,129,84,29,37,189,236,58,4,200,212,244,178,251,21,132,134,21,210,254,216,48,208,119,204]},{"Name":"asn_db","Type":"resource","AdditionalInfo":{"VersionNumber":1,"ResourceName":"asn_db","Description":"Autonomous System lookup database","Size":9309616,"Labels":null},"Hash":[192,23,84,35,113,55,224,250,52,191,47,0,195,172,6,247,125,175,191,76,190,55,65,240,11,58,217,173,38,137,109,103]},{"Name":"asn_db_v6","Type":"resource","AdditionalInfo":{"VersionNumber":1,"ResourceName":"asn_db_v6","Description":"Autonomous System IPv6 lookup 
database","Size":3824614,"Labels":null},"Hash":[190,158,214,94,245,151,168,16,210,71,115,11,150,72,202,151,41,196,129,233,211,177,43,115,84,178,76,178,183,175,8,133]},{"Name":"d359729a-00e3-46fd-b785-1b6595c8b38b","Type":"playbook","AdditionalInfo":{"UUID":"dbd84b95-11b7-450d-9111-9bb33d63741b","Name":"Network Enrichment Kit Overview","Description":""},"Hash":[120,23,182,52,238,179,8,252,186,118,181,215,87,12,27,40,23,140,136,154,176,117,46,22,69,10,142,0,35,163,175,191]},{"Name":"dns_types","Type":"resource","AdditionalInfo":{"VersionNumber":1,"ResourceName":"dns_types","Description":"DNS Resource Record Types","Size":5356,"Labels":null},"Hash":[13,51,98,62,240,199,36,180,66,41,91,69,223,63,32,16,113,122,241,168,251,235,188,50,98,144,124,40,198,200,27,184]},{"Name":"ieee_802","Type":"resource","AdditionalInfo":{"VersionNumber":1,"ResourceName":"ieee_802","Description":"IEEE 802 Ethernet Types","Size":12048,"Labels":null},"Hash":[139,151,222,164,93,164,71,120,236,184,112,152,88,25,72,48,234,188,134,250,216,221,47,84,46,215,34,201,115,125,7,172]},{"Name":"ip_protocols","Type":"resource","AdditionalInfo":{"VersionNumber":1,"ResourceName":"ip_protocols","Description":"IP Protocol lookup resource","Size":8990,"Labels":null},"Hash":[35,216,73,55,140,131,65,111,57,118,82,199,68,18,60,105,44,108,165,206,234,6,102,90,157,112,201,37,162,248,1,174]},{"Name":"LICENSE","Type":"license","AdditionalInfo":"SEE FULL LICENSE AT https://www.maxmind.com/en/geolite2/eula\n\nGeoLite2 End User License Agreement\n\nRevised on December 20, 2019\n\nBy downloading or using our GeoLite2 Database, you are accepting and agreeing to the terms and conditions set forth in this GeoLite2 End User License Agreement (this \"Agreement\").\n\nMaxMind, Inc. (\"MaxMind\"), a Delaware Corporation, offers a line of free databases that provide geographic information and other data associated with specific Internet protocol addresses (each a \"GeoLite2 Database\" and collectively the \"GeoLite2 Databases\"). 
The data available through the GeoLite2 Databases is referred to in this Agreement as the \"GeoLite2 Data\". The term “Services” as used in this Agreement means the Geolite2 Databases and the GeoLite2 Data available at GeoLite2 Free Downloadable Databases on the MaxMind website, www.maxmind.com (the \"Website\").\n\nADDITIONAL POLICIES, TERMS AND CONDITIONS.\n\nThe following policies are incorporated into this Agreement by reference and provide additional terms and conditions incorporated herein by this reference and/or related to the use of the Website:\n\nCreative Commons Corporation Attribution-ShareAlike 4.0 International License (the “Creative Commons License”)\nMaxMind Data Processing Addendum (“DPA”)\nMaxMind Privacy Policy (“PP”)\nMaxMind Website Terms of Use (“WT”)\nThis Agreement controls in the event of any conflict with the above-referenced documents. Thereafter, for any conflicts among the above 4 documents, the priority and precedence of interpretation is DPA, PP, WT and Creative Commons License.\n\nOTHER DATABASES AND PRODUCTS.\n\nThis Agreement does not apply to your use of any databases or products offered by MaxMind other than the Services. If you use other MaxMind databases or products, additional or other terms and conditions shall apply to your use of such databases and products, and you agree to pay all applicable charges.\n\nLIMITED GRANT OF RIGHTS.\n\nSubject to the terms and conditions of this Agreement, to the extent the Services contain any copyrightable elements those copyrightable elements are governed by the Creative Commons License. 
You must provide attribution of your use to MaxMind (an example of attribution: “This product includes GeoLite2 data created by MaxMind, available from \u003ca href=\"https://www.maxmind.com\"\u003ehttps://www.maxmind.com\u003c/a\u003e“).\n\nIn addition and if you are using the Services for internal use, subject to the terms and conditions of this Agreement, MaxMind also hereby grants you a non-exclusive, non-transferable limited license to access and use the Services for your own internal business purposes.\n\nWith respect to either or both of the above licenses, (i) you agree to use the Services only in a manner that is consistent with applicable laws and (ii) you may not remove or obscure any copyright notice or other notice or terms of use contained in the Services.\n\nNO USE OF GEOLITE2 DATA FOR FCRA PURPOSES.\n\nThe parties understand and agree that MaxMind is not a consumer reporting agency as defined by the Fair Credit Reporting Act, 15 U.S.C. §1681 et seq. (\"FCRA\"), and that the Services do not constitute \"consumer reports\" as defined in the FCRA. You agree that you will not use the Services to determine any consumer's eligibility for any product or service to be used by a consumer for personal, family, or household purposes. You also agree that you will not use the Services (i) as a factor in establishing a consumer's eligibility for credit, (ii) as a factor in establishing a consumer's eligibility for insurance, (iii) for employment purposes, (iv) in connection with a determination of an individual's eligibility for a license or other benefit granted by a governmental authority, or (v) in connection with any permissible purpose as defined by the FCRA.\n\nACCURACY EXPECTATION: NO USE OF GEOLITE2 DATA FOR IDENTIFYING SPECIFIC HOUSEHOLDS OR INDIVIDUALS. \n\nDue to the nature of geolocation technology and other factors beyond its control, MaxMind cannot and does not guarantee the accuracy of the GeoLite2 Data. 
The GeoLite2 Databases contain only the geographic data available and the availability of such data is not consistent for all regions. Furthermore, none of the GeoLite2 Data reliably identifies any geographic level or division more precise than the zip code or postal code associated with an IP address. Accordingly, it is imperative that you and your end users not rely on the GeoLite2 Data to identify a specific household, individual, or street address. You acknowledge the foregoing limitation of the GeoLite2 Data and agree represent and warrant that you will not use or encourage others to use the GeoLite2 Data for the purpose of identifying or locating a specific household, individual, or street address.\n\nADDITIONAL RESTRICTIONS.\n\nDisclosure of Services. Except as explicitly permitted by the Creative Commons License, you will not disclose the Services to any third party or after notifying MaxMind of the anticipated disclosure and obtaining MaxMind’s prior written consent to the disclosure. To the extent you disclose the Services to a third party as permitted by this Agreement, you will impose upon the third party the same or substantially similar contractual duties imposed on you and the rights provided to MaxMind as in this Agreement, including those in LIMITED GRANT OF RIGHTS, ADDITIONAL RESTRICTIONS, and DATA PROCESSING and, where not inconsistent with the other terms of this Agreement, as in the Creative Commons License. You are responsible for the acts or omissions of any third parties with which you share the Services.\nSecurity of the Services. You will maintain reasonable and appropriate technical and organizational measures for the protection of the security, confidentiality, and integrity of the Services (including protection against unauthorized or unlawful processing and against accidental or unlawful destruction, loss, or alteration or damage, unauthorized disclosure of, or access to, such data). 
In the event you discover a data incident involving the Services, you shall promptly notify MaxMind and fully cooperate with MaxMind, at your own expense, in remediating the incident.\nDestructions of GeoLite2 Database and GeoLite2 Data. From time to time, MaxMind will release an updated version of the GeoLite2 Databases, and you agree to promptly use the updated version of the GeoLite2 Databases. You shall cease use of and destroy (i) any old versions of the Services within thirty (30) days following the release of the updated GeoLite2 Databases; and (ii) all Services immediately upon termination of the license under this Agreement. Upon request, you shall provide MaxMind with written confirmation of such destruction.\nProvision of Data to MaxMind. The Services provided by MaxMind under this Agreement do not require MaxMind to process Personal Information on behalf of Licensee. Licensee shall not provide any Personal Information to MaxMind nor cause MaxMind to process any Personal Information on its behalf.\nINDEMNIFICATION.\n\nYou will indemnify and hold MaxMind and its affiliates harmless from and against any and all claims, causes of action, liabilities, penalties, costs or expenses (including reasonable attorney’s fees) incurred by MaxMind or any affiliate thereof as a result of your breach of any of the terms of this Agreement.\n\nFEES.\n\nThe Services are made available to you free of charge. MaxMind reserves the right to stop offering the Services free of charge at any time, and charge for future updates to the Services.\n\nCHANGES TO THE AGREEMENT/TERMINATION.\n\n(a) MaxMind may amend this Agreement at any time. Any such amendment(s) shall be binding and effective upon the earlier of (i) the date that is thirty (30) days after the posting of the amended Agreement on the Website or (ii) the date that MaxMind provides notice to you of the amended Agreement. 
You may immediately terminate this Agreement upon written notice to MaxMind if a change is unacceptable to you. Your continued use of the Services following notice to you of a change shall constitute your acceptance of the change.\n\n(b) This Agreement shall terminate immediately if, within the reasonable judgment of MaxMind, you materially breach any material term or condition of this Agreement and fail to remedy the breach within ten (10) days of receipt of written notice thereof stating MaxMind's intent to terminate upon non-cure of the breach. Your failure to comply with the Restrictions on Use is a breach of a material term of this Agreement.\n\nNO CONSEQUENTIAL DAMAGES/LIMITATION ON LIABILITY.\n\nUnder no circumstances, including negligence, shall MaxMind or any related party or supplier be liable for indirect, incidental, special, consequential, or punitive damages, or for loss of profits, revenue, or data, that are directly or indirectly related to the use of or the inability to access and use the Services, whether in an action in contract, tort, product liability, strict liability, statute, or otherwise, even if MaxMind has been advised of the possibility of those damages. The total liability of MaxMind, in connection with a loss or damages arising hereunder (an \"Occurrence\") is limited to the greater of $100 or the lowest amount permitted by applicable law.\n\nNO WARRANTIES/AVAILABILITY.\n\nMaxMind furnishes the Services on an as-is, as-available basis. MaxMind makes no warranty, express or implied, with respect to their capability, accuracy, or completeness. All warranties of any type, express or implied, including the warranties of merchantability, fitness for a particular purpose, and non-infringement of third party rights are expressly disclaimed. 
Furthermore, since the availability of Services offered through the Website is dependent upon many factors beyond MaxMind's control, MaxMind does not guarantee uninterrupted availability of any such Services. Any such Services may be inoperative and/or unavailable due to technical difficulties or for maintenance purposes, at any time and without notice. While MaxMind does not warrant that the MaxMind Website is free of harmful components, MaxMind shall make commercially reasonable efforts to maintain the Website free of viruses and malicious code.\n\nGOVERNING LAW.\n\nThis Agreement shall be governed and interpreted pursuant to the laws of the Commonwealth of Massachusetts, applicable to contracts made and to be performed wholly in Massachusetts, without regard to principles of conflicts of laws. You specifically consent to personal jurisdiction in Massachusetts in connection with any dispute between you and MaxMind arising out of this Agreement. You agree that the exclusive venue for any dispute hereunder shall be in the state and federal courts in Boston, Massachusetts. This Agreement shall be construed and interpreted in English, and any translation hereof to a language other than English shall be for convenience only.\n\nNOTICES.\n\nNotices given under this Agreement shall be in writing and sent by facsimile, email, or by first class mail or equivalent. MaxMind shall direct notice to you at the email address or physical mailing address you provided in the registration process. 
You shall direct notice to MaxMind at the following address:\n\nMaxMind, Inc.\n\n14 Spring Street, Suite 3\n\nWaltham, MA 02451\n\nU.S.A.\n\nEmail: legal@maxmind.com\n\nEither party may change its notice contact information at any time by giving notice of the new contact information as provided in this section.\n\nCOMPLETE AGREEMENT.\n\nThis Agreement (which includes the policies, terms and conditions referenced above and incorporated herein) represents the entire agreement between you and MaxMind with respect to the subject matter hereof and supersedes all previous representations, understandings, or agreements, oral and written, between the parties regarding the subject matter hereof. The headings contained in this Agreement are for convenience only and shall not govern its interpretation.\n\nASSIGNMENT.\n\nYou may not assign this Agreement without MaxMind's prior written consent. MaxMind may assign its rights and obligations under this Agreement without your consent.\n\nSEVERABILITY.\n\nShould any provision of this Agreement be held void, invalid, or inoperative, such decision shall not affect any other provision hereof, and the remainder of this Agreement shall be effective as though such void, invalid, or inoperative provision had not been contained herein.\n\nCOMPLIANCE WITH LAW.\n\nNotwithstanding any provisions of this Agreement to the contrary, you shall in performance of this Agreement comply with all applicable laws, executive orders, regulations ordinances and rules of all governments (“Applicable Laws”), including all applicable export and re-export control laws and regulations, such as the Export Administration Regulations (“EAR”) maintained by the USA Department of Commerce, trade and economic sanctions maintained by the USA Treasury Department’s Office of Foreign Assets Control, and the International Traffic in Arms Regulations (“ITAR”) maintained by the USA Department of State. 
Specifically, and without limitation, you agree that you shall not, directly or indirectly, sell, export, re-export, transfer, divert, or otherwise dispose of any Services (including products derived from or based on such Services) to any destination, entity, or person prohibited by the laws or regulations of the USA, without obtaining prior authorization from the competent government authorities as required by those laws and regulations.\n","Hash":[140,78,175,14,143,41,238,37,214,105,192,209,96,48,67,103,17,126,20,19,100,143,163,153,53,107,250,32,110,169,157,189]},{"Name":"mac_prefixes","Type":"resource","AdditionalInfo":{"VersionNumber":1,"ResourceName":"mac_prefixes","Description":"Database of MAC address prefixes","Size":3477306,"Labels":null},"Hash":[202,37,222,121,236,175,9,133,58,27,211,77,104,223,236,213,233,108,5,4,61,208,73,32,255,201,24,102,78,220,234,194]},{"Name":"maxmind","Type":"resource","AdditionalInfo":{"VersionNumber":1,"ResourceName":"maxmind","Description":"The MaxMind GeoIP database","Size":60495914,"Labels":null},"Hash":[166,155,28,231,36,167,30,38,8,16,200,215,50,154,171,40,52,49,189,120,21,24,19,148,22,149,16,157,49,44,237,141]},{"Name":"network_services","Type":"resource","AdditionalInfo":{"VersionNumber":1,"ResourceName":"network_services","Description":"Network services (protocol + port) database","Size":531213,"Labels":null},"Hash":[184,127,112,75,55,88,31,242,143,174,53,86,164,158,36,23,173,20,212,243,156,251,138,131,220,18,39,234,136,145,91,102]}],"ConfigMacros":null},{"ID":"io.gravwell.windows.sysmon","Name":"Windows Sysmon","UUID":"dcdf0488-0767-4aff-9ef5-137a65a11676","Version":6,"Description":"The Gravwell Sysmon kit provides a wide array of queries, dashboards, templates, and actionables to support monitoring and investigating Sysmon data. 
The sysmon kit helps you monitor DNS, network, file, and registry activity provided by the Sysmon toolkit, it can be an invaluable resource for day-to-day monitoring as well as hunting misbehaving applications and malware.","Readme":"","Signed":true,"AdminRequired":false,"MinVersion":{"Major":5,"Minor":4,"Point":11},"MaxVersion":{"Major":0,"Minor":0,"Point":0},"Size":3085824,"Created":"2024-08-05T16:24:04.505993536Z","Ingesters":["winevent"],"Tags":["windows","sysmon"],"Assets":[{"Type":"image","Source":"cover.png","Legend":"Windows Sysmon","Featured":true,"Banner":false},{"Type":"image","Source":"banner.png","Legend":"Windows Sysmon","Featured":true,"Banner":true},{"Type":"readme","Source":"README.md","Legend":"","Featured":false,"Banner":false}],"Dependencies":[{"ID":"io.gravwell.windows.resource","MinVersion":1},{"ID":"io.gravwell.networkenrichment","MinVersion":6}],"Items":[{"Name":"sysmon_event_ids","Type":"resource","AdditionalInfo":{"VersionNumber":1,"ResourceName":"sysmon_event_ids","Description":"Sysmon Event IDs","Size":723,"Labels":["sysmon","windows"]},"Hash":[28,57,55,251,90,228,51,105,146,170,70,0,249,39,22,113,86,31,133,194,247,207,22,229,75,114,61,175,1,195,223,99]},{"Name":"2e916960-c531-4577-8d85-68ba5cca6c81","Type":"dashboard","AdditionalInfo":{"UUID":"2e916960-c531-4577-8d85-68ba5cca6c81","Name":"Sysmon Network Overview","Description":"Overview of network activity as seen by Sysmon"},"Hash":[135,108,51,71,200,217,184,209,57,218,226,190,111,241,137,66,28,89,220,211,106,157,92,98,216,135,181,160,48,131,245,86]},{"Name":"5ac40515-573f-42b7-94ca-05fdb9fdeead","Type":"dashboard","AdditionalInfo":{"UUID":"5ac40515-573f-42b7-94ca-05fdb9fdeead","Name":"Sysmon DNS Overview","Description":"Overview dashboard of DNS activity as seen by 
Sysmon"},"Hash":[135,223,88,116,160,5,227,136,216,38,157,193,250,56,248,84,213,16,146,190,161,109,33,87,143,179,218,122,115,93,67,98]},{"Name":"6a1a19eb-3a20-433b-8e6a-c667ec047c48","Type":"dashboard","AdditionalInfo":{"UUID":"6a1a19eb-3a20-433b-8e6a-c667ec047c48","Name":"Sysmon Investigate Computer","Description":"Investigate activity on a particular computer"},"Hash":[49,24,131,12,250,211,231,234,76,195,67,19,181,254,105,62,182,21,228,126,205,175,6,160,208,112,235,137,167,239,188,45]},{"Name":"50b06309-c8c3-46b0-af80-6ddd496b0a73","Type":"dashboard","AdditionalInfo":{"UUID":"50b06309-c8c3-46b0-af80-6ddd496b0a73","Name":"Sysmon Process Overview","Description":"Sysmon Process Activity Overview"},"Hash":[169,104,119,125,97,195,37,54,0,182,69,250,239,203,49,150,81,102,213,185,48,124,226,28,13,208,191,137,183,137,50,208]},{"Name":"69049b3c-b83d-4cae-9071-9b24a1f0baba","Type":"dashboard","AdditionalInfo":{"UUID":"69049b3c-b83d-4cae-9071-9b24a1f0baba","Name":"Sysmon Registry Overview","Description":"Activity on registry keys"},"Hash":[61,98,44,229,121,204,213,172,12,144,196,217,211,157,136,89,23,25,3,211,159,42,29,31,67,46,253,11,33,202,7,234]},{"Name":"90918c39-5748-48ab-a0db-91a6534e0911","Type":"dashboard","AdditionalInfo":{"UUID":"90918c39-5748-48ab-a0db-91a6534e0911","Name":"Sysmon Process GUID Investigation","Description":"Investigate Process Activity via Sysmon"},"Hash":[68,111,192,106,30,176,101,184,1,191,40,38,83,213,110,105,213,120,140,207,155,175,136,216,30,49,253,176,11,32,81,32]},{"Name":"ae15b1b7-8cb7-48d4-84e9-b850754346c9","Type":"dashboard","AdditionalInfo":{"UUID":"ae15b1b7-8cb7-48d4-84e9-b850754346c9","Name":"Sysmon Process Name Investigator","Description":"Use the name of an EXE to search for related activity across all sysmon 
logs"},"Hash":[103,109,79,223,248,194,167,76,53,21,197,42,185,137,72,61,211,20,128,168,44,122,190,238,216,233,225,39,64,146,2,61]},{"Name":"d0905e72-ecad-49c3-9f7b-23560608258f","Type":"dashboard","AdditionalInfo":{"UUID":"d0905e72-ecad-49c3-9f7b-23560608258f","Name":"Sysmon DNS Domain Investigation","Description":"Investigate activity for a specified domain"},"Hash":[199,167,90,239,134,6,179,209,237,119,242,92,16,32,223,3,2,29,183,51,179,93,76,142,49,4,72,41,67,129,17,118]},{"Name":"0a0e1528-17ea-4104-a56a-fe198cfc4a87","Type":"pivot","AdditionalInfo":{"UUID":"0a0e1528-17ea-4104-a56a-fe198cfc4a87","Name":"Sysmon Executable","Description":"Examine Windows Executable Events"},"Hash":[189,101,227,120,166,112,239,232,13,241,194,226,124,191,88,90,185,46,215,92,50,141,212,148,191,60,221,101,210,86,201,142]},{"Name":"b131ba07-2b35-44d5-85cb-fe2d3c1f229a","Type":"pivot","AdditionalInfo":{"UUID":"b131ba07-2b35-44d5-85cb-fe2d3c1f229a","Name":"Sysmon SHA256 Match","Description":"Search sysmon events for matches on a SHA256"},"Hash":[26,101,83,128,227,62,200,56,134,140,2,158,5,70,92,50,157,78,109,214,135,65,91,63,158,83,151,159,38,7,105,239]},{"Name":"baa2801b-9973-4b49-8845-8463523f4a05","Type":"pivot","AdditionalInfo":{"UUID":"baa2801b-9973-4b49-8845-8463523f4a05","Name":"Process GUID","Description":"Investigate Process GUIDs"},"Hash":[83,13,18,214,10,33,186,154,243,200,228,76,50,49,128,57,193,236,225,214,27,129,129,79,160,5,157,52,116,127,205,47]},{"Name":"be668521-d078-4898-a9e7-3b8bd5bd8c4d","Type":"pivot","AdditionalInfo":{"UUID":"be668521-d078-4898-a9e7-3b8bd5bd8c4d","Name":"Sysmon DNS","Description":""},"Hash":[79,247,23,112,239,157,38,146,65,98,45,245,130,206,252,104,8,0,36,153,249,216,202,90,3,212,157,145,37,16,201,221]},{"Name":"0f2f186e-7c89-4036-953b-7a786cf0bd2d","Type":"template","AdditionalInfo":{"UUID":"0f2f186e-7c89-4036-953b-7a786cf0bd2d","Name":"Sysmon application launches by Computer","Description":"For a given computer, list the applications launched and 
frequency of launches."},"Hash":[230,28,169,217,72,204,237,212,39,217,245,2,204,26,209,114,34,68,231,78,86,1,214,145,153,38,125,250,232,223,20,146]},{"Name":"0f280f0e-1a35-4f51-8318-075a6fdf2844","Type":"template","AdditionalInfo":{"UUID":"0f280f0e-1a35-4f51-8318-075a6fdf2844","Name":"Sysmon EventID Frequency by Computer","Description":"Charts the frequency of various event types for a given computer."},"Hash":[110,179,17,172,120,214,95,249,230,83,138,4,207,248,47,37,152,34,21,152,18,142,94,25,207,108,185,122,209,185,101,218]},{"Name":"4e152397-2e75-4da4-b124-a5b68bb6e39b","Type":"template","AdditionalInfo":{"UUID":"4e152397-2e75-4da4-b124-a5b68bb6e39b","Name":"Sysmon ProcessName Created","Description":"All Sysmon created events for a given process name"},"Hash":[0,32,67,86,137,254,12,179,189,133,196,60,64,199,217,167,32,16,197,116,214,112,226,200,207,211,145,124,121,32,131,116]},{"Name":"5d186b5c-ba5d-429a-a838-8e5909d648f8","Type":"template","AdditionalInfo":{"UUID":"5d186b5c-ba5d-429a-a838-8e5909d648f8","Name":"Sysmon ProcessGuid Files Created","Description":"Show all files created by a specific process GUID"},"Hash":[7,20,168,72,254,224,46,119,17,188,110,32,37,49,215,89,185,222,41,230,41,83,163,103,132,125,241,237,79,130,102,5]},{"Name":"8bcf72d8-dfe1-4773-8b44-c5d9ca42ef67","Type":"template","AdditionalInfo":{"UUID":"8bcf72d8-dfe1-4773-8b44-c5d9ca42ef67","Name":"Sysmon ProcessName Files created","Description":"Files created by a given process name"},"Hash":[57,10,109,211,241,39,179,113,100,7,232,159,140,43,124,252,196,78,33,189,220,19,53,88,161,5,226,145,84,114,88,14]},{"Name":"34c5d680-8882-44ff-9543-2ffbc2520866","Type":"template","AdditionalInfo":{"UUID":"34c5d680-8882-44ff-9543-2ffbc2520866","Name":"Sysmon Process Guid Loaded Images","Description":"Show all loaded images by a specific 
process"},"Hash":[188,42,63,54,66,37,142,162,88,29,118,218,109,71,195,10,190,204,173,39,61,69,216,221,2,182,206,131,22,234,159,210]},{"Name":"43b1c029-9f41-4c76-a32d-d65ff9785864","Type":"template","AdditionalInfo":{"UUID":"43b1c029-9f41-4c76-a32d-d65ff9785864","Name":"Sysmon ProcessGuid","Description":"Identify all other images that match the SHA256 from a process"},"Hash":[106,32,221,67,170,173,32,56,123,159,191,169,187,215,87,169,196,49,64,37,222,28,78,103,141,144,20,102,110,47,148,142]},{"Name":"57deb1d0-aab2-479b-82a9-853144ffd6ef","Type":"template","AdditionalInfo":{"UUID":"57deb1d0-aab2-479b-82a9-853144ffd6ef","Name":"Sysmon DNS Totals","Description":""},"Hash":[231,77,61,90,167,12,3,50,194,157,133,226,176,185,89,116,205,50,76,235,33,245,233,139,221,244,138,129,63,54,199,98]},{"Name":"63d69f47-9b2a-4aa0-9f60-32f1997bc9e1","Type":"template","AdditionalInfo":{"UUID":"63d69f47-9b2a-4aa0-9f60-32f1997bc9e1","Name":"Sysmon DNS queries by Computer","Description":"Total DNS queries by specified Computer."},"Hash":[231,240,148,16,70,184,20,163,182,196,158,171,46,36,129,3,8,127,132,91,177,200,153,153,231,199,192,133,147,232,104,172]},{"Name":"77e6fa1e-ac8d-4d05-9fbe-18e4e7f207b8","Type":"template","AdditionalInfo":{"UUID":"77e6fa1e-ac8d-4d05-9fbe-18e4e7f207b8","Name":"Sysmon ProcessName Users","Description":"Chart of Users who have executed this process"},"Hash":[97,111,254,243,66,4,46,251,228,177,23,76,238,218,137,58,39,34,198,198,126,187,237,4,24,116,175,240,193,165,71,251]},{"Name":"082be707-d9a1-4188-902b-041cd16be576","Type":"template","AdditionalInfo":{"UUID":"082be707-d9a1-4188-902b-041cd16be576","Name":"Sysmon ProcessName Event Chart","Description":"A chart of all EventIDs related to a given process 
name"},"Hash":[183,174,201,34,128,6,145,200,122,224,76,132,25,123,115,214,131,152,24,30,111,218,216,217,73,72,19,48,162,18,76,194]},{"Name":"87d7b1c8-2aa4-4b09-816a-295d548b797b","Type":"template","AdditionalInfo":{"UUID":"87d7b1c8-2aa4-4b09-816a-295d548b797b","Name":"Sysmon Matching SHA256 Process Creation","Description":"Show all processes that match a given SHA256"},"Hash":[154,158,67,163,230,66,106,148,23,26,37,189,54,24,172,73,47,76,236,158,130,122,99,224,116,126,58,95,20,90,113,161]},{"Name":"461f93f2-86be-4122-a4f3-f6eb751f018c","Type":"template","AdditionalInfo":{"UUID":"461f93f2-86be-4122-a4f3-f6eb751f018c","Name":"Sysmon Process DNS Query Activity Summary","Description":"Table of DNS query activity for a given process"},"Hash":[115,20,72,209,59,67,230,158,90,244,140,69,116,219,225,61,146,241,246,235,13,107,178,173,211,68,151,44,29,155,11,83]},{"Name":"948b682a-f154-4561-ab95-7ab602beb73a","Type":"template","AdditionalInfo":{"UUID":"948b682a-f154-4561-ab95-7ab602beb73a","Name":"Sysmon DNS Client Querying this Name","Description":""},"Hash":[92,118,99,65,250,69,48,100,82,149,2,90,106,41,21,170,251,145,173,77,133,35,119,118,208,233,219,229,244,14,193,170]},{"Name":"1668ea7e-a44b-4cb5-9a21-037de26db297","Type":"template","AdditionalInfo":{"UUID":"1668ea7e-a44b-4cb5-9a21-037de26db297","Name":"Sysmon ProcessName DNS","Description":"DNS requests by a given process name"},"Hash":[24,29,134,241,45,134,91,218,51,207,25,100,213,42,105,151,39,164,16,118,98,147,187,194,172,209,176,102,155,215,152,218]},{"Name":"7944efa0-8ba4-461f-9f13-c192dfc04571","Type":"template","AdditionalInfo":{"UUID":"7944efa0-8ba4-461f-9f13-c192dfc04571","Name":"Sysmon ProcessName network","Description":"Network communications from a given Image 
name"},"Hash":[130,4,203,60,114,97,84,65,49,182,249,59,32,108,250,32,128,220,148,112,70,215,113,116,53,213,19,236,192,157,93,130]},{"Name":"168623c9-1069-4880-80e2-c80d2ff81de3","Type":"template","AdditionalInfo":{"UUID":"168623c9-1069-4880-80e2-c80d2ff81de3","Name":"Sysmon ProcessGuid Registry Activity","Description":""},"Hash":[56,139,45,239,33,128,229,246,49,220,206,192,37,150,78,251,92,82,209,35,134,164,41,188,56,17,151,28,189,216,0,157]},{"Name":"74852262-a4cb-4ff7-85f6-ecf09a7f3a77","Type":"template","AdditionalInfo":{"UUID":"74852262-a4cb-4ff7-85f6-ecf09a7f3a77","Name":"Event Counts by ProcessGuid","Description":"Numbercard of total Event Counts by Process Guid"},"Hash":[81,141,229,209,164,100,40,71,27,156,171,87,0,28,154,234,186,234,75,219,39,239,157,122,244,165,123,84,80,252,39,30]},{"Name":"b5324425-596a-4ede-bd17-0847c90c3c34","Type":"template","AdditionalInfo":{"UUID":"b5324425-596a-4ede-bd17-0847c90c3c34","Name":"Sysmon network connections by Computer","Description":"For the specified Computer, find network connection counts by service."},"Hash":[172,121,158,147,6,170,162,179,132,91,182,76,170,62,43,194,193,124,185,155,241,9,107,218,16,162,184,230,205,176,89,176]},{"Name":"bcb5c951-d4ce-47be-ae72-f41167dfbcb9","Type":"template","AdditionalInfo":{"UUID":"bcb5c951-d4ce-47be-ae72-f41167dfbcb9","Name":"Sysmon DNS Processes Querying this Name","Description":""},"Hash":[130,223,109,233,18,168,116,96,111,246,211,114,83,224,242,138,114,74,165,250,181,239,222,153,136,84,20,218,222,63,85,75]},{"Name":"c0d16c9d-d112-45fd-a89f-851b02b91170","Type":"template","AdditionalInfo":{"UUID":"c0d16c9d-d112-45fd-a89f-851b02b91170","Name":"Sysmon ProcessGuid Network Connections","Description":"Sysmon outbound process 
activity"},"Hash":[85,216,139,158,82,33,133,98,83,246,171,99,108,54,250,163,171,244,229,35,180,3,96,31,47,211,230,201,192,140,215,97]},{"Name":"d19183fe-5928-41d8-a58a-30c9341405ff","Type":"template","AdditionalInfo":{"UUID":"d19183fe-5928-41d8-a58a-30c9341405ff","Name":"Sysmon ProcessGuid DNS Activity","Description":"Show all DNS activity for a given process"},"Hash":[61,192,2,122,106,57,55,232,253,63,82,219,236,165,184,134,99,229,216,236,190,161,20,75,172,34,202,0,77,173,212,32]},{"Name":"db7e06bc-d35a-4cbe-a7ea-786be9921482","Type":"template","AdditionalInfo":{"UUID":"db7e06bc-d35a-4cbe-a7ea-786be9921482","Name":"Sysmon DNS Requests over Time","Description":""},"Hash":[222,227,149,127,85,215,60,151,32,250,127,152,141,146,206,234,124,60,247,86,105,193,11,50,18,27,230,94,45,77,80,86]},{"Name":"e679c3e2-59bc-4190-8181-0a2716e5d4b5","Type":"template","AdditionalInfo":{"UUID":"e679c3e2-59bc-4190-8181-0a2716e5d4b5","Name":"Sysmon ProcessGuid File Delete","Description":"Show all files deleted by a specific process GUID"},"Hash":[89,89,2,213,228,123,93,230,236,60,84,144,214,42,102,146,114,30,182,204,251,223,253,63,113,23,40,170,118,84,174,6]},{"Name":"67c215e7-1b00-4300-91c7-23b387c19f25","Type":"file","AdditionalInfo":{"UUID":"67c215e7-1b00-4300-91c7-23b387c19f25","Name":"SysmonProcessChart.png","Description":"Chart of Sysmon process creation","Size":29861,"ContentType":"image/png"},"Hash":[72,42,221,204,207,249,106,91,108,135,246,223,223,194,171,73,95,70,125,128,63,165,98,65,50,228,79,218,244,157,118,60]},{"Name":"261b4a66-95d8-4725-9b2e-2c367e287bc5","Type":"file","AdditionalInfo":{"UUID":"261b4a66-95d8-4725-9b2e-2c367e287bc5","Name":"SysmonMicAccess.png","Description":"Screenshot of Sysmon microphone 
access","Size":28547,"ContentType":"image/png"},"Hash":[154,200,181,226,50,66,46,121,187,5,209,161,245,255,15,46,52,4,20,53,162,194,251,184,197,197,132,168,68,250,143,55]},{"Name":"cee6ccc0-dd78-4b4c-bb5d-207bf78977a5","Type":"file","AdditionalInfo":{"UUID":"cee6ccc0-dd78-4b4c-bb5d-207bf78977a5","Name":"Cover Image","Description":"","Size":551444,"ContentType":"image/png"},"Hash":[27,173,147,95,181,92,232,41,78,91,241,70,48,97,216,150,201,226,35,174,202,37,236,184,83,60,37,212,32,22,128,236]},{"Name":"d329d4fb-1392-4c96-a9a1-5cf75be39436","Type":"file","AdditionalInfo":{"UUID":"d329d4fb-1392-4c96-a9a1-5cf75be39436","Name":"Banner Image","Description":"","Size":1544565,"ContentType":"image/png"},"Hash":[228,222,241,33,193,105,168,101,20,3,216,128,138,175,136,215,188,103,110,19,107,18,163,162,252,120,141,79,87,119,2,76]},{"Name":"PROVIDER","Type":"macro","AdditionalInfo":{"Name":"PROVIDER","Description":"The Sysmon Provider value (Default: Provider==\"Microsoft-Windows-Sysmon\")","Expansion":"Provider==\"Microsoft-Windows-Sysmon\""},"Hash":[43,174,238,241,71,178,68,141,161,205,99,14,243,208,55,167,225,233,94,245,243,119,117,108,164,210,235,246,51,116,76,88]},{"Name":"SYSMON","Type":"macro","AdditionalInfo":{"Name":"SYSMON","Description":"The Sysmon tag value (Default: sysmon)","Expansion":"sysmon"},"Hash":[166,202,114,76,139,194,175,1,120,175,62,243,111,215,176,140,84,190,64,148,174,7,220,95,136,0,155,112,209,106,195,84]},{"Name":"0c94f3a1-4577-4211-a946-9b792844e21b","Type":"searchlibrary","AdditionalInfo":{"Name":"Sysmon: Unique Process Creations","Description":"Table of parent processes that are only seen executing other processes once","Query":"tag=$SYSMON winlog $PROVIDER EventID==1 ParentImage Computer User CommandLine |\nstats count by ParentImage |\neval count == 1 |\ntable ParentImage Computer User 
CommandLine","UUID":"0c94f3a1-4577-4211-a946-9b792844e21b"},"Hash":[200,194,68,237,214,120,104,92,242,49,163,83,88,55,230,194,47,179,56,12,95,235,65,119,78,140,118,118,211,134,151,223]},{"Name":"2c356ee9-c791-4285-b99c-c101089ee1d6","Type":"searchlibrary","AdditionalInfo":{"Name":"Sysmon: Process Creation Events Table as Share of Whole","Description":"Table of process creation event counts by computer with a calculation of the share of total process events across all machines","Query":"@count{tag=$SYSMON winlog $PROVIDER EventID==1 | stats count as total};\ntag=$SYSMON winlog $PROVIDER EventID==1 Computer |\nstats count by Computer |\nenrich -r @count total |\neval share = (float(count)/float(total))*100.0; |\nsort by share desc |\ntable Computer count share\n","UUID":"2c356ee9-c791-4285-b99c-c101089ee1d6"},"Hash":[95,64,200,35,208,165,46,73,93,38,174,205,90,134,48,124,166,76,90,241,58,153,166,50,107,63,59,94,144,255,226,136]},{"Name":"2c357cbd-2e46-4322-ac1b-4038b8802dc3","Type":"searchlibrary","AdditionalInfo":{"Name":"Sysmon: DNS Beaconing","Description":"Table of DNS names (Sysmon Event ID 22 QueryName) that are queried at regular intervals. Ranked by the ratio of the standard deviation of the inter-query interval to its mean (lower = more regular); only names queried more than twice with a standard deviation below the mean are kept.","Query":"tag=$SYSMON winlog $PROVIDER EventID==22 QueryName |\ndiff TIMESTAMP by QueryName |\nrequire -s diff |\nstats mean(diff) stddev(diff) count by QueryName |\neval (stddev \u003c mean \u0026\u0026 count \u003e 2) |\neval r = stddev/mean; Duration = duration(mean); |\nsort by r asc |\ntable QueryName Duration count\n","UUID":"2c357cbd-2e46-4322-ac1b-4038b8802dc3"},"Hash":[41,19,230,15,224,109,221,252,188,214,245,58,52,41,190,50,250,41,30,119,18,86,245,185,75,235,140,144,104,76,234,77]},{"Name":"2eb3cdf6-7666-4f42-b186-d2d9784f197c","Type":"searchlibrary","AdditionalInfo":{"Name":"Sysmon: Process Termination by Computer","Description":"Table of Process Terminations by Computer","Query":"tag=$SYSMON winlog $PROVIDER EventID==5 Computer |\nstats count by Computer |\ntable Computer 
count","UUID":"2eb3cdf6-7666-4f42-b186-d2d9784f197c"},"Hash":[176,197,117,186,123,130,155,93,133,5,127,245,41,50,9,139,247,30,113,94,163,0,240,70,245,168,21,236,25,233,58,187]},{"Name":"3dd5db6b-11af-423e-a606-371ed93bfce7","Type":"searchlibrary","AdditionalInfo":{"Name":"Sysmon: Registry Technique Frequency","Description":"Frequency of potential attack techniques via registry modification","Query":"tag=$SYSMON winlog $PROVIDER EventID\u003c=14 RuleName!=\"-\" |\neval EventID\u003e=12 |\nregex -e RuleName \"technique_id=(?P\u003ctechnique_id\u003e[^,]+),technique_name=(?P\u003ctechnique_name\u003e.+)\" |\nstats count by technique_name technique_id |\ntable technique_name technique_id count","UUID":"3dd5db6b-11af-423e-a606-371ed93bfce7"},"Hash":[180,84,74,253,171,82,73,240,74,209,170,116,194,180,199,7,173,179,162,195,195,123,101,80,179,185,72,23,88,10,223,236]},{"Name":"4cada82e-f7cd-4605-a6ff-64ee5677b13e","Type":"searchlibrary","AdditionalInfo":{"Name":"Sysmon: DNS Requests by Computer over Time","Description":"Chart showing dns requests over time by computer","Query":"tag=$SYSMON winlog $PROVIDER EventID==22 TimeCreated ProcessID ThreadID Computer UserID UtcTime QueryName QueryStatus QueryResults Image |\ncount by Computer |\nchart count by Computer","UUID":"4cada82e-f7cd-4605-a6ff-64ee5677b13e"},"Hash":[0,72,87,131,219,61,54,56,48,86,250,178,247,132,114,97,6,7,196,63,223,140,249,130,158,77,160,68,24,250,59,189]},{"Name":"4cc4926f-7f27-4a32-8166-c90a5e72100b","Type":"searchlibrary","AdditionalInfo":{"Name":"Sysmon: Network Connection Detected","Description":"Chart of total number of network connections over time","Query":"tag=$SYSMON winlog $PROVIDER EventID == 3 \n| stats count \n| chart count 
","UUID":"4cc4926f-7f27-4a32-8166-c90a5e72100b"},"Hash":[219,155,241,247,96,119,51,143,239,20,12,179,166,13,146,144,237,60,39,66,80,117,42,229,130,156,0,202,131,164,86,51]},{"Name":"5fe00171-5a46-4aa9-9ff8-5ad8df442cdc","Type":"searchlibrary","AdditionalInfo":{"Name":"Sysmon: Network Connections","Description":"Chart of network connection counts by protocol","Query":"tag=$SYSMON winlog $PROVIDER EventID == 3 Protocol |\nstats count by Protocol |\nchart count by Protocol","UUID":"5fe00171-5a46-4aa9-9ff8-5ad8df442cdc"},"Hash":[184,198,74,127,59,131,169,254,128,6,172,156,90,66,126,58,2,14,150,51,245,131,104,77,41,216,128,153,245,72,228,63]},{"Name":"6aad4b56-12ed-4fb7-939f-df15fc6e3a9d","Type":"searchlibrary","AdditionalInfo":{"Name":"Sysmon: Process Creation Rate","Description":"Chart of total process creation rate","Query":"tag=$SYSMON winlog $PROVIDER EventID==1 |\nstats count |\nchart count","UUID":"6aad4b56-12ed-4fb7-939f-df15fc6e3a9d"},"Hash":[168,123,189,229,115,37,58,65,133,72,146,153,181,222,3,86,119,99,204,89,108,54,93,211,41,112,126,46,126,209,215,130]},{"Name":"6dc79f5e-5955-49bf-9b88-81c09c685455","Type":"searchlibrary","AdditionalInfo":{"Name":"Sysmon: Most Queried DNS Names","Description":"Table of total number of queries for a given DNS Name","Query":"tag=$SYSMON winlog $PROVIDER EventID==22 TimeCreated ProcessID ThreadID Computer UserID UtcTime QueryName QueryStatus QueryResults Image |\ncount by QueryName |\ntable count QueryName","UUID":"6dc79f5e-5955-49bf-9b88-81c09c685455"},"Hash":[220,237,164,202,124,46,112,70,36,47,166,12,29,154,190,76,122,30,47,32,155,25,110,75,70,198,192,98,77,252,105,121]},{"Name":"7d85f0aa-4cb0-4aa6-b6e4-fdf4f7a59c16","Type":"searchlibrary","AdditionalInfo":{"Name":"Sysmon: DNS Errors Over Time","Description":"Chart categorizing the DNS errors by error type over time","Query":"tag=$SYSMON winlog $PROVIDER EventID==22 QueryStatus!=0 |\nstats count by QueryStatus |\nlookup -r windows_error_codes QueryStatus hex name |\nchart 
count by name","UUID":"7d85f0aa-4cb0-4aa6-b6e4-fdf4f7a59c16"},"Hash":[170,59,1,170,210,19,40,85,116,137,77,48,68,241,235,106,178,157,230,128,42,35,248,243,0,12,39,124,184,198,37,29]},{"Name":"8a2c4d44-f1bf-42a8-b73a-ceade2add2cf","Type":"searchlibrary","AdditionalInfo":{"Name":"Sysmon: DNS Errors","Description":"Table showing DNS errors by type with description","Query":"tag=$SYSMON winlog $PROVIDER EventID==22 QueryStatus!=0 |\nstats count by QueryStatus |\nlookup -r windows_error_codes QueryStatus hex (name desc) |\ntable count name QueryStatus desc","UUID":"8a2c4d44-f1bf-42a8-b73a-ceade2add2cf"},"Hash":[97,182,46,48,92,21,227,90,244,213,121,59,122,219,47,198,90,167,124,170,76,244,134,255,158,150,86,253,119,215,241,149]},{"Name":"9d1f75a6-e533-4e29-ac08-7dd809941b9d","Type":"searchlibrary","AdditionalInfo":{"Name":"Sysmon: Unsigned Driver Loads","Description":"Table of driver load events (Sysmon Event ID 6) where the Signed field is not true, with the driver's SHA256 extracted from the Hashes field. Note that this filter excludes drivers reported as Signed whose SignatureStatus is nonetheless not a pass; review those with the Driver Load Activity table, which lists Signed, Signature and SignatureStatus for every load.","Query":"tag=$SYSMON winlog $PROVIDER EventID==6 Computer ImageLoaded Hashes Signed!=true SignatureStatus Signature |\nkv -e Hashes -sep \"=\" -d \",\" SHA256 |\ntable TIMESTAMP Computer Signature SignatureStatus Signed ImageLoaded SHA256","UUID":"9d1f75a6-e533-4e29-ac08-7dd809941b9d"},"Hash":[15,98,98,152,158,90,85,204,101,166,85,210,252,152,74,140,39,65,81,16,109,218,89,230,253,12,217,195,151,69,116,164]},{"Name":"9f404f9a-812a-4d82-a46b-ab194d51b77a","Type":"searchlibrary","AdditionalInfo":{"Name":"Sysmon: DNS Most Active Clients","Description":"Table of most active DNS clients as seen by sysmon","Query":"tag=$SYSMON winlog $PROVIDER EventID==22 TimeCreated ProcessID ThreadID Computer UserID UtcTime QueryName QueryStatus QueryResults Image |\ncount by Computer |\ntable count Computer","UUID":"9f404f9a-812a-4d82-a46b-ab194d51b77a"},"Hash":[106,247,122,5,26,49,249,119,243,231,130,39,229,33,148,219,252,83,230,191,103,126,113,162,135,36,134,23,126,89,213,161]},{"Name":"10ecb70c-2806-453b-aa22-a3ebdd31060a","Type":"searchlibrary","AdditionalInfo":{"Name":"Sysmon: Registry 
Modifications by Image","Description":"Chart which programs are modifying the registry the most","Query":"tag=$SYSMON winlog $PROVIDER EventID Image |\neval ( EventID==12 || EventID==13 || EventID==14 ) |\nregex -e Image \".+\\\\(?P\u003cexename\u003e[^\\\\]+.exe)\" |\nstats count by exename |\nchart count by exename\n","UUID":"10ecb70c-2806-453b-aa22-a3ebdd31060a"},"Hash":[149,161,137,231,51,217,32,97,97,89,185,1,221,135,94,33,45,66,108,164,76,59,218,71,223,196,84,18,50,242,157,8]},{"Name":"23a60041-0f1d-4212-9534-280e6ea06e8a","Type":"searchlibrary","AdditionalInfo":{"Name":"Sysmon: Process Creation","Description":"Table of all Sysmon process creation events","Query":"tag=$SYSMON winlog $PROVIDER EventID==1 Computer User OriginalFileName FileVersion Description Product ParentCommandLine |\ntable Computer User OriginalFileName Product Description ParentCommandLine","UUID":"23a60041-0f1d-4212-9534-280e6ea06e8a"},"Hash":[80,170,252,21,199,57,248,249,167,3,127,234,211,63,208,66,200,115,149,40,114,255,19,93,93,235,97,24,76,117,219,243]},{"Name":"45fa6e57-add4-4c85-80bd-04528f427101","Type":"searchlibrary","AdditionalInfo":{"Name":"Sysmon: DNS Most Active Processes","Description":"Most active DNS processes as seen by sysmon","Query":"tag=$SYSMON winlog $PROVIDER EventID==22 TimeCreated ProcessID ThreadID Computer UserID UtcTime QueryName QueryStatus QueryResults Image |\ncount by Image |\ntable count Image","UUID":"45fa6e57-add4-4c85-80bd-04528f427101"},"Hash":[120,164,207,172,67,135,77,211,51,62,130,29,99,238,19,186,187,72,105,254,112,134,202,236,253,163,235,58,167,184,145,45]},{"Name":"59f849d7-b608-4106-b21f-51818f5dd5bc","Type":"searchlibrary","AdditionalInfo":{"Name":"Sysmon: Process Creation Rates by Computer","Description":"Count of process creation events by Computer","Query":"tag=$SYSMON winlog $PROVIDER EventID==1 Computer |\nstats count by Computer |\nchart count by Computer limit 
25","UUID":"59f849d7-b608-4106-b21f-51818f5dd5bc"},"Hash":[156,40,114,79,131,18,99,222,83,132,192,53,202,205,97,246,147,98,247,132,179,42,205,195,245,117,176,68,187,229,238,241]},{"Name":"69f4e0a6-df57-4120-98f1-d3a0bd181d37","Type":"searchlibrary","AdditionalInfo":{"Name":"Sysmon: DNS Queries by Resource Record Type","Description":"Chart of DNS Record types","Query":"tag=$SYSMON winlog $PROVIDER EventID==22 QueryResults |\nregex -p -e QueryResults \"type:\\s+(?P\u003cRRType\u003e[0-9]+)\" |\nenrich RRType 1 |\nlookup -r dns_types RRType Value TYPE |\ncount by TYPE |\nchart count by TYPE","UUID":"69f4e0a6-df57-4120-98f1-d3a0bd181d37"},"Hash":[80,249,91,112,182,91,248,151,119,160,245,83,82,132,190,145,155,57,207,57,167,177,119,46,26,198,135,64,238,221,77,149]},{"Name":"83a531a3-2e8a-4859-b0dd-b7c892881fc0","Type":"searchlibrary","AdditionalInfo":{"Name":"Sysmon: Network connection by IP Protocol","Description":"Chart of IPv4 vs IPv6 Connection activity","Query":"tag=$SYSMON winlog $PROVIDER EventID == 3 DestinationIsIpv6 |\neval if (DestinationIsIpv6 == \"true\") { $(type) = \"IPv6\"; } else { $(type) = \"IPv4\"; } |\nstats count by type |\nchart count by type\n","UUID":"83a531a3-2e8a-4859-b0dd-b7c892881fc0"},"Hash":[87,123,239,65,220,55,18,82,83,89,246,82,159,218,37,214,226,127,106,159,177,63,111,250,69,106,125,58,11,25,16,171]},{"Name":"83ae1edf-97c1-483c-8b05-98c1d08331f3","Type":"searchlibrary","AdditionalInfo":{"Name":"Sysmon: Windows Registry Environment Modification","Description":"Query to show all registry write activity to system wide environment variables","Query":"tag=$SYSMON winlog $PROVIDER EventID == 13 Image Computer TargetObject ~ \"HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\Environment\" Details |\ntable Computer Image TargetObject Details 
TIMESTAMP","UUID":"83ae1edf-97c1-483c-8b05-98c1d08331f3"},"Hash":[32,154,190,25,245,147,135,30,180,46,38,121,82,114,190,249,47,159,30,188,175,41,182,183,105,105,195,52,67,113,217,38]},{"Name":"84cdc657-d87b-4247-a2fd-0b5f7a173b77","Type":"searchlibrary","AdditionalInfo":{"Name":"Sysmon: DNS Totals","Description":"Gauge of DNS Unique Domains, Unique Queries and Total Queries","Query":"tag=$SYSMON winlog $PROVIDER EventID==22 QueryName QueryStatus |\nregex -e QueryName \"(?P\u003cdomain\u003e[^\\.]+\\.[^\\.]+)\\.?$\" |\nstats unique_count(domain) as \"Unique Domains\" unique_count(QueryName) as \"Unique Queries\" count as \"Total Queries\" |\ngauge \"Unique Queries\" \"Unique Domains\" \"Total Queries\"","UUID":"84cdc657-d87b-4247-a2fd-0b5f7a173b77"},"Hash":[196,161,55,91,237,94,248,10,17,192,249,68,176,82,224,160,141,167,155,81,95,52,209,123,0,221,68,188,216,95,69,22]},{"Name":"84eb34b6-cbbf-47e3-8e76-d1e65dadbf0f","Type":"searchlibrary","AdditionalInfo":{"Name":"Sysmon: Driver Load Activity","Description":"Table of driver activity","Query":"tag=$SYSMON winlog $PROVIDER EventID==6 Computer ImageLoaded Hashes Signed Signature SignatureStatus |\nkv -e Hashes -sep \"=\" -d \",\" SHA256 |\nstats count as LoadCount by Computer ImageLoaded SHA256 |\ntable Computer Signed Signature SignatureStatus LoadCount ImageLoaded SHA256","UUID":"84eb34b6-cbbf-47e3-8e76-d1e65dadbf0f"},"Hash":[47,75,175,244,231,149,203,156,43,174,146,142,234,58,160,27,42,12,24,95,84,119,157,146,79,216,162,110,226,194,218,235]},{"Name":"90ce6904-4e47-45e8-975a-3fa7b0783c13","Type":"searchlibrary","AdditionalInfo":{"Name":"Sysmon: CreateRemoteThread unique activity","Description":"Table of source applications creating remote threads in many other target applications","Query":"tag=$SYSMON winlog $PROVIDER EventID==8 Computer SourceImage TargetImage StartModule StartFunction |\nstats unique_count(TargetImage) by SourceImage |\nsort by unique_count desc |\ntable SourceImage 
unique_count","UUID":"90ce6904-4e47-45e8-975a-3fa7b0783c13"},"Hash":[151,249,252,29,177,204,203,123,113,166,193,106,99,242,150,138,250,128,124,104,246,56,255,82,46,66,135,126,197,160,190,189]},{"Name":"227e9dbf-ae59-4995-b17b-6a346ff0042f","Type":"searchlibrary","AdditionalInfo":{"Name":"Sysmon: DNS Requests by Process over Time","Description":"Chart of Process DNS Requests over Time","Query":"tag=$SYSMON winlog $PROVIDER EventID==22 TimeCreated ProcessID ThreadID Computer UserID UtcTime QueryName QueryStatus QueryResults Image |\ncount by Image |\nchart count by Image","UUID":"227e9dbf-ae59-4995-b17b-6a346ff0042f"},"Hash":[101,86,225,230,232,110,224,128,164,42,118,81,138,48,215,238,78,4,114,182,216,194,173,93,113,95,65,49,133,125,181,224]},{"Name":"0308f7d1-dc1b-4ff1-a1e4-39d209d900b2","Type":"searchlibrary","AdditionalInfo":{"Name":"Sysmon: Registry events by computer \u0026 image","Description":"Counts the number of registry events (creation, deletion, modification) per computer and image (executable file)","Query":"tag=$SYSMON winlog $PROVIDER EventID Computer Image \n| eval ( EventID==12 || EventID==13 || EventID==14 ) \n| stats count by Image Computer \n| table Image Computer count","UUID":"0308f7d1-dc1b-4ff1-a1e4-39d209d900b2"},"Hash":[220,92,3,118,193,30,51,160,252,162,49,19,100,206,41,178,239,52,18,166,3,53,102,247,252,16,224,63,70,160,234,209]},{"Name":"311bdf8d-5ec2-4e09-b77f-9c7615b90240","Type":"searchlibrary","AdditionalInfo":{"Name":"Sysmon: Registry Techniques Detected","Description":"Count of triggered rules that indicate potential registry modification","Query":"tag=$SYSMON winlog $PROVIDER EventID RuleName!=\"-\" \n| eval ( EventID==12 || EventID==13 || EventID==14 ) \n| stats count by RuleName \n| table RuleName count 
","UUID":"311bdf8d-5ec2-4e09-b77f-9c7615b90240"},"Hash":[38,93,152,216,15,32,148,143,160,65,225,160,130,162,46,197,173,103,84,121,57,58,196,91,137,128,207,250,114,30,196,102]},{"Name":"315c6cbb-d5a6-46d3-8a19-d4ac68c82d03","Type":"searchlibrary","AdditionalInfo":{"Name":"Sysmon: Process Start Deviation by Integrity Level","Description":"Chart showing standard deviation of the count of process starts by Integrity Level","Query":"tag=$SYSMON winlog $PROVIDER EventID == 1 IntegrityLevel |\nstats count by IntegrityLevel |\nstats stddev(count) by IntegrityLevel over 5m |\nchart stddev by IntegrityLevel","UUID":"315c6cbb-d5a6-46d3-8a19-d4ac68c82d03"},"Hash":[220,187,155,17,189,8,57,126,12,1,151,8,199,3,161,0,64,207,99,113,124,79,166,173,57,44,243,131,97,58,169,171]},{"Name":"688f94a9-bf43-4b64-b5d0-e162c6763785","Type":"searchlibrary","AdditionalInfo":{"Name":"Sysmon: Registry Overview","Description":"Chart of total registry activity","Query":"tag=$SYSMON winlog $PROVIDER EventID \u003c= 14 Computer Image \n| eval EventID \u003e= 12; \n| stats count \n| chart count ","UUID":"688f94a9-bf43-4b64-b5d0-e162c6763785"},"Hash":[140,121,160,207,153,133,14,233,247,23,9,129,239,174,57,91,58,232,108,31,59,210,82,211,8,232,205,248,252,233,123,151]},{"Name":"793f7fbd-d6a7-486d-af4d-fb17f42cbdbd","Type":"searchlibrary","AdditionalInfo":{"Name":"Sysmon: Process Creation by User","Description":"Table of process creation event counts by physical users","Query":"tag=$SYSMON winlog $PROVIDER EventID==1 TerminalSessionId==1 User |\nstats count by User |\ntable User count","UUID":"793f7fbd-d6a7-486d-af4d-fb17f42cbdbd"},"Hash":[182,5,110,117,175,25,195,17,19,108,135,91,43,183,3,45,254,39,131,67,21,194,139,95,169,251,224,118,97,45,58,94]},{"Name":"2599dbf9-3a10-45bf-98b5-3d0e1a701276","Type":"searchlibrary","AdditionalInfo":{"Name":"Sysmon: Windows Rule Tally","Description":"Table of total events by each rule technique","Query":"tag=$SYSMON winlog $PROVIDER RuleName != \"\" |\nkv -s -e 
RuleName -d \",\" -sep \"=\" technique_id technique_name |\nstats count by technique_name |\ntable technique_name count","UUID":"2599dbf9-3a10-45bf-98b5-3d0e1a701276"},"Hash":[166,60,155,164,51,4,191,14,149,235,75,136,151,48,101,7,72,31,113,195,144,119,63,59,206,70,223,133,166,77,52,1]},{"Name":"7192fbde-eb4d-41fc-b214-df8b8c4c7123","Type":"searchlibrary","AdditionalInfo":{"Name":"Sysmon: Errors","Description":"Windows Sysmon Error events","Query":"tag=$SYSMON winlog $PROVIDER RuleName != \"\" EventID == 255 ID Description |\ntable TIMESTAMP ID Description","UUID":"7192fbde-eb4d-41fc-b214-df8b8c4c7123"},"Hash":[201,163,200,156,26,90,152,32,227,8,209,162,10,136,119,161,46,194,122,218,113,47,174,157,82,32,210,205,220,223,224,199]},{"Name":"22628ed0-f6f5-44ae-9284-8be6e930bdf9","Type":"searchlibrary","AdditionalInfo":{"Name":"Sysmon: Least Common Network Service Ports","Description":"Table showing the least common network service ports","Query":"tag=$SYSMON winlog $PROVIDER EventID == 3 DestinationPort |\nstats count by DestinationPort |\nsort by count asc |\nlimit 100 |\ntable DestinationPort count","UUID":"22628ed0-f6f5-44ae-9284-8be6e930bdf9"},"Hash":[73,90,181,172,193,133,66,55,36,131,169,170,40,16,204,163,170,116,128,165,157,142,25,57,58,123,138,115,33,12,226,191]},{"Name":"78257dc2-ad67-45b5-86b6-852fec7a39ca","Type":"searchlibrary","AdditionalInfo":{"Name":"Sysmon: Windows Low Integrity Process Starts","Description":"Table of process starts from Low Integrity Applications","Query":"tag=$SYSMON winlog $PROVIDER EventID==1 IntegrityLevel==Low Computer User OriginalFileName FileVersion Product Company Description |\nstats count by Computer User OriginalFileName FileVersion |\ntable count Product Computer User Company OriginalFileName FileVersion 
Description","UUID":"78257dc2-ad67-45b5-86b6-852fec7a39ca"},"Hash":[168,20,145,89,86,27,234,49,154,141,7,251,122,215,172,246,21,145,41,235,239,137,52,140,140,187,126,67,29,37,39,54]},{"Name":"453457d1-2fcf-4620-a963-ce9491d47d84","Type":"searchlibrary","AdditionalInfo":{"Name":"Sysmon: Top 100 Parent Processes","Description":"Table of the 100 most common parent processes that execute other processes","Query":"tag=$SYSMON winlog $PROVIDER EventID==1 ParentImage |\nstats count by ParentImage |\neval count \u003e 1 |\nlimit 100 |\nsort by count desc |\ntable -nt ParentImage count","UUID":"453457d1-2fcf-4620-a963-ce9491d47d84"},"Hash":[49,225,224,147,77,158,199,37,186,112,210,106,230,0,236,106,128,220,114,237,216,124,112,126,53,66,16,57,107,224,123,200]},{"Name":"3171549f-ea97-4e1a-809b-0e9743fdd54e","Type":"searchlibrary","AdditionalInfo":{"Name":"Sysmon: Windows Product Launch Counts","Description":"Table of product launch counts","Query":"tag=$SYSMON winlog $PROVIDER EventID==1 OriginalFileName FileVersion Description Product |\nstats count by Product |\ntable count Product Description OriginalFileName","UUID":"3171549f-ea97-4e1a-809b-0e9743fdd54e"},"Hash":[121,8,68,169,214,226,192,27,136,205,109,181,93,36,219,153,215,161,247,189,230,154,160,233,56,148,154,214,58,12,63,214]},{"Name":"a12de602-d24c-4767-936b-c1179bc9d1a7","Type":"searchlibrary","AdditionalInfo":{"Name":"Sysmon: Microphone time by application","Description":"Totals up time each application spent listening to the microphone.","Query":"tag=$SYSMON winlog $PROVIDER EventID==13 TargetObject RuleName~\"Audio Capture\" Computer TimeCreated Details |\nsort by time asc |\nregex -e Details \"\\((?P\u003cqword\u003e.+)\\)\" qword != \"0x00000000-0x00000000\" |\nregex -e TargetObject \"#(?P\u003cappname\u003e[^#]+)\\\\LastUsedTime(?P\u003cmic_action\u003e\\S+)\" |\ndiff TIMESTAMP by Computer appname |\neval mic_action==\"Stop\" |\nstats count as Count sum(diff) as TotalTime by Computer appname |\ntable Computer 
TotalTime Count","UUID":"a12de602-d24c-4767-936b-c1179bc9d1a7"},"Hash":[105,186,99,171,120,203,144,89,97,21,153,252,110,198,76,46,107,110,0,79,173,139,155,149,99,136,127,105,161,99,49,48]},{"Name":"a020a61b-af5e-40b8-a44f-0690c8ad99e3","Type":"searchlibrary","AdditionalInfo":{"Name":"Sysmon: Process Access with VM_WRITE Access on system32 images","Description":"Display all ProcessAccess requests where an image from outside the system32 directory accesses a process with an image inside system32 with the VM_WRITE permission bit","Query":"tag=$SYSMON winlog $PROVIDER EventID==10 Computer SourceImage!~system32 TargetImage~system32 GrantedAccess |\nanko windows_access_flags GrantedAccess has VM_WRITE |\nanko windows_access_flags GrantedAccess dump Flags |\nstats count by Computer SourceImage TargetImage GrantedAccess |\ntable Computer SourceImage TargetImage count Flags","UUID":"a020a61b-af5e-40b8-a44f-0690c8ad99e3"},"Hash":[120,105,203,236,5,74,92,74,132,56,85,229,70,182,95,149,195,90,201,5,30,119,83,169,66,191,24,148,180,128,242,204]},{"Name":"abbd6b9a-cf20-4b01-bf70-e532879d66ba","Type":"searchlibrary","AdditionalInfo":{"Name":"Sysmon: Process Rare Extensions","Description":"Table of rarely seen image extensions on processes","Query":"tag=$SYSMON winlog $PROVIDER EventID==1 Computer Image |\nregex -e Image \"\\.(?P\u003cextension\u003e[a-zA-Z0-9]+)$\" |\nstats count by extension |\nsort by count asc |\nlimit 10 |\ntable extension count","UUID":"abbd6b9a-cf20-4b01-bf70-e532879d66ba"},"Hash":[41,28,248,251,191,212,95,136,127,164,203,0,211,174,230,80,40,77,146,73,140,182,174,178,78,149,37,44,188,8,144,32]},{"Name":"ac25e3ff-a24a-4d59-b211-266a8fa6a82e","Type":"searchlibrary","AdditionalInfo":{"Name":"Sysmon: Registry Autorun","Description":"Show registry events where an autorun program is installed","Query":"tag=$SYSMON winlog $PROVIDER EventID == 13 Image Computer RuleName ~ \"Registry Run Keys\" Details TargetObject |\nwords Registry Run Keys |\ntable Computer Image 
Details TargetObject TIMESTAMP","UUID":"ac25e3ff-a24a-4d59-b211-266a8fa6a82e"},"Hash":[242,147,98,138,190,104,202,175,247,152,2,106,54,31,126,210,168,130,45,30,26,148,20,116,91,225,104,251,125,113,91,254]},{"Name":"bc1b77dd-a7ae-4235-8182-dae36f12e062","Type":"searchlibrary","AdditionalInfo":{"Name":"Sysmon: Network Connection Pointmap","Description":"Pointmap of network connections with ASN Organization","Query":"tag=$SYSMON winlog $PROVIDER EventID == 3 DestinationIp |\nstats count by DestinationIp |\ngeoip DestinationIp.Location |\ngeoip -r asn_db DestinationIp.ASNOrg |\npointmap DestinationIp ASNOrg count","UUID":"bc1b77dd-a7ae-4235-8182-dae36f12e062"},"Hash":[193,109,240,195,163,153,25,7,116,25,124,187,230,45,221,111,215,225,90,30,114,91,86,29,245,161,208,203,183,103,145,107]},{"Name":"ce0ef618-9135-4860-9f6f-091c65925c44","Type":"searchlibrary","AdditionalInfo":{"Name":"Sysmon: DNS Queries over Time","Description":"Chart of the total number of DNS queries over time","Query":"tag=$SYSMON winlog $PROVIDER EventID==22 | chart","UUID":"ce0ef618-9135-4860-9f6f-091c65925c44"},"Hash":[114,157,205,147,153,36,8,254,128,230,121,119,54,161,24,214,61,77,64,217,221,179,48,106,222,215,133,62,170,174,115,151]},{"Name":"d22fec64-d6d8-421e-a554-07a702b3b571","Type":"searchlibrary","AdditionalInfo":{"Name":"Sysmon: Network Connections by Computer","Description":"Table of total connection groups by computer","Query":"tag=$SYSMON winlog $PROVIDER EventID == 3 Computer DestinationIp |\nstats count by DestinationIp Computer |\ngeoip -r asn_db DestinationIp.ASNOrg |\nstats unique_count(DestinationIp) as \"Unique IPs\" sum(count) as \"Total Connections\" by ASNOrg Computer |\nsort by \"Unique IPs\" desc |\ntable Computer ASNOrg \"Unique IPs\" \"Total 
Connections\"","UUID":"d22fec64-d6d8-421e-a554-07a702b3b571"},"Hash":[236,110,29,230,41,151,146,186,238,255,254,196,187,99,56,251,140,38,108,181,202,168,181,6,70,54,33,80,198,243,68,72]},{"Name":"d661e0f9-d9fe-4e75-bc5a-ce0f57f12834","Type":"searchlibrary","AdditionalInfo":{"Name":"Sysmon: Process CreateRemoteThread Activity","Description":"Table of processes creating remote threads in other processes","Query":"tag=$SYSMON winlog $PROVIDER EventID==8 Computer SourceImage TargetImage StartModule StartFunction |\nstats count by SourceImage TargetImage StartModule StartFunction |\ntable Computer SourceImage TargetImage StartModule StartFunction count","UUID":"d661e0f9-d9fe-4e75-bc5a-ce0f57f12834"},"Hash":[119,32,5,11,97,77,172,38,59,143,160,6,99,232,99,145,28,46,199,153,137,97,56,225,253,185,141,218,28,211,181,86]},{"Name":"da4f3eae-de63-45d3-9b58-42f8016580aa","Type":"searchlibrary","AdditionalInfo":{"Name":"Sysmon: Process Tampering Event Counts by Type","Description":"Table of Sysmon process tampering events by type","Query":"tag=$SYSMON winlog $PROVIDER EventID==25 Type |\nstats count by Type |\ntable Type count","UUID":"da4f3eae-de63-45d3-9b58-42f8016580aa"},"Hash":[23,185,152,80,0,239,219,81,171,68,174,165,77,88,133,226,116,3,168,97,96,104,177,20,52,236,22,142,47,239,95,21]},{"Name":"da8c9621-b3b5-4daa-aa49-4eb0477e5a29","Type":"searchlibrary","AdditionalInfo":{"Name":"Sysmon: Process Creation via Multiple Paths","Description":"Table showing a list of processes where the same image is seen executing from multiple image locations","Query":"tag=$SYSMON winlog $PROVIDER EventID==1 Image Hashes |\nkv -e Hashes -d \",\" -sep \"=\" SHA256 |\nstats unique_count(Image) by SHA256 |\neval unique_count\u003e1 |\nsort by unique_count desc |\ntable SHA256 unique_count 
Image","UUID":"da8c9621-b3b5-4daa-aa49-4eb0477e5a29"},"Hash":[183,210,45,90,196,12,64,105,0,209,131,162,187,143,223,87,254,121,56,65,241,161,202,192,199,157,6,138,11,72,24,222]},{"Name":"dd808c75-036d-489a-8e78-313ba2a32309","Type":"searchlibrary","AdditionalInfo":{"Name":"Sysmon: rare process image hashes","Description":"Table of rarely seen process SHA256 hashes","Query":"tag=$SYSMON winlog $PROVIDER EventID == 1 Computer Image Hashes |\nkv -sep \"=\" -d \",\" -e Hashes SHA256 |\nstats count by SHA256 |\neval count \u003c 2 |\nlimit 100 |\ntable Image count Computer SHA256","UUID":"dd808c75-036d-489a-8e78-313ba2a32309"},"Hash":[81,210,121,98,180,97,11,185,86,227,136,188,186,146,77,210,155,108,61,77,185,118,224,73,77,135,187,160,188,82,85,206]},{"Name":"ecf6c4e3-0212-4d34-9122-39c28a054f78","Type":"searchlibrary","AdditionalInfo":{"Name":"Sysmon: Driver Loads with invalid signatures","Description":"Table of driver activity where the signature of a driver could not be validated","Query":"tag=$SYSMON winlog $PROVIDER EventID==6 Computer ImageLoaded Hashes Signed SignatureStatus!=\"Valid\" Signature |\nkv -e Hashes -sep \"=\" -d \",\" SHA256 |\ntable TIMESTAMP Computer Signature SignatureStatus Signed ImageLoaded SHA256","UUID":"ecf6c4e3-0212-4d34-9122-39c28a054f78"},"Hash":[175,50,71,87,172,237,2,8,38,74,161,214,229,23,253,155,156,149,93,83,141,246,118,150,95,177,171,246,42,250,26,140]},{"Name":"f1aaac81-d4ee-4d7e-b4d5-76a5ce0e67ec","Type":"searchlibrary","AdditionalInfo":{"Name":"Sysmon: Network Peer Totals","Description":"Table of unique IPs and total connection counts by ASN Organization","Query":"tag=$SYSMON winlog $PROVIDER EventID == 3 DestinationIp | stats count by DestinationIp |\ngeoip -r asn_db DestinationIp.ASNOrg |\nstats unique_count(DestinationIp) as \"Unique IPs\" sum(count) as \"Total Connections\" by ASNOrg |\nsort by \"Unique IPs\" desc |\ntable ASNOrg \"Unique IPs\" \"Total 
Connections\"","UUID":"f1aaac81-d4ee-4d7e-b4d5-76a5ce0e67ec"},"Hash":[116,61,98,245,227,28,93,224,189,4,192,28,25,139,92,142,240,70,50,16,209,183,118,5,161,67,216,249,14,228,61,47]},{"Name":"fa0800a6-6b9e-4428-8ea5-b901872fa7dc","Type":"searchlibrary","AdditionalInfo":{"Name":"Sysmon: Short Lived Processes","Description":"Table of short-lived processes","Query":"@termination{tag=$SYSMON winlog $PROVIDER EventID==5 ProcessGuid | table ProcessGuid TIMESTAMP};\ntag=$SYSMON winlog $PROVIDER EventID==1 Computer User IntegrityLevel OriginalFileName ProcessGuid CurrentDirectory ParentImage |\nlookup -r @termination ProcessGuid ProcessGuid TIMESTAMP as endts |\ndiff endts TIMESTAMP as uptime | eval uptime \u003c duration(\"10s\") |\nsort by uptime asc |\ntable Computer User OriginalFileName CurrentDirectory IntegrityLevel ParentImage uptime\n","UUID":"fa0800a6-6b9e-4428-8ea5-b901872fa7dc"},"Hash":[50,163,7,78,23,59,212,151,29,193,51,63,221,194,245,130,27,118,211,55,138,241,82,183,57,253,34,12,71,211,103,239]},{"Name":"fd62f01b-634b-4e09-a42e-d03ce3ff1465","Type":"searchlibrary","AdditionalInfo":{"Name":"Sysmon: Process Tampering Activity by Type","Description":"Chart of Sysmon process tampering events by type","Query":"tag=$SYSMON winlog $PROVIDER EventID==25 Type |\nstats count by Type |\nchart count by Type","UUID":"fd62f01b-634b-4e09-a42e-d03ce3ff1465"},"Hash":[133,187,12,69,73,61,6,98,126,219,54,196,15,126,120,6,178,145,112,203,101,87,198,166,152,85,228,44,191,23,105,50]},{"Name":"1169e587-973b-492a-a73f-e63aeecd023d","Type":"searchlibrary","AdditionalInfo":{"Name":"Sysmon: Computer Image Hash Totals","Description":"Total unique computer image hashes","Query":"tag=$SYSMON winlog $PROVIDER EventID == 1 Computer Image Hashes\n| kv -e Hashes SHA256\n| stats unique_count(SHA256) as \"Unique Images\" unique_count(Computer) as Computers\n| numbercard \"Unique Images\" 
Computers","UUID":"1169e587-973b-492a-a73f-e63aeecd023d"},"Hash":[164,66,89,195,227,142,152,244,218,221,123,120,180,44,221,198,122,106,242,103,126,7,139,182,217,54,91,59,251,236,57,30]},{"Name":"90784520-2e0b-4e2a-9fd6-dadf2f8bdeba","Type":"playbook","AdditionalInfo":{"UUID":"90784520-2e0b-4e2a-9fd6-dadf2f8bdeba","Name":"Sysmon Gravwell Kit","Description":"Gravwell Sysmon Kit"},"Hash":[149,71,215,8,151,127,107,178,36,57,93,50,13,228,86,93,242,120,78,217,244,62,192,195,206,90,72,248,9,71,70,82]}],"ConfigMacros":[{"MacroName":"SYSMON","Description":"The Sysmon tag value","DefaultValue":"sysmon","Value":"","Type":"TAG","InstalledByID":""}]},{"ID":"io.gravwell.pfsense","Name":"Gravwell for pfSense® Software","UUID":"df130230-9a43-45a9-9b66-5684ba10a0ef","Version":1,"Description":"Provides tools for working with pfSense® Software logs, including support for firewall logs.\n","Readme":"","Signed":true,"AdminRequired":false,"MinVersion":{"Major":5,"Minor":0,"Point":0},"MaxVersion":{"Major":0,"Minor":0,"Point":0},"Size":1457152,"Created":"2022-06-01T18:59:08.857559655Z","Ingesters":null,"Tags":["pfsensesyslog"],"Assets":[{"Type":"image","Source":"cover.png","Legend":"pfSense® software analytics kit","Featured":true,"Banner":false},{"Type":"image","Source":"banner.png","Legend":"pfSense® software analytics kit","Featured":true,"Banner":true},{"Type":"readme","Source":"README.md","Legend":"","Featured":false,"Banner":false}],"Dependencies":[{"ID":"io.gravwell.networkenrichment","MinVersion":8}],"Items":[{"Name":"Apache 2.0 License","Type":"license","AdditionalInfo":" Apache License\n Version 2.0, January 2004\n http://www.apache.org/licenses/\n\n TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n 1. 
Definitions.\n\n \"License\" shall mean the terms and conditions for use, reproduction,\n and distribution as defined by Sections 1 through 9 of this document.\n\n \"Licensor\" shall mean the copyright owner or entity authorized by\n the copyright owner that is granting the License.\n\n \"Legal Entity\" shall mean the union of the acting entity and all\n other entities that control, are controlled by, or are under common\n control with that entity. For the purposes of this definition,\n \"control\" means (i) the power, direct or indirect, to cause the\n direction or management of such entity, whether by contract or\n otherwise, or (ii) ownership of fifty percent (50%) or more of the\n outstanding shares, or (iii) beneficial ownership of such entity.\n\n \"You\" (or \"Your\") shall mean an individual or Legal Entity\n exercising permissions granted by this License.\n\n \"Source\" form shall mean the preferred form for making modifications,\n including but not limited to software source code, documentation\n source, and configuration files.\n\n \"Object\" form shall mean any form resulting from mechanical\n transformation or translation of a Source form, including but\n not limited to compiled object code, generated documentation,\n and conversions to other media types.\n\n \"Work\" shall mean the work of authorship, whether in Source or\n Object form, made available under the License, as indicated by a\n copyright notice that is included in or attached to the work\n (an example is provided in the Appendix below).\n\n \"Derivative Works\" shall mean any work, whether in Source or Object\n form, that is based on (or derived from) the Work and for which the\n editorial revisions, annotations, elaborations, or other modifications\n represent, as a whole, an original work of authorship. 
For the purposes\n of this License, Derivative Works shall not include works that remain\n separable from, or merely link (or bind by name) to the interfaces of,\n the Work and Derivative Works thereof.\n\n \"Contribution\" shall mean any work of authorship, including\n the original version of the Work and any modifications or additions\n to that Work or Derivative Works thereof, that is intentionally\n submitted to Licensor for inclusion in the Work by the copyright owner\n or by an individual or Legal Entity authorized to submit on behalf of\n the copyright owner. For the purposes of this definition, \"submitted\"\n means any form of electronic, verbal, or written communication sent\n to the Licensor or its representatives, including but not limited to\n communication on electronic mailing lists, source code control systems,\n and issue tracking systems that are managed by, or on behalf of, the\n Licensor for the purpose of discussing and improving the Work, but\n excluding communication that is conspicuously marked or otherwise\n designated in writing by the copyright owner as \"Not a Contribution.\"\n\n \"Contributor\" shall mean Licensor and any individual or Legal Entity\n on behalf of whom a Contribution has been received by Licensor and\n subsequently incorporated within the Work.\n\n 2. Grant of Copyright License. Subject to the terms and conditions of\n this License, each Contributor hereby grants to You a perpetual,\n worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n copyright license to reproduce, prepare Derivative Works of,\n publicly display, publicly perform, sublicense, and distribute the\n Work and such Derivative Works in Source or Object form.\n\n 3. Grant of Patent License. 
Subject to the terms and conditions of\n this License, each Contributor hereby grants to You a perpetual,\n worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n (except as stated in this section) patent license to make, have made,\n use, offer to sell, sell, import, and otherwise transfer the Work,\n where such license applies only to those patent claims licensable\n by such Contributor that are necessarily infringed by their\n Contribution(s) alone or by combination of their Contribution(s)\n with the Work to which such Contribution(s) was submitted. If You\n institute patent litigation against any entity (including a\n cross-claim or counterclaim in a lawsuit) alleging that the Work\n or a Contribution incorporated within the Work constitutes direct\n or contributory patent infringement, then any patent licenses\n granted to You under this License for that Work shall terminate\n as of the date such litigation is filed.\n\n 4. Redistribution. You may reproduce and distribute copies of the\n Work or Derivative Works thereof in any medium, with or without\n modifications, and in Source or Object form, provided that You\n meet the following conditions:\n\n (a) You must give any other recipients of the Work or\n Derivative Works a copy of this License; and\n\n (b) You must cause any modified files to carry prominent notices\n stating that You changed the files; and\n\n (c) You must retain, in the Source form of any Derivative Works\n that You distribute, all copyright, patent, trademark, and\n attribution notices from the Source form of the Work,\n excluding those notices that do not pertain to any part of\n the Derivative Works; and\n\n (d) If the Work includes a \"NOTICE\" text file as part of its\n distribution, then any Derivative Works that You distribute must\n include a readable copy of the attribution notices contained\n within such NOTICE file, excluding those notices that do not\n pertain to any part of the Derivative Works, in at least one\n of 
the following places: within a NOTICE text file distributed\n as part of the Derivative Works; within the Source form or\n documentation, if provided along with the Derivative Works; or,\n within a display generated by the Derivative Works, if and\n wherever such third-party notices normally appear. The contents\n of the NOTICE file are for informational purposes only and\n do not modify the License. You may add Your own attribution\n notices within Derivative Works that You distribute, alongside\n or as an addendum to the NOTICE text from the Work, provided\n that such additional attribution notices cannot be construed\n as modifying the License.\n\n You may add Your own copyright statement to Your modifications and\n may provide additional or different license terms and conditions\n for use, reproduction, or distribution of Your modifications, or\n for any such Derivative Works as a whole, provided Your use,\n reproduction, and distribution of the Work otherwise complies with\n the conditions stated in this License.\n\n 5. Submission of Contributions. Unless You explicitly state otherwise,\n any Contribution intentionally submitted for inclusion in the Work\n by You to the Licensor shall be under the terms and conditions of\n this License, without any additional terms or conditions.\n Notwithstanding the above, nothing herein shall supersede or modify\n the terms of any separate license agreement you may have executed\n with Licensor regarding such Contributions.\n\n 6. Trademarks. This License does not grant permission to use the trade\n names, trademarks, service marks, or product names of the Licensor,\n except as required for reasonable and customary use in describing the\n origin of the Work and reproducing the content of the NOTICE file.\n\n 7. Disclaimer of Warranty. 
Unless required by applicable law or\n agreed to in writing, Licensor provides the Work (and each\n Contributor provides its Contributions) on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n implied, including, without limitation, any warranties or conditions\n of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n PARTICULAR PURPOSE. You are solely responsible for determining the\n appropriateness of using or redistributing the Work and assume any\n risks associated with Your exercise of permissions under this License.\n\n 8. Limitation of Liability. In no event and under no legal theory,\n whether in tort (including negligence), contract, or otherwise,\n unless required by applicable law (such as deliberate and grossly\n negligent acts) or agreed to in writing, shall any Contributor be\n liable to You for damages, including any direct, indirect, special,\n incidental, or consequential damages of any character arising as a\n result of this License or out of the use or inability to use the\n Work (including but not limited to damages for loss of goodwill,\n work stoppage, computer failure or malfunction, or any and all\n other commercial damages or losses), even if such Contributor\n has been advised of the possibility of such damages.\n\n 9. Accepting Warranty or Additional Liability. While redistributing\n the Work or Derivative Works thereof, You may choose to offer,\n and charge a fee for, acceptance of support, warranty, indemnity,\n or other liability obligations and/or rights consistent with this\n License. 
However, in accepting such obligations, You may act only\n on Your own behalf and on Your sole responsibility, not on behalf\n of any other Contributor, and only if You agree to indemnify,\n defend, and hold each Contributor harmless for any liability\n incurred by, or claims asserted against, such Contributor by reason\n of your accepting any such warranty or additional liability.\n\n END OF TERMS AND CONDITIONS","Hash":[89,137,156,96,145,181,64,88,46,214,23,232,238,170,196,145,157,201,133,204,252,53,69,158,233,117,43,105,155,229,32,91]},{"Name":"SyslogSeverityTable","Type":"resource","AdditionalInfo":{"VersionNumber":1,"ResourceName":"SyslogSeverityTable","Description":"Maps syslog severity numerical codes to corresponding descriptions","Size":304},"Hash":[223,23,133,214,4,104,88,228,151,55,88,221,224,218,227,99,101,209,215,25,132,203,98,178,66,87,67,170,29,107,64,51]},{"Name":"ParseFilterlog","Type":"resource","AdditionalInfo":{"VersionNumber":1,"ResourceName":"ParseFilterlog","Description":"Parses log entries ingested from a pfSense® firewall","Size":9456},"Hash":[192,66,119,72,91,102,162,124,198,78,142,249,9,120,181,132,63,225,66,59,251,20,85,164,24,160,148,239,200,96,174,212]},{"Name":"SyslogFacilityTable","Type":"resource","AdditionalInfo":{"VersionNumber":1,"ResourceName":"SyslogFacilityTable","Description":"Maps syslog facility numerical codes to corresponding descriptions","Size":572},"Hash":[135,4,9,6,89,217,111,248,104,100,184,192,46,105,57,231,43,175,40,21,195,168,92,53,174,25,99,211,125,0,255,78]},{"Name":"4d7bfd79-6d71-44ac-9c95-43491eb445bf","Type":"dashboard","AdditionalInfo":{"UUID":"4d7bfd79-6d71-44ac-9c95-43491eb445bf","Name":"Firewall Investigation for pfSense® software","Description":"IP investigation dashboard for pfSense® firewall (filterlog) 
events"},"Hash":[216,139,85,241,162,7,142,149,32,82,8,169,35,83,79,223,202,203,7,94,10,253,142,121,141,101,249,239,186,23,190,0]},{"Name":"467f64a1-bdf0-44fa-ab9c-11fa50e2c675","Type":"dashboard","AdditionalInfo":{"UUID":"467f64a1-bdf0-44fa-ab9c-11fa50e2c675","Name":"Syslog Investigation Dashboard for pfSense® software","Description":"Summarizes recent events from pfSense® syslog for a given search term"},"Hash":[16,227,8,44,163,188,128,177,199,63,147,186,127,170,190,70,39,1,131,39,83,138,224,47,93,210,233,185,129,111,137,130]},{"Name":"7647d826-3833-481c-a14c-9419278e411e","Type":"dashboard","AdditionalInfo":{"UUID":"7647d826-3833-481c-a14c-9419278e411e","Name":"Firewall Overview for pfSense® software","Description":"An overview of events from the pfSense® firewall (filterlog)"},"Hash":[91,228,134,152,235,128,42,15,149,193,119,93,233,20,0,151,126,146,136,222,244,251,225,31,99,248,175,126,245,164,94,225]},{"Name":"2798c4aa-469c-4e75-833b-ce1482bea6ff","Type":"dashboard","AdditionalInfo":{"UUID":"2798c4aa-469c-4e75-833b-ce1482bea6ff","Name":"Syslog Overview for pfSense® software","Description":"A summary of recent events from pfSense® syslog"},"Hash":[95,178,2,178,212,3,23,152,98,117,112,102,74,32,135,66,47,225,48,4,13,244,173,237,93,155,63,170,214,131,86,184]},{"Name":"0fcde021-7cc5-4324-b23e-bcc07dd7ce1f","Type":"template","AdditionalInfo":{"UUID":"0fcde021-7cc5-4324-b23e-bcc07dd7ce1f","Name":"Standard Deviation of pfSense® Firewall Actions","Description":"A chart showing the standard deviation of pfSense® firewall actions over time, where the target IP is the source IP or destination IP"},"Hash":[22,75,62,13,49,190,5,129,225,4,133,217,127,114,204,134,5,116,149,224,244,39,196,118,19,107,181,198,43,73,44,231]},{"Name":"b1e2c5f3-c6ba-467a-b47a-575805049c0c","Type":"template","AdditionalInfo":{"UUID":"b1e2c5f3-c6ba-467a-b47a-575805049c0c","Name":"pfSense® Syslog Severity Breakdown","Description":"Shows a breakdown of the severity of logged events that match the given 
search term"},"Hash":[28,251,60,56,61,60,83,70,167,46,157,201,45,112,227,235,76,148,152,157,25,40,169,57,86,80,255,26,13,69,187,202]},{"Name":"dfeee681-da79-44a1-9874-7908124a6802","Type":"template","AdditionalInfo":{"UUID":"dfeee681-da79-44a1-9874-7908124a6802","Name":"pfSense® Syslog Facility Breakdown","Description":"Shows a breakdown of the facilities of logged events that match the given search term"},"Hash":[33,20,208,6,29,206,247,195,61,91,110,58,22,66,160,170,182,109,98,148,247,134,24,145,93,47,248,176,184,240,140,90]},{"Name":"a27de6df-2b9e-4f2f-968f-ba0800819715","Type":"template","AdditionalInfo":{"UUID":"a27de6df-2b9e-4f2f-968f-ba0800819715","Name":"Syslog App Breakdown for pfSense® software","Description":"Shows a breakdown of which apps are logging events that match the given search term"},"Hash":[187,182,4,223,245,156,61,197,227,224,179,249,61,233,228,127,210,170,124,7,128,128,66,25,105,209,175,115,122,172,93,248]},{"Name":"5c1740d8-2caa-416b-98ae-37da4e89c500","Type":"template","AdditionalInfo":{"UUID":"5c1740d8-2caa-416b-98ae-37da4e89c500","Name":"pfSense® Syslog Events","Description":"A table of pfSense® syslog events that match the given search term"},"Hash":[195,70,246,117,61,94,94,180,129,82,228,63,52,159,3,49,74,82,81,211,43,166,2,62,247,255,78,39,34,155,143,67]},{"Name":"e80b2158-b1b7-4687-b54b-9ee33fe6a05f","Type":"template","AdditionalInfo":{"UUID":"e80b2158-b1b7-4687-b54b-9ee33fe6a05f","Name":"Firewall Pass Event Count for pfSense® software","Description":"Shows the total number of firewall (filterlog) \"pass\" events for a given time period where the target IP is the source IP or destination IP"},"Hash":[239,29,47,184,13,118,48,61,66,55,239,20,110,89,191,20,175,195,157,239,25,134,236,203,123,72,26,108,176,46,96,104]},{"Name":"b6e9c6ff-97e4-4e66-a82e-4da1838fb9ef","Type":"template","AdditionalInfo":{"UUID":"b6e9c6ff-97e4-4e66-a82e-4da1838fb9ef","Name":"Severe pfSense® Syslog Events","Description":"A table of pfSense® syslog events matching 
the given search term with severity codes between Emergency (0) and Warning (4)"},"Hash":[233,234,78,188,139,219,104,31,113,140,155,205,251,120,223,56,0,60,204,146,143,57,151,216,212,129,11,40,62,3,185,109]},{"Name":"a0024701-7598-4dac-ae5d-7219aeeb02bb","Type":"template","AdditionalInfo":{"UUID":"a0024701-7598-4dac-ae5d-7219aeeb02bb","Name":"Firewall Event Log for pfSense® software","Description":"A table of recent events from pfSense® firewall (filterlog), where the target IP is the source IP or destination IP"},"Hash":[91,241,250,46,189,111,171,206,154,146,248,59,131,144,171,228,6,254,151,121,201,171,22,102,34,39,103,139,44,138,130,184]},{"Name":"70184160-49c9-45d4-9f09-3505da37b913","Type":"template","AdditionalInfo":{"UUID":"70184160-49c9-45d4-9f09-3505da37b913","Name":"Syslog Events over Time for pfSense® software","Description":"Plots the number of pfSense® syslog events matching the search term over time"},"Hash":[205,5,169,233,60,90,175,202,116,44,105,90,169,83,24,103,148,109,42,91,82,176,233,207,176,118,139,61,12,82,15,35]},{"Name":"9e966934-54c7-45f1-aa16-f370263b61d4","Type":"template","AdditionalInfo":{"UUID":"9e966934-54c7-45f1-aa16-f370263b61d4","Name":"Syslog Event Count for pfSense® software","Description":"A gauge indicating the number of pfSense® syslog entries matching the given search term that occur during the selected time frame"},"Hash":[198,224,50,167,246,167,199,191,161,78,139,240,188,220,34,244,117,38,139,26,98,157,235,66,88,11,88,25,99,102,184,85]},{"Name":"8dc23dc4-0df4-4395-a039-c93d749baf1e","Type":"template","AdditionalInfo":{"UUID":"8dc23dc4-0df4-4395-a039-c93d749baf1e","Name":"Map of Source For pfSense® Firewall Actions","Description":"A point map showing the provided geolocated source IP with information about firewall 
actions"},"Hash":[87,16,161,60,201,206,134,195,40,198,134,195,76,169,113,148,14,244,250,103,79,24,149,178,178,80,66,157,17,87,186,233]},{"Name":"ef550483-f271-4469-8257-0692784001b8","Type":"template","AdditionalInfo":{"UUID":"ef550483-f271-4469-8257-0692784001b8","Name":"Firewall Actions for pfSense® software","Description":"A chart showing actions taken by the pfSense® firewall (filterlog) (e.g. pass, block) over time, where the target IP is the source IP or destination IP"},"Hash":[228,171,212,161,228,218,246,169,97,171,113,100,148,93,103,14,86,9,252,76,230,111,184,70,132,196,136,48,38,83,195,207]},{"Name":"83830292-d90a-41a4-a0f3-71704e182202","Type":"template","AdditionalInfo":{"UUID":"83830292-d90a-41a4-a0f3-71704e182202","Name":"Firewall Events over Time for pfSense® software","Description":"Plots pfSense® firewall (filterlog) events over time, where the source or destination IP matches the target IP"},"Hash":[32,229,186,166,57,87,76,204,143,68,20,216,209,178,16,134,117,126,50,248,6,217,136,22,104,254,69,21,178,139,120,66]},{"Name":"6ba5665b-972c-4cb4-89cd-48d381c891da","Type":"template","AdditionalInfo":{"UUID":"6ba5665b-972c-4cb4-89cd-48d381c891da","Name":"Firewall Event Count for pfSense® software","Description":"Shows the total number of firewall (filterlog) events for a given time period where the target IP is the source IP or destination IP"},"Hash":[178,96,59,135,209,214,141,12,213,5,15,234,44,214,234,193,57,132,200,88,233,164,12,31,72,91,202,246,159,109,183,41]},{"Name":"c91361c9-2939-4645-84e9-a99f9ebafd63","Type":"template","AdditionalInfo":{"UUID":"c91361c9-2939-4645-84e9-a99f9ebafd63","Name":"Firewall Block Event Count for pfSense® software","Description":"Shows the total number of firewall (filterlog) \"block\" events for a given time period where the target IP is the source IP or destination 
IP"},"Hash":[128,224,205,68,13,198,199,103,135,116,65,229,20,29,15,73,147,4,208,112,135,102,204,225,44,207,196,212,197,31,108,191]},{"Name":"06da9199-1104-4a62-8e37-ef2a2be1888b","Type":"pivot","AdditionalInfo":{"UUID":"06da9199-1104-4a62-8e37-ef2a2be1888b","Name":"IP Address","Description":"Actionable based on detected IP addresses"},"Hash":[154,21,248,72,111,179,249,208,34,5,84,77,234,208,130,178,180,200,236,40,68,23,77,226,211,77,251,244,48,44,40,137]},{"Name":"27aa0221-9564-47e4-b9b8-e96ccab9b168","Type":"searchlibrary","AdditionalInfo":{"Name":"Actions from pfSense® Firewall","Description":"A chart showing actions taken by the firewall (e.g. pass, block) over time","Query":"tag=$PFSENSE_SYSLOG_TAG syslog Appname == \"filterlog\" Message\n | anko ParseFilterlog\n | count by act\n | chart count by act","UUID":"27aa0221-9564-47e4-b9b8-e96ccab9b168"},"Hash":[125,74,197,29,19,28,110,47,67,81,190,22,137,192,57,112,161,53,45,112,187,246,247,79,36,1,134,2,210,162,136,14]},{"Name":"62e5208a-4954-4a6f-a3ed-d143b1bce3be","Type":"searchlibrary","AdditionalInfo":{"Name":"Other pfSense® Firewall Actions","Description":"Firewall actions other than \"pass\" or \"block\"","Query":"tag=$PFSENSE_SYSLOG_TAG syslog Appname == \"filterlog\" Message Timestamp\n | anko ParseFilterlog\n | eval (act!=\"pass\" \u0026\u0026 act!=\"block\")\n | table act Timestamp realint rulenum subrulenum srcip srcport dstip dstport proto","UUID":"62e5208a-4954-4a6f-a3ed-d143b1bce3be"},"Hash":[255,66,60,173,224,134,18,22,176,231,220,87,186,109,76,144,166,184,64,107,79,7,81,131,57,32,168,14,6,252,123,151]},{"Name":"bed89cfd-d44d-4d74-9341-3b793a3876e3","Type":"searchlibrary","AdditionalInfo":{"Name":"Facility Breakdown for Syslog from pfSense® software","Description":"Shows a breakdown of the facilities of logged events","Query":"tag=$PFSENSE_SYSLOG_TAG syslog Facility\n | lookup -r SyslogFacilityTable Facility \"Numerical Code\" \"Facility\" as facility_description\n | count by Facility\n | chart count 
by facility_description","UUID":"bed89cfd-d44d-4d74-9341-3b793a3876e3"},"Hash":[61,86,43,59,228,208,154,107,0,58,114,252,111,163,109,237,189,14,167,3,215,188,30,148,209,197,62,59,153,127,74,62]},{"Name":"319ab006-626d-4eab-b382-b4595551a26e","Type":"searchlibrary","AdditionalInfo":{"Name":"Standard Deviation of pfSense® Firewall Actions","Description":"A chart showing the standard deviation of pfSense® firewall actions over time.","Query":"tag=$PFSENSE_SYSLOG_TAG syslog Appname == \"filterlog\" Message\n | anko ParseFilterlog\n | count by act\n | stats stddev(count) by act\n | chart stddev by act","UUID":"319ab006-626d-4eab-b382-b4595551a26e"},"Hash":[82,135,191,171,187,105,240,111,90,16,234,105,215,37,57,197,237,26,219,40,154,189,226,99,246,29,39,187,45,158,196,3]},{"Name":"2f90e151-1f4a-4d07-a4e1-57a666c72a3c","Type":"searchlibrary","AdditionalInfo":{"Name":"Pass Event Count for pfSense® Firewall","Description":"Shows the total number of firewall \"pass\" events for a given time period","Query":"tag=$PFSENSE_SYSLOG_TAG syslog Appname == \"filterlog\" Message\n | anko ParseFilterlog\n | eval act==\"pass\"\n | count\n | gauge (count \"Pass Events\")","UUID":"2f90e151-1f4a-4d07-a4e1-57a666c72a3c"},"Hash":[119,21,211,182,198,211,10,182,11,63,248,21,165,247,121,50,118,226,16,241,231,42,152,92,239,140,41,219,45,254,213,215]},{"Name":"5f0acd71-ca2a-451c-9906-b9f1dd0ee449","Type":"searchlibrary","AdditionalInfo":{"Name":"Severe Syslog Events from pfSense® Software","Description":"A table of syslog events with severity codes between Emergency (0) and Warning (4)","Query":"tag=$PFSENSE_SYSLOG_TAG syslog Timestamp Appname ProcID MsgID Severity \u003c= 4 Facility\n | lookup -r SyslogFacilityTable Facility \"Numerical Code\" \"Facility\" as facility_desc\n | lookup -r SyslogSeverityTable Severity \"Numerical Code\" \"Severity\" as severity_desc\n | table severity_desc facility_desc Timestamp Appname ProcID 
MsgID","UUID":"5f0acd71-ca2a-451c-9906-b9f1dd0ee449"},"Hash":[111,11,186,193,13,198,227,129,72,85,104,50,1,181,234,232,231,179,108,24,2,43,190,246,243,220,29,158,152,7,114,66]},{"Name":"f5b7803b-73c9-49f8-9219-b34aec7729ba","Type":"searchlibrary","AdditionalInfo":{"Name":"Block Event Count for pfSense® Firewall","Description":"Shows the total number of firewall \"block\" events for a given time period","Query":"tag=$PFSENSE_SYSLOG_TAG syslog Appname == \"filterlog\" Message\n | anko ParseFilterlog\n | eval act==\"block\"\n | count\n | gauge (count \"Block Events\")","UUID":"f5b7803b-73c9-49f8-9219-b34aec7729ba"},"Hash":[43,158,90,39,77,70,168,8,13,101,22,183,157,242,102,208,52,132,114,121,75,138,18,22,89,244,173,99,100,193,241,139]},{"Name":"45c3df0e-c2c0-4eb2-ace3-59b78032f626","Type":"searchlibrary","AdditionalInfo":{"Name":"Syslog Events from pfSense® Software over Time ","Description":"Plots the number of pfSense® syslog events over time","Query":"tag=$PFSENSE_SYSLOG_TAG count\n | chart","UUID":"45c3df0e-c2c0-4eb2-ace3-59b78032f626"},"Hash":[166,119,118,94,146,70,112,57,21,10,45,85,194,248,177,226,16,250,56,184,247,186,169,236,241,139,6,167,139,245,170,144]},{"Name":"68aaf5cb-8f1e-4bfa-b2fd-509d40403a73","Type":"searchlibrary","AdditionalInfo":{"Name":"Event Count for pfSense® Firewall","Description":"Shows the total number of firewall events for a given time period","Query":"tag=$PFSENSE_SYSLOG_TAG syslog Appname == \"filterlog\" Message\n | anko ParseFilterlog\n | count\n | gauge (count \"Total Events\")","UUID":"68aaf5cb-8f1e-4bfa-b2fd-509d40403a73"},"Hash":[250,81,6,66,48,129,137,67,169,130,229,11,180,10,154,234,130,250,206,251,26,54,124,7,139,238,62,255,20,114,13,109]},{"Name":"7e6b1b8f-6863-49e2-a17b-510836ce202f","Type":"searchlibrary","AdditionalInfo":{"Name":"Event Log for pfSense® Firewall","Description":"A table of recent events from the firewall","Query":"tag=$PFSENSE_SYSLOG_TAG syslog Appname == \"filterlog\" Message Timestamp\n | anko 
ParseFilterlog\n | table act Timestamp realint rulenum subrulenum srcip srcport dstip dstport proto","UUID":"7e6b1b8f-6863-49e2-a17b-510836ce202f"},"Hash":[40,17,150,196,63,176,94,49,124,36,229,72,37,5,146,219,93,5,233,227,216,185,231,229,149,238,202,19,34,216,191,254]},{"Name":"7266dc8b-6d8a-4039-916a-4cdc2ed1549d","Type":"searchlibrary","AdditionalInfo":{"Name":"Syslog Events from pfSense® Software","Description":"A table of syslog events","Query":"tag=$PFSENSE_SYSLOG_TAG syslog Timestamp Appname ProcID MsgID Facility Severity\n | lookup -r SyslogFacilityTable Facility \"Numerical Code\" \"Facility\" as facility\n | lookup -r SyslogSeverityTable Severity \"Numerical Code\" \"Severity\" as severity\n | table severity facility Timestamp Appname ProcID MsgID","UUID":"7266dc8b-6d8a-4039-916a-4cdc2ed1549d"},"Hash":[20,115,42,255,93,91,147,106,26,17,138,180,129,203,255,40,20,53,157,35,230,52,113,22,36,186,168,171,44,43,158,206]},{"Name":"ab4bbb76-0e3a-46c9-9cb1-ed7b375effca","Type":"searchlibrary","AdditionalInfo":{"Name":"Events over Time for pfSense® Firewall","Description":"Plots firewall events over time","Query":"tag=$PFSENSE_SYSLOG_TAG syslog Appname == \"filterlog\"\n | chart","UUID":"ab4bbb76-0e3a-46c9-9cb1-ed7b375effca"},"Hash":[140,250,20,69,121,161,56,171,165,145,181,65,69,255,79,23,91,147,193,56,155,133,19,164,10,161,159,216,106,92,10,27]},{"Name":"92a7c464-6de0-4be4-917f-b59e0e275f48","Type":"searchlibrary","AdditionalInfo":{"Name":"Application/Severity Stackgraph for Syslog from pfSense® Software","Description":"Log entry counts -- grouped by severity and stacked by application","Query":"tag=$PFSENSE_SYSLOG_TAG syslog Appname == \"filterlog\" Severity Facility\n | lookup -r SyslogSeverityTable Severity \"Numerical Code\" \"Severity\" as severity_name\n | lookup -r SyslogFacilityTable Facility \"Numerical Code\" \"Facility\" as facility_description\n | count by Appname severity_name\n | stackgraph count severity_name 
Appname","UUID":"92a7c464-6de0-4be4-917f-b59e0e275f48"},"Hash":[152,13,26,200,138,87,64,145,179,239,153,154,123,232,82,175,156,54,72,63,195,87,125,79,98,207,93,196,98,15,201,25]},{"Name":"1c5abdf3-eea2-4e23-80d2-1bc6660226be","Type":"searchlibrary","AdditionalInfo":{"Name":"Event Count for Syslog from pfSense® Software","Description":"A gauge indicating the number of pfSense® syslog entries that occur during the selected time frame","Query":"tag=$PFSENSE_SYSLOG_TAG count\n | gauge (count \"Total number of entries for this time frame\")","UUID":"1c5abdf3-eea2-4e23-80d2-1bc6660226be"},"Hash":[236,124,241,151,234,96,156,1,152,94,224,16,171,254,125,146,144,176,0,121,185,118,208,188,14,227,197,156,242,61,225,139]},{"Name":"0b54e471-5533-4543-8f18-b4621ee815c9","Type":"searchlibrary","AdditionalInfo":{"Name":"Severity Breakdown for Syslog from pfSense® Software","Description":"Shows a breakdown of the severity of logged events","Query":"tag=$PFSENSE_SYSLOG_TAG syslog Severity\n | count by Severity\n | lookup -r SyslogSeverityTable Severity \"Numerical Code\" \"Severity\" as severity_name\n | chart count by severity_name","UUID":"0b54e471-5533-4543-8f18-b4621ee815c9"},"Hash":[112,190,129,146,113,36,178,18,93,186,40,240,3,235,108,152,194,49,139,97,189,196,25,66,99,108,236,6,221,237,27,144]},{"Name":"f481ee0c-10cd-4d65-94be-d25b6a6b7e57","Type":"searchlibrary","AdditionalInfo":{"Name":"Map of Sources For pfSense® Firewall Actions","Description":"A point map of geolocated source IPs with information about firewall actions","Query":"tag=$PFSENSE_SYSLOG_TAG syslog Appname == \"filterlog\" Message Timestamp\n | anko ParseFilterlog\n | stats count by srcip act\n | geoip srcip.Location \n | pointmap srcip count 
act","UUID":"f481ee0c-10cd-4d65-94be-d25b6a6b7e57"},"Hash":[153,220,60,235,60,184,42,24,161,105,88,134,45,58,145,189,193,46,140,28,13,106,192,238,96,112,173,188,19,60,203,38]},{"Name":"97068c27-f3e3-421a-83a7-31d7de1403ed","Type":"searchlibrary","AdditionalInfo":{"Name":"App Breakdown for Syslog from pfSense® Software","Description":"Shows a breakdown of which apps are logging events","Query":"tag=$PFSENSE_SYSLOG_TAG syslog Appname\n | count by Appname\n | chart count by Appname","UUID":"97068c27-f3e3-421a-83a7-31d7de1403ed"},"Hash":[251,224,203,49,206,14,177,221,84,238,37,192,65,92,206,12,217,201,249,107,226,77,37,194,38,196,91,198,206,127,56,226]},{"Name":"43b1c817-3ead-4c71-926a-6a4cc57242a9","Type":"file","AdditionalInfo":{"UUID":"43b1c817-3ead-4c71-926a-6a4cc57242a9","Name":"playbook-banner.jpeg","Description":"Banner for pfSense® Playbook","Size":417141,"ContentType":"image/jpeg"},"Hash":[149,41,211,30,21,124,110,140,161,191,77,85,17,18,80,89,66,161,174,62,225,250,107,172,31,153,168,147,149,209,111,101]},{"Name":"d034a461-e5eb-4661-9b29-7e496e72c917","Type":"file","AdditionalInfo":{"UUID":"d034a461-e5eb-4661-9b29-7e496e72c917","Name":"remote-logging-settings.png","Description":"pfSense® Remote Logging Settings","Size":297121,"ContentType":"image/png"},"Hash":[129,243,93,143,134,188,141,173,212,12,152,163,201,219,156,193,212,113,145,166,48,107,105,29,225,211,56,203,139,51,215,242]},{"Name":"0529b3c3-7f8a-45da-9e08-56a461b23b3d","Type":"file","AdditionalInfo":{"UUID":"0529b3c3-7f8a-45da-9e08-56a461b23b3d","Name":"syslog-settings-page.png","Description":"pfSense® syslog settings page","Size":251639,"ContentType":"image/png"},"Hash":[47,43,224,19,247,80,168,189,61,193,112,227,45,36,46,194,213,176,143,173,242,68,37,244,152,120,175,9,57,61,161,93]},{"Name":"ef9d1582-dac5-434d-8063-918f41169902","Type":"file","AdditionalInfo":{"UUID":"ef9d1582-dac5-434d-8063-918f41169902","Name":"cover file for kit build \"Gravwell for pfSense® Software 
v1\"","Description":"","Size":38322,"ContentType":"image/png"},"Hash":[117,24,54,187,67,128,131,103,139,247,59,201,13,88,56,110,143,226,77,129,195,116,97,251,51,128,137,241,71,247,50,4]},{"Name":"a037d96b-36db-47b5-9e2f-e839ccef7760","Type":"playbook","AdditionalInfo":{"UUID":"a037d96b-36db-47b5-9e2f-e839ccef7760","Name":"Gravwell for pfSense® Playbook","Description":"Kit Overview for pfSense® software"},"Hash":[243,158,48,238,49,120,249,154,227,4,228,229,250,73,63,162,228,39,67,122,242,232,43,75,246,173,186,162,91,48,38,134]}],"ConfigMacros":[{"MacroName":"PFSENSE_SYSLOG_TAG","Description":"The tag associated with syslog from pfSense® Software","DefaultValue":"pfsensesyslog","Value":"","Type":"STRING","InstalledByID":""}]},{"ID":"io.gravwell.linuxsyslog","Name":"Linux Syslog","UUID":"e50754ed-b9a8-401c-9dac-9b3829f79f6b","Version":8,"Description":"Provides tools for working with Linux system logs, including ssh, sudo, and cron.","Readme":"","Signed":true,"AdminRequired":false,"MinVersion":{"Major":5,"Minor":4,"Point":0},"MaxVersion":{"Major":0,"Minor":0,"Point":0},"Size":1703424,"Created":"2024-05-20T21:50:14.995098119Z","Ingesters":["simplerelay"],"Tags":["syslog"],"Assets":[{"Type":"image","Source":"cover.png","Legend":"Linux syslog","Featured":true,"Banner":false},{"Type":"image","Source":"banner.png","Legend":"Linux syslog banner","Featured":true,"Banner":true},{"Type":"readme","Source":"README.md","Legend":"","Featured":false,"Banner":false}],"Dependencies":[{"ID":"io.gravwell.networkenrichment","MinVersion":8}],"Items":[{"Name":"265182135221759","Type":"dashboard","AdditionalInfo":{"UUID":"ab482bdc-dd48-486d-8f86-336f61a553a8","Name":"Syslog SSH Dashboard","Description":"SSH server activity based on syslog"},"Hash":[88,11,0,239,213,137,14,29,233,180,37,188,107,191,172,50,20,57,241,176,174,156,31,2,98,241,107,97,221,159,22,90]},{"Name":"27018110783312","Type":"dashboard","AdditionalInfo":{"UUID":"abb1748c-e1f4-41b5-8a54-7799c1ee34d1","Name":"Syslog Sudo 
Dashboard","Description":"Looks at sudo activity from syslog"},"Hash":[59,117,250,45,138,143,70,249,107,2,204,199,38,207,222,77,38,79,169,152,5,36,138,236,88,180,85,81,241,167,30,200]},{"Name":"3860003387501","Type":"dashboard","AdditionalInfo":{"UUID":"874509f9-b2e7-4250-b8f5-648be1552973","Name":"Syslog Cron Dashboard","Description":"Shows information about cron jobs run and edits to the crontab."},"Hash":[244,50,107,225,44,130,80,180,0,131,228,187,111,149,120,241,125,64,78,137,184,208,134,214,151,163,58,156,100,229,231,183]},{"Name":"29028a7a-773f-4726-ae31-7d8d922682b0","Type":"template","AdditionalInfo":{"UUID":"29028a7a-773f-4726-ae31-7d8d922682b0","Name":"Cron invocations by user","Description":"Show all cron commands executed on behalf of a particular user"},"Hash":[38,44,4,102,41,103,66,84,176,206,243,250,60,20,197,87,135,218,147,29,164,141,65,105,11,136,148,240,64,198,81,123]},{"Name":"3e19b9b5-6e57-4c36-bf3a-bf442ba35051","Type":"template","AdditionalInfo":{"UUID":"3e19b9b5-6e57-4c36-bf3a-bf442ba35051","Name":"Failed auth by syslog hostname investigation","Description":"Investigates failed authentication attempts for a specific syslog hostname. Gives a table of which IPs are connecting to which servers, and GeoIP information about those IPs."},"Hash":[76,150,253,161,130,32,93,82,28,101,201,158,93,24,109,137,7,6,2,162,50,152,159,160,96,27,158,198,170,128,145,88]},{"Name":"c966b3bb-6aad-4498-9423-197697bc8233","Type":"template","AdditionalInfo":{"UUID":"c966b3bb-6aad-4498-9423-197697bc8233","Name":"Failed auth by IP investigation","Description":"Investigates failed authentication attempts for users which exist on the system. 
Gives a table of which IPs are connecting to which servers, and GeoIP information about those IPs."},"Hash":[188,120,86,18,91,147,78,26,139,189,41,61,17,72,49,60,196,124,167,7,244,33,205,26,134,12,227,65,66,32,150,166]},{"Name":"18ca7b0d-a4fe-44df-bc19-d4c41f760455","Type":"template","AdditionalInfo":{"UUID":"18ca7b0d-a4fe-44df-bc19-d4c41f760455","Name":"Failed auth by user investigation","Description":"Investigates failed authentication attempts for a specific username. Gives a table of which IPs are connecting to which servers, and GeoIP information about those IPs."},"Hash":[159,129,2,148,161,63,163,95,163,146,57,104,11,211,231,99,105,240,210,146,43,83,88,110,103,53,48,53,145,114,251,111]},{"Name":"52499b3d-3677-4113-baa7-3567c9a888c9","Type":"template","AdditionalInfo":{"UUID":"52499b3d-3677-4113-baa7-3567c9a888c9","Name":"Successful auth by hostname investigation","Description":"Investigates successful authentication attempts to a specific host. Gives a table of which IPs are connecting to that host, and GeoIP information about those IPs."},"Hash":[121,187,66,188,104,48,142,143,66,129,9,66,153,195,151,110,160,19,243,209,252,230,112,89,7,107,232,143,117,23,124,228]},{"Name":"e6ea3372-7c0f-469c-b0be-0783e4e6f186","Type":"template","AdditionalInfo":{"UUID":"e6ea3372-7c0f-469c-b0be-0783e4e6f186","Name":"Successful auth by IP investigation","Description":"Investigates successful authentication attempts from a specific IP address. 
Gives a table of which IPs are connecting to which servers, and GeoIP information about those IPs."},"Hash":[42,4,123,165,213,25,145,243,56,125,205,75,9,62,171,115,30,102,134,137,16,247,228,82,224,146,138,227,194,182,180,44]},{"Name":"00defa93-b7d6-428d-82ca-a883515ff1f1","Type":"template","AdditionalInfo":{"UUID":"00defa93-b7d6-428d-82ca-a883515ff1f1","Name":"Successful auth by public key investigation","Description":"Investigates successful authentication attempts using a specific public key, including GeoIP information."},"Hash":[134,176,110,129,161,77,106,55,218,145,187,190,180,88,190,100,55,102,245,222,251,75,171,148,84,137,248,28,188,229,154,133]},{"Name":"761da928-938a-4282-9e4d-fc7abe4c7451","Type":"template","AdditionalInfo":{"UUID":"761da928-938a-4282-9e4d-fc7abe4c7451","Name":"Successful auth by user investigation","Description":"Investigates successful authentication attempts for a specific username. Gives a table of which IPs are connecting to which servers, and GeoIP information about those IPs."},"Hash":[206,160,1,189,219,178,20,252,255,127,159,140,223,100,206,178,185,123,175,31,189,90,177,185,228,246,207,182,44,238,6,86]},{"Name":"396e1f71-5cf4-4ab3-bf40-4dd471007d21","Type":"pivot","AdditionalInfo":{"UUID":"396e1f71-5cf4-4ab3-bf40-4dd471007d21","Name":"Syslog SSH","Description":"IP address-based actions for Linux SSH logs"},"Hash":[50,197,56,158,192,108,12,0,239,30,79,27,105,106,210,196,130,117,37,123,46,250,224,187,128,175,163,233,219,158,128,39]},{"Name":"3ee74567-fc6a-4ca9-84d1-7a49e18bcf2f","Type":"pivot","AdditionalInfo":{"UUID":"3ee74567-fc6a-4ca9-84d1-7a49e18bcf2f","Name":"Syslog SSH","Description":"Investigate SSH authentication attempts \u0026 successes"},"Hash":[241,235,4,100,166,8,213,12,8,201,252,143,39,225,129,19,211,233,64,221,228,82,243,178,216,141,25,218,252,16,10,83]},{"Name":"fb7daf01-1cb4-47d1-beaa-2d3a0f1ba2df","Type":"searchlibrary","AdditionalInfo":{"Name":"Cron commands executed","Description":"Shows which commands cron has 
executed and for which user.","Query":"tag=$SYSLOG syslog Appname==CRON Message Hostname | regex -e Message \"\\((?P\u003cuser\u003e\\S+)\\) CMD \\((?P\u003ccommand\u003e.+)\\)\" | table TIMESTAMP Hostname user command","UUID":"fb7daf01-1cb4-47d1-beaa-2d3a0f1ba2df"},"Hash":[75,47,79,93,187,108,164,21,28,169,101,4,72,83,209,183,181,254,112,74,116,140,13,1,188,129,219,116,82,188,11,239]},{"Name":"25583ae3-9455-4ce9-b76a-f5ad0f936597","Type":"searchlibrary","AdditionalInfo":{"Name":"Crontab modifications","Description":"Parses syslog to find when someone has edited a crontab.","Query":"tag=$SYSLOG syslog Appname==crontab Message Hostname | regex -e Message \"\\((?P\u003cediting_user\u003e\\S+)\\) BEGIN EDIT \\((?P\u003ctarget_user\u003e\\S+)\\)\" | table TIMESTAMP Hostname editing_user target_user","UUID":"25583ae3-9455-4ce9-b76a-f5ad0f936597"},"Hash":[237,92,176,167,25,87,15,2,62,168,163,218,184,154,30,244,105,74,240,92,132,200,211,161,1,49,180,55,110,84,231,4]},{"Name":"7bc7cce6-dfab-4c54-8c63-53691fdf7f25","Type":"searchlibrary","AdditionalInfo":{"Name":"Cron invocations by user chart","Description":"Charts how many times each user has had cron jobs run.","Query":"tag=$SYSLOG syslog Appname==CRON Message Hostname | regex -e Message \"\\((?P\u003cuser\u003e\\S+)\\) CMD \\((?P\u003ccommand\u003e.+)\\)\" | stats count by user | chart count by user","UUID":"7bc7cce6-dfab-4c54-8c63-53691fdf7f25"},"Hash":[142,214,140,145,247,239,210,109,185,25,185,252,85,203,194,221,107,19,165,219,241,249,250,24,210,8,154,115,17,16,132,127]},{"Name":"d0c986ff-5010-48db-9f15-6d51639bd41a","Type":"searchlibrary","AdditionalInfo":{"Name":"Failed SSH Login Heatmap","Description":"Map failed SSH logins based on syslog data.","Query":"tag=$SYSLOG words authenticating user | syslog Appname==sshd Hostname Message\n| regex -e Message \"authenticating user (?P\u003cuser\u003e\\S+) (?P\u003csrcip\u003e\\S+)\"\n| geoip srcip.Location | 
heatmap","UUID":"d0c986ff-5010-48db-9f15-6d51639bd41a"},"Hash":[149,223,120,130,129,21,137,50,223,19,11,67,218,19,242,54,53,146,15,203,114,33,75,147,21,164,26,20,202,187,217,164]},{"Name":"3b1f2e46-cfe4-4f63-bf42-9d20a0c37eb9","Type":"searchlibrary","AdditionalInfo":{"Name":"Failed sudo attempts by user/hostname","Description":"Display a table of the number of times a user has failed to auth to sudo on each machine.","Query":"tag=$SYSLOG words authentication failure | syslog Appname==sudo Message Hostname | regex -e Message \"authentication failure; (?P\u003ckv\u003e.+)\" | kv -e kv -sep = user | stats count by user Hostname | table user Hostname count","UUID":"3b1f2e46-cfe4-4f63-bf42-9d20a0c37eb9"},"Hash":[176,94,41,65,24,122,165,182,127,155,230,241,244,136,250,125,175,199,14,175,169,202,25,3,175,123,12,170,216,63,245,64]},{"Name":"c985d5a7-d7d3-4142-8b8f-6f25b57e52a0","Type":"searchlibrary","AdditionalInfo":{"Name":"Failed SSH logins for existing users","Description":"Shows failed login counts for users which actually exist on the system. 
May help detect targeted brute-force attempts.","Query":"tag=$SYSLOG words authenticating user | syslog Appname==sshd Hostname Message\n| regex -e Message \"authenticating user (?P\u003cuser\u003e\\S+) (?P\u003csrcip\u003e\\S+)\"\n| stats count by Hostname user\n| table Hostname user count","UUID":"c985d5a7-d7d3-4142-8b8f-6f25b57e52a0"},"Hash":[98,248,198,71,63,105,202,240,160,32,209,172,119,154,37,165,12,3,181,194,239,115,130,100,69,33,58,112,62,241,236,162]},{"Name":"37f0ff83-dd75-42f6-812e-b20eb337a269","Type":"searchlibrary","AdditionalInfo":{"Name":"IPs with SSH failures \u0026 successes","Description":"Finds IPs who have both failed and successful SSH authentications.","Query":"@successful{tag=$SYSLOG words Accepted | syslog Appname==sshd Hostname Message | regex -e Message \"Accepted (?P\u003cmethod\u003e\\S+) for (?P\u003cuser\u003e\\S+) from (?P\u003cip\u003e\\S+)\" | unique method user ip Hostname | table user ip Hostname}; tag=$SYSLOG words authenticating user | syslog Appname==sshd Hostname Message | regex \"(Disconnected from|Connection closed by) authenticating user (?P\u003cfailed_user\u003e\\S+) (?P\u003cfailed_ip\u003e\\S+)\" | alias Hostname failed_hostname | lookup -s -r @successful failed_ip ip (Hostname as successful_hostname user as successful_user) | unique failed_ip failed_hostname failed_user successful_hostname successful_user | table failed_ip failed_hostname failed_user successful_hostname successful_user","UUID":"37f0ff83-dd75-42f6-812e-b20eb337a269"},"Hash":[75,44,164,106,211,9,37,174,132,239,44,219,7,141,192,3,82,236,114,226,82,29,45,139,5,160,163,66,237,128,74,132]},{"Name":"7f756338-f696-4ab7-a50b-a21b75b75f37","Type":"searchlibrary","AdditionalInfo":{"Name":"SSH login failure:success ratio","Description":"Calculates a ratio of failure:success for login attempts via SSH.","Query":"@failed{tag=$SYSLOG syslog Appname==sshd Message Hostname | regex \"(Invalid user|Connection closed by authenticating user)\" | stats count by Hostname | 
table Hostname count}; tag=$SYSLOG words Accepted | syslog Appname==sshd Message Hostname | regex -e Message \"Accepted (?P\u003cmethod\u003e\\S+) for (?P\u003cuser\u003e\\S+) from (?P\u003cip\u003e\\S+)\" | stats count as successes by Hostname | lookup -r @failed Hostname Hostname count as failures | eval if (successes \u003e 0 ) { ratio = string(int(failures) / int(successes)) +\":1\"; } | table Hostname failures successes ratio\n","UUID":"7f756338-f696-4ab7-a50b-a21b75b75f37"},"Hash":[88,95,32,209,63,246,193,66,248,93,231,96,106,161,145,58,134,55,133,22,1,52,56,16,30,166,65,238,78,243,88,237]},{"Name":"de11a60a-784a-41ef-84c5-e5283dc71438","Type":"searchlibrary","AdditionalInfo":{"Name":"SSH Login FDG","Description":"Force-directed graph showing which users have logged on to which machines.","Query":"tag=$SYSLOG words Accepted | syslog Appname==sshd Hostname Message | regex -e Message \"Accepted (?P\u003cmethod\u003e\\S+) for (?P\u003cuser\u003e\\S+) from (?P\u003cip\u003e\\S+)\" | stats count by user Hostname | fdg -v count user Hostname","UUID":"de11a60a-784a-41ef-84c5-e5283dc71438"},"Hash":[38,69,188,118,157,163,142,83,183,86,19,141,245,34,176,14,204,250,36,32,233,92,195,116,234,242,106,72,186,133,174,221]},{"Name":"9ad95f1d-4668-4806-b526-20ea8e0f1e56","Type":"searchlibrary","AdditionalInfo":{"Name":"Successful SSH Login Pointmap","Description":"Pointmap showing where successful SSH logins came from.","Query":"tag=$SYSLOG words Accepted | syslog Appname==sshd Hostname Message | regex -e Message \"Accepted (?P\u003cmethod\u003e\\S+) for (?P\u003cuser\u003e\\S+) from (?P\u003cip\u003e\\S+)\" | geoip ip.Location | pointmap Hostname user method ip","UUID":"9ad95f1d-4668-4806-b526-20ea8e0f1e56"},"Hash":[189,178,103,78,63,221,184,35,122,94,111,27,205,58,180,68,241,70,218,194,122,218,128,171,181,143,134,4,234,224,79,54]},{"Name":"ce8471b8-64b4-4980-a67d-8f87c56bf2ab","Type":"searchlibrary","AdditionalInfo":{"Name":"su invocations","Description":"Parses syslog to 
see when the \"su\" command is used and by whom. \"invoking_user\" is the user who ran su.","Query":"tag=$SYSLOG syslog Appname==su Hostname Message | regex \"\\(to (?P\u003csubstitute_user\u003e\\S+)\\) (?P\u003cinvoking_user\u003e\\S+)\" | table TIMESTAMP Hostname invoking_user substitute_user","UUID":"ce8471b8-64b4-4980-a67d-8f87c56bf2ab"},"Hash":[3,151,96,30,145,96,185,18,21,116,133,203,187,110,254,40,122,120,223,12,187,213,19,215,90,84,26,231,104,160,126,130]},{"Name":"6d124568-e705-47a4-a210-ce5f39565d7f","Type":"searchlibrary","AdditionalInfo":{"Name":"Successful SSH logins","Description":"Extracts successful SSH logins from syslog. Shows username, IP, and auth method.","Query":"tag=$SYSLOG words Accepted | syslog Appname==sshd Hostname Message | regex -e Message \"Accepted (?P\u003cmethod\u003e\\S+) for (?P\u003cuser\u003e\\S+) from (?P\u003cip\u003e\\S+)\" | stats count by method user ip | table user ip method count","UUID":"6d124568-e705-47a4-a210-ce5f39565d7f"},"Hash":[83,202,144,125,49,198,78,182,99,47,254,245,175,24,217,24,4,206,101,107,196,25,224,38,41,44,29,224,193,138,158,75]},{"Name":"1f1ff0f9-57c9-4b1d-8016-a49d92149749","Type":"searchlibrary","AdditionalInfo":{"Name":"Sudo invocation counts","Description":"Count how many times each user has invoked sudo per host.","Query":"tag=$SYSLOG syslog Appname==sudo Message Hostname | regex -e Message \"(?P\u003csudoing_user\u003e\\S+) : (?P\u003cargs\u003e.+)\" | stats count by sudoing_user Hostname | table sudoing_user Hostname count","UUID":"1f1ff0f9-57c9-4b1d-8016-a49d92149749"},"Hash":[32,37,72,200,153,195,214,241,166,198,245,132,246,113,96,242,93,75,73,182,183,181,193,221,81,53,62,105,242,199,80,20]},{"Name":"a0b84e45-82af-4068-8c01-eb998186c2e7","Type":"searchlibrary","AdditionalInfo":{"Name":"Sudo invocations","Description":"Extracts which command was executed by which user using sudo.","Query":"tag=$SYSLOG syslog Appname==sudo Message Hostname\n| regex -e Message \"(?P\u003csudoing_user\u003e\\S+) 
: (?P\u003cargs\u003e.+)\"\n| kv -e args -ld -sep \"=\" -dall \" ; \" TTY PWD COMMAND\n| table TIMESTAMP Hostname sudoing_user TTY PWD COMMAND\n","UUID":"a0b84e45-82af-4068-8c01-eb998186c2e7"},"Hash":[134,181,210,182,145,194,126,45,248,226,19,111,4,160,200,217,86,150,235,93,194,189,110,174,79,27,29,220,233,124,210,129]},{"Name":"fc5dba6d-2662-4470-b366-1d3a2239a340","Type":"searchlibrary","AdditionalInfo":{"Name":"SystemD Service Errors","Description":"Shows syslog messages from SystemD about services that did not start successfully.","Query":"tag=$SYSLOG syslog Appname==systemd Message Hostname | regex -e Message \"(?P\u003cservice\u003e\\S+).service: (?P\u003cstatus\u003e.+)\" | grep -v -e status \"Succeeded\" | table TIMESTAMP Hostname service status","UUID":"fc5dba6d-2662-4470-b366-1d3a2239a340"},"Hash":[34,19,65,228,244,4,66,170,145,93,92,47,135,54,135,225,52,189,66,79,186,7,110,126,242,99,55,246,96,126,138,198]},{"Name":"ef227a5b-484a-4c04-a06b-05462763e11c","Type":"searchlibrary","AdditionalInfo":{"Name":"Systems running apt-daily jobs","Description":"Discovers which systems are running apt-daily and apt-daily-upgrade by inspecting syslog for SystemD messages.","Query":"tag=$SYSLOG syslog Appname==systemd Message Hostname | regex -e Message \"(?P\u003cservice\u003e\\S+).service: (?P\u003cstatus\u003e.+)\" service==\"apt-daily\" | unique Hostname service | table Hostname service","UUID":"ef227a5b-484a-4c04-a06b-05462763e11c"},"Hash":[4,96,69,30,28,27,100,213,217,4,156,175,25,140,76,14,66,58,118,23,103,199,72,58,24,66,255,144,89,72,211,37]},{"Name":"72ed6d4b-1260-4098-956f-8f59c272464b","Type":"file","AdditionalInfo":{"UUID":"72ed6d4b-1260-4098-956f-8f59c272464b","Name":"Linux Syslog banner","Description":"Banner image for the Linux syslog 
kit","Size":869779,"ContentType":"image/png"},"Hash":[114,70,147,88,26,70,46,63,235,97,171,129,28,242,4,64,1,183,118,154,46,5,150,16,129,221,31,153,28,25,29,138]},{"Name":"5551e4f6-f167-4487-83de-83692468c6ba","Type":"file","AdditionalInfo":{"UUID":"5551e4f6-f167-4487-83de-83692468c6ba","Name":"Linux Syslog cover","Description":"Cover image for the Linux syslog kit","Size":251934,"ContentType":"image/png"},"Hash":[223,33,232,85,167,194,178,238,37,103,54,215,44,25,158,208,138,41,231,22,158,124,231,72,220,170,39,19,74,87,45,53]},{"Name":"2f1d91bc-5803-4d5e-85e7-bce607a513af","Type":"file","AdditionalInfo":{"UUID":"2f1d91bc-5803-4d5e-85e7-bce607a513af","Name":"Linux Syslog icon","Description":"Icon for the Linux syslog kit","Size":104906,"ContentType":"image/png"},"Hash":[48,159,53,167,106,61,122,201,25,177,83,25,142,69,192,13,173,66,96,115,244,145,230,242,103,93,104,44,127,68,192,24]},{"Name":"f7aedf96-7574-404f-9329-517e88cdaaae","Type":"playbook","AdditionalInfo":{"UUID":"2bf8f9b8-8b4b-4c54-9983-9d51ccb024a6","Name":"Linux Syslog Kit","Description":""},"Hash":[79,236,70,229,220,195,70,217,188,0,187,18,170,184,133,122,126,228,186,253,122,28,241,67,27,166,205,147,79,96,199,57]}],"ConfigMacros":[{"MacroName":"SYSLOG","Description":"The tag which contains syslog entries (probably \"syslog\")","DefaultValue":"syslog","Value":"","Type":"TAG","InstalledByID":""}]},{"ID":"io.gravwell.grok","Name":"Grok","UUID":"e578bcff-6ff3-4ac8-af2e-1b922de7aef5","Version":5,"Description":"The Grok kit provides some documentation and a pattern resource file of Grok patterns for data extraction within 
Gravwell.","Readme":"","Signed":true,"AdminRequired":false,"MinVersion":{"Major":3,"Minor":4,"Point":0},"MaxVersion":{"Major":0,"Minor":0,"Point":0},"Size":161792,"Created":"2024-05-06T19:49:36.964544103Z","Ingesters":["simplerelay","filefollow"],"Tags":["apache"],"Assets":[{"Type":"image","Source":"cover.jpg","Legend":"grok","Featured":true,"Banner":false},{"Type":"readme","Source":"readme.md","Legend":"","Featured":false,"Banner":false}],"Dependencies":null,"Items":[{"Name":"grok","Type":"resource","AdditionalInfo":{"VersionNumber":1,"ResourceName":"grok","Description":"all grok patterns in the grokfile","Size":39854,"Labels":null},"Hash":[106,172,195,177,20,146,184,213,107,52,181,10,186,78,132,117,244,127,226,146,58,83,195,241,130,156,151,142,88,150,60,177]},{"Name":"bda6e5ae-6ff9-466d-8854-320fd7165fcb","Type":"playbook","AdditionalInfo":{"UUID":"ad489531-d2a7-4b21-aa28-4cc3e7f58bd3","Name":"Grok 101","Description":"This document provides background information on Grok and its usage within Gravwell."},"Hash":[175,106,34,214,218,91,136,186,255,107,200,29,135,15,159,115,29,213,28,17,47,213,120,22,4,85,62,69,6,84,253,7]},{"Name":"a00a50f4-e7e2-4875-8631-f81bae9e8d3e","Type":"file","AdditionalInfo":{"UUID":"a00a50f4-e7e2-4875-8631-f81bae9e8d3e","Name":"grok cover image","Description":"Cover/banner image for grok kit. 
Credit: Waldemar Brandt on Unsplash (https://unsplash.com/@waldemarbrandt67w?utm_source=unsplash\u0026utm_medium=referral\u0026utm_content=creditCopyText)","Size":65496,"ContentType":"image/jpeg"},"Hash":[29,101,136,206,141,42,131,43,254,38,131,245,17,21,148,226,86,149,255,90,93,135,85,169,236,157,233,227,165,97,103,168]}],"ConfigMacros":null},{"ID":"io.gravwell.windows","Name":"Windows","UUID":"f6a28404-15f9-4771-bcd9-31cb4d79fda7","Version":2,"Description":"# Gravwell Windows Kit\n\nThe Gravwell Windows Kit provides a baseline set of queries, dashboards, and investigative resources for builtin Windows audit logs.","Readme":"","Signed":true,"AdminRequired":false,"MinVersion":{"Major":5,"Minor":4,"Point":11},"MaxVersion":{"Major":0,"Minor":0,"Point":0},"Size":918016,"Created":"2024-10-07T23:40:55.771716417Z","Ingesters":["winevent"],"Tags":["windows"],"Assets":[{"Type":"image","Source":"cover.jpg","Legend":"Windows","Featured":true,"Banner":false},{"Type":"readme","Source":"README.md","Legend":"","Featured":false,"Banner":false}],"Dependencies":[{"ID":"io.gravwell.windows.resource","MinVersion":1}],"Items":[{"Name":"windows_event_level_criticality","Type":"resource","AdditionalInfo":{"VersionNumber":2,"ResourceName":"windows_event_level_criticality","Description":"Map level number to criticality description","Size":88,"Labels":null},"Hash":[4,248,247,241,186,77,147,131,255,63,26,36,247,57,159,30,207,74,183,66,197,38,85,183,22,104,166,93,226,9,118,247]},{"Name":"windows_eventid_messages","Type":"resource","AdditionalInfo":{"VersionNumber":2,"ResourceName":"windows_eventid_messages","Description":"Map Windows EventIDs to their rendered text description","Size":29510,"Labels":null},"Hash":[237,113,126,98,64,236,94,94,28,105,245,157,80,54,150,68,98,191,24,181,65,177,173,26,19,33,172,214,215,242,64,116]},{"Name":"windows_auth_fail_codes","Type":"resource","AdditionalInfo":{"VersionNumber":6,"ResourceName":"windows_auth_fail_codes","Description":"Map auth fail status in 
EventID 4625 with description","Size":1333,"Labels":null},"Hash":[74,183,231,161,232,241,65,220,162,219,237,21,87,222,20,175,184,133,192,129,128,52,239,97,152,139,90,3,12,189,29,231]},{"Name":"WINDOWS_ALL","Type":"macro","AdditionalInfo":{"Name":"WINDOWS_ALL","Description":"Expression for or list of all windows tags","Expansion":"windows_*"},"Hash":[113,72,118,11,187,215,5,85,214,255,134,80,46,119,135,4,38,188,23,200,217,230,109,79,191,107,209,2,205,108,118,21]},{"Name":"WINDOWS_LOGON","Type":"macro","AdditionalInfo":{"Name":"WINDOWS_LOGON","Description":"Windows tag containing logon events","Expansion":"windows_security"},"Hash":[56,215,81,59,190,222,18,231,18,168,155,32,114,190,119,173,149,209,81,231,24,150,4,47,121,59,143,108,27,244,213,100]},{"Name":"WINDOWS_GROUP","Type":"macro","AdditionalInfo":{"Name":"WINDOWS_GROUP","Description":"Windows tag containing logon events","Expansion":"windows_security"},"Hash":[233,207,5,69,134,85,108,219,197,168,81,69,210,64,62,242,100,48,157,162,253,128,153,192,237,55,237,218,48,116,103,203]},{"Name":"WINDOWS_USER","Type":"macro","AdditionalInfo":{"Name":"WINDOWS_USER","Description":"Windows tag containing user events","Expansion":"windows_security"},"Hash":[223,61,196,139,104,57,172,217,191,91,109,63,153,190,187,229,167,13,120,233,59,74,1,208,92,153,162,255,127,33,220,38]},{"Name":"WINDOWS_EVENTLOG_CLEARED","Type":"macro","AdditionalInfo":{"Name":"WINDOWS_EVENTLOG_CLEARED","Description":"Windows tags containing security and system events i.e. 
windows_security,windows_system","Expansion":"windows_security,windows,system\n"},"Hash":[79,171,36,8,106,152,180,203,111,215,254,35,77,46,216,118,34,34,146,179,126,29,36,53,224,123,96,6,211,253,81,85]},{"Name":"74a11418-cb0b-4beb-84a7-7df00c06125b","Type":"dashboard","AdditionalInfo":{"UUID":"74a11418-cb0b-4beb-84a7-7df00c06125b","Name":"Windows - Overview","Description":"Overview of all collected Windows events"},"Hash":[50,18,45,149,34,43,161,247,249,182,249,222,235,178,157,214,148,204,145,206,84,178,170,181,192,9,214,74,68,217,175,10]},{"Name":"426216e8-73f8-4866-934e-962935f0d70f","Type":"dashboard","AdditionalInfo":{"UUID":"426216e8-73f8-4866-934e-962935f0d70f","Name":"Windows - Logons - Successful","Description":"Overview of successful Windows logon events"},"Hash":[7,94,107,191,233,21,56,213,226,84,42,6,62,237,149,190,86,114,20,89,156,198,49,20,78,217,76,96,165,59,137,246]},{"Name":"6a13bcdb-423e-4010-940d-071e93061503","Type":"dashboard","AdditionalInfo":{"UUID":"6a13bcdb-423e-4010-940d-071e93061503","Name":"Windows - Logons - Failures/Lockouts","Description":"Overview of failed Windows logon and associated account lockout events"},"Hash":[210,247,113,231,30,137,142,58,69,13,117,229,27,71,153,230,172,122,38,179,186,210,208,164,35,13,29,160,42,37,231,88]},{"Name":"6dcb12e5-31f0-49fb-a4f6-09ffbf6be4bc","Type":"dashboard","AdditionalInfo":{"UUID":"6dcb12e5-31f0-49fb-a4f6-09ffbf6be4bc","Name":"Windows - Groups - Overview","Description":"Overview of Windows group events"},"Hash":[98,174,190,225,231,152,54,211,54,152,186,146,36,103,37,206,48,74,14,190,107,64,142,124,17,59,239,22,97,58,18,75]},{"Name":"d6d86716-153c-4d4b-af72-a1c9a4acdc64","Type":"dashboard","AdditionalInfo":{"UUID":"d6d86716-153c-4d4b-af72-a1c9a4acdc64","Name":"Windows - Users - Overview","Description":"Overview of all collected Windows user account 
events"},"Hash":[12,55,225,250,173,27,103,47,15,246,205,168,115,133,201,145,183,147,239,142,233,230,149,28,217,92,152,23,69,105,151,131]},{"Name":"e49c3829-6a48-41b9-b17f-0a57b97e5eee","Type":"searchlibrary","AdditionalInfo":{"Name":"All Windows TAG count","Description":"Count of windows events per TAG","Query":"tag=$WINDOWS_ALL stats count by TAG\r\n| chart count by TAG","UUID":"e49c3829-6a48-41b9-b17f-0a57b97e5eee"},"Hash":[32,53,192,206,88,68,27,2,222,140,46,193,123,241,19,44,9,48,210,249,13,212,210,63,192,55,51,179,123,137,60,228]},{"Name":"05b1c81d-94ae-48df-afe1-ad80372ded67","Type":"searchlibrary","AdditionalInfo":{"Name":"All Windows Computer Details","Description":"Count of windows events per Computer, EventID","Query":"tag=$WINDOWS_ALL winlog Computer EventID Level\r\n| stats count by Computer EventID Level\r\n| lookup -r windows_eventid_messages EventID ID Message\r\n| table count Computer EventID Message","UUID":"05b1c81d-94ae-48df-afe1-ad80372ded67"},"Hash":[78,173,46,175,39,81,34,37,151,98,136,243,74,149,100,48,65,134,199,151,109,40,59,150,203,253,217,0,231,102,218,123]},{"Name":"789965b7-e0b1-4100-b2a1-11b0244d3992","Type":"searchlibrary","AdditionalInfo":{"Name":"All Windows EventID Details","Description":"Count of windows events per EventID, Criticality","Query":"tag=$WINDOWS_ALL winlog EventID Level\r\n| stats count as Count by EventID Level\r\n| lookup -r windows_event_level_criticality Level Level Criticality\r\n| lookup -r windows_eventid_messages EventID ID Message\r\n| table Count EventID Message Criticality","UUID":"789965b7-e0b1-4100-b2a1-11b0244d3992"},"Hash":[8,5,113,18,108,251,251,38,8,100,117,38,128,238,158,216,255,144,155,105,141,128,97,235,52,176,56,157,187,180,146,0]},{"Name":"e2693b54-944b-405e-b12b-9ea7f8669aa6","Type":"searchlibrary","AdditionalInfo":{"Name":"All Windows EventID count","Description":"Count of windows events per EventID","Query":"tag=$WINDOWS_ALL winlog EventID\r\n| stats count by EventID\r\n| chart count by 
EventID","UUID":"e2693b54-944b-405e-b12b-9ea7f8669aa6"},"Hash":[172,202,182,151,136,127,60,172,191,113,220,206,163,102,87,2,81,188,227,201,37,21,82,165,172,90,180,249,162,54,135,236]},{"Name":"d0df0c1b-aefe-46f9-ae2c-ec7a016c69c3","Type":"searchlibrary","AdditionalInfo":{"Name":"All Windows Events Overview","Description":"Chart of total Windows events","Query":"tag=$WINDOWS_ALL stats count\r\n| chart count","UUID":"d0df0c1b-aefe-46f9-ae2c-ec7a016c69c3"},"Hash":[235,61,137,143,17,73,113,148,102,128,196,88,4,9,5,212,142,43,208,226,165,207,24,128,168,88,91,137,197,146,182,197]},{"Name":"22d3a9ef-4aaf-4e65-a902-f2ca5b043298","Type":"searchlibrary","AdditionalInfo":{"Name":"All Windows Level count","Description":"Count of windows events per Level","Query":"tag=$WINDOWS_ALL winlog Level\r\n| stats count by Level\r\n| lookup -r windows_event_level_criticality Level Level Criticality\r\n| chart count by Criticality","UUID":"22d3a9ef-4aaf-4e65-a902-f2ca5b043298"},"Hash":[175,53,46,48,54,73,222,3,129,101,41,214,153,184,106,66,218,139,116,187,200,181,230,3,39,163,126,67,164,148,174,69]},{"Name":"ee62b55d-d567-4a68-8b47-7d7b7525303e","Type":"searchlibrary","AdditionalInfo":{"Name":"Windows Successful Admin Logon Details - ElevatedToken","Description":"Count of successful admin logon events by computer, user, logoninfo; excluding builtin users and local system auths","Query":"tag=$WINDOWS_LOGON winlog EventID == 4624 ElevatedToken==\"%%1842\" Computer SubjectUserName SubjectDomainName TargetUserSid TargetUserName !~ \"$\" TargetDomainName LogonType LogonProcessName WorkstationName as TargetInfo IpAddress\r\n| eval (\r\n !(strings_hassuffix(SubjectUserName,\"$\") == true \u0026\u0026 (TargetUserSid ~ \"S-1-5-80\" || TargetUserSid ~ \"S-1-5-82\" || TargetUserSid ~ \"S-1-5-90\" || TargetUserSid ~ \"S-1-5-96\")) \r\n \u0026\u0026 !((SubjectUserName == \"-\" || strings_hassuffix(SubjectUserName,\"$\") == true) \u0026\u0026 TargetUserSid == \"S-1-5-18\") \r\n \u0026\u0026 
!(in(TargetDomainName,\"NT VIRTUAL MACHINE\",\"NT AUTHORITY\")))\r\n| lookup -r windows_login_types LogonType logon_type name as LogonName\r\n| printf -e LogonTypeInfo \"%v (%v)\" LogonName LogonType\r\n| printf -e SubjectUser \"%v\\\\%v\" SubjectDomainName SubjectUserName\r\n| printf -e TargetUser \"%v\\\\%v\" TargetDomainName TargetUserName\r\n| eval (if (TargetInfo == \"-\") {TargetInfo = \"\u003cSee Computer\u003e\";})\r\n| stats count as Count by Computer SubjectUser TargetUser LogonTypeInfo LogonProcessName TargetInfo IpAddress\r\n| table Count Computer SubjectUser TargetUser LogonTypeInfo LogonProcessName TargetInfo IpAddress\r\n","UUID":"ee62b55d-d567-4a68-8b47-7d7b7525303e"},"Hash":[123,78,7,135,8,17,46,2,172,23,58,218,204,6,154,132,85,169,45,4,35,42,130,6,92,97,100,197,153,142,58,241]},{"Name":"7e479c1b-b8fd-467b-92e5-6ab7219936f8","Type":"searchlibrary","AdditionalInfo":{"Name":"Windows Successful User Logon Details","Description":"Count of successful user logon events by computer, user, logoninfo; excluding builtin users and local system auths","Query":"tag=$WINDOWS_LOGON winlog EventID == 4624 Computer SubjectUserSid SubjectUserName SubjectDomainName TargetUserSid TargetUserName !~ \"$\" TargetDomainName LogonType LogonProcessName WorkstationName as TargetInfo IpAddress\r\n// Exclude builtin users and local system auths\r\n| eval ( !(SubjectUserSid == \"S-1-5-18\" \u0026\u0026 (TargetUserSid ~ \"S-1-5-20\" || TargetUserSid ~ \"S-1-5-19\" || TargetUserSid ~ \"S-1-5-80\" || TargetUserSid ~ \"S-1-5-82\" || TargetUserSid ~ \"S-1-5-83\" || TargetUserSid ~ \"S-1-5-90\" || TargetUserSid ~ \"S-1-5-96\")) \r\n \u0026\u0026 !((SubjectUserName == \"-\" || SubjectUserName ~ \"$\") \u0026\u0026 TargetUserSid == \"S-1-5-18\"))\r\n| lookup -r windows_login_types LogonType logon_type name as LogonName\r\n| printf -e LogonTypeInfo \"%v (%v)\" LogonName LogonType\r\n| printf -e SubjectUser \"%v\\\\%v\" SubjectDomainName SubjectUserName\r\n| printf -e TargetUser 
\"%v\\\\%v\" TargetDomainName TargetUserName\r\n| eval (if (TargetInfo == \"-\") {TargetInfo = \"\u003cSee Computer\u003e\";})\r\n| stats count by Computer SubjectUser TargetUser TargetUserSid LogonTypeInfo LogonProcessName TargetInfo IpAddress\r\n| table count Computer SubjectUser TargetUser TargetUserSid LogonTypeInfo LogonProcessName TargetInfo IpAddress\r\n","UUID":"7e479c1b-b8fd-467b-92e5-6ab7219936f8"},"Hash":[61,183,24,249,37,219,175,109,143,37,21,92,227,1,159,57,50,48,208,121,160,228,28,118,239,70,105,127,143,32,22,21]},{"Name":"0f7750bd-1576-481a-b60d-b382bc9e70fd","Type":"searchlibrary","AdditionalInfo":{"Name":"Windows Successful Admin Logon Details - Group Membership","Description":"Count of successful user logon events by computer, user, logoninfo using group membership info in eventid 4627","Query":"@groups{tag=$WINDOWS_LOGON words \"S-1-5-32-544\"\r\n| winlog EventID==4627 Computer as Comp SubjectUserName as SUN SubjectDomainName as SDN TargetUserName as TUN TargetDomainName as TDN LogonType as LT\r\n| eval (!(SUN~\"$\" \u0026\u0026 TUN==\"SYSTEM\") \u0026\u0026 !(SUN==\"-\" \u0026\u0026 TUN~\"$\"))\r\n| unique Comp SUN SDN TUN TDN LT\r\n| table Comp SUN SDN TUN TDN LT};\r\ntag=$WINDOWS_LOGON winlog TimeCreated EventID == 4624 Computer SubjectUserName SubjectDomainName TargetUserName TargetDomainName LogonType LogonProcessName WorkstationName as TargetInfo IpAddress\r\n| lookup -s -r @groups [Computer SubjectUserName SubjectDomainName TargetUserName TargetDomainName LogonType] [Comp SUN SDN TUN TDN LT]\r\n| lookup -r windows_login_types LogonType logon_type name as LogonName\r\n| printf -e SubjectUser \"%v\\\\%v\" SubjectDomainName SubjectUserName\r\n| printf -e TargetUser \"%v\\\\%v\" TargetDomainName TargetUserName\r\n| printf -e LogonTypeInfo \"%v (%v)\" LogonName LogonType\r\n| eval (if (TargetInfo == \"-\") {TargetInfo = \"\u003cSee Computer\u003e\";})\r\n| table TimeCreated Computer SubjectUser TargetUser LogonTypeInfo LogonProcessName 
TargetInfo IpAddress\r\n","UUID":"0f7750bd-1576-481a-b60d-b382bc9e70fd"},"Hash":[12,97,61,203,153,175,34,171,135,55,198,10,102,86,157,16,68,192,174,29,2,131,234,141,224,142,146,243,17,30,91,154]},{"Name":"79d5841f-a565-479d-9e64-1600d4ce7047","Type":"searchlibrary","AdditionalInfo":{"Name":"Windows Failed User Logon Details","Description":"Count of failed user logon events by computer, user, logoninfo","Query":"tag=$WINDOWS_LOGON winlog EventID Computer SubjectUserName SubjectDomainName TargetUserName TargetDomainName LogonType WorkstationName as TargetInfo IpAddress Status\r\n| eval (EventID == \"4625\" || EventID == \"4771\")\r\n| lookup -r windows_login_types LogonType logon_type name as LogonName\r\n| lookup -r windows_auth_fail_codes Status Code Description\r\n| printf -e LogonTypeInfo \"%v (%v)\" LogonName LogonType\r\n| printf -e SubjectUser \"%v\\\\%v\" SubjectDomainName SubjectUserName\r\n| printf -e TargetUser \"%v\\\\%v\" TargetDomainName TargetUserName\r\n| eval (if (EventID == \"4771\") {LogonTypeInfo = \"\"; KrbStatus = Status; SubjectUser = \"\"; TargetUser = TargetUserName;})\r\n| lookup -r windows_ticket_failure_codes KrbStatus code description as Description\r\n| stats count by Computer SubjectUser TargetUser Description Status LogonTypeInfo TargetInfo IpAddress\r\n| table count Computer SubjectUser TargetUser Description LogonTypeInfo TargetInfo IpAddress\r\n","UUID":"79d5841f-a565-479d-9e64-1600d4ce7047"},"Hash":[44,149,141,161,250,124,112,65,218,214,240,171,136,131,131,96,156,101,95,242,228,66,61,149,100,65,46,237,73,194,150,109]},{"Name":"e12043cd-2085-43b9-a2d2-9bd214a46429","Type":"searchlibrary","AdditionalInfo":{"Name":"Windows User Locked Details","Description":"Details for each user locked Windows event","Query":"tag=$WINDOWS_LOGON winlog TimeCreated EventID==4740 Computer as LockedFrom TargetUserName as TUN TargetDomainName\r\n| printf -e LockedUser \"%v\\\\%v\" TargetDomainName TUN\r\n| table TimeCreated LockedFrom 
LockedUser\r\n","UUID":"e12043cd-2085-43b9-a2d2-9bd214a46429"},"Hash":[239,64,226,115,223,164,94,48,217,20,30,162,69,83,244,84,8,227,233,135,254,95,102,231,55,242,53,10,14,183,123,211]},{"Name":"1d653fd9-5335-494d-8baf-9a6b9d5b98fc","Type":"searchlibrary","AdditionalInfo":{"Name":"Windows Successful Logon Events Overview","Description":"Chart of total successful Windows logon events; excluding some builtin users and local system auths","Query":"tag=$WINDOWS_LOGON winlog EventID==4624 SubjectUserName TargetUserSid\r\n// Exclude builtin users and local system auths\r\n| eval ( !(SubjectUserName ~ \"$\" \u0026\u0026 (TargetUserSid !~ \"S-1-5-80\" || TargetUserSid ~ \"S-1-5-82\" || TargetUserSid ~ \"S-1-5-90\" || TargetUserSid ~ \"S-1-5-96\")) || !((SubjectUserName == \"-\" || SubjectUserName ~ \"$\") \u0026\u0026 TargetUserSid == \"S-1-5-18\") )\r\n| stats count\r\n| chart count","UUID":"1d653fd9-5335-494d-8baf-9a6b9d5b98fc"},"Hash":[80,218,8,76,137,86,41,200,38,220,2,1,39,180,212,228,191,216,189,74,129,240,255,251,59,249,35,184,69,14,73,94]},{"Name":"357db0e6-7346-40af-8863-f3468f3ae991","Type":"searchlibrary","AdditionalInfo":{"Name":"Windows Successful RDP Logon Details","Description":"Count of successful RDP logon events by computer, user, logoninfo; excluding builtin users and local system auths","Query":"tag=$WINDOWS_LOGON winlog EventID == 4624 Computer SubjectUserName SubjectDomainName TargetUserSid TargetUserName !~ \"$\" TargetDomainName LogonType==10 LogonProcessName WorkstationName as TargetInfo IpAddress\r\n// Exclude builtin users and local system auths\r\n| eval (\r\n !(SubjectUserName ~ \"$\" \u0026\u0026 (TargetUserSid !~ \"S-1-5-80\" || TargetUserSid ~ \"S-1-5-82\" || TargetUserSid ~ \"S-1-5-90\" || TargetUserSid ~ \"S-1-5-96\")) \r\n || !((SubjectUserName == \"-\" || SubjectUserName ~ \"$\") \u0026\u0026 TargetUserSid == \"S-1-5-18\") )\r\n| lookup -r windows_login_types LogonType logon_type name as LogonName\r\n| printf -e LogonTypeInfo \"%v (%v)\" 
LogonName LogonType\r\n| printf -e SubjectUser \"%v\\\\%v\" SubjectDomainName SubjectUserName\r\n| printf -e TargetUser \"%v\\\\%v\" TargetDomainName TargetUserName\r\n| eval (if (TargetInfo == \"-\") {TargetInfo = \"\u003cSee Computer\u003e\";})\r\n| stats count by Computer SubjectUser TargetUser LogonTypeInfo LogonProcessName TargetInfo IpAddress\r\n| table count Computer SubjectUser TargetUser LogonTypeInfo LogonProcessName TargetInfo IpAddress\r\n","UUID":"357db0e6-7346-40af-8863-f3468f3ae991"},"Hash":[109,229,28,175,48,12,159,242,162,42,59,191,122,61,133,58,168,33,249,239,253,195,239,1,118,242,119,31,213,132,124,2]},{"Name":"6c233491-e28f-499b-babd-e63cd2620d8f","Type":"searchlibrary","AdditionalInfo":{"Name":"Windows Failed Logons Before User Locked Events","Description":"Count of failed logon events (4625,4771) based on information from 4740 events","Query":"@locked{tag=$WINDOWS_LOGON winlog TimeCreated EventID==4740 Computer as LockedOn TargetUserName as TUN TargetDomainName\r\n| printf -e LockedUser \"%v\\\\%v\" TargetDomainName TUN\r\n| table TUN};\r\ntag=$WINDOWS_LOGON winlog EventID Computer SubjectUserName SubjectDomainName TargetUserName TargetDomainName LogonType WorkstationName as TargetInfo IpAddress Status\r\n| eval (EventID == \"4625\" || EventID == \"4771\")\r\n| lookup -s -r @locked TargetUserName TUN\r\n| lookup -r windows_login_types LogonType logon_type name as LogonName\r\n| lookup -r windows_auth_fail_codes Status Code Description\r\n| printf -e LogonTypeInfo \"%v (%v)\" LogonName LogonType\r\n| printf -e SubjectUser \"%v\\\\%v\" SubjectDomainName SubjectUserName\r\n| printf -e TargetUser \"%v\\\\%v\" TargetDomainName TargetUserName\r\n| eval (if (EventID == \"4771\") {LogonTypeInfo = \"\"; KrbStatus = Status; SubjectUser = \"\"; TargetUser = TargetUserName;})\r\n| lookup -r windows_ticket_failure_codes KrbStatus code description as Description\r\n| stats count by Computer SubjectUser TargetUser Description Status LogonTypeInfo TargetInfo 
IpAddress\r\n| table count Computer SubjectUser TargetUser Description Status LogonTypeInfo TargetInfo IpAddress\r\n","UUID":"6c233491-e28f-499b-babd-e63cd2620d8f"},"Hash":[190,195,100,69,81,38,98,65,57,66,215,222,166,125,79,112,223,13,104,223,161,180,11,19,238,255,49,183,113,65,215,53]},{"Name":"4eea7c70-4a4d-4448-9e61-1e3921fa1647","Type":"searchlibrary","AdditionalInfo":{"Name":"Windows Failed Logon Events Overview","Description":"Chart of total failed Windows logon events","Query":"tag=$WINDOWS_LOGON winlog EventID\r\n| eval (EventID == \"4625\" || EventID == \"4771\")\r\n| stats count\r\n| chart count","UUID":"4eea7c70-4a4d-4448-9e61-1e3921fa1647"},"Hash":[171,247,50,165,221,74,137,67,20,43,199,210,166,219,96,127,10,166,221,223,101,100,39,138,49,187,96,48,85,126,68,175]},{"Name":"0ada9df6-c1ef-4b53-917b-18929ee6cf42","Type":"searchlibrary","AdditionalInfo":{"Name":"Windows Group Deletion Events","Description":"","Query":"tag=$WINDOWS_GROUP winlog EventID TimeCreated Computer TargetUserName TargetDomainName SubjectUserName SubjectDomainName\r\n| regex -e EventID \"^(4730|4734|4748|4753|4758|4763)$\"\r\n| lookup -r windows_eventid_messages EventID ID Message\r\n| printf -e TargetGroup \"%v\\\\%v\" TargetDomainName TargetUserName\r\n| printf -e DeletedBy \"%v\\\\%v\" SubjectDomainName SubjectUserName\r\n| table TimeCreated Message Computer TargetGroup DeletedBy","UUID":"0ada9df6-c1ef-4b53-917b-18929ee6cf42"},"Hash":[129,114,165,10,126,84,67,124,240,44,120,125,207,146,30,255,9,85,255,97,190,187,219,192,67,1,67,241,210,244,235,143]},{"Name":"c2d9a4e7-97b3-4c42-a4da-eb03613105ed","Type":"searchlibrary","AdditionalInfo":{"Name":"Windows Group Events Overview","Description":"Chart of total Windows group events","Query":"tag=$WINDOWS_GROUP winlog EventID\r\n| regex -e EventID \"^(4727|4728|4729|4730|4731|4732|4733|4734|4735|4736|4737|4744|4745|4746|4747|4749|4750|4751|4752|4753|4754|4755|4756|4757|4758|4759|4760|4761|4762|4763|4764)$\"\r\n| stats count\r\n| chart by 
count","UUID":"c2d9a4e7-97b3-4c42-a4da-eb03613105ed"},"Hash":[126,251,57,153,111,107,184,120,215,153,240,254,228,21,215,127,60,176,164,10,199,52,190,117,69,178,22,100,206,89,33,61]},{"Name":"4fac7213-53c4-4697-af4d-98ec2b88585b","Type":"searchlibrary","AdditionalInfo":{"Name":"Windows Member Removed from Group Events","Description":"","Query":"tag=$WINDOWS_GROUP winlog EventID TimeCreated Computer MemberName MemberSid TargetUserName TargetDomainName SubjectUserName SubjectDomainName\r\n| regex -e EventID \"^(4729|4733|4747|4752|4757|4762)$\"\r\n| lookup -r windows_eventid_messages EventID ID Message\r\n| printf -e TargetGroup \"%v\\\\%v\" TargetDomainName TargetUserName\r\n| printf -e AddedBy \"%v\\\\%v\" SubjectDomainName SubjectUserName\r\n| printf -e MemberInfo \"%v (%v)\" MemberName MemberSid\r\n| table TimeCreated Message Computer MemberInfo TargetGroup AddedBy","UUID":"4fac7213-53c4-4697-af4d-98ec2b88585b"},"Hash":[12,51,201,218,84,68,130,207,110,103,4,73,149,154,246,169,65,198,37,86,64,96,42,253,31,156,218,86,52,64,120,254]},{"Name":"7f39e7e5-0168-4329-8640-4b5602962b83","Type":"searchlibrary","AdditionalInfo":{"Name":"Windows Group Creation Events","Description":"","Query":"tag=$WINDOWS_GROUP winlog EventID TimeCreated Computer TargetUserName TargetDomainName SubjectUserName SubjectDomainName SamAccountName\r\n| regex -e EventID \"^(4727|4731|4744|4749|4754|4759)$\"\r\n| lookup -r windows_eventid_messages EventID ID Message\r\n| printf -e GroupInfo \"%v\\\\%v (%v)\" TargetDomainName TargetUserName SamAccountName\r\n| printf -e CreatedBy \"%v\\\\%v\" SubjectDomainName SubjectUserName\r\n| table TimeCreated Message Computer GroupInfo CreatedBy","UUID":"7f39e7e5-0168-4329-8640-4b5602962b83"},"Hash":[162,19,108,86,121,120,102,55,232,127,63,138,208,156,127,147,86,227,101,64,38,126,40,107,52,85,110,56,68,112,33,77]},{"Name":"2ad90f84-5882-45ef-97dd-2f9ac157036f","Type":"searchlibrary","AdditionalInfo":{"Name":"Windows Member Added to Group 
Events","Description":"","Query":"tag=$WINDOWS_GROUP winlog EventID TimeCreated Computer MemberName MemberSid TargetUserName TargetDomainName SubjectUserName SubjectDomainName\r\n| regex -e EventID \"^(4728|4732|4746|4751|4756|4761)$\"\r\n| lookup -r windows_eventid_messages EventID ID Message\r\n| printf -e TargetGroup \"%v\\\\%v\" TargetDomainName TargetUserName\r\n| printf -e AddedBy \"%v\\\\%v\" SubjectDomainName SubjectUserName\r\n| printf -e MemberInfo \"%v (%v)\" MemberName MemberSid\r\n| table TimeCreated Message Computer MemberInfo TargetGroup AddedBy","UUID":"2ad90f84-5882-45ef-97dd-2f9ac157036f"},"Hash":[17,197,157,224,135,167,151,171,142,223,251,202,209,175,191,194,86,74,0,221,20,155,42,43,91,8,149,127,141,40,144,160]},{"Name":"fd18ce59-51b0-4c54-88fd-6d339fe759c0","Type":"searchlibrary","AdditionalInfo":{"Name":"Windows User Account Events Overview","Description":"","Query":"tag=$WINDOWS_USER winlog EventID\r\n| regex -e EventID \"^(4720|4722|4725|4726|4738|4767)$\"\r\n| stats count\r\n| chart count","UUID":"fd18ce59-51b0-4c54-88fd-6d339fe759c0"},"Hash":[183,49,43,50,155,13,38,26,190,136,10,255,166,116,128,126,53,230,113,238,246,125,45,174,5,184,25,215,200,49,59,154]},{"Name":"b8b7f045-ccde-44c2-8145-7e0282fb031e","Type":"searchlibrary","AdditionalInfo":{"Name":"Windows User Account Disabled Events","Description":"","Query":"tag=$WINDOWS_USER winlog EventID==4725 TimeCreated Computer TargetUserName TargetDomainName SubjectUserName SubjectDomainName SamAccountName\r\n| printf -e DisabledUser \"%v\\\\%v\" TargetDomainName TargetUserName\r\n| printf -e DisabledBy \"%v\\\\%v\" SubjectDomainName SubjectUserName\r\n| lookup -r windows_eventid_messages EventID ID Message\r\n| table TimeCreated Message DisabledUser DisabledBy 
Computer","UUID":"b8b7f045-ccde-44c2-8145-7e0282fb031e"},"Hash":[237,198,54,25,51,45,38,90,14,176,185,8,131,35,172,216,246,22,1,68,106,149,138,155,169,75,218,52,121,94,47,17]},{"Name":"62877004-2fd0-4e44-878b-545ac03a3b52","Type":"searchlibrary","AdditionalInfo":{"Name":"Windows User Account Enabled Events","Description":"","Query":"tag=$WINDOWS_USER winlog EventID==4722 TimeCreated Computer TargetUserName TargetDomainName SubjectUserName SubjectDomainName SamAccountName\r\n| printf -e EnabledUser \"%v\\\\%v\" TargetDomainName TargetUserName\r\n| printf -e EnabledBy \"%v\\\\%v\" SubjectDomainName SubjectUserName\r\n| lookup -r windows_eventid_messages EventID ID Message\r\n| table TimeCreated Message EnabledUser EnabledBy Computer","UUID":"62877004-2fd0-4e44-878b-545ac03a3b52"},"Hash":[112,253,224,168,204,202,241,163,162,0,176,208,70,195,127,0,235,252,0,85,55,115,45,4,246,141,136,33,26,85,228,216]},{"Name":"2132275b-1f4f-4803-9b0a-68c008ba70ef","Type":"searchlibrary","AdditionalInfo":{"Name":"Windows User Account Deleted Events","Description":"","Query":"tag=$WINDOWS_USER winlog EventID==4726 TimeCreated Computer TargetUserName TargetDomainName SubjectUserName SubjectDomainName SamAccountName\r\n| printf -e DeletedUser \"%v\\\\%v\" TargetDomainName TargetUserName\r\n| printf -e DeletedBy \"%v\\\\%v\" SubjectDomainName SubjectUserName\r\n| lookup -r windows_eventid_messages EventID ID Message\r\n| table TimeCreated Message DeletedUser DeletedBy Computer","UUID":"2132275b-1f4f-4803-9b0a-68c008ba70ef"},"Hash":[94,35,20,2,64,194,70,72,118,254,80,26,0,193,120,168,251,120,193,252,150,190,144,50,65,148,243,107,201,127,4,177]},{"Name":"b1e0b8c8-a75c-4a3c-ad03-c059555447f9","Type":"searchlibrary","AdditionalInfo":{"Name":"Windows User Account Changed Events","Description":"","Query":"tag=$WINDOWS_USER winlog EventID==4738 TimeCreated Computer TargetUserName TargetDomainName SubjectUserName SubjectDomainName SamAccountName\r\n| printf -e ChangedUser \"%v\\\\%v\" 
TargetDomainName TargetUserName\r\n| printf -e ChangedBy \"%v\\\\%v\" SubjectDomainName SubjectUserName\r\n| lookup -r windows_eventid_messages EventID ID Message\r\n| table TimeCreated Message ChangedUser ChangedBy Computer","UUID":"b1e0b8c8-a75c-4a3c-ad03-c059555447f9"},"Hash":[73,239,95,86,146,194,73,29,44,84,38,131,115,26,132,250,171,223,86,195,241,0,71,26,69,235,205,170,62,55,170,145]},{"Name":"a36b1f55-2be8-467a-a38c-8430702ef632","Type":"searchlibrary","AdditionalInfo":{"Name":"Windows User Account Unlocked Events","Description":"","Query":"tag=$WINDOWS_USER winlog EventID==4767 TimeCreated Computer TargetUserName TargetDomainName SubjectUserName SubjectDomainName SamAccountName\r\n| printf -e UnlockedUser \"%v\\\\%v\" TargetDomainName TargetUserName\r\n| printf -e UnlockedBy \"%v\\\\%v\" SubjectDomainName SubjectUserName\r\n| lookup -r windows_eventid_messages EventID ID Message\r\n| table TimeCreated Message UnlockedUser UnlockedBy Computer","UUID":"a36b1f55-2be8-467a-a38c-8430702ef632"},"Hash":[159,210,115,99,168,102,135,246,120,75,214,11,172,79,140,32,208,81,186,232,194,177,28,99,123,84,166,70,167,14,223,130]},{"Name":"ed15965b-0d12-42b0-8b4b-b2752a59c765","Type":"searchlibrary","AdditionalInfo":{"Name":"Windows User Account Created Events","Description":"","Query":"tag=$WINDOWS_USER winlog EventID==4720 TimeCreated Computer TargetUserName TargetDomainName SubjectUserName SubjectDomainName SamAccountName\r\n| printf -e NewUser \"%v\\\\%v\" TargetDomainName TargetUserName\r\n| printf -e CreatedBy \"%v\\\\%v\" SubjectDomainName SubjectUserName\r\n| lookup -r windows_eventid_messages EventID ID Message\r\n| table TimeCreated Message NewUser CreatedBy Computer","UUID":"ed15965b-0d12-42b0-8b4b-b2752a59c765"},"Hash":[252,212,203,225,192,161,50,155,248,104,182,21,203,250,105,37,87,31,150,244,128,214,10,81,27,133,14,225,249,253,155,241]},{"Name":"68b41439-3993-4af2-9d7a-5db001b0e54b","Type":"searchlibrary","AdditionalInfo":{"Name":"Windows Event Log Cleared 
events","Description":"Details from event log cleared events","Query":"tag=$WINDOWS_EVENTLOG_CLEARED winlog -s TimeCreated EventID Computer as LogClearedOn UserData\r\n| eval ((EventID == \"104\") || EventID == \"1102\")\r\n| xml -e UserData LogFileCleared.SubjectUserName as SubjectUserName LogFileCleared.SubjectDomainName as SubjectDomainName LogFileCleared.Channel as ClearedLogName\r\n| eval (if (EventID == \"1102\") {ClearedLogName = \"Security\";})\r\n| printf -e LogClearedBy \"%v\\\\%v\" SubjectDomainName SubjectUserName\r\n| table TimeCreated LogClearedOn ClearedLogName LogClearedBy\r\n","UUID":"68b41439-3993-4af2-9d7a-5db001b0e54b"},"Hash":[17,96,169,243,0,246,102,153,250,194,33,243,131,119,154,132,59,119,204,175,249,55,41,112,198,146,178,195,221,180,236,32]},{"Name":"59b0e472-3f9a-42c0-982d-3126923b97ae","Type":"searchlibrary","AdditionalInfo":{"Name":"Windows - Potential PTH logon","Description":"Details about potential pass the hash logons","Query":"tag=$WINDOWS_LOGON winlog TimeCreated Computer EventID SubjectUserSid SubjectDomainName SubjectUserName TargetDomainName TargetUserName LogonType LogonProcessName KeyLength WorkstationName IpAddress\r\n| eval (EventID==\"4624\" || EventID==\"4625\")\r\n| eval ((SubjectUserSid==\"S-1-0-0\" \u0026\u0026 LogonType==\"3\" \u0026\u0026 LogonProcessName==\"NtLmSsp\") || (LogonType==\"9\" \u0026\u0026 LogonProcessName==\"seclogo\"))\r\n| lookup -r windows_login_types LogonType logon_type name as LogonName\r\n| unique TimeCreated Computer TargetDomainName TargetUserName IpAddress LogonName LogonType LogonProcessName\r\n| printf -e TargetUser \"%v\\\\%v\" TargetDomainName TargetUserName\r\n| printf -e LogonTypeInfo \"%v (%v)\" LogonName LogonType\r\n| table TimeCreated Computer TargetUser IpAddress LogonTypeInfo 
LogonProcessName\r\n","UUID":"59b0e472-3f9a-42c0-982d-3126923b97ae"},"Hash":[40,59,223,109,117,229,62,129,92,242,79,55,237,14,28,24,33,86,205,14,147,144,255,146,251,229,212,220,249,229,250,115]},{"Name":"e791dd04-945c-416c-a290-5e3e96274a58","Type":"file","AdditionalInfo":{"UUID":"e791dd04-945c-416c-a290-5e3e96274a58","Name":"timo-c-dinger-Oo3L5fL1lBU-unsplash.jpg","Description":"Cover for Windows Kit","Size":114970,"ContentType":"image/jpeg"},"Hash":[74,82,90,72,225,123,245,216,204,23,239,148,92,40,67,135,197,219,53,202,130,117,249,2,221,170,152,230,186,85,6,216]},{"Name":"a75d008a-13d6-4d82-8641-d90a0315a0d8","Type":"file","AdditionalInfo":{"UUID":"a75d008a-13d6-4d82-8641-d90a0315a0d8","Name":"timo-c-dinger-Oo3L5fL1lBU-unsplash.jpg","Description":"Banner for Windows Kit","Size":114970,"ContentType":"image/jpeg"},"Hash":[34,206,91,13,90,186,16,7,230,137,147,46,189,228,43,200,224,76,92,234,78,9,112,123,28,72,31,40,178,102,145,44]},{"Name":"9177296d-d3c1-4240-87e5-a89278c7fb4a","Type":"file","AdditionalInfo":{"UUID":"9177296d-d3c1-4240-87e5-a89278c7fb4a","Name":"icon file for kit build \"Windows v2\"","Description":"","Size":114970,"ContentType":"image/jpeg"},"Hash":[136,133,219,166,222,1,114,135,45,34,245,16,131,139,13,2,178,187,76,4,129,49,245,173,50,253,168,203,81,101,164,11]},{"Name":"3add526e-3523-445d-bbfc-050c06546d81","Type":"file","AdditionalInfo":{"UUID":"3add526e-3523-445d-bbfc-050c06546d81","Name":"cover file for kit build \"Windows v2\"","Description":"","Size":114970,"ContentType":"image/jpeg"},"Hash":[122,42,166,178,115,5,165,203,236,146,109,0,62,12,240,175,218,9,165,115,162,146,82,2,51,6,178,149,109,241,167,239]},{"Name":"044e554a-4cc4-49fc-9942-07e9ca778edd","Type":"file","AdditionalInfo":{"UUID":"044e554a-4cc4-49fc-9942-07e9ca778edd","Name":"banner file for kit build \"Windows 
v2\"","Description":"","Size":114970,"ContentType":"image/jpeg"},"Hash":[232,169,139,91,162,139,14,47,24,217,202,181,104,158,66,92,116,29,99,159,247,163,240,110,182,140,71,136,65,189,202,17]},{"Name":"f1524abf-f14a-46a1-8998-ef3ed937a739","Type":"playbook","AdditionalInfo":{"UUID":"f1524abf-f14a-46a1-8998-ef3ed937a739","Name":"Windows Kit","Description":""},"Hash":[184,21,29,199,221,210,130,110,150,175,158,178,208,139,159,238,17,18,207,99,236,202,74,50,42,84,7,40,96,40,198,139]},{"Name":"4f35c78a-ce4a-424e-ab24-9b6e9ed85e91","Type":"playbook","AdditionalInfo":{"UUID":"4f35c78a-ce4a-424e-ab24-9b6e9ed85e91","Name":"Windows Event Forwarding and Collection","Description":""},"Hash":[91,204,102,11,31,129,101,25,59,122,251,7,49,1,221,25,174,167,55,208,179,227,87,212,81,120,172,112,145,3,224,55]}],"ConfigMacros":[{"MacroName":"WINDOWS_ALL","Description":"Expression for or list of all windows tags","DefaultValue":"windows","Value":"","Type":"STRING","InstalledByID":""},{"MacroName":"WINDOWS_GROUP","Description":"Windows tag containing group events","DefaultValue":"windows","Value":"","Type":"STRING","InstalledByID":""},{"MacroName":"WINDOWS_LOGON","Description":"Windows tag containing logon events","DefaultValue":"windows","Value":"","Type":"STRING","InstalledByID":""},{"MacroName":"WINDOWS_USER","Description":"Windows tag containing user account events","DefaultValue":"windows","Value":"","Type":"STRING","InstalledByID":""},{"MacroName":"WINDOWS_EVENTLOG_CLEARED","Description":"Windows tags containing security and system events i.e. 
windows_security,windows_system","DefaultValue":"windows","Value":"","Type":"STRING","InstalledByID":""}]},{"ID":"io.gravwell.windows.resource","Name":"Windows Resources","UUID":"fc95288f-4c06-451e-8a50-96b75f75c348","Version":4,"Description":"# Gravwell Windows Resource Kit\n\nThis kit contains helpful lookup resources and scripts that make handling encoded values in windows logs easier.\n\nThis kit is generally a dependency to other kits and provides little value on its own.\n\n\n## Contents\n\n- SID lookup resource\n- Permission bit decoder\n- Limited EventID lookup resource","Readme":"","Signed":true,"AdminRequired":false,"MinVersion":{"Major":5,"Minor":4,"Point":11},"MaxVersion":{"Major":0,"Minor":0,"Point":0},"Size":863232,"Created":"2024-08-05T16:23:20.026135603Z","Ingesters":["winevent"],"Tags":["windows","sysmon"],"Assets":[{"Type":"image","Source":"cover.jpg","Legend":"Windows Resources","Featured":true,"Banner":false},{"Type":"readme","Source":"README.md","Legend":"","Featured":false,"Banner":false}],"Dependencies":null,"Items":[{"Name":"windows_security_ids","Type":"resource","AdditionalInfo":{"VersionNumber":3,"ResourceName":"windows_security_ids","Description":"Maps Windows security IDs (e.g. 
\"S-1-5-18\") to friendly names/descriptions (\"Local System\"/\"A service account that is used by the operating system.\")","Size":17075,"Labels":null},"Hash":[141,186,238,153,49,227,71,240,100,53,12,80,22,255,239,50,43,73,154,205,181,245,70,118,101,210,254,187,151,146,43,229]},{"Name":"windows_access_flags","Type":"resource","AdditionalInfo":{"VersionNumber":17,"ResourceName":"windows_access_flags","Description":"Anko script to process Sysmon GrantAccess bitmasks","Size":1756,"Labels":null},"Hash":[193,252,114,132,227,127,53,2,7,181,18,176,43,40,44,25,219,81,161,121,183,126,236,112,220,228,89,195,119,157,4,108]},{"Name":"windows_error_codes","Type":"resource","AdditionalInfo":{"VersionNumber":4,"ResourceName":"windows_error_codes","Description":"Windows winerror.h error codes and description resource","Size":335711,"Labels":null},"Hash":[167,194,124,31,217,45,227,238,51,1,57,143,87,31,69,97,249,136,216,139,63,190,203,88,178,196,254,92,44,72,254,23]},{"Name":"windows_login_types","Type":"resource","AdditionalInfo":{"VersionNumber":3,"ResourceName":"windows_login_types","Description":"Maps Windows event LogonType values to a name and description","Size":861,"Labels":null},"Hash":[126,129,224,45,19,150,222,73,152,176,204,219,233,20,104,115,92,170,193,202,31,33,136,116,121,12,209,100,149,81,130,118]},{"Name":"80c345f2-d99b-489b-b1fb-2ceaf757338d","Type":"file","AdditionalInfo":{"UUID":"80c345f2-d99b-489b-b1fb-2ceaf757338d","Name":"resourcetest cover","Description":"","Size":264546,"ContentType":"image/jpeg"},"Hash":[181,76,7,249,191,85,130,199,118,145,125,98,153,197,87,129,224,64,109,96,115,156,195,105,143,230,137,158,239,132,247,123]},{"Name":"windows_ticket_encryption_types","Type":"resource","AdditionalInfo":{"VersionNumber":1,"ResourceName":"windows_ticket_encryption_types","Description":"Maps Windows ticket encryption types to names and 
descriptions","Size":657,"Labels":null},"Hash":[35,10,48,68,107,107,228,196,153,181,219,143,37,240,17,180,221,183,36,102,153,122,234,186,184,136,193,179,127,54,249,38]},{"Name":"windows_ticket_failure_codes","Type":"resource","AdditionalInfo":{"VersionNumber":1,"ResourceName":"windows_ticket_failure_codes","Description":"CSV of Kerberos ticket request failure codes and descriptions","Size":15141,"Labels":null},"Hash":[38,29,41,251,195,195,59,80,10,178,105,70,48,147,214,252,6,195,160,116,160,248,184,172,88,248,36,61,245,211,10,160]}],"ConfigMacros":null}]