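<form>
  <label>ElJefe_OverSight</label>
  <!--
    Overview dashboard for El Jefe process-execution telemetry (sourcetype "eljefe").
    Fields referenced below and visible in the event data: station, parent_binary,
    child_binary, parent_pid, parent_hash_sha256, user, privileges.

    Every panel is scoped by the shared time picker ($field1) AND the hostname
    token, so all six views describe the same host selection.

    The hostname token is always inserted as $hostname|s$. The |s filter wraps
    the value in double quotes and escapes embedded quotes/backslashes, so text
    typed into the Hostname box is treated as a literal field value and cannot
    append search commands (e.g. "* | delete") to the SPL. A quoted "*" still
    behaves as a wildcard, so the default of * keeps the all-hosts view.
  -->
  <fieldset submitButton="false" autoRun="false">
    <input type="time" token="field1" searchWhenChanged="true">
      <label>Time range</label>
      <default>
        <earliestTime>@d</earliestTime>
        <latestTime>now</latestTime>
      </default>
    </input>
    <input type="text" token="hostname" searchWhenChanged="true">
      <label>Hostname</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <title>Number of Events</title>
        <!-- Event volume per station; a sudden spike or a silent host both stand out here. -->
        <searchString>sourcetype="eljefe" station=$hostname|s$ | stats count by station | sort -count</searchString>
        <earliestTime>$field1.earliest$</earliestTime>
        <latestTime>$field1.latest$</latestTime>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">false</option>
        <option name="charting.axisY2.scale">linear</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">bottom</option>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
      </chart>
    </panel>
    <panel>
      <chart>
        <title>Binaries by time</title>
        <!--
          Process launches over time, one series per station. Previously this panel
          ignored the Hostname input; it now honours it like the other panels.
        -->
        <searchString>sourcetype="eljefe" station=$hostname|s$ | timechart count(parent_binary) as processes by station</searchString>
        <earliestTime>$field1.earliest$</earliestTime>
        <latestTime>$field1.latest$</latestTime>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">false</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>Unique Binaries</title>
        <!--
          One row per distinct parent_hash_sha256. The original search dropped the
          bare token into the search ("sourcetype=eljefe $hostname$"), which matched
          any field and was the injection point; it is now a quoted station= filter
          like every other panel. Note the hash is the PARENT's hash only: the
          child_binary column is just the first child seen for that parent and
          child binaries are not themselves deduplicated by hash.
          dedup runs before table so events are trimmed before formatting; the
          visible result is the same (first event per hash is kept).
        -->
        <searchString>sourcetype="eljefe" station=$hostname|s$ | dedup parent_hash_sha256 | table station child_binary parent_binary user privileges parent_hash_sha256</searchString>
        <earliestTime>$field1.earliest$</earliestTime>
        <latestTime>$field1.latest$</latestTime>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
      </table>
    </panel>
    <panel>
      <table>
        <title>Rare Children Overview</title>
        <!--
          Least-common child binaries per station (limit=3). transaction is kept for
          behavioural compatibility but is memory-heavy on large windows; if the
          panel times out, "| stats count by parent_pid parent_binary child_binary station"
          is the cheaper near-equivalent grouping to try.
        -->
        <searchString>sourcetype="eljefe" station=$hostname|s$ | transaction parent_pid parent_binary child_binary station | rare child_binary by station limit=3</searchString>
        <earliestTime>$field1.earliest$</earliestTime>
        <latestTime>$field1.latest$</latestTime>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>Processes executed from temp</title>
        <!--
          Matches a temp-path binary on EITHER side of the parent/child pair: a
          process launched from temp (child_binary) as well as a temp-resident
          parent spawning children. The original only checked parent_binary, so a
          single dropper executed from temp that spawned nothing was missed.
          The MpCmdRun.exe exclusion (Windows Defender's CLI, which legitimately
          runs out of temp) is a NAME match and is trivially spoofable; exclude
          by parent_hash_sha256 instead if false negatives are a concern.
        -->
        <searchString>sourcetype="eljefe" station=$hostname|s$ (parent_binary=*temp* OR child_binary=*temp*) child_binary!=*MpCmdRun.exe | table station parent_binary child_binary user</searchString>
        <earliestTime>$field1.earliest$</earliestTime>
        <latestTime>$field1.latest$</latestTime>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="count">10</option>
      </table>
    </panel>
    <panel>
      <table>
        <title>Potentially Dangerous</title>
        <!--
          Any process interaction involving lsass.exe (credential-dump indicator).
          The OR is parenthesised on purpose: SPL's implicit AND binds tighter than
          OR, so the original "sourcetype=eljefe parent_binary=*lsass.exe OR
          child_binary=*lsass.exe" parsed as (sourcetype AND parent) OR child and
          the child clause ran against every sourcetype in the index.
          user/privileges are shown because who touched lsass, and with what rights,
          is the first triage question.
        -->
        <searchString>sourcetype="eljefe" station=$hostname|s$ (parent_binary=*lsass.exe OR child_binary=*lsass.exe) | table station parent_binary child_binary user privileges</searchString>
        <earliestTime>$field1.earliest$</earliestTime>
        <latestTime>$field1.latest$</latestTime>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
      </table>
    </panel>
  </row>
</form>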