<form>
<label>ElJefe_OverSight</label>
<fieldset submitButton="false" autoRun="false">
<input type="time" token="field1" searchWhenChanged="true">
<label/>
<default>
<earliestTime>@d</earliestTime>
<latestTime>now</latestTime>
</default>
</input>
<input type="text" token="hostname" searchWhenChanged="true">
<label>Hostname</label>
<default>*</default>
</input>
</fieldset>
<row>
<panel>
<chart>
<title>Number of Events</title>
<searchString>sourcetype="eljefe" station=$hostname$ | stats count by station | sort -count</searchString>
<earliestTime>$field1.earliest$</earliestTime>
<latestTime>$field1.latest$</latestTime>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">false</option>
<option name="charting.axisY2.scale">linear</option>
<option name="charting.chart">column</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">bottom</option>
<option name="wrap">true</option>
<option name="rowNumbers">false</option>
<option name="dataOverlayMode">none</option>
<option name="count">10</option>
</chart>
</panel>
<panel>
<chart>
<title>Binaries by time</title>
<searchString>sourcetype=eljefe | timechart count(parent_binary) as processes by station</searchString>
<earliestTime>$field1.earliest$</earliestTime>
<latestTime>$field1.latest$</latestTime>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">false</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">line</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
</chart>
</panel>
</row>
<row>
<panel>
<table>
<title>Unique Binaries</title>
<searchString>sourcetype="eljefe" $hostname$|table station child_binary parent_binary user privileges parent_hash_sha256 |dedup parent_hash_sha256</searchString>
<earliestTime>$field1.earliest$</earliestTime>
<latestTime>$field1.latest$</latestTime>
<option name="wrap">true</option>
<option name="rowNumbers">false</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="count">10</option>
</table>
</panel>
<panel>
<table>
<title>Rare Children Overview</title>
<searchString>sourcetype=eljefe | transaction parent_pid parent_binary child_binary station| rare child_binary by station limit=3</searchString>
<earliestTime>$field1.earliest$</earliestTime>
<latestTime>$field1.latest$</latestTime>
<option name="wrap">true</option>
<option name="rowNumbers">false</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="count">10</option>
</table>
</panel>
</row>
<row>
<panel>
<table>
<title>Processes executed from temp</title>
<searchString>sourcetype=eljefe parent_binary=*temp* child_binary!=*MpCmdRun.exe| table station parent_binary child_binary</searchString>
<earliestTime>$field1.earliest$</earliestTime>
<latestTime>$field1.latest$</latestTime>
<option name="wrap">true</option>
<option name="rowNumbers">false</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="count">10</option>
</table>
</panel>
<panel>
<table>
<title>Potentially Dangerous</title>
<searchString>sourcetype=eljefe parent_binary=*lsass.exe OR child_binary=*lsass.exe | table station parent_binary child_binary</searchString>
<earliestTime>$field1.earliest$</earliestTime>
<latestTime>$field1.latest$</latestTime>
<option name="wrap">true</option>
<option name="rowNumbers">false</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
</table>
</panel>
</row>
</form>