{ "id" : null, "name" : "Active Directory Auditing", "description" : "Active Directory Auditing Content Pack", "category" : "Active Directory, Windows, Operating Systems, Security", "inputs" : [ { "title" : "WinLogs-gelf", "configuration" : { "port" : 5414, "override_source" : "", "bind_address" : "0.0.0.0", "recv_buffer_size" : 1048576 }, "type" : "org.graylog2.inputs.gelf.udp.GELFUDPInput", "global" : true, "extractors" : [ ], "static_fields" : { } } ], "streams" : [ { "id" : "54b59893e4b0de02bdd8439c", "title" : "AD Failed Logons", "description" : "AD Failed Logons", "disabled" : false, "outputs" : [ ], "stream_rules" : [ { "type" : "EXACT", "field" : "EventID", "value" : "4625", "inverted" : false } ] } ], "outputs" : [ ], "dashboards" : [ { "title" : "AD Summary (7d)", "description" : "AD Summary (7d)", "dashboard_widgets" : [ { "description" : "Account Lockouts ", "type" : "SEARCH_RESULT_COUNT", "configuration" : { "timerange" : { "type" : "relative", "range" : 604800 }, "lower_is_better" : false, "trend" : true, "query" : "EventID:4740" }, "col" : 2, "row" : 1, "cache_time" : 300 }, { "description" : "Account Creations", "type" : "SEARCH_RESULT_COUNT", "configuration" : { "timerange" : { "type" : "relative", "range" : 604800 }, "lower_is_better" : false, "trend" : true, "query" : "EventID:631 OR EventID:635 OR EventID:658 OR EventID:4727 OR EventID:4731 OR EventID:4754" }, "col" : 1, "row" : 1, "cache_time" : 300 }, { "description" : "Groups Created", "type" : "SEARCH_RESULT_COUNT", "configuration" : { "timerange" : { "type" : "relative", "range" : 604800 }, "lower_is_better" : false, "trend" : true, "query" : "EventID:631 OR EventID:635 OR EventID:658 OR EventID:4727 OR EventID:4731 OR EventID:4754" }, "col" : 3, "row" : 1, "cache_time" : 300 }, { "description" : "Account Deletions", "type" : "SEARCH_RESULT_COUNT", "configuration" : { "timerange" : { "type" : "relative", "range" : 604800 }, "lower_is_better" : false, "trend" : true, "query" : "EventID:630 OR EventID:4726" }, "col" : 1, "row" : 2, "cache_time" : 300 }, { "description" : "Account Unlocks", "type" : "SEARCH_RESULT_COUNT", "configuration" : { "timerange" : { "type" : "relative", "range" : 604800 }, "lower_is_better" : false, "trend" : true, "query" : "EventID:4767" }, "col" : 2, "row" : 2, "cache_time" : 300 }, { "description" : "Group Membership Changes", "type" : "SEARCH_RESULT_COUNT", "configuration" : { "timerange" : { "type" : "relative", "range" : 604800 }, "lower_is_better" : false, "trend" : true, "query" : "EventID:4728 OR EventID:4729 OR EventID:4732 OR EventID:4733 OR EventID:4756 OR EventID:4757" }, "col" : 3, "row" : 2, "cache_time" : 300 }, { "description" : "Group Modifications", "type" : "SEARCH_RESULT_COUNT", "configuration" : { "timerange" : { "type" : "relative", "range" : 604800 }, "lower_is_better" : false, "trend" : true, "query" : "((EventID:4764 OR EventID:4735 OR EventID:4737 OR EventID:4755) AND NOT SamAccountName:\\-)" }, "col" : 4, "row" : 2, "cache_time" : 300 }, { "description" : "Groups Deleted", "type" : "SEARCH_RESULT_COUNT", "configuration" : { "timerange" : { "type" : "relative", "range" : 604800 }, "lower_is_better" : false, "trend" : true, "query" : "EventID:634 OR EventID:638 OR EventID:662 OR EventID:4730 OR EventID:4734 OR EventID:4758" }, "col" : 4, "row" : 1, "cache_time" : 300 } ] }, { "title" : "AD DNS Object Summary (7d)", "description" : "AD DNS Object Summary (7d)", "dashboard_widgets" : [ { "description" : "Created DNS Objects By User", "type" : "SEARCH_RESULT_CHART", "configuration" : { "timerange" : { "type" : "relative", "range" : 604800 }, "interval" : "hour", "query" : "EventID:5137 AND ObjectClass:dnsNode AND created AND NOT (SubjectUserName:*$ OR SubjectUserName:SYSTEM OR SubjectUserName:\\-)" }, "col" : 1, "row" : 1, "cache_time" : 300 }, { "description" : "Created DNS Objects By User", "type" : "SEARCH_RESULT_COUNT", "configuration" : { "timerange" : { "type" : "relative", "range" : 604800 }, "lower_is_better" : false, "trend" : false, "query" : "EventID:5137 AND ObjectClass:dnsNode AND created AND NOT (SubjectUserName:*$ OR SubjectUserName:SYSTEM OR SubjectUserName:\\-)" }, "col" : 3, "row" : 1, "cache_time" : 300 }, { "description" : "Created DNS Objects By User", "type" : "QUICKVALUES", "configuration" : { "timerange" : { "type" : "relative", "range" : 604800 }, "field" : "SubjectUserName", "show_pie_chart" : false, "query" : "EventID:5137 AND ObjectClass:dnsNode AND created AND NOT (SubjectUserName:*$ OR SubjectUserName:SYSTEM OR SubjectUserName:\\-)", "show_data_table" : true }, "col" : 1, "row" : 2, "cache_time" : 300 }, { "description" : "Created DNS Objects By Source", "type" : "QUICKVALUES", "configuration" : { "timerange" : { "type" : "relative", "range" : 604800 }, "field" : "source", "show_pie_chart" : false, "query" : "EventID:5137 AND ObjectClass:dnsNode AND created AND NOT (SubjectUserName:*$ OR SubjectUserName:SYSTEM OR SubjectUserName:\\-)", "show_data_table" : true }, "col" : 2, "row" : 2, "cache_time" : 300 }, { "description" : "Created DNS Objects", "type" : "QUICKVALUES", "configuration" : { "timerange" : { "type" : "relative", "range" : 604800 }, "field" : "ObjectDN", "show_pie_chart" : false, "query" : "EventID:5137 AND ObjectClass:dnsNode AND created AND NOT (SubjectUserName:*$ OR SubjectUserName:SYSTEM OR SubjectUserName:\\-)", "show_data_table" : true }, "col" : 3, "row" : 2, "cache_time" : 300 }, { "description" : "Deleted DNS Objects By User", "type" : "SEARCH_RESULT_CHART", "configuration" : { "timerange" : { "type" : "relative", "range" : 604800 }, "interval" : "hour", "query" : "((EventID:5136 AND AttributeLDAPDisplayName:dNSTombstoned) OR (EventID:5141)) AND ObjectClass:dnsNode AND deleted AND NOT (SubjectUserName:*$ OR SubjectUserName:SYSTEM)" }, "col" : 1, "row" : 4, "cache_time" : 300 }, { "description" : "Deleted DNS Objects By User", "type" : "SEARCH_RESULT_COUNT", "configuration" : { "timerange" : { "type" : "relative", "range" : 604800 }, "lower_is_better" : false, "trend" : false, "query" : "((EventID:5136 AND AttributeLDAPDisplayName:dNSTombstoned) OR (EventID:5141)) AND ObjectClass:dnsNode AND deleted AND NOT (SubjectUserName:*$ OR SubjectUserName:SYSTEM)" }, "col" : 3, "row" : 4, "cache_time" : 300 }, { "description" : "Deleted DNS Objects By User", "type" : "QUICKVALUES", "configuration" : { "timerange" : { "type" : "relative", "range" : 604800 }, "field" : "SubjectUserName", "show_pie_chart" : false, "query" : "((EventID:5136 AND AttributeLDAPDisplayName:dNSTombstoned) OR (EventID:5141)) AND ObjectClass:dnsNode AND deleted AND NOT (SubjectUserName:*$ OR SubjectUserName:SYSTEM)", "show_data_table" : true }, "col" : 1, "row" : 5, "cache_time" : 300 }, { "description" : "Deleted DNS Objects By Source", "type" : "QUICKVALUES", "configuration" : { "timerange" : { "type" : "relative", "range" : 604800 }, "field" : "source", "show_pie_chart" : false, "query" : "((EventID:5136 AND AttributeLDAPDisplayName:dNSTombstoned) OR (EventID:5141)) AND ObjectClass:dnsNode AND deleted AND NOT (SubjectUserName:*$ OR SubjectUserName:SYSTEM)", "show_data_table" : true }, "col" : 2, "row" : 5, "cache_time" : 300 }, { "description" : "Deleted DNS Objects", "type" : "QUICKVALUES", "configuration" : { "timerange" : { "type" : "relative", "range" : 604800 }, "field" : "ObjectDN", "show_pie_chart" : false, "query" : "((EventID:5136 AND AttributeLDAPDisplayName:dNSTombstoned) OR (EventID:5141)) AND ObjectClass:dnsNode AND deleted AND NOT (SubjectUserName:*$ OR SubjectUserName:SYSTEM)", "show_data_table" : true }, "col" : 3, "row" : 5, "cache_time" : 300 } ] }, { "title" : "AD User Object Summary (7d)", "description" : "AD User Object Creations/Deletions", "dashboard_widgets" : [ { "description" : "Account Unlocks By User", "type" : "QUICKVALUES", "configuration" : { "field" : "SubjectUserName", "query" : "EventID:4767", "timerange" : { "range" : 604800, "type" : "relative" } }, "col" : 1, "row" : 11, "cache_time" : 10 }, { "description" : "Accounts Unlocked", "type" : "QUICKVALUES", "configuration" : { "field" : "TargetUserName", "query" : "EventID:4767", "timerange" : { "range" : 604800, "type" : "relative" } }, "col" : 3, "row" : 11, "cache_time" : 300 }, { "description" : "Unlocks By Source", "type" : "QUICKVALUES", "configuration" : { "field" : "source", "query" : "EventID:4767", "timerange" : { "range" : 604800, "type" : "relative" } }, "col" : 2, "row" : 11, "cache_time" : 10 }, { "description" : "Account Lockouts By Source", "type" : "QUICKVALUES", "configuration" : { "field" : "source", "query" : "EventID:4740", "timerange" : { "range" : 604800, "type" : "relative" } }, "col" : 2, "row" : 8, "cache_time" : 10 }, { "description" : "Account Lockouts By Machine", "type" : "QUICKVALUES", "configuration" : { "field" : "TargetDomainName", "query" : "EventID:4740", "timerange" : { "range" : 604800, "type" : "relative" } }, "col" : 1, "row" : 8, "cache_time" : 10 }, { "description" : "Account Unlocks", "type" : "SEARCH_RESULT_COUNT", "configuration" : { "timerange" : { "type" : "relative", "range" : 604800 }, "lower_is_better" : false, "trend" : false, "query" : "EventID:4767" }, "col" : 3, "row" : 10, "cache_time" : 10 }, { "description" : "Account Unlocks", "type" : "SEARCH_RESULT_CHART", "configuration" : { "timerange" : { "type" : "relative", "range" : 604800 }, "interval" : "hour", "query" : "EventID:4767" }, "col" : 1, "row" : 10, "cache_time" : 10 }, { "description" : "Account Lockouts", "type" : "SEARCH_RESULT_CHART", "configuration" : { "timerange" : { "type" : "relative", "range" : 604800 }, "interval" : "hour", "query" : "EventID:4740" }, "col" : 1, "row" : 7, "cache_time" : 10 }, { "description" : "Account Lockouts", "type" : "SEARCH_RESULT_COUNT", "configuration" : { "timerange" : { "type" : "relative", "range" : 604800 }, "lower_is_better" : false, "trend" : false, "query" : "EventID:4740" }, "col" : 3, "row" : 7, "cache_time" : 10 }, { "description" : "Accounts Lockedout", "type" : "QUICKVALUES", "configuration" : { "timerange" : { "type" : "relative", "range" : 604800 }, "field" : "TargetUserName", "show_pie_chart" : false, "query" : "EventID:4740", "show_data_table" : true }, "col" : 3, "row" : 8, "cache_time" : 10 }, { "description" : "Accounts Deleted By Source", "type" : "QUICKVALUES", "configuration" : { "timerange" : { "type" : "relative", "range" : 604800 }, "field" : "source", "show_pie_chart" : false, "query" : "EventID:630 OR EventID:4726", "show_data_table" : true }, "col" : 2, "row" : 5, "cache_time" : 300 }, { "description" : "Deleted Accounts", "type" : "QUICKVALUES", "configuration" : { "timerange" : { "type" : "relative", "range" : 604800 }, "field" : "TargetUserName", "show_pie_chart" : false, "query" : "EventID:630 OR EventID:4726", "show_data_table" : true }, "col" : 3, "row" : 5, "cache_time" : 300 }, { "description" : "Accounts Deleted By User", "type" : "QUICKVALUES", "configuration" : { "timerange" : { "type" : "relative", "range" : 604800 }, "field" : "SubjectUserName", "show_pie_chart" : false, "query" : "EventID:630 OR EventID:4726", "show_data_table" : true }, "col" : 1, "row" : 5, "cache_time" : 300 }, { "description" : "Account Deletions", "type" : "SEARCH_RESULT_COUNT", "configuration" : { "timerange" : { "type" : "relative", "range" : 604800 }, "lower_is_better" : false, "trend" : false, "query" : "EventID:630 OR EventID:4726" }, "col" : 3, "row" : 4, "cache_time" : 300 }, { "description" : "Account Deletions", "type" : "SEARCH_RESULT_CHART", "configuration" : { "timerange" : { "type" : "relative", "range" : 604800 }, "interval" : "hour", "query" : "EventID:630 OR EventID:4726" }, "col" : 1, "row" : 4, "cache_time" : 300 }, { "description" : "Created Accounts", "type" : "QUICKVALUES", "configuration" : { "timerange" : { "type" : "relative", "range" : 604800 }, "field" : "SamAccountName", "show_pie_chart" : false, "query" : "EventID:624 OR EventID:4720", "show_data_table" : true }, "col" : 3, "row" : 2, "cache_time" : 300 }, { "description" : "Accounts Created By Source", "type" : "QUICKVALUES", "configuration" : { "timerange" : { "type" : "relative", "range" : 604800 }, "field" : "source", "show_pie_chart" : false, "query" : "EventID:624 OR EventID:4720", "show_data_table" : true }, "col" : 2, "row" : 2, "cache_time" : 300 }, { "description" : "Accounts Created By User", "type" : "QUICKVALUES", "configuration" : { "timerange" : { "type" : "relative", "range" : 604800 }, "field" : "SubjectUserName", "show_pie_chart" : false, "query" : "EventID:624 OR EventID:4720", "show_data_table" : true }, "col" : 1, "row" : 2, "cache_time" : 300 }, { "description" : "Account Creations", "type" : "SEARCH_RESULT_COUNT", "configuration" : { "timerange" : { "type" : "relative", "range" : 604800 }, "lower_is_better" : false, "trend" : false, "query" : "EventID:624 OR EventID:4720" }, "col" : 3, "row" : 1, "cache_time" : 300 }, { "description" : "Account Creations", "type" : "SEARCH_RESULT_CHART", "configuration" : { "timerange" : { "type" : "relative", "range" : 604800 }, "interval" : "hour", "query" : "EventID:624 OR EventID:4720" }, "col" : 1, "row" : 1, "cache_time" : 300 } ] }, { "title" : "AD Logon Summary (2h)", "description" : "AD Logon Summary (2h)", "dashboard_widgets" : [ { "description" : "Failed Authentication Attempts", "type" : "SEARCH_RESULT_COUNT", "configuration" : { "timerange" : { "type" : "relative", "range" : 7200 }, "lower_is_better" : false, "trend" : false, "query" : "EventID:4625" }, "col" : 3, "row" : 1, "cache_time" : 60 }, { "description" : "Interactive Logins By User", "type" : "QUICKVALUES", "configuration" : { "timerange" : { "type" : "relative", "range" : 7200 }, "field" : "TargetUserName", "show_pie_chart" : false, "query" : "(EventID:4624 AND (LogonType:2 OR LogonType:10 OR LogonType:11))", "show_data_table" : true }, "col" : 1, "row" : 5, "cache_time" : 60 }, { "description" : "Interactive Logins By IP", "type" : "QUICKVALUES", "configuration" : { "timerange" : { "type" : "relative", "range" : 7200 }, "field" : "IpAddress", "show_pie_chart" : false, "query" : "(EventID:4624 AND (LogonType:2 OR LogonType:10 OR LogonType:11))", "show_data_table" : true }, "col" : 2, "row" : 5, "cache_time" : 60 }, { "description" : "Interactive Logins By Destination", "type" : "QUICKVALUES", "configuration" : { "timerange" : { "type" : "relative", "range" : 7200 }, "field" : "WorkstationName", "show_pie_chart" : false, "query" : "(EventID:4624 AND (LogonType:2 OR LogonType:10 OR LogonType:11))", "show_data_table" : true }, "col" : 3, "row" : 5, "cache_time" : 60 }, { "description" : "Failed Authentication Attempts By User", "type" : "QUICKVALUES", "configuration" : { "timerange" : { "type" : "relative", "range" : 7200 }, "field" : "TargetUserName", "show_pie_chart" : false, "query" : "EventID:4625", "show_data_table" : true }, "col" : 1, "row" : 2, "cache_time" : 60 }, { "description" : "Failed Authentication Attempts By User IP", "type" : "QUICKVALUES", "configuration" : { "timerange" : { "type" : "relative", "range" : 7200 }, "field" : "IpAddress", "show_pie_chart" : false, "query" : "EventID:4625", "show_data_table" : true }, "col" : 2, "row" : 2, "cache_time" : 60 }, { "description" : "Failed Authentication Attempts By Source", "type" : "QUICKVALUES", "configuration" : { "timerange" : { "type" : "relative", "range" : 7200 }, "field" : "source", "show_pie_chart" : false, "query" : "EventID:4625", "show_data_table" : true }, "col" : 3, "row" : 2, "cache_time" : 60 }, { "description" : "Failed Authentication Attempts", "type" : "SEARCH_RESULT_CHART", "configuration" : { "timerange" : { "type" : "relative", "range" : 7200 }, "interval" : "minute", "query" : "EventID:4625" }, "col" : 1, "row" : 1, "cache_time" : 60 }, { "description" : "Interactive Logons", "type" : "SEARCH_RESULT_CHART", "configuration" : { "timerange" : { "type" : "relative", "range" : 7200 }, "interval" : "minute", "query" : "(EventID:4624 AND (LogonType:2 OR LogonType:10 OR LogonType:11))" }, "col" : 1, "row" : 4, "cache_time" : 60 }, { "description" : "Interactive Logins", "type" : "SEARCH_RESULT_COUNT", "configuration" : { "timerange" : { "type" : "relative", "range" : 7200 }, "lower_is_better" : false, "trend" : false, "query" : "(EventID:4624 AND (LogonType:2 OR LogonType:10 OR LogonType:11))" }, "col" : 3, "row" : 4, "cache_time" : 60 } ] }, { "title" : "AD Group Object Summary (7d)", "description" : "AD Group Object Summary(7d)", "dashboard_widgets" : [ { "description" : "Group Creations ", "type" : "SEARCH_RESULT_COUNT", "configuration" : { "timerange" : { "type" : "relative", "range" : 604800 }, "lower_is_better" : false, "trend" : false, "query" : "EventID:631 OR EventID:635 OR EventID:658 OR EventID:4727 OR EventID:4731 OR EventID:4754" }, "col" : 3, "row" : 1, "cache_time" : 300 }, { "description" : "Group Creations", "type" : "SEARCH_RESULT_CHART", "configuration" : { "timerange" : { "type" : "relative", "range" : 604800 }, "interval" : "hour", "query" : "EventID:631 OR EventID:635 OR EventID:658 OR EventID:4727 OR EventID:4731 OR EventID:4754" }, "col" : 1, "row" : 1, "cache_time" : 300 }, { "description" : "Group Creations By User", "type" : "QUICKVALUES", "configuration" : { "timerange" : { "type" : "relative", "range" : 604800 }, "field" : "SubjectUserName", "show_pie_chart" : false, "query" : "EventID:631 OR EventID:635 OR EventID:658 OR EventID:4727 OR EventID:4731 OR EventID:4754", "show_data_table" : true }, "col" : 1, "row" : 2, "cache_time" : 300 }, { "description" : "Group Creations By Source", "type" : "QUICKVALUES", "configuration" : { "timerange" : { "type" : "relative", "range" : 604800 }, "field" : "source", "show_pie_chart" : false, "query" : "EventID:631 OR EventID:635 OR EventID:658 OR EventID:4727 OR EventID:4731 OR EventID:4754", "show_data_table" : true }, "col" : 2, "row" : 2, "cache_time" : 300 }, { "description" : "Created Groups", "type" : "QUICKVALUES", "configuration" : { "timerange" : { "type" : "relative", "range" : 604800 }, "field" : "TargetUserName", "show_pie_chart" : false, "query" : "EventID:631 OR EventID:635 OR EventID:658 OR EventID:4727 OR EventID:4731 OR EventID:4754", "show_data_table" : true }, "col" : 3, "row" : 2, "cache_time" : 300 }, { "description" : "Group Deletions", "type" : "SEARCH_RESULT_CHART", "configuration" : { "timerange" : { "type" : "relative", "range" : 604800 }, "interval" : "hour", "query" : "EventID:634 OR EventID:638 OR EventID:662 OR EventID:4730 OR EventID:4734 OR EventID:4758" }, "col" : 1, "row" : 4, "cache_time" : 300 }, { "description" : "Group Deletions", "type" : "SEARCH_RESULT_COUNT", "configuration" : { "timerange" : { "type" : "relative", "range" : 604800 }, "lower_is_better" : false, "trend" : false, "query" : "EventID:634 OR EventID:638 OR EventID:662 OR EventID:4730 OR EventID:4734 OR EventID:4758" }, "col" : 3, "row" : 4, "cache_time" : 300 }, { "description" : "Groups Modified", "type" : "SEARCH_RESULT_COUNT", "configuration" : { "timerange" : { "type" : "relative", "range" : 604800 }, "lower_is_better" : false, "trend" : false, "query" : "((EventID:4764 OR EventID:4735 OR EventID:4737 OR EventID:4755) AND NOT SamAccountName:\\-)" }, "col" : 3, "row" : 10, "cache_time" : 300 }, { "description" : "Groups Modified", "type" : "SEARCH_RESULT_CHART", "configuration" : { "timerange" : { "type" : "relative", "range" : 604800 }, "interval" : "hour", "query" : "((EventID:4764 OR EventID:4735 OR EventID:4737 OR EventID:4755) AND NOT SamAccountName:\\-)" }, "col" : 1, "row" : 10, "cache_time" : 10 }, { "description" : "Groups Modified", "type" : "QUICKVALUES", "configuration" : { "timerange" : { "type" : "relative", "range" : 604800 }, "field" : "TargetUserName", "show_pie_chart" : false, "query" : "((EventID:4764 OR EventID:4735 OR EventID:4737 OR EventID:4755) AND NOT SamAccountName:\\-)", "show_data_table" : true }, "col" : 3, "row" : 11, "cache_time" : 10 }, { "description" : "Groups Modified By Source", "type" : "QUICKVALUES", "configuration" : { "timerange" : { "type" : "relative", "range" : 604800 }, "field" : "source", "show_pie_chart" : false, "query" : "((EventID:4764 OR EventID:4735 OR EventID:4737 OR EventID:4755) AND NOT SamAccountName:\\-)", "show_data_table" : true }, "col" : 2, "row" : 11, "cache_time" : 10 }, { "description" : "Groups Modified By User", "type" : "QUICKVALUES", "configuration" : { "timerange" : { "type" : "relative", "range" : 604800 }, "field" : "SubjectUserName", "show_pie_chart" : false, "query" : "((EventID:4764 OR EventID:4735 OR EventID:4737 OR EventID:4755) AND NOT SamAccountName:\\-)", "show_data_table" : true }, "col" : 1, "row" : 11, "cache_time" : 10 }, { "description" : "Membership Changes", "type" : "QUICKVALUES", "configuration" : { "timerange" : { "type" : "relative", "range" : 604800 }, "field" : "TargetUserName", "show_pie_chart" : false, "query" : "EventID:4728 OR EventID:4729 OR EventID:4732 OR EventID:4733 OR EventID:4756 OR EventID:4757", "show_data_table" : true }, "col" : 3, "row" : 8, "cache_time" : 300 }, { "description" : "Membership Changes By Source", "type" : "QUICKVALUES", "configuration" : { "timerange" : { "type" : "relative", "range" : 604800 }, "field" : "source", "show_pie_chart" : false, "query" : "EventID:4728 OR EventID:4729 OR EventID:4732 OR EventID:4733 OR EventID:4756 OR EventID:4757", "show_data_table" : true }, "col" : 2, "row" : 8, "cache_time" : 300 }, { "description" : "Membership Changes By User", "type" : "QUICKVALUES", "configuration" : { "timerange" : { "type" : "relative", "range" : 604800 }, "field" : "SubjectUserName", "show_pie_chart" : false, "query" : "EventID:4728 OR EventID:4729 OR EventID:4732 OR EventID:4733 OR EventID:4756 OR EventID:4757", "show_data_table" : true }, "col" : 1, "row" : 8, "cache_time" : 300 }, { "description" : "Group Deletions By Source", "type" : "QUICKVALUES", "configuration" : { "timerange" : { "type" : "relative", "range" : 604800 }, "field" : "source", "show_pie_chart" : false, "query" : "EventID:634 OR EventID:638 OR EventID:662 OR EventID:4730 OR EventID:4734 OR EventID:4758", "show_data_table" : true }, "col" : 2, "row" : 5, "cache_time" : 300 }, { "description" : "Deleted Groups", "type" : "QUICKVALUES", "configuration" : { "timerange" : { "type" : "relative", "range" : 604800 }, "field" : "TargetUserName", "show_pie_chart" : false, "query" : "EventID:634 OR EventID:638 OR EventID:662 OR EventID:4730 OR EventID:4734 OR EventID:4758", "show_data_table" : true }, "col" : 3, "row" : 5, "cache_time" : 300 }, { "description" : "Membership Changes", "type" : "SEARCH_RESULT_CHART", "configuration" : { "timerange" : { "type" : "relative", "range" : 604800 }, "interval" : "hour", "query" : "EventID:4728 OR EventID:4729 OR EventID:4732 OR EventID:4733 OR EventID:4756 OR EventID:4757" }, "col" : 1, "row" : 7, "cache_time" : 300 }, { "description" : "Membership Changes", "type" : "SEARCH_RESULT_COUNT", "configuration" : { "timerange" : { "type" : "relative", "range" : 604800 }, "lower_is_better" : false, "trend" : false, "query" : "EventID:4728 OR EventID:4729 OR EventID:4732 OR EventID:4733 OR EventID:4756 OR EventID:4757" }, "col" : 3, "row" : 7, "cache_time" : 300 }, { "description" : "Group Deletions By User", "type" : "QUICKVALUES", "configuration" : { "timerange" : { "type" : "relative", "range" : 604800 }, "field" : "SubjectUserName", "show_pie_chart" : false, "query" : "EventID:634 OR EventID:638 OR EventID:662 OR EventID:4730 OR EventID:4734 OR EventID:4758", "show_data_table" : true }, "col" : 1, "row" : 5, "cache_time" : 300 } ] }, { "title" : "AD Computer Object Summary (7d)", "description" : "AD Computer Object Summary (7d)", "dashboard_widgets" : [ { "description" : "Computer Objects Created ", "type" : "SEARCH_RESULT_COUNT", "configuration" : { "timerange" : { "type" : "relative", "range" : 604800 }, "lower_is_better" : false, "trend" : false, "query" : "EventID:4741" }, "col" : 1, "row" : 1, "cache_time" : 300 }, { "description" : "Computer Objects Changed", "type" : "SEARCH_RESULT_COUNT", "configuration" : { "timerange" : { "type" : "relative", "range" : 604800 }, "lower_is_better" : false, "trend" : false, "query" : "EventID:4742" }, "col" : 1, "row" : 2, "cache_time" : 300 }, { "description" : "Computer Objects Deleted", "type" : "SEARCH_RESULT_COUNT", "configuration" : { "timerange" : { "type" : "relative", "range" : 604800 }, "lower_is_better" : false, "trend" : false, "query" : "EventID:4743" }, "col" : 1, "row" : 3, "cache_time" : 300 } ] } ], "grok_patterns" : [ ] }