nafai/view_fim.xml

## view_fim.xml
<ViewerConfig>
    <QueryConfig>
        <QueryParams>
            <UserQuery />
        </QueryParams>
        <QueryNode>
            <Name LanguageNeutralValue="File integrity monitoring">File integrity monitoring</Name>
            <QueryList>
                <Query Id="0" Path="Security">
                    <Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4656)]][EventData[Data[@Name='ObjectType']='File']][EventData[band(Data[@Name='AccessMask'],2)] or EventData[band(Data[@Name='AccessMask'],4)]]</Select>
                </Query>
            </QueryList>
        </QueryNode>
    </QueryConfig>
    <ResultsConfig>
        <Columns>
            <Column Name="Level" Type="System.String" Path="Event/System/Level">100</Column>
            <Column Name="Keywords" Type="System.String" Path="Event/System/Keywords" Visible="">109</Column>
            <Column Name="Date and Time" Type="System.DateTime" Path="Event/System/TimeCreated/@SystemTime" Visible="">142</Column>
            <Column Name="Source" Type="System.String" Path="Event/System/Provider/@Name">236</Column>
            <Column Name="Event ID" Type="System.UInt32" Path="Event/System/EventID">236</Column>
            <Column Name="Task Category" Type="System.String" Path="Event/System/Task">236</Column>
            <Column Name="User" Type="System.String" Path="Event/System/Security/@UserID">50</Column>
            <Column Name="Operational Code" Type="System.String" Path="Event/System/Opcode">110</Column>
            <Column Name="Log" Type="System.String" Path="Event/System/Channel">80</Column>
            <Column Name="Computer" Type="System.String" Path="Event/System/Computer">170</Column>
            <Column Name="Process ID" Type="System.UInt32" Path="Event/System/Execution/@ProcessID">70</Column>
            <Column Name="Thread ID" Type="System.UInt32" Path="Event/System/Execution/@ThreadID">70</Column>
            <Column Name="Processor ID" Type="System.UInt32" Path="Event/System/Execution/@ProcessorID">90</Column>
            <Column Name="Session ID" Type="System.UInt32" Path="Event/System/Execution/@SessionID">70</Column>
            <Column Name="Kernel Time" Type="System.UInt32" Path="Event/System/Execution/@KernelTime">80</Column>
            <Column Name="User Time" Type="System.UInt32" Path="Event/System/Execution/@UserTime">70</Column>
            <Column Name="Processor Time" Type="System.UInt32" Path="Event/System/Execution/@ProcessorTime">100</Column>
            <Column Name="Correlation Id" Type="System.Guid" Path="Event/System/Correlation/@ActivityID">85</Column>
            <Column Name="Relative Correlation Id" Type="System.Guid" Path="Event/System/Correlation/@RelatedActivityID">140</Column>
            <Column Name="Event Source Name" Type="System.String" Path="Event/System/Provider/@EventSourceName">140</Column>
            <Column Name="Username" Type="System.String" Path="Event/EventData/Data[@Name='SubjectUserName']" Visible="">140</Column>
            <Column Name="Process Name" Type="System.String" Path="Event/EventData/Data[@Name='ProcessName']" Visible="">306</Column>
            <Column Name="Object" Type="System.String" Path="Event/EventData/Data[@Name='ObjectName']" Visible="">453</Column>
        </Columns>
    </ResultsConfig>
</ViewerConfig>

## view_insecure_ldap_binds.xml
<ViewerConfig>
    <QueryConfig>
        <QueryParams>
            <UserQuery />
        </QueryParams>
        <QueryNode>
            <Name LanguageNeutralValue="LDAP insecure binds">Insecure LDAP binds</Name>
            <QueryList>
                <Query Id="0" Path="Directory Service">
                    <Select Path="Directory Service">Event[(System/EventID=2889)]</Select>
                </Query>
            </QueryList>
        </QueryNode>
    </QueryConfig>
    <ResultsConfig>
        <Columns>
            <Column Name="Level" Type="System.String" Path="Event/System/Level" Visible="">100</Column>
            <Column Name="Date and Time" Type="System.DateTime" Path="Event/System/TimeCreated/@SystemTime" Visible="">142</Column>
            <Column Name="ClientIP" Type="System.String" Path="Event/EventData/Data[1]" Visible="">200</Column>
            <Column Name="AuthenticatedUser" Type="System.String" Path="Event/EventData/Data[2]" Visible="">200</Column>
            <Column Name="BindType" Type="System.String" Path="Event/EventData/Data[3]" Visible="">200</Column>
        </Columns>
    </ResultsConfig>
</ViewerConfig>
	<ViewerConfig>
	<QueryConfig>
	<QueryParams>
	<UserQuery />
	</QueryParams>
	<QueryNode>
	<Name LanguageNeutralValue="File integrity monitoring">File integrity monitoring</Name>
	<QueryList>
	<Query Id="0" Path="Security">
	<Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4656)]][EventData[Data[@Name='ObjectType']='File']][EventData[band(Data[@Name='AccessMask'],2)] or EventData[band(Data[@Name='AccessMask'],4)]]</Select>
	</Query>
	</QueryList>
	</QueryNode>
	</QueryConfig>
	<ResultsConfig>
	<Columns>
	<Column Name="Level" Type="System.String" Path="Event/System/Level">100</Column>
	<Column Name="Keywords" Type="System.String" Path="Event/System/Keywords" Visible="">109</Column>
	<Column Name="Date and Time" Type="System.DateTime" Path="Event/System/TimeCreated/@SystemTime" Visible="">142</Column>
	<Column Name="Source" Type="System.String" Path="Event/System/Provider/@Name">236</Column>
	<Column Name="Event ID" Type="System.UInt32" Path="Event/System/EventID">236</Column>
	<Column Name="Task Category" Type="System.String" Path="Event/System/Task">236</Column>
	<Column Name="User" Type="System.String" Path="Event/System/Security/@UserID">50</Column>
	<Column Name="Operational Code" Type="System.String" Path="Event/System/Opcode">110</Column>
	<Column Name="Log" Type="System.String" Path="Event/System/Channel">80</Column>
	<Column Name="Computer" Type="System.String" Path="Event/System/Computer">170</Column>
	<Column Name="Process ID" Type="System.UInt32" Path="Event/System/Execution/@ProcessID">70</Column>
	<Column Name="Thread ID" Type="System.UInt32" Path="Event/System/Execution/@ThreadID">70</Column>
	<Column Name="Processor ID" Type="System.UInt32" Path="Event/System/Execution/@ProcessorID">90</Column>
	<Column Name="Session ID" Type="System.UInt32" Path="Event/System/Execution/@SessionID">70</Column>
	<Column Name="Kernel Time" Type="System.UInt32" Path="Event/System/Execution/@KernelTime">80</Column>
	<Column Name="User Time" Type="System.UInt32" Path="Event/System/Execution/@UserTime">70</Column>
	<Column Name="Processor Time" Type="System.UInt32" Path="Event/System/Execution/@ProcessorTime">100</Column>
	<Column Name="Correlation Id" Type="System.Guid" Path="Event/System/Correlation/@ActivityID">85</Column>
	<Column Name="Relative Correlation Id" Type="System.Guid" Path="Event/System/Correlation/@RelatedActivityID">140</Column>
	<Column Name="Event Source Name" Type="System.String" Path="Event/System/Provider/@EventSourceName">140</Column>
	<Column Name="Username" Type="System.String" Path="Event/EventData/Data[@Name='SubjectUserName']" Visible="">140</Column>
	<Column Name="Process Name" Type="System.String" Path="Event/EventData/Data[@Name='ProcessName']" Visible="">306</Column>
	<Column Name="Object" Type="System.String" Path="Event/EventData/Data[@Name='ObjectName']" Visible="">453</Column>
	</Columns>
	</ResultsConfig>
	</ViewerConfig>