@saltybeagle
Created July 13, 2016 13:02
UNL's Splunk IdM User Insight dashboard
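<form>
  <!--
    IdM User Insight: a per-user view across the campus identity stack
    (CAS, Shibboleth, ADFS, LDAP, AD, VPN).

    The only user-controlled input is the $username$ token from the text
    box below, and every panel splices it straight into SPL. Wherever the
    token stands on its own as a search term or field value it is written
    as $username|s$: the |s token filter wraps the value in double quotes
    and escapes embedded quotes and backslashes, so text such as "a OR b",
    "*" or "| ..." typed into the box is searched literally instead of
    rewriting the query. This is about keeping each panel's semantics
    intact rather than privilege (a dashboard user can already run ad hoc
    searches under their own role). The two LDAP panels embed the token
    inside an already quoted BIND DN literal, where the |s filter cannot be
    applied, so those two occurrences are deliberately left bare.

    NOTE(review): the |s filter is assumed to be honoured inside the legacy
    <searchTemplate> elements as it is in <search><query>; confirm on the
    target Splunk version before relying on it.

    Panels that carry no earliestTime/latestTime are expected to follow
    the dashboard-wide time picker; the chart and map panels reference it
    explicitly via $earliest$ / $latest$.
  -->
  <label>IdM User Insight</label>
  <description>look into the details for an individual user</description>
  <!-- autoRun is false, so panels should not fire on page load but wait
       for the form to be submitted with a username. -->
  <fieldset autoRun="false">
    <input type="text" token="username">
      <label>My.UNL Username</label>
      <default>bbieber2</default>
    </input>
    <!-- No token attribute: this picker sets the dashboard-wide time
         range, exposed to panels as $earliest$ and $latest$. -->
    <input type="time">
      <default>Last 7 days</default>
    </input>
  </fieldset>

  <row>
    <panel>
      <table>
        <title>CAS Services Accessed</title>
        <!-- One row per CAS service ticket issued to the user. The rex
             splits the #012-joined audit record into uid / ticket /
             service / clientip; the follow-up "search uid=" drops records
             where the username only matched elsewhere in the line. -->
        <searchTemplate>(host="its-idm-sso4.unl.edu" OR host="its-idm-sso3.unl.edu") AND "Audit trail record" SERVICE_TICKET_CREATED $username|s$ | rex field=_raw "WHO: (?&lt;uid&gt;.*)#012WHAT: (?&lt;ticket&gt;[^\s]+) for (?&lt;service&gt;[^\?]+)(\?.*)?#012ACTION: SERVICE_TICKET_CREATED#012APPLICATION: CAS#012.*CLIENT IP ADDRESS: (?&lt;clientip&gt;[^#]+)#012" | search uid=$username|s$ | lookup dnslookup clientip AS clientip | table uid, service, clientip, clienthost, _time, host</searchTemplate>
      </table>
    </panel>
    <panel>
      <table>
        <title>Shibboleth Services Accessed</title>
        <!-- Shibboleth audit log: service and uid are pulled out of the
             pipe-delimited record around the saml2:sso profile marker. -->
        <searchTemplate>host="idm-l1" Shibboleth-Audit "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified" $username|s$ | rex field=_raw ".*\|(?&lt;service&gt;[^|]+)\|urn:mace:shibboleth:2\.0:profiles:saml2:sso.*\|(?&lt;uid&gt;[^|]+)\|urn:oasis:names:tc:SAML:2\.0:ac:classes:unspecified.*" | table uid,service,_time</searchTemplate>
      </table>
    </panel>
  </row>

  <row>
    <panel>
      <table>
        <title>ADFS Logins</title>
        <!-- ADFS audit event 501. uid is extracted from either the UPN form
             (user@unl.edu) or the down-level UNL-AD\user form; clientip is
             the first dotted quad found in the Message field. -->
        <searchTemplate>SourceName="AD FS Auditing" AND EventCode=501 AND User=adfsfarm AND "Caller Identity" AND $username|s$ | rex field=Message "(?&lt;uid&gt;.*)\@unl\.edu" | rex field=Message "UNL-AD\\\(?&lt;uid&gt;.*)" | rex field=Message "(?&lt;clientip&gt;[\d]+\.[\d]+\.[\d]+\.[\d]+)" | lookup dnslookup clientip | table uid,clientip,clienthost,host,_time | sort -_time</searchTemplate>
      </table>
    </panel>
    <panel>
      <table>
        <title>LDAP User Logins</title>
        <!-- The subsearch finds every host/conn that issued a BIND for the
             user's DN, then transaction stitches each connection's events
             back together so the source IP and bind result (err) land on
             one row. $username$ is inside a quoted DN literal here, so the
             |s filter cannot be used. The source_ip regex escapes all three
             dots; the first one was previously an unescaped "." and matched
             any character. -->
        <searchTemplate>host=its-idm-ldap* AND ([ search host=its-idm-ldap* AND "BIND dn=\"uid=$username$,ou=people,dc=unl,dc=edu\"" | top limit=0 host,conn | fields host,conn | format ]) | transaction host,conn | rex field=_raw "(?&lt;source_ip&gt;\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?!\d))" | lookup dnslookup clientip AS source_ip | table uid, source_ip, clienthost, err, _time</searchTemplate>
      </table>
    </panel>
  </row>

  <row>
    <panel>
      <chart>
        <title>LDAP Logon Activity</title>
        <!-- Same BIND/transaction pattern as "LDAP User Logins", bucketed
             over time: err 0 is charted as Success, err 49 as Failure.
             $username$ is inside a quoted DN literal, so |s is not used. -->
        <searchString>host=its-idm-ldap* AND ([ search host=its-idm-ldap* AND "BIND dn=\"uid=$username$,ou=people,dc=unl,dc=edu\"" | top limit=0 host,conn | fields host,conn | format ]) | transaction host,conn | eval Result = case(err="0", "Success", err="49", "Failure") | timechart count by Result</searchString>
        <earliestTime>$earliest$</earliestTime>
        <latestTime>$latest$</latestTime>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
      </chart>
    </panel>
  </row>

  <row>
    <panel>
      <chart>
        <title>AD Logon Activity</title>
        <!-- Windows Security log: 4771 and failed 4776 are charted as
             Failure, 4624 as Success. -->
        <searchString>sourcetype="WinEventLog:Security" (Account_Name=$username|s$ OR Logon_Account=$username|s$) AND (EventCode="4771" OR (EventCode="4776" AND Failure) OR EventCode="4624") | eval Result = case(EventCode = "4771","Failure", EventCode = "4776","Failure", EventCode = "4624","Success") | timechart count by Result</searchString>
        <earliestTime>$earliest$</earliestTime>
        <latestTime>$latest$</latestTime>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
      </chart>
    </panel>
  </row>

  <row>
    <panel>
      <table>
        <title>Password Changes</title>
        <!-- userPassword modifications on the LDAP masters, stitched per
             host/conn/op so the uid and result (err) share a row. -->
        <searchTemplate>host=its-idm-master* AND ([ search host=its-idm-master* AND "MOD attr=userPassword" | top limit=0 host,conn,op | fields host conn op | format ]) | transaction host,conn,op | search uid=$username|s$ | table uid, err, _time</searchTemplate>
      </table>
    </panel>
    <panel>
      <table>
        <title>AD Account Lockouts</title>
        <!-- Account_Name is multivalued on lockout events; index 1 is taken
             as the locked-out user. The charting.* options that were
             carried over from a chart visualization are dropped, as they
             have no effect on a table. -->
        <searchString>"A user account was locked out" Account_Name=$username|s$ | eval uid = mvindex(Account_Name,1) | table uid, Caller_Computer_Name, _time</searchString>
        <earliestTime>$earliest$</earliestTime>
        <latestTime>$latest$</latestTime>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
      </table>
    </panel>
  </row>

  <row>
    <panel>
      <table>
        <title>AD User Logins</title>
        <!-- Successful interactive/network logons (4624) for the UNL-AD
             domain, with the source address resolved via dnslookup. -->
        <searchTemplate>sourcetype="WinEventLog:Security" Account_Name=$username|s$ AND Account_Domain=UNL-AD AND EventCode=4624 | lookup dnslookup clientip AS Source_Network_Address | table Account_Name, Source_Network_Address, clienthost, _time | sort -_time</searchTemplate>
      </table>
    </panel>
    <panel>
      <table>
        <title>AD AuthN Failures</title>
        <!-- 4771 and failed 4776 events. $$ is the Simple XML escape for a
             literal dollar sign, so "!= *$$" excludes names ending in "$"
             (presumably machine accounts). The "::ffff:" prefix is stripped
             with replace() rather than ltrim(): ltrim treats its second
             argument as a set of characters, so it would also eat a leading
             "f" from a plain IPv6 address, whereas the anchored regex only
             removes the IPv4-mapped prefix. -->
        <searchTemplate>sourcetype="WinEventLog:Security" AND ((EventCode="4771" AND Account_Name !=*$$ AND Account_Name != - ) OR (EventCode="4776" AND Failure AND Logon_Account != *$$)) AND $username|s$ | eval uid=coalesce(Logon_Account,Account_Name) | eval client = coalesce(Client_Address,Source_Workstation) | eval clientip = replace(client,"^::ffff:","") | lookup dnslookup clientip | table uid, clientip, clienthost, ComputerName, _time</searchTemplate>
      </table>
    </panel>
  </row>

  <row>
    <panel>
      <table>
        <title>VPN Logins</title>
        <!-- AnyConnect session starts from the firewall index; the rex
             reads profile, uid and client IP from the angle-bracketed
             fields of the syslog line. -->
        <searchTemplate>index="unl-is-firewall" host="vpn.unl.edu" "AnyConnect parent session started." $username|s$ | rex field=_raw "Group \&lt;(?&lt;profile&gt;[^\s]+)\&gt; User \&lt;(?&lt;uid&gt;[^\s]+)\&gt; IP \&lt;(?&lt;clientip&gt;[^\s]+)\&gt; AnyConnect parent session started." | lookup dnslookup clientip AS clientip | table uid, profile, clientip, clienthost, _time</searchTemplate>
      </table>
    </panel>
  </row>

  <row>
    <panel>
      <map>
        <title>ADFS Login Map</title>
        <!-- Same ADFS extraction as "ADFS Logins", de-duplicated and
             geolocated with iplocation for the cluster map. -->
        <searchString>SourceName="AD FS Auditing" AND EventCode=501 AND User=adfsfarm AND "Caller Identity" AND $username|s$ | rex field=Message "(?&lt;uid&gt;.*)\@unl\.edu" | rex field=Message "UNL-AD\\\(?&lt;uid&gt;.*)" | rex field=Message "(?&lt;clientip&gt;[\d]+\.[\d]+\.[\d]+\.[\d]+)" | dedup uid,clientip,host,_time | lookup dnslookup clientip | iplocation clientip | geostats count</searchString>
        <earliestTime>$earliest$</earliestTime>
        <latestTime>$latest$</latestTime>
        <option name="mapping.data.maxClusters">100</option>
        <option name="mapping.drilldown">all</option>
        <option name="mapping.map.center">(0,0)</option>
        <option name="mapping.map.zoom">2</option>
        <option name="mapping.markerLayer.markerMaxSize">50</option>
        <option name="mapping.markerLayer.markerMinSize">10</option>
        <option name="mapping.markerLayer.markerOpacity">0.8</option>
        <option name="mapping.tileLayer.maxZoom">7</option>
        <option name="mapping.tileLayer.minZoom">0</option>
      </map>
    </panel>
  </row>
</form>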