Merge pull request #348 from CrossRealms/no-critical-event-scanning

No Critical event for scanning
CrossRealms · Jul 20, 2023 · 0bd9efe · 0bd9efe
2 parents e9e3b0c + c8e4e91
commit 0bd9efe
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/cyences_app_for_splunk/default/savedsearches.conf b/cyences_app_for_splunk/default/savedsearches.conf
@@ -1372,7 +1372,7 @@ request.ui_dispatch_view = search
 search = index=* ( (tag=network tag=communicate) OR sourcetype=pan*traffic OR sourcetype=opsec OR sourcetype=cisco:asa) `cs_scanning_basic_scanning_raw_filter` \
 | stats dc(dest_port) as num_dest_port, dc(dest_ip) as num_dest_ip, values(dvc) as dvc  by sourcetype, src_ip \
 | where num_dest_port > 100 OR num_dest_ip > 1500 \
-| eval cyences_severity = case(num_dest_port>10000 or num_dest_ip>100000, "critical", num_dest_port>5000 or num_dest_ip>30000, "high", true(), "medium") \
+| eval cyences_severity = case(num_dest_port>5000 or num_dest_ip>30000, "high", true(), "medium") \
 | `cs_scanning_basic_scanning_filter`
 action.cyences_notable_event_action = 1
 action.cyences_notable_event_action.param.filter_macro_name = cs_scanning_basic_scanning_filter