Basic Scanning minimum limit updated.

cyences_app_for_splunk/default/savedsearches.conf

@@ -1359,7 +1359,7 @@ counttype = number of events
 quantity = 0
 relation = greater than
 cron_schedule = 29 * * * *
-description = This alert scans for hosts that either reach out to 500 or more hosts or 100 ports in a short period of time.\
+description = This alert scans for hosts that either reach out to 1000 or more destination ip or 100 or more distincts ports in a short period (1 hour) of time.\
 \
 Data Collection - Palo Alto Networks firewalls, and with any other device that uses the Splunk common information model.
 dispatch.earliest_time = -62m@m
@@ -1369,10 +1369,10 @@ display.page.search.tab = statistics
 display.page.search.mode = fast
 request.ui_dispatch_app = cyences_app_for_splunk
 request.ui_dispatch_view = search
-search = index=* ( (tag=network tag=communicate) OR sourcetype=pan*traffic OR sourcetype=opsec OR sourcetype=cisco:asa) `cs_scanning_basic_scanning_raw_filter` \
-| stats dc(dest_port) as num_dest_port dc(dest_ip) as num_dest_ip by sourcetype, src_ip\
-| where num_dest_port > 100 OR num_dest_ip > 500\
-| eval cyences_severity = case(num_dest_ip>1000 and num_dest_port>1000, "critical", num_dest_ip>1000 or num_dest_port>1000, "high", true(), "medium") \
+search = index=* ( (tag=network tag=communicate) OR sourcetype=pan*traffic OR sourcetype=opsec OR sourcetype=cisco:asa) \
+| stats dc(dest_port) as num_dest_port dc(dest_ip) as num_dest_ip by sourcetype, src_ip \
+| where num_dest_port > 100 OR num_dest_ip > 1000 \
+| eval cyences_severity = case(num_dest_port>1000 or num_dest_ip>10000, "critical", num_dest_port>500 or num_dest_ip>3000, "high", true(), "medium") \
 | `cs_scanning_basic_scanning_filter`
 action.cyences_notable_event_action = 1
 action.cyences_notable_event_action.param.filter_macro_name = cs_scanning_basic_scanning_filter