diff --git a/cyences_app_for_splunk/default/savedsearches.conf b/cyences_app_for_splunk/default/savedsearches.conf
index d0ce60b3..9c29ec0d 100644
--- a/cyences_app_for_splunk/default/savedsearches.conf
+++ b/cyences_app_for_splunk/default/savedsearches.conf
@@ -1359,7 +1359,7 @@ counttype = number of events
 quantity = 0
 relation = greater than
 cron_schedule = 29 * * * *
-description = This alert scans for hosts that either reach out to 500 or more hosts or 100 ports in a short period of time.\
+description = This alert scans for hosts that either reach out to 1000 or more destination ip or 100 or more distincts ports in a short period (1 hour) of time.\
 \
 Data Collection - Palo Alto Networks firewalls, and with any other device that uses the Splunk common information model.
 dispatch.earliest_time = -62m@m
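Review bot: The new description says "1000 or more destination ip or 100 or more distincts ports", but the `search` key in this same stanza fires on `num_dest_port > 100 OR num_dest_ip > 1000` (strictly greater), so a host that touches exactly 1000 addresses or exactly 100 ports is not alerted; the text should match the query, or the query should use `>=`. The window is `dispatch.earliest_time = -62m@m`, not an exact hour, so "(1 hour)" is only approximate, and "distincts" is a typo. Suggested wording: `description = This alert scans for hosts that reach out to more than 1000 distinct destination IPs or more than 100 distinct destination ports within the search window (about 1 hour).\`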
@@ -1369,10 +1369,10 @@ display.page.search.tab = statistics
 display.page.search.mode = fast
 request.ui_dispatch_app = cyences_app_for_splunk
 request.ui_dispatch_view = search
-search = index=* ( (tag=network tag=communicate) OR sourcetype=pan*traffic OR sourcetype=opsec OR sourcetype=cisco:asa) `cs_scanning_basic_scanning_raw_filter` \
-| stats dc(dest_port) as num_dest_port dc(dest_ip) as num_dest_ip by sourcetype, src_ip\
-| where num_dest_port > 100 OR num_dest_ip > 500\
-| eval cyences_severity = case(num_dest_ip>1000 and num_dest_port>1000, "critical", num_dest_ip>1000 or num_dest_port>1000, "high", true(), "medium") \
+search = index=* ( (tag=network tag=communicate) OR sourcetype=pan*traffic OR sourcetype=opsec OR sourcetype=cisco:asa) \
+| stats dc(dest_port) as num_dest_port dc(dest_ip) as num_dest_ip by sourcetype, src_ip \
+| where num_dest_port > 100 OR num_dest_ip > 1000 \
+| eval cyences_severity = case(num_dest_port>1000 or num_dest_ip>10000, "critical", num_dest_port>500 or num_dest_ip>3000, "high", true(), "medium") \
 | `cs_scanning_basic_scanning_filter`
 action.cyences_notable_event_action = 1
 action.cyences_notable_event_action.param.filter_macro_name = cs_scanning_basic_scanning_filter
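Review bot: The new first `search` line drops the call to the `cs_scanning_basic_scanning_raw_filter` macro, so whatever event-level exclusions deployments have placed in it (presumably authorised vulnerability scanners or monitoring hosts, which is the usual use of a raw filter macro in this app) no longer apply before `stats`. The surviving `cs_scanning_basic_scanning_filter` runs after aggregation and only sees `sourcetype`, `src_ip`, `num_dest_port` and `num_dest_ip`, so an exclusion keyed on `dest_ip` or `dest_port` cannot simply be moved there, and an allow-listed scanner would now surface as a "critical" notable. If the removal is intentional, the macro definition and any documentation that tells users to populate it should be updated in the same change; otherwise restore the macro call between the closing parenthesis of the sourcetype list and the trailing `\` on that line. Separately, the `where` thresholds are strictly greater than 100 ports / 1000 IPs while the description in this stanza says "or more", so one of them should be aligned (for example `| where num_dest_port >= 100 OR num_dest_ip >= 1000 \`).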