Merge pull request #645 from CrossRealms/filter-login-failure-users-f…

…rom-user-inventory Filtered the failed action events
CrossRealms · Oct 3, 2024 · 3113176 · 3113176
2 parents b25d976 + 6bc165a
commit 3113176
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/cyences_app_for_splunk/default/savedsearches.conf b/cyences_app_for_splunk/default/savedsearches.conf
@@ -6526,7 +6526,7 @@ display.page.search.tab = statistics
 display.page.search.mode = fast
 request.ui_dispatch_app = cyences_app_for_splunk
 request.ui_dispatch_view = search
-search = index=* sourcetype!="WinRegistry" NOT (sourcetype="WinEventLog" user_type="computer") NOT (sourcetype="meraki:accesspoints" (NOT eventData.identity="*")) (user=* OR User=* OR UserName=* OR Username=* OR userName=* OR username=* OR user_name=* OR src_user=*) \
+search = index=* NOT sourcetype IN ("meraki", "fortigate_utm", "WindowsUpdateLog", "WinRegistry", "Script:ListeningPorts", "Script:InstalledApps", "sophos:xg:idp", "sophos:xg:firewall", "cisco:ios", "MSAD:NT6:DNS", "Perfmon:*") NOT (sourcetype="WinEventLog" user_type="computer") NOT (sourcetype="meraki:accesspoints" (NOT eventData.identity="*")) NOT (action=fail*) (user=* OR User=* OR UserName=* OR Username=* OR userName=* OR username=* OR user_name=* OR src_user=*) \
 | `cs_user_inventory_data_filter` \
 | eval user=mvdedup(mvappend(coalesce(src_user, user, user_name, username,Username, User, UserName, userName), if(mail="null" or mail="",null(),mail))), user_type=coalesce(user_type, user_role, user_category, "n/a") \
 | search NOT user IN ("$*", "-", "' or '1=1", ".{jndi", "") \