From 79a0211aec68a14da2af0921c92150c05a5737f5 Mon Sep 17 00:00:00 2001
From: Hardik Dholariya <57986609+hardikhdholariya@users.noreply.github.com>
Date: Thu, 26 Sep 2024 17:55:09 +0530
Subject: [PATCH 1/2] Filtered the failed action events

---
 cyences_app_for_splunk/default/savedsearches.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/cyences_app_for_splunk/default/savedsearches.conf b/cyences_app_for_splunk/default/savedsearches.conf
index bb20b629..320f6bf2 100644
--- a/cyences_app_for_splunk/default/savedsearches.conf
+++ b/cyences_app_for_splunk/default/savedsearches.conf
@@ -6526,7 +6526,7 @@ display.page.search.tab = statistics
 display.page.search.mode = fast
 request.ui_dispatch_app = cyences_app_for_splunk
 request.ui_dispatch_view = search
-search = index=* sourcetype!="WinRegistry" NOT (sourcetype="WinEventLog" user_type="computer") NOT (sourcetype="meraki:accesspoints" (NOT eventData.identity="*")) (user=* OR User=* OR UserName=* OR Username=* OR userName=* OR username=* OR user_name=* OR src_user=*) \
+search = index=* sourcetype!="WinRegistry" NOT (sourcetype="WinEventLog" user_type="computer") NOT (sourcetype="meraki:accesspoints" (NOT eventData.identity="*")) NOT (action=fail*) (user=* OR User=* OR UserName=* OR Username=* OR userName=* OR username=* OR user_name=* OR src_user=*) \
 | `cs_user_inventory_data_filter` \
 | eval user=mvdedup(mvappend(coalesce(src_user, user, user_name, username,Username, User, UserName, userName), if(mail="null" or mail="",null(),mail))), user_type=coalesce(user_type, user_role, user_category, "n/a") \
 | search NOT user IN ("$*", "-", "' or '1=1", ".{jndi", "") \
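Review bot: The new `NOT (action=fail*)` clause on the `search =` line records nothing about why failed actions are dropped from the user inventory, and a reader tightening the filter later has no way to know the intent; a `#` comment line above the key (or a sentence in the stanza's `description`, which is outside the hunk) such as `# Exclude action=fail* so that usernames seen only in unsuccessful attempts (guessed or mistyped accounts) do not enter the user inventory.` would carry it. That comment should also state that the `NOT (...)` form is deliberate: unlike `action!=fail*`, it keeps events that have no `action` field at all, so switching to `!=` would silently drop every source that does not populate `action`. The wildcard `fail*` covers values such as `failure`/`failed` but not other non-success outcomes (e.g. `error`); if the intent is to exclude every unsuccessful event, confirm the `action` values the feeding add-ons emit. The stanza header and its remaining keys are outside the hunk.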
@@ -6623,4 +6623,4 @@ action.cyences_notable_event_action.system_compromised_drilldown = `cs_f5_bigip
 action.cyences_notable_event_action.attacker_search = | stats count by ip_client
 action.cyences_notable_event_action.attacker_drilldown = `cs_f5_bigip_asm` ip_client="*" dest_ip="*" severity IN ("critical","high","medium") enforcement_action!=block attack_type!="JSON Parser Attack" ip_client=$row.ip_client$
 action.cyences_send_email_action = 1
-action.cyences_notable_event_action.products = F5 BIGIP
\ No newline at end of file
+action.cyences_notable_event_action.products = F5 BIGIP

From 6bc165a875fd3e6e370d1751fe4a1ee8a8bab6f9 Mon Sep 17 00:00:00 2001
From: Hardik Dholariya <57986609+hardikhdholariya@users.noreply.github.com>
Date: Mon, 30 Sep 2024 16:02:06 +0530
Subject: [PATCH 2/2] excluded unnecessary source type

---
 cyences_app_for_splunk/default/savedsearches.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cyences_app_for_splunk/default/savedsearches.conf b/cyences_app_for_splunk/default/savedsearches.conf
index 320f6bf2..4f8b6724 100644
--- a/cyences_app_for_splunk/default/savedsearches.conf
+++ b/cyences_app_for_splunk/default/savedsearches.conf
@@ -6526,7 +6526,7 @@ display.page.search.tab = statistics
 display.page.search.mode = fast
 request.ui_dispatch_app = cyences_app_for_splunk
 request.ui_dispatch_view = search
-search = index=* sourcetype!="WinRegistry" NOT (sourcetype="WinEventLog" user_type="computer") NOT (sourcetype="meraki:accesspoints" (NOT eventData.identity="*")) NOT (action=fail*) (user=* OR User=* OR UserName=* OR Username=* OR userName=* OR username=* OR user_name=* OR src_user=*) \
+search = index=* NOT sourcetype IN ("meraki", "fortigate_utm", "WindowsUpdateLog", "WinRegistry", "Script:ListeningPorts", "Script:InstalledApps", "sophos:xg:idp", "sophos:xg:firewall", "cisco:ios", "MSAD:NT6:DNS", "Perfmon:*") NOT (sourcetype="WinEventLog" user_type="computer") NOT (sourcetype="meraki:accesspoints" (NOT eventData.identity="*")) NOT (action=fail*) (user=* OR User=* OR UserName=* OR Username=* OR userName=* OR username=* OR user_name=* OR src_user=*) \
 | `cs_user_inventory_data_filter` \
 | eval user=mvdedup(mvappend(coalesce(src_user, user, user_name, username,Username, User, UserName, userName), if(mail="null" or mail="",null(),mail))), user_type=coalesce(user_type, user_role, user_category, "n/a") \
 | search NOT user IN ("$*", "-", "' or '1=1", ".{jndi", "") \
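Review bot: The sourcetype deny-list added to the `search =` line is hard-coded in a default-layer savedsearches.conf stanza, so an admin who needs to add or drop a sourcetype must override the whole search in local/ and then re-merge it on every app upgrade; the search already delegates filtering to a macro (`cs_user_inventory_data_filter` on the next line), so the list belongs in macros.conf where local/ overrides are the supported extension point. That existing macro runs after the base search and so cannot replace the clause as-is; a new base-search macro (named here for illustration only, e.g. `cs_user_inventory_sourcetype_filter`) referenced right after `index=*` would keep the exclusion at index-scan time while making it overridable. Note also that `"meraki"` in the `IN (...)` list is an exact value and does not cover `meraki:accesspoints`, so the separate `NOT (sourcetype="meraki:accesspoints" ...)` clause is still doing work — a `#` comment line above the key, such as `# "meraki" is exact; meraki:accesspoints is handled by its own identity-based clause below`, would stop someone removing it as redundant. The stanza header and `description` key are outside the hunk.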