Merge pull request #623 from CrossRealms/add-alert-for-Firewall-lost-…

…connection-to-Sophos Added alert for the firewall lost connection
CrossRealms · Sep 9, 2024 · 433875e · 433875e
2 parents 8b4dcc4 + 1967cb8
commit 433875e
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 0 deletions.
diff --git a/cyences_app_for_splunk/default/macros.conf b/cyences_app_for_splunk/default/macros.conf
@@ -1173,6 +1173,10 @@ iseval = 0
 definition = search *
 iseval = 0
 
+[cs_sophos_firewall_lost_connection_to_sophos]
+definition = search *
+iseval = 0
+
 [cs_sophos_core_restore_failed_filter]
 definition = search *
 iseval = 0

diff --git a/cyences_app_for_splunk/default/savedsearches.conf b/cyences_app_for_splunk/default/savedsearches.conf
@@ -471,6 +471,41 @@ action.cyences_notable_event_action.products = Sophos Endpoint Protection
 action.cyences_notable_event_action.teams = SOC
 
 
+[Sophos Endpoint Protection - Firewall Lost Connection to Sophos Central]
+disabled = 1
+enableSched = 1
+alert.track = 1
+alert.severity = 4
+alert.suppress = 0
+counttype = number of events
+quantity = 0
+relation = greater than
+cron_schedule = 54 * * * *
+description = This alert will trigger when a Firewall lost connection to Sophos Central. \
+\
+Data Collection - Sophos Central Add-on for Splunk (https://splunkbase.splunk.com/app/6186/)
+dispatch.earliest_time = -62m@m
+dispatch.latest_time = -2m@m
+display.general.type = statistics
+display.page.search.tab = statistics
+display.page.search.mode = fast
+request.ui_dispatch_app = cyences_app_for_splunk
+request.ui_dispatch_view = search
+search = `cs_sophos` sourcetype="sophos_events" type="Event::Firewall::LostConnectionToSophosCentral" \
+| stats count, latest(_time) as _time, values(name) as threat, values(source_info.ip) as src_ip by host, location | sort -count \
+| eval cyences_severity = "high" \
+| `cs_human_readable_time_format(_time, event_time)` \
+| `cs_sophos_firewall_lost_connection_to_sophos` 
+action.cyences_notable_event_action = 1
+action.cyences_notable_event_action.param.filter_macro_name = cs_sophos_firewall_lost_connection_to_sophos
+action.cyences_notable_event_action.contributing_events = `cs_sophos` sourcetype="sophos_events" type="Event::Firewall::LostConnectionToSophosCentral"
+action.cyences_notable_event_action.system_compromised_search = | stats sum(count) as count by location
+action.cyences_notable_event_action.system_compromised_drilldown = `cs_sophos` sourcetype="sophos_events" location=$row.location$
+action.cyences_send_email_action = 1
+action.cyences_notable_event_action.products = Sophos Endpoint Protection
+action.cyences_notable_event_action.teams = Compliance
+
+
 
 # ======================
 # Windows Defender