From 3909b10ccf999e092d3364c23ccf5b22b47b31c7 Mon Sep 17 00:00:00 2001
From: Hardik Dholariya
Date: Tue, 27 Aug 2024 21:28:14 +0530
Subject: [PATCH 1/2] removed macro dependency from other apps

---
 .../data/models/Cyences_Authentication.json | 2 +-
 .../data/ui/views/cs_asset_intelligence.xml | 8 +-
 .../ui/views/cs_authentication_reports.xml | 8 +-
 .../data/ui/views/cs_network_reports.xml | 32 ++---
 .../ui/views/cs_radius_authentication.xml | 4 +-
 cyences_app_for_splunk/default/macros.conf | 14 +-
 .../default/savedsearches.conf | 122 +++++++++---------
 7 files changed, 99 insertions(+), 91 deletions(-)

diff --git a/cyences_app_for_splunk/default/data/models/Cyences_Authentication.json b/cyences_app_for_splunk/default/data/models/Cyences_Authentication.json
index 3c554a5f..284c7c0a 100644
--- a/cyences_app_for_splunk/default/data/models/Cyences_Authentication.json
+++ b/cyences_app_for_splunk/default/data/models/Cyences_Authentication.json
@@ -742,7 +742,7 @@
 ],
 "constraints": [
 {
- "search": "(`cim_Authentication_indexes`) tag=authentication NOT (action=success user=*$)",
+ "search": "(`cs_cim_authentication_indexes`) tag=authentication NOT (action=success user=*$)",
 "owner": "Authentication"
 }
 ],
diff --git a/cyences_app_for_splunk/default/data/ui/views/cs_asset_intelligence.xml b/cyences_app_for_splunk/default/data/ui/views/cs_asset_intelligence.xml
index b21129fd..502bb660 100644
--- a/cyences_app_for_splunk/default/data/ui/views/cs_asset_intelligence.xml
+++ b/cyences_app_for_splunk/default/data/ui/views/cs_asset_intelligence.xml
@@ -288,8 +288,8 @@ - | tstats `cs_summariesonly_network_traffic` count as inbound from datamodel=Network_Traffic where All_Traffic.dest_ip IN $tkn_filter_ip_only$ by All_Traffic.src_ip | `drop_dm_object_name(All_Traffic)` | iplocation src_ip -| append [| tstats `cs_summariesonly_network_traffic` count as outbound from datamodel=Network_Traffic where All_Traffic.src_ip IN $tkn_filter_ip_only$ by All_Traffic.dest_ip | `drop_dm_object_name(All_Traffic)` | iplocation dest_ip] + | tstats `cs_summariesonly_network_traffic` count as inbound from datamodel=Network_Traffic where All_Traffic.dest_ip IN $tkn_filter_ip_only$ by All_Traffic.src_ip | `cs_drop_dm_object_name(All_Traffic)` | iplocation src_ip +| append [| tstats `cs_summariesonly_network_traffic` count as outbound from datamodel=Network_Traffic where All_Traffic.src_ip IN $tkn_filter_ip_only$ by All_Traffic.dest_ip | `cs_drop_dm_object_name(All_Traffic)` | iplocation dest_ip] | eval ip=coalesce(src_ip, dest_ip) | `cs_network_generate_location_for_internal_network(ip)` | lookup `cs_palo_search_blocked_ip_lookup_name` ip as src_ip OUTPUT blocked 
@@ -347,7 +347,7 @@ - | tstats `cs_summariesonly_authentication` count from datamodel=Cyences_Authentication where `cs_radius_authentication_indexes` $tkn_filter_authentication$ Authentication.action IN ("success","failure") Authentication.app="*" by Authentication.app Authentication.action Authentication.user, Authentication.src | `drop_dm_object_name(Authentication)` | iplocation src | fields - lat lon + | tstats `cs_summariesonly_authentication` count from datamodel=Cyences_Authentication where `cs_radius_authentication_indexes` $tkn_filter_authentication$ Authentication.action IN ("success","failure") Authentication.app="*" by Authentication.app Authentication.action Authentication.user, Authentication.src | `cs_drop_dm_object_name(Authentication)` | iplocation src | fields - lat lon $tkn_timeRange_radius_authentication.earliest$ $tkn_timeRange_radius_authentication.latest$ @@ -371,7 +371,7 @@
| tstats `cs_summariesonly_authentication` count from datamodel=Cyences_Authentication where `cs_o365_login_filter_source` `cs_authentication_indexes` $tkn_filter_authentication$ Authentication.app!=OktaIM2:log Authentication.action IN ("success","failure") Authentication.app="*" `cs_authentication_app_filter` by Authentication.app Authentication.action Authentication.user, Authentication.src - | `drop_dm_object_name(Authentication)` | iplocation src | fields - lat lon + | `cs_drop_dm_object_name(Authentication)` | iplocation src | fields - lat lon $tkn_timeRange_authentication.earliest$ $tkn_timeRange_authentication.latest$ diff --git a/cyences_app_for_splunk/default/data/ui/views/cs_authentication_reports.xml b/cyences_app_for_splunk/default/data/ui/views/cs_authentication_reports.xml index babae42d..f64b2445 100644 --- a/cyences_app_for_splunk/default/data/ui/views/cs_authentication_reports.xml +++ b/cyences_app_for_splunk/default/data/ui/views/cs_authentication_reports.xml @@ -96,7 +96,7 @@ Application Authentication Success Rate
- | tstats `cs_summariesonly_authentication` prestats=t count from datamodel=Cyences_Authentication where `cs_o365_login_filter_source` `cs_authentication_indexes` Authentication.app!=OktaIM2:log Authentication.action IN ("success","failure") Authentication.app=$tkn_app|s$ `cs_authentication_app_filter` by Authentication.app Authentication.action | `drop_dm_object_name(Authentication)` + | tstats `cs_summariesonly_authentication` prestats=t count from datamodel=Cyences_Authentication where `cs_o365_login_filter_source` `cs_authentication_indexes` Authentication.app!=OktaIM2:log Authentication.action IN ("success","failure") Authentication.app=$tkn_app|s$ `cs_authentication_app_filter` by Authentication.app Authentication.action | `cs_drop_dm_object_name(Authentication)` | chart count by app action | addtotals | eval "Success%" = round(success / Total * 100,2) @@ -122,7 +122,7 @@ /app/cyences_app_for_splunk/cs_o365_reports - search?q=%7C%20datamodel%20Authentication%20search%20strict_fields%3Dfalse%20%7C%20search%20Authentication.action%20IN%20(%22success%22%2C%20%22failure%22)%20Authentication.app%3D$click.value|s$%20%7C%20%60drop_dm_object_name(Authentication)%60&earliest=$timeRange.earliest$&latest=$timeRange.latest$ + search?q=%7C%20datamodel%20Authentication%20search%20strict_fields%3Dfalse%20%7C%20search%20Authentication.action%20IN%20(%22success%22%2C%20%22failure%22)%20Authentication.app%3D$click.value|s$%20%7C%20%60cs_drop_dm_object_name(Authentication)%60&earliest=$timeRange.earliest$&latest=$timeRange.latest$
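Review bot: The rewritten drilldown on the `+` line of hunk @@ -122 still runs `| datamodel Authentication search strict_fields=false`, while the panel search it belongs to (hunk @@ -96, just above) reads `datamodel=Cyences_Authentication`; unless this app ships its own data model literally named `Authentication`, that is the CIM add-on's model, so the drilldown keeps the cross-app dependency this commit is removing and can show a different event set from the panel. The same encoded `datamodel%20Authentication` appears in the drilldown of hunk @@ -163 of this file. I would point both drilldowns at the app's model (probably `datamodel Cyences_Authentication Authentication search`, since the panel fields are `Authentication.*`), or, if the CIM model is intended, add a comment in the view stating that the drilldown deliberately targets a different model than the panel. The enclosing panel element starts and ends outside the hunk.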
@@ -144,7 +144,7 @@ | tstats `cs_summariesonly_authentication` count as count, latest(_time) as last_login from datamodel=Cyences_Authentication where `cs_o365_login_filter_source` `cs_authentication_indexes` Authentication.action IN ("success","failure") Authentication.app=$tkn_app|s$ Authentication.user=$tkn_user|s$ `cs_authentication_app_filter` by Authentication.user, Authentication.app, Authentication.action -| `drop_dm_object_name(Authentication)` +| `cs_drop_dm_object_name(Authentication)` | eval over_field=user."|".app | chart sum(count) as count, max(last_login) as last_login over over_field by action | rex field=over_field "(?<user>[^\|]*)\|(?<app>.*)" | fields - over_field @@ -163,7 +163,7 @@ /app/cyences_app_for_splunk/cs_o365_reports?form.tkn_user=$row.user$&form.tkn__user=$row.user$ - search?q=%7C%20datamodel%20Authentication%20search%20strict_fields%3Dfalse%20%7C%20search%20Authentication.action%20IN%20(%22success%22%2C%20%22failure%22)%20Authentication.app%3D$row.app|s$%20Authentication.user%3D$row.user|s$%20%7C%20%60drop_dm_object_name(Authentication)%60&earliest=$timeRange.earliest$&latest=$timeRange.latest$ + search?q=%7C%20datamodel%20Authentication%20search%20strict_fields%3Dfalse%20%7C%20search%20Authentication.action%20IN%20(%22success%22%2C%20%22failure%22)%20Authentication.app%3D$row.app|s$%20Authentication.user%3D$row.user|s$%20%7C%20%60cs_drop_dm_object_name(Authentication)%60&earliest=$timeRange.earliest$&latest=$timeRange.latest$
diff --git a/cyences_app_for_splunk/default/data/ui/views/cs_network_reports.xml b/cyences_app_for_splunk/default/data/ui/views/cs_network_reports.xml index 66978b62..9af178c9 100644 --- a/cyences_app_for_splunk/default/data/ui/views/cs_network_reports.xml +++ b/cyences_app_for_splunk/default/data/ui/views/cs_network_reports.xml @@ -16,7 +16,7 @@ action | tstats `cs_summariesonly_network_traffic` count from datamodel=Network_Traffic by All_Traffic.action -| `drop_dm_object_name(All_Traffic)` +| `cs_drop_dm_object_name(All_Traffic)`
-24h@h now
@@ -62,7 +62,7 @@ | tstats `cs_summariesonly_network_traffic` count, sum(All_Traffic.bytes) as total_bytes, sum(All_Traffic.packets) as total_packets from datamodel=Network_Traffic where `cs_private_ips(All_Traffic.src_ip)` AND `cs_private_ips(All_Traffic.dest_ip)`AND (All_Traffic.dest_ip=$tkn_ip$ OR All_Traffic.src_ip=$tkn_ip$) AND (All_Traffic.dest_port=$tkn_port$ OR All_Traffic.src_port=$tkn_port$) AND $tkn_action$ by All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.action -| `drop_dm_object_name(All_Traffic)` +| `cs_drop_dm_object_name(All_Traffic)` | rex field=src_ip "(?<src_subnet>\d+\.\d+\.\d+)\.\d+" | rex field=dest_ip "(?<dest_subnet>\d+\.\d+\.\d+)\.\d+" | stats sum(total_bytes) as total_bytes by src_subnet, dest_subnet, action @@ -129,7 +129,7 @@ From $flow_map_viz-from$ To $flow_map_viz-to$ | tstats `cs_summariesonly_network_traffic` count, sum(All_Traffic.bytes) as total_bytes, sum(All_Traffic.packets) as total_packets, dc(All_Traffic.src_port) as no_src_port, dc(All_Traffic.dest_port) as no_dest_port, values(host) as reporting_device_ip from datamodel=Network_Traffic where `cs_private_ips(All_Traffic.src_ip)` AND `cs_private_ips(All_Traffic.dest_ip)` AND (All_Traffic.dest_ip=$tkn_ip$ OR All_Traffic.src_ip=$tkn_ip$) AND (All_Traffic.dest_port=$tkn_port$ OR All_Traffic.src_port=$tkn_port$) AND $tkn_action$ AND All_Traffic.src_ip="$flow_map_viz-from$*" AND All_Traffic.dest_ip="$flow_map_viz-to$*" by All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.action -| `drop_dm_object_name(All_Traffic)` +| `cs_drop_dm_object_name(All_Traffic)` | eval total_MB = round(total_bytes/1024/1024, 2) | eval total_k_packets = round(total_packets/1000) | table reporting_device_ip src_ip no_src_port dest_ip no_dest_port action total_MB total_k_packets 
@@ -148,7 +148,7 @@ Subnet = $flow_map_viz-node$ | tstats `cs_summariesonly_network_traffic` count, sum(All_Traffic.bytes) as total_bytes, sum(All_Traffic.packets) as total_packets, dc(All_Traffic.src_port) as no_src_port, dc(All_Traffic.dest_port) as no_dest_port, values(host) as reporting_device_ip from datamodel=Network_Traffic where `cs_private_ips(All_Traffic.src_ip)` AND `cs_private_ips(All_Traffic.dest_ip)` AND (All_Traffic.dest_ip=$tkn_ip$ OR All_Traffic.src_ip=$tkn_ip$) AND (All_Traffic.dest_port=$tkn_port$ OR All_Traffic.src_port=$tkn_port$) AND $tkn_action$ AND (All_Traffic.src_ip="$flow_map_viz-node$*" OR All_Traffic.dest_ip="$flow_map_viz-node$*") by All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.action -| `drop_dm_object_name(All_Traffic)` +| `cs_drop_dm_object_name(All_Traffic)` | eval total_MB = round(total_bytes/1024/1024, 2) | eval total_k_packets = round(total_packets/1000) | table reporting_device_ip src_ip no_src_port dest_ip no_dest_port action total_MB total_k_packets @@ -166,7 +166,7 @@ | tstats `cs_summariesonly_network_traffic` count, sum(All_Traffic.bytes) as total_bytes, sum(All_Traffic.packets) as total_packets, dc(All_Traffic.src_port) as no_src_port, dc(All_Traffic.dest_port) as no_dest_port, values(host) as reporting_device_ip from datamodel=Network_Traffic where `cs_private_ips(All_Traffic.src_ip)` AND `cs_private_ips(All_Traffic.dest_ip)` AND (All_Traffic.dest_ip=$tkn_ip$ OR All_Traffic.src_ip=$tkn_ip$) AND (All_Traffic.dest_port=$tkn_port$ OR All_Traffic.src_port=$tkn_port$) AND $tkn_action$ by All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.action -| `drop_dm_object_name(All_Traffic)` +| `cs_drop_dm_object_name(All_Traffic)` | eval total_MB = round(total_bytes/1024/1024, 2) | eval total_k_packets = round(total_packets/1000) | table reporting_device_ip src_ip no_src_port dest_ip no_dest_port action total_MB total_k_packets 
@@ -184,7 +184,7 @@ | tstats `cs_summariesonly_network_traffic` sum(All_Traffic.bytes) as total_bytes from datamodel=Network_Traffic where `cs_private_ips(All_Traffic.dest_ip)` AND `cs_public_ips(All_Traffic.src_ip)` AND (All_Traffic.dest_ip=$tkn_ip$ OR All_Traffic.src_ip=$tkn_ip$) AND (All_Traffic.dest_port=$tkn_port$ OR All_Traffic.src_port=$tkn_port$) AND $tkn_action$ by All_Traffic.src_ip, All_Traffic.action -| `drop_dm_object_name(All_Traffic)` +| `cs_drop_dm_object_name(All_Traffic)` | eval color=if(action="allowed", "Allowed", "Other") | eval total_MB = round(total_bytes/1024/1024) | eval total_MB = if(total_MB<1, 1, total_MB) 
@@ -198,7 +198,7 @@ - search?q=%7C%20tstats%20%60cs_summariesonly_network_traffic%60%20sum(All_Traffic.bytes)%20as%20total_bytes%2C%20values(All_Traffic.dest_ip)%20dest_ip%20from%20datamodel%3DNetwork_Traffic%20where%20%60cs_private_ips(All_Traffic.dest_ip)%60%20AND%20%60cs_public_ips(All_Traffic.src_ip)%60%20AND%20(All_Traffic.dest_ip%3D$tkn_ip$%20OR%20All_Traffic.src_ip%3D$tkn_ip$)%20AND%20(All_Traffic.dest_port%3D$tkn_port$%20OR%20All_Traffic.src_port%3D$tkn_port$)%20$tkn_action$%20by%20All_Traffic.src_ip%2C%20All_Traffic.action%20%0A%7C%20%60drop_dm_object_name(All_Traffic)%60%0A%7C%20eval%20total_MB%20%3D%20round(total_bytes%2F1024%2F1024%2C%202)%0A%7C%20iplocation%20src_ip%0A%7C%20search%20lat%3E%3D$click.bounds.south$%20lat%3C$click.bounds.north$%20lon%3E%3D$click.bounds.west$%20lon%3C$click.bounds.east$&earliest=$timeRange.earliest$&latest=$timeRange.latest$ + search?q=%7C%20tstats%20%60cs_summariesonly_network_traffic%60%20sum(All_Traffic.bytes)%20as%20total_bytes%2C%20values(All_Traffic.dest_ip)%20dest_ip%20from%20datamodel%3DNetwork_Traffic%20where%20%60cs_private_ips(All_Traffic.dest_ip)%60%20AND%20%60cs_public_ips(All_Traffic.src_ip)%60%20AND%20(All_Traffic.dest_ip%3D$tkn_ip$%20OR%20All_Traffic.src_ip%3D$tkn_ip$)%20AND%20(All_Traffic.dest_port%3D$tkn_port$%20OR%20All_Traffic.src_port%3D$tkn_port$)%20$tkn_action$%20by%20All_Traffic.src_ip%2C%20All_Traffic.action%20%0A%7C%20%60cs_drop_dm_object_name(All_Traffic)%60%0A%7C%20eval%20total_MB%20%3D%20round(total_bytes%2F1024%2F1024%2C%202)%0A%7C%20iplocation%20src_ip%0A%7C%20search%20lat%3E%3D$click.bounds.south$%20lat%3C$click.bounds.north$%20lon%3E%3D$click.bounds.west$%20lon%3C$click.bounds.east$&earliest=$timeRange.earliest$&latest=$timeRange.latest$ 
@@ -207,7 +207,7 @@ | tstats `cs_summariesonly_network_traffic` sum(All_Traffic.bytes) as total_bytes from datamodel=Network_Traffic where `cs_private_ips(All_Traffic.src_ip)` AND `cs_public_ips(All_Traffic.dest_ip)` AND (All_Traffic.dest_ip=$tkn_ip$ OR All_Traffic.src_ip=$tkn_ip$) AND (All_Traffic.dest_port=$tkn_port$ OR All_Traffic.src_port=$tkn_port$) AND $tkn_action$ by All_Traffic.dest_ip, All_Traffic.action -| `drop_dm_object_name(All_Traffic)` +| `cs_drop_dm_object_name(All_Traffic)` | eval color=if(action="allowed", "Allowed", "Other") | eval total_MB = round(total_bytes/1024/1024) | eval total_MB = if(total_MB<1, 1, total_MB) 
@@ -221,7 +221,7 @@ - search?q=%7C%20tstats%20%60cs_summariesonly_network_traffic%60%20sum(All_Traffic.bytes)%20as%20total_bytes%2C%20values(All_Traffic.src_ip)%20as%20src_ip%20from%20datamodel%3DNetwork_Traffic%20where%20%60cs_private_ips(All_Traffic.src_ip)%60%20AND%20%60cs_public_ips(All_Traffic.dest_ip)%60%20AND%20(All_Traffic.dest_ip%3D$tkn_ip$%20OR%20All_Traffic.src_ip%3D$tkn_ip$)%20AND%20(All_Traffic.dest_port%3D$tkn_port$%20OR%20All_Traffic.src_port%3D$tkn_port$)%20$tkn_action$%20by%20All_Traffic.dest_ip%2C%20All_Traffic.action%0D%0A%7C%20%60drop_dm_object_name(All_Traffic)%60%20%0D%0A%7C%20eval%20total_MB%20%3D%20round(total_bytes%2F1024%2F1024%2C%202)%0D%0A%7C%20iplocation%20dest_ip%20%0D%0A%7C%20search%20lat%3E%3D$click.bounds.south$%20lat%3C$click.bounds.north$%20lon%3E%3D$click.bounds.west$%20lon%3C$click.bounds.east$&earliest=$timeRange.earliest$&latest=$timeRange.latest$ + search?q=%7C%20tstats%20%60cs_summariesonly_network_traffic%60%20sum(All_Traffic.bytes)%20as%20total_bytes%2C%20values(All_Traffic.src_ip)%20as%20src_ip%20from%20datamodel%3DNetwork_Traffic%20where%20%60cs_private_ips(All_Traffic.src_ip)%60%20AND%20%60cs_public_ips(All_Traffic.dest_ip)%60%20AND%20(All_Traffic.dest_ip%3D$tkn_ip$%20OR%20All_Traffic.src_ip%3D$tkn_ip$)%20AND%20(All_Traffic.dest_port%3D$tkn_port$%20OR%20All_Traffic.src_port%3D$tkn_port$)%20$tkn_action$%20by%20All_Traffic.dest_ip%2C%20All_Traffic.action%0D%0A%7C%20%60cs_drop_dm_object_name(All_Traffic)%60%20%0D%0A%7C%20eval%20total_MB%20%3D%20round(total_bytes%2F1024%2F1024%2C%202)%0D%0A%7C%20iplocation%20dest_ip%20%0D%0A%7C%20search%20lat%3E%3D$click.bounds.south$%20lat%3C$click.bounds.north$%20lon%3E%3D$click.bounds.west$%20lon%3C$click.bounds.east$&earliest=$timeRange.earliest$&latest=$timeRange.latest$ 
@@ -231,7 +231,7 @@ Port Scanning Attempts - | tstats `cs_summariesonly_network_traffic` dc(All_Traffic.dest_port) as dc_port from datamodel=Network_Traffic where (All_Traffic.dest_ip=$tkn_ip$ OR All_Traffic.src_ip=$tkn_ip$) AND (All_Traffic.dest_port=$tkn_port$ OR All_Traffic.src_port=$tkn_port$) AND $tkn_action$ by All_Traffic.src_ip | `drop_dm_object_name(All_Traffic)` | search `cs_filter_private_ips` + | tstats `cs_summariesonly_network_traffic` dc(All_Traffic.dest_port) as dc_port from datamodel=Network_Traffic where (All_Traffic.dest_ip=$tkn_ip$ OR All_Traffic.src_ip=$tkn_ip$) AND (All_Traffic.dest_port=$tkn_port$ OR All_Traffic.src_port=$tkn_port$) AND $tkn_action$ by All_Traffic.src_ip | `cs_drop_dm_object_name(All_Traffic)` | search `cs_filter_private_ips` | where dc_port>=`cs_network_scanning_min_dc_ports` | `cs_network_scanning_map_filter` | iplocation src_ip 
@@ -245,7 +245,7 @@ - search?q=%7C%20tstats%20%60cs_summariesonly_network_traffic%60%20dc(All_Traffic.dest_port)%20as%20dc_port%20from%20datamodel%3DNetwork_Traffic%20where%20(All_Traffic.dest_ip%3D$tkn_ip$%20OR%20All_Traffic.src_ip%3D$tkn_ip$)%20AND%20(All_Traffic.dest_port%3D$tkn_port$%20OR%20All_Traffic.src_port%3D$tkn_port$)%20AND%20$tkn_action$%20by%20All_Traffic.src_ip%20%7C%20%60drop_dm_object_name(All_Traffic)%60%20%7C%20search%20%60cs_filter_private_ips%60%0A%7C%20where%20dc_port%3E%3D%60cs_network_scanning_min_dc_ports%60%0A%7C%20%60cs_network_scanning_map_filter%60%0A%7C%20iplocation%20src_ip%0A%7C%20search%20lat%3E%3D$click.bounds.south$%20lat%3C$click.bounds.north$%20lon%3E%3D$click.bounds.west$%20lon%3C$click.bounds.east$&earliest=$timeRange.earliest$&latest=$timeRange.latest$ + search?q=%7C%20tstats%20%60cs_summariesonly_network_traffic%60%20dc(All_Traffic.dest_port)%20as%20dc_port%20from%20datamodel%3DNetwork_Traffic%20where%20(All_Traffic.dest_ip%3D$tkn_ip$%20OR%20All_Traffic.src_ip%3D$tkn_ip$)%20AND%20(All_Traffic.dest_port%3D$tkn_port$%20OR%20All_Traffic.src_port%3D$tkn_port$)%20AND%20$tkn_action$%20by%20All_Traffic.src_ip%20%7C%20%60cs_drop_dm_object_name(All_Traffic)%60%20%7C%20search%20%60cs_filter_private_ips%60%0A%7C%20where%20dc_port%3E%3D%60cs_network_scanning_min_dc_ports%60%0A%7C%20%60cs_network_scanning_map_filter%60%0A%7C%20iplocation%20src_ip%0A%7C%20search%20lat%3E%3D$click.bounds.south$%20lat%3C$click.bounds.north$%20lon%3E%3D$click.bounds.west$%20lon%3C$click.bounds.east$&earliest=$timeRange.earliest$&latest=$timeRange.latest$ @@ -281,7 +281,7 @@
| tstats `cs_summariesonly_network_traffic` count, sum(All_Traffic.bytes) as total_bytes, sum(All_Traffic.packets) as total_packets, values(host) as host from datamodel=Network_Traffic where `cs_private_ips(All_Traffic.src_ip)` AND `cs_private_ips(All_Traffic.dest_ip)` AND (All_Traffic.dest_ip=$tkn_ip$ OR All_Traffic.src_ip=$tkn_ip$) AND (All_Traffic.dest_port=$tkn_port$ OR All_Traffic.src_port=$tkn_port$) by All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.src_port, All_Traffic.dest_port All_Traffic.action -| `drop_dm_object_name(All_Traffic)` +| `cs_drop_dm_object_name(All_Traffic)` | append [| inputlookup cs_all_vuln where (status="open" OR status="reopened") AND port!="0" AND ($tkn_vul_severity$) | lookup cs_all_assets asset_id as dest_id output asset_ip as ip @@ -324,7 +324,7 @@ | tstats `cs_summariesonly_network_traffic` sum(All_Traffic.bytes) as total_bytes from datamodel=Network_Traffic where `cs_private_ips(All_Traffic.dest_ip)` AND `cs_public_ips(All_Traffic.src_ip)` AND (All_Traffic.dest_ip=$tkn_ip$ OR All_Traffic.src_ip=$tkn_ip$) AND (All_Traffic.dest_port=$tkn_port$ OR All_Traffic.src_port=$tkn_port$) AND $tkn_action$ by All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.dest_port, All_Traffic.action -| `drop_dm_object_name(All_Traffic)` +| `cs_drop_dm_object_name(All_Traffic)` | append [| inputlookup cs_all_vuln where (status="open" OR status="reopened") AND port!="0" AND ($tkn_vul_severity$) | lookup cs_all_assets asset_id as dest_id output asset_ip as ip | makemv ip delim="~~" 
@@ -346,7 +346,7 @@ - search?q=%7C%20tstats%20%60cs_summariesonly_network_traffic%60%20sum(All_Traffic.bytes)%20as%20total_bytes%20from%20datamodel%3DNetwork_Traffic%20where%20%60cs_private_ips(All_Traffic.dest_ip)%60%20AND%20%60cs_public_ips(All_Traffic.src_ip)%60%20AND%20(All_Traffic.dest_ip%3D$tkn_ip$%20OR%20All_Traffic.src_ip%3D$tkn_ip$)%20AND%20(All_Traffic.dest_port%3D$tkn_port$%20OR%20All_Traffic.src_port%3D$tkn_port$)%20$tkn_action$%20by%20All_Traffic.src_ip%2C%20All_Traffic.dest_ip%2C%20All_Traffic.dest_port%2C%20All_Traffic.action%20%0A%7C%20%60drop_dm_object_name(All_Traffic)%60%0A%7C%20append%20%5B%7C%20inputlookup%20cs_all_vuln%20where%20(status%3D%22open%22%20OR%20status%3D%22reopened%22)%20AND%20port!%3D%220%22%20AND%20((severity%3D%22critical%22%20OR%20severity%3D%22high%22%20OR%20severity%3D%22medium%22))%20%0A%20%20%20%20%7C%20lookup%20cs_all_assets%20asset_id%20as%20dest_id%20output%20asset_ip%20as%20ip%20%0A%20%20%20%20%7C%20makemv%20ip%20delim%3D%22~~%22%20%0A%20%20%20%20%7C%20stats%20count%20as%20vul%20by%20ip%20port%20%0A%20%20%20%20%7C%20rename%20ip%20as%20dest_ip%2C%20port%20as%20dest_port%5D%0A%7C%20eventstats%20first(vul)%20as%20vul%20by%20dest_ip%2C%20dest_port%0A%7C%20search%20vul%3D*%20total_bytes%3D*%0A%7C%20stats%20values(dest_ip)%20as%20dest_ips%2C%20sum(total_bytes)%20as%20total_bytes%20by%20src_ip%2C%20action%0A%7C%20eval%20total_MB%20%3D%20round(total_bytes%2F1024%2F1024%2C%202)%0A%7C%20iplocation%20src_ip%0A%7C%20search%20lat%3E%3D$click.bounds.south$%20lat%3C$click.bounds.north$%20lon%3E%3D$click.bounds.west$%20lon%3C$click.bounds.east$&earliest=$timeRange.earliest$&latest=$timeRange.latest$ + 
search?q=%7C%20tstats%20%60cs_summariesonly_network_traffic%60%20sum(All_Traffic.bytes)%20as%20total_bytes%20from%20datamodel%3DNetwork_Traffic%20where%20%60cs_private_ips(All_Traffic.dest_ip)%60%20AND%20%60cs_public_ips(All_Traffic.src_ip)%60%20AND%20(All_Traffic.dest_ip%3D$tkn_ip$%20OR%20All_Traffic.src_ip%3D$tkn_ip$)%20AND%20(All_Traffic.dest_port%3D$tkn_port$%20OR%20All_Traffic.src_port%3D$tkn_port$)%20$tkn_action$%20by%20All_Traffic.src_ip%2C%20All_Traffic.dest_ip%2C%20All_Traffic.dest_port%2C%20All_Traffic.action%20%0A%7C%20%60cs_drop_dm_object_name(All_Traffic)%60%0A%7C%20append%20%5B%7C%20inputlookup%20cs_all_vuln%20where%20(status%3D%22open%22%20OR%20status%3D%22reopened%22)%20AND%20port!%3D%220%22%20AND%20((severity%3D%22critical%22%20OR%20severity%3D%22high%22%20OR%20severity%3D%22medium%22))%20%0A%20%20%20%20%7C%20lookup%20cs_all_assets%20asset_id%20as%20dest_id%20output%20asset_ip%20as%20ip%20%0A%20%20%20%20%7C%20makemv%20ip%20delim%3D%22~~%22%20%0A%20%20%20%20%7C%20stats%20count%20as%20vul%20by%20ip%20port%20%0A%20%20%20%20%7C%20rename%20ip%20as%20dest_ip%2C%20port%20as%20dest_port%5D%0A%7C%20eventstats%20first(vul)%20as%20vul%20by%20dest_ip%2C%20dest_port%0A%7C%20search%20vul%3D*%20total_bytes%3D*%0A%7C%20stats%20values(dest_ip)%20as%20dest_ips%2C%20sum(total_bytes)%20as%20total_bytes%20by%20src_ip%2C%20action%0A%7C%20eval%20total_MB%20%3D%20round(total_bytes%2F1024%2F1024%2C%202)%0A%7C%20iplocation%20src_ip%0A%7C%20search%20lat%3E%3D$click.bounds.south$%20lat%3C$click.bounds.north$%20lon%3E%3D$click.bounds.west$%20lon%3C$click.bounds.east$&earliest=$timeRange.earliest$&latest=$timeRange.latest$ 
@@ -392,7 +392,7 @@ | tstats `cs_summariesonly_network_traffic` sum(All_Traffic.bytes) as total_bytes from datamodel=Network_Traffic where `cs_private_ips(All_Traffic.src_ip)` AND `cs_public_ips(All_Traffic.dest_ip)` AND (All_Traffic.dest_ip=$tkn_ip$ OR All_Traffic.src_ip=$tkn_ip$) AND (All_Traffic.dest_port=$tkn_port$ OR All_Traffic.src_port=$tkn_port$) AND $tkn_action$ by All_Traffic.src_ip, All_Traffic.src_port, All_Traffic.dest_ip, All_Traffic.action -| `drop_dm_object_name(All_Traffic)` +| `cs_drop_dm_object_name(All_Traffic)` | append [| inputlookup cs_all_vuln where (status="open" OR status="reopened") AND ($tkn_vul_severity$) | lookup cs_all_assets asset_id as dest_id output asset_ip as ip | makemv ip delim="~~" 
@@ -414,7 +414,7 @@ - search?q=%7C%20tstats%20%60cs_summariesonly_network_traffic%60%20sum(All_Traffic.bytes)%20as%20total_bytes%20from%20datamodel%3DNetwork_Traffic%20where%20%60cs_private_ips(All_Traffic.src_ip)%60%20AND%20%60cs_public_ips(All_Traffic.dest_ip)%60%20AND%20(All_Traffic.dest_ip%3D$tkn_ip$%20OR%20All_Traffic.src_ip%3D$tkn_ip$)%20AND%20(All_Traffic.dest_port%3D$tkn_port$%20OR%20All_Traffic.src_port%3D$tkn_port$)%20$tkn_action$%20by%20All_Traffic.src_ip%2C%20All_Traffic.src_port%2C%20All_Traffic.dest_ip%2C%20All_Traffic.action%20%0D%0A%7C%20%60drop_dm_object_name(All_Traffic)%60%20%0D%0A%7C%20append%20%5B%7C%20inputlookup%20cs_all_vuln%20where%20(status%3D%22open%22%20OR%20status%3D%22reopened%22)%20AND%20((severity%3D%22critical%22%20OR%20severity%3D%22high%22%20OR%20severity%3D%22medium%22))%20%0D%0A%20%20%20%20%7C%20lookup%20cs_all_assets%20asset_id%20as%20dest_id%20output%20asset_ip%20as%20ip%20%0D%0A%20%20%20%20%7C%20makemv%20ip%20delim%3D%22~~%22%20%0D%0A%20%20%20%20%7C%20stats%20count%20as%20vul%20by%20ip%20port%20%0D%0A%20%20%20%20%7C%20rename%20ip%20as%20src_ip%2C%20port%20as%20src_port%5D%0D%0A%7C%20eventstats%20first(vul)%20as%20vul%20by%20src_ip%2C%20src_port%0D%0A%7C%20search%20vul%3D*%20total_bytes%3D*%0D%0A%7C%20stats%20values(src_ip)%20as%20src_ips%2C%20sum(total_bytes)%20as%20total_bytes%20by%20dest_ip%2C%20action%0D%0A%7C%20eval%20total_MB%20%3D%20round(total_bytes%2F1024%2F1024%2C%202)%0D%0A%7C%20iplocation%20dest_ip%20%0D%0A%7C%20search%20lat%3E%3D$click.bounds.south$%20lat%3C$click.bounds.north$%20lon%3E%3D$click.bounds.west$%20lon%3C$click.bounds.east$&earliest=$timeRange.earliest$&latest=$timeRange.latest$ + 
search?q=%7C%20tstats%20%60cs_summariesonly_network_traffic%60%20sum(All_Traffic.bytes)%20as%20total_bytes%20from%20datamodel%3DNetwork_Traffic%20where%20%60cs_private_ips(All_Traffic.src_ip)%60%20AND%20%60cs_public_ips(All_Traffic.dest_ip)%60%20AND%20(All_Traffic.dest_ip%3D$tkn_ip$%20OR%20All_Traffic.src_ip%3D$tkn_ip$)%20AND%20(All_Traffic.dest_port%3D$tkn_port$%20OR%20All_Traffic.src_port%3D$tkn_port$)%20$tkn_action$%20by%20All_Traffic.src_ip%2C%20All_Traffic.src_port%2C%20All_Traffic.dest_ip%2C%20All_Traffic.action%20%0D%0A%7C%20%60cs_drop_dm_object_name(All_Traffic)%60%20%0D%0A%7C%20append%20%5B%7C%20inputlookup%20cs_all_vuln%20where%20(status%3D%22open%22%20OR%20status%3D%22reopened%22)%20AND%20((severity%3D%22critical%22%20OR%20severity%3D%22high%22%20OR%20severity%3D%22medium%22))%20%0D%0A%20%20%20%20%7C%20lookup%20cs_all_assets%20asset_id%20as%20dest_id%20output%20asset_ip%20as%20ip%20%0D%0A%20%20%20%20%7C%20makemv%20ip%20delim%3D%22~~%22%20%0D%0A%20%20%20%20%7C%20stats%20count%20as%20vul%20by%20ip%20port%20%0D%0A%20%20%20%20%7C%20rename%20ip%20as%20src_ip%2C%20port%20as%20src_port%5D%0D%0A%7C%20eventstats%20first(vul)%20as%20vul%20by%20src_ip%2C%20src_port%0D%0A%7C%20search%20vul%3D*%20total_bytes%3D*%0D%0A%7C%20stats%20values(src_ip)%20as%20src_ips%2C%20sum(total_bytes)%20as%20total_bytes%20by%20dest_ip%2C%20action%0D%0A%7C%20eval%20total_MB%20%3D%20round(total_bytes%2F1024%2F1024%2C%202)%0D%0A%7C%20iplocation%20dest_ip%20%0D%0A%7C%20search%20lat%3E%3D$click.bounds.south$%20lat%3C$click.bounds.north$%20lon%3E%3D$click.bounds.west$%20lon%3C$click.bounds.east$&earliest=$timeRange.earliest$&latest=$timeRange.latest$ diff --git a/cyences_app_for_splunk/default/data/ui/views/cs_radius_authentication.xml b/cyences_app_for_splunk/default/data/ui/views/cs_radius_authentication.xml index 426a17bf..d38d39d9 100644 --- a/cyences_app_for_splunk/default/data/ui/views/cs_radius_authentication.xml 
+++ b/cyences_app_for_splunk/default/data/ui/views/cs_radius_authentication.xml @@ -74,7 +74,7 @@ Radius Authentication Success Rate
- | tstats `cs_summariesonly_authentication` prestats=t count from datamodel=Cyences_Authentication where `cs_radius_authentication_indexes` Authentication.dest_category="radius_auth" Authentication.action IN ("success","failure") Authentication.app=$tkn_app|s$ by Authentication.app Authentication.action | `drop_dm_object_name(Authentication)` + | tstats `cs_summariesonly_authentication` prestats=t count from datamodel=Cyences_Authentication where `cs_radius_authentication_indexes` Authentication.dest_category="radius_auth" Authentication.action IN ("success","failure") Authentication.app=$tkn_app|s$ by Authentication.app Authentication.action | `cs_drop_dm_object_name(Authentication)` | chart count by app action | addtotals | eval "Success%" = round(success / Total * 100,2) @@ -115,7 +115,7 @@
| tstats `cs_summariesonly_authentication` count as count, latest(_time) as last_login from datamodel=Cyences_Authentication where `cs_radius_authentication_indexes` Authentication.dest_category="radius_auth" Authentication.action IN ("success","failure") Authentication.app=$tkn_app|s$ Authentication.user=$tkn_user|s$ by Authentication.user, Authentication.app, Authentication.action -| `drop_dm_object_name(Authentication)` +| `cs_drop_dm_object_name(Authentication)` | eval over_field=user." - ".app | chart sum(count) as count, max(last_login) as last_login over over_field by action | rex field=over_field "(?<user>.*) - (?<app>.*)" | fields - over_field diff --git a/cyences_app_for_splunk/default/macros.conf b/cyences_app_for_splunk/default/macros.conf index 26ea3c62..f07da892 100644 --- a/cyences_app_for_splunk/default/macros.conf +++ b/cyences_app_for_splunk/default/macros.conf @@ -339,6 +339,14 @@ iseval = 0 definition = ((`cs_tenable_assets`) OR (`cs_nessus_assets`) OR (`cs_qualys_hostsummary`)) iseval = 0 +[cs_cim_authentication_indexes] +definition = `cs_authentication_indexes` +iseval = 0 + +[cs_drop_dm_object_name(1)] +args = object +definition = rename "$object$.*" as * + # Configuration and Upgrade related macros [cy_run_filter_macro_upgrade_steps] definition = 1 @@ -562,7 +570,7 @@ iseval = 0 args = sourcetypefilter definition = eval main_event="1" \ | append [ | tstats count, values(Authentication.org_country) as org_country from datamodel=Cyences_Authentication where Authentication.action="success" AND Authentication.user!="unknown" AND `cs_public_ips(Authentication.src)` AND sourcetype="$sourcetypefilter$" AND earliest="@w" latest="@d" by Authentication.app, Authentication.user, Authentication.src \ -| `drop_dm_object_name(Authentication)` \ +| `cs_drop_dm_object_name(Authentication)` \ | iplocation src \ | eval Country = if(isnotnull(org_country), org_country, Country) \ | inputlookup cs_authentication_usual_location.csv append=true \ 
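Review bot: In hunk @@ -339 of macros.conf the new `[cs_drop_dm_object_name(1)]` stanza is the only one in the hunk without `iseval = 0`, and neither new macro records why it exists, so a reader of macros.conf cannot see that `cs_cim_authentication_indexes` is consumed by the Cyences_Authentication data model root constraint (first hunk of this patch) rather than by ordinary searches. I would add `iseval = 0` after its `definition` line for consistency with the surrounding stanzas, and a comment above the pair: `# Local replacements for the CIM add-on macros cim_Authentication_indexes and drop_dm_object_name so the app no longer depends on that add-on.` Above `[cs_cim_authentication_indexes]` I would also note that it is referenced from the data model constraint, so an administrator editing `cs_authentication_indexes` changes which events the accelerated model covers and presumably needs the acceleration summary rebuilt for the change to take effect.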
@@ -580,7 +588,7 @@ iseval = 0 [cs_current_week_login_count_vpn] definition = eval main_event="1" \ | append [ | tstats count, values(Authentication.org_country) as org_country from datamodel=Cyences_Authentication where Authentication.dest_category="vpn_auth" AND Authentication.action="success" AND Authentication.user!="unknown" AND `cs_public_ips(Authentication.src)` AND earliest="@w" latest="@d" by Authentication.app, Authentication.user, Authentication.src \ -| `drop_dm_object_name(Authentication)` \ +| `cs_drop_dm_object_name(Authentication)` \ | iplocation src \ | eval Country = if(isnotnull(org_country), org_country, Country) \ | inputlookup cs_authentication_usual_location.csv append=true \ @@ -598,7 +606,7 @@ iseval = 0 [cs_current_week_login_count_o365] definition = eval main_event="1" \ | append [ | tstats count, values(Authentication.org_country) as org_country from datamodel=Cyences_Authentication where Authentication.action="success" AND Authentication.user!="unknown" AND `cs_public_ips(Authentication.src)` AND `cs_o365_login_source` AND earliest="@w" latest="@d" by Authentication.app, Authentication.user, Authentication.src \ -| `drop_dm_object_name(Authentication)` \ +| `cs_drop_dm_object_name(Authentication)` \ | iplocation src \ | eval Country = if(isnotnull(org_country), org_country, Country) \ | inputlookup cs_authentication_usual_location.csv append=true \ diff --git a/cyences_app_for_splunk/default/savedsearches.conf b/cyences_app_for_splunk/default/savedsearches.conf index 7f6a470a..37f7582a 100644 --- a/cyences_app_for_splunk/default/savedsearches.conf +++ b/cyences_app_for_splunk/default/savedsearches.conf 
@@ -2914,7 +2914,7 @@ display.visualizations.show = 0 request.ui_dispatch_app = cyences_app_for_splunk request.ui_dispatch_view = search search = | tstats `cs_summariesonly_network_traffic` sum(All_Traffic.bytes) as total_bytes, sum(All_Traffic.packets) as total_packets, dc(All_Traffic.src_ip) as dc_src_ip from datamodel=Network_Traffic where `cs_public_ips(All_Traffic.src_ip)` by _time span=1h, sourcetype \ -| `drop_dm_object_name(All_Traffic)` \ +| `cs_drop_dm_object_name(All_Traffic)` \ | eval total_MB = round(total_bytes/(1024*1024),1) | fields - total_bytes \ | eval total_m_packets = round(total_packets/1000000,1) | fields - total_packets \ | stats avg(total_m_packets) as avg_total_m_packets, stdev(total_m_packets) as stdev_total_m_packets, avg(dc_src_ip) as avg_dc_src_ip, stdev(dc_src_ip) as stdev_dc_src_ip, avg(total_MB) as avg_total_MB, stdev(total_MB) as stdev_total_MB by sourcetype \ @@ -2943,7 +2943,7 @@ display.visualizations.show = 0 request.ui_dispatch_app = cyences_app_for_splunk request.ui_dispatch_view = search search = | tstats `cs_summariesonly_network_traffic` sum(All_Traffic.bytes) as total_bytes, sum(All_Traffic.packets) as total_packets from datamodel=Network_Traffic where `cs_private_ips(All_Traffic.src_ip)` AND `cs_public_ips(All_Traffic.dest_ip)` by _time span=1h, sourcetype \ -| `drop_dm_object_name(All_Traffic)` \ +| `cs_drop_dm_object_name(All_Traffic)` \ | eval total_MB = round(total_bytes/(1024*1024),1) | fields - total_bytes \ | eval total_m_packets = round(total_packets/1000000,1) | fields - total_packets \ | stats avg(total_m_packets) as avg_total_m_packets, stdev(total_m_packets) as stdev_total_m_packets, avg(total_MB) as avg_total_MB, stdev(total_MB) as stdev_total_MB by sourcetype \ 
@@ -2976,7 +2976,7 @@ display.page.search.mode = fast
 request.ui_dispatch_app = cyences_app_for_splunk
 request.ui_dispatch_view = search
 search = | tstats `cs_summariesonly_network_traffic` sum(All_Traffic.bytes) as total_bytes, sum(All_Traffic.packets) as total_packets from datamodel=Network_Traffic by sourcetype, All_Traffic.src_ip, All_Traffic.action \
-| `drop_dm_object_name(All_Traffic)` \
+| `cs_drop_dm_object_name(All_Traffic)` \
 | search `cs_public_ips(src_ip)` \
 | eval total_MB = round(total_bytes/(1024*1024),2) | fields - total_bytes \
 | eval total_m_packets = round(total_packets/1000000,2) | fields - total_packets \
@@ -3005,9 +3005,9 @@ search = | tstats `cs_summariesonly_network_traffic` sum(All_Traffic.bytes) as t | `cs_network_ddos_filter` action.cyences_notable_event_action = 1 action.cyences_notable_event_action.param.filter_macro_name = cs_network_ddos_filter -action.cyences_notable_event_action.contributing_events = | datamodel Network_Traffic All_Traffic search strict_fields=false | `drop_dm_object_name(All_Traffic)` | search `cs_public_ips(src_ip)` +action.cyences_notable_event_action.contributing_events = | datamodel Network_Traffic All_Traffic search strict_fields=false | `cs_drop_dm_object_name(All_Traffic)` | search `cs_public_ips(src_ip)` action.cyences_notable_event_action.system_compromised_search = | stats values(total_m_packets) as total_m_packets, values(dc_src_ip) as dc_src_ip by sourcetype -action.cyences_notable_event_action.system_compromised_drilldown = | datamodel Network_Traffic All_Traffic search strict_fields=false | search sourcetype=$row.sourcetype$ | `drop_dm_object_name(All_Traffic)` | search `cs_public_ips(src_ip)` +action.cyences_notable_event_action.system_compromised_drilldown = | datamodel Network_Traffic All_Traffic search strict_fields=false | search sourcetype=$row.sourcetype$ | `cs_drop_dm_object_name(All_Traffic)` | search `cs_public_ips(src_ip)` action.cyences_send_email_action = 1 action.cyences_notable_event_action.products = Cisco IOS, FortiGate, Palo Alto, Sophos Firewall 
@@ -3034,7 +3034,7 @@ display.page.search.mode = fast
 request.ui_dispatch_app = cyences_app_for_splunk
 request.ui_dispatch_view = search
 search = | tstats `cs_summariesonly_network_traffic` sum(All_Traffic.bytes) as total_bytes, sum(All_Traffic.packets) as total_packets from datamodel=Network_Traffic where `cs_private_ips(All_Traffic.src_ip)` AND `cs_public_ips(All_Traffic.dest_ip)` by sourcetype, All_Traffic.src_ip, All_Traffic.action \
-| `drop_dm_object_name(All_Traffic)` \
+| `cs_drop_dm_object_name(All_Traffic)` \
 | eval total_MB = round(total_bytes/(1024*1024),2) | fields - total_bytes \
 | eval total_m_packets = round(total_packets/1000000,2) | fields - total_packets \
 | eval original_event=1 \
@@ -3062,9 +3062,9 @@ search = | tstats `cs_summariesonly_network_traffic` sum(All_Traffic.bytes) as t | `cs_network_unusual_outbound_traffic_filter` action.cyences_notable_event_action = 1 action.cyences_notable_event_action.param.filter_macro_name = cs_network_unusual_outbound_traffic_filter -action.cyences_notable_event_action.contributing_events = | datamodel Network_Traffic All_Traffic search strict_fields=false | `drop_dm_object_name(All_Traffic)` | search `cs_private_ips(src_ip)` AND `cs_public_ips(dest_ip)` +action.cyences_notable_event_action.contributing_events = | datamodel Network_Traffic All_Traffic search strict_fields=false | `cs_drop_dm_object_name(All_Traffic)` | search `cs_private_ips(src_ip)` AND `cs_public_ips(dest_ip)` action.cyences_notable_event_action.system_compromised_search = | stats values(total_m_packets) as total_m_packets, values(total_MB) as total_MB by sourcetype -action.cyences_notable_event_action.system_compromised_drilldown = | datamodel Network_Traffic All_Traffic search strict_fields=false | search sourcetype=$row.sourcetype$ | `drop_dm_object_name(All_Traffic)` | search `cs_private_ips(src_ip)` AND `cs_public_ips(dest_ip)` +action.cyences_notable_event_action.system_compromised_drilldown = | datamodel Network_Traffic All_Traffic search strict_fields=false | search sourcetype=$row.sourcetype$ | `cs_drop_dm_object_name(All_Traffic)` | search `cs_private_ips(src_ip)` AND `cs_public_ips(dest_ip)` action.cyences_send_email_action = 1 action.cyences_notable_event_action.products = Cisco IOS, FortiGate, Palo Alto, Sophos Firewall 
@@ -3090,7 +3090,7 @@ display.page.search.mode = fast request.ui_dispatch_app = cyences_app_for_splunk request.ui_dispatch_view = search search = | tstats `cs_summariesonly_network_traffic` count values(All_Traffic.dest_port) as dest_port, values(All_Traffic.dest_ip) as dest_ip, values(All_Traffic.dvc) as dvc from datamodel=Network_Traffic where `cs_basic_scanning_internal_filter` by sourcetype, All_Traffic.src_ip, All_Traffic.action \ -| `drop_dm_object_name(All_Traffic)` \ +| `cs_drop_dm_object_name(All_Traffic)` \ | eval allowed=if(action="allowed", count, 0), blocked=if(action="blocked", count, 0), other=if(action!="allowed" and action!="blocked", count, 0) \ | stats sum(count) as count dc(dest_port) as num_dest_port, dc(dest_ip) as num_dest_ip, values(dvc) as dvc sum(allowed) as allowed sum(blocked) as blocked sum(other) as other by sourcetype, src_ip \ | eval traffic_info = if(allowed=0,"", round((allowed/count)*100,2)." % (allowed),") \ @@ -3103,7 +3103,7 @@ search = | tstats `cs_summariesonly_network_traffic` count values(All_Traffic.de | `cs_scanning_basic_scanning_filter` action.cyences_notable_event_action = 1 action.cyences_notable_event_action.param.filter_macro_name = cs_scanning_basic_scanning_filter -action.cyences_notable_event_action.contributing_events = | datamodel Network_Traffic All_Traffic search strict_fields=false | `drop_dm_object_name(All_Traffic)` +action.cyences_notable_event_action.contributing_events = | datamodel Network_Traffic All_Traffic search strict_fields=false | `cs_drop_dm_object_name(All_Traffic)` action.cyences_notable_event_action.system_compromised_search = | stats count by sourcetype action.cyences_notable_event_action.system_compromised_drilldown = index=$row.index$ sourcetype=$row.sourcetype$ action.cyences_notable_event_action.attacker_search = | stats count by src_ip 
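Review bot: In the 3103 hunk, `system_compromised_drilldown = index=$row.index$ sourcetype=$row.sourcetype$` references `$row.index$`, but the `system_compromised_search` on the line above it is `| stats count by sourcetype`, which produces no `index` column, so the token presumably stays unresolved or empty and the drilldown returns nothing or everything depending on how the action substitutes it. Every sibling detection touched by this patch drills down through the data model instead; for consistency and a working pivot I would change that line to `action.cyences_notable_event_action.system_compromised_drilldown = | datamodel Network_Traffic All_Traffic search strict_fields=false | search sourcetype=$row.sourcetype$ | `cs_drop_dm_object_name(All_Traffic)``. The scanning detection's own `search =` body starts in the preceding hunk, outside this one.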
@@ -3133,7 +3133,7 @@ display.page.search.mode = fast request.ui_dispatch_app = cyences_app_for_splunk request.ui_dispatch_view = search search = | tstats `cs_summariesonly_network_traffic` sum(All_Traffic.bytes) as total_bytes, sum(All_Traffic.packets) as total_packets from datamodel=Network_Traffic where `cs_private_ips(All_Traffic.dest_ip)` AND `cs_public_ips(All_Traffic.src_ip)` AND All_Traffic.action="allowed" by All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.dest_port, All_Traffic.action \ -| `drop_dm_object_name(All_Traffic)` \ +| `cs_drop_dm_object_name(All_Traffic)` \ | join dest_ip dest_port \ [| inputlookup cs_all_vuln where (status="open" OR status="reopened") AND port!="0" AND (severity="critical" OR severity="high" OR severity="medium" OR severity="low") \ | lookup cs_all_assets asset_id as dest_id output asset_ip as ip \ @@ -4645,7 +4645,7 @@ display.page.search.mode = fast display.visualizations.show = 0 request.ui_dispatch_app = cyences_app_for_splunk request.ui_dispatch_view = search -search = | tstats `cs_summariesonly_endpoint` count FROM datamodel=Endpoint.Filesystem where Filesystem.action=created `cs_spike_in_the_file_writes_internal_filter` by _time span=1h, Filesystem.dest | `drop_dm_object_name(Filesystem)` \ +search = | tstats `cs_summariesonly_endpoint` count FROM datamodel=Endpoint.Filesystem where Filesystem.action=created `cs_spike_in_the_file_writes_internal_filter` by _time span=1h, Filesystem.dest | `cs_drop_dm_object_name(Filesystem)` \ | stats avg(count) as avg stdev(count) as stdev by "dest" \ | eval upperBound=(avg+stdev*4) \ | outputlookup cs_ransomware_file_writes_upperbound.csv 
@@ -4676,7 +4676,7 @@ display.page.search.tab = statistics display.page.search.mode = fast request.ui_dispatch_app = cyences_app_for_splunk request.ui_dispatch_view = search -search = | tstats `cs_summariesonly_endpoint` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=created `cs_spike_in_the_file_writes_internal_filter` by Filesystem.dest, Filesystem.file_path | `drop_dm_object_name(Filesystem)` \ +search = | tstats `cs_summariesonly_endpoint` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=created `cs_spike_in_the_file_writes_internal_filter` by Filesystem.dest, Filesystem.file_path | `cs_drop_dm_object_name(Filesystem)` \ | rex field=file_path "^(?.*)[\\\\|\\/].*?(?:\.(?[^.]+))?$" \ | eval raw_event=1 \ | appendpipe \ 
@@ -4701,9 +4701,9 @@ search = | tstats `cs_summariesonly_endpoint` count min(_time) as firstTime max( | `cs_spike_in_file_writes_filter` action.cyences_notable_event_action = 1 action.cyences_notable_event_action.param.filter_macro_name = cs_spike_in_file_writes_filter -action.cyences_notable_event_action.contributing_events = | datamodel Endpoint Filesystem search strict_fields=false | search Filesystem.action=created | `drop_dm_object_name(Filesystem)` +action.cyences_notable_event_action.contributing_events = | datamodel Endpoint Filesystem search strict_fields=false | search Filesystem.action=created | `cs_drop_dm_object_name(Filesystem)` action.cyences_notable_event_action.system_compromised_search = | stats sum(count) as count by dest -action.cyences_notable_event_action.system_compromised_drilldown = | datamodel Endpoint Filesystem search strict_fields=false | search Filesystem.action=created Filesystem.dest=$row.dest$ | `drop_dm_object_name(Filesystem)` +action.cyences_notable_event_action.system_compromised_drilldown = | datamodel Endpoint Filesystem search strict_fields=false | search Filesystem.action=created Filesystem.dest=$row.dest$ | `cs_drop_dm_object_name(Filesystem)` action.cyences_send_email_action = 1 action.cyences_notable_event_action.products = Sysmon 
@@ -4730,7 +4730,7 @@ display.page.search.mode = fast
 request.ui_dispatch_app = cyences_app_for_splunk
 request.ui_dispatch_view = search
 search = | tstats `cs_summariesonly_endpoint` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_path !="C:\\Windows\\System32*" Processes.process_path !="C:\\Windows\\SysWOW64*" by Processes.user Processes.dest Processes.process_name Processes.process_id Processes.process_path Processes.parent_process_name Processes.parent_process_path Processes.process_hash \
-| `drop_dm_object_name("Processes")` \
+| `cs_drop_dm_object_name("Processes")` \
 | `cs_system_processes_run_from_unexpected_locations_internal_filter` \
 | lookup cs_fake_windows_processes_filter process_name, process_hash OUTPUT need_to_filtered | search NOT need_to_filtered=1 \
 | `is_windows_system_file` \
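Review bot: The commit is titled "removed macro dependency from other apps", but this hunk still calls an unprefixed macro, `| `is_windows_system_file` \`, and the 4889 hunk further down still calls `| `ransomware_notes` \`; neither follows the `cs_` naming every other macro in this patch was moved to. If either is defined outside this app the stated goal is not met for these two detections, and if they are local they should be renamed (`cs_is_windows_system_file`, `cs_ransomware_notes`) or at least marked with a comment explaining why they are exempt, so the next dependency audit does not have to re-derive it. The `lookup ... is_windows_system_file` in the 4741 hunk is a lookup rather than a macro and is unaffected. The search body continues in the next hunk.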
@@ -4741,11 +4741,11 @@ search = | tstats `cs_summariesonly_endpoint` count min(_time) as firstTime max( | `cs_system_processes_run_from_unexpected_locations_filter` action.cyences_notable_event_action = 1 action.cyences_notable_event_action.param.filter_macro_name = cs_system_processes_run_from_unexpected_locations_filter -action.cyences_notable_event_action.contributing_events = | datamodel Endpoint Processes search strict_fields=false | search Processes.process_path!="C:\\Windows\\System32*" Processes.process_path!="C:\\Windows\\SysWOW64*" | `drop_dm_object_name(Processes)` | lookup update=true is_windows_system_file filename as process_name OUTPUT systemFile | search systemFile=true | lookup cs_fake_windows_processes_filter process_name, process_hash OUTPUT need_to_filtered | search NOT need_to_filtered=1 +action.cyences_notable_event_action.contributing_events = | datamodel Endpoint Processes search strict_fields=false | search Processes.process_path!="C:\\Windows\\System32*" Processes.process_path!="C:\\Windows\\SysWOW64*" | `cs_drop_dm_object_name(Processes)` | lookup update=true is_windows_system_file filename as process_name OUTPUT systemFile | search systemFile=true | lookup cs_fake_windows_processes_filter process_name, process_hash OUTPUT need_to_filtered | search NOT need_to_filtered=1 action.cyences_notable_event_action.system_compromised_search = | stats sum(count) as count by dest -action.cyences_notable_event_action.system_compromised_drilldown = | datamodel Endpoint Processes search strict_fields=false | search Processes.dest=$row.dest$ Processes.process_path!="C:\\Windows\\System32*" Processes.process_path!="C:\\Windows\\SysWOW64*" | `drop_dm_object_name(Processes)` | lookup update=true is_windows_system_file filename as process_name OUTPUT systemFile | search systemFile=true | lookup cs_fake_windows_processes_filter process_name, process_hash OUTPUT need_to_filtered | search NOT need_to_filtered=1 
+action.cyences_notable_event_action.system_compromised_drilldown = | datamodel Endpoint Processes search strict_fields=false | search Processes.dest=$row.dest$ Processes.process_path!="C:\\Windows\\System32*" Processes.process_path!="C:\\Windows\\SysWOW64*" | `cs_drop_dm_object_name(Processes)` | lookup update=true is_windows_system_file filename as process_name OUTPUT systemFile | search systemFile=true | lookup cs_fake_windows_processes_filter process_name, process_hash OUTPUT need_to_filtered | search NOT need_to_filtered=1 action.cyences_notable_event_action.attacker_search = | stats sum(count) as count by process_name, parent_process_name -action.cyences_notable_event_action.attacker_drilldown = | datamodel Endpoint Processes search strict_fields=false | search Processes.process_name=$row.process_name$ Processes.parent_process_name=$row.parent_process_name$ | `drop_dm_object_name(Processes)` +action.cyences_notable_event_action.attacker_drilldown = | datamodel Endpoint Processes search strict_fields=false | search Processes.process_name=$row.process_name$ Processes.parent_process_name=$row.parent_process_name$ | `cs_drop_dm_object_name(Processes)` action.cyences_send_email_action = 1 action.cyences_notable_event_action.products = Sysmon 
@@ -4772,16 +4772,16 @@ display.page.search.mode = fast request.ui_dispatch_app = cyences_app_for_splunk request.ui_dispatch_view = search search = | tstats `cs_summariesonly_network_traffic` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.app=tor AND All_Traffic.action=allowed by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.action \ -| `cs_human_readable_time_format(firstTime)` | `cs_human_readable_time_format(lastTime)` | `drop_dm_object_name("All_Traffic")` \ +| `cs_human_readable_time_format(firstTime)` | `cs_human_readable_time_format(lastTime)` | `cs_drop_dm_object_name("All_Traffic")` \ | eval cyences_severity = "critical" \ | `cs_tor_traffic_filter` action.cyences_notable_event_action = 1 action.cyences_notable_event_action.param.filter_macro_name = cs_tor_traffic_filter -action.cyences_notable_event_action.contributing_events = | datamodel Network_Traffic search strict_fields=false | search All_Traffic.app=tor | `drop_dm_object_name(All_Traffic)` +action.cyences_notable_event_action.contributing_events = | datamodel Network_Traffic search strict_fields=false | search All_Traffic.app=tor | `cs_drop_dm_object_name(All_Traffic)` action.cyences_notable_event_action.system_compromised_search = | stats sum(count) as count by dest_ip, dest_port -action.cyences_notable_event_action.system_compromised_drilldown = | datamodel Network_Traffic search strict_fields=false | search All_Traffic.app=tor All_Traffic.dest_ip=$row.dest_ip$ | `drop_dm_object_name(All_Traffic)` +action.cyences_notable_event_action.system_compromised_drilldown = | datamodel Network_Traffic search strict_fields=false | search All_Traffic.app=tor All_Traffic.dest_ip=$row.dest_ip$ | `cs_drop_dm_object_name(All_Traffic)` action.cyences_notable_event_action.attacker_search = | stats sum(count) as count by src_ip -action.cyences_notable_event_action.attacker_drilldown = | datamodel Network_Traffic search 
strict_fields=false | search All_Traffic.app=tor All_Traffic.src_ip=$row.src_ip$ | `drop_dm_object_name(All_Traffic)` +action.cyences_notable_event_action.attacker_drilldown = | datamodel Network_Traffic search strict_fields=false | search All_Traffic.app=tor All_Traffic.src_ip=$row.src_ip$ | `cs_drop_dm_object_name(All_Traffic)` action.cyences_send_email_action = 1 action.cyences_notable_event_action.products = Cisco IOS, FortiGate, Palo Alto, Sophos Firewall @@ -4807,7 +4807,7 @@ display.page.search.mode = fast request.ui_dispatch_app = cyences_app_for_splunk request.ui_dispatch_view = search search = | tstats `cs_summariesonly_endpoint` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem by Filesystem.dest, Filesystem.file_name, Filesystem.file_path \ -| `drop_dm_object_name(Filesystem)` \ +| `cs_drop_dm_object_name(Filesystem)` \ | rex field=file_path "(?.*)[\\\\|\\/]" | rex field=file_name "(?\.[^\.]+)$" \ | stats sum(count) as count, min(firstTime) as firstTime max(lastTime) as lastTime, values(file_name) as sample_file_names by dest, file_extension, file_location \ | `cs_ransomware_extensions` \ 
@@ -4822,11 +4822,11 @@ search = | tstats `cs_summariesonly_endpoint` count min(_time) as firstTime max( | `cs_common_ransomware_extensions_filter` action.cyences_notable_event_action = 1 action.cyences_notable_event_action.param.filter_macro_name = cs_common_ransomware_extensions_filter -action.cyences_notable_event_action.contributing_events = | datamodel Endpoint Filesystem search strict_fields=false | `drop_dm_object_name(Filesystem)` | rex field=file_name "(?\.[^\.]+)$" | `cs_ransomware_extensions` +action.cyences_notable_event_action.contributing_events = | datamodel Endpoint Filesystem search strict_fields=false | `cs_drop_dm_object_name(Filesystem)` | rex field=file_name "(?\.[^\.]+)$" | `cs_ransomware_extensions` action.cyences_notable_event_action.system_compromised_search = | stats sum(count) as count by dest -action.cyences_notable_event_action.system_compromised_drilldown = | datamodel Endpoint Filesystem search strict_fields=false | search Filesystem.dest=$row.dest$ | `drop_dm_object_name(Filesystem)` +action.cyences_notable_event_action.system_compromised_drilldown = | datamodel Endpoint Filesystem search strict_fields=false | search Filesystem.dest=$row.dest$ | `cs_drop_dm_object_name(Filesystem)` action.cyences_notable_event_action.attacker_search = | stats sum(count) as count by file_name -action.cyences_notable_event_action.attacker_drilldown = | datamodel Endpoint Filesystem search strict_fields=false | search Filesystem.file_name=$row.file_name$ | `drop_dm_object_name(Filesystem)` +action.cyences_notable_event_action.attacker_drilldown = | datamodel Endpoint Filesystem search strict_fields=false | search Filesystem.file_name=$row.file_name$ | `cs_drop_dm_object_name(Filesystem)` action.cyences_send_email_action = 1 action.cyences_notable_event_action.products = Sysmon 
@@ -4853,17 +4853,17 @@ display.page.search.mode = fast request.ui_dispatch_app = cyences_app_for_splunk request.ui_dispatch_view = search search = | tstats `cs_summariesonly_endpoint` count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as process from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe (Processes.process= "*create*" OR Processes.process= "*delete*") by Processes.dest Processes.parent_process Processes.process_name Processes.user \ -| `drop_dm_object_name("Processes")` | `cs_human_readable_time_format(firstTime)` | `cs_human_readable_time_format(lastTime)` \ +| `cs_drop_dm_object_name("Processes")` | `cs_human_readable_time_format(firstTime)` | `cs_human_readable_time_format(lastTime)` \ | search (process=*rhaegal* OR process=*drogon* OR *viserion_*) \ | eval cyences_severity = "critical" \ | `cs_scheduled_tasks_used_in_badrabbit_ransomware_filter` action.cyences_notable_event_action = 1 action.cyences_notable_event_action.param.filter_macro_name = cs_scheduled_tasks_used_in_badrabbit_ransomware_filter -action.cyences_notable_event_action.contributing_events = | datamodel Endpoint Processes search strict_fields=false | search Processes.process_name=schtasks.exe (Processes.process="*create*" OR Processes.process="*delete*") (Processes.process=*rhaegal* OR Processes.process=*drogon* OR Processes.process=*viserion_*) | `drop_dm_object_name(Processes)` +action.cyences_notable_event_action.contributing_events = | datamodel Endpoint Processes search strict_fields=false | search Processes.process_name=schtasks.exe (Processes.process="*create*" OR Processes.process="*delete*") (Processes.process=*rhaegal* OR Processes.process=*drogon* OR Processes.process=*viserion_*) | `cs_drop_dm_object_name(Processes)` action.cyences_notable_event_action.system_compromised_search = | stats sum(count) as count by dest, user -action.cyences_notable_event_action.system_compromised_drilldown = | datamodel Endpoint Processes 
search strict_fields=false | search Processes.dest=$row.dest$ | `drop_dm_object_name(Processes)` +action.cyences_notable_event_action.system_compromised_drilldown = | datamodel Endpoint Processes search strict_fields=false | search Processes.dest=$row.dest$ | `cs_drop_dm_object_name(Processes)` action.cyences_notable_event_action.attacker_search = | stats sum(count) as count, values(process) as process by process_name, parent_process_name -action.cyences_notable_event_action.attacker_drilldown = | datamodel Endpoint Processes search strict_fields=false | search Processes.process_name=$row.process_name$ | `drop_dm_object_name(Processes)` +action.cyences_notable_event_action.attacker_drilldown = | datamodel Endpoint Processes search strict_fields=false | search Processes.process_name=$row.process_name$ | `cs_drop_dm_object_name(Processes)` action.cyences_send_email_action = 1 action.cyences_notable_event_action.products = Sysmon 
@@ -4889,17 +4889,17 @@ display.page.search.mode = fast request.ui_dispatch_app = cyences_app_for_splunk request.ui_dispatch_view = search search = | tstats `cs_summariesonly_endpoint` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name \ -| `drop_dm_object_name(Filesystem)` | `cs_human_readable_time_format(lastTime)` | `cs_human_readable_time_format(firstTime)` \ +| `cs_drop_dm_object_name(Filesystem)` | `cs_human_readable_time_format(lastTime)` | `cs_human_readable_time_format(firstTime)` \ | rex field=file_name "(?\.[^\.]+)$" | `ransomware_notes` \ | eval cyences_severity = "critical" \ | `cs_common_ransomware_notes_filter` action.cyences_notable_event_action = 1 action.cyences_notable_event_action.param.filter_macro_name = cs_common_ransomware_notes_filter -action.cyences_notable_event_action.contributing_events = | datamodel Endpoint Filesystem search strict_fields=false | `drop_dm_object_name(Filesystem)` | rex field=file_name "(?\.[^\.]+)$" | `ransomware_notes` +action.cyences_notable_event_action.contributing_events = | datamodel Endpoint Filesystem search strict_fields=false | `cs_drop_dm_object_name(Filesystem)` | rex field=file_name "(?\.[^\.]+)$" | `ransomware_notes` action.cyences_notable_event_action.system_compromised_search = | stats sum(count) as count by dest -action.cyences_notable_event_action.system_compromised_drilldown = | datamodel Endpoint Filesystem search strict_fields=false | search Filesystem.dest=$row.dest$ | `drop_dm_object_name(Filesystem)` +action.cyences_notable_event_action.system_compromised_drilldown = | datamodel Endpoint Filesystem search strict_fields=false | search Filesystem.dest=$row.dest$ | `cs_drop_dm_object_name(Filesystem)` action.cyences_notable_event_action.attacker_search = | stats sum(count) as count by file_name 
-action.cyences_notable_event_action.attacker_drilldown = | datamodel Endpoint Filesystem search strict_fields=false | search Filesystem.file_name=$row.file_name$ | `drop_dm_object_name(Filesystem)` +action.cyences_notable_event_action.attacker_drilldown = | datamodel Endpoint Filesystem search strict_fields=false | search Filesystem.file_name=$row.file_name$ | `cs_drop_dm_object_name(Filesystem)` action.cyences_send_email_action = 1 action.cyences_notable_event_action.products = Sysmon 
@@ -4925,17 +4925,17 @@ display.page.search.mode = fast request.ui_dispatch_app = cyences_app_for_splunk request.ui_dispatch_view = search search = | tstats `cs_summariesonly_endpoint` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=fsutil.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest \ -| `drop_dm_object_name(Processes)` | `cs_human_readable_time_format(firstTime)` | `cs_human_readable_time_format(lastTime)` \ +| `cs_drop_dm_object_name(Processes)` | `cs_human_readable_time_format(firstTime)` | `cs_human_readable_time_format(lastTime)` \ | search process="*deletejournal*" AND process="*usn*" \ | eval cyences_severity = "critical" \ | `cs_usn_journal_deletion_filter` action.cyences_notable_event_action = 1 action.cyences_notable_event_action.param.filter_macro_name = cs_usn_journal_deletion_filter -action.cyences_notable_event_action.contributing_events = | datamodel Endpoint Processes search strict_fields=false | search Processes.process_name=fsutil.exe Processes.process="*deletejournal*" Processes.process="*usn*" | `drop_dm_object_name(Processes)` +action.cyences_notable_event_action.contributing_events = | datamodel Endpoint Processes search strict_fields=false | search Processes.process_name=fsutil.exe Processes.process="*deletejournal*" Processes.process="*usn*" | `cs_drop_dm_object_name(Processes)` action.cyences_notable_event_action.system_compromised_search = | stats sum(count) as count by dest -action.cyences_notable_event_action.system_compromised_drilldown = | datamodel Endpoint Processes search strict_fields=false | search Processes.dest=$row.dest$ | `drop_dm_object_name(Processes)` +action.cyences_notable_event_action.system_compromised_drilldown = | datamodel Endpoint Processes search strict_fields=false | search Processes.dest=$row.dest$ | 
`cs_drop_dm_object_name(Processes)` action.cyences_notable_event_action.attacker_search = | stats sum(count) as count, values(process) as process by process_name, parent_process_name -action.cyences_notable_event_action.attacker_drilldown = | datamodel Endpoint Processes search strict_fields=false | search Processes.process_name=$row.process_name$ | `drop_dm_object_name(Processes)` +action.cyences_notable_event_action.attacker_drilldown = | datamodel Endpoint Processes search strict_fields=false | search Processes.process_name=$row.process_name$ | `cs_drop_dm_object_name(Processes)` action.cyences_send_email_action = 1 action.cyences_notable_event_action.products = Sysmon 
@@ -5096,16 +5096,16 @@ display.page.search.mode = fast request.ui_dispatch_app = cyences_app_for_splunk request.ui_dispatch_view = search search = | tstats `cs_summariesonly_endpoint` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=cmd.exe Processes.process=*mklink* Processes.process=*HarddiskVolumeShadowCopy* by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process Processes.process_id Processes.parent_process_id \ -| `drop_dm_object_name(Processes)` | `cs_human_readable_time_format(firstTime)` | `cs_human_readable_time_format(lastTime)` \ +| `cs_drop_dm_object_name(Processes)` | `cs_human_readable_time_format(firstTime)` | `cs_human_readable_time_format(lastTime)` \ | eval cyences_severity = "critical" \ | `cs_credential_dumping_via_symlink_to_shadow_copy_filter` action.cyences_notable_event_action = 1 action.cyences_notable_event_action.param.filter_macro_name = cs_credential_dumping_via_symlink_to_shadow_copy_filter -action.cyences_notable_event_action.contributing_events = | datamodel Endpoint Processes search strict_fields=false | search Processes.process_name="cmd.exe" Processes.process=*mklink* Processes.process=*HarddiskVolumeShadowCopy* | `drop_dm_object_name(Processes)` +action.cyences_notable_event_action.contributing_events = | datamodel Endpoint Processes search strict_fields=false | search Processes.process_name="cmd.exe" Processes.process=*mklink* Processes.process=*HarddiskVolumeShadowCopy* | `cs_drop_dm_object_name(Processes)` action.cyences_notable_event_action.system_compromised_search = | stats sum(count) as count by dest -action.cyences_notable_event_action.system_compromised_drilldown = | datamodel Endpoint Processes search strict_fields=false | search Processes.process_name="cmd.exe" Processes.dest=$row.dest$ | `drop_dm_object_name(Processes)` +action.cyences_notable_event_action.system_compromised_drilldown = | datamodel Endpoint 
Processes search strict_fields=false | search Processes.process_name="cmd.exe" Processes.dest=$row.dest$ | `cs_drop_dm_object_name(Processes)` action.cyences_notable_event_action.attacker_search = | stats sum(count) as count by process, process_name, parent_process -action.cyences_notable_event_action.attacker_drilldown = | datamodel Endpoint Processes search strict_fields=false | search Processes.process="cmd.exe" Processes.process=$row.process$ | `drop_dm_object_name(Processes)` +action.cyences_notable_event_action.attacker_drilldown = | datamodel Endpoint Processes search strict_fields=false | search Processes.process="cmd.exe" Processes.process=$row.process$ | `cs_drop_dm_object_name(Processes)` action.cyences_send_email_action = 1 action.cyences_notable_event_action.products = Sysmon 
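Review bot: The `attacker_drilldown` in this hunk filters `Processes.process="cmd.exe" Processes.process=$row.process$`, i.e. the same field equated to two values, so it can only return rows when the full command line is literally `cmd.exe` — the `contributing_events` line just above correctly uses `Processes.process_name=cmd.exe` for the same purpose. It should read `| search Processes.process_name="cmd.exe" Processes.process=$row.process$ | `cs_drop_dm_object_name(Processes)``. An analyst pivoting from this credential-dumping notable currently gets an empty result set, which is the worst failure mode for a drilldown. The same `Processes.process="cmd.exe"` pattern is repeated in the next hunk (5131).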
@@ -5131,16 +5131,16 @@ display.page.search.mode = fast
 request.ui_dispatch_app = cyences_app_for_splunk
 request.ui_dispatch_view = search
 search = | tstats `cs_summariesonly_endpoint` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=cmd.exe (Processes.process=*\\system32\\config\\sam* OR Processes.process=*\\system32\\config\\security* OR Processes.process=*\\system32\\config\\system* OR Processes.process=*\\windows\\ntds\\ntds.dit*) by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process Processes.process_id Processes.parent_process_id \
-| `drop_dm_object_name(Processes)` | `cs_human_readable_time_format(firstTime)` | `cs_human_readable_time_format(lastTime)` \
+| `cs_drop_dm_object_name(Processes)` | `cs_human_readable_time_format(firstTime)` | `cs_human_readable_time_format(lastTime)` \
 | eval cyences_severity = "critical" \
 | `cs_credential_dumping_via_copy_command_from_shadow_copy_filter`
 action.cyences_notable_event_action = 1
 action.cyences_notable_event_action.param.filter_macro_name = cs_credential_dumping_via_copy_command_from_shadow_copy_filter
-action.cyences_notable_event_action.contributing_events = | datamodel Endpoint Processes search strict_fields=false | search Processes.process_name=cmd.exe (Processes.process=*\\system32\\config\\sam* OR Processes.process=*\\system32\\config\\security* OR Processes.process=*\\system32\\config\\system* OR Processes.process=*\\windows\\ntds\\ntds.dit*) | `drop_dm_object_name(Processes)`
+action.cyences_notable_event_action.contributing_events = | datamodel Endpoint Processes search strict_fields=false | search Processes.process_name=cmd.exe (Processes.process=*\\system32\\config\\sam* OR Processes.process=*\\system32\\config\\security* OR Processes.process=*\\system32\\config\\system* OR Processes.process=*\\windows\\ntds\\ntds.dit*) | `cs_drop_dm_object_name(Processes)`
 action.cyences_notable_event_action.system_compromised_search = | stats sum(count) as count by dest
-action.cyences_notable_event_action.system_compromised_drilldown = | datamodel Endpoint Processes search strict_fields=false | search Processes.process_name="cmd.exe" dest=$row.dest$ | `drop_dm_object_name(Processes)`
+action.cyences_notable_event_action.system_compromised_drilldown = | datamodel Endpoint Processes search strict_fields=false | search Processes.process_name="cmd.exe" dest=$row.dest$ | `cs_drop_dm_object_name(Processes)`
 action.cyences_notable_event_action.attacker_search = | stats sum(count) as count by process, process_name, parent_process
-action.cyences_notable_event_action.attacker_drilldown = | datamodel Endpoint Processes search strict_fields=false | search Processes.process="cmd.exe" Processes.process=$row.process$ | `drop_dm_object_name(Processes)`
+action.cyences_notable_event_action.attacker_drilldown = | datamodel Endpoint Processes search strict_fields=false | search Processes.process="cmd.exe" Processes.process=$row.process$ | `cs_drop_dm_object_name(Processes)`
 action.cyences_send_email_action = 1
 action.cyences_notable_event_action.products = Sysmon
 
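Review bot: The `+` system_compromised_drilldown line filters on bare `dest=$row.dest$`, while the same line in the @@ -5096 and @@ -5166 hunks uses `Processes.dest=$row.dest$`. Inside `| datamodel Endpoint Processes search` the field still carries the `Processes.` prefix until `cs_drop_dm_object_name` runs later in the pipeline, so the unprefixed term most likely matches nothing and the drilldown comes back empty for every notable. Suggest `Processes.dest=$row.dest$` so the three stanzas behave the same.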
@@ -5166,16 +5166,16 @@ display.page.search.mode = fast
 request.ui_dispatch_app = cyences_app_for_splunk
 request.ui_dispatch_view = search
 search = | tstats `cs_summariesonly_endpoint` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=reg.exe OR Processes.process_name=cmd.exe) Processes.process=*save* (Processes.process=*HKEY_LOCAL_MACHINE\\Security* OR Processes.process=*HKEY_LOCAL_MACHINE\\SAM* OR Processes.process=*HKEY_LOCAL_MACHINE\\System* OR Processes.process=*HKLM\\Security* OR Processes.process=*HKLM\\System* OR Processes.process=*HKLM\\SAM*) by Processes.user Processes.process_name Processes.process Processes.dest \
-| `drop_dm_object_name(Processes)` | `cs_human_readable_time_format(firstTime)` | `cs_human_readable_time_format(lastTime)` \
+| `cs_drop_dm_object_name(Processes)` | `cs_human_readable_time_format(firstTime)` | `cs_human_readable_time_format(lastTime)` \
 | eval cyences_severity = "critical" \
 | `cs_attempted_credential_dump_from_registry_via_reg_exe_filter`
 action.cyences_notable_event_action = 1
 action.cyences_notable_event_action.param.filter_macro_name = cs_attempted_credential_dump_from_registry_via_reg_exe_filter
-action.cyences_notable_event_action.contributing_events = | datamodel Endpoint Processes search strict_fields=false | search (Processes.process_name=reg.exe OR Processes.process_name=cmd.exe) Processes.process=*save* (Processes.process=*HKEY_LOCAL_MACHINE\\Security* OR Processes.process=*HKEY_LOCAL_MACHINE\\SAM* OR Processes.process=*HKEY_LOCAL_MACHINE\\System* OR Processes.process=*HKLM\\Security* OR Processes.process=*HKLM\\System* OR Processes.process=*HKLM\\SAM*) | `drop_dm_object_name(Processes)`
+action.cyences_notable_event_action.contributing_events = | datamodel Endpoint Processes search strict_fields=false | search (Processes.process_name=reg.exe OR Processes.process_name=cmd.exe) Processes.process=*save* (Processes.process=*HKEY_LOCAL_MACHINE\\Security* OR Processes.process=*HKEY_LOCAL_MACHINE\\SAM* OR Processes.process=*HKEY_LOCAL_MACHINE\\System* OR Processes.process=*HKLM\\Security* OR Processes.process=*HKLM\\System* OR Processes.process=*HKLM\\SAM*) | `cs_drop_dm_object_name(Processes)`
 action.cyences_notable_event_action.system_compromised_search = | stats sum(count) as count by dest
-action.cyences_notable_event_action.system_compromised_drilldown = | datamodel Endpoint Processes search strict_fields=false | search Processes.process IN ("cmd.exe", "reg.exe") Processes.dest=$row.dest$ | `drop_dm_object_name(Processes)`
+action.cyences_notable_event_action.system_compromised_drilldown = | datamodel Endpoint Processes search strict_fields=false | search Processes.process IN ("cmd.exe", "reg.exe") Processes.dest=$row.dest$ | `cs_drop_dm_object_name(Processes)`
 action.cyences_notable_event_action.attacker_search = | stats sum(count) as count by process, process_name, parent_process
-action.cyences_notable_event_action.attacker_drilldown = | datamodel Endpoint Processes search strict_fields=false | search Processes.process IN ("cmd.exe", "reg.exe") Processes.process=$row.process$ | `drop_dm_object_name(Processes)`
+action.cyences_notable_event_action.attacker_drilldown = | datamodel Endpoint Processes search strict_fields=false | search Processes.process IN ("cmd.exe", "reg.exe") Processes.process=$row.process$ | `cs_drop_dm_object_name(Processes)`
 action.cyences_send_email_action = 1
 action.cyences_notable_event_action.products = Sysmon
 
@@ -5205,7 +5205,7 @@ display.page.search.mode = fast
 request.ui_dispatch_app = cyences_app_for_splunk
 request.ui_dispatch_view = search
 search = | tstats `cs_summariesonly_authentication` count, min(_time) as firstTime, max(_time) as lastTime, values(Authentication.signature) as signature from datamodel=Cyences_Authentication where `cs_authentication_indexes` (`cs_o365_login_filter_source` OR `cs_aws_login_filter_source`) Authentication.app!=OktaIM2:log Authentication.user!="*$" Authentication.user!="Not Available" Authentication.action="failure" `cs_authentication_password_expire_event_filter` `cs_authentication_app_filter` `cs_bruteforce_from_user_additional_filter` by Authentication.app, Authentication.user, Authentication.src, Authentication.dest \
-| `drop_dm_object_name(Authentication)` \
+| `cs_drop_dm_object_name(Authentication)` \
 | appendpipe \
 [| stats sum(count) as count by app, user, dest \
 | eval new_dest = dest." (".count.")" \
@@ -5253,7 +5253,7 @@ display.page.search.mode = fast
 request.ui_dispatch_app = cyences_app_for_splunk
 request.ui_dispatch_view = search
 search = | tstats `cs_summariesonly_authentication` count, min(_time) as firstTime, max(_time) as lastTime, values(Authentication.signature) as signature from datamodel=Cyences_Authentication where `cs_authentication_indexes` `cs_o365_login_filter_source` Authentication.app!=OktaIM2:log Authentication.user!="*$" Authentication.action="failure" `cs_authentication_password_expire_event_filter` `cs_authentication_app_filter` `cs_bruteforce_from_source_additional_filter` by Authentication.app, Authentication.src, Authentication.user, Authentication.dest \
-| `drop_dm_object_name(Authentication)` \
+| `cs_drop_dm_object_name(Authentication)` \
 | `cs_user_privilege_mapping(user)` \
 | appendpipe \
 [| stats sum(count) as count by app, src, dest \
@@ -5303,7 +5303,7 @@ display.page.search.mode = fast
 request.ui_dispatch_app = cyences_app_for_splunk
 request.ui_dispatch_view = search
 search = | tstats `cs_summariesonly_authentication` count, min(_time) as firstTime, max(_time) as lastTime from datamodel=Cyences_Authentication where Authentication.dest_category="vpn_auth" AND `cs_vpn_indexes` AND Authentication.action="failure" `cs_authentication_password_expire_event_filter` by index, Authentication.app, Authentication.user, Authentication.src, Authentication.dest \
-| `drop_dm_object_name(Authentication)` \
+| `cs_drop_dm_object_name(Authentication)` \
 | appendpipe \
 [| stats sum(count) as count by index, app, user, dest \
 | eval new_dest = dest." (".count.")" \
@@ -5353,7 +5353,7 @@ display.page.search.mode = fast
 request.ui_dispatch_app = cyences_app_for_splunk
 request.ui_dispatch_view = search
 search = | tstats `cs_summariesonly_authentication` count, min(_time) as firstTime, max(_time) as lastTime from datamodel=Cyences_Authentication where Authentication.dest_category="vpn_auth" AND `cs_vpn_indexes` AND Authentication.action="failure" `cs_authentication_password_expire_event_filter` by index, Authentication.app, Authentication.src, Authentication.user, Authentication.dest \
-| `drop_dm_object_name(Authentication)` \
+| `cs_drop_dm_object_name(Authentication)` \
 | `cs_user_privilege_mapping(user)` \
 | appendpipe \
 [| stats sum(count) as count by index, app, src, dest \
@@ -5442,7 +5442,7 @@ display.visualizations.show = 0
 request.ui_dispatch_app = cyences_app_for_splunk
 request.ui_dispatch_view = search
 search = | tstats count, values(Authentication.org_country) as org_country from datamodel=Cyences_Authentication where Authentication.action="success" AND Authentication.user!="unknown" AND `cs_public_ips(Authentication.src)` by Authentication.app, Authentication.user, Authentication.src, _time span=1w \
-| `drop_dm_object_name(Authentication)` \
+| `cs_drop_dm_object_name(Authentication)` \
 | iplocation src \
 | eval user=lower(user) \
 | eval Country = if(isnotnull(org_country), org_country, Country) \
@@ -5478,7 +5478,7 @@ display.page.search.mode = fast
 request.ui_dispatch_app = cyences_app_for_splunk
 request.ui_dispatch_view = search
 search = | tstats `cs_summariesonly_authentication` count from datamodel=Cyences_Authentication where Authentication.dest_category="vpn_auth" AND Authentication.action="success" AND `cs_public_ips(Authentication.src)` by Authentication.app, Authentication.user, Authentication.src, Authentication.dest, _time \
-| `drop_dm_object_name(Authentication)` \
+| `cs_drop_dm_object_name(Authentication)` \
 | eval user = lower(user) \
 | iplocation src \
 | `cs_current_week_login_count_vpn` \
@@ -5520,7 +5520,7 @@ display.page.search.mode = fast
 request.ui_dispatch_app = cyences_app_for_splunk
 request.ui_dispatch_view = search
 search = | tstats `cs_summariesonly_authentication` count from datamodel=Cyences_Authentication where Authentication.dest_category="vpn_auth" AND Authentication.action="failure" AND `cs_public_ips(Authentication.src)` `cs_authentication_password_expire_event_filter` by Authentication.app, Authentication.user, Authentication.src, Authentication.dest, _time \
-| `drop_dm_object_name(Authentication)` \
+| `cs_drop_dm_object_name(Authentication)` \
 | eval user = lower(user) \
 | iplocation src \
 | `cs_current_week_login_count_vpn` \
@@ -5609,7 +5609,7 @@ display.page.search.mode = fast
 request.ui_dispatch_app = cyences_app_for_splunk
 request.ui_dispatch_view = search
 search = | tstats `cs_summariesonly_authentication` count, min(_time) as firstTime, max(_time) as lastTime, values(Authentication.signature) as signature from datamodel=Cyences_Authentication where Authentication.dest_category="radius_auth" AND `cs_radius_authentication_indexes` AND Authentication.action="failure" `cs_authentication_password_expire_event_filter` by index, Authentication.app, Authentication.user, Authentication.src, Authentication.dest \
-| `drop_dm_object_name(Authentication)` \
+| `cs_drop_dm_object_name(Authentication)` \
 | appendpipe \
 [| stats sum(count) as count by index, app, user, dest \
 | eval new_dest = dest." (".count.")" \
@@ -5908,7 +5908,7 @@ display.page.search.mode = fast
 request.ui_dispatch_app = cyences_app_for_splunk
 request.ui_dispatch_view = search
 search = | tstats `cs_summariesonly_cyences_assets` count, latest(Assets.asset_hostname) as asset_hostname, latest(Assets.asset_ip) as asset_ip, latest(Assets.asset_mac_address) as asset_mac_address, latest(host) as host, latest(Assets.last_scan_time) as last_scan_time, latest(Assets.os) as os, latest(Assets.state) as state, latest(_time) as time FROM datamodel=Cyences_Assets by Assets.asset_id, Assets.vendor_product \
-| `drop_dm_object_name(Assets)` \
+| `cs_drop_dm_object_name(Assets)` \
 | inputlookup cs_all_assets append=t \
 | dedup asset_id, vendor_product \
 | eval asset_hostname=mvjoin(mvdedup(split(lower(asset_hostname), "~~")), "~~"), asset_ip=mvjoin(mvdedup(split(lower(asset_ip), "~~")), "~~"), asset_mac_address=mvjoin(mvdedup(split(lower(asset_mac_address), "~~")), "~~") \
@@ -5951,7 +5951,7 @@ request.ui_dispatch_app = cyences_app_for_splunk
 request.ui_dispatch_view = search
 search = | tstats `cs_summariesonly_cyences_vulnerabilities` count, latest(Vulnerabilities.category) as category, latest(Vulnerabilities.cpe) as cpe, latest(Vulnerabilities.cve) as cve, latest(Vulnerabilities.cvss) as cvss, latest(Vulnerabilities.description) as description, latest(Vulnerabilities.dest_ip) as dest_ip, latest(Vulnerabilities.dest_name) as dest_name, latest(Vulnerabilities.dvc) as dvc, latest(Vulnerabilities.first_found) as first_found, latest(Vulnerabilities.has_patch) as has_patch, latest(host) as host, latest(Vulnerabilities.in_the_news) as in_the_news, latest(Vulnerabilities.last_found) as last_found, latest(Vulnerabilities.last_scan_time) as last_scan_time, latest(Vulnerabilities.os) as os, latest(Vulnerabilities.port) as port, latest(Vulnerabilities.protocol) as protocol, latest(Vulnerabilities.published_time) as published_time, latest(Vulnerabilities.severity) as severity, latest(Vulnerabilities.signature) as signature, latest(Vulnerabilities.signature_id) as signature_id, latest(Vulnerabilities.solution) as solution, latest(Vulnerabilities.status) as status, latest(_time) as time, latest(Vulnerabilities.indextime) as indextime, latest(Vulnerabilities.tracking_method) as tracking_method, latest(Vulnerabilities.type) as type, latest(Vulnerabilities.user) as user FROM datamodel=Cyences_Vulnerabilities where NOT ((Vulnerabilities.vendor_product="Tenable.io" OR Vulnerabilities.vendor_product="Tenable.sc") AND Vulnerabilities.vul_id>=1000000) by Vulnerabilities.dest_id, Vulnerabilities.vul_id, Vulnerabilities.vendor_product \
 ``` NOTE - vul_id over 1 million is for custom compliance reason, not actual vulnerabilities for Tenable products ``` \
-| `drop_dm_object_name(Vulnerabilities)` \
+| `cs_drop_dm_object_name(Vulnerabilities)` \
 | inputlookup cs_all_vuln append=t \
 | dedup dest_id, vul_id, vendor_product \
 | table category, cpe, cve, cvss, description, dest_id, dest_ip, dest_name, dvc, first_found, has_patch, host, in_the_news, last_found, last_scan_time, os, port, protocol, published_time, severity, signature, signature_id, solution, status, time, indextime, tracking_method, type, user, vendor_product, vul_id \
From 00dcf681784bcdbbf1d8b0874ffd824d5ec95a54 Mon Sep 17 00:00:00 2001
From: Hardik Dholariya
Date: Tue, 27 Aug 2024 22:33:20 +0530
Subject: [PATCH 2/2] updated macro definition

---
 cyences_app_for_splunk/default/macros.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cyences_app_for_splunk/default/macros.conf b/cyences_app_for_splunk/default/macros.conf
index f07da892..3dfbf433 100644
--- a/cyences_app_for_splunk/default/macros.conf
+++ b/cyences_app_for_splunk/default/macros.conf
@@ -340,7 +340,7 @@ definition = ((`cs_tenable_assets`) OR (`cs_nessus_assets`) OR (`cs_qualys_hosts
 iseval = 0
 
 [cs_cim_authentication_indexes]
-definition = `cs_authentication_indexes`
+definition = index=*
 iseval = 0
 
 [cs_drop_dm_object_name(1)]
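Review bot: `+definition = index=*` turns `cs_cim_authentication_indexes` from an alias of the app-scoped `cs_authentication_indexes` into a match-everything constraint, and neither the stanza nor the commit message ("updated macro definition") says why. If this macro is the data-model constraint its name suggests, every index the search peers hold is scanned and summarised, which is a cost and, on deployments where indexes separate tenants or sensitivity levels, a data-exposure consideration rather than a purely functional one. Please put the intent in the stanza so the next reader does not "fix" it back, e.g. `# Intentionally unrestricted so the data model no longer depends on cs_authentication_indexes; narrow to the indexes carrying authentication events in local/macros.conf`, or ship a narrower default. Changing a constraint presumably also means the accelerated data model has to be rebuilt, which is worth a line in the release notes.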