Merge pull request #568 from CrossRealms/fix-basic-scan-forensic-query

fix basic scanning forensic query
CrossRealms · May 31, 2024 · 4cc090c · 4cc090c
2 parents 0d75988 + 6c131b9
commit 4cc090c
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/cyences_app_for_splunk/default/savedsearches.conf b/cyences_app_for_splunk/default/savedsearches.conf
@@ -3190,9 +3190,9 @@ search = | tstats `cs_summariesonly_network_traffic` count values(All_Traffic.de
 action.cyences_notable_event_action = 1
 action.cyences_notable_event_action.param.filter_macro_name = cs_scanning_basic_scanning_filter
 action.cyences_notable_event_action.contributing_events = | datamodel Network_Traffic All_Traffic search strict_fields=false | `drop_dm_object_name(All_Traffic)`
-action.cyences_notable_event_action.system_compromised_search = | stats count by index, sourcetype
+action.cyences_notable_event_action.system_compromised_search = | stats count by sourcetype
 action.cyences_notable_event_action.system_compromised_drilldown = index=$row.index$ sourcetype=$row.sourcetype$
-action.cyences_notable_event_action.attacker_search = | stats count by index, src_ip
+action.cyences_notable_event_action.attacker_search = | stats count by src_ip
 action.cyences_notable_event_action.attacker_drilldown = index=$row.index$ src_ip=$row.src_ip$
 action.cyences_send_email_action = 1
 action.cyences_notable_event_action.products = Cisco IOS, FortiGate, Palo Alto, Sophos Firewall