From 6c131b92b4f370aa46baf54222c6b75ffd861fae Mon Sep 17 00:00:00 2001
From: mahirchavda
Date: Thu, 30 May 2024 19:57:53 +0530
Subject: [PATCH] fix basic scanning forensic query

---
 cyences_app_for_splunk/default/savedsearches.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/cyences_app_for_splunk/default/savedsearches.conf b/cyences_app_for_splunk/default/savedsearches.conf
index 389ed17c..e8b76e27 100644
--- a/cyences_app_for_splunk/default/savedsearches.conf
+++ b/cyences_app_for_splunk/default/savedsearches.conf
@@ -3187,9 +3187,9 @@ search = | tstats `cs_summariesonly_network_traffic` count values(All_Traffic.de
 action.cyences_notable_event_action = 1
 action.cyences_notable_event_action.param.filter_macro_name = cs_scanning_basic_scanning_filter
 action.cyences_notable_event_action.contributing_events = | datamodel Network_Traffic All_Traffic search strict_fields=false | `drop_dm_object_name(All_Traffic)`
-action.cyences_notable_event_action.system_compromised_search = | stats count by index, sourcetype
+action.cyences_notable_event_action.system_compromised_search = | stats count by sourcetype
 action.cyences_notable_event_action.system_compromised_drilldown = index=$row.index$ sourcetype=$row.sourcetype$
-action.cyences_notable_event_action.attacker_search = | stats count by index, src_ip
+action.cyences_notable_event_action.attacker_search = | stats count by src_ip
 action.cyences_notable_event_action.attacker_drilldown = index=$row.index$ src_ip=$row.src_ip$
 action.cyences_send_email_action = 1
 action.cyences_notable_event_action.products = Cisco IOS, FortiGate, Palo Alto, Sophos Firewall
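Review bot: Both drilldown lines still reference `$row.index$`, but after this change neither `system_compromised_search` nor `attacker_search` emits an `index` field, so the token can no longer be resolved from the forensic result row and the drilldown will either carry a literal `index=$row.index$` or an empty `index=` clause that returns nothing. The two unchanged context lines should be updated in the same commit to `action.cyences_notable_event_action.system_compromised_drilldown = sourcetype=$row.sourcetype$` and `action.cyences_notable_event_action.attacker_drilldown = src_ip=$row.src_ip$`. Presumably `index` was dropped because it is not reliably present in the contributing-events output; if it is in fact available, keeping it in the `stats ... by` clause instead would preserve the index-scoped drilldown. Note that without the index constraint the drilldown searches span every index the analyst can read, which is acceptable for a forensic pivot but worth stating in the stanza so the wider scope is intentional rather than accidental.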