Merge pull request #627 from CrossRealms/unusual-outbound-traffic-ale…

…rt-change updated outbound traffic alert
CrossRealms · Sep 9, 2024 · 51e40e4 · 51e40e4
2 parents 870cbeb + fc945c4
commit 51e40e4
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 14 deletions.
diff --git a/cyences_app_for_splunk/default/macros.conf b/cyences_app_for_splunk/default/macros.conf
@@ -383,11 +383,11 @@ definition = 10
 
 # Network
 [cs_network_ddos_min_m_packets]
-# no. of buckets in millions
+# no. of packets in millions
 definition = 0.5
 
 [cs_network_outbound_min_m_packets]
-# no. of buckets in millions
+# no. of packets in millions
 definition = 0.5
 
 # O365

diff --git a/cyences_app_for_splunk/default/savedsearches.conf b/cyences_app_for_splunk/default/savedsearches.conf
@@ -2931,11 +2931,11 @@ display.page.search.mode = fast
 display.visualizations.show = 0
 request.ui_dispatch_app = cyences_app_for_splunk
 request.ui_dispatch_view = search
-search = | tstats `cs_summariesonly_network_traffic` sum(All_Traffic.bytes) as total_bytes, sum(All_Traffic.packets) as total_packets from datamodel=Network_Traffic where `cs_private_ips(All_Traffic.src_ip)` AND `cs_public_ips(All_Traffic.dest_ip)` by _time span=1h, sourcetype \
+search = | tstats `cs_summariesonly_network_traffic` sum(All_Traffic.bytes) as total_bytes, sum(All_Traffic.packets) as total_packets from datamodel=Network_Traffic where `cs_private_ips(All_Traffic.src_ip)` AND `cs_public_ips(All_Traffic.dest_ip)` by _time span=1h, All_Traffic.src_ip \
 | `cs_drop_dm_object_name(All_Traffic)` \
 | eval total_MB = round(total_bytes/(1024*1024),1) | fields - total_bytes \
 | eval total_m_packets = round(total_packets/1000000,1) | fields - total_packets \
-| stats avg(total_m_packets) as avg_total_m_packets, stdev(total_m_packets) as stdev_total_m_packets, avg(total_MB) as avg_total_MB, stdev(total_MB) as stdev_total_MB by sourcetype \
+| stats avg(total_m_packets) as avg_total_m_packets, stdev(total_m_packets) as stdev_total_m_packets, avg(total_MB) as avg_total_MB, stdev(total_MB) as stdev_total_MB by src_ip \
 | eval upperBound_total_m_packets=(avg_total_m_packets+stdev_total_m_packets*5), upperBound_total_MB=(avg_total_MB+stdev_total_MB*5) \
 | foreach avg*, std*, upperBound* [| eval <<FIELD>>=round(<<FIELD>>, 2)] \
 | outputlookup cs_outbound_network_traffic_upperbound.csv
@@ -3022,38 +3022,38 @@ display.page.search.tab = statistics
 display.page.search.mode = fast
 request.ui_dispatch_app = cyences_app_for_splunk
 request.ui_dispatch_view = search
-search = | tstats `cs_summariesonly_network_traffic` sum(All_Traffic.bytes) as total_bytes, sum(All_Traffic.packets) as total_packets from datamodel=Network_Traffic where `cs_private_ips(All_Traffic.src_ip)` AND `cs_public_ips(All_Traffic.dest_ip)` by sourcetype, All_Traffic.src_ip, All_Traffic.action \
+search = | tstats `cs_summariesonly_network_traffic` sum(All_Traffic.bytes) as total_bytes, sum(All_Traffic.packets) as total_packets from datamodel=Network_Traffic where `cs_private_ips(All_Traffic.src_ip)` AND `cs_public_ips(All_Traffic.dest_ip)` by All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.action \
 | `cs_drop_dm_object_name(All_Traffic)` \
 | eval total_MB = round(total_bytes/(1024*1024),2) | fields - total_bytes \
 | eval total_m_packets = round(total_packets/1000000,2) | fields - total_packets \
 | eval original_event=1 \
 | appendpipe \
-    [| stats sum(total_m_packets) as total_m_packets_ by sourcetype, src_ip \
+    [| stats sum(total_m_packets) as total_m_packets_ by src_ip, dest_ip \
     | sort - total_m_packets_ \
-    | eval src_ip_mix=src_ip." (".total_m_packets_." M packets)" \
+    | eval dest_ip_mix=dest_ip." (".total_m_packets_." M packets)" \
     | fields - total_m_packets_] \
 | appendpipe \
     [| where original_event==1 \
-    | stats sum(total_m_packets) as total_m_packets_ by sourcetype, action \
+    | stats sum(total_m_packets) as total_m_packets_ by src_ip, action \
     | sort - total_m_packets_ \
     | eval action_mix=action." (".total_m_packets_." M packets)" \
     | fields - total_m_packets_] \
-| stats sum(total_m_packets) as total_m_packets, sum(total_MB) as total_MB, list(src_ip_mix) as src_ip_mix, list(action_mix) as actions by sourcetype \
-| eval top5_src_ip=mvindex(src_ip_mix,0,4) | fields - src_ip_mix \
+| stats sum(total_m_packets) as total_m_packets, sum(total_MB) as total_MB, list(dest_ip_mix) as dest_ip_mix, list(action_mix) as actions by src_ip \
+| eval top5_dest_ip=mvindex(dest_ip_mix,0,4) | fields - dest_ip_mix \
 | where total_m_packets>`cs_network_outbound_min_m_packets` \
-| lookup cs_outbound_network_traffic_upperbound.csv sourcetype \
+| lookup cs_outbound_network_traffic_upperbound.csv src_ip \
 | where total_m_packets>upperBound_total_m_packets OR total_MB > upperBound_total_MB \
 | eval cyences_severity = case(total_m_packets>upperBound_total_m_packets*3 OR total_MB>upperBound_total_MB*3, "critical", total_m_packets>upperBound_total_m_packets*2 OR total_MB>upperBound_total_MB*2, "high", true(), "medium") \
-| table sourcetype, cyences_severity, total_m_packets, avg_total_m_packets, upperBound_total_m_packets, actions, top5_src_ip, total_MB, avg_total_MB, upperBound_total_MB \
+| table src_ip, cyences_severity, total_m_packets, avg_total_m_packets, upperBound_total_m_packets, actions, top5_dest_ip, total_MB, avg_total_MB, upperBound_total_MB \
 | fieldformat avg_total_m_packets=avg_total_m_packets." M" \
 | fieldformat upperBound_total_m_packets=upperBound_total_m_packets." M" \
 | fieldformat total_m_packets=total_m_packets." M" \
 | `cs_network_unusual_outbound_traffic_filter`
 action.cyences_notable_event_action = 1
 action.cyences_notable_event_action.param.filter_macro_name = cs_network_unusual_outbound_traffic_filter
 action.cyences_notable_event_action.contributing_events = | datamodel Network_Traffic All_Traffic search strict_fields=false | `cs_drop_dm_object_name(All_Traffic)` | search `cs_private_ips(src_ip)` AND `cs_public_ips(dest_ip)`
-action.cyences_notable_event_action.system_compromised_search = | stats values(total_m_packets) as total_m_packets, values(total_MB) as total_MB by sourcetype
-action.cyences_notable_event_action.system_compromised_drilldown = | datamodel Network_Traffic All_Traffic search strict_fields=false | search sourcetype=$row.sourcetype$ | `cs_drop_dm_object_name(All_Traffic)` | search `cs_private_ips(src_ip)` AND `cs_public_ips(dest_ip)`
+action.cyences_notable_event_action.system_compromised_search = | stats values(total_m_packets) as total_m_packets, values(total_MB) as total_MB by src_ip
+action.cyences_notable_event_action.system_compromised_drilldown = | datamodel Network_Traffic All_Traffic search strict_fields=false | search src_ip=$row.src_ip$ | `cs_drop_dm_object_name(All_Traffic)` | search `cs_private_ips(src_ip)` AND `cs_public_ips(dest_ip)`
 action.cyences_send_email_action = 1
 action.cyences_notable_event_action.products = Cisco IOS, FortiGate, Palo Alto, Sophos Firewall