Merge pull request #580 from CrossRealms/change-in-upper-bound-calcul…
…ation-for-the-network-alerts

Updated upper-bound calculation for network traffic
hardikhdholariya authored Jun 13, 2024
2 parents 05892aa + 222eecf commit 5eb6c09
Showing 1 changed file with 3 additions and 3 deletions.
6 changes: 3 additions & 3 deletions cyences_app_for_splunk/default/savedsearches.conf
Expand Up @@ -3007,7 +3007,7 @@ search = | tstats `cs_summariesonly_network_traffic` sum(All_Traffic.bytes) as t
| eval total_MB = round(total_bytes/(1024*1024),1) | fields - total_bytes \
| eval total_m_packets = round(total_packets/1000000,1) | fields - total_packets \
| stats avg(total_m_packets) as avg_total_m_packets, stdev(total_m_packets) as stdev_total_m_packets, avg(dc_src_ip) as avg_dc_src_ip, stdev(dc_src_ip) as stdev_dc_src_ip, avg(total_MB) as avg_total_MB, stdev(total_MB) as stdev_total_MB by sourcetype \
| eval upperBound_total_m_packets=(avg_total_m_packets+stdev_total_m_packets*3), upperBound_dc_src_ip=(avg_dc_src_ip+stdev_dc_src_ip*3), upperBound_total_MB=(avg_total_MB+stdev_total_MB*3) \
| eval upperBound_total_m_packets=(avg_total_m_packets+stdev_total_m_packets*5), upperBound_dc_src_ip=(avg_dc_src_ip+stdev_dc_src_ip*3), upperBound_total_MB=(avg_total_MB+stdev_total_MB*5) \
| foreach avg*, std*, upperBound* [| eval <<FIELD>>=round(<<FIELD>>, 2)] \
| outputlookup cs_network_traffic_upperbound.csv
action.cyences_notable_event_action.products = Cisco IOS, FortiGate, Palo Alto, Sophos Firewall
Expand Down Expand Up @@ -3036,7 +3036,7 @@ search = | tstats `cs_summariesonly_network_traffic` sum(All_Traffic.bytes) as t
| eval total_MB = round(total_bytes/(1024*1024),1) | fields - total_bytes \
| eval total_m_packets = round(total_packets/1000000,1) | fields - total_packets \
| stats avg(total_m_packets) as avg_total_m_packets, stdev(total_m_packets) as stdev_total_m_packets, avg(total_MB) as avg_total_MB, stdev(total_MB) as stdev_total_MB by sourcetype \
| eval upperBound_total_m_packets=(avg_total_m_packets+stdev_total_m_packets*3), upperBound_total_MB=(avg_total_MB+stdev_total_MB*3) \
| eval upperBound_total_m_packets=(avg_total_m_packets+stdev_total_m_packets*5), upperBound_total_MB=(avg_total_MB+stdev_total_MB*5) \
| foreach avg*, std*, upperBound* [| eval <<FIELD>>=round(<<FIELD>>, 2)] \
| outputlookup cs_outbound_network_traffic_upperbound.csv
action.cyences_notable_event_action.products = Cisco IOS, FortiGate, Palo Alto, Sophos Firewall
Expand Down Expand Up @@ -3087,7 +3087,7 @@ search = | tstats `cs_summariesonly_network_traffic` sum(All_Traffic.bytes) as t
| lookup cs_network_traffic_upperbound.csv sourcetype \
| where total_m_packets>upperBound_total_m_packets OR dc_src_ip > uppperBound_dc_src_ip \
| eval cyences_severity = case(total_m_packets>upperBound_total_m_packets*3 OR dc_src_ip>uppperBound_dc_src_ip*3, "critical", total_m_packets>upperBound_total_m_packets*2 OR dc_src_ip>uppperBound_dc_src_ip*2, "high", true(), "medium") \
| table sourcetype, cyences_severity, total_m_packets, avg_total_m_packets, upperBound_total_m_packets, actions, dc_src_ip, avg_dc_src_ip, upperBound_dc_src_ip, top5_src_ip, total_MB, avg_total_MB \
| table sourcetype, cyences_severity, total_m_packets, avg_total_m_packets, upperBound_total_m_packets, actions, dc_src_ip, avg_dc_src_ip, upperBound_dc_src_ip, top5_src_ip, total_MB, avg_total_MB, upperBound_total_MB \
| fieldformat avg_total_m_packets=avg_total_m_packets." M" \
| fieldformat upperBound_total_m_packets=upperBound_total_m_packets." M" \
| fieldformat total_m_packets=total_m_packets." M" \
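Review bot: The `where` and `cyences_severity` lines in the third hunk reference `uppperBound_dc_src_ip` (three p's), while the lookup produced in the first hunk and the new `table` line both use `upperBound_dc_src_ip`, so the distinct-source-IP condition compares against a field the lookup never supplies; in SPL a comparison involving a missing field is false, which means this alert only ever fires on packet volume and the `critical`/`high` escalation on `dc_src_ip` cannot trigger. Rename the field in both lines: `| where total_m_packets>upperBound_total_m_packets OR dc_src_ip > upperBound_dc_src_ip \` and the three occurrences inside the `case(...)` on the following line. Separately, the new `table` line exposes `upperBound_total_MB`, but neither the `where` nor the severity `case` compares `total_MB` against it, so the byte-volume baseline now computed at 5σ in the first hunk is displayed but not alerted on — if that is intentional, a comment such as `# total_MB upper bound is informational only; alerting keys on packets and distinct source IPs` would make it explicit. Raising the packet and byte thresholds from 3σ to 5σ while leaving `dc_src_ip` at 3σ also widens the trigger window for those two metrics, which is worth stating in the saved search's description so tuning is traceable. The enclosing `search =` stanza begins in the hunk header and continues past the last `fieldformat` line shown.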
