diff --git a/cyences_app_for_splunk/default/savedsearches.conf b/cyences_app_for_splunk/default/savedsearches.conf
index 22accc41..372ce439 100644
--- a/cyences_app_for_splunk/default/savedsearches.conf
+++ b/cyences_app_for_splunk/default/savedsearches.conf
@@ -3007,7 +3007,7 @@ search = | tstats `cs_summariesonly_network_traffic` sum(All_Traffic.bytes) as t
 | eval total_MB = round(total_bytes/(1024*1024),1) | fields - total_bytes \
 | eval total_m_packets = round(total_packets/1000000,1) | fields - total_packets \
 | stats avg(total_m_packets) as avg_total_m_packets, stdev(total_m_packets) as stdev_total_m_packets, avg(dc_src_ip) as avg_dc_src_ip, stdev(dc_src_ip) as stdev_dc_src_ip, avg(total_MB) as avg_total_MB, stdev(total_MB) as stdev_total_MB by sourcetype \
-| eval upperBound_total_m_packets=(avg_total_m_packets+stdev_total_m_packets*3), upperBound_dc_src_ip=(avg_dc_src_ip+stdev_dc_src_ip*3), upperBound_total_MB=(avg_total_MB+stdev_total_MB*3) \
+| eval upperBound_total_m_packets=(avg_total_m_packets+stdev_total_m_packets*5), upperBound_dc_src_ip=(avg_dc_src_ip+stdev_dc_src_ip*3), upperBound_total_MB=(avg_total_MB+stdev_total_MB*5) \
 | foreach avg*, std*, upperBound* [| eval <>=round(<>, 2)] \
 | outputlookup cs_network_traffic_upperbound.csv
 action.cyences_notable_event_action.products = Cisco IOS, FortiGate, Palo Alto, Sophos Firewall
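Review bot: The new `eval` raises the packet and byte bounds to 5σ while `upperBound_dc_src_ip` stays at 3σ, and nothing in the stanza records why the three thresholds now differ, so whoever retunes this baseline later cannot tell whether the asymmetry is deliberate. If it is intentional (source-IP fan-out presumably being treated as a stronger signal than raw volume), record that in the stanza's `description` key or the changelog, since a `#` line cannot be placed inside the backslash-continued `search =` value. Consider also lifting the factor into a macro next to `cs_summariesonly_network_traffic` so this search and the outbound baseline in the following hunk cannot drift apart. Widening to 5σ lowers the sensitivity of every detection that consumes `cs_network_traffic_upperbound.csv`; that is a legitimate noise-versus-coverage trade-off, but it belongs in the commit description.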
@@ -3036,7 +3036,7 @@ search = | tstats `cs_summariesonly_network_traffic` sum(All_Traffic.bytes) as t
 | eval total_MB = round(total_bytes/(1024*1024),1) | fields - total_bytes \
 | eval total_m_packets = round(total_packets/1000000,1) | fields - total_packets \
 | stats avg(total_m_packets) as avg_total_m_packets, stdev(total_m_packets) as stdev_total_m_packets, avg(total_MB) as avg_total_MB, stdev(total_MB) as stdev_total_MB by sourcetype \
-| eval upperBound_total_m_packets=(avg_total_m_packets+stdev_total_m_packets*3), upperBound_total_MB=(avg_total_MB+stdev_total_MB*3) \
+| eval upperBound_total_m_packets=(avg_total_m_packets+stdev_total_m_packets*5), upperBound_total_MB=(avg_total_MB+stdev_total_MB*5) \
 | foreach avg*, std*, upperBound* [| eval <>=round(<>, 2)] \
 | outputlookup cs_outbound_network_traffic_upperbound.csv
 action.cyences_notable_event_action.products = Cisco IOS, FortiGate, Palo Alto, Sophos Firewall
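Review bot: The multiplier `5` is now hard-coded a second time here, duplicating the literal the previous hunk put into the inbound baseline, so the two stanzas will silently diverge the next time one of them is retuned. Moving the factor into a macro (the file already references `cs_summariesonly_network_traffic`, so a sibling macro for the stdev multiplier would fit the existing style) and using that reference in place of the literal `5` in both `eval` lines keeps the baselines in step. Separately, if `stdev()` produces no value for a sourcetype that has only one bucket in the baseline window, the bound written to `cs_outbound_network_traffic_upperbound.csv` is null and any downstream `where` against it never matches; wrapping it as `coalesce(stdev_total_MB, 0)` would make that case explicit, but confirm Splunk's one-sample `stdev()` behaviour before relying on it.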
@@ -3087,7 +3087,7 @@ search = | tstats `cs_summariesonly_network_traffic` sum(All_Traffic.bytes) as t
 | lookup cs_network_traffic_upperbound.csv sourcetype \
 | where total_m_packets>upperBound_total_m_packets OR dc_src_ip > uppperBound_dc_src_ip \
 | eval cyences_severity = case(total_m_packets>upperBound_total_m_packets*3 OR dc_src_ip>uppperBound_dc_src_ip*3, "critical", total_m_packets>upperBound_total_m_packets*2 OR dc_src_ip>uppperBound_dc_src_ip*2, "high", true(), "medium") \
-| table sourcetype, cyences_severity, total_m_packets, avg_total_m_packets, upperBound_total_m_packets, actions, dc_src_ip, avg_dc_src_ip, upperBound_dc_src_ip, top5_src_ip, total_MB, avg_total_MB \
+| table sourcetype, cyences_severity, total_m_packets, avg_total_m_packets, upperBound_total_m_packets, actions, dc_src_ip, avg_dc_src_ip, upperBound_dc_src_ip, top5_src_ip, total_MB, avg_total_MB, upperBound_total_MB \
 | fieldformat avg_total_m_packets=avg_total_m_packets." M" \
 | fieldformat upperBound_total_m_packets=upperBound_total_m_packets." M" \
 | fieldformat total_m_packets=total_m_packets." M" \
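Review bot: The added `upperBound_total_MB` column is only displayed: the `where` two lines above still alerts on packets and distinct source IPs alone, so the byte bound that the first hunk writes into `cs_network_traffic_upperbound.csv` never triggers a notable; if MB is meant to be a detection signal, extend the filter with `OR total_MB>upperBound_total_MB` and give it a matching branch in the `case()`. Separately, the `where` and `case()` lines reference `uppperBound_dc_src_ip` (three p's) while the lookup, per the first hunk, emits `upperBound_dc_src_ip`; unless the lookup also defines the misspelled field, that comparison is against a null and the distinct-source-IP condition can never fire, which reduces this search to the packet threshold only. Correcting the spelling in both places is a one-token change but materially changes what this search alerts on, so it deserves its own commit and a changelog entry. The `search =` value begins before and continues after this hunk.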