Merge pull request #360 from CrossRealms/bruteforce-alert-improvement

Improvement in bruteforce by source for unknown
CrossRealms · Aug 11, 2023 · 61e690a · 61e690a
2 parents 6ede778 + 1519d0b
commit 61e690a
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/cyences_app_for_splunk/default/savedsearches.conf b/cyences_app_for_splunk/default/savedsearches.conf
@@ -3813,7 +3813,8 @@ search = | tstats `cs_summariesonly_authentication` count, min(_time) as firstTi
 | `cs_human_readable_time_format(lastTime)` \
 | eval reasons=mvjoin(signature, ", ") | fields - signature | eval users=mvjoin(user, ", ") | fields - user \
 | eval cyences_severity = case(count>1000, "critical", count>500, "high", count>100, "medium") \
-| eval cyences_severity = if((app=="win:unknown" or app=="win:remote") and src=="unknown" and cyences_severity=="critical", "high", cyences_severity) \
+| eval cyences_severity = case(src!="unknown", cyences_severity, cyences_severity=="critical", "high", cyences_severity=="high", "medium", 1==1, "info") \
+``` Reduce severity when src is unknown``` \
 | `cs_authentication_bruteforce_attempt_from_source_filter`
 action.cyences_notable_event_action = 1
 action.cyences_notable_event_action.param.filter_macro_name = cs_authentication_bruteforce_attempt_from_source_filter