Added sophos firewall alert
hardikhdholariya committed Sep 12, 2024
1 parent 68685a1 commit 68e1c2b
Showing 2 changed files with 38 additions and 0 deletions.
4 changes: 4 additions & 0 deletions cyences_app_for_splunk/default/macros.conf
Expand Up @@ -1185,6 +1185,10 @@ iseval = 0
definition = search *
iseval = 0

[cs_sophos_firewall_advanced_threat_detected]
definition = search *
iseval = 0

[cs_sophos_core_restore_failed_filter]
definition = search *
iseval = 0
34 changes: 34 additions & 0 deletions cyences_app_for_splunk/default/savedsearches.conf
Expand Up @@ -3791,6 +3791,40 @@ action.cyences_notable_event_action.products = Sophos Firewall
action.cyences_notable_event_action.teams = Compliance


[Sophos Firewall - Advanced Threat Detected]
disabled = 1
enableSched = 1
alert.track = 1
alert.severity = 4
alert.suppress = 0
counttype = number of events
quantity = 0
relation = greater than
cron_schedule = 53 * * * *
description = This alert will trigger when advanced threat was detected. \
\
Data Collection - Sophos Central Add-on for Splunk (https://splunkbase.splunk.com/app/6186/)
dispatch.earliest_time = -62m@m
dispatch.latest_time = -2m@m
display.general.type = statistics
display.page.search.tab = statistics
display.page.search.mode = fast
request.ui_dispatch_app = cyences_app_for_splunk
request.ui_dispatch_view = search
search = `cs_sophos` sourcetype="sophos_events" type="Event::Firewall::FirewallAdvancedThreatProtectionDetailed" \
| stats count, latest(_time) as _time, values(name) as description by host, location | sort - count \
| eval cyences_severity = "critical" \
| `cs_human_readable_time_format(_time, event_time)` \
| `cs_sophos_firewall_advanced_threat_detected`
action.cyences_notable_event_action = 1
action.cyences_notable_event_action.param.filter_macro_name = cs_sophos_firewall_advanced_threat_detected
action.cyences_notable_event_action.contributing_events = `cs_sophos` sourcetype="sophos_events" type="Event::Firewall::FirewallAdvancedThreatProtectionDetailed"
action.cyences_notable_event_action.system_compromised_search = | stats sum(count) as count by location
action.cyences_notable_event_action.system_compromised_drilldown = `cs_sophos` sourcetype="sophos_events" type="Event::Firewall::FirewallAdvancedThreatProtectionDetailed" location=$row.location$
action.cyences_send_email_action = 1
action.cyences_notable_event_action.products = Sophos Firewall
action.cyences_notable_event_action.teams = SOC

# ==============
# Cisco Meraki
# ==============
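Review bot: The `description` on the new `[Sophos Firewall - Advanced Threat Detected]` stanza is the text an analyst sees on the notable, and it currently reads awkwardly ("when advanced threat was detected"); suggest `description = This alert will trigger when an advanced threat is detected by Sophos Firewall. \`. Every result is also tagged `cyences_severity = "critical"` statically; if the `FirewallAdvancedThreatProtectionDetailed` events carry a disposition (blocked vs. allowed) it would be worth deriving the severity from it, or at least noting in the description that all detections are rated critical regardless of outcome. The stanza ships with `disabled = 1`, so it will not run until someone enables it; if that is the app's convention for new alerts, fine, otherwise the description should say how to turn it on. The filter macro added in macros.conf is consistent with the other `search *` placeholders in that file.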