Merge pull request #354 from CrossRealms/Add-the-alert-for-windows-ce…

…rtificate-expiration Added the alert for windows certificate expiration
CrossRealms · Aug 11, 2023 · 6ede778 · 6ede778
2 parents 324e45c + 3b18da1
commit 6ede778
Show file tree

Hide file tree

Showing 2 changed files with 63 additions and 0 deletions.
diff --git a/cyences_app_for_splunk/default/macros.conf b/cyences_app_for_splunk/default/macros.conf
@@ -727,6 +727,9 @@ iseval = 0
 [cs_windows_firewall_is_disabled_filter]
 definition = search *
 
+[cs_windows_certification_is_expiring_filter]
+definition = search *
+
 [cs_windows_cert_store_idx]
 definition = index IN (wincerts)
 iseval = 0

diff --git a/cyences_app_for_splunk/default/savedsearches.conf b/cyences_app_for_splunk/default/savedsearches.conf
@@ -966,6 +966,66 @@ action.cyences_send_email_action = 1
 action.cyences_notable_event_action.products = Windows
 
 
+[Windows - Certificate is Expiring Soon]
+disabled = 1
+enableSched = 1
+alert.track = 1
+alert.severity = 4
+alert.suppress = 0
+counttype = number of events
+quantity = 0
+relation = greater than
+# The alert will be triggered every 24 hours at midday using the data from the previous 24 hours.
+cron_schedule = 10 12 * * *
+description = The alert will be triggered if the certificate is expiring in 7 days. \
+Data Collection - Windows Certificate Store Add-on (TODO: <Add the splunkbase link>).
+dispatch.earliest_time = -24h@h
+dispatch.latest_time = now
+display.general.type = statistics
+display.page.search.tab = statistics
+display.page.search.mode = fast
+request.ui_dispatch_app = cyences_app_for_splunk
+request.ui_dispatch_view = search
+# This search captures certificates that will expire within 7 days, and if they are expiring within one day, the severity will be critical, otherwise, the severity will be high.
+search = `cs_windows_cert_store_idx` sourcetype="windows:certstore:local" \
+| dedup host SerialNumber \
+| `cs_windows_cert_time_format(NotAfter)` \
+| `cs_windows_cert_time_format(NotBefore)` \
+| eval interval_start=relative_time(now(),"-1m") \
+| eval interval_one_day=relative_time(now(),"+1d") \
+| eval interval_end=relative_time(now(),"+7d") \
+| where interval_start<NotAfter AND NotAfter<interval_end \
+| eval cyences_severity = if(NotAfter<=interval_one_day, "critical", "high") \
+| `cs_human_readable_time_format(NotAfter)` \
+| `cs_human_readable_time_format(NotBefore)` \
+| table host Subject DnsNameList Issuer NotBefore NotAfter FriendlyName SerialNumber PSPath PSParentPath PSParentPath_FriendlyName cyences_severity \
+| fillnull value="-" PSParentPath_FriendlyName \
+| append \
+    [ | search `cs_windows_cert_store_idx` sourcetype="windows:certstore:ca:issued" \
+    | dedup Issued_Request_ID \
+    | `cs_windows_cert_time_format(Certificate_Expiration_Date)` \
+    | `cs_windows_cert_time_format(Certificate_Effective_Date)` \
+    | eval interval_start=relative_time(now(),"-1m") \
+    | eval interval_one_day=relative_time(now(),"+1d") \
+    | eval interval_end=relative_time(now(),"+7d") \
+    | where interval_start<Certificate_Expiration_Date AND Certificate_Expiration_Date<interval_end \
+    | join type=left Certificate_Template \
+        [| inputlookup cs_windows_cert_name_mapping.csv ] \
+    | eval Certificate_Template=if(isnull(Certificate_Name),Certificate_Template,Certificate_Name."(".Certificate_Template.")") \
+    | eval cyences_severity = if(Certificate_Expiration_Date<=interval_one_day, "critical", "high") \
+    | `cs_human_readable_time_format(Certificate_Expiration_Date)` \
+    | `cs_human_readable_time_format(Certificate_Effective_Date)` \
+    | table host Issued_Common_Name Issued_Request_ID Certificate_Effective_Date Certificate_Expiration_Date Certificate_Template Requester_Name Request_Disposition_Message Serial_Number cyences_severity] \
+| `cs_windows_certification_is_expiring_filter`
+action.cyences_notable_event_action = 1
+action.cyences_notable_event_action.param.filter_macro_name = cs_windows_certification_is_expiring_filter
+action.cyences_notable_event_action.contributing_events = `cs_windows_cert_store_idx` sourcetype="windows:certstore:*"
+action.cyences_notable_event_action.system_compromised_search = | fillnull value="-" SerialNumber Issued_Request_ID | stats count by host SerialNumber Issued_Request_ID
+action.cyences_notable_event_action.system_compromised_drilldown = `cs_windows_cert_store_idx` sourcetype="windows:certstore:*" host=$row.host$ | fillnull value="-" SerialNumber Issued_Request_ID | search SerialNumber=$row.SerialNumber$ Issued_Request_ID=$row.Issued_Request_ID$ | dedup SerialNumber Issued_Request_ID
+action.cyences_send_email_action = 1
+action.cyences_notable_event_action.products = Windows
+
+
 [AD - Group Changed]
 disabled = 1
 enableSched = 1