Merge pull request #633 from CrossRealms/add-defender-atp-alerts

Added defender ATP alerts
CrossRealms · Sep 18, 2024 · 76836f6 · 76836f6
2 parents 76fdd47 + c836130
commit 76836f6
Show file tree

Hide file tree

Showing 2 changed files with 90 additions and 0 deletions.
diff --git a/cyences_app_for_splunk/default/macros.conf b/cyences_app_for_splunk/default/macros.conf
@@ -390,6 +390,19 @@ definition = 0.5
 # no. of buckets in millions
 definition = 0.5
 
+[cs_alert_suppression(3)]
+args = alert_name, suppression_period, groupby_fields
+definition = eval is_triggered=0 \
+| append \
+    [| search `cs_cyences_index` alert_name="$alert_name$" earliest=$suppression_period$ latest=now \
+    | rename orig_host as host \
+    | fields $groupby_fields$ \
+    | eval is_triggered=1] \
+| eventstats count by $groupby_fields$ \
+| where count=1 AND is_triggered=0 \
+| fields - count, is_triggered
+iseval = 0
+
 # O365
 [cs_o365_authorizationpolicy_change_internal_filter]
 definition = search *
@@ -1489,6 +1502,11 @@ definition = index=defenderatp sourcetype="DefenderATPStatusLog"
 [cs_o365_defender_atp_alerts_filter]
 definition = search *
 
+[cs_o365_defender_atp_system_is_offboarded_filter]
+definition = search *
+
+[cs_o365_defender_atp_system_is_not_connected_since_week_filter]
+definition = search *
 
 
 # AWS

diff --git a/cyences_app_for_splunk/default/savedsearches.conf b/cyences_app_for_splunk/default/savedsearches.conf
@@ -250,6 +250,78 @@ action.cyences_notable_event_action.products = Office 365 Defender ATP
 action.cyences_notable_event_action.teams = SOC
 
 
+[Defender ATP - System is Offboarded]
+disabled = 1
+enableSched = 1
+alert.track = 1
+alert.severity = 4
+alert.suppress = 0
+counttype = number of events
+quantity = 0
+relation = greater than
+cron_schedule = 54 * * * *
+description = This alert notifies when system/device is offboarded \
+\
+Data Collection - Defender ATP Status Check Add-on (https://splunkbase.splunk.com/app/5691)
+dispatch.earliest_time = -62m@m
+dispatch.latest_time = -2m@m
+display.general.type = statistics
+display.page.search.tab = statistics
+display.page.search.mode = fast
+request.ui_dispatch_app = cyences_app_for_splunk
+request.ui_dispatch_view = search
+search = `cs_o365_defender_atp_audit` \
+| dedup host \
+| search OnboardingState!="1" \
+| table host, status, OnboardingState, LastConnected \
+| eval cyences_severity = "high" \
+| `cs_o365_defender_atp_system_is_offboarded_filter`
+action.cyences_notable_event_action = 1
+action.cyences_notable_event_action.param.filter_macro_name = cs_o365_defender_atp_system_is_offboarded_filter
+action.cyences_notable_event_action.contributing_events = `cs_o365_defender_atp_audit` | dedup host
+action.cyences_notable_event_action.system_compromised_search = | stats count by host
+action.cyences_notable_event_action.system_compromised_drilldown = `cs_o365_defender_atp_audit` | dedup host | search host=$row.host$
+action.cyences_send_email_action = 1
+action.cyences_notable_event_action.products = Office 365 Defender ATP
+action.cyences_notable_event_action.teams = SOC, Compliance
+
+
+[Defender ATP - System is not Connected since a Week]
+disabled = 1
+enableSched = 1
+alert.track = 1
+alert.severity = 4
+alert.suppress = 0
+counttype = number of events
+quantity = 0
+relation = greater than
+cron_schedule = 54 * * * *
+description = This alert notifies when system/device is not connected since a week. \
+\
+Data Collection - Defender ATP Status Check Add-on (https://splunkbase.splunk.com/app/5691)
+dispatch.earliest_time = -62m@m
+dispatch.latest_time = -2m@m
+display.general.type = statistics
+display.page.search.tab = statistics
+display.page.search.mode = fast
+request.ui_dispatch_app = cyences_app_for_splunk
+request.ui_dispatch_view = search
+search = `cs_o365_defender_atp_audit` \
+| dedup host \
+| where LastConnectedEpoch < relative_time(now(), "-1w") \
+| `cs_alert_suppression("Defender ATP - System is not Connected since a Week", "-24h@m", "host")` \
+| table host, status, OnboardingState, LastConnected \
+| eval cyences_severity = "high" \
+| `cs_o365_defender_atp_system_is_not_connected_since_week_filter`
+action.cyences_notable_event_action = 1
+action.cyences_notable_event_action.param.filter_macro_name = cs_o365_defender_atp_system_is_not_connected_since_week_filter
+action.cyences_notable_event_action.contributing_events = `cs_o365_defender_atp_audit` | dedup host
+action.cyences_notable_event_action.system_compromised_search = | stats count by host
+action.cyences_notable_event_action.system_compromised_drilldown = `cs_o365_defender_atp_audit` | dedup host | search host=$row.host$
+action.cyences_send_email_action = 1
+action.cyences_notable_event_action.products = Office 365 Defender ATP
+action.cyences_notable_event_action.teams = SOC, Compliance
+
 
 # ==========================
 # Sophos Endpoint Protection