From 68685a1b86cdc080284ecd6315645cce0261ef18 Mon Sep 17 00:00:00 2001
From: Hardik Dholariya
Date: Wed, 11 Sep 2024 20:54:18 +0530
Subject: [PATCH 1/2] Added sophos firewall alerts
---
 cyences_app_for_splunk/default/macros.conf | 8 +
 .../default/savedsearches.conf | 172 +++++++++++++-----
 2 files changed, 130 insertions(+), 50 deletions(-)
diff --git a/cyences_app_for_splunk/default/macros.conf b/cyences_app_for_splunk/default/macros.conf
index 73554af7..bc3e340c 100644
--- a/cyences_app_for_splunk/default/macros.conf
+++ b/cyences_app_for_splunk/default/macros.conf
@@ -1177,6 +1177,14 @@ iseval = 0
 definition = search *
 iseval = 0
+[cs_sophos_firewall_vpn_tunnel_down]
+definition = search *
+iseval = 0
+
+[cs_sophos_firewall_vpn_gateway_down]
+definition = search *
+iseval = 0
+
 [cs_sophos_core_restore_failed_filter]
 definition = search *
 iseval = 0
diff --git a/cyences_app_for_splunk/default/savedsearches.conf b/cyences_app_for_splunk/default/savedsearches.conf
index 538b4691..3e517ea6 100644
--- a/cyences_app_for_splunk/default/savedsearches.conf
+++ b/cyences_app_for_splunk/default/savedsearches.conf
@@ -11,20 +11,21 @@
 # 10. Cisco IOS (Network Devices)
 # 11. Fortigate Firewall (Network Devices)
 # 12. Palo Alto Firewall (Network Devices)
-# 13. Vulnerability Scanners
-# 14. Active Directory and Windows
-# 15. Ransomware
-# 16. Credential Compromise
-# 17. Authentication
-# 18. VPN
-# 19. Radius Authentication
-# 20. Linux/Unix
-# 21. MSSQL
-# 22. Oracle
-# 23. Asset Inventory
-# 24. Device Inventory
-# 25. User Inventory
-# 26. Cisco Meraki
+# 13. Sophos Firewall (Network Devices)
+# 14. Vulnerability Scanners
+# 15. Active Directory and Windows
+# 16. Ransomware
+# 17. Credential Compromise
+# 18. Authentication
+# 19. VPN
+# 20. Radius Authentication
+# 21. Linux/Unix
+# 22. MSSQL
+# 23. Oracle
+# 24. Asset Inventory
+# 25. Device Inventory
+# 26. User Inventory
+# 27. Cisco Meraki
 # Cron Details
@@ -471,42 +472,6 @@ action.cyences_notable_event_action.products = Sophos Endpoint Protection
 action.cyences_notable_event_action.teams = SOC
-[Sophos Endpoint Protection - Firewall Lost Connection to Sophos Central]
-disabled = 1
-enableSched = 1
-alert.track = 1
-alert.severity = 4
-alert.suppress = 0
-counttype = number of events
-quantity = 0
-relation = greater than
-cron_schedule = 54 * * * *
-description = This alert will trigger when a Firewall lost connection to Sophos Central. \
-\
-Data Collection - Sophos Central Add-on for Splunk (https://splunkbase.splunk.com/app/6186/)
-dispatch.earliest_time = -62m@m
-dispatch.latest_time = -2m@m
-display.general.type = statistics
-display.page.search.tab = statistics
-display.page.search.mode = fast
-request.ui_dispatch_app = cyences_app_for_splunk
-request.ui_dispatch_view = search
-search = `cs_sophos` sourcetype="sophos_events" type="Event::Firewall::LostConnectionToSophosCentral" \
-| stats count, latest(_time) as _time, values(name) as threat, values(source_info.ip) as src_ip by host, location | sort -count \
-| eval cyences_severity = "high" \
-| `cs_human_readable_time_format(_time, event_time)` \
-| `cs_sophos_firewall_lost_connection_to_sophos`
-action.cyences_notable_event_action = 1
-action.cyences_notable_event_action.param.filter_macro_name = cs_sophos_firewall_lost_connection_to_sophos
-action.cyences_notable_event_action.contributing_events = `cs_sophos` sourcetype="sophos_events" type="Event::Firewall::LostConnectionToSophosCentral"
-action.cyences_notable_event_action.system_compromised_search = | stats sum(count) as count by location
-action.cyences_notable_event_action.system_compromised_drilldown = `cs_sophos` sourcetype="sophos_events" location=$row.location$
-action.cyences_send_email_action = 1
-action.cyences_notable_event_action.products = Sophos Endpoint Protection
-action.cyences_notable_event_action.teams = Compliance
-
-
-
 # ======================
 # Windows Defender
 # ======================
@@ -3718,6 +3683,113 @@ search = | savedsearch "Palo Alto Firewall - Network Compromise - DDoS Attack Pr
 action.cyences_notable_event_action.products = Palo Alto
+# ================
+# Sophos Firewall
+# ================
+[Sophos Firewall - Firewall Lost Connection to Sophos Central]
+disabled = 1
+enableSched = 1
+alert.track = 1
+alert.severity = 4
+alert.suppress = 0
+counttype = number of events
+quantity = 0
+relation = greater than
+cron_schedule = 51 * * * *
+description = This alert will trigger when a Firewall lost connection to Sophos Central. \
+\
+Data Collection - Sophos Central Add-on for Splunk (https://splunkbase.splunk.com/app/6186/)
+dispatch.earliest_time = -62m@m
+dispatch.latest_time = -2m@m
+display.general.type = statistics
+display.page.search.tab = statistics
+display.page.search.mode = fast
+request.ui_dispatch_app = cyences_app_for_splunk
+request.ui_dispatch_view = search
+search = `cs_sophos` sourcetype="sophos_events" type="Event::Firewall::LostConnectionToSophosCentral" \
+| stats count, latest(_time) as _time, values(name) as description by host, location | sort -count \
+| eval cyences_severity = "high" \
+| `cs_human_readable_time_format(_time, event_time)` \
+| `cs_sophos_firewall_lost_connection_to_sophos`
+action.cyences_notable_event_action = 1
+action.cyences_notable_event_action.param.filter_macro_name = cs_sophos_firewall_lost_connection_to_sophos
+action.cyences_notable_event_action.contributing_events = `cs_sophos` sourcetype="sophos_events" type="Event::Firewall::LostConnectionToSophosCentral"
+action.cyences_notable_event_action.system_compromised_search = | stats sum(count) as count by location
+action.cyences_notable_event_action.system_compromised_drilldown = `cs_sophos` sourcetype="sophos_events" type="Event::Firewall::LostConnectionToSophosCentral" location=$row.location$
+action.cyences_send_email_action = 1
+action.cyences_notable_event_action.products = Sophos Firewall
+action.cyences_notable_event_action.teams = Compliance
+
+
+[Sophos Firewall - Firewall VPN Tunnel Down]
+disabled = 1
+enableSched = 1
+alert.track = 1
+alert.severity = 4
+alert.suppress = 0
+counttype = number of events
+quantity = 0
+relation = greater than
+cron_schedule = 52 * * * *
+description = This alert will trigger when a Firewall VPN tunnel goes down. \
+\
+Data Collection - Sophos Central Add-on for Splunk (https://splunkbase.splunk.com/app/6186/)
+dispatch.earliest_time = -62m@m
+dispatch.latest_time = -2m@m
+display.general.type = statistics
+display.page.search.tab = statistics
+display.page.search.mode = fast
+request.ui_dispatch_app = cyences_app_for_splunk
+request.ui_dispatch_view = search
+search = `cs_sophos` sourcetype="sophos_events" type="Event::Firewall::FirewallVPNTunnelDown" \
+| stats count, latest(_time) as _time, values(name) as description by host, location | sort - count \
+| eval cyences_severity = "high" \
+| `cs_human_readable_time_format(_time, event_time)` \
+| `cs_sophos_firewall_vpn_tunnel_down`
+action.cyences_notable_event_action = 1
+action.cyences_notable_event_action.param.filter_macro_name = cs_sophos_firewall_vpn_tunnel_down
+action.cyences_notable_event_action.contributing_events = `cs_sophos` sourcetype="sophos_events" type="Event::Firewall::FirewallVPNTunnelDown"
+action.cyences_notable_event_action.system_compromised_search = | stats sum(count) as count by location
+action.cyences_notable_event_action.system_compromised_drilldown = `cs_sophos` sourcetype="sophos_events" type="Event::Firewall::FirewallVPNTunnelDown" location=$row.location$
+action.cyences_send_email_action = 1
+action.cyences_notable_event_action.products = Sophos Firewall
+action.cyences_notable_event_action.teams = Compliance
+
+
+[Sophos Firewall - Firewall Gateway Down]
+disabled = 1
+enableSched = 1
+alert.track = 1
+alert.severity = 4
+alert.suppress = 0
+counttype = number of events
+quantity = 0
+relation = greater than
+cron_schedule = 53 * * * *
+description = This alert will trigger when a Firewall VPN gateway down. \
+\
+Data Collection - Sophos Central Add-on for Splunk (https://splunkbase.splunk.com/app/6186/)
+dispatch.earliest_time = -62m@m
+dispatch.latest_time = -2m@m
+display.general.type = statistics
+display.page.search.tab = statistics
+display.page.search.mode = fast
+request.ui_dispatch_app = cyences_app_for_splunk
+request.ui_dispatch_view = search
+search = `cs_sophos` sourcetype="sophos_events" type="Event::Firewall::FirewallGatewayDown" \
+| stats count, latest(_time) as _time, values(name) as description by host, location | sort - count \
+| eval cyences_severity = "high" \
+| `cs_human_readable_time_format(_time, event_time)` \
+| `cs_sophos_firewall_vpn_gateway_down`
+action.cyences_notable_event_action = 1
+action.cyences_notable_event_action.param.filter_macro_name = cs_sophos_firewall_vpn_gateway_down
+action.cyences_notable_event_action.contributing_events = `cs_sophos` sourcetype="sophos_events" type="Event::Firewall::FirewallGatewayDown"
+action.cyences_notable_event_action.system_compromised_search = | stats sum(count) as count by location
+action.cyences_notable_event_action.system_compromised_drilldown = `cs_sophos` sourcetype="sophos_events" type="Event::Firewall::FirewallGatewayDown" location=$row.location$
+action.cyences_send_email_action = 1
+action.cyences_notable_event_action.products = Sophos Firewall
+action.cyences_notable_event_action.teams = Compliance
+
 # ==============
 # Cisco Meraki
From 68e1c2b7fe83a760a7480f27d146911c3554baf5 Mon Sep 17 00:00:00 2001
From: Hardik Dholariya
Date: Thu, 12 Sep 2024 14:15:28 +0530
Subject: [PATCH 2/2] Added sophos firewall alert
---
 cyences_app_for_splunk/default/macros.conf | 4 +++
 .../default/savedsearches.conf | 34 +++++++++++++++++++
 2 files changed, 38 insertions(+)
diff --git a/cyences_app_for_splunk/default/macros.conf b/cyences_app_for_splunk/default/macros.conf
index bc3e340c..67d58e62 100644
--- a/cyences_app_for_splunk/default/macros.conf
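Review bot: The third stanza is inconsistent about what it alerts on: the stanza name `[Sophos Firewall - Firewall Gateway Down]` and the event type `Event::Firewall::FirewallGatewayDown` say gateway, while the filter macro `cs_sophos_firewall_vpn_gateway_down` and the description say VPN gateway; pick one wording and use it in the stanza name, description and macro name so an analyst searching the notable index finds the same thing under either. The description line also has a grammar slip, `description = This alert will trigger when a Firewall VPN gateway goes down. \`. The relocated Lost Connection stanza drops `values(source_info.ip) as src_ip` from the stats clause that the removed Endpoint Protection copy carried, so the notable no longer records the firewall's IP; if that is deliberate because firewall events do not populate that field, a one-line comment saying so would save the next reader a diff archaeology trip, otherwise keep the field. Finally, the first stanza writes `sort -count` while the other two write `sort - count`; as far as I can tell SPL accepts both, but one spelling is easier to grep for across the file.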
+++ b/cyences_app_for_splunk/default/macros.conf
@@ -1185,6 +1185,10 @@ iseval = 0
 definition = search *
 iseval = 0
+[cs_sophos_firewall_advanced_threat_detected]
+definition = search *
+iseval = 0
+
 [cs_sophos_core_restore_failed_filter]
 definition = search *
 iseval = 0
diff --git a/cyences_app_for_splunk/default/savedsearches.conf b/cyences_app_for_splunk/default/savedsearches.conf
index 3e517ea6..5d0e4b62 100644
--- a/cyences_app_for_splunk/default/savedsearches.conf
+++ b/cyences_app_for_splunk/default/savedsearches.conf
@@ -3791,6 +3791,40 @@ action.cyences_notable_event_action.products = Sophos Firewall
 action.cyences_notable_event_action.teams = Compliance
+[Sophos Firewall - Advanced Threat Detected]
+disabled = 1
+enableSched = 1
+alert.track = 1
+alert.severity = 4
+alert.suppress = 0
+counttype = number of events
+quantity = 0
+relation = greater than
+cron_schedule = 53 * * * *
+description = This alert will trigger when advanced threat was detected. \
+\
+Data Collection - Sophos Central Add-on for Splunk (https://splunkbase.splunk.com/app/6186/)
+dispatch.earliest_time = -62m@m
+dispatch.latest_time = -2m@m
+display.general.type = statistics
+display.page.search.tab = statistics
+display.page.search.mode = fast
+request.ui_dispatch_app = cyences_app_for_splunk
+request.ui_dispatch_view = search
+search = `cs_sophos` sourcetype="sophos_events" type="Event::Firewall::FirewallAdvancedThreatProtectionDetailed" \
+| stats count, latest(_time) as _time, values(name) as description by host, location | sort - count \
+| eval cyences_severity = "critical" \
+| `cs_human_readable_time_format(_time, event_time)` \
+| `cs_sophos_firewall_advanced_threat_detected`
+action.cyences_notable_event_action = 1
+action.cyences_notable_event_action.param.filter_macro_name = cs_sophos_firewall_advanced_threat_detected
+action.cyences_notable_event_action.contributing_events = `cs_sophos` sourcetype="sophos_events" type="Event::Firewall::FirewallAdvancedThreatProtectionDetailed"
+action.cyences_notable_event_action.system_compromised_search = | stats sum(count) as count by location
+action.cyences_notable_event_action.system_compromised_drilldown = `cs_sophos` sourcetype="sophos_events" type="Event::Firewall::FirewallAdvancedThreatProtectionDetailed" location=$row.location$
+action.cyences_send_email_action = 1
+action.cyences_notable_event_action.products = Sophos Firewall
+action.cyences_notable_event_action.teams = SOC
+
 # ==============
 # Cisco Meraki
 # ==============
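Review bot: `cron_schedule = 53 * * * *` collides with the Gateway Down alert added in the previous patch, which already runs at minute 53, whereas every other Sophos Firewall stanza in this series takes its own minute (51, 52, 53); the 54 slot freed by the removed Endpoint Protection stanza is the obvious candidate, `cron_schedule = 54 * * * *`, if nothing else in the file has taken it. The stanza keeps `alert.severity = 4` while raising `cyences_severity` to "critical"; the three patch-1 stanzas pair 4 with "high", so if the app maps critical to a higher Splunk severity elsewhere this one should follow — worth checking against an existing critical alert in the file. The description also reads awkwardly and should be `description = This alert will trigger when an advanced threat is detected. \`. The notable carries only host, location and the event name; for a threat detection, confirm whether these events expose an indicator field comparable to the `source_info.ip` the removed Endpoint Protection stanza used, since that is what an analyst triaging the notable will want first.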