Merge branch 'master' into bug-fix-file-sharing

CrossRealms · May 30, 2024 · 826fea2 · 826fea2
2 parents b881ddd + cd3ea98
commit 826fea2
Show file tree

Hide file tree

Showing 5 changed files with 91 additions and 26 deletions.
diff --git a/cyences_app_for_splunk/default/data/ui/views/cs_o365_reports.xml b/cyences_app_for_splunk/default/data/ui/views/cs_o365_reports.xml
@@ -1086,6 +1086,7 @@
 | iplocation ClientIP
 | fillnull value="" Country, Region, City 
 | rename ClientIP as Source
+| `cs_o365_onedrive_or_sharepoint_link_accessed_by_external_user_internal_filter`
 | stats values(Operation) AS Operations, values(ObjectId) as ObjectId , values(SharingLinkScope) as SharingLinkScope, values(Permission) as Permission, values(ApplicationDisplayName) as ApplicationDisplayName, values(Source) as Source,values(EventData) as EventData, values(ItemType) as ItemType,values(EventSource) as EventSource latest(_time) as LastTime earliest(_time) as FirstTime, values(Country) as Country, values(City) as City, values(Region) as Region by SourceFileName, UserId
 | rex field=UserId "(?&lt;email_user&gt;[^@]+)@(?&lt;email_domain&gt;.+)"
 | eval email_domain_search = replace(email_domain, "\.", "_") | fillnull value="NOTHING_HERE_NO" email_domain_search

diff --git a/cyences_app_for_splunk/default/data/ui/views/cs_windows_reports.xml b/cyences_app_for_splunk/default/data/ui/views/cs_windows_reports.xml
@@ -1,6 +1,28 @@
 <form theme="dark" version="1.1">
   <label>Windows</label>
-  <fieldset submitButton="false"></fieldset>
+  <fieldset submitButton="false">
+    <input type="time" token="timeRange">
+      <label>Time Range</label>
+      <default>
+        <earliest>-24h@h</earliest>
+        <latest>now</latest>
+      </default>
+    </input>
+    <input type="text" token="tkn_host" searchWhenChanged="true">
+      <label>Host</label>
+      <default>*</default>
+      <prefix>*</prefix>
+      <suffix>*</suffix>
+      <initialValue>*</initialValue>
+    </input>
+    <input type="text" token="tkn_user" searchWhenChanged="true">
+      <label>User</label>
+      <default>*</default>
+      <prefix>*</prefix>
+      <suffix>*</suffix>
+      <initialValue>*</initialValue>
+    </input>
+  </fieldset>
   <row>
     <panel>
       <html>
@@ -22,29 +44,6 @@
       </table>
     </panel>
   </row>
-  <row>
-    <panel>
-      <input type="time" token="timeRange">
-        <label>Time Range</label>
-        <default>
-          <earliest>-24h@h</earliest>
-          <latest>now</latest>
-        </default>
-      </input>
-      <input type="text" token="tkn_host" searchWhenChanged="true">
-        <label>Host</label>
-        <default>*</default>
-        <prefix>*</prefix>
-        <suffix>*</suffix>
-      </input>
-      <input type="text" token="tkn_user" searchWhenChanged="true">
-        <label>User</label>
-        <default>*</default>
-        <prefix>*</prefix>
-        <suffix>*</suffix>
-      </input>
-    </panel>
-  </row>
   <row depends="$hidden_row$">
     <panel>
       <table>
@@ -62,6 +61,64 @@
       </table>
     </panel>
   </row>
+  <row>
+    <panel>
+      <title>User Login Activity</title>
+      <input type="multiselect" token="tkn_logon_type" searchWhenChanged="true">
+        <label>Logon Type</label>
+        <default>*</default>
+        <prefix>Logon_Type IN (</prefix>
+        <suffix>)</suffix>
+        <choice value="*">All</choice>
+        <initialValue>*</initialValue>
+        <delimiter>, </delimiter>
+        <valuePrefix>"</valuePrefix>
+        <valueSuffix>"</valueSuffix>
+        <fieldForLabel>LogonType</fieldForLabel>
+        <fieldForValue>Logon_Type</fieldForValue>
+        <search>
+          <query>`cs_wineventlog_security` EventCode IN ("4624", "4625") 
+| dedup LogonType 
+| table LogonType,Logon_Type</query>
+          <earliest>$timeRange.earliest$</earliest>
+          <latest>$timeRange.latest$</latest>
+        </search>
+      </input>
+      <input type="text" token="tkn_computer_name" searchWhenChanged="true">
+        <label>Computer Name</label>
+        <default>*</default>
+        <prefix>*</prefix>
+        <suffix>*</suffix>
+        <initialValue>*</initialValue>
+      </input>
+      <table>
+        <title>Successful Login Events (EventCode=4624)</title>
+        <search>
+          <query>`cs_wineventlog_security`  EventCode="4624" host=$tkn_host|s$ $tkn_logon_type$ ComputerName=$tkn_computer_name|s$ user=$tkn_user|s$ user!="*$"
+| `cs_human_readable_time_format(_time, event_time)`
+| table event_time, user, LogonType, ComputerName, signature, user_type</query>
+          <earliest>$timeRange.earliest$</earliest>
+          <latest>$timeRange.latest$</latest>
+        </search>
+        <option name="count">10</option>
+        <option name="drilldown">none</option>
+        <option name="refresh.display">progressbar</option>
+      </table>
+      <table>
+        <title>Failed Login Attempts by User (EventCode=4625)</title>
+        <search>
+          <query>`cs_wineventlog_security` EventCode=4625 host=$tkn_host|s$ $tkn_logon_type$ ComputerName=$tkn_computer_name|s$ user=$tkn_user|s$ user!="*$"
+| stats count as "Failed Attempts" values(signature) as "Failure Reasons" values(LogonType) as "Logon Type" values(ComputerName) as "Computer Names" by user
+| sort - "Failed Attempts"</query>
+          <earliest>$timeRange.earliest$</earliest>
+          <latest>$timeRange.latest$</latest>
+        </search>
+        <option name="count">5</option>
+        <option name="drilldown">none</option>
+        <option name="refresh.display">progressbar</option>
+      </table>
+    </panel>
+  </row>
   <row>
     <panel>
       <title>Windows Users and Privileges (EventCode=4672)</title>
@@ -140,7 +197,8 @@
           <query>index IN (wineventlog, windows, msad) sourcetype=Script:ListeningPorts host=$tkn_host$ transport=$transport$ dest_port=$port$
 | fillnull value="-" appname
 | dedup host, transport, dest_port, pid, appname 
-| table host, _time , transport, dest_port, pid, appname</query>
+| `cs_human_readable_time_format(_time, event_time)`
+| table host, event_time , transport, dest_port, pid, appname</query>
           <earliest>$timeRange.earliest$</earliest>
           <latest>$timeRange.latest$</latest>
         </search>
@@ -154,7 +212,7 @@
   </row>
   <row>
     <panel>
-      <title>Windows Firewall Status</title>    
+      <title>Windows Firewall Status</title>
       <table>
         <search>
           <query>`cs_windows_firewall_status_logs` host=$tkn_host|s$ 

diff --git a/cyences_app_for_splunk/default/macros.conf b/cyences_app_for_splunk/default/macros.conf
@@ -401,6 +401,10 @@ iseval = 0
 definition = search *
 iseval = 0
 
+[cs_o365_onedrive_or_sharepoint_link_accessed_by_external_user_internal_filter]
+definition = search *
+iseval = 0
+
 
 # Sysmon Deploy Audit
 [cs_sysmon_deploy_audit_data]

diff --git a/cyences_app_for_splunk/default/props.conf b/cyences_app_for_splunk/default/props.conf
@@ -334,6 +334,7 @@ EVAL-obj_type = lower(obj_type)
 # wineventlog cleared
 EVAL-LogName = if((EventCode=1100 OR EventCode=1102), "Audit-Security", LogName)
 EVAL-user = coalesce(User, user, "-")
+EVAL-LogonType = case(Logon_Type=2, "Interactive",Logon_Type=3, "Network",Logon_Type=4, "Batch",Logon_Type=5, "Service",Logon_Type=7, "Unlock",Logon_Type=8, "NetworkCleartext",Logon_Type=9, "NewCredentials",Logon_Type=10, "RemoteInteractive",Logon_Type=11, "CachedInteractive")
 
 # Windows firewall disabled events
 EVAL-SettingType = if(EventCode=4950 AND isnull(SettingType), mvfilter(Type!="Information"), SettingType)

diff --git a/cyences_app_for_splunk/default/savedsearches.conf b/cyences_app_for_splunk/default/savedsearches.conf
@@ -2846,6 +2846,7 @@ search = `cs_o365` sourcetype="o365:management:activity" _index_earliest=-61m@m
 | iplocation ClientIP \
 | fillnull value="" Country, Region, City \
 | rename ClientIP as Source \
+| `cs_o365_onedrive_or_sharepoint_link_accessed_by_external_user_internal_filter` \
 | stats values(Operation) as Operations, values(ObjectId) as ObjectId , values(SharingLinkScope) as SharingLinkScope, values(Permission) as Permission, values(ApplicationDisplayName) as ApplicationDisplayName, values(Source) as Source,values(EventData) as EventData, values(ItemType) as ItemType,values(EventSource) as EventSource latest(_time) as LastTime earliest(_time) as FirstTime, values(Country) as Country, values(City) as City, values(Region) as Region by SourceFileName, UserId \
 | rex field=UserId "(?<email_user>[^@]+)@(?<email_domain>.+)" \
 | eval email_domain_search = replace(email_domain, "\.", "_") | fillnull value="NOTHING_HERE_NO" email_domain_search \