Merge pull request #628 from CrossRealms/remove-suspicious-file-shari…

…ng-alert-for-google removed the google suspicious file sharing alert
CrossRealms · Sep 9, 2024 · 8b4dcc4 · 8b4dcc4
2 parents a8c92a4 + 8694a42
commit 8b4dcc4
Show file tree

Hide file tree

Showing 3 changed files with 2 additions and 74 deletions.
diff --git a/cyences_app_for_splunk/default/data/ui/views/cs_gws_reports.xml b/cyences_app_for_splunk/default/data/ui/views/cs_gws_reports.xml
@@ -581,30 +581,4 @@
       </table>
     </panel>
   </row>
-  <row>
-    <panel>
-      <title>Suspicious File Shared by External User on Google Drive</title>
-      <table>
-        <search>
-          <query>`cs_gws` sourcetype="gws:reports:drive"
-| `cs_gws_search_suspicious_title` 
-| rex field=owner "[^@]+@(?&lt;src_domain&gt;[^@]+)" 
-| where isnotnull(src_domain) 
-| search NOT src_domain IN `cs_email_user_domain` 
-| `cs_user_privilege_mapping(target_user)` 
-| stats values(doc_title) as doc_title, values(doc_type) as doc_type, values(event.name) as event.name, values(target_user) as dst_email_list, values(is_privileged_user) as is_privileged_user, count, min(_time) as firstTime, max(_time) as lastTime by owner 
-| rename owner as external_user
-| `cs_human_readable_time_format(firstTime)`
-| `cs_human_readable_time_format(lastTime)`
-| `cs_gws_suspicious_file_shared_by_external_user_filter`</query>
-          <earliest>$timeRange.earliest$</earliest>
-          <latest>$timeRange.latest$</latest>
-          <sampleRatio>1</sampleRatio>
-        </search>
-        <option name="drilldown">none</option>
-        <option name="count">10</option>
-        <option name="refresh.display">progressbar</option>
-      </table>
-    </panel>
-  </row>
 </form>
diff --git a/cyences_app_for_splunk/default/macros.conf b/cyences_app_for_splunk/default/macros.conf
@@ -1601,13 +1601,6 @@ definition = search *
 [cs_gws_google_drive_objects_accessed_by_external_user]
 definition = search *
 
-[cs_gws_suspicious_file_shared_by_external_user_filter]
-definition = search *
-
-[cs_gws_search_suspicious_title]
-definition = lookup cs_email_suspicious_subjects_and_title title as doc_title OUTPUT status | search status=True
-iseval = 0
-
 
 # Cisco IOS
 [cs_cisco_ios]

diff --git a/cyences_app_for_splunk/default/savedsearches.conf b/cyences_app_for_splunk/default/savedsearches.conf
@@ -1855,47 +1855,8 @@ action.cyences_send_email_action = 1
 action.cyences_notable_event_action.products = Google Workspace
 action.cyences_notable_event_action.teams = SOC
 
-
-[Google Workspace - Suspicious File Shared by External User on Google Drive]
-disabled = 1
-enableSched = 1
-alert.track = 1
-alert.severity = 4
-alert.suppress = 0
-counttype = number of events
-quantity = 0
-relation = greater than
-cron_schedule = 57 * * * *
-description = The alert will generate if Suspicious File Shared by External User on Google Drive. \
-NOTE: cs_email_user_domain macro must be configured with the domain name in order to use this alert. \
-Data Collection - Google drive activity reports data from Splunk Add-on for Google Workspace (https://splunkbase.splunk.com/app/5556) 
-dispatch.earliest_time = -6h@h
-dispatch.latest_time = now
-display.general.type = statistics
-display.page.search.tab = statistics
-display.page.search.mode = fast
-request.ui_dispatch_app = cyences_app_for_splunk
-request.ui_dispatch_view = search
-search = `cs_gws` sourcetype="gws:reports:drive" _index_earliest=-61m@m _index_latest=-1m@m \
-| `cs_gws_search_suspicious_title` \
-| rex field=owner "[^@]+@(?<src_domain>[^@]+)" \
-| where isnotnull(src_domain) \
-| search NOT src_domain IN `cs_email_user_domain` \
-| `cs_user_privilege_mapping(target_user)` \
-| stats values(doc_title) as doc_title, values(doc_type) as doc_type, values(event.name) as event.name, values(target_user) as dst_email_list, values(is_privileged_user) as is_privileged_user, count, min(_time) as firstTime, max(_time) as lastTime by owner \
-| rename owner as external_user \
-| eval cyences_severity = if(is_privileged_user=="Yes", "critical", "high") \
-| `cs_human_readable_time_format(firstTime)` \
-| `cs_human_readable_time_format(lastTime)` \
-| `cs_gws_suspicious_file_shared_by_external_user_filter`
-action.cyences_notable_event_action = 1
-action.cyences_notable_event_action.param.filter_macro_name = cs_gws_suspicious_file_shared_by_external_user_filter
-action.cyences_notable_event_action.contributing_events = `cs_gws` sourcetype="gws:reports:drive" | `cs_gws_search_suspicious_title` | rex field=owner "[^@]+@(?<src_domain>[^@]+)" | where isnotnull(src_domain) | search NOT src_domain IN `cs_email_user_domain`
-action.cyences_notable_event_action.system_compromised_search = | stats count by external_user
-action.cyences_notable_event_action.system_compromised_drilldown = `cs_gws` sourcetype="gws:reports:drive" | `cs_gws_search_suspicious_title` | rex field=owner "[^@]+@(?<src_domain>[^@]+)" | where isnotnull(src_domain) | search NOT src_domain IN `cs_email_user_domain` | search owner=$row.external_user$ 
-action.cyences_send_email_action = 1
-action.cyences_notable_event_action.products = Google Workspace
-action.cyences_notable_event_action.teams = SOC
+# This alert has been removed and commented here for future reference as it contains a static list of suspicious file titles, which is not maintainable and causes false positives.
+# [Google Workspace - Suspicious File Shared by External User on Google Drive]
 
 
 # TODO - Add DLP alert (regarding sharing the sensitive info) from gws:alerts sourcetype (required subscription to generate events)