Merge pull request #644 from CrossRealms/update-unusual-outbound-traf…

…fic-alert Update unusual outbound traffic alert
CrossRealms · Oct 3, 2024 · b25d976 · b25d976
2 parents 3b680ab + a666ce9
commit b25d976
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 3 deletions.
diff --git a/cyences_app_for_splunk/default/macros.conf b/cyences_app_for_splunk/default/macros.conf
@@ -386,6 +386,9 @@ definition = 0.5
 # no. of packets in millions
 definition = 0.5
 
+[cs_network_outbound_min_MB_traffic]
+definition = 10000
+
 # O365
 [cs_o365_authorizationpolicy_change_internal_filter]
 definition = search *
@@ -1644,4 +1647,4 @@ iseval = 0
 
 [cs_f5_bigip_not_blocked_attacks_filter]
 definition = search *
-iseval = 0
+iseval = 0
diff --git a/cyences_app_for_splunk/default/savedsearches.conf b/cyences_app_for_splunk/default/savedsearches.conf
@@ -3040,7 +3040,7 @@ search = | tstats `cs_summariesonly_network_traffic` sum(All_Traffic.bytes) as t
     | fields - total_m_packets_] \
 | stats sum(total_m_packets) as total_m_packets, sum(total_MB) as total_MB, list(dest_ip_mix) as dest_ip_mix, list(action_mix) as actions by src_ip \
 | eval top5_dest_ip=mvindex(dest_ip_mix,0,4) | fields - dest_ip_mix \
-| where total_m_packets>`cs_network_outbound_min_m_packets` \
+| where total_m_packets>`cs_network_outbound_min_m_packets` OR total_MB> `cs_network_outbound_min_MB_traffic` \
 | lookup cs_outbound_network_traffic_upperbound.csv src_ip \
 | where total_m_packets>upperBound_total_m_packets OR total_MB > upperBound_total_MB \
 | eval cyences_severity = case(total_m_packets>upperBound_total_m_packets*3 OR total_MB>upperBound_total_MB*3, "critical", total_m_packets>upperBound_total_m_packets*2 OR total_MB>upperBound_total_MB*2, "high", true(), "medium") \
@@ -6623,4 +6623,4 @@ action.cyences_notable_event_action.system_compromised_drilldown =  `cs_f5_bigip
 action.cyences_notable_event_action.attacker_search = | stats count by ip_client
 action.cyences_notable_event_action.attacker_drilldown =  `cs_f5_bigip_asm` ip_client="*" dest_ip="*" severity IN ("critical","high","medium") enforcement_action!=block attack_type!="JSON Parser Attack" ip_client=$row.ip_client$
 action.cyences_send_email_action = 1
-action.cyences_notable_event_action.products = F5 BIGIP
+action.cyences_notable_event_action.products = F5 BIGIP