From ef03708f310538f7920b7be78c383a698ac709bc Mon Sep 17 00:00:00 2001
From: Hardik Dholariya <57986609+hardikhdholariya@users.noreply.github.com>
Date: Thu, 26 Sep 2024 15:03:07 +0530
Subject: [PATCH 1/5] Added filter for total_MB
---
 cyences_app_for_splunk/default/savedsearches.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/cyences_app_for_splunk/default/savedsearches.conf b/cyences_app_for_splunk/default/savedsearches.conf
index bb20b629..c3124091 100644
--- a/cyences_app_for_splunk/default/savedsearches.conf
+++ b/cyences_app_for_splunk/default/savedsearches.conf
@@ -3040,7 +3040,7 @@ search = | tstats `cs_summariesonly_network_traffic` sum(All_Traffic.bytes) as t
 | fields - total_m_packets_] \
 | stats sum(total_m_packets) as total_m_packets, sum(total_MB) as total_MB, list(dest_ip_mix) as dest_ip_mix, list(action_mix) as actions by src_ip \
 | eval top5_dest_ip=mvindex(dest_ip_mix,0,4) | fields - dest_ip_mix \
-| where total_m_packets>`cs_network_outbound_min_m_packets` \
+| where total_m_packets>`cs_network_outbound_min_m_packets` AND total_MB> `cs_network_outbound_min_MB_traffic` \
 | lookup cs_outbound_network_traffic_upperbound.csv src_ip \
 | where total_m_packets>upperBound_total_m_packets OR total_MB > upperBound_total_MB \
 | eval cyences_severity = case(total_m_packets>upperBound_total_m_packets*3 OR total_MB>upperBound_total_MB*3, "critical", total_m_packets>upperBound_total_m_packets*2 OR total_MB>upperBound_total_MB*2, "high", true(), "medium") \
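Review bot: The added `+| where` line references `cs_network_outbound_min_MB_traffic`, which this commit does not define; macros.conf only gains that stanza in PATCH 2/5, so at this commit the saved search cannot resolve the macro and the detection produces nothing until the next commit lands. Folding the macro definition into this commit, or ordering PATCH 2/5 first, keeps every commit runnable and bisectable. As a point of style, `total_MB> `cs_network_outbound_min_MB_traffic`` carries a space that the neighbouring `total_m_packets>`cs_network_outbound_min_m_packets`` comparison does not; `total_MB>`cs_network_outbound_min_MB_traffic`` matches it. The `search =` body starts before the hunk and, given the trailing continuation backslash, continues after it.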
@@ -6623,4 +6623,4 @@ action.cyences_notable_event_action.system_compromised_drilldown = `cs_f5_bigip
 action.cyences_notable_event_action.attacker_search = | stats count by ip_client
 action.cyences_notable_event_action.attacker_drilldown = `cs_f5_bigip_asm` ip_client="*" dest_ip="*" severity IN ("critical","high","medium") enforcement_action!=block attack_type!="JSON Parser Attack" ip_client=$row.ip_client$
 action.cyences_send_email_action = 1
-action.cyences_notable_event_action.products = F5 BIGIP
\ No newline at end of file
+action.cyences_notable_event_action.products = F5 BIGIP
From bee775911fc9a4eea276cb4d4969e196cbb11849 Mon Sep 17 00:00:00 2001
From: Hardik Dholariya <57986609+hardikhdholariya@users.noreply.github.com>
Date: Thu, 26 Sep 2024 15:07:16 +0530
Subject: [PATCH 2/5] Added macro
---
 cyences_app_for_splunk/default/macros.conf | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/cyences_app_for_splunk/default/macros.conf b/cyences_app_for_splunk/default/macros.conf
index 10473dbe..ad3858d4 100644
--- a/cyences_app_for_splunk/default/macros.conf
+++ b/cyences_app_for_splunk/default/macros.conf
@@ -386,6 +386,9 @@ definition = 0.5
 # no. of packets in millions
 definition = 0.5
+[cs_network_outbound_min_MB_traffic]
+definition = 0
+
 # O365
 [cs_o365_authorizationpolicy_change_internal_filter]
 definition = search *
@@ -1644,4 +1647,4 @@ iseval = 0
 [cs_f5_bigip_not_blocked_attacks_filter]
 definition = search *
-iseval = 0
\ No newline at end of file
+iseval = 0
From d83d51f664eb88d58afb49c02ebe7b438bc8f221 Mon Sep 17 00:00:00 2001
From: Hardik Dholariya <57986609+hardikhdholariya@users.noreply.github.com>
Date: Thu, 26 Sep 2024 15:25:33 +0530
Subject: [PATCH 3/5] macro value changes
---
 cyences_app_for_splunk/default/macros.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cyences_app_for_splunk/default/macros.conf b/cyences_app_for_splunk/default/macros.conf
index ad3858d4..899c230f 100644
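Review bot: The new `[cs_network_outbound_min_MB_traffic]` stanza in the macros.conf hunk at line 386 has no unit comment, while the stanza directly above it documents its threshold with `# no. of packets in millions`; an analyst tuning this value has to open savedsearches.conf to learn it is compared against `total_MB`. Add `# minimum outbound traffic in MB` above `definition = 0`. Whether "MB" here means 10^6 or 2^20 bytes is not visible in either file (the search derives the figure from `sum(All_Traffic.bytes)`, but the conversion is outside the hunk), so stating it in that comment would settle it for the reader. The same stanza is re-tuned in PATCH 3/5 and PATCH 5/5 without a comment either, so this note applies to those hunks as well.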
--- a/cyences_app_for_splunk/default/macros.conf
+++ b/cyences_app_for_splunk/default/macros.conf
@@ -387,7 +387,7 @@ definition = 0.5
 definition = 0.5
 [cs_network_outbound_min_MB_traffic]
-definition = 0
+definition = 10
 # O365
 [cs_o365_authorizationpolicy_change_internal_filter]
From 6fe6a0432fa2b7b90078196832ec46a95a77ee7a Mon Sep 17 00:00:00 2001
From: Hardik Dholariya <57986609+hardikhdholariya@users.noreply.github.com>
Date: Fri, 27 Sep 2024 20:35:26 +0530
Subject: [PATCH 4/5] updated the condition
---
 cyences_app_for_splunk/default/savedsearches.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cyences_app_for_splunk/default/savedsearches.conf b/cyences_app_for_splunk/default/savedsearches.conf
index c3124091..bc441117 100644
--- a/cyences_app_for_splunk/default/savedsearches.conf
+++ b/cyences_app_for_splunk/default/savedsearches.conf
@@ -3040,7 +3040,7 @@ search = | tstats `cs_summariesonly_network_traffic` sum(All_Traffic.bytes) as t
 | fields - total_m_packets_] \
 | stats sum(total_m_packets) as total_m_packets, sum(total_MB) as total_MB, list(dest_ip_mix) as dest_ip_mix, list(action_mix) as actions by src_ip \
 | eval top5_dest_ip=mvindex(dest_ip_mix,0,4) | fields - dest_ip_mix \
-| where total_m_packets>`cs_network_outbound_min_m_packets` AND total_MB> `cs_network_outbound_min_MB_traffic` \
+| where total_m_packets>`cs_network_outbound_min_m_packets` OR total_MB> `cs_network_outbound_min_MB_traffic` \
 | lookup cs_outbound_network_traffic_upperbound.csv src_ip \
 | where total_m_packets>upperBound_total_m_packets OR total_MB > upperBound_total_MB \
 | eval cyences_severity = case(total_m_packets>upperBound_total_m_packets*3 OR total_MB>upperBound_total_MB*3, "critical", total_m_packets>upperBound_total_m_packets*2 OR total_MB>upperBound_total_MB*2, "high", true(), "medium") \
From a666ce9f6426141a325f0629b919caab893466a3 Mon Sep 17 00:00:00 2001
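Review bot: Switching the savedsearches.conf `where` from AND to OR changes what the new MB threshold does: PATCH 1/5 was titled as a filter, but with OR the `total_MB` term can only admit additional hosts, never suppress one that already exceeds `cs_network_outbound_min_m_packets`, so it no longer reduces noise. With the value the series settles on (`definition = 10000` in PATCH 5/5), a host sending 10000 MB will in most traffic mixes have far more than 0.5 million packets and already pass on the packet term, so the MB branch is likely to fire only where packet counts are low or absent in the data model; that depends on the data, so it is worth confirming against real results. If the intent was to suppress chatty hosts with many small packets but little data, AND with a lower threshold was the right shape; if the intent is a second trigger for large-volume, low-packet senders, OR is consistent with the `upperBound_*` check and the severity `case` below, and a one-line comment in the macro stanza saying so would spare the next reader the same question. The `search =` body starts before the hunk and continues after it.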
From: Hardik Dholariya <57986609+hardikhdholariya@users.noreply.github.com>
Date: Fri, 27 Sep 2024 22:24:30 +0530
Subject: [PATCH 5/5] updated the min MB value
---
 cyences_app_for_splunk/default/macros.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cyences_app_for_splunk/default/macros.conf b/cyences_app_for_splunk/default/macros.conf
index 899c230f..faaa498f 100644
--- a/cyences_app_for_splunk/default/macros.conf
+++ b/cyences_app_for_splunk/default/macros.conf
@@ -387,7 +387,7 @@ definition = 0.5
 definition = 0.5
 [cs_network_outbound_min_MB_traffic]
-definition = 10
+definition = 10000
 # O365
 [cs_o365_authorizationpolicy_change_internal_filter]