Merge pull request #593 from CrossRealms/remove-deprecated-alerts

removed deprecated alerts
CrossRealms · Aug 7, 2024 · c17e9b6 · c17e9b6
2 parents 145e135 + dc237e1
commit c17e9b6
Show file tree

Hide file tree

Showing 2 changed files with 0 additions and 251 deletions.
diff --git a/cyences_app_for_splunk/default/macros.conf b/cyences_app_for_splunk/default/macros.conf
@@ -283,10 +283,6 @@ iseval = 0
 definition = `cs_linux` sourcetype="cyences:linux:users"
 iseval = 0
 
-[cs_linux_sudousers]
-definition = `cs_linux` sourcetype="sudousers"
-iseval = 0
-
 [cs_linux_interfaces]
 definition = `cs_linux` sourcetype="interfaces"
 iseval = 0
@@ -874,10 +870,6 @@ iseval = 0
 definition = index=o365
 iseval = 0
 
-[cs_o365_success_login_outside_country_filter]
-definition = search *
-iseval = 0
-
 [cs_o365_successful_login_from_unusual_country_filter]
 definition = search *
 iseval = 0
@@ -894,14 +886,6 @@ iseval = 0
 definition = search *
 iseval = 0
 
-[cs_confirmiplocation]
-definition = search *
-iseval = 0
-
-[cs_o365_failed_login_due_to_mfs_outside_country_filter]
-definition = search *
-iseval = 0
-
 [cs_o365_failed_login_due_to_mfs_from_unusual_country_filter]
 definition = search *
 iseval = 0
@@ -1369,10 +1353,6 @@ iseval = 0
 definition = search *
 iseval = 0
 
-[cs_authentication_successful_vpn_login_outside_home_country_filter]
-definition = search *
-iseval = 0
-
 [cs_authentication_vpn_login_attemps_outside_working_hour_filter]
 definition = search *
 iseval = 0
@@ -1465,10 +1445,6 @@ iseval = 0
 definition = index IN (os, linux)
 iseval = 0
 
-[cs_change_in_sudo_access_of_local_linux_account_filter]
-definition = search *
-iseval = 0
-
 [cs_change_in_user_linux_filter]
 definition = search *
 iseval = 0

diff --git a/cyences_app_for_splunk/default/savedsearches.conf b/cyences_app_for_splunk/default/savedsearches.conf
@@ -2360,52 +2360,6 @@ action.cyences_notable_event_action.attacker_drilldown = `cs_o365` sourcetype="o
 action.cyences_send_email_action = 1
 action.cyences_notable_event_action.products = Office 365
 
-[O365 - Login Failure Outside Home Country Due To Multi Factor Authentication]
-disabled = 1
-enableSched = 1
-alert.track = 1
-alert.severity = 4
-alert.suppress = 0
-counttype = number of events
-quantity = 0
-relation = greater than
-cron_schedule = 9,39 * * * *
-description = This alert will show the login failure outside home country due to multi factor authentication. \
-\
-Data Collection - Office 365 management activity data (Splunk Add-on for Office 365). 
-dispatch.earliest_time = -2h@h
-dispatch.latest_time = +2h@h
-display.general.type = statistics
-display.page.search.tab = statistics
-display.page.search.mode = fast
-request.ui_dispatch_app = cyences_app_for_splunk
-request.ui_dispatch_view = search
-search = `cs_o365` sourcetype="o365:management:activity" _index_earliest=-31m@m _index_latest=-1m@m Workload=AzureActiveDirectory Operation=UserLoginFailed (LogonError="DeviceAuthenticationRequired" OR LogonError="UserStrongAuthClientAuthNRequiredInterrupt" ) user!="not available" \
-| eval ExtendedProperties=mvzip('ExtendedProperties{}.Name','ExtendedProperties{}.Value'," : ") \
-| stats count, values(user_type) as user_type, values(authentication_method) as authentication_method, max(_time) as Last_Failed_Login, values(LogonError) as LogonError, values(ApplicationId) as ApplicationId, values(ExtendedProperties) as ExtendedProperties by user, ClientIP \
-| iplocation ClientIP \
-| where Country!=`cs_home_country` \
-| `cs_confirmiplocation` \
-| fillnull Country, Region, City value="-" \
-| eval Location=ClientIP." (".count.") | ".Country." | ".Region." | ".City \
-| stats sum(count) as count, values(user_type) as user_type, values(authentication_method) as authentication_method, max(Last_Failed_Login) as Last_Failed_Login, list(Location) as Location, values(LogonError) as LogonError, values(ApplicationId) as ApplicationId, values(ExtendedProperties) as ExtendedProperties by user \
-| `cs_user_privilege_mapping(user)` \
-| eval cyences_severity = case(user_type=="Admin" or user_type=="DcAdmin" or is_privileged_user=="Yes", "medium", true(), "low") \
-| sort - count \
-| `cs_human_readable_time_format(Last_Failed_Login)` \
-| `cs_o365_failed_login_due_to_mfs_outside_country_filter`
-action.cyences_notable_event_action = 1
-action.cyences_notable_event_action.param.filter_macro_name = cs_o365_failed_login_due_to_mfs_outside_country_filter
-action.cyences_notable_event_action.contributing_events = `cs_o365` sourcetype="o365:management:activity" Workload=AzureActiveDirectory Operation=UserLoginFailed (LogonError="DeviceAuthenticationRequired" OR LogonError="UserStrongAuthClientAuthNRequiredInterrupt") user!="not available"
-action.cyences_notable_event_action.system_compromised_search = | stats count by user
-action.cyences_notable_event_action.system_compromised_drilldown = `cs_o365` sourcetype="o365:management:activity" Workload=AzureActiveDirectory Operation=UserLoginFailed (LogonError="DeviceAuthenticationRequired" OR LogonError="UserStrongAuthClientAuthNRequiredInterrupt") user!="not available" user=$row.user$
-action.cyences_notable_event_action.attacker_search = | stats count by LogonError
-action.cyences_notable_event_action.attacker_drilldown = `cs_o365` sourcetype="o365:management:activity" Workload=AzureActiveDirectory Operation=UserLoginFailed user!="not available" LogonError=$row.LogonError$
-action.cyences_send_email_action = 1
-action.cyences_notable_event_action.products = Office 365
-action.cyences_notable_event_action.deprecated = 1
-action.cyences_notable_event_action.deprecated_from_version = 4.0.0
-action.cyences_notable_event_action.deprecated_replacement = O365 - Login Failure From Unusual Country Due To Multi Factor Authentication
 
 [O365 - Login Failure From Unusual Country Due To Multi Factor Authentication]
 disabled = 1
@@ -2496,49 +2450,6 @@ action.cyences_notable_event_action.contributing_events = `cs_o365` sourcetype="
 action.cyences_send_email_action = 1
 action.cyences_notable_event_action.products = Office 365
 
-[O365 - Successful Login Outside Home Country]
-disabled = 1
-enableSched = 1
-alert.track = 1
-alert.severity = 4
-alert.suppress = 0
-counttype = number of events
-quantity = 0
-relation = greater than
-cron_schedule = 9,39 * * * *
-description = This alert will show the successful login outside home country. \
-\
-Data Collection - Office 365 management activity data (Splunk Add-on for Office 365). 
-dispatch.earliest_time = -2h@h
-dispatch.latest_time = +2h@h
-display.general.type = statistics
-display.page.search.tab = statistics
-display.page.search.mode = fast
-request.ui_dispatch_app = cyences_app_for_splunk
-request.ui_dispatch_view = search
-search = `cs_o365` sourcetype="o365:management:activity" _index_earliest=-31m@m _index_latest=-1m@m Workload=AzureActiveDirectory Operation=UserLoggedIn NOT LogonError=* user!="not available" \
-| stats count, values(user_type) as user_type, values(authentication_method) as authentication_method, max(_time) as Last_Success_Login, values(ApplicationId) as ApplicationId by user, ClientIP \
-| iplocation ClientIP \
-| where Country!=`cs_home_country` \
-| `cs_confirmiplocation` \
-| fillnull Country, Region, City value="-" \
-| eval Location=ClientIP." (".count.") | ".Country." | ".Region." | ".City \
-| stats sum(count) as count, values(user_type) as user_type, values(authentication_method) as authentication_method, max(Last_Success_Login) as Last_Success_Login, list(Location) as Location, values(ApplicationId) as ApplicationId by user \
-| `cs_user_privilege_mapping(user)` \
-| eval cyences_severity = case(user_type=="Admin" or user_type=="DcAdmin" or is_privileged_user=="Yes", "medium", true(), "low") \
-| sort - count \
-| `cs_human_readable_time_format(Last_Success_Login)` \
-| `cs_o365_success_login_outside_country_filter`
-action.cyences_notable_event_action = 1
-action.cyences_notable_event_action.param.filter_macro_name = cs_o365_success_login_outside_country_filter
-action.cyences_notable_event_action.contributing_events = `cs_o365` sourcetype="o365:management:activity"  Workload=AzureActiveDirectory Operation=UserLoggedIn NOT LogonError=* user!="not available" | iplocation ClientIP | where Country!=`cs_home_country` | `cs_confirmiplocation`
-action.cyences_notable_event_action.system_compromised_search = | stats count by user
-action.cyences_notable_event_action.system_compromised_drilldown = `cs_o365` sourcetype="o365:management:activity"  Workload=AzureActiveDirectory Operation=UserLoggedIn NOT LogonError=* user!="not available" user=$row.user$ | iplocation ClientIP | where Country!=`cs_home_country` | `cs_confirmiplocation`
-action.cyences_send_email_action = 1
-action.cyences_notable_event_action.products = Office 365
-action.cyences_notable_event_action.deprecated = 1
-action.cyences_notable_event_action.deprecated_from_version = 4.0.0
-action.cyences_notable_event_action.deprecated_replacement = O365 - Successful Login From Unusual Country
 
 [O365 - Successful Login From Unusual Country]
 disabled = 1
@@ -5470,53 +5381,6 @@ action.cyences_send_email_action = 1
 action.cyences_notable_event_action.products = VPN
 
 
-[Authentication - Successful VPN Login Outside Home Country]
-disabled = 0
-enableSched = 1
-alert.track = 1
-alert.severity = 4
-alert.suppress = 0
-counttype = number of events
-quantity = 0
-relation = greater than
-cron_schedule = 59 * * * *
-description = A Successful login outside home country for VPN from a perticular source. \
-\
-Data Collection - VPN data mapped with authentication data-model and has dest_category=vpn_auth.
-dispatch.earliest_time = -62m@m
-dispatch.latest_time = -2m@m
-display.general.type = statistics
-display.page.search.tab = statistics
-display.page.search.mode = fast
-request.ui_dispatch_app = cyences_app_for_splunk
-request.ui_dispatch_view = search
-search = | tstats `cs_summariesonly_authentication` count, max(_time) as Last_Success_Login from datamodel=Cyences_Authentication where Authentication.action="success" AND Authentication.dest_category="vpn_auth" AND `cs_vpn_indexes` by Authentication.user, Authentication.src, Authentication.dest \
-| rename Authentication.* as * \
-| iplocation src \
-| where Country!=`cs_home_country` \
-| `cs_confirmiplocation` \
-| fillnull Country, Region, City value="-" \
-| eval Location=src." (".count.") | ".Country." | ".Region." | ".City \
-| stats sum(count) as count, max(Last_Success_Login) as Last_Success_Login, list(Location) as Location, values(dest) as Dest by user \
-| `cs_user_privilege_mapping(user)` \
-| eval cyences_severity = if(is_privileged_user=="Yes", "critical", "medium") \
-| sort - count \
-| `cs_human_readable_time_format(Last_Success_Login)` \
-| `cs_authentication_successful_vpn_login_outside_home_country_filter`
-action.cyences_notable_event_action = 1
-action.cyences_notable_event_action.param.filter_macro_name = cs_authentication_successful_vpn_login_outside_home_country_filter
-action.cyences_notable_event_action.contributing_events = index=* `cs_vpn_indexes` tag=authentication action="success" dest_category="vpn_auth" | iplocation src | where Country!=`cs_home_country` | `cs_confirmiplocation` 
-action.cyences_notable_event_action.system_compromised_search = | stats count by Dest
-action.cyences_notable_event_action.system_compromised_drilldown = index=* `cs_vpn_indexes` dest=$row.Dest$ tag=authentication action="success" dest_category="vpn_auth" | iplocation src | where Country!=`cs_home_country` | `cs_confirmiplocation` 
-action.cyences_notable_event_action.attacker_search = | stats count by user
-action.cyences_notable_event_action.attacker_drilldown = index=* `cs_vpn_indexes` user=$row.user$ tag=authentication action="success" dest_category="vpn_auth" | iplocation src | where Country!=`cs_home_country` | `cs_confirmiplocation` 
-action.cyences_send_email_action = 1
-action.cyences_notable_event_action.products = VPN
-action.cyences_notable_event_action.deprecated = 1
-action.cyences_notable_event_action.deprecated_from_version = 4.0.0
-action.cyences_notable_event_action.deprecated_replacement = Authentication - Successful VPN Login From Unusual Country
-
-
 [Authentication - VPN Login Attemps Outside Working Hours]
 disabled = 0
 enableSched = 1
@@ -5778,97 +5642,6 @@ action.cyences_notable_event_action.products = Radius Authentication
 # ===============
 # Linux/Unix
 # ===============
-[Linux - Change in Sudo Access of Local Linux Account]
-disabled = 1
-enableSched = 1
-alert.track = 1
-alert.severity = 3
-alert.suppress = 0
-cron_schedule = 59 * * * *
-counttype = number of events
-quantity = 0
-relation = greater than
-description = This report generate lookup of linux local accounts and raise an alert when there is change in sudo access for last 60mins.\
-\
-Data Collection : Below two scripted inputs must be enable. \
-                  Splunk_TA_nix Add-on -> usersWithLoginPrivs.sh \
-                  Cyences add-on for Splunk -> sudousers.sh
-dispatch.earliest_time = -62m@m
-dispatch.latest_time = -2m@m
-display.general.type = statistics
-display.page.search.tab = statistics
-display.page.search.mode = fast
-request.ui_dispatch_app = cyences_app_for_splunk
-request.ui_dispatch_view = search
-search = `cs_linux_users_with_previledge` \
-| table _time host UID USERNAME GID HOME_DIR \
-| eval user_discovery=_time \
-| stats earliest(_time) as _time latest(*) as * by host UID \
-| append \
-    [| search `cs_linux_sudousers` \
-    | stats latest(_raw) as raw latest(_time) as sudo_discover by host \
-    | rex field=raw "sudouser=(?<USERNAME>.*)" max_match=0 \
-    | fields - raw \
-    | mvexpand USERNAME \
-    | eval sudo_access="Yes" ] \
-| stats first(sudo*) as sudo*_new first(user_discovery) as user_discovery_new first(*) as * by host, USERNAME \
-| appendpipe \
-    [| inputlookup cs_linux_user_list.csv \
-    | rename sudo_last_modified as sudo_discover,user_last_modified as user_discovery ] \
-| join host type=left \
-    [| tstats count where index=_internal host=*  earliest=-5m@m latest=now  by host \
-    | eval internal_logs="Yes" ] \
-| stats first(*) as * by host USERNAME \
-| eval sudo_last_modified=case(isnull(internal_logs),sudo_discover,\
-    isnull(user_discovery_new) and isnull(sudo_access),null(),\
-    isnull(user_discovery_new) and isnotnull(sudo_access),now(),\
-    isnull(sudo_access_new) and isnull(sudo_access),null(),\
-    isnotnull(sudo_access_new) and isnull(sudo_access),sudo_discover_new,\
-    isnotnull(sudo_access_new) and isnotnull(sudo_access) and sudo_access=="Yes",sudo_discover,\
-    isnotnull(sudo_access_new) and isnotnull(sudo_access) and (sudo_access=="Sudo Access Revoked" OR sudo_access=="User Removed"),sudo_discover_new,\
-    isnull(sudo_access_new) and isnotnull(sudo_access) and sudo_access=="Yes",now(),\
-    isnull(sudo_access_new) and isnotnull(sudo_access) and (sudo_access=="Sudo Access Revoked" OR sudo_access=="User Removed"),sudo_discover) \
-| eval sudo_access=case(isnull(internal_logs),sudo_access,\
-    isnull(user_discovery_new) and isnull(sudo_access),null(),\
-    isnull(user_discovery_new) and isnotnull(sudo_access),"User Removed",\
-    isnull(sudo_access_new) and isnull(sudo_access),null(),\
-    isnotnull(sudo_access_new) and isnull(sudo_access),"Yes",\
-    isnotnull(sudo_access_new) and isnotnull(sudo_access) and sudo_access=="Yes",sudo_access,\
-    isnotnull(sudo_access_new) and isnotnull(sudo_access) and (sudo_access=="Sudo Access Revoked" OR sudo_access=="User Removed"),"Yes",\
-    isnull(sudo_access_new) and isnotnull(sudo_access) and sudo_access=="Yes","Sudo Access Revoked",\
-    isnull(sudo_access_new) and isnotnull(sudo_access) and (sudo_access=="Sudo Access Revoked" OR sudo_access=="User Removed"),sudo_access) \
-| eval user_status=case(isnull(internal_logs),user_status,\
-    isnull(user_discovery_new) and isnull(user_discovery), null(),\
-    isnotnull(user_discovery_new) and isnull(user_discovery), "User Available",\
-    isnotnull(user_discovery_new) and isnotnull(user_discovery), "User Available",\
-    isnull(user_discovery_new) and isnotnull(user_discovery), "User Removed") \
-| eval user_last_modified=case(isnull(internal_logs),user_discovery,\
-    isnull(user_discovery_new) and isnull(user_discovery), null(),\
-    isnotnull(user_discovery_new) and isnull(user_discovery), user_discovery_new,\
-    isnotnull(user_discovery_new) and isnotnull(user_discovery),user_discovery,\
-    isnull(user_discovery_new) and isnotnull(user_discovery), now()) \
-| fields - user_discovery*,sudo_discover*,sudo_access_new,internal_logs,count,sudo_last_modified_check, \
-| appendpipe \
-    [| outputlookup cs_linux_user_list.csv \
-    | where hostname="DO-NOT-RETURN-ANYRESULTS"] \
-| where sudo_last_modified>relative_time(now(),"-62m") \
-| eval cyences_severity = case(sudo_access=="Yes", "high", sudo_access=="Sudo Access Revoked", "medium", true(), "low") \
-| `cs_human_readable_time_format(sudo_last_modified)` \
-| `cs_human_readable_time_format(user_last_modified)` \
-| `cs_change_in_sudo_access_of_local_linux_account_filter`
-action.cyences_notable_event_action = 1
-action.cyences_notable_event_action.param.filter_macro_name = cs_change_in_sudo_access_of_local_linux_account_filter
-action.cyences_notable_event_action.contributing_events = `cs_linux_sudousers` | rex field=_raw "sudouser=(?<USERNAME>.*)" max_match=0
-action.cyences_notable_event_action.system_compromised_search = | stats count by host
-action.cyences_notable_event_action.system_compromised_drilldown = `cs_linux_sudousers` host=$row.host$ | rex field=_raw "sudouser=(?<USERNAME>.*)" max_match=0
-action.cyences_notable_event_action.attacker_search = | stats count by USERNAME
-action.cyences_notable_event_action.attacker_drilldown = `cs_linux_sudousers` $row.USERNAME$ | rex field=_raw "sudouser=(?<USERNAME>.*)" max_match=0
-action.cyences_send_email_action = 1
-action.cyences_notable_event_action.products = Linux
-action.cyences_notable_event_action.deprecated = 1
-action.cyences_notable_event_action.deprecated_from_version = 4.1.0
-action.cyences_notable_event_action.deprecated_replacement = Linux - User Added/Updated/Deleted
-
 
 [Linux - cs_linux_groups Lookup Gen]
 disabled = 0