diff --git a/cyences_app_for_splunk/default/macros.conf b/cyences_app_for_splunk/default/macros.conf
index ad0292a1..1e8481ce 100644
--- a/cyences_app_for_splunk/default/macros.conf
+++ b/cyences_app_for_splunk/default/macros.conf
@@ -283,10 +283,6 @@ iseval = 0
 definition = `cs_linux` sourcetype="cyences:linux:users"
 iseval = 0
 
-[cs_linux_sudousers]
-definition = `cs_linux` sourcetype="sudousers"
-iseval = 0
-
 [cs_linux_interfaces]
 definition = `cs_linux` sourcetype="interfaces"
 iseval = 0
@@ -874,10 +870,6 @@ iseval = 0
 definition = index=o365
 iseval = 0
 
-[cs_o365_success_login_outside_country_filter]
-definition = search *
-iseval = 0
-
 [cs_o365_successful_login_from_unusual_country_filter]
 definition = search *
 iseval = 0
@@ -894,14 +886,6 @@ iseval = 0
 definition = search *
 iseval = 0
 
-[cs_confirmiplocation]
-definition = search *
-iseval = 0
-
-[cs_o365_failed_login_due_to_mfs_outside_country_filter]
-definition = search *
-iseval = 0
-
 [cs_o365_failed_login_due_to_mfs_from_unusual_country_filter]
 definition = search *
 iseval = 0
@@ -1369,10 +1353,6 @@ iseval = 0
 definition = search *
 iseval = 0
 
-[cs_authentication_successful_vpn_login_outside_home_country_filter]
-definition = search *
-iseval = 0
-
 [cs_authentication_vpn_login_attemps_outside_working_hour_filter]
 definition = search *
 iseval = 0
@@ -1465,10 +1445,6 @@ iseval = 0
 definition = index IN (os, linux)
 iseval = 0
 
-[cs_change_in_sudo_access_of_local_linux_account_filter]
-definition = search *
-iseval = 0
-
 [cs_change_in_user_linux_filter]
 definition = search *
 iseval = 0
diff --git a/cyences_app_for_splunk/default/savedsearches.conf b/cyences_app_for_splunk/default/savedsearches.conf
index 7df1c169..eb6bccf4 100644
--- a/cyences_app_for_splunk/default/savedsearches.conf
+++ b/cyences_app_for_splunk/default/savedsearches.conf
@@ -2360,52 +2360,6 @@ action.cyences_notable_event_action.attacker_drilldown = `cs_o365` sourcetype="o
 action.cyences_send_email_action = 1
 action.cyences_notable_event_action.products = Office 365
 
-[O365 - Login Failure Outside Home Country Due To Multi Factor Authentication]
-disabled = 1
-enableSched = 1
-alert.track = 1
-alert.severity = 4
-alert.suppress = 0
-counttype = number of events
-quantity = 0
-relation = greater than
-cron_schedule = 9,39 * * * *
-description = This alert will show the login failure outside home country due to multi factor authentication. \
-\
-Data Collection - Office 365 management activity data (Splunk Add-on for Office 365).
-dispatch.earliest_time = -2h@h
-dispatch.latest_time = +2h@h
-display.general.type = statistics
-display.page.search.tab = statistics
-display.page.search.mode = fast
-request.ui_dispatch_app = cyences_app_for_splunk
-request.ui_dispatch_view = search
-search = `cs_o365` sourcetype="o365:management:activity" _index_earliest=-31m@m _index_latest=-1m@m Workload=AzureActiveDirectory Operation=UserLoginFailed (LogonError="DeviceAuthenticationRequired" OR LogonError="UserStrongAuthClientAuthNRequiredInterrupt" ) user!="not available" \
-| eval ExtendedProperties=mvzip('ExtendedProperties{}.Name','ExtendedProperties{}.Value'," : ") \
-| stats count, values(user_type) as user_type, values(authentication_method) as authentication_method, max(_time) as Last_Failed_Login, values(LogonError) as LogonError, values(ApplicationId) as ApplicationId, values(ExtendedProperties) as ExtendedProperties by user, ClientIP \
-| iplocation ClientIP \
-| where Country!=`cs_home_country` \
-| `cs_confirmiplocation` \
-| fillnull Country, Region, City value="-" \
-| eval Location=ClientIP." (".count.") | ".Country." | ".Region." 
| ".City \
-| stats sum(count) as count, values(user_type) as user_type, values(authentication_method) as authentication_method, max(Last_Failed_Login) as Last_Failed_Login, list(Location) as Location, values(LogonError) as LogonError, values(ApplicationId) as ApplicationId, values(ExtendedProperties) as ExtendedProperties by user \
-| `cs_user_privilege_mapping(user)` \
-| eval cyences_severity = case(user_type=="Admin" or user_type=="DcAdmin" or is_privileged_user=="Yes", "medium", true(), "low") \
-| sort - count \
-| `cs_human_readable_time_format(Last_Failed_Login)` \
-| `cs_o365_failed_login_due_to_mfs_outside_country_filter`
-action.cyences_notable_event_action = 1
-action.cyences_notable_event_action.param.filter_macro_name = cs_o365_failed_login_due_to_mfs_outside_country_filter
-action.cyences_notable_event_action.contributing_events = `cs_o365` sourcetype="o365:management:activity" Workload=AzureActiveDirectory Operation=UserLoginFailed (LogonError="DeviceAuthenticationRequired" OR LogonError="UserStrongAuthClientAuthNRequiredInterrupt") user!="not available"
-action.cyences_notable_event_action.system_compromised_search = | stats count by user
-action.cyences_notable_event_action.system_compromised_drilldown = `cs_o365` sourcetype="o365:management:activity" Workload=AzureActiveDirectory Operation=UserLoginFailed (LogonError="DeviceAuthenticationRequired" OR LogonError="UserStrongAuthClientAuthNRequiredInterrupt") user!="not available" user=$row.user$
-action.cyences_notable_event_action.attacker_search = | stats count by LogonError
-action.cyences_notable_event_action.attacker_drilldown = `cs_o365` sourcetype="o365:management:activity" Workload=AzureActiveDirectory Operation=UserLoginFailed user!="not available" LogonError=$row.LogonError$
-action.cyences_send_email_action = 1
-action.cyences_notable_event_action.products = Office 365
-action.cyences_notable_event_action.deprecated = 1
-action.cyences_notable_event_action.deprecated_from_version = 4.0.0
-action.cyences_notable_event_action.deprecated_replacement = O365 - Login Failure From Unusual Country Due To Multi Factor Authentication
 
 [O365 - Login Failure From Unusual Country Due To Multi Factor Authentication]
 disabled = 1
@@ -2496,49 +2450,6 @@ action.cyences_notable_event_action.contributing_events = `cs_o365` sourcetype="
 action.cyences_send_email_action = 1
 action.cyences_notable_event_action.products = Office 365
 
-[O365 - Successful Login Outside Home Country]
-disabled = 1
-enableSched = 1
-alert.track = 1
-alert.severity = 4
-alert.suppress = 0
-counttype = number of events
-quantity = 0
-relation = greater than
-cron_schedule = 9,39 * * * *
-description = This alert will show the successful login outside home country. \
-\
-Data Collection - Office 365 management activity data (Splunk Add-on for Office 365).
-dispatch.earliest_time = -2h@h
-dispatch.latest_time = +2h@h
-display.general.type = statistics
-display.page.search.tab = statistics
-display.page.search.mode = fast
-request.ui_dispatch_app = cyences_app_for_splunk
-request.ui_dispatch_view = search
-search = `cs_o365` sourcetype="o365:management:activity" _index_earliest=-31m@m _index_latest=-1m@m Workload=AzureActiveDirectory Operation=UserLoggedIn NOT LogonError=* user!="not available" \
-| stats count, values(user_type) as user_type, values(authentication_method) as authentication_method, max(_time) as Last_Success_Login, values(ApplicationId) as ApplicationId by user, ClientIP \
-| iplocation ClientIP \
-| where Country!=`cs_home_country` \
-| `cs_confirmiplocation` \
-| fillnull Country, Region, City value="-" \
-| eval Location=ClientIP." (".count.") | ".Country." | ".Region." 
| ".City \
-| stats sum(count) as count, values(user_type) as user_type, values(authentication_method) as authentication_method, max(Last_Success_Login) as Last_Success_Login, list(Location) as Location, values(ApplicationId) as ApplicationId by user \
-| `cs_user_privilege_mapping(user)` \
-| eval cyences_severity = case(user_type=="Admin" or user_type=="DcAdmin" or is_privileged_user=="Yes", "medium", true(), "low") \
-| sort - count \
-| `cs_human_readable_time_format(Last_Success_Login)` \
-| `cs_o365_success_login_outside_country_filter`
-action.cyences_notable_event_action = 1
-action.cyences_notable_event_action.param.filter_macro_name = cs_o365_success_login_outside_country_filter
-action.cyences_notable_event_action.contributing_events = `cs_o365` sourcetype="o365:management:activity" Workload=AzureActiveDirectory Operation=UserLoggedIn NOT LogonError=* user!="not available" | iplocation ClientIP | where Country!=`cs_home_country` | `cs_confirmiplocation`
-action.cyences_notable_event_action.system_compromised_search = | stats count by user
-action.cyences_notable_event_action.system_compromised_drilldown = `cs_o365` sourcetype="o365:management:activity" Workload=AzureActiveDirectory Operation=UserLoggedIn NOT LogonError=* user!="not available" user=$row.user$ | iplocation ClientIP | where Country!=`cs_home_country` | `cs_confirmiplocation`
-action.cyences_send_email_action = 1
-action.cyences_notable_event_action.products = Office 365
-action.cyences_notable_event_action.deprecated = 1
-action.cyences_notable_event_action.deprecated_from_version = 4.0.0
-action.cyences_notable_event_action.deprecated_replacement = O365 - Successful Login From Unusual Country
 
 [O365 - Successful Login From Unusual Country]
 disabled = 1
@@ -5470,53 +5381,6 @@ action.cyences_send_email_action = 1
 action.cyences_notable_event_action.products = VPN
 
 
-[Authentication - Successful VPN Login Outside Home Country]
-disabled = 0
-enableSched = 1
-alert.track = 1
-alert.severity = 4
-alert.suppress = 0
-counttype = number of events
-quantity = 0
-relation = greater than
-cron_schedule = 59 * * * *
-description = A Successful login outside home country for VPN from a perticular source. \
-\
-Data Collection - VPN data mapped with authentication data-model and has dest_category=vpn_auth.
-dispatch.earliest_time = -62m@m
-dispatch.latest_time = -2m@m
-display.general.type = statistics
-display.page.search.tab = statistics
-display.page.search.mode = fast
-request.ui_dispatch_app = cyences_app_for_splunk
-request.ui_dispatch_view = search
-search = | tstats `cs_summariesonly_authentication` count, max(_time) as Last_Success_Login from datamodel=Cyences_Authentication where Authentication.action="success" AND Authentication.dest_category="vpn_auth" AND `cs_vpn_indexes` by Authentication.user, Authentication.src, Authentication.dest \
-| rename Authentication.* as * \
-| iplocation src \
-| where Country!=`cs_home_country` \
-| `cs_confirmiplocation` \
-| fillnull Country, Region, City value="-" \
-| eval Location=src." (".count.") | ".Country." | ".Region." 
| ".City \
-| stats sum(count) as count, max(Last_Success_Login) as Last_Success_Login, list(Location) as Location, values(dest) as Dest by user \
-| `cs_user_privilege_mapping(user)` \
-| eval cyences_severity = if(is_privileged_user=="Yes", "critical", "medium") \
-| sort - count \
-| `cs_human_readable_time_format(Last_Success_Login)` \
-| `cs_authentication_successful_vpn_login_outside_home_country_filter`
-action.cyences_notable_event_action = 1
-action.cyences_notable_event_action.param.filter_macro_name = cs_authentication_successful_vpn_login_outside_home_country_filter
-action.cyences_notable_event_action.contributing_events = index=* `cs_vpn_indexes` tag=authentication action="success" dest_category="vpn_auth" | iplocation src | where Country!=`cs_home_country` | `cs_confirmiplocation`
-action.cyences_notable_event_action.system_compromised_search = | stats count by Dest
-action.cyences_notable_event_action.system_compromised_drilldown = index=* `cs_vpn_indexes` dest=$row.Dest$ tag=authentication action="success" dest_category="vpn_auth" | iplocation src | where Country!=`cs_home_country` | `cs_confirmiplocation`
-action.cyences_notable_event_action.attacker_search = | stats count by user
-action.cyences_notable_event_action.attacker_drilldown = index=* `cs_vpn_indexes` user=$row.user$ tag=authentication action="success" dest_category="vpn_auth" | iplocation src | where Country!=`cs_home_country` | `cs_confirmiplocation`
-action.cyences_send_email_action = 1
-action.cyences_notable_event_action.products = VPN
-action.cyences_notable_event_action.deprecated = 1
-action.cyences_notable_event_action.deprecated_from_version = 4.0.0
-action.cyences_notable_event_action.deprecated_replacement = Authentication - Successful VPN Login From Unusual Country
-
-
 [Authentication - VPN Login Attemps Outside Working Hours]
 disabled = 0
 enableSched = 1
@@ -5778,97 +5642,6 @@ action.cyences_notable_event_action.products = Radius Authentication # =============== # Linux/Unix # =============== -[Linux - Change in Sudo Access of Local Linux Account] -disabled = 1 -enableSched = 1 -alert.track = 1 -alert.severity = 3 -alert.suppress = 0 -cron_schedule = 59 * * * * -counttype = number of events -quantity = 0 -relation = greater than -description = This report generate lookup of linux local accounts and raise an alert when there is change in sudo access for last 60mins.\ -\ -Data Collection : Below two scripted inputs must be enable. \ - Splunk_TA_nix Add-on -> usersWithLoginPrivs.sh \ - Cyences add-on for Splunk -> sudousers.sh -dispatch.earliest_time = -62m@m -dispatch.latest_time = -2m@m -display.general.type = statistics -display.page.search.tab = statistics -display.page.search.mode = fast -request.ui_dispatch_app = cyences_app_for_splunk -request.ui_dispatch_view = search -search = `cs_linux_users_with_previledge` \ -| table _time host UID USERNAME GID HOME_DIR \ -| eval user_discovery=_time \ -| stats earliest(_time) as _time latest(*) as * by host UID \ -| append \ - [| search `cs_linux_sudousers` \ - | stats latest(_raw) as raw latest(_time) as sudo_discover by host \ - | rex field=raw "sudouser=(?.*)" max_match=0 \ - | fields - raw \ - | mvexpand USERNAME \ - | eval sudo_access="Yes" ] \ -| stats first(sudo*) as sudo*_new first(user_discovery) as user_discovery_new first(*) as * by host, USERNAME \ -| appendpipe \ - [| inputlookup cs_linux_user_list.csv \ - | rename sudo_last_modified as sudo_discover,user_last_modified as user_discovery ] \ -| join host type=left \ - [| tstats count where index=_internal host=* earliest=-5m@m latest=now by host \ - | eval internal_logs="Yes" ] \ -| stats first(*) as * by host USERNAME \ -| eval sudo_last_modified=case(isnull(internal_logs),sudo_discover,\ - isnull(user_discovery_new) and isnull(sudo_access),null(),\ - isnull(user_discovery_new) and 
isnotnull(sudo_access),now(),\ - isnull(sudo_access_new) and isnull(sudo_access),null(),\ - isnotnull(sudo_access_new) and isnull(sudo_access),sudo_discover_new,\ - isnotnull(sudo_access_new) and isnotnull(sudo_access) and sudo_access=="Yes",sudo_discover,\ - isnotnull(sudo_access_new) and isnotnull(sudo_access) and (sudo_access=="Sudo Access Revoked" OR sudo_access=="User Removed"),sudo_discover_new,\ - isnull(sudo_access_new) and isnotnull(sudo_access) and sudo_access=="Yes",now(),\ - isnull(sudo_access_new) and isnotnull(sudo_access) and (sudo_access=="Sudo Access Revoked" OR sudo_access=="User Removed"),sudo_discover) \ -| eval sudo_access=case(isnull(internal_logs),sudo_access,\ - isnull(user_discovery_new) and isnull(sudo_access),null(),\ - isnull(user_discovery_new) and isnotnull(sudo_access),"User Removed",\ - isnull(sudo_access_new) and isnull(sudo_access),null(),\ - isnotnull(sudo_access_new) and isnull(sudo_access),"Yes",\ - isnotnull(sudo_access_new) and isnotnull(sudo_access) and sudo_access=="Yes",sudo_access,\ - isnotnull(sudo_access_new) and isnotnull(sudo_access) and (sudo_access=="Sudo Access Revoked" OR sudo_access=="User Removed"),"Yes",\ - isnull(sudo_access_new) and isnotnull(sudo_access) and sudo_access=="Yes","Sudo Access Revoked",\ - isnull(sudo_access_new) and isnotnull(sudo_access) and (sudo_access=="Sudo Access Revoked" OR sudo_access=="User Removed"),sudo_access) \ -| eval user_status=case(isnull(internal_logs),user_status,\ - isnull(user_discovery_new) and isnull(user_discovery), null(),\ - isnotnull(user_discovery_new) and isnull(user_discovery), "User Available",\ - isnotnull(user_discovery_new) and isnotnull(user_discovery), "User Available",\ - isnull(user_discovery_new) and isnotnull(user_discovery), "User Removed") \ -| eval user_last_modified=case(isnull(internal_logs),user_discovery,\ - isnull(user_discovery_new) and isnull(user_discovery), null(),\ - isnotnull(user_discovery_new) and isnull(user_discovery), 
user_discovery_new,\ - isnotnull(user_discovery_new) and isnotnull(user_discovery),user_discovery,\ - isnull(user_discovery_new) and isnotnull(user_discovery), now()) \ -| fields - user_discovery*,sudo_discover*,sudo_access_new,internal_logs,count,sudo_last_modified_check, \ -| appendpipe \ - [| outputlookup cs_linux_user_list.csv \ - | where hostname="DO-NOT-RETURN-ANYRESULTS"] \ -| where sudo_last_modified>relative_time(now(),"-62m") \ -| eval cyences_severity = case(sudo_access=="Yes", "high", sudo_access=="Sudo Access Revoked", "medium", true(), "low") \ -| `cs_human_readable_time_format(sudo_last_modified)` \ -| `cs_human_readable_time_format(user_last_modified)` \ -| `cs_change_in_sudo_access_of_local_linux_account_filter` -action.cyences_notable_event_action = 1 -action.cyences_notable_event_action.param.filter_macro_name = cs_change_in_sudo_access_of_local_linux_account_filter -action.cyences_notable_event_action.contributing_events = `cs_linux_sudousers` | rex field=_raw "sudouser=(?.*)" max_match=0 -action.cyences_notable_event_action.system_compromised_search = | stats count by host -action.cyences_notable_event_action.system_compromised_drilldown = `cs_linux_sudousers` host=$row.host$ | rex field=_raw "sudouser=(?.*)" max_match=0 -action.cyences_notable_event_action.attacker_search = | stats count by USERNAME -action.cyences_notable_event_action.attacker_drilldown = `cs_linux_sudousers` $row.USERNAME$ | rex field=_raw "sudouser=(?.*)" max_match=0 -action.cyences_send_email_action = 1 -action.cyences_notable_event_action.products = Linux -action.cyences_notable_event_action.deprecated = 1 -action.cyences_notable_event_action.deprecated_from_version = 4.1.0 -action.cyences_notable_event_action.deprecated_replacement = Linux - User Added/Updated/Deleted - [Linux - cs_linux_groups Lookup Gen] disabled = 0