Merge pull request #575 from CrossRealms/filter-out-not-available-use…

…rs-from-the-bruteforce-alerts filter out user not available logs from alerts
CrossRealms · Jun 7, 2024 · c9ffaf7 · c9ffaf7
2 parents f1c23a1 + 152bd68
commit c9ffaf7
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/cyences_app_for_splunk/default/savedsearches.conf b/cyences_app_for_splunk/default/savedsearches.conf
@@ -5261,7 +5261,7 @@ display.page.search.tab = statistics
 display.page.search.mode = fast
 request.ui_dispatch_app = cyences_app_for_splunk
 request.ui_dispatch_view = search
-search = | tstats `cs_summariesonly_authentication` count, min(_time) as firstTime, max(_time) as lastTime, values(Authentication.signature) as signature from datamodel=Cyences_Authentication where `cs_authentication_indexes` (`cs_o365_login_filter_source` OR `cs_aws_login_filter_source`) Authentication.app!=OktaIM2:log Authentication.user!="*$" Authentication.action="failure" `cs_authentication_app_filter` `cs_bruteforce_from_user_additional_filter` by Authentication.app, Authentication.user, Authentication.src, Authentication.dest \
+search = | tstats `cs_summariesonly_authentication` count, min(_time) as firstTime, max(_time) as lastTime, values(Authentication.signature) as signature from datamodel=Cyences_Authentication where `cs_authentication_indexes` (`cs_o365_login_filter_source` OR `cs_aws_login_filter_source`) Authentication.app!=OktaIM2:log Authentication.user!="*$" Authentication.user!="Not Available" Authentication.action="failure" `cs_authentication_app_filter` `cs_bruteforce_from_user_additional_filter` by Authentication.app, Authentication.user, Authentication.src, Authentication.dest \
 | `drop_dm_object_name(Authentication)` \
 | appendpipe \
     [| stats sum(count) as count by app, user, dest \
@@ -5309,7 +5309,7 @@ display.page.search.tab = statistics
 display.page.search.mode = fast
 request.ui_dispatch_app = cyences_app_for_splunk
 request.ui_dispatch_view = search
-search = | tstats `cs_summariesonly_authentication` count, min(_time) as firstTime, max(_time) as lastTime, values(Authentication.signature) as signature from datamodel=Cyences_Authentication where `cs_authentication_indexes` `cs_o365_login_filter_source` Authentication.app!=OktaIM2:log Authentication.user!="*$" Authentication.action="failure" `cs_authentication_app_filter` `cs_bruteforce_from_source_additional_filter` by Authentication.app, Authentication.src, Authentication.user, Authentication.dest \
+search = | tstats `cs_summariesonly_authentication` count, min(_time) as firstTime, max(_time) as lastTime, values(Authentication.signature) as signature from datamodel=Cyences_Authentication where `cs_authentication_indexes` `cs_o365_login_filter_source` Authentication.app!=OktaIM2:log Authentication.user!="*$" Authentication.user!="Not Available" Authentication.action="failure" `cs_authentication_app_filter` `cs_bruteforce_from_source_additional_filter` by Authentication.app, Authentication.src, Authentication.user, Authentication.dest \
 | `drop_dm_object_name(Authentication)` \
 | `cs_user_privilege_mapping(user)` \
 | appendpipe \