review comments

CrossRealms · Oct 7, 2024 · e149b4d · e149b4d
1 parent 052f9df
commit e149b4d
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 14 deletions.
diff --git a/cyences_app_for_splunk/bin/cs_product_list.py b/cyences_app_for_splunk/bin/cs_product_list.py
@@ -301,7 +301,7 @@ def build_app_dependency_search(app_list):
         ],
         "macro_configurations": [
             {
-                "macro_name": "cs_email_indexes",
+                "macro_name": "cs_email_sources",
                 "label": "Email Data",
                 "search_by": "sourcetype",
                 "search_values": "ms:o365:reporting:messagetrace,o365:reporting:messagetrace,gws:gmail",
@@ -475,15 +475,15 @@ def build_app_dependency_search(app_list):
     {
         "name": "Vulnerability",
         "app_dependencies": [],
-        "metadata_count_search": '`cs_vulnerabilities_indexes` sourcetype="*vuln*" | stats count',
+        "metadata_count_search": '`cs_vulnerabilities_indexes` tag=vulnerability tag=report tag=cyences | stats count',
         "macro_configurations": [
             {
                 "macro_name": "cs_vulnerabilities_indexes",
                 "label": "Vulnerability Data (indexes)",
-                "search": '`cs_vulnerabilities_indexes` sourcetype="*vuln*" | stats count by index, sourcetype',
-                "host_reviewer_search": '`cs_vulnerabilities_indexes` sourcetype="*vuln*" | stats count by sourcetype host | rename sourcetype as sources',
-                "sources_reviewer_search": '`cs_vulnerabilities_indexes` sourcetype="*vuln*" | stats dc(host) as host_count values(index) as index by sourcetype | rename sourcetype as sources',
-                "data_availablity_panel_search": '`cs_vulnerabilities_indexes` sourcetype="*vuln*" | head 1 | stats count | eval data=if(count>0, "Data Present", "Data Not Present"), label="`cs_vulnerabilities_indexes` sourcetype="*vuln*" | table label, data',
+                "search": '`cs_vulnerabilities_indexes` tag=vulnerability tag=report tag=cyences | stats count by index, sourcetype',
+                "host_reviewer_search": '`cs_vulnerabilities_indexes` tag=vulnerability tag=report tag=cyences | stats count by sourcetype host | rename sourcetype as sources',
+                "sources_reviewer_search": '`cs_vulnerabilities_indexes` tag=vulnerability tag=report tag=cyences | stats dc(host) as host_count values(index) as index by sourcetype | rename sourcetype as sources',
+                "data_availablity_panel_search": '`cs_vulnerabilities_indexes` tag=vulnerability tag=report tag=cyences | head 1 | stats count | eval data=if(count>0, "Data Present", "Data Not Present"), label="`cs_vulnerabilities_indexes` tag=vulnerability tag=report tag=cyences | table label, data',
                 "earliest_time": "-1d@d",
                 "latest_time": "now",
             }

diff --git a/cyences_app_for_splunk/default/macros.conf b/cyences_app_for_splunk/default/macros.conf
@@ -1007,8 +1007,8 @@ definition = NOT activityDisplayName IN ("ApprovalNotification_Create", "Feature
 iseval = 0
 
 # Email
-[cs_email_indexes]
-definition = `cs_o365` OR `cs_gws`
+[cs_email_sources]
+definition = (`cs_o365` (sourcetype="ms:o365:reporting:messagetrace" OR sourcetype="o365:reporting:messagetrace")) OR (`cs_gws` sourcetype="gws:gmail")
 iseval = 0
 
 

diff --git a/cyences_app_for_splunk/default/savedsearches.conf b/cyences_app_for_splunk/default/savedsearches.conf
@@ -2788,7 +2788,7 @@ display.page.search.mode = fast
 display.visualizations.show = 0
 request.ui_dispatch_app = cyences_app_for_splunk
 request.ui_dispatch_view = search
-search = (`cs_o365` (sourcetype="ms:o365:reporting:messagetrace" OR sourcetype="o365:reporting:messagetrace")) OR (`cs_gws` sourcetype="gws:gmail") \
+search = `cs_email_sources` \
 | bin span=1h _time \
 | stats dc(MessageId) as count by SenderAddress, _time \
 | stats avg(count) as avg, stdev(count) as stdev by SenderAddress \
@@ -2817,7 +2817,7 @@ display.page.search.tab = statistics
 display.page.search.mode = fast
 request.ui_dispatch_app = cyences_app_for_splunk
 request.ui_dispatch_view = search
-search = (`cs_o365` (sourcetype="ms:o365:reporting:messagetrace" OR sourcetype="o365:reporting:messagetrace")) OR (`cs_gws` sourcetype="gws:gmail") _index_earliest=-61m@m _index_latest=-1m@m \
+search = `cs_email_sources` _index_earliest=-61m@m _index_latest=-1m@m \
 | rex field=RecipientAddress "(?<RecipientUser>[^@]+)(?<RecipientDomain>.+)" \
 | rename recipient_domain as RecipientDomain, recipient as RecipientUser \
 | fillnull value="Unknown" RecipientDomain \
@@ -2863,18 +2863,18 @@ display.page.search.tab = statistics
 display.page.search.mode = fast
 request.ui_dispatch_app = cyences_app_for_splunk
 request.ui_dispatch_view = search
-search = (`cs_o365` (sourcetype="ms:o365:reporting:messagetrace" OR sourcetype="o365:reporting:messagetrace") Status=FilteredAsSpam) OR (`cs_gws` sourcetype="gws:gmail" "message_info.is_spam"=true) _index_earliest=-25h@m _index_latest=-1h@m \
+search = `cs_email_sources` (Status=FilteredAsSpam OR "message_info.is_spam"=true) _index_earliest=-25h@m _index_latest=-1h@m \
 | stats count, values(RecipientAddress) as RecipientAddress, values(vendor_product) as Product by SenderAddress, Subject \
 | eval cyences_severity = "info" \
 | sort - count \
 | `cs_email_daily_spam_email_filter`
 action.cyences_notable_event_action = 1
 action.cyences_notable_event_action.param.filter_macro_name = cs_email_daily_spam_email_filter
-action.cyences_notable_event_action.contributing_events = (`cs_o365` (sourcetype="ms:o365:reporting:messagetrace" OR sourcetype="o365:reporting:messagetrace") Status=FilteredAsSpam) OR (`cs_gws` sourcetype="gws:gmail" "message_info.is_spam"=true)
+action.cyences_notable_event_action.contributing_events = `cs_email_sources` (Status=FilteredAsSpam OR "message_info.is_spam"=true) \
 action.cyences_notable_event_action.system_compromised_search = | stats count by SenderAddress
-action.cyences_notable_event_action.system_compromised_drilldown =  (`cs_o365` (sourcetype="ms:o365:reporting:messagetrace" OR sourcetype="o365:reporting:messagetrace") Status=FilteredAsSpam) OR (`cs_gws` sourcetype="gws:gmail" "message_info.is_spam"=true) | search SenderAddress=$row.SenderAddress$
+action.cyences_notable_event_action.system_compromised_drilldown = `cs_email_sources` (Status=FilteredAsSpam OR "message_info.is_spam"=true) | search SenderAddress=$row.SenderAddress$
 action.cyences_notable_event_action.attacker_search = | stats count by Subject
-action.cyences_notable_event_action.attacker_drilldown = (`cs_o365` (sourcetype="ms:o365:reporting:messagetrace" OR sourcetype="o365:reporting:messagetrace") Status=FilteredAsSpam) OR (`cs_gws` sourcetype="gws:gmail" "message_info.is_spam"=true) | search Subject=$row.Subject$
+action.cyences_notable_event_action.attacker_drilldown = `cs_email_sources` (Status=FilteredAsSpam OR "message_info.is_spam"=true) | search Subject=$row.Subject$
 action.cyences_send_email_action = 1
 action.cyences_notable_event_action.products = Office 365, Google Workspace