Cy 514 add the panel and alert for windows firewall status

cyences_app_for_splunk/default/data/ui/views/cs_windows_reports.xml

@@ -152,4 +152,34 @@
       </html>
     </panel>
   </row>
+  <row>
+    <panel>
+      <title>Windows Firewall Status</title>    
+      <table>
+        <search>
+          <query>`cs_windows_firewall_status_logs` host=$tkn_host|s$ 
+| stats latest(_time) as "Time" latest(Domain_Profile_Status) as "Domain Profile Status" latest(Private_Profile_Status) as "Private Profile Status" latest(Public_Profile_Status) as "Public Profile Status" by host 
+| eval "Last Updated Time" = strftime(Time, "%+") 
+| rename host as Host 
+| table Host "Last Updated Time" "Domain Profile Status" "Private Profile Status" "Public Profile Status"</query>
+          <earliest>-24h</earliest>
+          <latest>now</latest>
+        </search>
+        <option name="drilldown">none</option>
+        <option name="refresh.display">progressbar</option>
+        <format type="color" field="Domain Profile Status">
+          <colorPalette type="map">{"ON": #03991a, "OFF": #a3030b}</colorPalette>
+        </format>
+        <format type="color" field="Public Profile Status">
+          <colorPalette type="map">{"ON": #03991a, "OFF": #a3030b}</colorPalette>
+        </format>
+        <format type="color" field="Private Profile Status">
+          <colorPalette type="map">{"ON": #03991a, "OFF": #a3030b}</colorPalette>
+        </format>
+      </table>
+      <html>
+        <p>This panel looks for the latest status of the firewall on each Windows host. Regardless of dashboard timerange, this panel search the data within 24 hours time-range.</p>
+      </html>
+    </panel>
+  </row>
 </form>

cyences_app_for_splunk/default/macros.conf

@@ -596,6 +596,10 @@ iseval = 0
 definition = `cs_windows_idx` sourcetype="*WinEventLog" source="*WinEventLog:System"
 iseval = 0
 
+[cs_windows_firewall_status_logs]
+definition = `cs_windows_idx` sourcetype="WindowsFirewallStatus"
+iseval = 0
+
 [cs_ad_active_directory]
 definition = `cs_windows_idx` sourcetype="ActiveDirectory"
 iseval = 0
@@ -682,6 +686,10 @@ iseval = 0
 definition = search *
 iseval = 0
 
+[cs_windows_firewall_is_disabled_filter]
+definition = search *
+iseval = 0
+
 
 # Sysmon
 [cs_sysmon]

cyences_app_for_splunk/default/savedsearches.conf

@@ -926,6 +926,46 @@ action.cyences_send_email_action = 1
 action.cyences_notable_event_action.products = Sysmon
 
 
+[Windows - Windows Firewall is Disabled]
+disabled = 1
+enableSched = 1
+alert.track = 1
+alert.severity = 4
+alert.suppress = 0
+counttype = number of events
+quantity = 0
+relation = greater than
+# It will run every hour at minute 2 (savedsearch is scheduled 2 minutes delayed to capture the latest event which is generated every hour at minute 0).
+cron_schedule = 2 * * * *
+description = The alert will be triggered if the Windows Firewall has been disabled from its active state. The same alert will be suppressed if it triggers again on the same day. \
+Data Collection - Windows Firewall Status Check Add-on (TODO: <Add the splunkbase link>).
+# To Keep the current day as a suppression time, the earliest time is set to the current day's start time to generate the notable every day if the firewall is disabled.
+dispatch.earliest_time = @d
+dispatch.latest_time = now
+display.general.type = statistics
+display.page.search.tab = statistics
+display.page.search.mode = fast
+request.ui_dispatch_app = cyences_app_for_splunk
+request.ui_dispatch_view = search
+# The search captures the latest 2 events of every host and checks whether at least one Windows Firewall profile has been disabled from its active state. If this occurs, an alert will be triggered.
+# Also, If an event with a firewall status disabled occurs for the first time in a day, an alert will be triggered.
+search = `cs_windows_firewall_status_logs` \
+| dedup 2 host \
+| stats latest(Domain_Profile_Status) as Domain_Profile_Status latest(Private_Profile_Status) as Private_Profile_Status latest(Public_Profile_Status) as Public_Profile_Status earliest(Domain_Profile_Status) as Previous_Domain_Profile_Status earliest(Private_Profile_Status) as Previous_Private_Profile_Status earliest(Public_Profile_Status) as Previous_Public_Profile_Status count as event_count by host \
+| eval changed = if((Previous_Domain_Profile_Status="ON" AND Domain_Profile_Status="OFF") OR (Previous_Private_Profile_Status="ON" AND Private_Profile_Status="OFF") OR (Previous_Public_Profile_Status="ON" AND Public_Profile_Status="OFF"), "Yes", "No") \
+| search (changed = "Yes") OR ((event_count=1) AND (Domain_Profile_Status="OFF" OR Private_Profile_Status="OFF" OR Public_Profile_Status="OFF")) \
+| eval cyences_severity = if(Public_Profile_Status="OFF" AND Private_Profile_Status="OFF" AND Domain_Profile_Status="OFF", "high", "medium") \
+| table host Domain_Profile_Status Private_Profile_Status Public_Profile_Status cyences_severity \
+| `cs_windows_firewall_is_disabled_filter`
+action.cyences_notable_event_action = 1
+action.cyences_notable_event_action.param.filter_macro_name = cs_windows_firewall_is_disabled_filter
+action.cyences_notable_event_action.contributing_events = `cs_windows_firewall_status_logs` 
+action.cyences_notable_event_action.system_compromised_search = | stats count by host
+action.cyences_notable_event_action.system_compromised_drilldown = `cs_windows_firewall_status_logs` host=$row.host$
+action.cyences_send_email_action = 1
+action.cyences_notable_event_action.products = Windows
+
+
 [AD - Group Changed]
 disabled = 1
 enableSched = 1
@@ -2834,7 +2874,7 @@ counttype = number of events
 quantity = 0
 relation = greater than
 cron_schedule = 7,22,37,52 * * * *
-description = This alet will trigger when a Sophos endpoint service is no longer running. \
+description = This alert will trigger when a Sophos endpoint service is no longer running. \
 \
 Data Collection - Sophos Central SIEM Integration Add-on (https://splunkbase.splunk.com/app/4647/) \
 \