CrossRealms · hardikhdholariya · Jul 27, 2023 · Jul 12, 2023 · Jul 12, 2023 · Jul 12, 2023
diff --git a/cyences_app_for_splunk/default/data/ui/views/cs_windows_reports.xml b/cyences_app_for_splunk/default/data/ui/views/cs_windows_reports.xml
@@ -152,4 +152,52 @@
       </html>
     </panel>
   </row>
+  <row>
+    <panel>
+      <title>Windows Firewall Status</title>
+      <input type="time" token="time_Range">
+        <label>Time Range</label>
+        <default>
+          <earliest>-24h@h</earliest>
+          <latest>now</latest>
+        </default>
+        <change>
+          <set token="form.fw_host">*</set>
+        </change>
+      </input>
+      <input type="dropdown" token="fw_host" searchWhenChanged="true">
+        <label>Host</label>
+        <choice value="*">All</choice>
+        <default>*</default>
+        <initialValue>*</initialValue>
+        <fieldForLabel>host</fieldForLabel>
+        <fieldForValue>host</fieldForValue>
+        <search>
+          <query>| tstats count where index=* AND sourcetype=WindowsFirewallStatus by host 
+| table host</query>
+          <earliest>$time_Range.earliest$</earliest>
+          <latest>$time_Range.latest$</latest>
+        </search>
+      </input>
+      <table>
+        <search>
+          <query>index=* sourcetype=WindowsFirewallStatus host="$fw_host$" 
+| stats latest(Domain_Profile_Status) as "domain profile status" latest(Private_Profile_Status) as "private profile status" latest(Public_Profile_Status) as "public profile status" by host</query>
+          <earliest>$time_Range.earliest$</earliest>
+          <latest>$time_Range.latest$</latest>
+        </search>
+        <option name="drilldown">none</option>
+        <option name="refresh.display">progressbar</option>
+        <format type="color" field="domain profile status">
+          <colorPalette type="map">{"ON": #03991a, "OFF": #a3030b}</colorPalette>
+        </format>
+        <format type="color" field="public profile status">
+          <colorPalette type="map">{"ON": #03991a, "OFF": #a3030b}</colorPalette>
+        </format>
+        <format type="color" field="private profile status">
+          <colorPalette type="map">{"ON": #03991a, "OFF": #a3030b}</colorPalette>
+        </format>
+      </table>
+    </panel>
+  </row>
 </form>
diff --git a/cyences_app_for_splunk/default/macros.conf b/cyences_app_for_splunk/default/macros.conf
@@ -682,6 +682,10 @@ iseval = 0
 definition = search *
 iseval = 0
 
+[cs_windows_firewall_is_disabled_filter]
+definition = search *
+iseval = 0
+
 
 # Sysmon
 [cs_sysmon]

diff --git a/cyences_app_for_splunk/default/savedsearches.conf b/cyences_app_for_splunk/default/savedsearches.conf
@@ -926,6 +926,43 @@ action.cyences_send_email_action = 1
 action.cyences_notable_event_action.products = Sysmon
 
 
+[Windows - Windows Firewall is Disabled]
+disabled = 1
+enableSched = 1
+alert.track = 1
+alert.severity = 4
+alert.suppress = 0
+counttype = number of events
+quantity = 0
+relation = greater than
+cron_schedule = 2 * * * *
+description = The alert will be triggered if the Windows Firewall has been disabled from its active state in the past 24 hours. \
+Data Collection - Windows Firewall Status Check Add-on (https://splunkbase.???????)
+dispatch.earliest_time = -24h
+dispatch.latest_time = now
+display.general.type = statistics
+display.page.search.tab = statistics
+display.page.search.mode = fast
+request.ui_dispatch_app = cyences_app_for_splunk
+request.ui_dispatch_view = search
+search = index=* sourcetype=WindowsFirewallStatus \
+| dedup 2 host \
+| stats latest(Domain_Profile_Status) as Domain_Profile_Status latest(Private_Profile_Status) as Private_Profile_Status latest(Public_Profile_Status) as Public_Profile_Status earliest(Domain_Profile_Status) as Previous_Domain_Profile_Status earliest(Private_Profile_Status) as Previous_Private_Profile_Status earliest(Public_Profile_Status) as Previous_Public_Profile_Status count as event_count by host \
+| eval changed = if((Previous_Domain_Profile_Status="ON" AND Domain_Profile_Status="OFF") OR (Previous_Private_Profile_Status="ON" AND Private_Profile_Status="OFF") OR (Previous_Public_Profile_Status="ON" AND Public_Profile_Status="OFF"), "Yes", "No") \
+| search (changed = "Yes") OR ((event_count=1) AND (Domain_Profile_Status="OFF" OR Private_Profile_Status="OFF" OR Public_Profile_Status="OFF")) \
+| rename host as Host \
+| table Host Domain_Profile_Status Private_Profile_Status Public_Profile_Status \
+| eval cyences_severity = case(Public_Profile_Status="OFF" AND Private_Profile_Status="OFF" AND Domain_Profile_Status="OFF", "critical", Public_Profile_Status="OFF", "high", true(), "medium") \
+| `cs_windows_firewall_is_disabled_filter`
+action.cyences_notable_event_action = 1
+action.cyences_notable_event_action.param.filter_macro_name = cs_windows_firewall_is_disabled_filter
+action.cyences_notable_event_action.contributing_events = index=* sourcetype=WindowsFirewallStatus 
+action.cyences_notable_event_action.system_compromised_search = | stats count by Host
+action.cyences_notable_event_action.system_compromised_drilldown = index=* sourcetype=WindowsFirewallStatus host=$row.Host$
+action.cyences_send_email_action = 1
+action.cyences_notable_event_action.products = Windows
+
+
 [AD - Group Changed]
 disabled = 1
 enableSched = 1