Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Filtered the failed action events #645

Merged
merged 2 commits into from
Oct 3, 2024
Merged

Filtered the failed action events #645

merged 2 commits into from
Oct 3, 2024

Conversation

hardikhdholariya
Copy link
Contributor

No description provided.

VatsalJagani
VatsalJagani requested changes Sep 26, 2024
View reviewed changes
cyences_app_for_splunk/default/savedsearches.conf Outdated
@@ -6526,7 +6526,7 @@ display.page.search.tab = statistics
display.page.search.mode = fast
request.ui_dispatch_app = cyences_app_for_splunk
request.ui_dispatch_view = search
search = index=* sourcetype!="WinRegistry" NOT (sourcetype="WinEventLog" user_type="computer") NOT (sourcetype="meraki:accesspoints" (NOT eventData.identity="*")) (user=* OR User=* OR UserName=* OR Username=* OR userName=* OR username=* OR user_name=* OR src_user=*) \
search = index=* sourcetype!="WinRegistry" NOT (sourcetype="WinEventLog" user_type="computer") NOT (sourcetype="meraki:accesspoints" (NOT eventData.identity="*")) NOT (action=fail*) (user=* OR User=* OR UserName=* OR Username=* OR userName=* OR username=* OR user_name=* OR src_user=*) \
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's exclude some of the big sources that we are aware of to reduce the search space.

pan:traffic, fortigate-traffic-logs (not sure exact sourcetype), etc

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

there are many sourcetypes having action field.

do we have to exclude logs for some login specific sourcetypes or for any sourcetypes?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

for performance completely exclude some of the unuseful sourcetypes

@hardikhdholariya hardikhdholariya merged commit 3113176 into master Oct 3, 2024
1 check passed
@hardikhdholariya hardikhdholariya deleted the filter-login-failure-users-from-user-inventory branch October 3, 2024 06:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@VatsalJagani VatsalJagani VatsalJagani approved these changes

@mahirchavda mahirchavda Awaiting requested review from mahirchavda

@roaaattalla roaaattalla Awaiting requested review from roaaattalla

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@hardikhdholariya @VatsalJagani