DUO Failure Logins #697

Merged
merged 3 commits into from
Dec 24, 2024

Conversation

roaaattalla
Contributor

No description provided.

| table event_time ,username, factor, reason \
|`cs_duo_user_failed_login_filter`
action.cyences_notable_event_action = 1
action.cyences_notable_event_action.contributing_events = `cs_duo `source="duo" result=FAILURE NOT reason IN ("Locked out")
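Review bot: the table command on the first line has inconsistent spacing ("event_time ,username, factor, reason") and the filter macro on the second line is piped with no space after the bar while every other stage uses "| "; normalize both to "| table event_time, username, factor, reason" and "| `cs_duo_user_failed_login_filter`" so the search reads like the rest of savedsearches.conf. The contributing_events value on the last line also carries a space inside the opening macro reference (cs_duo followed by a space before the closing backtick), which will not expand as the cs_duo macro.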
Contributor

Remove the space inside the macro.

action.cyences_notable_event_action = 1
action.cyences_notable_event_action.contributing_events = `cs_duo `source="duo" result=FAILURE NOT reason IN ("Locked out")
action.cyences_notable_event_action.system_compromised_search = | stats count by username
action.cyences_notable_event_action.system_compromised_drilldown = `cs_duo `source="duo" result=FAILURE NOT reason IN ("Locked out") username=$row.username$
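Review bot: the drilldown on the last line repeats the contributing_events base search verbatim (`cs_duo` source="duo" result=FAILURE NOT reason IN ("Locked out")) and only appends username=$row.username$; two copies of the same filter will drift the first time the "Locked out" exclusion is changed in one of them, so either derive the drilldown from the contributing_events search or move the base filter into a single macro that both lines call. The space inside the opening macro reference is present in both copies and has to be removed in both.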
Contributor

Remove the space inside the macro.

@@ -5854,6 +5854,38 @@ action.cyences_notable_event_action.system_compromised_drilldown = `cs_duo` sour
action.cyences_send_email_action = 1
action.cyences_notable_event_action.products = DUO
action.cyences_notable_event_action.teams = SOC

[DUO - User Failure Login]
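Review bot: the stanza name on the last line, [DUO - User Failure Login], uses different wording from the PR title ("DUO Failure Logins") and from the filter macro stanza added in the same PR (cs_duo_user_failed_login_filter); pick one phrasing, for example "User Login Failure", and apply it to the stanza, the macro name and the search that invokes the macro, since the macro name is the string users will edit to tune this alert.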
Contributor

DUO - User Login Failure

@@ -1483,6 +1483,10 @@ iseval = 0
definition = search *
iseval = 0

[cs_duo_user_failed_login_filter]
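Review bot: the new macro stanza [cs_duo_user_failed_login_filter] is the last visible line of a hunk that grows this region by four lines, so the definition = search * and iseval = 0 pair that the preceding macro carries in the context lines is not shown for it; confirm those two lines follow the stanza header, because a filter macro with no definition breaks every search that pipes into it. The stanza name must also match whatever the saved search finally invokes (currently `cs_duo_user_failed_login_filter`) if the search is renamed.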
Contributor

cs_duo_user_login_failure_filter

cyences_app_for_splunk/default/savedsearches.conf (outdated review thread, resolved)
cyences_app_for_splunk/default/savedsearches.conf (outdated review thread, resolved)
| eval cyences_severity = if(is_privileged_user=="Yes", "critical","high") \
| `cs_human_readable_time_format(_time, event_time)` \
| table event_time ,username, factor, reason \
|`cs_duo_user_failed_login_filter`
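Review bot: the table command on the third line keeps only event_time, username, factor and reason, so the cyences_severity field computed one line earlier (if(is_privileged_user=="Yes", "critical","high")) and is_privileged_user itself are discarded before the results reach the filter macro and the notable-event action; if the severity is meant to be read from the results, add cyences_severity (and is_privileged_user, if the filter macro is expected to exclude on it) to the table list. The comma spacing in "event_time ,username" should also be normalized to "event_time, username".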
Contributor

cs_duo_user_login_failure_filter

@hardikhdholariya hardikhdholariya merged commit b165405 into master Dec 24, 2024
1 check passed
@hardikhdholariya hardikhdholariya deleted the DUO-Failure branch December 24, 2024 12:58
3 participants