From 57346a72b85a52d9a1a0694d7c417a1a15d90024 Mon Sep 17 00:00:00 2001
From: roaaattalla
Date: Mon, 23 Dec 2024 18:42:16 +0200
Subject: [PATCH 1/3] DUO Failure Lohins

---
 cyences_app_for_splunk/default/macros.conf | 4 +++
 .../default/savedsearches.conf | 32 +++++++++++++++++++
 2 files changed, 36 insertions(+)

diff --git a/cyences_app_for_splunk/default/macros.conf b/cyences_app_for_splunk/default/macros.conf
index a03115cb..c5494c1a 100644
--- a/cyences_app_for_splunk/default/macros.conf
+++ b/cyences_app_for_splunk/default/macros.conf
@@ -1483,6 +1483,10 @@ iseval = 0
 definition = search *
 iseval = 0
 
+[cs_duo_user_failed_login_filter]
+definition = search *
+iseval = 0
+
 # Radius Authentication
 [cs_radius_authentication_excessive_login_failure_limit]
 definition = 20
diff --git a/cyences_app_for_splunk/default/savedsearches.conf b/cyences_app_for_splunk/default/savedsearches.conf
index 2645a261..e50a9311 100644
--- a/cyences_app_for_splunk/default/savedsearches.conf
+++ b/cyences_app_for_splunk/default/savedsearches.conf
@@ -5854,6 +5854,38 @@ action.cyences_notable_event_action.system_compromised_drilldown = `cs_duo` sour
 action.cyences_send_email_action = 1
 action.cyences_notable_event_action.products = DUO
 action.cyences_notable_event_action.teams = SOC
+
+[DUO - User Failure Login]
+disabled = 1
+enableSched = 1
+alert.track = 1
+alert.severity = 4
+alert.suppress = 0
+counttype = number of events
+quantity = 0
+relation = greater than
+cron_schedule = 4 * * * *
+description = This alert will pinpoint when a user failed to login.
+dispatch.earliest_time = -4h@h
+dispatch.latest_time = +4h@h
+display.general.type = statistics
+display.page.search.tab = statistics
+display.page.search.mode = fast
+request.ui_dispatch_app = cyences_app_for_splunk
+request.ui_dispatch_view = search
+search = `cs_duo `source="duo" _index_earliest=-61m@m _index_latest=-1m@m result=FAILURE NOT reason IN ("Locked out") \
+| `cs_user_privilege_mapping(username)` \
+| eval cyences_severity = if(is_privileged_user=="Yes", "critical","high") \
+| `cs_human_readable_time_format(_time, event_time)` \
+| table event_time ,username, factor, reason \
+|`cs_duo_user_failed_login_filter`
+action.cyences_notable_event_action = 1
+action.cyences_notable_event_action.contributing_events = `cs_duo `source="duo" result=FAILURE NOT reason IN ("Locked out")
+action.cyences_notable_event_action.system_compromised_search = | stats count by username
+action.cyences_notable_event_action.system_compromised_drilldown = `cs_duo `source="duo" result=FAILURE NOT reason IN ("Locked out") username=$row.username$
+action.cyences_send_email_action = 1
+action.cyences_notable_event_action.products = DUO
+action.cyences_notable_event_action.teams = SOC
 # ===============
 # Radius Authentication
 # ===============
From 20d722c9c88b644923565b96301aee0910f1a0a0 Mon Sep 17 00:00:00 2001
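Review bot: The new `[DUO - User Failure Login]` stanza raises a notable for every single failed Duo authentication: `counttype = number of events`, `quantity = 0`, `relation = greater than` and a search with no aggregation, so one mistyped password already becomes a "high" or "critical" notable through the `cyences_severity` eval. A lone MFA failure is ordinary user behaviour, so this reads better as a frequency detection, e.g. `| stats count by username` gated by a threshold macro in the style of `cs_radius_authentication_excessive_login_failure_limit` visible in macros.conf above, or at minimum `alert.suppress = 1` with `alert.suppress.fields = username`. The same per-event shape survives the renames in PATCH 2/3 and the relocation in PATCH 3/3. Minor style point: `|`cs_duo_user_failed_login_filter`` drops the space after the pipe that the sibling `| `cs_duo_user_locked_out_filter`` line uses.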
From: roaaattalla
Date: Tue, 24 Dec 2024 00:56:49 +0200
Subject: [PATCH 2/3] DUO Failure

---
 cyences_app_for_splunk/default/macros.conf | 2 +-
 cyences_app_for_splunk/default/savedsearches.conf | 12 +++++++-----
 2 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/cyences_app_for_splunk/default/macros.conf b/cyences_app_for_splunk/default/macros.conf
index c5494c1a..e1f63ddf 100644
--- a/cyences_app_for_splunk/default/macros.conf
+++ b/cyences_app_for_splunk/default/macros.conf
@@ -1483,7 +1483,7 @@ iseval = 0
 definition = search *
 iseval = 0
 
-[cs_duo_user_failed_login_filter]
+[cs_duo_user_login_failure_filter]
 definition = search *
 iseval = 0
 
diff --git a/cyences_app_for_splunk/default/savedsearches.conf b/cyences_app_for_splunk/default/savedsearches.conf
index e50a9311..afeb307b 100644
--- a/cyences_app_for_splunk/default/savedsearches.conf
+++ b/cyences_app_for_splunk/default/savedsearches.conf
@@ -5848,6 +5848,7 @@ search = `cs_duo` source="duo" _index_earliest=-61m@m _index_latest=-1m@m reaso
 | table event_time, username, integration, reason, result \
 | `cs_duo_user_locked_out_filter`
 action.cyences_notable_event_action = 1
+action.cyences_notable_event_action.param.filter_macro_name = cs_duo_user_locked_out_filter
 action.cyences_notable_event_action.contributing_events = `cs_duo` source="duo" reason="Locked out"
 action.cyences_notable_event_action.system_compromised_search = | stats count by username
 action.cyences_notable_event_action.system_compromised_drilldown = `cs_duo` source="duo" reason="Locked out" username=$row.username$
@@ -5855,7 +5856,7 @@ action.cyences_send_email_action = 1
 action.cyences_notable_event_action.products = DUO
 action.cyences_notable_event_action.teams = SOC
 
-[DUO - User Failure Login]
+[DUO - User Login Failure]
 disabled = 1
 enableSched = 1
 alert.track = 1
@@ -5873,16 +5874,17 @@ display.page.search.tab = statistics
 display.page.search.mode = fast
 request.ui_dispatch_app = cyences_app_for_splunk
 request.ui_dispatch_view = search
-search = `cs_duo `source="duo" _index_earliest=-61m@m _index_latest=-1m@m result=FAILURE NOT reason IN ("Locked out") \
+search = `cs_duo`source="duo" _index_earliest=-61m@m _index_latest=-1m@m result=FAILURE NOT reason IN ("Locked out") \
 | `cs_user_privilege_mapping(username)` \
 | eval cyences_severity = if(is_privileged_user=="Yes", "critical","high") \
 | `cs_human_readable_time_format(_time, event_time)` \
 | table event_time ,username, factor, reason \
-|`cs_duo_user_failed_login_filter`
+|`cs_duo_user_login_failure_filter`
 action.cyences_notable_event_action = 1
-action.cyences_notable_event_action.contributing_events = `cs_duo `source="duo" result=FAILURE NOT reason IN ("Locked out")
+action.cyences_notable_event_action.param.filter_macro_name = cs_duo_user_login_failure_filter
+action.cyences_notable_event_action.contributing_events = `cs_duo`source="duo" result=FAILURE NOT reason IN ("Locked out")
 action.cyences_notable_event_action.system_compromised_search = | stats count by username
-action.cyences_notable_event_action.system_compromised_drilldown = `cs_duo `source="duo" result=FAILURE NOT reason IN ("Locked out") username=$row.username$
+action.cyences_notable_event_action.system_compromised_drilldown = `cs_duo`source="duo" result=FAILURE NOT reason IN ("Locked out") username=$row.username$
 action.cyences_send_email_action = 1
 action.cyences_notable_event_action.products = DUO
 action.cyences_notable_event_action.teams = SOC
From 14854d9569b562db84058cd2f8f4bd5a6b151bc3 Mon Sep 17 00:00:00 2001
From: Hardik Dholariya Date: Tue, 24 Dec 2024 15:06:12 +0530 Subject: [PATCH 3/3] Added DUO information --- .../appserver/static/cs_overview.js | 3 +- cyences_app_for_splunk/bin/cs_product_list.py | 19 +++ .../default/data/ui/views/cs_overview.xml | 23 ++- .../default/savedsearches.conf | 136 +++++++++--------- 4 files changed, 115 insertions(+), 66 deletions(-) diff --git a/cyences_app_for_splunk/appserver/static/cs_overview.js b/cyences_app_for_splunk/appserver/static/cs_overview.js index 4b0dcf3e..fabf9431 100644 --- a/cyences_app_for_splunk/appserver/static/cs_overview.js +++ b/cyences_app_for_splunk/appserver/static/cs_overview.js @@ -82,6 +82,7 @@ require([ { token: "vulnerability", product: "Vulnerability" }, { token: "db_oracle", product: "Oracle" }, { token: "db_mssql", product: "MSSQL" }, + { token: "duo", product: "DUO" }, ]; 
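Review bot: The new `{ token: "duo", product: "DUO" }` entry is one of three hand-maintained copies of the product list — this array, the `tableIDs` array changed in the next hunk, and the `products_to_search` string in cs_overview.xml — and nothing in the code checks that they agree. A product present here but absent from `tableIDs` presumably gets no table on the overview, and one absent from `products_to_search` appears to fall through into the "Other Alerts" panel; the `Cloudflare|` entry added to that string in the same commit looks like exactly such a drift. Consider deriving `tableIDs` from this array, or at least add `// keep in sync with tableIDs below and products_to_search in cs_overview.xml` above the list. The `require([` callback enclosing this array starts before the hunk.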
@@ -181,7 +182,7 @@ require([ } }); - var tableIDs = ["tbl_authentication", "tbl_vpn", "tbl_radius_authentication", "tbl_crowdstrike_eventstream", "tbl_sophos", "tbl_windows_defender", "tbl_o365_defender_atp", "tbl_aws", "tbl_gws", "tbl_o365", "tbl_email", "tbl_network_compromise", "tbl_cisco_ios", "tbl_fortigate", "tbl_palo_alto", "tbl_sophos_firewall", "tbl_cisco_meraki", "tbl_f5_bigip", "tbl_cloudflare", "tbl_windows", "tbl_ad_windows", "tbl_sysmon", "tbl_linux", "tbl_vulnerability", "tbl_db_oracle", "tbl_db_mssql", "tbl_monthly_alerts", "tbl_other_alerts" ]; + var tableIDs = ["tbl_authentication", "tbl_vpn", "tbl_radius_authentication", "tbl_crowdstrike_eventstream", "tbl_sophos", "tbl_windows_defender", "tbl_o365_defender_atp", "tbl_aws", "tbl_gws", "tbl_o365", "tbl_email", "tbl_network_compromise", "tbl_cisco_ios", "tbl_fortigate", "tbl_palo_alto", "tbl_sophos_firewall", "tbl_cisco_meraki", "tbl_f5_bigip", "tbl_cloudflare", "tbl_windows", "tbl_ad_windows", "tbl_sysmon", "tbl_linux", "tbl_vulnerability", "tbl_db_oracle", "tbl_db_mssql", "tbl_duo", "tbl_monthly_alerts", "tbl_other_alerts" ]; for (let i=0;i + + DUO + + + | `cs_filter_savedsearches("DUO")` + + + + + + {"1":#F7BC38} + + + {"0":#F7BC38} + + ["Name","Notable Events"] + + /app/cyences_app_for_splunk/cs_forensics?form.tkn_savedsearch=$row.savedsearch_name$&form.timeRange.earliest=$timeRange.earliest$&form.timeRange.latest=$timeRange.latest$&form.tkn_severity=$row.cyences_severity$&$tkn_status_drilldown|n$ + +
+
@@ -857,7 +878,7 @@ Other Alerts - eval products_to_search="Authentication|VPN|Radius Authentication|Sophos Endpoint Protection|Windows Defender|CrowdStrike EventStream|Office 365 Defender ATP|AWS|Google Workspace|Office 365|Email|Network|Cisco IOS|FortiGate|Palo Alto|Sophos Firewall|Cisco Meraki|F5 BIGIP|Vulnerability|Windows|Windows AD|Sysmon|Linux|Oracle|MSSQL" + eval products_to_search="Authentication|VPN|Radius Authentication|Sophos Endpoint Protection|Windows Defender|CrowdStrike EventStream|Office 365 Defender ATP|AWS|Google Workspace|Office 365|Email|Network|Cisco IOS|FortiGate|Palo Alto|Sophos Firewall|Cisco Meraki|F5 BIGIP|Cloudflare|Vulnerability|Windows|Windows AD|Sysmon|Linux|Oracle|MSSQL|DUO" | makemv delim="|" products_to_search | eval products_to_search=trim(products_to_search) | cyencesmvintersection set1="products_to_search" set2="alert_products" | where mvcount(intersection)=0 diff --git a/cyences_app_for_splunk/default/savedsearches.conf b/cyences_app_for_splunk/default/savedsearches.conf index afeb307b..cac928a7 100644 --- a/cyences_app_for_splunk/default/savedsearches.conf +++ b/cyences_app_for_splunk/default/savedsearches.conf 
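Review bot: The `products_to_search` string gains `Cloudflare|` in addition to `DUO`, but the commit subject "Added DUO information" and the description say nothing about Cloudflare, so the change is easy to miss in review. If Cloudflare notables were previously showing up under "Other Alerts" this is a separate fix worth naming in the commit message, and it should be confirmed that the literal matches the value the Cloudflare stanzas set in `action.cyences_notable_event_action.products`, which is not visible here. The panel query this line belongs to starts before the hunk.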
@@ -5823,71 +5823,8 @@ action.cyences_send_email_action = 1
 action.cyences_notable_event_action.products = VPN
 action.cyences_notable_event_action.teams = SOC
 
-[DUO - User is Locked Out]
-disabled = 1
-enableSched = 1
-alert.track = 1
-alert.severity = 4
-alert.suppress = 0
-counttype = number of events
-quantity = 0
-relation = greater than
-cron_schedule = 4 * * * *
-description = This alert will pinpoint when a user is locked out from Duo app.
-dispatch.earliest_time = -4h@h
-dispatch.latest_time = +4h@h
-display.general.type = statistics
-display.page.search.tab = statistics
-display.page.search.mode = fast
-request.ui_dispatch_app = cyences_app_for_splunk
-request.ui_dispatch_view = search
-search = `cs_duo` source="duo" _index_earliest=-61m@m _index_latest=-1m@m reason="Locked out" \
-| `cs_user_privilege_mapping(username)` \
-| eval cyences_severity = if(is_privileged_user=="Yes", "critical","high") \
-| `cs_human_readable_time_format(_time, event_time)` \
-| table event_time, username, integration, reason, result \
-| `cs_duo_user_locked_out_filter`
-action.cyences_notable_event_action = 1
-action.cyences_notable_event_action.param.filter_macro_name = cs_duo_user_locked_out_filter
-action.cyences_notable_event_action.contributing_events = `cs_duo` source="duo" reason="Locked out"
-action.cyences_notable_event_action.system_compromised_search = | stats count by username
-action.cyences_notable_event_action.system_compromised_drilldown = `cs_duo` source="duo" reason="Locked out" username=$row.username$
-action.cyences_send_email_action = 1
-action.cyences_notable_event_action.products = DUO
-action.cyences_notable_event_action.teams = SOC
 
-[DUO - User Login Failure]
-disabled = 1
-enableSched = 1
-alert.track = 1
-alert.severity = 4
-alert.suppress = 0
-counttype = number of events
-quantity = 0
-relation = greater than
-cron_schedule = 4 * * * *
-description = This alert will pinpoint when a user failed to login.
-dispatch.earliest_time = -4h@h
-dispatch.latest_time = +4h@h
-display.general.type = statistics
-display.page.search.tab = statistics
-display.page.search.mode = fast
-request.ui_dispatch_app = cyences_app_for_splunk
-request.ui_dispatch_view = search
-search = `cs_duo`source="duo" _index_earliest=-61m@m _index_latest=-1m@m result=FAILURE NOT reason IN ("Locked out") \
-| `cs_user_privilege_mapping(username)` \
-| eval cyences_severity = if(is_privileged_user=="Yes", "critical","high") \
-| `cs_human_readable_time_format(_time, event_time)` \
-| table event_time ,username, factor, reason \
-|`cs_duo_user_login_failure_filter`
-action.cyences_notable_event_action = 1
-action.cyences_notable_event_action.param.filter_macro_name = cs_duo_user_login_failure_filter
-action.cyences_notable_event_action.contributing_events = `cs_duo`source="duo" result=FAILURE NOT reason IN ("Locked out")
-action.cyences_notable_event_action.system_compromised_search = | stats count by username
-action.cyences_notable_event_action.system_compromised_drilldown = `cs_duo`source="duo" result=FAILURE NOT reason IN ("Locked out") username=$row.username$
-action.cyences_send_email_action = 1
-action.cyences_notable_event_action.products = DUO
-action.cyences_notable_event_action.teams = SOC
+
 # ===============
 # Radius Authentication
 # ===============
@@ -6333,6 +6270,77 @@ action.cyences_notable_event_action.products = Oracle action.cyences_notable_event_action.teams = SOC +# ===== +# DUO +# ===== + +[DUO - User is Locked Out] +disabled = 1 +enableSched = 1 +alert.track = 1 +alert.severity = 4 +alert.suppress = 0 +counttype = number of events +quantity = 0 +relation = greater than +cron_schedule = 4 * * * * +description = This alert will pinpoint when a user is locked out from Duo app. +dispatch.earliest_time = -4h@h +dispatch.latest_time = +4h@h +display.general.type = statistics +display.page.search.tab = statistics +display.page.search.mode = fast +request.ui_dispatch_app = cyences_app_for_splunk +request.ui_dispatch_view = search +search = `cs_duo` source="duo" _index_earliest=-61m@m _index_latest=-1m@m reason="Locked out" \ +| `cs_user_privilege_mapping(username)` \ +| eval cyences_severity = if(is_privileged_user=="Yes", "critical","high") \ +| `cs_human_readable_time_format(_time, event_time)` \ +| table event_time, username, integration, reason, result \ +| `cs_duo_user_locked_out_filter` +action.cyences_notable_event_action = 1 +action.cyences_notable_event_action.param.filter_macro_name = cs_duo_user_locked_out_filter +action.cyences_notable_event_action.contributing_events = `cs_duo` source="duo" reason="Locked out" +action.cyences_notable_event_action.system_compromised_search = | stats count by username +action.cyences_notable_event_action.system_compromised_drilldown = `cs_duo` source="duo" reason="Locked out" username=$row.username$ +action.cyences_send_email_action = 1 +action.cyences_notable_event_action.products = DUO +action.cyences_notable_event_action.teams = SOC + + +[DUO - User Login Failure] +disabled = 1 +enableSched = 1 +alert.track = 1 +alert.severity = 4 +alert.suppress = 0 +counttype = number of events +quantity = 0 +relation = greater than +cron_schedule = 4 * * * * +description = This alert will pinpoint when a user failed to login. 
+dispatch.earliest_time = -4h@h +dispatch.latest_time = +4h@h +display.general.type = statistics +display.page.search.tab = statistics +display.page.search.mode = fast +request.ui_dispatch_app = cyences_app_for_splunk +request.ui_dispatch_view = search +search = `cs_duo` source="duo" _index_earliest=-61m@m _index_latest=-1m@m result=FAILURE NOT reason IN ("Locked out") \ +| `cs_user_privilege_mapping(username)` \ +| eval cyences_severity = if(is_privileged_user=="Yes", "critical","high") \ +| `cs_human_readable_time_format(_time, event_time)` \ +| table event_time, username, factor, reason \ +|`cs_duo_user_login_failure_filter` +action.cyences_notable_event_action = 1 +action.cyences_notable_event_action.param.filter_macro_name = cs_duo_user_login_failure_filter +action.cyences_notable_event_action.contributing_events = `cs_duo` source="duo" result=FAILURE NOT reason IN ("Locked out") +action.cyences_notable_event_action.system_compromised_search = | stats count by username +action.cyences_notable_event_action.system_compromised_drilldown = `cs_duo` source="duo" result=FAILURE NOT reason IN ("Locked out") username=$row.username$ +action.cyences_send_email_action = 1 +action.cyences_notable_event_action.products = DUO +action.cyences_notable_event_action.teams = SOC + # ======================= # Asset Inventory