DUO Failure Logins

cyences_app_for_splunk/appserver/static/cs_overview.js

@@ -82,6 +82,7 @@ require([
         { token: "vulnerability", product: "Vulnerability" },
         { token: "db_oracle", product: "Oracle" },
         { token: "db_mssql", product: "MSSQL" },
+        { token: "duo", product: "DUO" },
     ];
 
 
@@ -181,7 +182,7 @@ require([
         }
     });
 
-    var tableIDs = ["tbl_authentication", "tbl_vpn", "tbl_radius_authentication", "tbl_crowdstrike_eventstream", "tbl_sophos", "tbl_windows_defender", "tbl_o365_defender_atp", "tbl_aws", "tbl_gws", "tbl_o365", "tbl_email", "tbl_network_compromise", "tbl_cisco_ios", "tbl_fortigate", "tbl_palo_alto", "tbl_sophos_firewall", "tbl_cisco_meraki", "tbl_f5_bigip", "tbl_cloudflare", "tbl_windows", "tbl_ad_windows", "tbl_sysmon", "tbl_linux", "tbl_vulnerability", "tbl_db_oracle", "tbl_db_mssql", "tbl_monthly_alerts", "tbl_other_alerts" ];
+    var tableIDs = ["tbl_authentication", "tbl_vpn", "tbl_radius_authentication", "tbl_crowdstrike_eventstream", "tbl_sophos", "tbl_windows_defender", "tbl_o365_defender_atp", "tbl_aws", "tbl_gws", "tbl_o365", "tbl_email", "tbl_network_compromise", "tbl_cisco_ios", "tbl_fortigate", "tbl_palo_alto", "tbl_sophos_firewall", "tbl_cisco_meraki", "tbl_f5_bigip", "tbl_cloudflare", "tbl_windows", "tbl_ad_windows", "tbl_sysmon", "tbl_linux", "tbl_vulnerability", "tbl_db_oracle", "tbl_db_mssql", "tbl_duo", "tbl_monthly_alerts", "tbl_other_alerts" ];
     for (let i=0;i<tableIDs.length;i++) {
         var sh = mvc.Components.getInstance(tableIDs[i]);
         if(typeof(sh)!="undefined") {

cyences_app_for_splunk/bin/cs_product_list.py

@@ -822,6 +822,25 @@ def build_app_dependency_search(app_list):
             }
         ],
     },
+    {
+        "name": "DUO",
+        "app_dependencies": [
+            {
+                "label": "Duo Security",
+                "link": "https://splunkbase.splunk.com/app/3504/"
+            }
+        ],
+        "macro_configurations": [
+            {
+                "macro_name": "cs_duo",
+                "label": "DUO Data",
+                "search_by": "source",
+                "search_values": "duo",
+                "earliest_time": "-1d@d",
+                "latest_time": "now",
+            }
+        ],
+    },
 ]
 
 for product in PRODUCTS:

cyences_app_for_splunk/default/data/ui/views/cs_overview.xml

@@ -706,6 +706,27 @@
         </drilldown>
       </table>
     </panel>
+    <panel depends="$duo$">
+      <title>DUO</title>
+      <table id="tbl_duo">
+        <search base="basesearch">
+          <query>| `cs_filter_savedsearches("DUO")`</query>
+        </search>
+        <option name="count">10</option>
+        <option name="drilldown">row</option>
+        <option name="refresh.display">progressbar</option>
+        <format type="color" field="disabled">
+          <colorPalette type="map">{"1":#F7BC38}</colorPalette>
+        </format>
+        <format type="color" field="is_scheduled">
+          <colorPalette type="map">{"0":#F7BC38}</colorPalette>
+        </format>
+        <fields>["Name","Notable Events"]</fields>
+        <drilldown>
+          <link target="_blank">/app/cyences_app_for_splunk/cs_forensics?form.tkn_savedsearch=$row.savedsearch_name$&amp;form.timeRange.earliest=$timeRange.earliest$&amp;form.timeRange.latest=$timeRange.latest$&amp;form.tkn_severity=$row.cyences_severity$&amp;$tkn_status_drilldown|n$</link>
+        </drilldown>
+      </table>
+    </panel>
   </row>
   <row>
     <panel depends="$linux$">
@@ -857,7 +878,7 @@
       <title>Other Alerts</title>
       <table id="tbl_other_alerts">
         <search base="basesearch">
-          <query> eval products_to_search="Authentication|VPN|Radius Authentication|Sophos Endpoint Protection|Windows Defender|CrowdStrike EventStream|Office 365 Defender ATP|AWS|Google Workspace|Office 365|Email|Network|Cisco IOS|FortiGate|Palo Alto|Sophos Firewall|Cisco Meraki|F5 BIGIP|Vulnerability|Windows|Windows AD|Sysmon|Linux|Oracle|MSSQL"
+          <query> eval products_to_search="Authentication|VPN|Radius Authentication|Sophos Endpoint Protection|Windows Defender|CrowdStrike EventStream|Office 365 Defender ATP|AWS|Google Workspace|Office 365|Email|Network|Cisco IOS|FortiGate|Palo Alto|Sophos Firewall|Cisco Meraki|F5 BIGIP|Cloudflare|Vulnerability|Windows|Windows AD|Sysmon|Linux|Oracle|MSSQL|DUO"
 | makemv delim="|" products_to_search | eval products_to_search=trim(products_to_search)
 | cyencesmvintersection set1="products_to_search" set2="alert_products"
 | where mvcount(intersection)=0

cyences_app_for_splunk/default/macros.conf

@@ -1483,6 +1483,10 @@ iseval = 0
 definition = search *
 iseval = 0
 
+[cs_duo_user_login_failure_filter]
+definition = search *
+iseval = 0
+
 # Radius Authentication
 [cs_radius_authentication_excessive_login_failure_limit]
 definition = 20

cyences_app_for_splunk/default/savedsearches.conf

@@ -5823,37 +5823,8 @@ action.cyences_send_email_action = 1
 action.cyences_notable_event_action.products = VPN
 action.cyences_notable_event_action.teams = SOC
 
-[DUO - User is Locked Out]
-disabled = 1
-enableSched = 1
-alert.track = 1
-alert.severity = 4
-alert.suppress = 0
-counttype = number of events
-quantity = 0
-relation = greater than
-cron_schedule = 4 * * * *
-description = This alert will pinpoint when a user is locked out from Duo app. 
-dispatch.earliest_time = -4h@h
-dispatch.latest_time = +4h@h
-display.general.type = statistics
-display.page.search.tab = statistics
-display.page.search.mode = fast
-request.ui_dispatch_app = cyences_app_for_splunk
-request.ui_dispatch_view = search
-search =  `cs_duo` source="duo" _index_earliest=-61m@m _index_latest=-1m@m reason="Locked out" \
-| `cs_user_privilege_mapping(username)` \
-| eval cyences_severity = if(is_privileged_user=="Yes", "critical","high") \
-| `cs_human_readable_time_format(_time, event_time)` \
-| table event_time, username, integration, reason, result \
-| `cs_duo_user_locked_out_filter`
-action.cyences_notable_event_action = 1
-action.cyences_notable_event_action.contributing_events = `cs_duo` source="duo" reason="Locked out"
-action.cyences_notable_event_action.system_compromised_search = | stats count by username
-action.cyences_notable_event_action.system_compromised_drilldown = `cs_duo` source="duo" reason="Locked out" username=$row.username$
-action.cyences_send_email_action = 1
-action.cyences_notable_event_action.products = DUO
-action.cyences_notable_event_action.teams = SOC
+
+
 # ===============
 # Radius Authentication
 # ===============
@@ -6299,6 +6270,77 @@ action.cyences_notable_event_action.products = Oracle
 action.cyences_notable_event_action.teams = SOC
 
 
+# =====
+# DUO
+# =====
+
+[DUO - User is Locked Out]
+disabled = 1
+enableSched = 1
+alert.track = 1
+alert.severity = 4
+alert.suppress = 0
+counttype = number of events
+quantity = 0
+relation = greater than
+cron_schedule = 4 * * * *
+description = This alert will pinpoint when a user is locked out from Duo app. 
+dispatch.earliest_time = -4h@h
+dispatch.latest_time = +4h@h
+display.general.type = statistics
+display.page.search.tab = statistics
+display.page.search.mode = fast
+request.ui_dispatch_app = cyences_app_for_splunk
+request.ui_dispatch_view = search
+search =  `cs_duo` source="duo" _index_earliest=-61m@m _index_latest=-1m@m reason="Locked out" \
+| `cs_user_privilege_mapping(username)` \
+| eval cyences_severity = if(is_privileged_user=="Yes", "critical","high") \
+| `cs_human_readable_time_format(_time, event_time)` \
+| table event_time, username, integration, reason, result \
+| `cs_duo_user_locked_out_filter`
+action.cyences_notable_event_action = 1
+action.cyences_notable_event_action.param.filter_macro_name = cs_duo_user_locked_out_filter
+action.cyences_notable_event_action.contributing_events = `cs_duo` source="duo" reason="Locked out"
+action.cyences_notable_event_action.system_compromised_search = | stats count by username
+action.cyences_notable_event_action.system_compromised_drilldown = `cs_duo` source="duo" reason="Locked out" username=$row.username$
+action.cyences_send_email_action = 1
+action.cyences_notable_event_action.products = DUO
+action.cyences_notable_event_action.teams = SOC
+
+
+[DUO - User Login Failure]
+disabled = 1
+enableSched = 1
+alert.track = 1
+alert.severity = 4
+alert.suppress = 0
+counttype = number of events
+quantity = 0
+relation = greater than
+cron_schedule = 4 * * * *
+description = This alert will pinpoint when a user failed to login. 
+dispatch.earliest_time = -4h@h
+dispatch.latest_time = +4h@h
+display.general.type = statistics
+display.page.search.tab = statistics
+display.page.search.mode = fast
+request.ui_dispatch_app = cyences_app_for_splunk
+request.ui_dispatch_view = search
+search =  `cs_duo` source="duo" _index_earliest=-61m@m _index_latest=-1m@m result=FAILURE NOT reason IN ("Locked out") \
+| `cs_user_privilege_mapping(username)` \
+| eval cyences_severity = if(is_privileged_user=="Yes", "critical","high") \
+| `cs_human_readable_time_format(_time, event_time)` \
+| table event_time, username, factor, reason \
+|`cs_duo_user_login_failure_filter`
+action.cyences_notable_event_action = 1
+action.cyences_notable_event_action.param.filter_macro_name = cs_duo_user_login_failure_filter
+action.cyences_notable_event_action.contributing_events = `cs_duo` source="duo" result=FAILURE NOT reason IN ("Locked out")
+action.cyences_notable_event_action.system_compromised_search = | stats count by username
+action.cyences_notable_event_action.system_compromised_drilldown = `cs_duo` source="duo" result=FAILURE NOT reason IN ("Locked out") username=$row.username$
+action.cyences_send_email_action = 1
+action.cyences_notable_event_action.products = DUO
+action.cyences_notable_event_action.teams = SOC
+
 
 # =======================
 # Asset Inventory