Merge pull request #322 from splunk/CRL-1720

adding definitions
splunk · Jan 23, 2020 · f2702a6 · f2702a6
2 parents cbd0c38 + 9e6becd
commit f2702a6
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 6 deletions.
diff --git a/detections/clients_connecting_to_multiple_dns_servers.yml b/detections/clients_connecting_to_multiple_dns_servers.yml
@@ -16,7 +16,7 @@ detect:
   splunk:
     correlation_rule:
       macros:
-        - clients_connecting_to_multiple_dns_servers_filter
+        - clients_connecting_to_multiple_dns_servers_output_filter
       notable:
         nes_fields: src, dest
         rule_description: This search allows you to identify the endpoints that have
@@ -35,7 +35,7 @@ detect:
       search: '| tstats `security_content_summariesonly` count, values(DNS.dest) AS dest dc(DNS.dest)
         as dest_count from datamodel=Network_Resolution where DNS.message_type=QUERY
         by DNS.src | `drop_dm_object_name("Network_Resolution")` |where dest_count
-        > 5 | `clients_connecting_to_multiple_dns_servers_filter`'
+        > 5 | `clients_connecting_to_multiple_dns_servers_output_filter`'
       suppress:
         suppress_fields: src
         suppress_period: 86400s

diff --git a/detections/dns_record_changed.yml b/detections/dns_record_changed.yml
@@ -22,7 +22,7 @@ detect:
       lookups:
         - discovered_dns_records
       macros:
-        - dns_record_changed_filter
+        - dns_record_changed_output_filter
       notable:
         nes_fields: src
         rule_description: The table represents a list of DNS records and their responses
@@ -44,7 +44,7 @@ detect:
         | rename DNS.query as query | where query!="unknown" | rex field=query "(?<domain>\w+\.\w+?)(?:$|/)"]
         | makemv delim=" " answer |  makemv delim=" " type | sort -count | table count,src,domain,type,query,current_answer,discovered_answer
         | makemv current_answer  | mvexpand current_answer | makemv discovered_answer
-        | eval n=mvfind(discovered_answer, current_answer) | where isnull(n) | `dns_record_changed_filter`'
+        | eval n=mvfind(discovered_answer, current_answer) | where isnull(n) | `dns_record_changed_output_filter`'
       suppress:
         suppress_fields: src
         suppress_period: 28800s

diff --git a/macros/clients_connecting_to_multiple_dns_servers.yml b/macros/clients_connecting_to_multiple_dns_servers.yml
@@ -1,2 +1,3 @@
 description: Use this macro to add additional filters for monitoring clients connecting to multiple dns servers 
-name: clients_connecting_to_multiple_dns_servers_filter
+name: clients_connecting_to_multiple_dns_servers_output_filter
+definition: search *
diff --git a/macros/dns_record_changed_filter.yml b/macros/dns_record_changed_filter.yml
@@ -1,2 +1,3 @@
 description: Use this macro to add additional filters for monitoring DNS records changed 
-name: dns_record_changed_filter
+name: dns_record_changed_output_filter
+definition: search *