topic Infosec App - No data for Malware in All Apps and Add-ons

Infosec App - No data for Malware

FraserC1 — Wed, 30 Sep 2020 00:46:55 GMT

I am using the Infosec App but I am not getting any malware information.
I am getting events from Sophos Central and these are searchable etc.

I have set the cim_malware_indexes to search the sophos index, so it can search for them.

But running the below search: (edited to update to correct search)

| tstats prestats=true local=false summariesonly=true allow_old_summaries=true count from datamodel=Malware.Malware_Attacks where  Malware_Attacks.action=* by _time, Malware_Attacks.action span=10m 
| rename "Malware_Attacks.*" AS "*" 
| timechart minspan=10m useother=true count by action

I am returned no results and in this time range there are malware events.

Can anyone help me with this at all? Perhaps someone has used sophos central with the infosec app before.

Cheers.

Re: Infosec App - No data for Malware

alemarzu — Mon, 03 Jun 2019 15:13:57 GMT

Hello there, is that a typo in Malware_Attacks.action field?
Edit: value is missing.

Re: Infosec App - No data for Malware

FraserC1 — Mon, 03 Jun 2019 15:26:53 GMT

Hi, thanks! Can you point out exactly where the typo is? I didn't write the search myself as I took it straight from the dashboard.

I would be surprised if there is a typo, because all dashboards referencing malware do not work.

Re: Infosec App - No data for Malware

alemarzu — Mon, 03 Jun 2019 15:50:42 GMT

After the clause (where), the field Malware_Attacks.action lacks the value after the equal sign.

Re: Infosec App - No data for Malware

FraserC1 — Mon, 03 Jun 2019 16:27:41 GMT

Ah that's very odd.
The search itself has a wildcard operator after the =.
It must have been lost when I pasted it. The correct search is below and I will edit the original post.

| tstats prestats=true local=false summariesonly=true allow_old_summaries=true count from datamodel=Malware.Malware_Attacks where  Malware_Attacks.action=* by _time, Malware_Attacks.action span=10m 
| rename "Malware_Attacks.*" AS "*" 
| timechart minspan=10m useother=true count by action

Re: Infosec App - No data for Malware

igifrin_splunk — Mon, 03 Jun 2019 19:31:36 GMT

You may want to run this search to check whether you data maps to the Malware data model:

index=* tag=malware tag=attack

If you get results, add action=* to the search.

If you get results, check whether your Malware data model is accelerated.

You can also quickly check the health of your data sources going to Health and Stats menu and looking at the report in the lower left corner of the dashboard.

The InfoSec app needs CIM compliant data. You’ll either need to use a CIM-compliant add on or make your data CIM compliant.

Re: Infosec App - No data for Malware

FraserC1 — Tue, 04 Jun 2019 09:43:07 GMT

Hey, thank you for your response.

I am using the Sophos Add-On for Splunk. https://splunkbase.splunk.com/app/4096/
And it does seem to say it is CIM compliant according to the updates on v1.0.1.

But I don't get any results when performing your searches so something is going wrong somewhere or it is not CIM compliant as it states.
I suppose I will have to make the data CIM compliant as you suggested. If you have any ideas on how to do this that would be excellent, if not I will just look into it.

Thanks again!