topic Locate Missing Software in Splunk Enterprise Security

Locate Missing Software

crisp023 — Tue, 07 Jan 2020 17:30:34 GMT

I am trying to run a search to locate specific missing software. I'm hitting a roadblock. I don't want to have to pull all software and do an extraction. I just want to be able to see what devices are missing our AV applications. Any thoughts?

Thanks.

Re: Locate Missing Software

richgalloway — Tue, 07 Jan 2020 17:44:17 GMT

You can't search for something that's not there. See https://www.duanewaddle.com/proving-a-negative/
The only way to find who doesn't have something is to subtract those that do have it from the list of everyone.

Re: Locate Missing Software

wmyersas — Tue, 07 Jan 2020 20:20:36 GMT

As @richgalloway said, you cannot look for some that's not there

However, you can look for things that are some places and not others

You might do something like this on a periodic basis (of course, use whatever field names fit your environment):

index=ndx sourcetype=srctp hostname=* appname=*
| stats count by hostname
| fields - count
| outputlookup allendpointswithsoftware.csv

Now you have a list of all endpoints that have installed software of any kind.

Now get a list of all endpoints that have the AV software:

index=ndx sourcetype=srctp hostname=* appname="my-AV-name"
| stats count by hostname
| fields - count
| outputlookup allendpointswithavtools.csv

Then do a diff between them:

| inputlookup allendpointswithsoftware.csv
| search NOT
[ | inputlookup allendpointswithavtools.csv ]

This will give you all the hosts that weren't in the AV-is-installed list, but are known in Splunk