topic Re: How to modify the below search so I can get only servers which are infected ? in Splunk Search

How to modify the below search so I can get only servers which are infected ?

seetharamanPr — Tue, 29 Sep 2020 11:44:00 GMT

Hi All,

We have our Symantec End Point Protection which is sending logs and it is monitoring both servers and user PCs. I have written this search based on the IP subnet where our Servers are present the problem with this we are also having user PC in the same subnet and with the search that I have written I am getting both servers and PCs. How can I get only servers which are infected. The below is the original search that I have written

index=sep sourcetype="symantec:ep:risk:file" | search dest_ip="10.4.." | stats values(signature) as multiple by dest | eventstats dc(multiple) as multiple_malware by dest | rename dest as "Target_Device", multiple as "Malware", multiple_malware as "Malware_Count"

Apart from this I have also tried to us the first 3 letters with which the servers begin like the one below

index=sep sourcetype="symantec:ep:risk:file" | search RIYS* | stats values(signature) as multiple by dest | eventstats dc(multiple) as multiple_malware by dest | rename dest as "Target_Device", multiple as "Malware", multiple_malware as "Malware_Count"

This does not yeild any reults. So I tried with the IP and the first three letters of the server name but that search still gives me the PCs as well. Any suggestion on how to modify this search to get only infected servers would be of great help.

Thank you in advance
Pradeep Seetharaman

Re: How to modify the below search so I can get only servers which are infected ?

niketn — Thu, 10 Nov 2016 06:52:08 GMT

Can you give field name for extracted field for system name along with couple of examples for Server Names and Desktop Names?

Re: How to modify the below search so I can get only servers which are infected ?

seetharamanPr — Thu, 10 Nov 2016 06:59:23 GMT

Hi Niketnilay,

Find below the names of the severs and PC. The first 2 are servers and the last one is PC

Target_Device   Malware Malware_Count

1 RIYSVMOD-001 WS.Reputation.1 1
2 RIYSVNFS-001 Trojan.Gen.2 1
3 rc-9511 Packed.Dromedan!lnk 1

Re: How to modify the below search so I can get only servers which are infected ?

niketn — Tue, 29 Sep 2020 11:47:30 GMT

Looked at your query and seems like extracted field is dest, which you rename later as Target_Device. So, Try the following (search filter on required fields should be applied as early as possible):

index=sep sourcetype="symantec:ep:risk:file" dest="RIY*"| stats values(signature) as multiple by dest | eventstats dc(multiple) as multiple_malware by dest | rename dest as "Target_Device", multiple as "Malware", multiple_malware as "Malware_Count"

Re: How to modify the below search so I can get only servers which are infected ?

seetharamanPr — Thu, 10 Nov 2016 07:11:11 GMT

Hi Niketnilay,

Thanks million that worked like a charm.

Regards
Pradeep