
Example of how to detect malware infections across multiple hosts?

sloshburch
Ultra Champion

Does anyone have examples of how to use Splunk to detect malware infections across multiple hosts?


sloshburch
Ultra Champion

The Splunk Product Best Practices team helped produce this response. Read more about use case examples in Splunk® Platform Use Cases on Splunk Docs.

Multiple, simultaneous viruses are a concern because they can indicate an exploit kit that tries several techniques where some succeed on a single host with multiple unrelated viruses. Prioritize these hosts and investigate them immediately to ensure nothing is missed.

This use case is from the Splunk Security Essentials app. For more examples, see the Splunk Security Essentials app on Splunkbase.

Load data

How to implement: With Symantec logs onboard, these searches should work easily. If you have a different anti-virus product, adapt the searches to the field names and source types for that product. Search on Splunkbase for a Splunk add-on that maps field names and source types to the Common Information Model.

Data check: This use case requires Symantec AV data.

Get insights

Find hosts that logged into multiple, different, and infected endpoints in a short period of time.

Use the following search:

index=* tag=malware tag=attack
| transaction maxpause=1h dest
| where eventcount>=3 AND duration>240
| table Occurrences, signature, Requested_Action, Actual_Action, Secondary_Action, ApplicationHash, HashType, dest, src, user, Confidence, Disposition, file_path, Prevalence, _time

Best practice: In searches, replace the asterisk in index=* with the name of the index that contains the data. By default, Splunk stores data in the main index. Therefore, index=* becomes index=main. Use the OR operator to specify one or multiple indexes to search. For example, index=main OR index=security. See About managing indexes and How indexing works in Splunk docs for details.

How to respond: Use your malware response procedure.

Help

This search works with Symantec logs onboard. However, you can adapt it to work with a different anti-virus product by updating the field names and source types for that product. Search Splunkbase to find a Splunk Add-on that maps your product to the Common Information Model.

This search is for Symantec AV data. However, you can adapt it to work with other anti-virus products.

If no results appear, deploy the Add-ons to the search heads to access the knowledge objects necessary for simple searching. See About installing Splunk add-ons on Splunk Docs for assistance.

For more support, post a question to the Splunk Answers community.


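To make explicit what the transaction search above actually selects, here is an added example (not Splunk's code and not part of the original answer) that re-implements the same grouping and filtering logic in Python over a handful of constructed CIM-style malware events. It groups events per dest, starts a new group whenever consecutive events are more than one hour apart (maxpause=1h), and keeps only groups with at least three events spanning more than 240 seconds. The host names, signature names and timestamps are all constructed sample data; the field names follow the CIM Malware model as used by the search.

```python
"""Python re-implementation of the SPL from the answer (added example, not Splunk's code):

    index=* tag=malware tag=attack
    | transaction maxpause=1h dest
    | where eventcount>=3 AND duration>240
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MAXPAUSE = timedelta(hours=1)   # transaction maxpause=1h
MIN_EVENTS = 3                  # where eventcount>=3
MIN_DURATION = 240              # where duration>240 (seconds)


@dataclass
class Transaction:
    """One group of malware events on a single dest, like an SPL transaction."""
    dest: str
    events: list = field(default_factory=list)

    @property
    def eventcount(self):
        return len(self.events)

    @property
    def duration(self):
        # Seconds between first and last event, matching SPL's transaction duration
        return (self.events[-1]["_time"] - self.events[0]["_time"]).total_seconds()

    @property
    def signatures(self):
        return sorted({e["signature"] for e in self.events})


def build_transactions(events, maxpause=MAXPAUSE):
    """Group events by dest in time order; split a group when the gap between
    consecutive events exceeds maxpause (SPL: transaction maxpause=1h dest)."""
    by_dest = {}
    for e in sorted(events, key=lambda e: e["_time"]):
        by_dest.setdefault(e["dest"], []).append(e)
    out = []
    for dest, evs in by_dest.items():
        current = Transaction(dest)
        for e in evs:
            if current.events and e["_time"] - current.events[-1]["_time"] > maxpause:
                out.append(current)          # pause too long: close this transaction
                current = Transaction(dest)
            current.events.append(e)
        out.append(current)
    return out


def find_multi_infection_hosts(events, min_events=MIN_EVENTS, min_duration=MIN_DURATION):
    """Apply the `where eventcount>=3 AND duration>240` filter to the transactions."""
    return [t for t in build_transactions(events)
            if t.eventcount >= min_events and t.duration > min_duration]


def _ev(ts, dest, signature, user):
    return {"_time": datetime.fromisoformat(ts), "dest": dest,
            "signature": signature, "user": user}


# Constructed sample events (not real detections); CIM Malware field names.
SAMPLE_EVENTS = [
    # ws01: three different signatures in 12 minutes -> flagged
    _ev("2024-01-15T09:00:00", "ws01", "Example.Trojan.A", "alice"),
    _ev("2024-01-15T09:05:00", "ws01", "Example.Downloader.B", "alice"),
    _ev("2024-01-15T09:12:00", "ws01", "Example.Backdoor.C", "alice"),
    # ws02: three events but only 120 s apart -> dropped by duration>240
    _ev("2024-01-15T09:00:00", "ws02", "Example.Trojan.A", "bob"),
    _ev("2024-01-15T09:01:00", "ws02", "Example.Trojan.A", "bob"),
    _ev("2024-01-15T09:02:00", "ws02", "Example.Downloader.B", "bob"),
    # ws03: a 2.5 h gap splits the events into two transactions of 1 and 2 -> not flagged
    _ev("2024-01-15T09:00:00", "ws03", "Example.Trojan.A", "carol"),
    _ev("2024-01-15T11:30:00", "ws03", "Example.Adware.D", "carol"),
    _ev("2024-01-15T12:00:00", "ws03", "Example.Backdoor.C", "carol"),
    # ws04: only two events -> not flagged
    _ev("2024-01-15T10:00:00", "ws04", "Example.Trojan.A", "dave"),
    _ev("2024-01-15T10:20:00", "ws04", "Example.Downloader.B", "dave"),
]


if __name__ == "__main__":
    for t in find_multi_infection_hosts(SAMPLE_EVENTS):
        print(f"{t.dest}: {t.eventcount} events over {t.duration:.0f}s, "
              f"signatures={t.signatures}")
```

Running this flags only ws01. The ws02 case is worth noting when tuning the search for your own data: a host hit by three detections within two minutes is dropped by the `duration>240` clause, so if your goal is to catch fast bursts as well as drawn-out infections, lower or remove that threshold rather than the event count.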
