Best practice: For all data inputs, specify a target index instead of relying on the default. Routing each source to a purpose-specific index makes access controls and retention policies easier to sustain, because both are applied per index. By default, Splunk stores data in the default index, named main.
Detect whether the same malware occurs multiple times on the same host.
Run the following search. The pipeline begins with a stats command, so it must be preceded by a base search that returns the antimalware events from your endpoint protection add-on (the sourcetype or tag to use depends on the add-on you deployed). range(_time) is the number of seconds between the oldest and newest detection of a given risk on a given host; the where clause keeps only risk/host pairs whose detections span more than 1800 seconds (30 minutes), which filters out the burst of events that a single infection produces during one scan and leaves only detections that came back later.
| stats count range(_time) AS TimeRange BY RiskName, ComputerName
| where TimeRange>1800
| eval TimeRangeInHours = round(TimeRange/3600,2), TimeRangeIn_Days = round(TimeRange/3600/24,2)
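The following is an added example, not code from the Splunk documentation or from any Splunk add-on. It re-implements the logic of the search above in plain Python so the grouping, the 1800-second floor and the hour/day conversion can be checked offline against a few constructed antimalware events. The key=value event format, the field names risk_name and computer_name, and the sample hosts and risk names are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample antimalware events (not real log data). Three detections of
# the same risk on WS-0142 spread over two days, two detections on WS-0077 only
# 20 minutes apart, and a single detection on SRV-DB01.
SAMPLE_EVENTS = """\
2024-03-01T08:00:00Z risk_name="Trojan.Gen.2" computer_name="WS-0142" action="quarantined"
2024-03-01T08:10:00Z risk_name="Trojan.Gen.2" computer_name="WS-0142" action="quarantined"
2024-03-03T09:45:00Z risk_name="Trojan.Gen.2" computer_name="WS-0142" action="quarantined"
2024-03-01T12:00:00Z risk_name="PUA.Toolbar" computer_name="WS-0077" action="cleaned"
2024-03-01T12:20:00Z risk_name="PUA.Toolbar" computer_name="WS-0077" action="cleaned"
2024-03-02T15:45:00Z risk_name="Trojan.Gen.2" computer_name="SRV-DB01" action="quarantined"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line):
    """Split one line into its key=value fields plus an epoch timestamp,
    stored under "_time" to mirror the field Splunk's range(_time) reads."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["_time"] = (
        datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        .replace(tzinfo=timezone.utc)
        .timestamp()
    )
    return fields


def recurring_malware(lines, min_range_seconds=1800):
    """Equivalent of:
       | stats count range(_time) AS TimeRange BY RiskName, ComputerName
       | where TimeRange>1800
       | eval TimeRangeInHours=..., TimeRangeIn_Days=...
    Returns one row per risk/host pair whose detections span more than
    min_range_seconds."""
    groups = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        groups[(ev["risk_name"], ev["computer_name"])].append(ev["_time"])

    results = []
    for (risk, host), times in sorted(groups.items()):
        # range(_time): newest detection minus oldest detection, in seconds.
        time_range = max(times) - min(times)
        # where TimeRange>1800: a single detection (range 0) or a cluster of
        # events from one scan falls below the floor and is not reported.
        if time_range > min_range_seconds:
            results.append({
                "RiskName": risk,
                "ComputerName": host,
                "count": len(times),
                "TimeRange": time_range,
                "TimeRangeInHours": round(time_range / 3600, 2),
                "TimeRangeIn_Days": round(time_range / 3600 / 24, 2),
            })
    return results


if __name__ == "__main__":
    for row in recurring_malware(SAMPLE_EVENTS.splitlines()):
        print(row)
```

Only the WS-0142 pair survives the filter: the WS-0077 detections are 1200 seconds apart, which is the kind of same-incident duplicate the 1800-second floor is meant to suppress, and SRV-DB01 has a single detection with a range of 0. Tune min_range_seconds to match how long one full scan takes in your environment; set it too low and every multi-file infection looks like a recurrence, set it too high and a host reinfected the same afternoon is missed.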
How to respond: When infections recur on the same host, it is important to understand why the system keeps getting infected. If you see suspicious activity in your proxy logs or suspicious emails passing through the spam filter, make sure your users have proper security awareness training, and consider strengthening your malware protection. If you cannot determine the cause of the reinfection, the host may still be infected from the first occurrence: if the antivirus did not fully clean the host, other functionality of the malware may activate later and trigger new detections.
See the following video for more details related to this use case.
If no results appear, it may be because the add-ons were not deployed to the search heads, so the needed tags and fields are not defined. Deploy the add-ons to the search heads to access the needed tags and fields. See About installing Splunk add-ons in the Splunk Add-ons manual.
For troubleshooting tips that you can apply to all add-ons, see Troubleshoot add-ons in the Splunk Add-ons manual.