I am using the Infosec App but I am not getting any malware information.
I am getting events from Sophos Central and these are searchable etc.
I have set the cim_malware_indexes to search the sophos index, so it can search for them.
But running the below search: (edited to update to correct search)
| tstats prestats=true local=false summariesonly=true allow_old_summaries=true count from datamodel=Malware.Malware_Attacks where Malware_Attacks.action=* by _time, Malware_Attacks.action span=10m
| rename "Malware_Attacks.*" AS "*"
| timechart minspan=10m useother=true count by action
I am returned no results and in this time range there are malware events.
Can anyone help me with this at all? Perhaps someone has used Sophos Central with the InfoSec app before.
Cheers.
You may want to run this search to check whether your data maps to the Malware data model:
index=* tag=malware tag=attack
If you get results, add action=* to the search.
If you get results, check whether your Malware data model is accelerated.
You can also quickly check the health of your data sources by going to the Health and Stats menu and looking at the report in the lower left corner of the dashboard.
The InfoSec app needs CIM-compliant data. You’ll either need to use a CIM-compliant add-on or make your data CIM compliant.
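The checks in this answer (do the events carry tag=malware and tag=attack, and do they have an action value for the dashboard's action=* filter) can be approximated offline on a handful of exported events. The script below is an added example, not part of this thread or of the Sophos Add-On; the sample events are constructed, and the field list is taken from the CIM Malware data model's Malware_Attacks dataset as I know it, so treat it as a starting point, not the authoritative list.

```python
"""Offline approximation of the two diagnostic searches above.

In Splunk the authoritative checks are:
    index=* tag=malware tag=attack
    index=* tag=malware tag=attack action=*
This script applies the same logic to a list of event dicts (field name -> value)
such as you would get by exporting search results as JSON. Sample events below
are constructed and hypothetical; they only mimic the shape of endpoint alerts.
"""

# Dataset constraint of CIM Malware.Malware_Attacks: both tags must be present.
REQUIRED_TAGS = {"malware", "attack"}

# The InfoSec malware dashboards filter and split on this field.
REQUIRED_FIELDS = ("action",)

# Further Malware_Attacks fields (assumed from the CIM model) that the other
# dashboards pivot on; missing ones do not hide events but leave panels empty.
RECOMMENDED_FIELDS = (
    "signature", "dest", "file_name", "file_path", "file_hash", "user", "vendor_product",
)

# Constructed sample events (hypothetical values, not real Sophos Central output).
SAMPLE_EVENTS = [
    {"tag": ["malware", "attack"], "action": "blocked", "signature": "Constructed/Test-A",
     "dest": "host-a", "vendor_product": "Sophos Central"},
    # Only one of the two tags: never enters the Malware_Attacks dataset.
    {"tag": ["malware"], "action": "allowed", "signature": "Constructed/Test-B", "dest": "host-b"},
    # Tags are fine, but no action field: dropped by the dashboard's action=* filter.
    {"tag": ["malware", "attack"], "signature": "Constructed/Test-C", "dest": "host-c"},
    # Raw event with no CIM tagging at all.
    {"tag": [], "type": "Event::Endpoint::Threat::Detected", "dest": "host-d"},
]


def _as_set(value):
    """Splunk's tag field is multivalue; accept a list, a single string, or None."""
    if value is None:
        return set()
    if isinstance(value, str):
        return {value}
    return set(value)


def check_event(event):
    """Report why a single event would or would not show up in the dashboard."""
    missing_tags = sorted(REQUIRED_TAGS - _as_set(event.get("tag")))
    missing_required = [f for f in REQUIRED_FIELDS if not event.get(f)]
    missing_recommended = [f for f in RECOMMENDED_FIELDS if not event.get(f)]
    in_dataset = not missing_tags
    return {
        "in_dataset": in_dataset,                                  # passes tag=malware tag=attack
        "matches_action_filter": in_dataset and not missing_required,  # also passes action=*
        "missing_tags": missing_tags,
        "missing_required": missing_required,
        "missing_recommended": missing_recommended,
    }


def summarize(events):
    """Counts mirroring the two searches, plus the fields most often missing."""
    results = [check_event(e) for e in events]
    field_gaps = {}
    for r in results:
        for f in r["missing_required"] + r["missing_recommended"]:
            field_gaps[f] = field_gaps.get(f, 0) + 1
    return {
        "total": len(events),
        "in_dataset": sum(1 for r in results if r["in_dataset"]),
        "matches_action_filter": sum(1 for r in results if r["matches_action_filter"]),
        "field_gaps": dict(sorted(field_gaps.items())),
    }


if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        print(i, check_event(ev))
    print(summarize(SAMPLE_EVENTS))
```

If the summary shows zero events in the dataset, the add-on's tags are not being applied to your sourcetype (eventtype or tags.conf mismatch); if events are in the dataset but none match the action filter, the field alias or extraction for action is what needs fixing. Either way, the data model acceleration will have nothing to summarize until the events pass both checks.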
Hey, thank you for your response.
I am using the Sophos Add-On for Splunk. https://splunkbase.splunk.com/app/4096/
And it does seem to say it is CIM compliant according to the updates on v1.0.1.
But I don't get any results when performing your searches so something is going wrong somewhere or it is not CIM compliant as it states.
I suppose I will have to make the data CIM compliant as you suggested. If you have any ideas on how to do this that would be excellent, if not I will just look into it.
Thanks again!
Hello there, is that a typo in the Malware_Attacks.action field?
Edit: value is missing.
Hi, thanks! Can you point out exactly where the typo is? I didn't write the search myself as I took it straight from the dashboard.
I would be surprised if there is a typo, because all dashboards referencing malware do not work.
After the where clause, the field Malware_Attacks.action lacks the value after the equals sign.
Ah that's very odd.
The search itself has a wildcard operator after the =.
It must have been lost when I pasted it. The correct search is below and I will edit the original post.
| tstats prestats=true local=false summariesonly=true allow_old_summaries=true count from datamodel=Malware.Malware_Attacks where Malware_Attacks.action=* by _time, Malware_Attacks.action span=10m
| rename "Malware_Attacks.*" AS "*"
| timechart minspan=10m useother=true count by action