Infosec App - No data for Malware

FraserC1
Path Finder

I am using the Infosec App but I am not getting any malware information.
I am getting events from Sophos Central and these are searchable etc.

I have set the cim_malware_indexes to search the sophos index, so it can search for them.

But running the below search: (edited to update to correct search)

| tstats prestats=true local=false summariesonly=true allow_old_summaries=true count from datamodel=Malware.Malware_Attacks where  Malware_Attacks.action=* by _time, Malware_Attacks.action span=10m 
| rename "Malware_Attacks.*" AS "*" 
| timechart minspan=10m useother=true count by action

I am returned no results and in this time range there are malware events.

Can anyone help me with this at all? Perhaps someone has used sophos central with the infosec app before.

Cheers.

1 Solution

igifrin_splunk
Splunk Employee

You may want to run this search to check whether your data maps to the Malware data model:

index=* tag=malware tag=attack

If you get results, add action=* to the search.

If you get results, check whether your Malware data model is accelerated.

You can also quickly check the health of your data sources by going to the Health and Stats menu and looking at the report in the lower left corner of the dashboard.

The InfoSec app needs CIM compliant data. You’ll either need to use a CIM-compliant add on or make your data CIM compliant.

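The diagnostic sequence in the accepted answer, written out as an added example (it is not from the original thread, the InfoSec app or the CIM add-on) in the form of saved-search stanzas, so it can be dropped into a small diagnostic app and each search run from Search & Reporting over the same time range as the failing dashboard panel. The app and stanza names are hypothetical; the `datamodel` and `tstats` commands, the `cim_Malware_indexes` macro and the `datamodel/model` REST endpoint are Splunk's own. The searches are ordered so that the first one that returns nothing tells you which layer is broken: tagging, the `action` field, the data model itself, or its acceleration.

```ini
# default/savedsearches.conf of a hypothetical "cim_malware_diag" app (added example).
# Run each search over the same time range as the InfoSec panel that shows no data.

# 1. Do any events carry BOTH tags? The Malware data model root search requires
#    tag=malware AND tag=attack; an event with only one never enters the model.
[cim_diag_1_tags]
search = index=* tag=malware tag=attack | stats count by index, sourcetype, eventtype

# 1b. Same check, but scoped the way the data model is: through the CIM index macro.
#     Rows in 1 but not here mean the macro does not include the index the events live in.
[cim_diag_1b_tags_scoped]
search = `cim_Malware_indexes` tag=malware tag=attack | stats count by index, sourcetype

# 2. The InfoSec panels filter on action=* and split by action. An event with no
#    action, or a non-CIM value, is silently dropped. CIM allows allowed/blocked/deferred.
[cim_diag_2_action]
search = index=* tag=malware tag=attack | eval action_ok=if(in(action, "allowed", "blocked", "deferred"), 1, 0) | stats sum(action_ok) AS cim_action, count(action) AS has_action, count AS total by sourcetype

# 3. Read the data model directly, bypassing acceleration entirely.
[cim_diag_3_datamodel]
search = | datamodel Malware Malware_Attacks search | stats count by Malware_Attacks.action

# 4. Same query through tstats without summaries. Rows here confirm the mapping is fine.
[cim_diag_4_tstats_unaccelerated]
search = | tstats summariesonly=false count from datamodel=Malware.Malware_Attacks where Malware_Attacks.action=* by Malware_Attacks.action

# 5. Exactly what the dashboard runs: summaries only. Rows in 4 but none here mean the
#    model is not accelerated, the summary has not been built yet, or the events are
#    older than the acceleration's earliest_time window.
[cim_diag_5_tstats_summaries_only]
search = | tstats summariesonly=true count from datamodel=Malware.Malware_Attacks where Malware_Attacks.action=* by Malware_Attacks.action

# 6. Acceleration status from the REST API. The acceleration attribute is a JSON string
#    containing "enabled" and "earliest_time". Needs a role allowed to read data models.
[cim_diag_6_acceleration]
search = | rest /servicesNS/-/-/datamodel/model splunk_server=local | search title=Malware | table title, acceleration
```

If search 1 returns rows but 1b does not, fix the `cim_Malware_indexes` macro rather than the add-on. If 1 and 2 return rows but `cim_action` is zero, the add-on is tagging events but not producing a CIM `action` value, and the dashboards will stay empty until it does.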
FraserC1
Path Finder

Hey, thank you for your response.

I am using the Sophos Add-On for Splunk. https://splunkbase.splunk.com/app/4096/
And it does seem to say it is CIM compliant according to the updates on v1.0.1.

But I don't get any results when performing your searches so something is going wrong somewhere or it is not CIM compliant as it states.
I suppose I will have to make the data CIM compliant as you suggested. If you have any ideas on how to do this that would be excellent, if not I will just look into it.

Thanks again!

0 Karma
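Making an add-on's events CIM compliant by hand, as the accepted answer suggests, comes down to three search-time knowledge objects: an eventtype that selects the malware events, the two tags on that eventtype, and field aliases and evals that produce the Malware model's fields. The configuration below is an added example and is not taken from the Sophos Add-On for Splunk or from this thread; the sourcetype `sophos:central:events` and the raw field names `type`, `location`, `threat`, `name` and `source` are assumptions, as is the mapping of Sophos event types onto CIM `action` values, so verify them against `| fieldsummary` on your own events before deploying.

```ini
# Added example (not the Sophos Add-On's own configuration). Sourcetype, raw field
# names and the type-to-action mapping are assumptions; verify with
#   index=sophos | fieldsummary
# before deploying.

# ---- default/eventtypes.conf ----
# Select only threat events. One eventtype per CIM model keeps the tags precise, so
# that, for example, policy or audit events are not tagged as malware attacks.
[sophos_central_threat]
search = index=sophos sourcetype="sophos:central:events" type="Event::Endpoint::Threat::*"

# ---- default/tags.conf ----
# Both tags are required: the Malware data model root search is tag=malware tag=attack,
# and an event carrying only one of them never enters the model.
[eventtype=sophos_central_threat]
malware = enabled
attack = enabled

# ---- default/props.conf ----
[sophos:central:events]
# FIELDALIAS- is applied before EVAL-, so the aliased names exist for later evals.
FIELDALIAS-cim_dest = location AS dest
FIELDALIAS-cim_user = source AS user
EVAL-vendor_product = "Sophos Central"
# Prefer the threat name, fall back to the event description text.
EVAL-signature = coalesce(threat, name)
# The InfoSec panels filter on action=*: every event in the eventtype must receive a
# value, or it silently disappears from the dashboards. CIM allows only
# allowed, blocked and deferred. Which Sophos type maps to which value is an assumption:
# cleaned up or blocked -> blocked; detected but not removed -> allowed; anything else -> deferred.
EVAL-action = case(like(type, "%::CleanedUp") OR like(type, "%::Blocked%"), "blocked", like(type, "%::Detected"), "allowed", true(), "deferred")

# ---- metadata/default.meta ----
# Data model searches run in the app context of the CIM/data model, not in the app
# where these objects live. Export them globally or the tags are never seen.
[eventtypes]
export = system
[tags]
export = system
[props]
export = system
```

After deploying, rebuild the Malware data model acceleration (Settings > Data models > Malware > Rebuild): the dashboard's `summariesonly=true` reads only summaries, and summaries built before the change do not contain the newly tagged events. Only events inside the acceleration's earliest_time window will ever appear, so keep that window in mind when comparing a raw search with the panel.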

alemarzu
Motivator

Hello there, is that a typo in the Malware_Attacks.action field?
Edit: value is missing.

0 Karma

FraserC1
Path Finder

Hi, thanks! Can you point out exactly where the typo is? I didn't write the search myself as I took it straight from the dashboard.

I would be surprised if there is a typo, because all dashboards referencing malware do not work.

0 Karma

alemarzu
Motivator

After the clause (where), the field Malware_Attacks.action lacks the value after the equal sign.

0 Karma

FraserC1
Path Finder

Ah that's very odd.
The search itself has a wildcard operator after the =.
It must have been lost when I pasted it. The correct search is below and I will edit the original post.

| tstats prestats=true local=false summariesonly=true allow_old_summaries=true count from datamodel=Malware.Malware_Attacks where  Malware_Attacks.action=* by _time, Malware_Attacks.action span=10m 
| rename "Malware_Attacks.*" AS "*" 
| timechart minspan=10m useother=true count by action

0 Karma