
Infosec App - No data for Malware

FraserC1
Path Finder

I am using the Infosec App but I am not getting any malware information.
I am getting events from Sophos Central and these are searchable etc.

I have set the cim_malware_indexes to search the sophos index, so it can search for them.

But running the below search: (edited to update to correct search)

| tstats prestats=true local=false summariesonly=true allow_old_summaries=true count from datamodel=Malware.Malware_Attacks where  Malware_Attacks.action=* by _time, Malware_Attacks.action span=10m 
| rename "Malware_Attacks.*" AS "*" 
| timechart minspan=10m useother=true count by action

I am returned no results and in this time range there are malware events.

Can anyone help me with this at all? Perhaps someone has used sophos central with the infosec app before.

Cheers.

1 Solution

igifrin_splunk
Splunk Employee

You may want to run this search to check whether your data maps to the Malware data model:

index=* tag=malware tag=attack

If you get results, add action=* to the search.

If you get results, check whether your Malware data model is accelerated.

You can also quickly check the health of your data sources by going to the Health and Stats menu and looking at the report in the lower left corner of the dashboard.

The InfoSec app needs CIM-compliant data. You’ll either need to use a CIM-compliant add-on or make your data CIM compliant.

FraserC1
Path Finder

Hey, thank you for your response.

I am using the Sophos Add-On for Splunk. https://splunkbase.splunk.com/app/4096/
And it does seem to say it is CIM compliant according to the updates on v1.0.1.

But I don't get any results when performing your searches so something is going wrong somewhere or it is not CIM compliant as it states.
I suppose I will have to make the data CIM compliant as you suggested. If you have any ideas on how to do this that would be excellent; if not, I will just look into it.

Thanks again!

0 Karma
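The accepted answer's check (tag=malware tag=attack, then action=*, then acceleration) and the follow-up question about making the data CIM compliant both come down to the same three Splunk knowledge objects. The following is an added example of how such a mapping is wired up, not configuration from the Sophos Add-On for Splunk or from the InfoSec app. The sourcetype name and the Sophos-side field names (endpoint_name, threat_name, event_type) are assumptions for illustration; only index=sophos comes from the thread, and the CIM Malware field names and action values are those the Malware data model expects.

```ini
# ---------------- props.conf ----------------
# "sophos:central:event" is a PLACEHOLDER sourcetype; use the sourcetype
# your Sophos Central events actually carry.
[sophos:central:event]
# Rename vendor fields onto the CIM Malware field names. The left-hand
# names (endpoint_name, threat_name) are ASSUMED Sophos field names.
FIELDALIAS-cim_malware_dest      = endpoint_name AS dest
FIELDALIAS-cim_malware_signature = threat_name AS signature
# Malware_Attacks.action must be one of: allowed, blocked, deferred.
# The dashboard search filters on action=*, so an unset action field
# drops the event from every Malware panel. event_type is ASSUMED.
EVAL-action = case(match(event_type, "(?i)clean|quarantin|block"), "blocked", \
                   match(event_type, "(?i)allow"), "allowed", \
                   true(), "deferred")
EVAL-vendor_product = "Sophos Central"

# -------------- eventtypes.conf --------------
# Select only the malware detections; the condition on event_type is an
# ASSUMPTION and should match whatever distinguishes malware events in
# your Sophos data.
[sophos_central_malware]
search = index=sophos sourcetype="sophos:central:event" event_type="*malware*"

# ----------------- tags.conf -----------------
# The Malware.Malware_Attacks dataset is constrained by tag=malware tag=attack,
# which is exactly what the accepted answer's search looks for.
[eventtype=sophos_central_malware]
malware = enabled
attack  = enabled
```

With these in place, `index=sophos tag=malware tag=attack action=* | stats count by action` should return rows. If it does but the dashboard's tstats search still returns nothing, run the same tstats search with summariesonly=false: summariesonly=true reads only the accelerated summary, so a non-accelerated Malware data model (or one whose summaries have not yet been built for the time range) returns zero results even when the raw events map correctly. The index also has to be listed in cim_malware_indexes, as the original post already did, because the data model constraint is evaluated only over those indexes.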

alemarzu
Motivator

Hello there, is that a typo in Malware_Attacks.action field?
Edit: value is missing.

0 Karma

FraserC1
Path Finder

Hi, thanks! Can you point out exactly where the typo is? I didn't write the search myself as I took it straight from the dashboard.

I would be surprised if there is a typo, because all dashboards referencing malware do not work.

0 Karma

alemarzu
Motivator

After the clause (where), the field Malware_Attacks.action lacks the value after the equal sign.

0 Karma

FraserC1
Path Finder

Ah that's very odd.
The search itself has a wildcard operator after the =.
It must have been lost when I pasted it. The correct search is below and I will edit the original post.

| tstats prestats=true local=false summariesonly=true allow_old_summaries=true count from datamodel=Malware.Malware_Attacks where  Malware_Attacks.action=* by _time, Malware_Attacks.action span=10m 
| rename "Malware_Attacks.*" AS "*" 
| timechart minspan=10m useother=true count by action

0 Karma