Infosec App - No data for Malware

Path Finder

I am using the Infosec App but I am not getting any malware information.
I am getting events from Sophos Central and these are searchable etc.

I have set the cim_malware_indexes to search the sophos index, so it can search for them.

But running the below search: (edited to update to correct search)

| tstats prestats=true local=false summariesonly=true allow_old_summaries=true count from datamodel=Malware.Malware_Attacks where Malware_Attacks.action=* by _time, Malware_Attacks.action span=10m
| rename "Malware_Attacks.*" AS "*" 
| timechart minspan=10m useother=true count by action

I am returned no results and in this time range there are malware events.

Can anyone help me with this at all? Perhaps someone has used sophos central with the infosec app before.

Cheers.

1 Solution

Splunk Employee

You may want to run this search to check whether your data maps to the Malware data model:

index=* tag=malware tag=attack

If you get results, add action=* to the search.

If you get results, check whether your Malware data model is accelerated.

You can also quickly check the health of your data sources going to Health and Stats menu and looking at the report in the lower left corner of the dashboard.

The InfoSec app needs CIM-compliant data. You'll either need to use a CIM-compliant add-on or make your data CIM compliant.


Path Finder

Hey, thank you for your response.

I am using the Sophos Add-On for Splunk. https://splunkbase.splunk.com/app/4096/
And it does seem to say it is CIM compliant, according to the update notes for v1.0.1.

But I don't get any results when performing your searches so something is going wrong somewhere or it is not CIM compliant as it states.
I suppose I will have to make the data CIM compliant as you suggested. If you have any ideas on how to do this that would be excellent, if not I will just look into it.

Thanks again!

0 Karma
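The following is an added example, not from this thread and not the Sophos add-on's own configuration, of the knowledge objects Splunk uses to map raw events into the CIM Malware data model. It is what the `index=* tag=malware tag=attack` check in the accepted answer depends on: Malware_Attacks is constrained on those two tags, so events that carry the right fields but not the tags are invisible to every tstats-driven dashboard, and an empty malware panel then means a coverage gap rather than a clean estate. The sourcetype name and the raw field names (`endpoint_name`, `threat_name`, `action_raw`, `threat_category`) are assumed placeholders; confirm the real names with something like `index=sophos | head 1 | table *` before using them.

```ini
# --- props.conf ---
# Assumed sourcetype; replace with the one the Sophos add-on actually assigns.
[sophos:central:event]
# Raw field names below are placeholders, not documented Sophos fields.
# Malware_Attacks expects: dest, signature, action, vendor_product, category,
# and optionally file_name, file_path, file_hash, user, severity.
FIELDALIAS-cim_dest      = endpoint_name AS dest
FIELDALIAS-cim_signature = threat_name AS signature
# CIM only accepts allowed, blocked or deferred for Malware action, so the
# vendor's free-text verb is normalised rather than aliased through as-is.
EVAL-action = case( \
    match(lower(action_raw), "clean|block|quarantin|delet"), "blocked", \
    match(lower(action_raw), "allow|detect|ignor"), "allowed", \
    true(), "deferred")
EVAL-vendor_product = "Sophos Central"
EVAL-category       = coalesce(threat_category, "malware")

# --- eventtypes.conf ---
# Selects only the detection events; everything else from the source stays untagged.
[sophos_central_malware]
search = sourcetype="sophos:central:event" threat_name=*

# --- tags.conf ---
# Both tags are required: Malware.Malware_Attacks is constrained on tag=malware tag=attack.
[eventtype=sophos_central_malware]
malware = enabled
attack  = enabled
```

Deploy these to the search head (and the indexers if the props are index-time, which these are not), restart or reload, and the accepted answer's search with `action=*` added should start returning rows. Note that the dashboards run `summariesonly=true`, which only reads the accelerated summary, so the Malware data model has to rebuild before the panels populate; in the meantime `| tstats summariesonly=false count from datamodel=Malware.Malware_Attacks by Malware_Attacks.action` confirms the mapping against raw events, and a persistent difference between the two counts is itself worth alerting on, since it means the dashboards are silently behind the data.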

Motivator

Hello there, is that a typo in the Malware_Attacks.action field?
Edit: the value is missing.

0 Karma

Path Finder

Hi, thanks! Can you point out exactly where the typo is? I didn't write the search myself as I took it straight from the dashboard.

I would be surprised if there is a typo, because all dashboards referencing malware do not work.

0 Karma

Motivator

After the clause (where), the field Malware_Attacks.action lacks the value after the equal sign.

0 Karma

Path Finder

Ah that's very odd.
The search itself has a wildcard operator after the =.
It must have been lost when I pasted it. The correct search is below and I will edit the original post.

| tstats prestats=true local=false summariesonly=true allow_old_summaries=true count from datamodel=Malware.Malware_Attacks where Malware_Attacks.action=* by _time, Malware_Attacks.action span=10m
| rename "Malware_Attacks.*" AS "*" 
| timechart minspan=10m useother=true count by action

0 Karma