I have Symantec Endpoint Protection Manager and am troubleshooting the Splunk Malware data model. I am trying to determine what exactly constitutes a malware event.
I've already gone through this link about the CIM for malware but it doesn't answer my question.
Basically, I have a minor-risk event from SEP, but that event did not trigger a correlation search that searches the "Malware" data model. I'll attach screenshots of the data model.
I'll attach a screenshot of the data model. I'm assuming my event didn't match because it was not tagged as malware, as per the constraint of the dataset. My question is: where can I find the criteria for this tag? Hope that makes sense.