Solved: Tags used with Malware events

verifi81 · ‎11-18-2020

Hi all.

I have Symantec Endpoint Protection Manager and troubleshooting the splunk Malware Datamodel. I am trying to determine what exactly constitutes an event as malware.

I've already gone through this link about the CIM for malware but it doesn't answer my question.

Basically I have a minor risk event from SEP but that event did not trigger in a correlation search which is searching from a datamodel "malware". I'll attach screenshots of the datamodel.

I'll attach a screenshot of the datamodel. I'm assuming my event didn't match because it was not tagged as malware as per the constraint of the dataset. My question is, where can I find the criteria of this tag? Hope that makes sense.

richgalloway · ‎11-18-2020

Go to Settings->Tags->List by tag name to see the definition of a tag.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

verifi81 · ‎11-18-2020

That was it. Thanks!

richgalloway · ‎11-18-2020

Go to Settings->Tags->List by tag name to see the definition of a tag.

---
If this reply helps you, Karma would be appreciated.

Tags used with Malware events

Splunk Investigate

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...