Solved: Tags used with Malware events

verifi81 · ‎11-18-2020

Hi all.

I have Symantec Endpoint Protection Manager and troubleshooting the splunk Malware Datamodel. I am trying to determine what exactly constitutes an event as malware.

I've already gone through this link about the CIM for malware but it doesn't answer my question.

Basically I have a minor risk event from SEP but that event did not trigger in a correlation search which is searching from a datamodel "malware". I'll attach screenshots of the datamodel.

I'll attach a screenshot of the datamodel. I'm assuming my event didn't match because it was not tagged as malware as per the constraint of the dataset. My question is, where can I find the criteria of this tag? Hope that makes sense.

richgalloway · ‎11-18-2020

Go to Settings->Tags->List by tag name to see the definition of a tag.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

verifi81 · ‎11-18-2020

That was it. Thanks!

richgalloway · ‎11-18-2020

Go to Settings->Tags->List by tag name to see the definition of a tag.

---
If this reply helps you, Karma would be appreciated.

Tags used with Malware events

Splunk Investigate

.conf24 | Day 0

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector