Splunk Cloud Platform

Tags used with Malware events

verifi81
Path Finder

Hi all.

I have Symantec Endpoint Protection Manager and am troubleshooting the Splunk Malware data model. I am trying to determine what exactly constitutes an event as malware.

I've already gone through this link about the CIM for malware, but it doesn't answer my question.

Basically I have a minor risk event from SEP, but that event did not trigger a correlation search which is searching from the "malware" data model. I'll attach a screenshot of the data model.

I'm assuming my event didn't match because it was not tagged as malware, as per the constraint of the dataset. My question is, where can I find the criteria of this tag? Hope that makes sense.


richgalloway
SplunkTrust

Go to Settings->Tags->List by tag name to see the definition of a tag.

---
If this reply helps you, Karma would be appreciated.
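For context on what that tag definition means in practice: the tag a data model constraint looks for is not on the raw event, it is attached to an eventtype, and an eventtype is itself a saved search. The fragments below are an added example (not from the original post, and not the configuration shipped by Splunk or the Symantec add-on) showing that chain for an SEP risk log; the sourcetype, eventtype name and field values are placeholders, while the `tag=malware tag=attack` constraint is the root constraint of the CIM Malware data model's Malware_Attacks dataset.

```ini
# eventtypes.conf (constructed example; sourcetype and field values are placeholders)
# An event "is" this eventtype only if this search matches it. An SEP event
# whose action or severity falls outside the search (e.g. a risk that was only
# logged, not blocked) never receives the eventtype and therefore never gets its tags.
[symantec_ep_risk_example]
search = sourcetype="symantec:ep:risk:placeholder" action=blocked

# tags.conf
# Tags are bound to field=value pairs; here to the eventtype above.
# The CIM Malware data model's Malware_Attacks root dataset is constrained to
# tag=malware tag=attack, so BOTH tags must resolve or the event is outside the dataset
# and any correlation search built on it will not see the event.
[eventtype=symantec_ep_risk_example]
malware = enabled
attack = enabled

# Verification searches (SPL, run in the search bar):
# 1. Which eventtypes and tags did the events actually receive?
#    sourcetype="symantec:ep:risk:placeholder" | stats count by eventtype, tag
# 2. Does the event reach the dataset the correlation search reads from?
#    | datamodel Malware Malware_Attacks search | search sourcetype="symantec:ep:risk:placeholder"
```

If the first search shows no `eventtype` for the event, the fix is in the eventtype's search string, not in tags.conf; if the eventtype is present but a tag is missing, the fix is in tags.conf.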


verifi81
Path Finder

That was it. Thanks!

