Re: Creating search for malware infection

ewonn · ‎04-10-2020

Hi guys,
The team has created this search To Alerts when a host has an infection that has been re-infected remove multiple times over multiple days.

but we are not sure what we could do to get better results because alerts are coming a lot when we did this :

| tstats summariesonly=true allow_old_summaries=true dc(Malware_Attacks.date) as "day_count",count from datamodel="Malware"."Malware_Attacks" by "Malware_Attacks.dest","Malware_Attacks.signature","Malware_Attacks.action" | rename "Malware_Attacks.dest" as "dest","Malware_Attacks.signature" as "signature","Malware_Attacks.action" as action | where 'day_count'>5 | fields dest signature action day_count count | search signature!=unknown

Also do u guys know if the last pipe will break the search since it is a data model search

ewonn · ‎04-10-2020

Yes, Do u know if the last pipe will break the search since it is a data model search ?

DalJeanis · ‎04-10-2020

Are you looking for the value "unknown"? If so, put quotes around it.

ewonn · ‎04-10-2020

Yes, do u know if the last pipe will break the search since it is a data model search

Creating search for malware infection

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation