Splunk Enterprise Security

Enterprise Security - Malware Operations - Clients By Product Version


Hello! Can anyone please lend a hand with this issue? I'm still fairly new to this and am working my way through Fundamentals 2.


Sophos Central antivirus clients installed on Linux and Windows.

Using a Heavy Forwarder to pull Sophos Central logs via an API into a dedicated antivirus index. These logs lack the product_version needed to populate the "Malware Operations - Clients By Product Version" dashboard panel.

I've found the data I need in two places.

A log entry in /var/log/messages which is being ingested to the unix index and looks like this:

Jul 13 03:59:37 server-name savd[5860]: update.updated: Updated to versions - SAV: 10.5.2, Engine: 3.79.0, Data: 5.85

And in a file /opt/sophos-av/engine/suiteVersion which is readable by the splunk user and contains:


I used the field extractor to create a regex string that matches the log entry and extracts the product_version.

I've created a custom app with these files in it, pushed from the Deployment Server onto one host, and pushed from the Deployer to our Enterprise Security Search Head Cluster:

EXTRACT-date,time,host,process_name,product_version = ^(?P<date>\w+\s+\d+)\s+(?P<time>[^ ]+)\s+(?P<host>[^ ]+)\s+(?P<process_name>\w+)(?:[^ \n]* ){6}(?P<product_version>\SAV:\s\d*\.\d*\.\d*,\sEngine:\s\d*\.\d*\.\d*,\sData:\s\d*.\d*.+)


malware = enabled
operations = enabled

When I search the unix index I can see the product_version field in the search results and the tags.


1.) How do I copy these events into the antivirus index and is this necessary? (I'm thinking of efficiency as the cim_Malware_indexes macro contains the antivirus and firewall indexes which are much smaller than the unix index).

2.) How do I get the product_version to show in the "Clients By Product Version" panel which uses this search?

| `malware_operations_tracker(time_product_version)` | search | stats dc(dest) by product_version | sort 10 - dc(dest)

3.) Is there a better way to do this?

Any help is appreciated.

Labels (1)
0 Karma


Here's how I've partially solved this for UNIX/Linux clients.

On the Indexer

### Match events with sourcetype of syslog and invoke the SophosLogs stanza in transforms.conf ###
TRANSFORMS-antivirus = SophosLogs

### Look in events of sourcetype syslog specified in props.conf for the string "savd ["
### Select _MetaData Index field ###
### Change the destination Index to antivirus from the original (unix) ###

On the Search Head

### Create an eventtype of sophos_central_events and match the field product_version with any value ###

### Enable malware and operations tags for eventtype sophos_central_events ###
malware = enabled
operations = enabled

### Match events with sourcetype of syslog and invoke the SophosLogsSH stanza in transforms.conf ###
REPORT-antivirus = SophosLogsSH

### Use REGEX to extract fields date, time, host, process_name, product_version ###
REGEX=^(?P<date>\w+\s+\d+)\s+(?P<time>[^ ]+)\s+(?P<host>[^ ]+)\s+(?P<process_name>\w+)(?:[^ \n]* ){6}(?P<product_version>\SAV:\s\d*\.\d*\.\d*,\sEngine:\s\

The effect of this is that we now have any events written by the savd process to /var/log/messages being routed to the antivirus Index, rather than the UNIX Index.

The Malware datamodel can search the antivirus Index, correctly detects events with malware and operations tags. It then counts the number of hosts with a product_version field and populates the Enterprise Security dashboard with the version numbers.

The next task is to do the same for Windows clients.

Hopefully this helps someone.

0 Karma


Hi @securitypaul ,

I would try to create time based lookup from the other two indexes and then define the automatic lookup to populate the relevant Data Model fields.






Thanks @efika.

Unsure how to do that exactly. I will look at the link you sent and report my progress when I can.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...