Splunk Enterprise Security

Enterprise Security - Malware Operations - Clients By Product Version

securitypaul
Explorer

Hello! Can anyone please lend a hand with this issue? I'm still fairly new to this and am working my way through Fundamentals 2.

Scenario:

Sophos Central antivirus clients installed on Linux and Windows.

Using a Heavy Forwarder to pull Sophos Central logs via an API into a dedicated antivirus index. These logs lack the product_version needed to populate the "Malware Operations - Clients By Product Version" dashboard panel.

I've found the data I need in two places.

A log entry in /var/log/messages which is being ingested to the unix index and looks like this:

Jul 13 03:59:37 server-name savd[5860]: update.updated: Updated to versions - SAV: 10.5.2, Engine: 3.79.0, Data: 5.85

And in a file /opt/sophos-av/engine/suiteVersion which is readable by the splunk user and contains:

10.5.2.3790.203


I used the field extractor to create a regex string that matches the log entry and extracts the product_version.

I've created a custom app with these files in it, pushed from the Deployment Server onto one host, and pushed from the Deployer to our Enterprise Security Search Head Cluster:

props.conf
[syslog]
EXTRACT-date,time,host,process_name,product_version = ^(?P<date>\w+\s+\d+)\s+(?P<time>[^ ]+)\s+(?P<host>[^ ]+)\s+(?P<process_name>\w+)(?:[^ \n]* ){6}(?P<product_version>\SAV:\s\d*\.\d*\.\d*,\sEngine:\s\d*\.\d*\.\d*,\sData:\s\d*.\d*.+)

eventtypes.conf
[product_version]
search=product_version=*

tags.conf
[eventtype=product_version]
malware = enabled
operations = enabled

When I search the unix index I can see the product_version field in the search results and the tags.

Questions:

1.) How do I copy these events into the antivirus index and is this necessary? (I'm thinking of efficiency as the cim_Malware_indexes macro contains the antivirus and firewall indexes which are much smaller than the unix index).

2.) How do I get the product_version to show in the "Clients By Product Version" panel which uses this search?

| `malware_operations_tracker(time_product_version)` | search | stats dc(dest) by product_version | sort 10 - dc(dest)

3.) Is there a better way to do this?

Any help is appreciated.


securitypaul
Explorer

Here's how I've partially solved this for UNIX/Linux clients.

On the Indexer

props.conf
[syslog]
### Match events with sourcetype of syslog and invoke the SophosLogs stanza in transforms.conf ###
TRANSFORMS-antivirus = SophosLogs

transforms.conf
[SophosLogs]
### Look in events of sourcetype syslog specified in props.conf for the string "savd[" ###
REGEX=savd\[
### Select _MetaData Index field ###
DEST_KEY=_MetaData:Index
### Change the destination Index to antivirus from the original (unix) ###
FORMAT=antivirus


On the Search Head

eventtypes.conf
[sophos_central_events]
### Create an eventtype of sophos_central_events and match the field product_version with any value ###
search=product_version=*

tags.conf
### Enable malware and operations tags for eventtype sophos_central_events ###
[eventtype=sophos_central_events]
malware = enabled
operations = enabled

props.conf
[syslog]
### Match events with sourcetype of syslog and invoke the SophosLogsSH stanza in transforms.conf ###
REPORT-antivirus = SophosLogsSH

transforms.conf
[SophosLogsSH]
### Use REGEX to extract fields date, time, host, process_name, product_version ###
REGEX=^(?P<date>\w+\s+\d+)\s+(?P<time>[^ ]+)\s+(?P<host>[^ ]+)\s+(?P<process_name>\w+)(?:[^ \n]* ){6}(?P<product_version>\SAV:\s\d*\.\d*\.\d*,\sEngine:\s\d*\.\d*\.\d*,\sData:\s\d*.\d*.+)


The effect of this is that we now have any events written by the savd process to /var/log/messages being routed to the antivirus Index, rather than the UNIX Index.

The Malware data model searches the antivirus index and correctly detects events with the malware and operations tags. It then counts the number of hosts with a product_version field and populates the Enterprise Security dashboard with the version numbers.

The next task is to do the same for Windows clients.

Hopefully this helps someone.

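As an added check (not part of the original post): a small Python harness that replays the two regexes from the props.conf/transforms.conf above against the savd event from the question and two constructed, non-Sophos syslog lines. It confirms that only savd events are rerouted to the antivirus index and that product_version is extracted as expected, which is worth verifying before pushing the app from the Deployment Server, because an index-time routing regex that is too broad silently moves unrelated unix events. The sav_version helper is an assumption about how one might normalise the field; it is not something the post does.

```python
import re

# Search-time extraction regex copied from the post's [SophosLogsSH] stanza.
EXTRACT_RE = re.compile(
    r"^(?P<date>\w+\s+\d+)\s+(?P<time>[^ ]+)\s+(?P<host>[^ ]+)\s+(?P<process_name>\w+)"
    r"(?:[^ \n]* ){6}"
    r"(?P<product_version>\SAV:\s\d*\.\d*\.\d*,\sEngine:\s\d*\.\d*\.\d*,\sData:\s\d*.\d*.+)"
)

# Index-time routing regex copied from the post's [SophosLogs] stanza.
ROUTE_RE = re.compile(r"savd\[")

# Constructed sample events: the savd update line from the question plus two
# ordinary syslog lines that must remain in the unix index.
SAMPLE_EVENTS = [
    "Jul 13 03:59:37 server-name savd[5860]: update.updated: Updated to versions - SAV: 10.5.2, Engine: 3.79.0, Data: 5.85",
    "Jul 13 04:00:01 server-name CRON[5901]: (root) CMD (run-parts /etc/cron.hourly)",
    "Jul 13 04:02:10 server-name sshd[5932]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2",
]


def route_index(event: str, default_index: str = "unix") -> str:
    """Mimic the [SophosLogs] transform: events matching savd\\[ go to 'antivirus'."""
    return "antivirus" if ROUTE_RE.search(event) else default_index


def extract_fields(event: str) -> dict:
    """Mimic the [SophosLogsSH] REPORT extraction; empty dict when nothing matches."""
    m = EXTRACT_RE.match(event)
    return m.groupdict() if m else {}


def sav_version(product_version: str) -> str:
    """Assumed helper: pull the bare SAV version (e.g. '10.5.2') out of the extracted string."""
    m = re.search(r"SAV:\s(\d+\.\d+\.\d+)", product_version)
    return m.group(1) if m else ""


def simulate(events=SAMPLE_EVENTS) -> list:
    """Return (destination index, extracted fields) per event, as indexer then search head would see it."""
    return [(route_index(e), extract_fields(e)) for e in events]


if __name__ == "__main__":
    for index, fields in simulate():
        print(index, fields.get("process_name"), fields.get("product_version"))
```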

efika
Communicator

Hi @securitypaul ,

I would try to create a time-based lookup from the other two indexes and then define an automatic lookup to populate the relevant Data Model fields.

https://docs.splunk.com/Documentation/Splunk/8.2.1/Knowledge/Configureatime-boundedlookup


securitypaul
Explorer

Thanks @efika.

Unsure how to do that exactly. I will look at the link you sent and report my progress when I can.
