Hello! Can anyone please lend a hand with this issue? I'm still fairly new to this and am working my way through Fundamentals 2.
Scenario:
Sophos Central antivirus clients installed on Linux and Windows.
Using a Heavy Forwarder to pull Sophos Central logs via an API into a dedicated antivirus index. These logs lack the product_version needed to populate the "Malware Operations - Clients By Product Version" dashboard panel.
I've found the data I need in two places.
A log entry in /var/log/messages which is being ingested to the unix index and looks like this:
Jul 13 03:59:37 server-name savd[5860]: update.updated: Updated to versions - SAV: 10.5.2, Engine: 3.79.0, Data: 5.85
And in a file /opt/sophos-av/engine/suiteVersion which is readable by the splunk user and contains:
10.5.2.3790.203
I used the field extractor to create a regex string that matches the log entry and extracts the product_version.
I've created a custom app with these files in it, pushed from the Deployment Server onto one host, and pushed from the Deployer to our Enterprise Security Search Head Cluster:
props.conf
[syslog]
EXTRACT-date,time,host,process_name,product_version = ^(?P<date>\w+\s+\d+)\s+(?P<time>[^ ]+)\s+(?P<host>[^ ]+)\s+(?P<process_name>\w+)(?:[^ \n]* ){6}(?P<product_version>\SAV:\s\d*\.\d*\.\d*,\sEngine:\s\d*\.\d*\.\d*,\sData:\s\d*.\d*.+)
eventtypes.conf
[product_version]
search=product_version=*
tags.conf
[eventtype=product_version]
malware = enabled
operations = enabled
When I search the unix index I can see the product_version field in the search results and the tags.
Questions:
1.) How do I copy these events into the antivirus index and is this necessary? (I'm thinking of efficiency as the cim_Malware_indexes macro contains the antivirus and firewall indexes which are much smaller than the unix index).
2.) How do I get the product_version to show in the "Clients By Product Version" panel which uses this search?
| `malware_operations_tracker(time_product_version)` | search | stats dc(dest) by product_version | sort 10 - dc(dest)
3.) Is there a better way to do this?
Any help is appreciated.
Here's how I've partially solved this for UNIX/Linux clients.
On the Indexer
props.conf
[syslog]
### Match events with sourcetype of syslog and invoke the SophosLogs stanza in transforms.conf ###
TRANSFORMS-antivirus = SophosLogs
transforms.conf
[SophosLogs]
### Look in events of sourcetype syslog specified in props.conf for the string "savd ["
REGEX=savd\[
### Select _MetaData Index field ###
DEST_KEY=_MetaData:Index
### Change the destination Index to antivirus from the original (unix) ###
FORMAT=antivirus
On the Search Head
eventtypes.conf
[sophos_central_events]
### Create an eventtype of sophos_central_events and match the field product_version with any value ###
search=product_version=*
tags.conf
### Enable malware and operations tags for eventtype sophos_central_events ###
[eventtype=sophos_central_events]
malware = enabled
operations = enabled
props.conf
[syslog]
### Match events with sourcetype of syslog and invoke the SophosLogsSH stanza in transforms.conf ###
REPORT-antivirus = SophosLogsSH
transforms.conf
[SophosLogsSH]
### Use REGEX to extract fields date, time, host, process_name, product_version ###
REGEX=^(?P<date>\w+\s+\d+)\s+(?P<time>[^ ]+)\s+(?P<host>[^ ]+)\s+(?P<process_name>\w+)(?:[^ \n]* ){6}(?P<product_version>\SAV:\s\d*\.\d*\.\d*,\sEngine:\s\d*\.\d*\.\d*,\sData:\s\d*.\d*.+)
The effect of this is that we now have any events written by the savd process to /var/log/messages being routed to the antivirus Index, rather than the UNIX Index.
The Malware datamodel can search the antivirus Index, correctly detects events with malware and operations tags. It then counts the number of hosts with a product_version field and populates the Enterprise Security dashboard with the version numbers.
The next task is to do the same for Windows clients.
Hopefully this helps someone.
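Added illustration, not code from the post above or from Splunk: a small Python model of what the two stanzas do, so the behaviour can be checked on sample lines before the app is pushed. `ROUTE_RE` mirrors the index-time `[SophosLogs]` transform (`savd\[` decides which index an event lands in), `EXTRACT_RE` is the search-time `[SophosLogsSH]` extraction with the stray `\S` before `SAV` replaced by a literal `S` and the dots in the Data version escaped, and `clients_by_product_version` reproduces the panel's `stats dc(dest) by product_version | sort 10 - dc(dest)`. The four syslog lines and the hostnames in them are constructed for the example; only the first one is copied from the thread.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample events (hostnames web01/web02/db01 are made up): two hosts on
# one SAV build, one host on an older build, and an unrelated sshd line that must
# stay in the unix index and must not yield a product_version.
SAMPLE_EVENTS = [
    "Jul 13 03:59:37 web01 savd[5860]: update.updated: Updated to versions - SAV: 10.5.2, Engine: 3.79.0, Data: 5.85",
    "Jul 13 04:12:09 web02 savd[4411]: update.updated: Updated to versions - SAV: 10.5.2, Engine: 3.79.0, Data: 5.85",
    "Jul 13 04:30:44 db01 savd[2201]: update.updated: Updated to versions - SAV: 10.5.1, Engine: 3.78.0, Data: 5.84",
    "Jul 13 04:31:00 db01 sshd[1234]: Accepted publickey for ops from 10.0.0.5 port 51234 ssh2",
]

# Index-time route: transforms.conf [SophosLogs] REGEX=savd\[ -> FORMAT=antivirus
ROUTE_RE = re.compile(r"savd\[")

# Search-time extraction: same group names as the REPORT-antivirus stanza.
# (?:[^ \n]* ){6} skips the six tokens between the process name and "SAV:"
# ("[5860]:", "update.updated:", "Updated", "to", "versions", "-").
EXTRACT_RE = re.compile(
    r"^(?P<date>\w+\s+\d+)\s+(?P<time>[^ ]+)\s+(?P<host>[^ ]+)\s+(?P<process_name>\w+)"
    r"(?:[^ \n]* ){6}"
    r"(?P<product_version>SAV:\s\d+\.\d+\.\d+,\sEngine:\s\d+\.\d+\.\d+,\sData:\s\d+\.\d+.*)$"
)


def route_index(event: str, default_index: str = "unix") -> str:
    """Index the event would be written to after the [SophosLogs] transform runs."""
    return "antivirus" if ROUTE_RE.search(event) else default_index


def extract_fields(event: str) -> Optional[Dict[str, str]]:
    """Search-time fields for one event, or None when the regex does not match."""
    m = EXTRACT_RE.match(event)
    return m.groupdict() if m else None


def clients_by_product_version(events: List[str], limit: int = 10) -> List[Tuple[str, int]]:
    """Equivalent of '| stats dc(dest) by product_version | sort <limit> - dc(dest)',
    restricted to events that the route sends to the antivirus index (dest = host)."""
    hosts_per_version = defaultdict(set)
    for ev in events:
        if route_index(ev) != "antivirus":
            continue  # stays in unix; never reaches the cim_Malware_indexes macro
        fields = extract_fields(ev)
        if fields is None:
            continue  # savd event without a version line (e.g. a scan message)
        hosts_per_version[fields["product_version"]].add(fields["host"])
    rows = [(version, len(hosts)) for version, hosts in hosts_per_version.items()]
    rows.sort(key=lambda row: (-row[1], row[0]))
    return rows[:limit]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(route_index(ev), extract_fields(ev))
    for version, count in clients_by_product_version(SAMPLE_EVENTS):
        print(f"{count:3d}  {version}")
```

Two things the model makes visible: the route fires on any savd line, so non-version savd events also move to the antivirus index and simply contribute nothing to the panel; and the `TRANSFORMS-` index route is index-time, so it only takes effect on the first full Splunk instance that parses the data (the indexer, or a heavy forwarder in front of it), which is why the search-head push alone in the original question did not move any events.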
Hi @securitypaul ,
I would try to create time based lookup from the other two indexes and then define the automatic lookup to populate the relevant Data Model fields.
https://docs.splunk.com/Documentation/Splunk/8.2.1/Knowledge/Configureatime-boundedlookup.
Thanks @efika.
Unsure how to do that exactly. I will look at the link you sent and report my progress when I can.