Splunk Enterprise Security

How to use "nodename" in tstats

nb1030
New Member

In the default ES data model "Malware", the "tag" field is extracted for the parent "Malware_Attacks", but it does not contain any values (not even the default "malware" or "attack" used in the "Constraints". They are, however, found in the "tag" field under the children "Allowed_Malware", "Blocked_Malware", and "Quarantined_Malware". In IR, there is a correlation search ("Host With A Recurring Malware Infection"). I created an event type and tag for tagging certain software as "approved_software". It is working and showing in the "tag" field under the 3 children above. The correlation search does not work with calling out the field "Malware_Attacks.tag" as there are no values in this field. I am trying to use "nodename" to call all three of the above children datasets, but I am not sure how to call the individual field "tag" in each of them. Below is the furthest I have gotten where the search works. How do I call the individual fields (i.e. "Allowed_Malware.tag", or "Blocked_Malware.tag") so I can exclude those with a tag "approved_software"?

| tstats summariesonly=true allow_old_summaries=true dc(Malware_Attacks.date) as "day_count",count from datamodel=Malware.Malware_Attacks where nodename=Malware_Attacks.Allowed_Malware by "Malware_Attacks.dest","Malware_Attacks.signature"

0 Karma

muralimadhavan
Explorer

Try this

| tstats summariesonly=true allow_old_summaries=true dc(Malware_Attacks.date) as "day_count",count from datamodel=Malware.Malware_Attacks where nodename=* by nodename "Malware_Attacks.dest","Malware_Attacks.signature" | search nodename!=Malware_Attacks.Allowed_Malware

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...