Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why is the Splunk Enterprise Security Malware Center not displaying infection counts?

daniel333
Builder
‎03-02-2017 06:32 PM

All,

I have installed Splunk Enterprise Security (ES) and the Clam AV apps. Searching tag=malware tag=attack works, bringing up the expected event. I can even see it in the visualizations. But I am not seeing it the host itself showing as infected. Any idea why? Very new to ES so I am not sure where to start on troubleshooting this.

alt text

Preview file
1 KB
0 Karma
Reply

bcyates
Communicator
‎08-23-2018 02:36 PM

Those two indicators at the top look for 'action=allowed.' Your action is deferred so it does not match the search that the Key Indicators are looking for

0 Karma
Reply

adayton20
Contributor
‎03-03-2017 03:33 AM

A few things I noticed from your picture. I'm purely speculating because I don't know what those underlying searches look like.

Did you check the date and time of that event in comparison to the time you were searching for it?
Did you check whether the TZ and/or timestamp settings are correct for both the host you used the Eicar test file on, and the indexer?

I looked at the time chart dates and times in your picture, and compared that to the time you posted. It looks as if that event might have a time stamp in the future. Not sure what time zone you're in, but I've run into an issue before where an appliance had the incorrect system time set for events, and events were showing up in Splunk in the future. I also noticed something similar with my case that you also did; the events show up in a time chart, but not in a single value count or any adhoc search that specified a particular time range that wasn't all time.

If that isn't the case, I could take a look at the searches for you?

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...