Splunk Search

How to modify the below search so I can get only servers which are infected?

seetharamanPr
New Member

Hi All,

We have Symantec Endpoint Protection sending logs, and it is monitoring both servers and user PCs. I have written this search based on the IP subnet where our servers are present. The problem with this is that we also have user PCs in the same subnet, and with the search that I have written I am getting both servers and PCs. How can I get only servers which are infected? Below is the original search that I have written:

index=sep sourcetype="symantec:ep:risk:file" | search dest_ip="10.4.." | stats values(signature) as multiple by dest | eventstats dc(multiple) as multiple_malware by dest | rename dest as "Target_Device", multiple as "Malware", multiple_malware as "Malware_Count"

Apart from this I have also tried to use the first three letters with which the server names begin, like the one below:

index=sep sourcetype="symantec:ep:risk:file" | search RIYS* | stats values(signature) as multiple by dest | eventstats dc(multiple) as multiple_malware by dest | rename dest as "Target_Device", multiple as "Malware", multiple_malware as "Malware_Count"

This does not yield any results. So I tried with the IP and the first three letters of the server name, but that search still gives me the PCs as well. Any suggestion on how to modify this search to get only infected servers would be of great help.

Thank you in advance
Pradeep Seetharaman


niketn
Legend

I looked at your query and it seems the extracted field is dest, which you rename later as Target_Device. So, try the following (a search filter on required fields should be applied as early as possible):

index=sep sourcetype="symantec:ep:risk:file" dest="RIY*"| stats values(signature) as multiple by dest | eventstats dc(multiple) as multiple_malware by dest | rename dest as "Target_Device", multiple as "Malware", multiple_malware as "Malware_Count"

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

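An added example, not from the thread: instead of relying on the RIY name prefix, drive the filter from a server inventory lookup so that PCs sharing the subnet are excluded regardless of how they are named. It assumes a hypothetical lookup file server_assets.csv with a host column listing server hostnames exactly as they appear in dest.

```spl
index=sep sourcetype="symantec:ep:risk:file"
    [| inputlookup server_assets.csv
     | fields host
     | rename host AS dest ]
| stats values(signature) AS Malware, dc(signature) AS Malware_Count BY dest
| rename dest AS Target_Device
| sort - Malware_Count
```

The subsearch expands to an OR of dest= terms in the base search, so the filtering still happens before stats; with dc(signature) computed in the same stats call the separate eventstats pass is no longer needed. Subsearch results are capped at the limits.conf maxout setting (10,000 by default), which bounds the inventory size this pattern handles.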


seetharamanPr
New Member

Hi Niketnilay,

Thanks a million, that worked like a charm.

Regards
Pradeep


niketn
Legend

Can you give the field name of the extracted field for the system name, along with a couple of examples of server names and desktop names?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

seetharamanPr
New Member

Hi Niketnilay,

Find below the names of the servers and the PC. The first two are servers and the last one is a PC.

Target_Device   Malware              Malware_Count
RIYSVMOD-001    WS.Reputation.1      1
RIYSVNFS-001    Trojan.Gen.2         1
rc-9511         Packed.Dromedan!lnk  1
