How to search for hosts with an issue where a type...

shellnight · ‎11-24-2014

Need to find hosts where an event of a type was not followed by event of another type within an hour

I need to find hosts where virus infection was detected and it failed to perform any action, where "None" is not followed up by of the other events " Blocked OR removed OR quarantined" in 1 hour

Fields available are

ComputerName=
VirusName= 
Action Taken=

Sample log

10/11/2014 20:01 : ComputerName=test1 VirusName=conficker  ActionTaken=None 
10/11/2014 20:02 "ComputerName=test1 VirusName=conficker  ActionTaken=blocked 
10/11/2014 22:01 : ComputerName=test20 VirusName=conficker  ActionTaken=None
10/11/2014 20:01 : ComputerName=test30 VirusName=conficker  ActionTaken=None 
10/11/2014 20:02 "ComputerName=test30 VirusName=conficker  ActionTaken=removed

As you can seen above, no action was taken by antivirus on Computer test20. I need to write a search query to create a report or dashboard to find any such machine.

Any pointers in the right direction would be appreciated

somesoni2 · ‎11-24-2014

Give this a try

your base search | transaction maxspan=60m startswith="ActionTaken=None" keeporphans=t  | where mvcount(ActionTaken) =1 AND mvindex(ActionTaken,0)="None"

shellnight · ‎12-11-2014

Hello there

can you please check if there is something wrong in the syntax

ppablo · ‎12-29-2014

Hi @shellnight

@somesoni2 updated the query. can you confirm whether or not this worked for you?

somesoni2 · ‎12-17-2014

I updated the query. Please check back.

shellnight · ‎12-10-2014

Error in 'where' command: The arguments to the 'isnull' function are invalid.

somesoni2 · ‎11-28-2014

I hope you're saying you want to INCLUDE events where final "Action Taken" is "Partly Remove" OR "Unkonwn", so try this one.

your base search | transaction maxspan=60m startswith="ActionTaken=None" keeporphans=t  | where isnull(mvfind(ActionTaken,"removed")) OR isnull(mvfind(ActionTaken,"blocked"))

Basically add all the ActionTaken your want to exclude in the where clause

shellnight · ‎11-28-2014

Hello please can you provide update

ppablo · ‎12-02-2014

Hi @shellnight

@somesoni2 responded to the thread above with an update. Can you respond to that as a comment to confirm whether or not that updated search solves your requirement?

shellnight · ‎11-28-2014

Hello somesoni2 can you update the query to exclude the events where actiontaken is either partly removed or Unknown so that they show up in search

your base search | transaction maxspan=60m startswith="ActionTaken=None" keeporphans=t | where mvcount(ActionTaken) =1 AND mvindex(ActionTaken,0)="None"

shellnight · ‎11-24-2014

thank you very much 🙂

It works fine

shellnight · ‎11-24-2014

please can someone help

shellnight · ‎11-24-2014

The search ran for logs of a 1 month period with no errors but failed to retrieve any results

One machine had 3 occurrences of action taken= none and wasnt followed by any removal actions

10/11/2014 20:01 : ComputerName=test1 VirusName=conficker ActionTaken=None 
10/11/2014 20:02 "ComputerName=test1 VirusName=conficker ActionTaken=None 
10/11/2014 20:03 : ComputerName=test1 VirusName=conficker ActionTaken=None

felipetesta · ‎11-24-2014

Would it work?

<your search here> | transaction maxspan=70m ComputerName startswith="ActionTaken=None" keepevicted=f | search NOT Blocked NOT removed NOT quarantined | table ComputerName, VirusName

hagjos43 · ‎11-24-2014

What Antivirus software are you using?

How to search for hosts with an issue where a type of event was not followed by another type within an hour?

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!