Seeking help to create a dashboard for Antivirus a...

mputtam · ‎11-25-2020

Hi community,

Need your help..! is there any possibility that we can create a dashboard for AV related issues or notables...?

was using the below query but could get the exact results. requesting you to help me on this to create a dashboard for AV related alerts for the servers.

| tstats summariesonly=true max(_time) AS time values(Malware_Attacks.file_name) AS fileName values(Malware_Attacks.signature) AS signature from datamodel=Malware.Malware_Attacks by Malware_Attacks.event_description, Malware_Attacks.dest Malware_Attacks.action | makemv delim="|" fileName
| makemv delim="|" signature
| rename Malware_Attacks.event_description AS event_description
| rename Malware_Attacks.dest AS dest
| rename Malware_Attacks.action as action
| regex event_description!="blocked"
| regex event_description!="deleted"
| regex event_description!="Cleaned"
| regex event_description!="handled"
| where event_description!="Exploit Prevention Files/Process/Registry violation detected" OR threat_handled!=1
| where event_description!="Infected file found, access denied" OR threat_handled!=1
| search action!=handled event_description!=DLL* event_description!="Script security violation detected, AMSI would block"
| table time event_description dest fileName signature

Thanks,

Kishore

Seeking help to create a dashboard for Antivirus alerts in splunk

lookup

other

regex

tstats

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability

Introducing the Splunk Community Dashboard Challenge!