Hi community,
Need your help..! is there any possibility that we can create a dashboard for AV related issues or notables...?
was using the below query but could get the exact results. requesting you to help me on this to create a dashboard for AV related alerts for the servers.
| tstats summariesonly=true max(_time) AS time values(Malware_Attacks.file_name) AS fileName values(Malware_Attacks.signature) AS signature from datamodel=Malware.Malware_Attacks by Malware_Attacks.event_description, Malware_Attacks.dest Malware_Attacks.action | makemv delim="|" fileName
| makemv delim="|" signature
| rename Malware_Attacks.event_description AS event_description
| rename Malware_Attacks.dest AS dest
| rename Malware_Attacks.action as action
| regex event_description!="blocked"
| regex event_description!="deleted"
| regex event_description!="Cleaned"
| regex event_description!="handled"
| where event_description!="Exploit Prevention Files/Process/Registry violation detected" OR threat_handled!=1
| where event_description!="Infected file found, access denied" OR threat_handled!=1
| search action!=handled event_description!=DLL* event_description!="Script security violation detected, AMSI would block"
| table time event_description dest fileName signature
Thanks,
Kishore
