Seeking help to create a dashboard for Antivirus a...

mputtam · ‎11-25-2020

Hi community,

Need your help..! is there any possibility that we can create a dashboard for AV related issues or notables...?

was using the below query but could get the exact results. requesting you to help me on this to create a dashboard for AV related alerts for the servers.

| tstats summariesonly=true max(_time) AS time values(Malware_Attacks.file_name) AS fileName values(Malware_Attacks.signature) AS signature from datamodel=Malware.Malware_Attacks by Malware_Attacks.event_description, Malware_Attacks.dest Malware_Attacks.action | makemv delim="|" fileName
| makemv delim="|" signature
| rename Malware_Attacks.event_description AS event_description
| rename Malware_Attacks.dest AS dest
| rename Malware_Attacks.action as action
| regex event_description!="blocked"
| regex event_description!="deleted"
| regex event_description!="Cleaned"
| regex event_description!="handled"
| where event_description!="Exploit Prevention Files/Process/Registry violation detected" OR threat_handled!=1
| where event_description!="Infected file found, access denied" OR threat_handled!=1
| search action!=handled event_description!=DLL* event_description!="Script security violation detected, AMSI would block"
| table time event_description dest fileName signature

Thanks,

Kishore

Seeking help to create a dashboard for Antivirus alerts in splunk

lookup

regex

tstats

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers

Are you a member of the Splunk Community?