Solved: Malware_attacks dataset is not showing event under...

rashid47010 · ‎05-18-2019

Dear Experts,

there are no events for "Malware"."Malware_attacks".

tags and eventtypes seems fine
but there are no events when I select
tag=malware in the search.

how can I troubleshoot Malware Datamodel issue.

koshyk · ‎05-21-2019

Ok, there are few moving parts for displaying the tags

Splunk CIM => https://docs.splunk.com/Documentation/CIM/4.13.0/User/Malware
The Addon/TA which contains logic to extract the tags
Your data/sourcetype

You need all of the above for the tag to show properly. So inorder to debug
a. Ensure your data/sourcetype contains malware type of events. Check if this sourcetype is used by the relevant Addon/TA
b. Go into the TA and check for props.conf, transforms.conf, eventtypes.conf & tags.conf. See if they are extracting properly from your data. Test this in DEV
c. If (a) and (b) is all good, then ensure your CIM app/addon is correct version.
d. Check for datamodels and its acceleration

View solution in original post

koshyk · ‎05-21-2019

Ok, there are few moving parts for displaying the tags

Splunk CIM => https://docs.splunk.com/Documentation/CIM/4.13.0/User/Malware
The Addon/TA which contains logic to extract the tags
Your data/sourcetype

You need all of the above for the tag to show properly. So inorder to debug
a. Ensure your data/sourcetype contains malware type of events. Check if this sourcetype is used by the relevant Addon/TA
b. Go into the TA and check for props.conf, transforms.conf, eventtypes.conf & tags.conf. See if they are extracting properly from your data. Test this in DEV
c. If (a) and (b) is all good, then ensure your CIM app/addon is correct version.
d. Check for datamodels and its acceleration

Malware_attacks dataset is not showing event under Malware Datamodel

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector

Adoption of Infrastructure Monitoring at Splunk