Splunk Enterprise Security

Enterprise Security - Malware Operations - Clients By Product Version


Hello! Can anyone please lend a hand with this issue? I'm still fairly new to this and am working my way through Fundamentals 2.


Sophos Central antivirus clients installed on Linux and Windows.

Using a Heavy Forwarder to pull Sophos Central logs via an API into a dedicated antivirus index. These logs lack the product_version needed to populate the "Malware Operations - Clients By Product Version" dashboard panel.

I've found the data I need in two places.

A log entry in /var/log/messages which is being ingested to the unix index and looks like this:

Jul 13 03:59:37 server-name savd[5860]: update.updated: Updated to versions - SAV: 10.5.2, Engine: 3.79.0, Data: 5.85

And in a file /opt/sophos-av/engine/suiteVersion which is readable by the splunk user and contains:


I used the field extractor to create a regex string that matches the log entry and extracts the product_version.

I've created a custom app with these files in it, pushed from the Deployment Server onto one host, and pushed from the Deployer to our Enterprise Security Search Head Cluster:

EXTRACT-date,time,host,process_name,product_version = ^(?P<date>\w+\s+\d+)\s+(?P<time>[^ ]+)\s+(?P<host>[^ ]+)\s+(?P<process_name>\w+)(?:[^ \n]* ){6}(?P<product_version>\SAV:\s\d*\.\d*\.\d*,\sEngine:\s\d*\.\d*\.\d*,\sData:\s\d*.\d*.+)


malware = enabled
operations = enabled

When I search the unix index I can see the product_version field in the search results and the tags.


1.) How do I copy these events into the antivirus index and is this necessary? (I'm thinking of efficiency as the cim_Malware_indexes macro contains the antivirus and firewall indexes which are much smaller than the unix index).

2.) How do I get the product_version to show in the "Clients By Product Version" panel which uses this search?

| `malware_operations_tracker(time_product_version)` | search | stats dc(dest) by product_version | sort 10 - dc(dest)

3.) Is there a better way to do this?

Any help is appreciated.

Labels (1)
0 Karma


Here's how I've partially solved this for UNIX/Linux clients.

On the Indexer

### Match events with sourcetype of syslog and invoke the SophosLogs stanza in transforms.conf ###
TRANSFORMS-antivirus = SophosLogs

### Look in events of sourcetype syslog specified in props.conf for the string "savd ["
### Select _MetaData Index field ###
### Change the destination Index to antivirus from the original (unix) ###

On the Search Head

### Create an eventtype of sophos_central_events and match the field product_version with any value ###

### Enable malware and operations tags for eventtype sophos_central_events ###
malware = enabled
operations = enabled

### Match events with sourcetype of syslog and invoke the SophosLogsSH stanza in transforms.conf ###
REPORT-antivirus = SophosLogsSH

### Use REGEX to extract fields date, time, host, process_name, product_version ###
REGEX=^(?P<date>\w+\s+\d+)\s+(?P<time>[^ ]+)\s+(?P<host>[^ ]+)\s+(?P<process_name>\w+)(?:[^ \n]* ){6}(?P<product_version>\SAV:\s\d*\.\d*\.\d*,\sEngine:\s\

The effect of this is that we now have any events written by the savd process to /var/log/messages being routed to the antivirus Index, rather than the UNIX Index.

The Malware datamodel can search the antivirus Index, correctly detects events with malware and operations tags. It then counts the number of hosts with a product_version field and populates the Enterprise Security dashboard with the version numbers.

The next task is to do the same for Windows clients.

Hopefully this helps someone.

0 Karma


Hi @securitypaul ,

I would try to create time based lookup from the other two indexes and then define the automatic lookup to populate the relevant Data Model fields.






Thanks @efika.

Unsure how to do that exactly. I will look at the link you sent and report my progress when I can.

0 Karma
Get Updates on the Splunk Community!

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...

Reminder! Splunk Love Promo: $25 Visa Gift Card for Your Honest SOAR Review With ...

We recently launched our first Splunk Love Special, and it's gone phenomenally well, so we're doing it again, ...