Hi All,
We have Symantec Endpoint Protection sending logs, and it monitors both servers and user PCs. I have written the search below based on the IP subnet where our servers are. The problem is that we also have user PCs in the same subnet, so the search returns both servers and PCs. How can I get only the servers that are infected? This is the original search I wrote:
index=sep sourcetype="symantec:ep:risk:file" | search dest_ip="10.4.*.*" | stats values(signature) as multiple by dest | eventstats dc(multiple) as multiple_malware by dest | rename dest as "Target_Device", multiple as "Malware", multiple_malware as "Malware_Count"
Apart from this, I have also tried using the first three letters that the server names begin with, like the one below:
index=sep sourcetype="symantec:ep:risk:file" | search RIYS* | stats values(signature) as multiple by dest | eventstats dc(multiple) as multiple_malware by dest | rename dest as "Target_Device", multiple as "Malware", multiple_malware as "Malware_Count"
This does not yield any results. So I tried the IP together with the first three letters of the server name, but that search still gives me the PCs as well. Any suggestion on how to modify this search to get only infected servers would be of great help.
Thank you in advance
Pradeep Seetharaman
I looked at your query, and it seems the extracted field is dest, which you rename later as Target_Device. So try the following (a search filter on the required fields should be applied as early as possible):
index=sep sourcetype="symantec:ep:risk:file" dest="RIY*"| stats values(signature) as multiple by dest | eventstats dc(multiple) as multiple_malware by dest | rename dest as "Target_Device", multiple as "Malware", multiple_malware as "Malware_Count"
Hi Niketnilay,
Thanks a million, that worked like a charm.
Regards
Pradeep
Can you give field name for extracted field for system name along with couple of examples for Server Names and Desktop Names?
Hi Niketnilay,
Find below the names of the servers and the PC. The first two are servers and the last one is a PC.
    Target_Device    Malware                Malware_Count
 1  RIYSVMOD-001     WS.Reputation.1        1
 2  RIYSVNFS-001     Trojan.Gen.2           1
 3  rc-9511          Packed.Dromedan!lnk    1
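The following is an added example, not code from this thread or from Splunk. It reproduces the logic of the searches above in Python over a handful of constructed Symantec Endpoint Protection risk events so the behaviour of each filter can be seen side by side: the original subnet filter (which also keeps the PC rc-9511), the accepted answer's prefix filter on the extracted dest field, and a third option, matching dest against an asset list of known servers (in Splunk this would be a lookup), which does not depend on the hostname naming convention. The aggregation at the end mirrors stats values(signature) by dest followed by dc of those values. The sample events, IP addresses, the LDNSVDB-002 host and the KNOWN_SERVERS set are all assumptions made up for the example.

```python
"""Added example (not from the thread): three ways to restrict SEP risk events
to servers, followed by the same aggregation the Splunk search performs
(values(signature) by dest, then dc of those values as Malware_Count)."""
import fnmatch
import ipaddress
import shlex
from collections import defaultdict

# Constructed sample events in key=value form. Field names (dest, dest_ip,
# signature) follow the thread; hostnames, IPs and the extra LDNSVDB-002
# server are made up for illustration.
SAMPLE_EVENTS = [
    'dest=RIYSVMOD-001 dest_ip=10.4.1.10 signature="WS.Reputation.1"',
    'dest=RIYSVNFS-001 dest_ip=10.4.1.11 signature="Trojan.Gen.2"',
    'dest=RIYSVNFS-001 dest_ip=10.4.1.11 signature="WS.Reputation.1"',
    'dest=rc-9511 dest_ip=10.4.1.57 signature="Packed.Dromedan!lnk"',
    'dest=rc-9511 dest_ip=10.4.1.57 signature="Packed.Dromedan!lnk"',
    'dest=LDNSVDB-002 dest_ip=10.9.2.20 signature="Trojan.Gen.2"',
]

# Hypothetical asset inventory; in Splunk this would be a lookup table.
KNOWN_SERVERS = {"RIYSVMOD-001", "RIYSVNFS-001", "LDNSVDB-002"}


def parse_event(line):
    """Split one key=value event into a dict; shlex keeps quoted values whole."""
    fields = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def in_subnet(event, cidr):
    """Original approach: keep events whose dest_ip lies in the server subnet.
    Over-matches because user PCs share that subnet."""
    return ipaddress.ip_address(event["dest_ip"]) in ipaddress.ip_network(cidr)


def dest_matches(event, pattern):
    """Accepted answer: Splunk-style wildcard on the extracted dest field.
    Compared case-insensitively, as a Splunk field=value filter is."""
    return fnmatch.fnmatchcase(event["dest"].lower(), pattern.lower())


def is_known_server(event, servers):
    """Alternative: classify by an asset list rather than a naming convention."""
    return event["dest"].upper() in servers


def summarize(events):
    """Equivalent of: stats values(signature) as Malware by dest
    | eventstats dc(Malware) as Malware_Count by dest."""
    by_dest = defaultdict(set)
    for event in events:
        by_dest[event["dest"]].add(event["signature"])
    return {dest: {"Malware": sorted(sigs), "Malware_Count": len(sigs)}
            for dest, sigs in by_dest.items()}


def infected_servers(lines, method, **kw):
    """Apply the chosen filter as early as possible, then aggregate."""
    events = [parse_event(line) for line in lines]
    if method == "subnet":
        keep = [e for e in events if in_subnet(e, kw["cidr"])]
    elif method == "prefix":
        keep = [e for e in events if dest_matches(e, kw["pattern"])]
    elif method == "lookup":
        keep = [e for e in events if is_known_server(e, kw["servers"])]
    else:
        raise ValueError(f"unknown method: {method}")
    return summarize(keep)


if __name__ == "__main__":
    for method, kw in [("subnet", {"cidr": "10.4.0.0/16"}),
                       ("prefix", {"pattern": "RIY*"}),
                       ("lookup", {"servers": KNOWN_SERVERS})]:
        print(method)
        for dest, row in sorted(infected_servers(SAMPLE_EVENTS, method, **kw).items()):
            print(f"  {dest:<14} {row['Malware_Count']}  {', '.join(row['Malware'])}")
```

Running it shows the subnet filter keeping rc-9511, the RIY* prefix filter dropping it (and also dropping any server whose name does not start with RIY), and the lookup keeping exactly the inventory hosts. The prefix filter is the quick fix; maintaining a server lookup in Splunk removes the dependency on every server name following the convention.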