Splunk Search

How to modify the below search so I can get only servers which are infected ?

seetharamanPr
New Member

Hi All,

We have our Symantec Endpoint Protection sending logs, and it is monitoring both servers and user PCs. I have written this search based on the IP subnet where our servers are present. The problem with this is that we also have user PCs in the same subnet, so with the search I have written I am getting both servers and PCs. How can I get only the servers which are infected? Below is the original search that I have written:

index=sep sourcetype="symantec:ep:risk:file" | search dest_ip="10.4.." | stats values(signature) as multiple by dest | eventstats dc(multiple) as multiple_malware by dest | rename dest as "Target_Device", multiple as "Malware", multiple_malware as "Malware_Count"

Apart from this I have also tried to use the first 3 letters with which the servers begin, like the one below:

index=sep sourcetype="symantec:ep:risk:file" | search RIYS* | stats values(signature) as multiple by dest | eventstats dc(multiple) as multiple_malware by dest | rename dest as "Target_Device", multiple as "Malware", multiple_malware as "Malware_Count"

This does not yield any results. So I tried with the IP and the first three letters of the server name, but that search still gives me the PCs as well. Any suggestion on how to modify this search to get only infected servers would be of great help.

Thank you in advance
Pradeep Seetharaman

0 Karma
1 Solution

niketn
Legend

Looked at your query, and it seems like the extracted field is dest, which you rename later as Target_Device. So, try the following (a search filter on required fields should be applied as early as possible):

index=sep sourcetype="symantec:ep:risk:file" dest="RIY*" | stats values(signature) as multiple by dest | eventstats dc(multiple) as multiple_malware by dest | rename dest as "Target_Device", multiple as "Malware", multiple_malware as "Malware_Count"

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

0 Karma
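An added example, not from the thread, that builds on the accepted search: it tags each dest as server or workstation from the hostname prefix, keeps only the servers, and computes the distinct-malware count in the same stats pass instead of a separate eventstats. The RIYS server prefix and the rc- workstation prefix are assumed from the sample names posted later in the thread; adjust the case() branches to your own naming convention.

```spl
index=sep sourcetype="symantec:ep:risk:file" dest="RIY*" OR dest="rc-*"
| eval device_type=case(
    match(dest, "(?i)^RIYS"), "server",
    match(dest, "(?i)^rc-"),  "workstation",
    true(),                   "unknown")
| where device_type="server"
| stats values(signature) as Malware,
        dc(signature)     as Malware_Count,
        count             as Detections,
        latest(_time)     as Last_Seen
        by dest
| eval Last_Seen=strftime(Last_Seen, "%Y-%m-%d %H:%M:%S")
| rename dest as Target_Device
| sort - Malware_Count, - Detections
```

Dropping the `where` line and adding device_type to the `by` clause gives the same report split by servers and workstations, which is useful for checking that the prefixes classify every host as expected.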


seetharamanPr
New Member

Hi Niketnilay,

Thanks a million, that worked like a charm.

Regards
Pradeep

0 Karma

niketn
Legend

Can you give the field name of the extracted field for the system name, along with a couple of examples of server names and desktop names?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

seetharamanPr
New Member

Hi Niketnilay,

Find below the names of the servers and the PC. The first two are servers and the last one is a PC.

    Target_Device   Malware               Malware_Count
    -------------   -------------------   -------------
1   RIYSVMOD-001    WS.Reputation.1       1
2   RIYSVNFS-001    Trojan.Gen.2          1
3   rc-9511         Packed.Dromedan!lnk   1

0 Karma