splunk dashboard searching

sam3655 · ‎05-12-2017

on the splunk dashboard, is there a way to search for origin/source of a malware attack?

sam3655 · ‎05-12-2017

FireEye monitors our network and catches Malware Callbacks, I'm looking for a script tell me who sent the Malware?

lloydknight · ‎05-15-2017

Not very familiar with FireEye logs but logs can be pretty straightforward at most times. If source and destination IPs are visible in the logs, and you know what specific Malware attack to look up to then it's just a matter of identifying what time it occurred.

And if the source is not available in the logs, you'll just have to index the logs that contain the source (most likely firewall and network logs) then try to correlate it with the logs that contain the Malware attack.

Regarding the script that you're asking, you mean search query?

DalJeanis · ‎05-12-2017

Yes. NO. Maybe. It depends.

It depends on what you mean by "dashboard". It depends on what kind of attack. It depends on what your organization actually puts in splunk.

So, please update your question to be VERY specific.

We experienced an ABC attack, which
had THIS effect on our
organization/network/data.

What log data would we need to have
captured in order to determine the
source of the attack? What resources
are available in the splunk platform
to help us track that down?

lloydknight · ‎05-12-2017

your question is vague.

Assuming you're indexing logs containing the Malware attack and given that you know what type of attacks were executed on a certain time, yes, you can search that malware attack.

sam3655 · ‎05-12-2017

is there a script for the search?

akocak · ‎05-12-2017

are you looking at table or raw event data?
Moreover, origin in the sense of ip look lookup? Can you share more about what do you see?

thanks

splunk dashboard searching

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk