Dashboards and reports on Malware events in Splunk.
This App provides the following scripts:
This app provides dashboards and reports based on events from anti-malware systems. To do this, the app relies on the Splunk Common Information Model (CIM) for malware detection events. This means that the app can report on any malware/av data, as long as it has been on-boarded properly, and is available through the Malware data model.
This app requires data model acceleration, which will use additional disk space. If you are using the Splunk App for Enterprise Security, this is already enabled, and should have been factored into your retention policies. If not, you should review the documentation on data model acceleration, how it uses disk space, and how to plan for it.
As mentioned above, the app uses the CIM for malware events. The CIM allows you to take events from a number of sources or products, and report on them in one cohesive manner, using a common set of names for fields and event types.
Provides a starting point for exploring your malware detection events. Most panels will drill-down to other pages in the application.
Panels around a particular signature detected. Note that there is no normalization for the values of this field, so this will be dependent on the naming used by the vendor for the individual anti-malware products.
Panels around a malware detected on a particular destination. The destination field in the Malware data model is the system on which the malware has been detected. This dashboard also contains a panel which shows malware operations (such as signatures being updated).
Panels with reports on category of malware. As with signature names, category names are not normalized across vendors.
Reports on individual file names.
A form for finding events based on various field values.
Information about the sourcetypes which are present in the accelerated data.
A simple HTML version of this document.
Access questions and answers specific to PAVO Malware App for Splunk at https://answers.splunk.com/app/questions/4228.html . Be sure to tag your question with the App.
Support Email: email@example.com
Support Offered: Splunk Answers
Because this App runs on Splunk Enterprise, all of the Splunk Enterprise system requirements apply.
This app depends on data models included in the Splunk Common Information Model Add-on, specifically the Malware data model. Please review the information on installing and using the Splunk Common Information Model Add-on and information on configuring the acceleration on the data model.
The Splunk Common Information Model Add-on can be downloaded from Splunkbase.
This app has been tested with versions 4.9 of the CIM add-on.
In order to make the app respond and load quickly, accelerated data models are used to provide summary data. For this data to be available, the Malware data model must be accelerated. Information on how to enable acceleration for the Malware data model can be found here. The data model must be accelerated for the length of time for which you would like to see reporting.
Splunk Common Information Model add-on Malware data model https://docs.splunk.com/Documentation/CIM/latest/user/Malware
Reminder: This app should be installed on a search head where the Malware data model has been accelerated. More information on installing or upgrading Splunk apps can be found here.
Download PAVO Malware App for Splunk at https://splunkbase.splunk.com/app/4228.
Make sure the field extractions and tags on your malware events are correct.
Install the Splunk Common Information Model Add-on (skip if you are installing on an ES search head).
Install the PAVO Malware App for Splunk for Splunk.
Enable accelerations on the Malware data model (skip if you are installing on an ES search head).
Wait for the accelerations to start. After the acceleration searches have run, you should start seeing the dashboards populate
Follow these steps to install the app in a single server instance of Splunk Enterprise:
Deploy as you would any App, and restart Splunk.
PAVO Malware App for Splunk contains the following lookup files.
PAVO Malware App for Splunk does not include an event generator.
Summary Indexing: No
Data Model Acceleration: If Enabled
Report Acceleration: No
Version 1.0.2 of PAVO Malware App for Splunk incorporates the following Third-party software or third-party services.
Version 1.0.2 of PAVO Malware App for Splunk has the following known issues:
Update dashboard titles
Documentation and Rename
Splunk AppInspect evaluates Splunk apps against a set of Splunk-defined criteria to assess the validity and security of an app package and components.
As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.