Splunk Lantern

Antivirus and antimalware data

 

The weakest link in corporate security is an individual, and antivirus is one way to protect employees from performing inadvertently harmful actions. Whether it’s clicking on an untrustworthy web link, downloading malicious software or opening a booby-trapped document (often one sent to them by an unsuspecting colleague), antivirus can often prevent, mitigate or reverse the damage. So-called advanced persistent threats (APTs) often enter through a single compromised machine attached to a trusted network.

Antivirus and antimalware solutions provide malware discovery and quarantine activities on endpoints such as workstations, business servers, virtual desktops, and mobile devices. They look for specific files and behaviors that indicate the presence or attempted installation of malicious software (for example, Trojans, worms, ransomware, spyware, rootkits, and viruses). Antivirus and antimalware products help prevent, detect, and quarantine or remove malicious software that has been downloaded and activated. In the Common Information Model (CIM), antivirus data is typically mapped to the Malware data model and the Endpoint data model.
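As an added example (not from the original page), the following search uses the CIM Malware data model described above to surface endpoints where antivirus detected malware more than once but reported the action as `allowed` rather than `blocked`, which is the case an analyst most wants to triage. It assumes the antivirus add-on tags its events into the Malware data model with the standard `Malware_Attacks` fields (`action`, `dest`, `signature`, `file_path`); data model acceleration is not required.

```spl
| tstats count, min(_time) as first_seen, max(_time) as last_seen
    from datamodel=Malware.Malware_Attacks
    where Malware_Attacks.action="allowed"
    by Malware_Attacks.dest, Malware_Attacks.signature, Malware_Attacks.file_path
| rename Malware_Attacks.* as *
| where count > 1
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"),
       last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - count
| table dest, signature, file_path, count, first_seen, last_seen
```

Change the `action` filter to `"blocked"` to review what the product already contained, or drop the `where count > 1` line to see single detections as well.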

Before looking at documentation for specific data sources, review the Splunk Docs information on general data ingestion: 

Use cases for Splunk security products