Searching for Kaspersky Scan Engine events in Splunk

Searching for object scan results

To display events containing object scan results,

Use the following search query:

source="scanengine" "Scan result" msg=*scan* | eval cs2=coalesce(cs2,"-") | rename cs1 as "Scan Result", cs2 as "Virus Name", fname as "Object", src as "Source Address", fileHash as "Object Hashsum" |table _time, "Object Hashsum",Object,"Scan Result","Virus Name","Source Address"

Kaspersky Scan Engine objects scan search form and search results.

Searching for object scan results

Searching for URL check results

To display events containing URL check results,

Use the following search query:

source="scanengine" "Scan result" msg=URL* | rename cs1 as "Scan Result", request as "Scanned URL", src as "Source Address" | table _time, "Scanned URL", "Scan Result", "Source Address"

Kaspersky Scan Engine URL check search form and search results.

Searching for URL check results

Page top