
Splunk Lantern

Antivirus data


The weakest link in corporate security is an individual, and antivirus is one way to protect employees from performing inadvertently harmful actions. Whether it’s clicking on an untrustworthy web link, downloading malicious software, or opening a booby-trapped document (often one sent to them by an unsuspecting colleague), antivirus can often prevent, mitigate, or reverse the damage. So-called advanced persistent threats (APTs) often enter through a single compromised machine attached to a trusted network. Antivirus logs support the analysis of malware and vulnerabilities on hosts, laptops, and servers, and they can be used to monitor for suspicious file paths. While not perfect, antivirus software can recognize and thwart common attack methods before they can spread. In the Common Information Model (CIM), antivirus data is typically mapped to the Malware data model and the Endpoint data model.
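As an added example (not part of this Splunk Lantern page), the search below shows how CIM-normalized antivirus data in the Malware data model can be used to monitor for the suspicious file paths mentioned above. It assumes the data model is accelerated (required for `summariesonly=true`) and that the antivirus add-on populates the standard `Malware_Attacks` fields `dest`, `signature`, `file_path`, and `action`. The list of "suspicious" directories is an illustrative assumption; tune it to your environment.

```spl
| tstats summariesonly=true count, min(_time) AS first_seen, max(_time) AS last_seen
    FROM datamodel=Malware.Malware_Attacks
    WHERE Malware_Attacks.action=allowed
    BY Malware_Attacks.dest, Malware_Attacks.signature, Malware_Attacks.file_path
| rename Malware_Attacks.* AS *
`comment("Keep only detections where the antivirus engine did NOT block the file; these need analyst follow-up")`
`comment("Assumed watch list of directories commonly abused for staging; adjust for your estate")`
| search file_path="*\\Temp\\*" OR file_path="*\\Users\\Public\\*" OR file_path="*\\ProgramData\\*"
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"),
       last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - count
| table dest signature file_path count first_seen last_seen
```

Filtering on `action=allowed` separates detections that were only logged from those the antivirus already blocked, which is the subset that usually warrants incident-response attention. Dropping `summariesonly=true` makes the search work against non-accelerated data at the cost of speed.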

Before looking at documentation for specific data sources, review the Splunk Docs information on general data ingestion: 
