
This example leverages the Simple Search search assistant. Always hard-code your sourcetypes and indexes rather than using index=* in searches. If you did not follow the data onboarding guide, make sure that your sourcetypes and indexes match. If you are using Symantec AV and followed the data onboarding guide, this should work automatically. Many anti-virus products provide insufficient logging to show when definitions are updated (often they log only when malware is found), so this particular search usually finds most of its success with Symantec AV.

When this fires, look on the host to see why the anti-virus isn't updating. If you don't see an obvious reason (e.g., a specific and logical error such as a network or permissions failure), it may be worth investigating that host for other suspicious events to rule out an infection.
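The logic this search expresses (hosts whose definition updates keep failing, with the failure reason surfaced so an analyst can tell a plain network or permissions problem from something worth investigating) is shown below as an added Python example. It is not the page's own search and not Symantec or Splunk code: the log format, field names (`host`, `event`, `status`, `reason`), sample events and thresholds are all constructed for illustration, and a real deployment would read the AV agent's own sourcetype instead.

```python
"""Flag hosts whose anti-virus definition updates keep failing.

Added example: the key=value log format below is a constructed, simplified
stand-in for an AV agent's update/system log, not a real sourcetype.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample events (not real Symantec output). One event per line:
#   <ISO timestamp> host=<name> event=<DefinitionUpdate|ScanComplete> status=<ok|failed> [reason="..."]
SAMPLE_LOG = """\
2024-03-01T08:00:00 host=ws-101 event=DefinitionUpdate status=ok
2024-03-02T08:00:00 host=ws-101 event=DefinitionUpdate status=failed reason="Update server unreachable"
2024-03-03T08:00:00 host=ws-101 event=DefinitionUpdate status=failed reason="Update server unreachable"
2024-03-04T08:00:00 host=ws-101 event=DefinitionUpdate status=failed reason="Update server unreachable"
2024-03-01T08:00:00 host=ws-102 event=DefinitionUpdate status=ok
2024-03-04T08:00:00 host=ws-102 event=DefinitionUpdate status=ok
2024-03-01T08:00:00 host=ws-103 event=DefinitionUpdate status=ok
2024-03-02T09:00:00 host=ws-103 event=DefinitionUpdate status=failed reason="Access denied writing definition directory"
2024-03-03T09:00:00 host=ws-103 event=DefinitionUpdate status=failed reason="Access denied writing definition directory"
2024-03-04T09:00:00 host=ws-103 event=DefinitionUpdate status=failed reason="Access denied writing definition directory"
2024-03-04T10:00:00 host=ws-103 event=ScanComplete status=ok
"""

# Constructed "current time" used when judging how stale a host's last good update is.
NOW = datetime(2024, 3, 4, 12, 0, 0)

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) status=(?P<status>\S+)'
    r'(?: reason="(?P<reason>[^"]*)")?$'
)


def parse(log_text):
    """Parse the constructed log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        events.append(d)
    return events


def find_update_failures(events, now, min_consecutive_failures=3, max_age=timedelta(days=2)):
    """Return {host: finding} for hosts whose definition updates are failing.

    A host is flagged when its most recent update attempts are at least
    `min_consecutive_failures` failures in a row, or when its last successful
    update is older than `max_age`. The latest failure reason is kept so an
    analyst can decide whether it is a specific, logical error (network, disk
    permissions) before treating the host as possibly compromised.
    """
    by_host = defaultdict(list)
    for e in events:
        if e["event"] == "DefinitionUpdate":   # scan results etc. are not update evidence
            by_host[e["host"]].append(e)

    findings = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        last_ok = max((e["ts"] for e in evs if e["status"] == "ok"), default=None)
        streak = 0                              # trailing run of failed attempts
        for e in reversed(evs):
            if e["status"] != "failed":
                break
            streak += 1
        stale = last_ok is None or now - last_ok > max_age
        if streak >= min_consecutive_failures or stale:
            last_failed = next((e for e in reversed(evs) if e["status"] == "failed"), None)
            findings[host] = {
                "consecutive_failures": streak,
                "last_success": last_ok,
                "reason": last_failed["reason"] if last_failed else None,
            }
    return findings


def run_sample():
    """Run the detection over the constructed sample log at the constructed NOW."""
    return find_update_failures(parse(SAMPLE_LOG), NOW)


if __name__ == "__main__":
    for host, finding in sorted(run_sample().items()):
        print(host, finding)
```

On the sample data, ws-101 and ws-103 are flagged (three failed attempts in a row, last success more than two days old) while ws-102 is not; the `reason` field is what the analyst looks at first, since a clear "server unreachable" or "access denied" message points at a configuration problem rather than an infection.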
