topic Re: Ransomware in Splunk Search

How to detect Ransomware using splunk?

Gauri001 — Mon, 13 Jun 2022 17:41:20 GMT

Q): How to detect ransomware using Splunk?, please give query also to create alert in ransomware,

Re: Ransomware

richgalloway — Sat, 11 Jun 2022 17:52:59 GMT

Splunk doesn't detect ransomware directly. Instead, it detects behaviors that could indicate the presence of ransomware, such as a sudden increase in file writes (as when files are encrypted) or filename extensions commonly used by ransomware.

Install the Splunk Security Essentials app and search for "ransomware" to find suggested queries.

Re: Ransomware

PickleRick — Sat, 11 Jun 2022 20:07:30 GMT

@Gauri001Also remember that splunk on its own does not "detect" anything. Splunk, using proper searches, can deduce information from the data it's given. If you don't have relevant data onboarded from source machines splunk won't be able to "detect" anything. It's not an EDR solution.