Anyone have examples of how to use Splunk to check for compliance against ransomware vulnerabilities?
The Splunk Product Best Practices team helped produce this response. Read more about example use cases in the Splunk Platform Use Cases manual.
Check out the Splunk Security Essentials for Ransomware for more than a dozen use cases that allow you to measure how effectively you are reducing the risk of WannaCry and similar exploits, as well as searches which can help detect the effects of ransomware within your enterprise.
Additionally, what follows is a specific use case that queries the vulnerability management logs from solutions such as Tenable (Nessus) to identify the hosts in the environment that might be vulnerable to ransomware. This use case is from Splunk Security Essentials. Check it out for more examples and demo data of the below use case.
This use case depends on vulnerabilities data generated by the Splunk Add-on for Tenable.
Install the Splunk Add-on for Tenable and configure inputs for Security Center. Pay special attention to the Install the Splunk Add-on for Tenable topic for deployment to the search heads to identify which knowledge objects are necessary for this use case.
Use the following search to identify hosts that may be vulnerable to ransomware.
Best practice: In searches, replace the asterisk in index=* with the name of the index that contains the data. By default, Splunk stores data in the main index. Therefore, index=* becomes index=main. Use the OR operator to specify one or multiple indexes to search. For example, index=main OR index=security. See About managing indexes and How indexing works in Splunk docs for details.
index=* (sourcetype=nessus:scan OR tag=vulnerability) (cve = cve-2017-0143 OR cve = cve-2017-0144 OR cve = cve-2017-0145 OR cve = cve-2017-0146 OR cve = cve-2017-0147 OR cve = cve-2017-0148 OR cve = cve-2014-6332 OR cve = cve-2012-0158 OR cve = cve-2014-4114 OR cve = cve-2014-1761 OR cve = cve-2013-3906 OR cve = cve-2015-1641)
| bucket _time span=1d
| stats values(cve) as CVEs by _time, signature, netbios-name, hostname
Known false positives: There are no known false positives at this time.
How to respond: Verify that all patches for these vulnerabilities have been applied. If you need to apply patches, start the update process to remove these vulnerabilities from your environment.
If no results appear, you may need to deploy the Splunk Add-on for Tenable to the search heads to use the knowledge objects necessary for simple searching.
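As an added example that is not part of the answer above (and not Splunk's or Tenable's code), here is a small Python model of what that SPL search computes, run over constructed Nessus-style events so the shape of the result table is visible without a Splunk instance. The field names (cve, signature, netbios-name, hostname) and the CVE list come from the search; the hosts, plugin names, timestamps and the "other:scanner" sourcetype are made-up sample data. The model buckets on UTC calendar days, whereas Splunk's bucket uses the search head's time zone.

```python
from collections import defaultdict
from datetime import datetime, timezone

# CVE list copied from the SPL search. Splunk compares field values
# case-insensitively, so everything is lower-cased before lookup.
RANSOMWARE_CVES = {
    "cve-2017-0143", "cve-2017-0144", "cve-2017-0145", "cve-2017-0146",
    "cve-2017-0147", "cve-2017-0148", "cve-2014-6332", "cve-2012-0158",
    "cve-2014-4114", "cve-2014-1761", "cve-2013-3906", "cve-2015-1641",
}

MS17_010 = "MS17-010: Security Update for Microsoft Windows SMB Server"

# Constructed sample events. Field names follow the search; the hosts,
# plugin names ("Constructed plugin ..."), timestamps and the placeholder
# CVE-0000-0000 are invented for this example.
SAMPLE_EVENTS = [
    # Two MS17-010 findings for one host on one day -> one row with two CVEs
    {"_time": "2017-05-17T08:12:00+00:00", "sourcetype": "nessus:scan", "tag": [],
     "cve": "CVE-2017-0144", "signature": MS17_010,
     "netbios-name": "FILESRV01", "hostname": "filesrv01.corp.example"},
    {"_time": "2017-05-17T08:12:30+00:00", "sourcetype": "nessus:scan", "tag": [],
     "cve": "CVE-2017-0145", "signature": MS17_010,
     "netbios-name": "FILESRV01", "hostname": "filesrv01.corp.example"},
    # Same host, next day's scan -> a separate daily bucket (second row)
    {"_time": "2017-05-18T08:12:00+00:00", "sourcetype": "nessus:scan", "tag": [],
     "cve": "CVE-2017-0144", "signature": MS17_010,
     "netbios-name": "FILESRV01", "hostname": "filesrv01.corp.example"},
    # Different scanner sourcetype, matched through tag=vulnerability instead
    {"_time": "2017-05-17T09:00:00+00:00", "sourcetype": "other:scanner",
     "tag": ["vulnerability"], "cve": "cve-2014-6332",
     "signature": "Constructed plugin A",
     "netbios-name": "WS-077", "hostname": "ws-077.corp.example"},
    # CVE not on the ransomware list -> dropped by the cve filter
    {"_time": "2017-05-17T09:05:00+00:00", "sourcetype": "nessus:scan", "tag": [],
     "cve": "CVE-0000-0000", "signature": "Constructed plugin B",
     "netbios-name": "WS-042", "hostname": "ws-042.corp.example"},
    # Listed CVE but wrong sourcetype and no vulnerability tag -> dropped
    {"_time": "2017-05-17T09:10:00+00:00", "sourcetype": "syslog", "tag": [],
     "cve": "cve-2017-0144", "signature": "Constructed plugin C",
     "netbios-name": "WS-042", "hostname": "ws-042.corp.example"},
]


def matches_search(event):
    """The filter clauses of the SPL search, as a predicate on one event:
    (sourcetype=nessus:scan OR tag=vulnerability) AND cve in the list."""
    from_scanner = (event.get("sourcetype") == "nessus:scan"
                    or "vulnerability" in event.get("tag", []))
    return from_scanner and event.get("cve", "").lower() in RANSOMWARE_CVES


def bucket_day(timestamp):
    """`bucket _time span=1d`: truncate an ISO-8601 timestamp to its UTC day."""
    return datetime.fromisoformat(timestamp).astimezone(timezone.utc).date().isoformat()


def vulnerable_hosts(events):
    """`stats values(cve) as CVEs by _time, signature, netbios-name, hostname`.

    Splunk's values() returns the distinct values in lexicographic order,
    which sorted(set) reproduces here (values are lower-cased by this model).
    """
    groups = defaultdict(set)
    for event in events:
        if not matches_search(event):
            continue
        key = (bucket_day(event["_time"]), event["signature"],
               event["netbios-name"], event["hostname"])
        groups[key].add(event["cve"].lower())
    return [
        {"_time": day, "signature": sig, "netbios-name": nb,
         "hostname": host, "CVEs": sorted(cves)}
        for (day, sig, nb, host), cves in sorted(groups.items())
    ]


if __name__ == "__main__":
    for row in vulnerable_hosts(SAMPLE_EVENTS):
        print(row["_time"], row["hostname"], row["signature"], ", ".join(row["CVEs"]))
```

Running it yields three rows: two for 2017-05-17 (the tag-matched workstation and the file server with both MS17-010 CVEs) and one for 2017-05-18 (the file server again). That last row is the point to notice when acting on the real search: because the stats groups by daily bucket, a host shows up again on every day it is rescanned until the patch is applied, so a rising row count for the same hostname is a patching backlog rather than a new exposure.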