All Apps and Add-ons

Example of how to detect a basic malware outbreak?

sloshburch
Ultra Champion

Does anyone have examples of how to use Splunk to detect a basic malware outbreak?


sloshburch
Ultra Champion

The Splunk Product Best Practices team helped produce this response. Read more about use case examples in Splunk® Platform Use Cases on Splunk Docs.

When the same malware occurs on multiple systems, your environment can be at risk. Detect worms, ransomware, broad phishing campaigns, and so on before they become a major threat.

This use case is from the Splunk Security Essentials app. For more examples, see the Splunk Security Essentials on Splunkbase.

Basic Malware Outbreak

Load data

How to implement: These searches work with Symantec Endpoint Protection logs. If you have a different anti-virus product, you can adapt the field names and source types for your product. Search for a Splunk Add-on on Splunkbase that maps your product source types to the Common Information Model.

Data check: This use case depends on Symantec AV data.

Get insights

In this use case, you can explore how to use the Splunk platform to find the same malware on multiple systems in a short period of time.

Use the following search:

index=* tag=attack tag=malware
| transaction maxpause=1d Risk_Name
| where mvcount(Computer_Name)>3
| table Occurrences, Risk_Name, Requested_Action, Actual_Action, Secondary_Action, ApplicationHash, HashType, Computer_Name, Source, User_Name, Confidence, Disposition, File_Path, Prevalence, _time

Best practice: In searches, replace the asterisk in index=* with the name of the index that contains the data. By default, Splunk stores data in the main index. Therefore, index=* becomes index=main. Use the OR operator to specify one or multiple indexes to search. For example, index=main OR index=security. See About managing indexes and How indexing works in Splunk docs for details.

How to respond: When you see the same malware on multiple systems, it is important to understand how the malware is spreading so you can stop the threat. For example, if WannaCry is spreading through an unpatched SMB vulnerability, you need a network or patching response. Phishing campaigns require that you remove messages from mailboxes and filter them. Drive-by download responses require an entirely different set of actions. Perform all standard malware incident response actions, such as updating definitions, reimaging systems, and so on.

Help

This example searches for undesired activity using the standardized source types for Symantec Endpoint Protection or the Common Information Model.

This search is written for Symantec AV data. However, you can modify it for other sources.

If no results appear, deploy the Add-ons to the search heads to access the knowledge objects necessary for simple searching. See About installing Splunk add-ons on Splunk Docs for assistance.

For more support, post a question to the Splunk Answers community.

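As an added example (not code from this post, from Splunk, or from Splunk Security Essentials), the following Python reproduces the logic of the search above offline: group detections by Risk_Name, break a group when the gap between consecutive events exceeds one day (the maxpause), and report a group only when it spans more than three distinct hosts. The sample records, field values and thresholds are constructed assumptions; the field names follow the ones the search tables.

```python
# Added example, not code from the Splunk Answers post or from Splunk Security Essentials:
# a Python reimplementation of the SPL search above, run over constructed AV records.
from collections import defaultdict
from datetime import datetime, timedelta
MAXPAUSE = timedelta(days=1)  # mirrors: transaction maxpause=1d
MIN_HOSTS = 4                 # mirrors: where mvcount(Computer_Name)>3
# Constructed sample detections (not real telemetry); field names follow the search's table.
SAMPLE_EVENTS = [
    {"_time": "2021-03-01T08:00:00", "Risk_Name": "Trojan.Gen.2", "Computer_Name": "ws-01"},
    {"_time": "2021-03-01T08:15:00", "Risk_Name": "Trojan.Gen.2", "Computer_Name": "ws-02"},
    {"_time": "2021-03-01T09:30:00", "Risk_Name": "Trojan.Gen.2", "Computer_Name": "ws-03"},
    {"_time": "2021-03-01T11:00:00", "Risk_Name": "Trojan.Gen.2", "Computer_Name": "ws-01"},
    {"_time": "2021-03-01T12:45:00", "Risk_Name": "Trojan.Gen.2", "Computer_Name": "ws-04"},
    {"_time": "2021-03-01T10:00:00", "Risk_Name": "W32.Downadup", "Computer_Name": "srv-01"},
    {"_time": "2021-03-01T10:05:00", "Risk_Name": "W32.Downadup", "Computer_Name": "srv-02"},
    # Four hosts in total, but a 47-hour gap splits them into two transactions of two.
    {"_time": "2021-03-02T09:00:00", "Risk_Name": "Ransom.Wannacry", "Computer_Name": "ws-10"},
    {"_time": "2021-03-02T10:00:00", "Risk_Name": "Ransom.Wannacry", "Computer_Name": "ws-11"},
    {"_time": "2021-03-04T09:00:00", "Risk_Name": "Ransom.Wannacry", "Computer_Name": "ws-12"},
    {"_time": "2021-03-04T10:00:00", "Risk_Name": "Ransom.Wannacry", "Computer_Name": "ws-13"},
]

def group_transactions(events, maxpause=MAXPAUSE):
    """Mimic `transaction maxpause=1d Risk_Name`: a gap longer than maxpause starts a new one."""
    by_risk = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["_time"]):  # ISO-8601 strings sort chronologically
        by_risk[ev["Risk_Name"]].append(ev)
    transactions = []
    for evs in by_risk.values():
        current = [evs[0]]
        for prev, ev in zip(evs, evs[1:]):
            gap = datetime.fromisoformat(ev["_time"]) - datetime.fromisoformat(prev["_time"])
            if gap > maxpause:
                transactions.append(current)
                current = []
            current.append(ev)
        transactions.append(current)
    return transactions

def find_outbreaks(events, min_hosts=MIN_HOSTS):
    """Mimic `where mvcount(Computer_Name)>3`: transaction dedups multivalue fields, so count hosts."""
    hits = []
    for tx in group_transactions(events):
        hosts = sorted({e["Computer_Name"] for e in tx})
        if len(hosts) >= min_hosts:
            hits.append({"Risk_Name": tx[0]["Risk_Name"], "Occurrences": len(tx),
                         "Computer_Name": hosts, "first_seen": tx[0]["_time"], "last_seen": tx[-1]["_time"]})
    return hits
```

Running find_outbreaks(SAMPLE_EVENTS) flags only Trojan.Gen.2 (four hosts, five occurrences); the Ransom.Wannacry records touch four hosts too but never within one maxpause window, which is the edge the search's maxpause=1d setting governs.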


sloshburch
Ultra Champion

Update: I changed the video link to the YouTube version.
