Does anyone have examples of how to use Splunk to detect a basic malware outbreak?
When the same malware occurs on multiple systems, your environment can be at risk. Detect worms, ransomware, broad phishing campaigns, and so on before they become a major threat.
This use case is from the Splunk Security Essentials app. For more examples, see the Splunk Security Essentials on Splunkbase.
How to implement: These searches work with Symantec Endpoint Protection logs. If you have a different anti-virus product, you can adapt the field names and source types for your product. Search for a Splunk Add-on on Splunkbase that maps your product source types to the Common Information Model.
Data check: This use case depends on Symantec AV data.
In this use case, you can explore how to use the Splunk platform to find the same malware on multiple systems in a short period of time.
Use the following search:
index=* tag=attack tag=malware
| transaction maxpause=1d Risk_Name
| where mvcount(Computer_Name)>3
| table Occurrences, Risk_Name, Requested_Action, Actual_Action, Secondary_Action, ApplicationHash, HashType, Computer_Name, Source, User_Name, Confidence, Disposition, File_Path, Prevalence, _time
Best practice: In searches, replace the asterisk in index=* with the name of the index that contains the data. By default, Splunk stores data in the main index. Therefore, index=* becomes index=main. Use the OR operator to specify one or multiple indexes to search. For example, index=main OR index=security. See About managing indexes and How indexing works in Splunk docs for details.
How to respond: When you see the same malware on multiple systems, it is important to understand how the malware is spreading so you can stop the threat. For example, if WannaCry is spreading through an unpatched SMB vulnerability, you need a network or patching response. Phishing campaigns require that you remove messages from mailboxes and filter them. Drive-by download responses require an entirely different set of actions. Perform all standard malware incident response actions, such as updating definitions, reimaging systems, and so on.
This example searches for undesired activity using the standardized source types for Symantec Endpoint Protection or the Common Information Model.
This search is written for Symantec AV data. However, you can modify it for other sources.
If no results appear, deploy the Add-ons to the search heads to access the knowledge objects necessary for simple searching. See About installing Splunk add-ons on Splunk Docs for assistance.
For more support, post a question to the Splunk Answers community.
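To make the logic of the search above concrete outside of Splunk, here is an added Python example (not code from the original answer or from Splunk Security Essentials) that reproduces what `transaction maxpause=1d Risk_Name | where mvcount(Computer_Name)>3` does: events are grouped by Risk_Name, a new group starts whenever the gap to the previous event exceeds one day, and a group is flagged as an outbreak when it spans more than three distinct hosts. The event records, risk names and host names are constructed sample data; the field names follow the ones the search tables.

```python
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample AV events (not real Symantec log data). Field names mirror
# the ones used by the search on the page: _time, Risk_Name, Computer_Name, Actual_Action.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # One detection name hitting five hosts within a few hours: the outbreak case.
    {"_time": "2024-05-01T08:00:00", "Risk_Name": "Ransom.Wannacry", "Computer_Name": "WS-001", "Actual_Action": "Quarantined"},
    {"_time": "2024-05-01T08:05:00", "Risk_Name": "Ransom.Wannacry", "Computer_Name": "WS-002", "Actual_Action": "Quarantined"},
    {"_time": "2024-05-01T09:10:00", "Risk_Name": "Ransom.Wannacry", "Computer_Name": "WS-003", "Actual_Action": "Left alone"},
    {"_time": "2024-05-01T09:30:00", "Risk_Name": "Ransom.Wannacry", "Computer_Name": "WS-001", "Actual_Action": "Quarantined"},
    {"_time": "2024-05-01T10:00:00", "Risk_Name": "Ransom.Wannacry", "Computer_Name": "WS-004", "Actual_Action": "Quarantined"},
    {"_time": "2024-05-01T11:00:00", "Risk_Name": "Ransom.Wannacry", "Computer_Name": "WS-005", "Actual_Action": "Quarantined"},
    # Two hosts only: below the threshold.
    {"_time": "2024-05-01T12:00:00", "Risk_Name": "Trojan.Gen.2", "Computer_Name": "WS-010", "Actual_Action": "Quarantined"},
    {"_time": "2024-05-01T13:00:00", "Risk_Name": "Trojan.Gen.2", "Computer_Name": "WS-011", "Actual_Action": "Quarantined"},
    # Four hosts, but split by a gap of more than a day, so maxpause=1d yields two groups of two.
    {"_time": "2024-05-01T09:00:00", "Risk_Name": "EICAR-Test-File", "Computer_Name": "WS-020", "Actual_Action": "Deleted"},
    {"_time": "2024-05-01T10:00:00", "Risk_Name": "EICAR-Test-File", "Computer_Name": "WS-021", "Actual_Action": "Deleted"},
    {"_time": "2024-05-03T09:00:00", "Risk_Name": "EICAR-Test-File", "Computer_Name": "WS-022", "Actual_Action": "Deleted"},
    {"_time": "2024-05-03T10:00:00", "Risk_Name": "EICAR-Test-File", "Computer_Name": "WS-023", "Actual_Action": "Deleted"},
]

MAXPAUSE = timedelta(days=1)  # the search's maxpause=1d


def summarize(risk: str, evs: List[Dict[str, str]]) -> Dict[str, object]:
    """Collapse one group of events the way `transaction` does: Occurrences is the
    event count, multivalue fields hold each distinct value once, _time is the earliest."""
    hosts: List[str] = []
    actions: List[str] = []
    for ev in evs:
        if ev["Computer_Name"] not in hosts:
            hosts.append(ev["Computer_Name"])
        if ev["Actual_Action"] not in actions:
            actions.append(ev["Actual_Action"])
    return {
        "Risk_Name": risk,
        "Occurrences": len(evs),
        "Computer_Name": hosts,       # multivalue field; mvcount() would return len(hosts)
        "Actual_Action": actions,
        "_time": evs[0]["_time"],
    }


def build_transactions(events: List[Dict[str, str]], maxpause: timedelta = MAXPAUSE) -> List[Dict[str, object]]:
    """Mimic `transaction maxpause=1d Risk_Name`: events sharing a Risk_Name are grouped in
    time order, and a new group starts when the gap since the previous event exceeds maxpause."""
    by_risk: Dict[str, List[Dict[str, str]]] = {}
    for ev in sorted(events, key=lambda e: e["_time"]):  # ISO-8601 strings sort chronologically
        by_risk.setdefault(ev["Risk_Name"], []).append(ev)

    transactions: List[Dict[str, object]] = []
    for risk, evs in by_risk.items():
        current: List[Dict[str, str]] = []
        last_time = None
        for ev in evs:
            t = datetime.fromisoformat(ev["_time"])
            if last_time is not None and t - last_time > maxpause:
                transactions.append(summarize(risk, current))
                current = []
            current.append(ev)
            last_time = t
        if current:
            transactions.append(summarize(risk, current))
    return transactions


def find_outbreaks(events: List[Dict[str, str]], min_hosts: int = 3,
                   maxpause: timedelta = MAXPAUSE) -> List[Dict[str, object]]:
    """Equivalent of `| where mvcount(Computer_Name)>3`: keep only groups that
    touched more than min_hosts distinct machines."""
    return [t for t in build_transactions(events, maxpause) if len(t["Computer_Name"]) > min_hosts]


if __name__ == "__main__":
    for hit in find_outbreaks(SAMPLE_EVENTS):
        print(f'{hit["Risk_Name"]}: {hit["Occurrences"]} detections on {len(hit["Computer_Name"])} hosts '
              f'starting {hit["_time"]} -> {", ".join(hit["Computer_Name"])}')
```

Run on the sample data, only Ransom.Wannacry is reported (six detections across five hosts); Trojan.Gen.2 stays under the threshold, and the EICAR events are split into two separate groups because of the two-day gap, which is the maxpause behaviour to keep in mind when tuning the search. The threshold is a parameter here so the same logic can be tried against a different host count before changing the `>3` in the SPL.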
Update: I changed the video link to youtube version.