All Apps and Add-ons

Example of how to detect endpoints that have uncleaned malware?

Ultra Champion

Does anyone have examples of how to use Splunk to detect endpoints that have uncleaned malware?

0 Karma
1 Solution

Ultra Champion

The Splunk Product Best Practices team helped produce this response. Read more about example use cases in the Splunk Platform Use Cases manual.

For more information on this and other examples, download the free Splunk Security Essentials app on Splunkbase.

Security analysts can detect systems with uncleaned malware to prevent damage or disclosure of personal data, which might have GDPR implications.

General Data Protection Regulation (GDPR) regulates the processing of personal data. To comply with GDPR requirements, organizations must maintain records and audit trails for end-to-end processing of personal data. They must also show compliance if there is a privacy audit and compensate individuals impacted if there is a security breach. See GDPR Compliance with Splunk for more details about meeting your compliance needs.

Load data

How to implement: This example use case uses data from Symantec Endpoint Protection. However, you can adapt it to the anti-virus or anti-malware data in your environment.

Install the Splunk Add-on for Symantec Endpoint Protection from Spunkbase. Additional guidance is available in the Data Source Onboarding Guides for Symantec Endpoint Protection Logs on Splunk Security Essentials Docs.

Best practice: For all of the data inputs, specify a desired target index to provide a more sustainable practice for data access controls and retention models. By default, Splunk collects the data in the default index named main.

Get insights

Uncleaned malware can mean that there is still malware active in your environment. For environments that process personal data, clearing out malware is required for GDPR compliance.

Run the following search.

index=* sourcetype=symantec:ep:*:file 
| where Actual_Action!=Requested_Action AND Actual_Action!=Secondary_Action
| table _time Actual_Action Requested_Action Secondary_Action Risk_Name File_Path Computer_Name

Best practice: In searches, replace the asterisk in index=* with the name of the index that contains the data. By default, Splunk stores data in the main index. Therefore, index=* becomes index=main. Use the OR operator to specify one or multiple indexes to search. For example, index=main OR index=security. See About managing indexes and How indexing works in Splunk docs for details.

How to respond: Initiate your standard incident response process on any infected host.

Help

If no results appear, it may be because the add-ons were not deployed to the search heads, so the needed tags and fields are not defined. Deploy the add-ons to the search heads to access the needed tags and fields. See About installing Splunk add-ons in the Splunk Add-ons manual.

For troubleshooting tips that you can apply to all add-ons, see Troubleshoot add-ons in the Splunk Add-ons manual.

For more support, post a question to the Splunk Answers community.

View solution in original post

0 Karma

Ultra Champion

The Splunk Product Best Practices team helped produce this response. Read more about example use cases in the Splunk Platform Use Cases manual.

For more information on this and other examples, download the free Splunk Security Essentials app on Splunkbase.

Security analysts can detect systems with uncleaned malware to prevent damage or disclosure of personal data, which might have GDPR implications.

General Data Protection Regulation (GDPR) regulates the processing of personal data. To comply with GDPR requirements, organizations must maintain records and audit trails for end-to-end processing of personal data. They must also show compliance if there is a privacy audit and compensate individuals impacted if there is a security breach. See GDPR Compliance with Splunk for more details about meeting your compliance needs.

Load data

How to implement: This example use case uses data from Symantec Endpoint Protection. However, you can adapt it to the anti-virus or anti-malware data in your environment.

Install the Splunk Add-on for Symantec Endpoint Protection from Spunkbase. Additional guidance is available in the Data Source Onboarding Guides for Symantec Endpoint Protection Logs on Splunk Security Essentials Docs.

Best practice: For all of the data inputs, specify a desired target index to provide a more sustainable practice for data access controls and retention models. By default, Splunk collects the data in the default index named main.

Get insights

Uncleaned malware can mean that there is still malware active in your environment. For environments that process personal data, clearing out malware is required for GDPR compliance.

Run the following search.

index=* sourcetype=symantec:ep:*:file 
| where Actual_Action!=Requested_Action AND Actual_Action!=Secondary_Action
| table _time Actual_Action Requested_Action Secondary_Action Risk_Name File_Path Computer_Name

Best practice: In searches, replace the asterisk in index=* with the name of the index that contains the data. By default, Splunk stores data in the main index. Therefore, index=* becomes index=main. Use the OR operator to specify one or multiple indexes to search. For example, index=main OR index=security. See About managing indexes and How indexing works in Splunk docs for details.

How to respond: Initiate your standard incident response process on any infected host.

Help

If no results appear, it may be because the add-ons were not deployed to the search heads, so the needed tags and fields are not defined. Deploy the add-ons to the search heads to access the needed tags and fields. See About installing Splunk add-ons in the Splunk Add-ons manual.

For troubleshooting tips that you can apply to all add-ons, see Troubleshoot add-ons in the Splunk Add-ons manual.

For more support, post a question to the Splunk Answers community.

View solution in original post

0 Karma