The Splunk Product Best Practices team helped produce this response. Read more about use case examples in Splunk® Platform Use Cases on Splunk Docs.
Multiple, simultaneous virus detections on a single host are a concern because they can indicate an exploit kit that tries several techniques, some of which succeed, leaving one host with multiple unrelated infections. Prioritize these hosts and investigate them immediately to ensure nothing is missed.
This use case is from the Splunk Security Essentials app. For more examples, see the Splunk Security Essentials app on Splunkbase.
How to implement: With Symantec logs onboard, these searches should work easily. If you have a different anti-virus product, adapt the searches to the field names and source types for that product. Search on Splunkbase for a Splunk add-on that maps field names and source types to the Common Information Model.
Data check: This use case requires Symantec AV data.
Find hosts (dest) with at least three malware events where consecutive events are no more than an hour apart and the events span more than four minutes in total. The transaction command adds the eventcount and duration (in seconds) fields that the where clause filters on.
Use the following search (replace index=* with the index that holds your anti-virus data to reduce search cost):
index=* tag=malware tag=attack
| transaction maxpause=1h dest
| where eventcount>=3 AND duration>240
| table Occurrences, signature, RequestedAction, ActualAction, SecondaryAction, ApplicationHash, HashType, dest, src, user, Confidence, Disposition, filepath, Prevalence, _time
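To make the grouping and threshold logic of the search concrete, the following Python example (added here; it is not part of the Splunk Security Essentials app or of this documentation) emulates `transaction maxpause=1h dest` followed by `where eventcount>=3 AND duration>240` over a handful of constructed events. The events use the Common Information Model Malware data model fields (dest, signature, action) as a Symantec add-on would map them; the host names, timestamps and signatures are made up. Beyond the search itself, it also reports the distinct signatures in each transaction, which is what you would look at to judge whether the infections are unrelated.

```python
from datetime import datetime, timedelta

# Constructed sample events, already normalized to CIM Malware fields.
# Not real Symantec data; times are ISO 8601 strings as a _time proxy.
SAMPLE_EVENTS = [
    # host-a: three different signatures over ten minutes -> should match
    {"_time": "2024-03-01T09:00:00", "dest": "host-a", "signature": "Trojan.Gen.2", "action": "blocked"},
    {"_time": "2024-03-01T09:04:30", "dest": "host-a", "signature": "Downloader", "action": "blocked"},
    {"_time": "2024-03-01T09:10:00", "dest": "host-a", "signature": "Backdoor.Trojan", "action": "allowed"},
    # host-b: three detections within 90 seconds -> duration <= 240, dropped
    {"_time": "2024-03-01T10:00:00", "dest": "host-b", "signature": "EICAR Test String", "action": "blocked"},
    {"_time": "2024-03-01T10:00:30", "dest": "host-b", "signature": "EICAR Test String", "action": "blocked"},
    {"_time": "2024-03-01T10:01:30", "dest": "host-b", "signature": "EICAR Test String", "action": "blocked"},
    # host-c: three detections each more than 1h apart -> split into 3 transactions
    {"_time": "2024-03-01T11:00:00", "dest": "host-c", "signature": "W32.Sality", "action": "blocked"},
    {"_time": "2024-03-01T12:30:00", "dest": "host-c", "signature": "W32.Sality", "action": "blocked"},
    {"_time": "2024-03-01T14:00:00", "dest": "host-c", "signature": "W32.Sality", "action": "blocked"},
]


def _ts(event):
    """Parse the event's _time string into a datetime."""
    return datetime.fromisoformat(event["_time"])


def build_transactions(events, maxpause=timedelta(hours=1)):
    """Emulate `transaction maxpause=1h dest`.

    Events are grouped per dest in time order; a new transaction starts
    whenever the gap between consecutive events exceeds maxpause.
    Returns a list of transactions, each a list of events.
    """
    by_dest = {}
    for ev in sorted(events, key=_ts):
        by_dest.setdefault(ev["dest"], []).append(ev)

    transactions = []
    for evs in by_dest.values():
        current = [evs[0]]
        for ev in evs[1:]:
            if _ts(ev) - _ts(current[-1]) > maxpause:
                transactions.append(current)
                current = [ev]
            else:
                current.append(ev)
        transactions.append(current)
    return transactions


def summarize(txn):
    """Compute the fields transaction adds (eventcount, duration in seconds)
    plus the distinct signatures, which the original search does not list."""
    return {
        "dest": txn[0]["dest"],
        "eventcount": len(txn),
        "duration": int((_ts(txn[-1]) - _ts(txn[0])).total_seconds()),
        "signatures": sorted({ev["signature"] for ev in txn}),
        "first_time": txn[0]["_time"],
        "last_time": txn[-1]["_time"],
    }


def find_multi_infected_hosts(events, maxpause=timedelta(hours=1),
                              min_events=3, min_duration_s=240):
    """Apply `where eventcount>=3 AND duration>240` to each transaction."""
    hits = []
    for txn in build_transactions(events, maxpause):
        summary = summarize(txn)
        if summary["eventcount"] >= min_events and summary["duration"] > min_duration_s:
            hits.append(summary)
    return hits


if __name__ == "__main__":
    for hit in find_multi_infected_hosts(SAMPLE_EVENTS):
        print(hit)
```

Running this reports only host-a. host-b has three events but they fall within 90 seconds, so the duration threshold removes a single burst of detections; host-c has three events but each gap exceeds the 1h maxpause, so it yields three one-event transactions. Tuning maxpause and the duration threshold in the search changes exactly these two outcomes.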
How to respond: Use your malware response procedure.
This search is written for Symantec AV data. To use it with a different anti-virus product, update the field names and source types for that product, or search Splunkbase for a Splunk add-on that maps your product to the Common Information Model.
If no results appear, deploy the Add-ons to the search heads to access the knowledge objects necessary for simple searching. See About installing Splunk add-ons on Splunk Docs for assistance.