
Example of how to detect malware infections across multiple hosts?

Ultra Champion

Does anyone have examples of how to use Splunk to detect malware infections across multiple hosts?

0 Karma

Re: Example of how to detect malware infections across multiple hosts?

Ultra Champion

The Splunk Product Best Practices team helped produce this response. Read more about use case examples in Splunk® Platform Use Cases on Splunk Docs.

Multiple, simultaneous viruses are a concern because they can indicate an exploit kit that tries several techniques where some succeed on a single host with multiple unrelated viruses. Prioritize these hosts and investigate them immediately to ensure nothing is missed.

This use case is from the Splunk Security Essentials app. For more examples, see the Splunk Security Essentials app on Splunkbase.

Load data

How to implement: With Symantec logs onboard, these searches should work easily. If you have a different anti-virus product, adapt the searches to the field names and source types for that product. Search on Splunkbase for a Splunk add-on that maps field names and source types to the Common Information Model.

Data check: This use case requires Symantec AV data.

Get insights

Find hosts that logged into multiple, different, and infected endpoints in a short period of time.

Use the following search:

index=* tag=malware tag=attack
| transaction maxpause=1h dest
| where eventcount>=3 AND duration>240
| table Occurrences, signature, RequestedAction, ActualAction, SecondaryAction, ApplicationHash, HashType, dest, src, user, Confidence, Disposition, filepath, Prevalence, _time

Best practice: In searches, replace the asterisk in index=* with the name of the index that contains the data. By default, Splunk stores data in the main index. Therefore, index=* becomes index=main. Use the OR operator to specify one or multiple indexes to search. For example, index=main OR index=security. See About managing indexes and How indexing works in Splunk docs for details.

How to respond: Use your malware response procedure.

Help

This search works with Symantec logs onboard. However, you can adapt it to work with a different anti-virus product by updating the field names and source types for that product. Search Splunkbase to find a Splunk Add-on that maps your product to the Common Information Model.

This search is for Symantec AV data. However, you can adapt it to work with other anti-virus products.

If no results appear, deploy the Add-ons to the search heads to access the knowledge objects necessary for simple searching. See About installing Splunk add-ons on Splunk Docs for assistance.

For more support, post a question to the Splunk Answers community.


0 Karma
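An added example, not part of the original post or Splunk's own code: a Python approximation of what the search's `transaction maxpause=1h dest` and `where eventcount>=3 AND duration>240` clauses select, run over constructed sample events. The host names, signature names, and function names are assumptions made for illustration.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
MAX_PAUSE = timedelta(hours=1)  # transaction maxpause=1h
MIN_EVENTS = 3                  # where eventcount>=3
MIN_DURATION = 240              # where duration>240 (seconds, first to last event)

# Constructed sample events: (timestamp, dest, signature)
EVENTS = [
    ("2024-05-01 09:00:00", "ws-01", "SampleTrojan.A"),      # 3 events over 600 s
    ("2024-05-01 09:03:00", "ws-01", "SampleDownloader.B"),
    ("2024-05-01 09:10:00", "ws-01", "SampleBackdoor.C"),
    ("2024-05-01 09:00:00", "ws-02", "SampleTrojan.A"),      # 3 events, only 120 s
    ("2024-05-01 09:01:00", "ws-02", "SampleTrojan.A"),
    ("2024-05-01 09:02:00", "ws-02", "SampleTrojan.A"),
    ("2024-05-01 08:00:00", "ws-03", "SampleAdware.D"),      # gaps over 1h split the group
    ("2024-05-01 10:30:00", "ws-03", "SampleAdware.D"),
    ("2024-05-01 13:00:00", "ws-03", "SampleAdware.D"),
]

def group_transactions(events, max_pause=MAX_PAUSE):
    """Group events per dest; a gap longer than max_pause starts a new group."""
    parsed = sorted((datetime.strptime(ts, FMT), dest, sig) for ts, dest, sig in events)
    groups = {}  # dest -> list of runs, each run a list of (time, signature)
    for when, dest, sig in parsed:
        runs = groups.setdefault(dest, [])
        if runs and when - runs[-1][-1][0] <= max_pause:
            runs[-1].append((when, sig))
        else:
            runs.append([(when, sig)])
    return groups

def flag_hosts(events):
    """Return groups that meet both thresholds used in the search."""
    findings = []
    for dest, runs in group_transactions(events).items():
        for run in runs:
            duration = (run[-1][0] - run[0][0]).total_seconds()
            if len(run) >= MIN_EVENTS and duration > MIN_DURATION:
                findings.append({
                    "dest": dest,
                    "eventcount": len(run),
                    "duration": duration,
                    "signatures": sorted({sig for _, sig in run}),
                })
    return sorted(findings, key=lambda f: f["dest"])

if __name__ == "__main__":
    for finding in flag_hosts(EVENTS):
        print(finding)
```

Only `ws-01` is flagged: `ws-02` fails the duration threshold and `ws-03` never accumulates three events within a one-hour pause window. The `signatures` list is an extra output of this example that shows whether the detections on a flagged host are distinct.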