All Apps and Add-ons

Example of how to find the reason for recurring malware on a host?

Ultra Champion

Does anyone have examples of how to use Splunk to find the reason for recurring malware on a host?

0 Karma

Re: Example of how to find the reason for recurring malware on a host?

Ultra Champion

The Splunk Product Best Practices team helped produce this response. Read more about example use cases in the Splunk Platform Use Cases manual.

For more information on this and other examples, download the free Splunk Security Essentials app on Splunkbase.

Security analysts can detect malware that occurs repeatedly on a host as the result of either a recurring attack or an incomplete clean so you can remediate them quickly.

Load data

How to implement: This example use case uses data from Symantec Endpoint Protection. However, you can adapt it to the anti-virus or anti-malware data in your environment.

Install the add-on for Symantec Endpoint Protection from Splunkbase. Additional guidance is available in the Symantec Endpoint Protection Logs Data Source Onboarding Guide on Splunk Security Essentials Docs.

Best practice: For all of the data inputs, specify a desired target index to provide a more sustainable practice for data access controls and retention models. By default, Splunk collects the data in the default index named main.

Get insights

Detect whether the same malware occurs multiple times on the same host.

Run the following search.

index=* sourcetype=symantec:*
| stats count range(time) AS TimeRange BY RiskName, ComputerName
| where TimeRange>1800
| eval TimeRange
InHours = round(TimeRange/3600,2), TimeRangeIn_Days = round(TimeRange/3600/24,2)

Best practice: In searches, replace the asterisk in index=* with the name of the index that contains the data. By default, Splunk stores data in the main index. Therefore, index=* becomes index=main. Use the OR operator to specify one or multiple indexes to search. For example, index=main OR index=security. See About managing indexes and How indexing works in Splunk docs for details.

How to respond: When there are reoccurring infections on the same host, it's important to understand why the system gets continues to get infected. If you see suspicious activity on your proxy logs or suspicious emails going through the spam filter, make sure your users have the proper education, and consider strengthening your malware solution. If you can't determine the reason for the reinfection, it's possible the host is still infected from the first occurrence. Other functionality from the virus may get activated if your antivirus didn't fully clean the host previously.


See the following video for more details related to this use case.
find the reason for recurring malware on a host

If no results appear, it may be because the add-ons were not deployed to the search heads, so the needed tags and fields are not defined. Deploy the add-ons to the search heads to access the needed tags and fields. See About installing Splunk add-ons in the Splunk Add-ons manual.

For troubleshooting tips that you can apply to all add-ons, see Troubleshoot add-ons in the Splunk Add-ons manual.

For more support, post a question to the Splunk Answers community.

View solution in original post

0 Karma