Security

Example of an outdated anti-malware use case?

adukes_splunk
Splunk Employee
Splunk Employee

Does anyone have examples of how to use Splunk to find systems with outdated anti-malware?

0 Karma
1 Solution

adukes_splunk
Splunk Employee
Splunk Employee

The Splunk Product Best Practices team helped produce this response. Read more about example use cases in the Splunk Platform Use Cases manual.

For more information on this and other examples, download the free Splunk Security Essentials app on Splunkbase.

In this use case, we'll search for systems that process personal data but have outdated anti-malware protection or lack protection and are at high risk for infection. This use case is from the Splunk Security Essentials app. Check it out for more examples and demo data for this type of use case.

Load data

This example use case depends on Symantec Endpoint Protection data. Install the Splunk Add-on for Symantec Endpoint Protection and enable malware category automatic updates to collect anti-virus data.

Get insights

These searches expose aspects of systems with outdated anti-malware software using the standard sourcetypes for Symantec Endpoint Protection.

Best practice: In the searches below, replace the asterisk in index= with the name of the index that contains the data. By default, Splunk stores data in the main index. Therefore, index= becomes index=main. Use the OR operator to specify one or multiple indexes to search. For example, index=main OR index=security. See About managing indexes and How indexing works in Splunk docs for details.

Hosts with Up To Data AV

index=* sourcetype=symantec:*
| stats max(eval(if(like(Event_Description, "%LiveUpdate session ran successfully%") , _time, null))) as LatestUpdate max(_time) as  LatestMessage max(eval(if(tag="error", _time, null))) as LatestError by Host_Name
| eval Up_To_Date = if( LatestUpdate < relative_time(LatestMessage, "-3d") OR LatestError > LatestUpdate , "No", "Yes")
| search Up_To_Date = Yes
| convert ctime(LatestUpdate) ctime(LatestMessage) ctime(LatestError)

Hosts with Expired AV

index=* sourcetype=symantec:*
| stats max(eval(if(like(Event_Description, "%LiveUpdate session ran successfully%") , _time, null))) as LatestUpdate max(_time) as LatestMessage max(eval(if(tag="error", _time, null))) as LatestError by Host_Name
| eval Up_To_Date = if( LatestUpdate < relative_time(LatestMessage, "-3d") OR LatestError > LatestUpdate , "No", "Yes")
| search Up_To_Date = No
| convert ctime(LatestUpdate) ctime(LatestMessage) ctime(LatestError)

Known false positives: No known false positives at this time.

How to respond: When this search fires, look on the host to see why the Anti-Virus isn't updating. If there is not an obvious reason such as specific and logical error, then consider investigating that host to see if there are any other suspicious events have occurred to rule out an infection.

If no results appear, you may need to deploy the Splunk Add-on for Symantec Endpoint Protection to the search heads to use the knowledge objects necessary for simple searching. They are needed to since they have the knowledge objects necessary for simple searching.

Also consider using anti-virus logs to detect if malware is recurring on a host after being removed. The following video shows how to detect recurring malware on a host.

Detecting Recurring Malware on Host

View solution in original post

0 Karma

adukes_splunk
Splunk Employee
Splunk Employee

The Splunk Product Best Practices team helped produce this response. Read more about example use cases in the Splunk Platform Use Cases manual.

For more information on this and other examples, download the free Splunk Security Essentials app on Splunkbase.

In this use case, we'll search for systems that process personal data but have outdated anti-malware protection or lack protection and are at high risk for infection. This use case is from the Splunk Security Essentials app. Check it out for more examples and demo data for this type of use case.

Load data

This example use case depends on Symantec Endpoint Protection data. Install the Splunk Add-on for Symantec Endpoint Protection and enable malware category automatic updates to collect anti-virus data.

Get insights

These searches expose aspects of systems with outdated anti-malware software using the standard sourcetypes for Symantec Endpoint Protection.

Best practice: In the searches below, replace the asterisk in index= with the name of the index that contains the data. By default, Splunk stores data in the main index. Therefore, index= becomes index=main. Use the OR operator to specify one or multiple indexes to search. For example, index=main OR index=security. See About managing indexes and How indexing works in Splunk docs for details.

Hosts with Up To Data AV

index=* sourcetype=symantec:*
| stats max(eval(if(like(Event_Description, "%LiveUpdate session ran successfully%") , _time, null))) as LatestUpdate max(_time) as  LatestMessage max(eval(if(tag="error", _time, null))) as LatestError by Host_Name
| eval Up_To_Date = if( LatestUpdate < relative_time(LatestMessage, "-3d") OR LatestError > LatestUpdate , "No", "Yes")
| search Up_To_Date = Yes
| convert ctime(LatestUpdate) ctime(LatestMessage) ctime(LatestError)

Hosts with Expired AV

index=* sourcetype=symantec:*
| stats max(eval(if(like(Event_Description, "%LiveUpdate session ran successfully%") , _time, null))) as LatestUpdate max(_time) as LatestMessage max(eval(if(tag="error", _time, null))) as LatestError by Host_Name
| eval Up_To_Date = if( LatestUpdate < relative_time(LatestMessage, "-3d") OR LatestError > LatestUpdate , "No", "Yes")
| search Up_To_Date = No
| convert ctime(LatestUpdate) ctime(LatestMessage) ctime(LatestError)

Known false positives: No known false positives at this time.

How to respond: When this search fires, look on the host to see why the Anti-Virus isn't updating. If there is not an obvious reason such as specific and logical error, then consider investigating that host to see if there are any other suspicious events have occurred to rule out an infection.

If no results appear, you may need to deploy the Splunk Add-on for Symantec Endpoint Protection to the search heads to use the knowledge objects necessary for simple searching. They are needed to since they have the knowledge objects necessary for simple searching.

Also consider using anti-virus logs to detect if malware is recurring on a host after being removed. The following video shows how to detect recurring malware on a host.

Detecting Recurring Malware on Host

View solution in original post

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!