Does anyone have examples of how to use Splunk to find systems with outdated anti-malware?
The Splunk Product Best Practices team helped produce this response. Read more about example use cases in the Splunk Platform Use Cases manual.
In this use case, we'll search for systems that process personal data but have outdated anti-malware protection or lack protection and are at high risk for infection. This use case is from the Splunk Security Essentials app. Check it out for more examples and demo data for this type of use case.
This example use case depends on Symantec Endpoint Protection data. Install the Splunk Add-on for Symantec Endpoint Protection and enable malware category automatic updates to collect anti-virus data.
These searches expose aspects of systems with outdated anti-malware software using the standard sourcetypes for Symantec Endpoint Protection.
Best practice: In the searches below, replace the asterisk in index=* with the name of the index that contains the data. By default, Splunk stores data in the main index. Therefore, index=* becomes index=main. Use the OR operator to specify one or multiple indexes to search. For example, index=main OR index=security. See About managing indexes and How indexing works in Splunk docs for details.
index=* sourcetype=symantec:*
| stats max(eval(if(like(Event_Description, "%LiveUpdate session ran successfully%") , _time, null))) as LatestUpdate max(_time) as LatestMessage max(eval(if(tag="error", _time, null))) as LatestError by Host_Name
| eval Up_To_Date = if( LatestUpdate < relative_time(LatestMessage, "-3d") OR LatestError > LatestUpdate , "No", "Yes")
| search Up_To_Date = Yes
| convert ctime(LatestUpdate) ctime(LatestMessage) ctime(LatestError)
index=* sourcetype=symantec:*
| stats max(eval(if(like(Event_Description, "%LiveUpdate session ran successfully%") , _time, null))) as LatestUpdate max(_time) as LatestMessage max(eval(if(tag="error", _time, null))) as LatestError by Host_Name
| eval Up_To_Date = if( LatestUpdate < relative_time(LatestMessage, "-3d") OR LatestError > LatestUpdate , "No", "Yes")
| search Up_To_Date = No
| convert ctime(LatestUpdate) ctime(LatestMessage) ctime(LatestError)
Known false positives: No known false positives at this time.
How to respond: When this search fires, look on the host to see why the Anti-Virus isn't updating. If there is not an obvious reason, such as a specific and logical error, then consider investigating that host to see whether any other suspicious events have occurred, to rule out an infection.
If no results appear, you may need to deploy the Splunk Add-on for Symantec Endpoint Protection to the search heads, since it contains the knowledge objects necessary for simple searching.
Also consider using anti-virus logs to detect if malware is recurring on a host after being removed. The following video shows how to detect recurring malware on a host.
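To make the logic of the two searches above easier to reason about (and to test it offline), here is an added Python example that is not part of the answer or of Splunk Security Essentials. It re-implements the three stages of the SPL over a handful of constructed Symantec-style events: the stats stage (per host, latest successful LiveUpdate, latest message of any kind, latest error-tagged message), the eval stage (out of date if the last successful update is more than three days older than the latest message, or if an error was logged after it), and the final split into up-to-date and outdated hosts. The host names, timestamps and event descriptions are constructed sample data. One choice is made explicit here that the SPL leaves to how eval treats a null LatestUpdate in a comparison: a host with no recorded successful update at all is reported as not up to date, which is the safer reading for this use case and worth confirming against your own Splunk results.

```python
"""Per-host anti-malware staleness check mirroring the Splunk searches.

Constructed example; the events below are sample data, not real
Symantec Endpoint Protection output.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Same window as relative_time(LatestMessage, "-3d") in the SPL.
STALE_WINDOW = timedelta(days=3)
UPDATE_OK = "LiveUpdate session ran successfully"

# Constructed sample events. "error" stands in for the SPL tag="error".
SAMPLE_EVENTS: List[dict] = [
    # ws01: success, then an error, then a more recent success -> up to date
    {"host": "ws01", "time": "2024-03-01 09:00", "desc": UPDATE_OK, "error": False},
    {"host": "ws01", "time": "2024-03-02 10:00", "desc": "Definitions download failed", "error": True},
    {"host": "ws01", "time": "2024-03-03 09:00", "desc": UPDATE_OK, "error": False},
    {"host": "ws01", "time": "2024-03-04 08:00", "desc": "Scheduled scan completed", "error": False},
    # ws02: last success more than 3 days before its latest message -> outdated
    {"host": "ws02", "time": "2024-02-25 09:00", "desc": UPDATE_OK, "error": False},
    {"host": "ws02", "time": "2024-03-04 08:00", "desc": "Scheduled scan completed", "error": False},
    # ws03: recent success but an error logged after it -> outdated
    {"host": "ws03", "time": "2024-03-03 09:00", "desc": UPDATE_OK, "error": False},
    {"host": "ws03", "time": "2024-03-03 11:00", "desc": "LiveUpdate session failed", "error": True},
    # ws04: never logged a successful update -> outdated (explicit choice, see is_up_to_date)
    {"host": "ws04", "time": "2024-03-04 08:00", "desc": "Scheduled scan completed", "error": False},
]


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def _later(current: Optional[datetime], candidate: datetime) -> datetime:
    """max() that tolerates a None starting value, like stats max() over a null field."""
    return candidate if current is None or candidate > current else current


def summarize_hosts(events: List[dict]) -> Dict[str, Dict[str, Optional[datetime]]]:
    """Equivalent of the `stats ... by Host_Name` stage.

    Returns, per host, LatestUpdate (last successful LiveUpdate), LatestMessage
    (last event of any kind) and LatestError (last error-tagged event); a value
    is None when that host never produced such an event.
    """
    summary: Dict[str, Dict[str, Optional[datetime]]] = {}
    for ev in events:
        t = _parse(ev["time"])
        s = summary.setdefault(
            ev["host"], {"LatestUpdate": None, "LatestMessage": None, "LatestError": None}
        )
        s["LatestMessage"] = _later(s["LatestMessage"], t)
        if UPDATE_OK in ev["desc"]:          # like(Event_Description, "%LiveUpdate session ran successfully%")
            s["LatestUpdate"] = _later(s["LatestUpdate"], t)
        if ev["error"]:                      # tag="error"
            s["LatestError"] = _later(s["LatestError"], t)
    return summary


def is_up_to_date(s: Dict[str, Optional[datetime]], window: timedelta = STALE_WINDOW) -> bool:
    """Equivalent of the eval stage that sets Up_To_Date.

    Out of date when the last successful update is older than `window` relative
    to the host's latest message, or when an error was logged after that update.
    A host with no successful update on record is treated as out of date here;
    this is an explicit choice made by this example.
    """
    if s["LatestUpdate"] is None:
        return False
    if s["LatestUpdate"] < s["LatestMessage"] - window:
        return False
    if s["LatestError"] is not None and s["LatestError"] > s["LatestUpdate"]:
        return False
    return True


def outdated_hosts(events: List[dict]) -> List[str]:
    """Hosts the second search (Up_To_Date = No) would return."""
    return sorted(h for h, s in summarize_hosts(events).items() if not is_up_to_date(s))


def current_hosts(events: List[dict]) -> List[str]:
    """Hosts the first search (Up_To_Date = Yes) would return."""
    return sorted(h for h, s in summarize_hosts(events).items() if is_up_to_date(s))


if __name__ == "__main__":
    for host, s in summarize_hosts(SAMPLE_EVENTS).items():
        print(host, "Yes" if is_up_to_date(s) else "No", s)
    print("outdated:", outdated_hosts(SAMPLE_EVENTS))
```

Note that the SPL uses a strict `<` against the three-day boundary, so a host whose last successful update is exactly three days older than its latest message still counts as up to date; the Python keeps that behaviour so the two can be compared like for like.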