I’d like to create an alert on ransomware detections. I have file events logs and their most important field is ‘file_name’. It looks like this:
File_name
File1.txt
File2.pdf
File3.xls
Etc.
At the same time I have a lookup called ‘ransomware_extensions’ with only one column ‘extension’ which contains ransomware extensions. It looks like this:
Extension
.wtf
.exx
.locked
Etc.
I’m trying to create a search which checks if ‘file_name’ value matches an ‘extension’ value. Something like that one:
*my basic search | eval ransomware=if(like(file_name,"%[|lookup ransomware_extensions.csv extension output extension]%"), 1, 0)
Unfortunately it doesn’t work.
Do you have any ideas?
You should check the ES content updates app (https://splunkbase.splunk.com/app/3449/). It has a story (with searches included) on ransomware.
But from what you have, you can try to extract the file extension from your file_name and then use a lookup with
extension, ransomware
exx, true
In your search use
|lookup ransomware_extensions.csv extension output extension ransomware
OR make it an automatic lookup.
This way you can search ransomware="true"
Populate your ransomware extension lookup with *.ext and set the match_type of that field of the lookup to WILDCARD. That way you can match the entire filename against the extension patterns in the lookup.
And as @diogofgm mentions, you can then use the lookup (either automated or as part of your search) to add a field ransomware = true/false to your results which can then be used to filter.
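Putting both answers together as a complete alert, added here as an example and not taken from the thread: the lookup is marked WILDCARD in transforms.conf, and a scheduled search in savedsearches.conf matches the whole file_name against it and counts hits per host and user so a single oddly named file does not page anyone. The index name, the host/user fields, the CSV contents, the thresholds and the e-mail address are assumptions; both stanzas go in an app's local/ directory.

```ini
# transforms.conf in the app's local/ directory (constructed example)
# ransomware_extensions.csv holds the patterns the second answer describes:
#   extension,ransomware
#   *.wtf,true
#   *.exx,true
#   *.locked,true
[ransomware_extensions]
filename = ransomware_extensions.csv
# WILDCARD lets "*.exx" match the whole file_name, so no extension extraction is needed
match_type = WILDCARD(extension)
# encrypted files are sometimes renamed in upper case; do not let case defeat the match
case_sensitive_match = false

# savedsearches.conf in the same directory
[Ransomware file extension detected]
# the index name and the host/user fields are assumptions about the file-event logs
search = index=file_events file_name=* \
  | lookup ransomware_extensions extension AS file_name OUTPUT ransomware \
  | where ransomware="true" \
  | stats count AS matches dc(file_name) AS files min(_time) AS first_seen max(_time) AS last_seen values(file_name) AS sample_files BY host user \
  | where matches >= 5
description = Five or more files with a known ransomware extension written by one user on one host within 15 minutes
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
# fire when the search returns any row, i.e. at least one host/user pair crossed the threshold
counttype = number of events
relation = greater than
quantity = 0
alert.severity = 5
alert.track = 1
# one alert per host per hour rather than one per scheduled run
alert.suppress = 1
alert.suppress.period = 1h
alert.suppress.fields = host
action.email = 1
action.email.to = soc@example.com
action.email.subject = Ransomware extension activity on $result.host$
```

Run the search part interactively first and check `| inputlookup ransomware_extensions` returns the patterns, since a lookup definition that is not shared to the search app silently matches nothing.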