Splunk SOAR

Example of how to investigate and remediate malware infections with Splunk Phantom?

sloshburch
Splunk Employee

Does anyone have examples of how to use Splunk Phantom to investigate and remediate malware infections?


sloshburch
Splunk Employee

The Splunk Product Best Practices team helped produce this response. Read more about example use cases in the Splunk Platform Use Cases manual.

For more information on this and other examples, download the free Splunk Security Essentials app on Splunkbase.


Investigating and responding to malware alerts can take 30 minutes or more. Use the Splunk Phantom Malware Hunt and Contain playbook to automate the investigation and response process, determine whether a process is malicious, and take immediate action to block the hash on infected endpoints.

Load data

How to implement: To run the Splunk Phantom Malware Hunt and Contain playbook, you need a Splunk Enterprise instance from which Phantom can draw data that ingests Windows security and authentication events.

Although there are several ways to get data into Phantom, this example uses the Phantom App for Splunk on Splunkbase. Verify that the playbook is configured to operate on splunk_events.

Before you run the playbook, verify that Splunk Phantom is receiving data from Splunk Enterprise. Also, verify your asset configurations on the Phantom Asset Configuration page, and that all assets are resolved on the Phantom Resolved Assets page.

Get insights

The Splunk Phantom Malware Hunt and Contain playbook is triggered by any suspicious or confirmed malicious processes that require further evaluation.

The Splunk Phantom Malware Hunt and Contain playbook performs a reputation lookup against a potentially malicious file hash. The output from the reputation lookup determines one of two possible containment actions, depending on conditions.

To find the playbook, go to the Phantom main menu, select Playbooks, and search for malware_hunt_and_contain.

How to respond: By default, the playbook uses a file hash from an alert, but you can modify it to get a copy of the file off of the endpoint based on a specified file path. You can then detonate this file in a sandbox to observe its behavior and get additional context and information about the file.

Help

For more support, post a question to the Splunk Answers community.

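As an added stand-alone illustration (not the Malware Hunt and Contain playbook's own code, and not the phantom.rules API), the following Python models the flow the answer describes: normalize the file hash carried by the alert, look it up in a reputation source, branch on the verdict, and select the infected endpoints on which the hash should be blocked. The event field names, the reputation result shape, the positives threshold and the branch names are assumptions; the sample events and reputation results are constructed.

```python
import re
from dataclasses import dataclass, field

# Constructed sample alert events, shaped like process events forwarded from
# Splunk Enterprise (field names are assumptions, not the Phantom App's schema).
SAMPLE_EVENTS = [
    {"host": "ws-101", "process": "svchost.exe", "file_hash": "AB" * 32},   # same hash, upper case
    {"host": "ws-102", "process": "update.exe",  "file_hash": "ab" * 32},
    {"host": "ws-103", "process": "notepad.exe", "file_hash": "cd" * 16},   # unrelated MD5
]

# Constructed reputation results keyed by normalized hash; a stand-in for the
# answer a file-reputation app returns (positives / total engines is assumed).
SAMPLE_REPUTATION = {
    "ab" * 32: {"positives": 42, "total": 70},
    "cd" * 16: {"positives": 0, "total": 70},
}

# MD5, SHA-1 or SHA-256 hex digest, lower case
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")


def normalize_hash(value):
    """Lower-case and validate a hash from an alert; None if it is malformed."""
    h = value.strip().lower()
    return h if HASH_RE.match(h) else None


def decide_containment(reputation, threshold=5):
    """Map a reputation lookup to one branch. Branch names are assumptions:
    the page says there are two containment actions but does not name them."""
    if reputation is None:
        return "manual_review"            # unknown hash: no verdict, hand to an analyst
    return "block_hash" if reputation["positives"] >= threshold else "close_benign"


@dataclass
class Plan:
    decision: str
    file_hash: str
    endpoints: list = field(default_factory=list)


def plan_response(alert_hash, events, reputation_db, threshold=5):
    """Decide the branch and, for a block, list every host that ran the same hash."""
    h = normalize_hash(alert_hash)
    if h is None:
        raise ValueError("alert does not carry a well-formed file hash")
    decision = decide_containment(reputation_db.get(h), threshold)
    endpoints = []
    if decision == "block_hash":
        endpoints = sorted({e["host"] for e in events if normalize_hash(e["file_hash"]) == h})
    return Plan(decision, h, endpoints)
```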
