Q): How to detect ransomware using Splunk? Please also give a query to create an alert for ransomware.
Splunk doesn't detect ransomware directly. Instead, it detects behaviors that could indicate the presence of ransomware, such as a sudden increase in file writes (as when files are encrypted) or filename extensions commonly used by ransomware.
Install the Splunk Security Essentials app and search for "ransomware" to find suggested queries.
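As an added example (not from the original answer or from Splunk Security Essentials), here is one SPL search that alerts on both behaviours named above: a per-host spike in file creations and a run of extensions the defender has flagged. It assumes Sysmon file-create events (EventCode 11) in an index named `endpoint` and an uploaded lookup file `ransomware_extensions.csv` with the columns `file_ext` and `suspicious_ext` (1 for flagged extensions); both names are placeholders to adjust to your environment.

```spl
index=endpoint sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
| rex field=TargetFilename "\.(?<file_ext>[A-Za-z0-9_-]+)$"
| eval file_ext=lower(file_ext)
| lookup ransomware_extensions.csv file_ext OUTPUT suspicious_ext
| fillnull value=0 suspicious_ext
| bin _time span=5m
| stats count AS file_creates, dc(TargetFilename) AS distinct_files, sum(suspicious_ext) AS suspicious_ext_count, values(Image) AS processes BY _time, Computer, User
| eventstats avg(file_creates) AS baseline_avg, stdev(file_creates) AS baseline_sd BY Computer
| eval threshold=baseline_avg + 3*coalesce(baseline_sd,0)
| where (file_creates > 500 AND file_creates > threshold) OR suspicious_ext_count > 20
| table _time Computer User file_creates distinct_files suspicious_ext_count processes
```

Save it as an alert scheduled every 5 minutes over the last 24 hours with the trigger condition "number of results is greater than 0"; the 24-hour window is what gives `eventstats` a per-host baseline to compare each 5-minute bucket against. The fixed thresholds (500 creates, 20 flagged extensions) are starting points to tune against normal backup and build activity on your hosts.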
@Gauri001 Also remember that Splunk on its own does not "detect" anything. Splunk, using proper searches, can deduce information from the data it's given. If you don't have relevant data onboarded from source machines, Splunk won't be able to "detect" anything. It's not an EDR solution.