×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
bpatel_splunk
Splunk Employee
Member since: ‎06-03-2014
‎12-08-2020
Community Statistics
Posts 3
Solutions 1
Karma Given 0
Karma Received 2
Member Since ‎06-03-2014
Activity Feed
View All

Re: Analytic Story Detail "Unusual Processes" - wh...

by Splunk Employee in All Apps and Add-ons
‎12-08-2017 12:38 PM
‎12-08-2017 12:38 PM
Hey Robert! That's smart. Not every process should be whitelisted and the ProcessTrust>=8 is a much needed filter to have . I would still recommend you go through that whitelist atleast once after its created. It will also help you reinforce the ProcessTrust ratings given by Biit9. From my previous life as a security analyst, I also found it useful to include a "time" field in the lookup file which would correspond to when a process is added to the whitelist. This becomes useful in the long run to maintain and keep the whitelist accurate. Please let us know if you have any additional questions with ESCU. ... View more

Re: Analytic Story Detail "Unusual Processes" - wh...

by Splunk Employee in All Apps and Add-ons
‎12-07-2017 10:24 AM
1 Karma
‎12-07-2017 10:24 AM
1 Karma
Thanks for the question. The answer is to match the whitelist to how your “process” field is extracted in Splunk. According to the documentation (here), the process field will be just the name of the executable. So we recommend using only the name of the process in the whitelist_process.csv under the “process” column. For example: the whitelist_process.csv would look something like: process,whitelist splunk-regmon.exe, whitelist winword.exe, whitelist excel.exe, whitelist outlook.exe, whitelist powerpnt.exe, whitelist visio.exe, whitelist The following steps may be helpful in achieving your goal: Considering your datamodel: All_Application_State.Processes is populated correctly and accelerated. 1) Get a count of process’ from your logs and curate this list. | tstats `summariesonly` count from datamodel=Application_State.All_Application_State where nodename=All_Application_State.Processes by All_Application_State.process |`drop_dm_object_name("All_Application_State")`| `drop_dm_object_name("Processes")` | sort -count 2) Automatically add process to the whitelist_process.csv by appending the following to above search: <bit9 search to get process names> | eval whitelist="whitelist" | table process whitelist | outputlookup whitelist_process append=true 3) Make sure this list if thoroughly curated by checking the values using: |inputlookup whitelist_process ... View more

WannaCry [New variants] : How to detect the new va...

by Splunk Employee in Splunk Enterprise Security
‎05-16-2017 09:47 AM
1 Karma
‎05-16-2017 09:47 AM
1 Karma
I read the blog post that Splunk put out on Wannacry over the weekend which was really helpful to detect some of those earlier versions of the ransomware but in my understanding that this is evolving situation and there are many variants of the ransomware showing up in the wild. Do you have any technical information useful to the Splunk community concerning Wannacry that you'd like to capture here? What kind of searches are you using to find and detect these variants? Any IOCs you care to share? Blog which I am referring to: https://www.splunk.com/blog/2017/05/13/steering-clear-of-the-wannacry-or-wanna-decryptor-ransomware-attack.html ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎12-08-2020 03:33 PM
Karma from
View All