icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

We are working on something new...

A Fresh New Splunkbase
We are designing a New Splunkbase to improve search and discoverability of apps. Check out our new and improved features like Categories and Collections. New Splunkbase is currently in preview mode, as it is under active development. We welcome you to navigate New Splunkbase and give us feedback.
Cancel Visit New Splunkbase Visit
My Account
Login Signup
Support & Services
Search Splunk Documentation Splunk Answers Education & Training User Groups Splunk App Developers Support Portal Contact Us
My Account
Login Signup
Support & Services
Search Splunk Documentation Splunk Answers Education & Training User Groups Splunk App Developers Support Portal Contact Us
Log4Shell Vulnerability: Information and guidance for you. Get resources.

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

SPLUNK SOFTWARE LICENSE AGREEMENT

Splunk Websites Terms and Conditions of Use

Thank You

Downloading Splunk Security Essentials for Ransomware
SHA256 checksum (splunk-security-essentials-for-ransomware_113.tgz) 75f37a4d7fa87cd1a6ec4feabdaa66946c2acb4928bf844e12bd1d65ed5cb685 SHA256 checksum (splunk-security-essentials-for-ransomware_112.tgz) 6fdf27289e3f9177fad8031c440530cbcff1a288a8cb1985ba658ce352c28df0 SHA256 checksum (splunk-security-essentials-for-ransomware_111.tgz) cf45ab3e980981763212802a3e069367470dd4afc10849b05ac253b79eba81de SHA256 checksum (splunk-security-essentials-for-ransomware_110.tgz) edfcd67f77f200377e79f4e27184bb3d9ebe02c9f1201ad3ab541ef66d1c1eaf SHA256 checksum (splunk-security-essentials-for-ransomware_100.tgz) 9e915a06727f50bd02534575569272889d51311d889b11c3c672dabc2e25b4c9
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate
splunk

Splunk Security Essentials for Ransomware

Splunk Cloud
Splunk Labs
This app has been archived. Learn more about app archiving.
This app is NOT supported by Splunk. Please read about what that means for you here.
Overview
Details
This app is End of Life and will not be updated. All of the content has been migrated to Splunk Security Essentials – please switch to that app.

Splunk Security Essentials for Ransomware is an app designed to help Splunk software users manage their risk and response to WannaCry and similar types of ransomware. The app provides you a starting point that you can customize to work in your specific environment. Splunk Security Essentials for Ransomware includes more than a dozen use cases that allow you to measure how effectively you are reducing the risk of WannaCry and similar exploits, as well as searches which can help detect the effects of ransomware within your enterprise. This app uses Splunk Enterprise and the Splunk Search Processing Language (SPL) to showcase working examples of detection and best practices to be employed in your environment to prevent ransomware infections.

Table of Contents

  1. App Description
  2. Use Cases
  3. Data Sources Used
  4. System Requirements
  5. Sample Data
  6. Installation
  7. Configuration
  8. Release Notes

App Description

Splunk Security Essentials for Ransomware is an app designed to help Splunk software users manage their risk and response to WannaCry and similar types of ransomware. The app provides you a starting point that you can customize to work in your specific environment. Splunk Security Essentials for Ransomware includes more than a dozen use cases that allow you to measure how effectively you are reducing the risk of WannaCry and similar exploits, as well as searches which can help detect the effects of ransomware within your enterprise. This app uses Splunk Enterprise and the Splunk Search Processing Language (SPL) to showcase working examples of detection and best practices employed in your environment to prevent ransomware infections.

Use Cases

The following are the use cases included in this app
1. Fake Windows Processes
2. Malicious Command Line Executions
3. Monitor AutoRun Reported Registry Keys
4. Monitoring Successful Backups
5. Monitor Successful Windows Update
6. Monitoring Unsuccessful Backups
7. Monitor Successful Windows Update
8. Ransomware extensions
9. Ransomware Note Files
10. Ransomware Vulnerabilities
11. SMB traffic Allowed
12. Spike in SMB traffic
13. Detect TOR Traffic

Data Sources Used

Splunk Security Essentials for Ransomware relies on the following data sources:
1. Operational and status logs from Enterprise Backup solutions
2. Microsoft Sysmon logs in XML format
3. Windows Registry monitoring events from the Splunk Universal Forwarder
4. Wire data from a solution like Splunk Stream

System Requirements

Platform requirements

Splunk Security Essentials for Ransomware requires Splunk Enterprise running on Linux or Windows.
For more information about other Splunk Enterprise hardware and software requirements, see System Requirements in the Splunk Enterprise Installation Manual.

Splunk Enterprise versions

Splunk Security Essentials for Ransomware works with Splunk Enterprise 6.5.0 and later.

Browser compatibility

Splunk Security Essentials for Ransomware is compatible with the same browsers as Splunk Enterprise. See Supported browsers in the Splunk Enterprise Installation Manual for details.

Add-ons

Splunk Security Essentials for Ransomware requires the following add-ons:

Add-on for Microsoft Sysmon
Splunk Add-On for Tenable
Splunk Add-On for Windows

Data models

None of the searches in Splunk Security Essentials for Ransomware require data models.

Sample data

Splunk Security Essentials for Ransomware contains sample data. This data is contained in 16 lookup files, each corresponding to one of the app use cases:

UC_autorun_reg_keys.csv
UC_backups.csv
UC_fake_win_process.csv
UC_malicious_cmdline.csv
UC_ransomware_extentions.csv
UC_ransomware_notes.csv
UC_ransomware_vulnerabilities.csv
UC_smb_spike_detection.csv
UC_smb_traffic_allowed.csv
UC_successful_backups.csv
UC_tor_traffic.csv
UC_unsuccessful_backups.csv
UC_windows_updates.csv
ransomware_extensions.csv
ransomware_notes.csv
system32_executables.csv
The lookups are automatically excluded from distributed search, so that they will not increase the size of your bundles.

Installation

Install Splunk Security Essentials for Ransomware in a single-instance or distributed environment. Use the tables in this topic to determine where and how to install Splunk Security Essentials for Ransomware in a Splunk Enterprise deployment.

Where to install the app in a distributed deployment

Use the table to determine where to install the app in a Splunk Enterprise distributed deployment.

Splunk instance type Supported Comments
Search Heads Yes Install this app on the search head.
Indexers No The app does not contain indexes or index-time transformations.
Forwarders No The app does not contain inputs for forwarder data collection.

Distributed deployment compatibility

Use the table to check the compatibility of the app with Splunk Enterprise distributed deployment features.

Distributed deployment feature Supported Comments
Search Head Clusters Yes Use search head cluster deployer to distribute apps across members(1)
Indexer Clusters No The app does not contain indexes or index-time transformations.
Deployment Server No The app does not contain inputs for forwarder data collection.

(1) See Install an add-on in a distributed Splunk Enterprise deployment in the Splunk Add-ons documentation

Install the app using Splunk Web

Log on to the Splunk Enterprise search head.
From Splunk Home, click the Apps cog icon to open the Apps page.
Click Browse more apps, locate the app in the list, or type the name in the search box.
Provide your splunk.com credentials.
Accept the license terms
Click Login and Install
Click Done.
Restart splunk services to complete the installation.

Install the app from a downloaded file

Log on to splunkbase.splunk.com
Download Splunk Security Essentials for Ransomware and save it to an accessible location.
Log on to the Splunk Enterprise search head.
From Splunk Home, click the Apps cog icon to open the Apps page.
On the Apps page, click Install app from file.
On the Upload app page, click the Choose file button to locate the app.
Click Upload.
Click Done.
Restart Splunk services to complete the installation.

Install the required add-ons

For each of the required add-ons, refer to its individual installation instructions:

Add-on for Microsoft Sysmon
Splunk Add-On for Tenable
Splunk Add-On for Windows

Configuration

The following searches do not conform to the Splunk Common Information Model (CIM). In order to for these searches to work in your environment, you might have to customize them for their Splunk environment, accounting for your specific indexes and source types.

SRE - Command line length statistical analysis
SRE - Fake Windows Processes
SRE - Ransomware Extensions
SRE - Ransomware Notes
SRE - Successful Backups
SRE - Suspicious Windows Registry activity
SRE - Unsuccessful backups
SRE - Vulnerabilities Exploited by Ransomware
SRE - Windows Successful Updates Install
SRE - Windows Updates Install Failure
For more information about the Common Information Model, see Overview of the Splunk Common Information Model in the Common Information Model Add-on Manual.

Release Notes

Version 1.1.3
Sept. 19, 2017

Updated graphics and search descriptions
Version 1.1.2
Aug. 2, 2017
Version 1.1.1
July 8, 2017
Version 1.1.0
June 30, 2017
Version 1.0.0
May 25, 2017
5,915
Downloads
Share Subscribe LOGIN TO DOWNLOAD
Version
Built by
Splunk Works
Support
Not Supported
Questions on Splunk Answers Flag as inappropriate
Compatibility
This version of the app (1.1.2) is not available for Splunk Cloud. However, version 1.1.3 of this app is available for Splunk Cloud.
This version of the app (1.1.1) is not available for Splunk Cloud. However, version 1.1.3 of this app is available for Splunk Cloud.
This version of the app (1.1.0) is not available for Splunk Cloud. However, version 1.1.3 of this app is available for Splunk Cloud.
This version of the app (1.0.0) is not available for Splunk Cloud. However, version 1.1.3 of this app is available for Splunk Cloud.
Products: Splunk Enterprise, Splunk Cloud Products: Splunk Enterprise Products: Splunk Enterprise Products: Splunk Enterprise Products: Splunk Enterprise
Platform: Platform Independent Platform: Platform Independent Platform: Platform Independent Platform: Platform Independent CIM Versions: 4.x Platform: Platform Independent
Licensing
SPLUNK SOFTWARE LICENSE AGREEMENT
Category & Contents
Categories: Security, Fraud & Compliance
App Type: App
Subscribe Share

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps from Splunk, our partners and our community. Find an app for most any data source and user need, or simply create your own with help from our developer portal.

Submit New Splunk App Dev Resources
PLATFORM
Data-to-Everything Platform
Splunk Cloud
Splunk Enterprise
Splunk Machine Learning Toolkit
Splunk Data Stream Processor
Pricing
Free Trials & Downloads
SECURITY PRODUCTS
Splunk Enterprise Security
Splunk Phantom
Splunk Mission Control
Splunk User Behavior Analytics
IT OPERATIONS & OBSERVABILITY PRODUCTS
Splunk Infrastructure Monitoring
Splunk IT Service Intelligence
Splunk Application Performance Monitoring
Splunk On-Call
SOLUTIONS BY INITIATIVE
Cloud Transformation
SOLUTIONS BY FUNCTION
Security
IT
Devops
SOLUTIONS BY INDUSTRY
Aerospace & Defense
Communications
Energy & Utilities
Financial Services
Healthcare
Higher Education
Manufacturing
Nonprofits
Online Services
Public Sector
Retail
WHY SPLUNK?
Why Splunk?
Customer Stories
Partners
Data-to-Everything
Diversity & Inclusion
SUPPORT
Support Portal
Support Programs
Splunk Answers
Contact Us
Product Security Updates
RESOURCES
Events
Webinars
Blogs
Customer Success
Expert Services
Data Insider
View All Resources
FOR DEVELOPERS
Documentation
Best Practices
Get Started with Splunk
Training & Certification
User Groups
Community
Splunkbase
Splunk dev
COMPANY
About Splunk
Careers
Leadership
Splunk for Good
Splunk Ventures
Splunk Protects
Newsroom
COVID-19 Response
SPLUNK SITES
.conf
Splunk Live!
T-Shirt Store
Investor Relations
Follow Us:
© 2005-2022 Splunk Inc. All rights reserved.
Sitemap | Privacy | Website Terms of Use | Splunk Licensing Terms | Export Control | Modern Slavery Statement | Splunk Patents | Report a Problem
Splunk, Splunk>,Turn Data Into Doing, Data-to-Everything, and D2E are trademarks or registered trademarks of Splunk Inc. in the United States and other countries. All other brand names,product names,or trademarks belong to their respective owners.