Splunk Security Essentials for Ransomware is an app designed to help Splunk software users manage their risk and response to WannaCry and similar types of ransomware. The app provides you a starting point that you can customize to work in your specific environment. Splunk Security Essentials for Ransomware includes more than a dozen use cases that allow you to measure how effectively you are reducing the risk of WannaCry and similar exploits, as well as searches which can help detect the effects of ransomware within your enterprise. This app uses Splunk Enterprise and the Splunk Search Processing Language (SPL) to showcase working examples of detection and best practices employed in your environment to prevent ransomware infections.
The following use cases are included in this app:
1. Fake Windows Processes
2. Malicious Command Line Executions
3. Monitor AutoRun Reported Registry Keys
4. Monitoring Successful Backups
5. Monitor Successful Windows Update
6. Monitoring Unsuccessful Backups
7. Monitor Successful Windows Update
8. Ransomware Extensions
9. Ransomware Note Files
10. Ransomware Vulnerabilities
11. SMB Traffic Allowed
12. Spike in SMB traffic
13. Detect TOR Traffic
Splunk Security Essentials for Ransomware relies on the following data sources:
1. Operational and status logs from Enterprise Backup solutions
2. Microsoft Sysmon logs in XML format
3. Windows Registry monitoring events from the Splunk Universal Forwarder
4. Wire data from a solution like Splunk Stream
Splunk Security Essentials for Ransomware requires Splunk Enterprise running on Linux or Windows.
For more information about other Splunk Enterprise hardware and software requirements, see System Requirements in the Splunk Enterprise Installation Manual.
Splunk Security Essentials for Ransomware works with Splunk Enterprise 6.5.0 and later.
Splunk Security Essentials for Ransomware is compatible with the same browsers as Splunk Enterprise. See Supported browsers in the Splunk Enterprise Installation Manual for details.
Splunk Security Essentials for Ransomware requires the following add-ons:
Add-on for Microsoft Sysmon
Splunk Add-On for Tenable
Splunk Add-On for Windows
None of the searches in Splunk Security Essentials for Ransomware require data models.
Splunk Security Essentials for Ransomware contains sample data. This data is contained in 16 lookup files: the 13 files prefixed with UC_ each correspond to one of the app use cases, and the remaining three are reference lists used by the searches:
UC_autorun_reg_keys.csv
UC_backups.csv
UC_fake_win_process.csv
UC_malicious_cmdline.csv
UC_ransomware_extentions.csv
UC_ransomware_notes.csv
UC_ransomware_vulnerabilities.csv
UC_smb_spike_detection.csv
UC_smb_traffic_allowed.csv
UC_successful_backups.csv
UC_tor_traffic.csv
UC_unsuccessful_backups.csv
UC_windows_updates.csv
ransomware_extensions.csv
ransomware_notes.csv
system32_executables.csv
The lookups are automatically excluded from distributed search, so that they will not increase the size of your bundles.
Install Splunk Security Essentials for Ransomware in a single-instance or distributed environment. Use the tables in this topic to determine where and how to install Splunk Security Essentials for Ransomware in a Splunk Enterprise deployment.
Use the table to determine where to install the app in a Splunk Enterprise distributed deployment.
| Splunk instance type | Supported | Comments |
|---|---|---|
| Search Heads | Yes | Install this app on the search head. |
| Indexers | No | The app does not contain indexes or index-time transformations. |
| Forwarders | No | The app does not contain inputs for forwarder data collection. |
Use the table to check the compatibility of the app with Splunk Enterprise distributed deployment features.
| Distributed deployment feature | Supported | Comments |
|---|---|---|
| Search Head Clusters | Yes | Use the search head cluster deployer to distribute apps across members. (1) |
| Indexer Clusters | No | The app does not contain indexes or index-time transformations. |
| Deployment Server | No | The app does not contain inputs for forwarder data collection. |

(1) See Install an add-on in a distributed Splunk Enterprise deployment in the Splunk Add-ons documentation.
To install the app from within Splunk Web:
1. Log on to the Splunk Enterprise search head.
2. From Splunk Home, click the Apps cog icon to open the Apps page.
3. Click Browse more apps, then locate the app in the list or type its name in the search box.
4. Provide your splunk.com credentials.
5. Accept the license terms.
6. Click Login and Install.
7. Click Done.
8. Restart Splunk services to complete the installation.
To install the app from a file downloaded from Splunkbase:
1. Log on to splunkbase.splunk.com.
2. Download Splunk Security Essentials for Ransomware and save it to an accessible location.
3. Log on to the Splunk Enterprise search head.
4. From Splunk Home, click the Apps cog icon to open the Apps page.
5. On the Apps page, click Install app from file.
6. On the Upload app page, click the Choose file button to locate the app.
7. Click Upload.
8. Click Done.
9. Restart Splunk services to complete the installation.
For each of the required add-ons, refer to its individual installation instructions:
Add-on for Microsoft Sysmon
Splunk Add-On for Tenable
Splunk Add-On for Windows
The following searches do not conform to the Splunk Common Information Model (CIM). For these searches to work in your environment, you might have to customize them for your Splunk deployment, accounting for your specific indexes and source types.
SRE - Command line length statistical analysis
SRE - Fake Windows Processes
SRE - Ransomware Extensions
SRE - Ransomware Notes
SRE - Successful Backups
SRE - Suspicious Windows Registry activity
SRE - Unsuccessful backups
SRE - Vulnerabilities Exploited by Ransomware
SRE - Windows Successful Updates Install
SRE - Windows Updates Install Failure
For more information about the Common Information Model, see Overview of the Splunk Common Information Model in the Common Information Model Add-on Manual.
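The search below is an added example, not one of the app's own searches, showing the shape a non-CIM search such as SRE - Ransomware Extensions typically takes and which parts are environment-specific. It reads Sysmon FileCreate events (EventCode 11) as indexed by the Add-on for Microsoft Sysmon, extracts the extension of each written file, matches it against the app's ransomware_extensions.csv lookup, and reports hosts that wrote many files with a matching extension in the search window. Everything not on this page is an assumption: the index name `sysmon`, the lookup column name `Extensions`, the assumption that the lookup stores lower-case values with a leading dot, and the threshold of 20 distinct files per host.

```spl
index=sysmon sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
| rex field=TargetFilename "\.(?<file_extension>[A-Za-z0-9_-]+)$"
| eval file_extension="." . lower(file_extension)
| lookup ransomware_extensions.csv Extensions AS file_extension OUTPUT Extensions AS matched_extension
| where isnotnull(matched_extension)
| stats earliest(_time) AS first_seen, latest(_time) AS last_seen, count AS writes, dc(TargetFilename) AS distinct_files, values(Image) AS writing_process BY Computer, matched_extension
| where distinct_files >= 20
| convert ctime(first_seen), ctime(last_seen)
| sort - distinct_files
```

Before adopting a search like this, confirm the lookup's real column name and value format with `| inputlookup ransomware_extensions.csv`, and replace `index=sysmon` (and the sourcetype, if your forwarders use a different one) with the values your deployment actually uses. CSV lookups match case-sensitively by default, which is why the extracted extension is lower-cased first; if the lookup holds mixed-case entries, either normalise the lookup or set case-insensitive matching for it in transforms.conf. The threshold exists so that a single user renaming a file does not fire the search, while an encryptor touching hundreds of files on one host does.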
Updated graphics and search descriptions