icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy
My Account
Login Signup
Support & Services
Search Splunk Documentation Splunk Answers Education & Training User Groups Splunk App Developers Support Portal Contact Us
My Account
Login Signup
Support & Services
Search Splunk Documentation Splunk Answers Education & Training User Groups Splunk App Developers Support Portal Contact Us

Accept License Agreements

SPLUNK SOFTWARE LICENSE AGREEMENT

Splunk Websites Terms and Conditions of Use

Thank You

Downloading Splunk Security Essentials for Ransomware
SHA256 checksum (splunk-security-essentials-for-ransomware_113.tgz) 75f37a4d7fa87cd1a6ec4feabdaa66946c2acb4928bf844e12bd1d65ed5cb685 SHA256 checksum (splunk-security-essentials-for-ransomware_112.tgz) 6fdf27289e3f9177fad8031c440530cbcff1a288a8cb1985ba658ce352c28df0 SHA256 checksum (splunk-security-essentials-for-ransomware_111.tgz) cf45ab3e980981763212802a3e069367470dd4afc10849b05ac253b79eba81de SHA256 checksum (splunk-security-essentials-for-ransomware_100.tgz) 9e915a06727f50bd02534575569272889d51311d889b11c3c672dabc2e25b4c9
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate

Splunk Security Essentials for Ransomware

Splunk Built
Admins: Please read about Splunk Enterprise 8.0 and the Python 2.7 end-of-life changes and impact on apps and upgradeshere.
Overview
Details
This app is End of Life and will not be updated. All of the content has been migrated to Splunk Security Essentials – please switch to that app.

Splunk Security Essentials for Ransomware is an app designed to help Splunk software users manage their risk and response to WannaCry and similar types of ransomware. The app provides you a starting point that you can customize to work in your specific environment. Splunk Security Essentials for Ransomware includes more than a dozen use cases that allow you to measure how effectively you are reducing the risk of WannaCry and similar exploits, as well as searches which can help detect the effects of ransomware within your enterprise. This app uses Splunk Enterprise and the Splunk Search Processing Language (SPL) to showcase working examples of detection and best practices to be employed in your environment to prevent ransomware infections.

Table of Contents

  1. App Description
  2. Use Cases
  3. Data Sources Used
  4. System Requirements
  5. Sample Data
  6. Installation
  7. Configuration
  8. Release Notes

App Description

Splunk Security Essentials for Ransomware is an app designed to help Splunk software users manage their risk and response to WannaCry and similar types of ransomware. The app provides you a starting point that you can customize to work in your specific environment. Splunk Security Essentials for Ransomware includes more than a dozen use cases that allow you to measure how effectively you are reducing the risk of WannaCry and similar exploits, as well as searches which can help detect the effects of ransomware within your enterprise. This app uses Splunk Enterprise and the Splunk Search Processing Language (SPL) to showcase working examples of detection and best practices employed in your environment to prevent ransomware infections.

Use Cases

The following are the use cases included in this app
1. Fake Windows Processes
2. Malicious Command Line Executions
3. Monitor AutoRun Reported Registry Keys
4. Monitoring Successful Backups
5. Monitor Successful Windows Update
6. Monitoring Unsuccessful Backups
7. Monitor Successful Windows Update
8. Ransomware extensions
9. Ransomware Note Files
10. Ransomware Vulnerabilities
11. SMB traffic Allowed
12. Spike in SMB traffic
13. Detect TOR Traffic

Data Sources Used

Splunk Security Essentials for Ransomware relies on the following data sources:
1. Operational and status logs from Enterprise Backup solutions
2. Microsoft Sysmon logs in XML format
3. Windows Registry monitoring events from the Splunk Universal Forwarder
4. Wire data from a solution like Splunk Stream

System Requirements

Platform requirements

Splunk Security Essentials for Ransomware requires Splunk Enterprise running on Linux or Windows.
For more information about other Splunk Enterprise hardware and software requirements, see System Requirements in the Splunk Enterprise Installation Manual.

Splunk Enterprise versions

Splunk Security Essentials for Ransomware works with Splunk Enterprise 6.5.0 and later.

Browser compatibility

Splunk Security Essentials for Ransomware is compatible with the same browsers as Splunk Enterprise. See Supported browsers in the Splunk Enterprise Installation Manual for details.

Add-ons

Splunk Security Essentials for Ransomware requires the following add-ons:

Add-on for Microsoft Sysmon
Splunk Add-On for Tenable
Splunk Add-On for Windows

Data models

None of the searches in Splunk Security Essentials for Ransomware require data models.

Sample data

Splunk Security Essentials for Ransomware contains sample data. This data is contained in 16 lookup files, each corresponding to one of the app use cases:

UC_autorun_reg_keys.csv
UC_backups.csv
UC_fake_win_process.csv
UC_malicious_cmdline.csv
UC_ransomware_extentions.csv
UC_ransomware_notes.csv
UC_ransomware_vulnerabilities.csv
UC_smb_spike_detection.csv
UC_smb_traffic_allowed.csv
UC_successful_backups.csv
UC_tor_traffic.csv
UC_unsuccessful_backups.csv
UC_windows_updates.csv
ransomware_extensions.csv
ransomware_notes.csv
system32_executables.csv
The lookups are automatically excluded from distributed search, so that they will not increase the size of your bundles.

Installation

Install Splunk Security Essentials for Ransomware in a single-instance or distributed environment. Use the tables in this topic to determine where and how to install Splunk Security Essentials for Ransomware in a Splunk Enterprise deployment.

Where to install the app in a distributed deployment

Use the table to determine where to install the app in a Splunk Enterprise distributed deployment.

Splunk instance type Supported Comments
Search Heads Yes Install this app on the search head.
Indexers No The app does not contain indexes or index-time transformations.
Forwarders No The app does not contain inputs for forwarder data collection.

Distributed deployment compatibility

Use the table to check the compatibility of the app with Splunk Enterprise distributed deployment features.

Distributed deployment feature Supported Comments
Search Head Clusters Yes Use search head cluster deployer to distribute apps across members(1)
Indexer Clusters No The app does not contain indexes or index-time transformations.
Deployment Server No The app does not contain inputs for forwarder data collection.

(1) See Install an add-on in a distributed Splunk Enterprise deployment in the Splunk Add-ons documentation

Install the app using Splunk Web

Log on to the Splunk Enterprise search head.
From Splunk Home, click the Apps cog icon to open the Apps page.
Click Browse more apps, locate the app in the list, or type the name in the search box.
Provide your splunk.com credentials.
Accept the license terms
Click Login and Install
Click Done.
Restart splunk services to complete the installation.

Install the app from a downloaded file

Log on to splunkbase.splunk.com
Download Splunk Security Essentials for Ransomware and save it to an accessible location.
Log on to the Splunk Enterprise search head.
From Splunk Home, click the Apps cog icon to open the Apps page.
On the Apps page, click Install app from file.
On the Upload app page, click the Choose file button to locate the app.
Click Upload.
Click Done.
Restart Splunk services to complete the installation.

Install the required add-ons

For each of the required add-ons, refer to its individual installation instructions:

Add-on for Microsoft Sysmon
Splunk Add-On for Tenable
Splunk Add-On for Windows

Configuration

The following searches do not conform to the Splunk Common Information Model (CIM). In order to for these searches to work in your environment, you might have to customize them for their Splunk environment, accounting for your specific indexes and source types.

SRE - Command line length statistical analysis
SRE - Fake Windows Processes
SRE - Ransomware Extensions
SRE - Ransomware Notes
SRE - Successful Backups
SRE - Suspicious Windows Registry activity
SRE - Unsuccessful backups
SRE - Vulnerabilities Exploited by Ransomware
SRE - Windows Successful Updates Install
SRE - Windows Updates Install Failure
For more information about the Common Information Model, see Overview of the Splunk Common Information Model in the Common Information Model Add-on Manual.

Release Notes

Version 1.1.3
Sept. 19, 2017

Updated graphics and search descriptions
Version 1.1.2
Aug. 2, 2017
Version 1.1.1
July 8, 2017
Version 1.0.0
May 25, 2017
506
Installs
5,201
Downloads
Share Subscribe LOGIN TO DOWNLOAD
Version
Built by
Splunk Inc.
Support
Not Supported
Questions on Splunk Answers Flag as inappropriate
Compatibility
This version is not yet available for Splunk Cloud.
This version is not yet available for Splunk Cloud.
This version is not yet available for Splunk Cloud.
Products: Splunk Enterprise Products: Splunk Enterprise Products: Splunk Cloud, Splunk Enterprise Products: Splunk Enterprise
Splunk Versions: 6.6, 6.5 Platform: Platform Independent Splunk Versions: 6.6, 6.5 Platform: Platform Independent Splunk Versions: 6.6, 6.5 Platform: Platform Independent Splunk Versions: 6.6, 6.5 Platform: Platform Independent
Licensing
SPLUNK SOFTWARE LICENSE AGREEMENT
Category & Contents
Categories: Security, Fraud & Compliance
App Type: App
Subscribe Share

AppInspect Tooling

Splunk AppInspect evaluates Splunk apps against a set of Splunk-defined criteria to assess the validity and security of an app package and components.

Learn More

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.

Submit Your App Dev Resources
Follow Us:
© 2005-2020 Splunk Inc. All rights reserved.
Sitemap | Contact | Careers | Privacy | Terms of Use | Export Control | Report a Problem
Splunk®, Splunk>®, Listen to Your Data®, The Engine for Machine Data®, Hunk®, Splunk Cloud™, Splunk Light™, SPL™ and Splunk MINT™ are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners.