MD5 checksum (splunk-security-essentials-for-ransomware_100.tgz) 791c7e19160895c94a727554edfd4bf5

Splunk Security Essentials for Ransomware

Splunk Built

Table of Contents

  1. App Description
  2. Use Cases
  3. Data Sources Used
  4. System Requirements
  5. Sample Data
  6. Installation
  7. Configuration
  8. Release Notes

App Description

Splunk Security Essentials for Ransomware is an app designed to help Splunk software users manage their risk and response to WannaCry and similar types of ransomware. The app provides you a starting point that you can customize to work in your specific environment. Splunk Security Essentials for Ransomware includes more than a dozen use cases that allow you to measure how effectively you are reducing the risk of WannaCry and similar exploits, as well as searches which can help detect the effects of ransomware within your enterprise. This app uses Splunk Enterprise and the Splunk Search Processing Language (SPL) to showcase working examples of detection and best practices employed in your environment to prevent ransomware infections.

Use Cases

The following use cases are included in this app:
1. Fake Windows Processes
2. Malicious Command Line Executions
3. Monitor AutoRun Reported Registry Keys
4. Monitoring Successful Backups
5. Monitor Successful Windows Update
6. Monitoring Unsuccessful Backups
7. Monitor Successful Windows Update
8. Ransomware extensions
9. Ransomware Note Files
10. Ransomware Vulnerabilities
11. SMB traffic Allowed
12. Spike in SMB traffic
13. Detect TOR Traffic

Data Sources Used

Splunk Security Essentials for Ransomware relies on the following data sources:
1. Operational and status logs from Enterprise Backup solutions
2. Microsoft Sysmon logs in XML format
3. Windows Registry monitoring events from the Splunk Universal Forwarder
4. Wire data from a solution like Splunk Stream

System Requirements

Platform requirements

Splunk Security Essentials for Ransomware requires Splunk Enterprise running on Linux or Windows.
For more information about other Splunk Enterprise hardware and software requirements, see System Requirements in the Splunk Enterprise Installation Manual.

Splunk Enterprise versions

Splunk Security Essentials for Ransomware works with Splunk Enterprise 6.5.0 and later.
Splunk Security Essentials for Ransomware is currently not supported on Splunk Cloud.

Browser compatibility

Splunk Security Essentials for Ransomware is compatible with the same browsers as Splunk Enterprise. See Supported browsers in the Splunk Enterprise Installation Manual for details.

Add-ons

Splunk Security Essentials for Ransomware requires the following add-ons:

Add-on for Microsoft Sysmon
Splunk Add-On for Tenable
Splunk Add-On for Windows

Data models

None of the searches in Splunk Security Essentials for Ransomware require data models.

Sample data

Splunk Security Essentials for Ransomware contains sample data. This data is contained in 16 lookup files, each corresponding to one of the app use cases:

UC_autorun_reg_keys.csv
UC_backups.csv
UC_fake_win_process.csv
UC_malicious_cmdline.csv
UC_ransomware_extentions.csv
UC_ransomware_notes.csv
UC_ransomware_vulnerabilities.csv
UC_smb_spike_detection.csv
UC_smb_traffic_allowed.csv
UC_successful_backups.csv
UC_tor_traffic.csv
UC_unsuccessful_backups.csv
UC_windows_updates.csv
ransomware_extensions.csv
ransomware_notes.csv
system32_executables.csv
The lookups are automatically excluded from distributed search, so that they will not increase the size of your bundles.

Installation

Install Splunk Security Essentials for Ransomware in a single-instance or distributed environment. Use the tables in this topic to determine where and how to install Splunk Security Essentials for Ransomware in a Splunk Enterprise deployment.

Where to install the app in a distributed deployment

Use the table to determine where to install the app in a Splunk Enterprise distributed deployment.

Splunk instance type | Supported | Comments
Search Heads         | Yes       | Install this app on the search head.
Indexers             | No        | The app does not contain indexes or index-time transformations.
Forwarders           | No        | The app does not contain inputs for forwarder data collection.

Distributed deployment compatibility

Use the table to check the compatibility of the app with Splunk Enterprise distributed deployment features.

Distributed deployment feature | Supported | Comments
Search Head Clusters           | Yes       | Use the search head cluster deployer to distribute the app across members. (1)
Indexer Clusters               | No        | The app does not contain indexes or index-time transformations.
Deployment Server              | No        | The app does not contain inputs for forwarder data collection.

(1) See "Install an add-on in a distributed Splunk Enterprise deployment" in the Splunk Add-ons documentation.

Install the app using Splunk Web

1. Log on to the Splunk Enterprise search head.
2. From Splunk Home, click the Apps cog icon to open the Apps page.
3. Click Browse more apps, then locate the app in the list or type its name in the search box.
4. Provide your splunk.com credentials.
5. Accept the license terms.
6. Click Login and Install.
7. Click Done.
8. Restart Splunk services to complete the installation.

Install the app from a downloaded file

1. Log on to splunkbase.splunk.com.
2. Download Splunk Security Essentials for Ransomware and save it to an accessible location.
3. Log on to the Splunk Enterprise search head.
4. From Splunk Home, click the Apps cog icon to open the Apps page.
5. On the Apps page, click Install app from file.
6. On the Upload app page, click the Choose file button to locate the app.
7. Click Upload.
8. Click Done.
9. Restart Splunk services to complete the installation.

Install the required add-ons

For each of the required add-ons, refer to its individual installation instructions:

Add-on for Microsoft Sysmon
Splunk Add-On for Tenable
Splunk Add-On for Windows

Configuration

The following searches do not conform to the Splunk Common Information Model (CIM). For these searches to work in your environment, you might have to customize them for your Splunk deployment, accounting for your specific indexes and source types.

SRE - Command line length statistical analysis
SRE - Fake Windows Processes
SRE - Ransomware Extensions
SRE - Ransomware Notes
SRE - Successful Backups
SRE - Suspicious Windows Registry activity
SRE - Unsuccessful backups
SRE - Vulnerabilities Exploited by Ransomware
SRE - Windows Successful Updates Install
SRE - Windows Updates Install Failure
For more information about the Common Information Model, see Overview of the Splunk Common Information Model in the Common Information Model Add-on Manual.
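As an illustration of the kind of index and source type customization described above, the search below is an added example and not one of the app's SRE searches. It approximates the Fake Windows Processes use case by flagging Sysmon process-creation events (EventCode 1) whose executable name appears in the app's system32_executables.csv lookup but which were launched from somewhere other than the Windows system directories. It assumes the Splunk Add-on for Microsoft Sysmon field names Image and CommandLine, that the lookup has a lower-case process_name column, and that the index and sourcetype placeholders are replaced with your own values.

```spl
index=<your_windows_index> sourcetype=<your_sysmon_sourcetype> EventCode=1
| eval path_parts=split(Image, "\\")
| eval process_name=lower(mvindex(path_parts, -1))
| eval image_dir=lower(mvjoin(mvindex(path_parts, 0, -2), "\\"))
| lookup system32_executables.csv process_name OUTPUTNEW process_name AS known_system32
| where isnotnull(known_system32)
    AND image_dir!="c:\\windows\\system32"
    AND image_dir!="c:\\windows\\syswow64"
| stats count min(_time) AS first_seen values(CommandLine) AS command_lines
    BY host process_name Image
| convert ctime(first_seen)
```

The split/mvindex pair separates the executable name from its directory without a regex; events whose Image field has no directory component yield a null image_dir and are dropped by the where clause, so tune those two exclusions to the system paths that are legitimate in your environment.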

Release Notes

Version 1.0.0
May 25, 2017
