The weakest link in corporate security is usually a person, and antivirus is one way to limit the damage when an employee inadvertently does something harmful. Whether it is clicking an untrustworthy web link, downloading malicious software or opening a booby-trapped document (often one forwarded by an unsuspecting colleague), antivirus can often prevent, mitigate or reverse the damage. So-called advanced persistent threats (APTs) often enter through a single compromised machine attached to a trusted network. While not perfect, antivirus software can recognize and thwart common attack methods before they spread. In the Common Information Model (CIM), antivirus data is typically mapped to the Malware data model and the Endpoint data model.
Antivirus logs support analysis of malware detections and vulnerable software on hosts, laptops and servers, and can be used to monitor for suspicious file paths (for example, executables launched from temporary or download directories).
When your Splunk deployment is ingesting antivirus data, you can use it for security and compliance use cases such as the following:
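The following is an added example, not code from this page or from any Splunk add-on. It shows the two steps the paragraph describes: normalizing raw antivirus events into CIM Malware data model fields (action, dest, user, signature, file_path, file_name, file_hash, vendor_product) and flagging suspicious file paths. The log lines, the key=value vendor format, the "Hypothetical AV" product name and the staging-directory heuristic are all constructed assumptions; a real add-on does this mapping for you, but seeing it spelled out clarifies why the CIM action values (allowed, blocked, deferred) matter for triage.

```python
"""Added example: normalize constructed antivirus events to Splunk CIM Malware
fields and flag suspicious file paths. Nothing here is from a real vendor."""
import re
from typing import Dict, List

# Constructed sample events in a hypothetical key=value antivirus export format.
# Hosts, users, hashes and paths are made up so the block runs offline.
SAMPLE_LOGS = [
    r'ts=2024-03-01T10:01:02Z host=WS-0142 user=CORP\jdoe action=quarantined '
    r'threat=Trojan.GenericKD path="C:\Users\jdoe\AppData\Local\Temp\invoice.exe" '
    r'sha256=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef',
    r'ts=2024-03-01T10:03:44Z host=SRV-DB01 user=SYSTEM action=detected '
    r'threat=PUA.Generic path="C:\Program Files\Vendor\app.dll" '
    r'sha256=fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210',
    r'ts=2024-03-01T10:05:10Z host=LT-0077 user=CORP\asmith action=reboot_required '
    r'threat=Ransom.Generic path="C:\Users\asmith\Downloads\setup.scr" '
    r'sha256=00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff',
    r'ts=2024-03-01T10:09:31Z host=build-01 user=ci action=deleted '
    r'threat=Linux.Miner path="/tmp/.x/kworkerds" '
    r'sha256=1111222233334444555566667777888899990000aaaabbbbccccddddeeeeffff',
    r'ts=2024-03-01T10:12:07Z host=WS-0200 user=CORP\bli action=cleaned '
    r'threat=Adware.Generic path="C:\Program Files (x86)\Toolbar\tb.dll" '
    r'sha256=abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd',
]

# key=value tokens; values may be double-quoted when they contain spaces.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Vendor remediation verbs -> CIM Malware `action` values (allowed/blocked/deferred).
# "detected" means the AV saw the file but did not remediate it, which is the
# case an analyst must chase; "reboot_required" means remediation is pending.
ACTION_MAP = {
    "quarantined": "blocked",
    "deleted": "blocked",
    "cleaned": "blocked",
    "detected": "allowed",
    "reboot_required": "deferred",
}

# Heuristic (assumption, tune per environment): executable content in
# user-writable staging directories is worth a second look even when blocked.
SUSPICIOUS_DIRS = re.compile(
    r"(\\AppData\\Local\\Temp\\|\\Windows\\Temp\\|\\Downloads\\|\\Users\\Public\\|"
    r"^/tmp/|^/dev/shm/|^/var/tmp/)",
    re.IGNORECASE,
)
EXEC_EXT = re.compile(r"\.(exe|dll|scr|ps1|js|vbs|hta|bat|cmd|sh)$", re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Parse one hypothetical key=value line into a dict of vendor fields."""
    return {k: (q if q else u) for k, q, u in KV_RE.findall(line)}


def to_cim(vendor: Dict[str, str]) -> Dict[str, object]:
    """Map vendor fields onto CIM Malware_Attacks field names."""
    path = vendor.get("path", "")
    return {
        "action": ACTION_MAP.get(vendor.get("action", ""), "unknown"),
        "dest": vendor.get("host", ""),
        "user": vendor.get("user", ""),
        "signature": vendor.get("threat", ""),
        "file_path": path,
        "file_name": re.split(r"[\\/]", path)[-1] if path else "",
        "file_hash": vendor.get("sha256", ""),
        "vendor_product": "Hypothetical AV",  # assumption: not a real product
    }


def is_suspicious_path(path: str) -> bool:
    """True when the path is in a staging directory and looks executable.
    Windows paths rely on the extension; POSIX files with no extension in
    /tmp-style directories are also treated as executable."""
    if not SUSPICIOUS_DIRS.search(path):
        return False
    name = re.split(r"[\\/]", path)[-1]
    return bool(EXEC_EXT.search(name)) or (path.startswith("/") and "." not in name)


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Normalize each line to CIM and attach a suspicious_path flag."""
    events = []
    for line in lines:
        event = to_cim(parse_event(line))
        event["suspicious_path"] = is_suspicious_path(str(event["file_path"]))
        events.append(event)
    return events


def needs_follow_up(events: List[Dict[str, object]]) -> List[str]:
    """Hosts where the AV did not block, or where even a blocked threat ran from
    a staging directory (the host may already have been compromised)."""
    return sorted({str(e["dest"]) for e in events
                   if e["action"] != "blocked" or e["suspicious_path"]})


if __name__ == "__main__":
    for e in triage(SAMPLE_LOGS):
        print(e["dest"], e["action"], e["signature"], e["file_path"], e["suspicious_path"])
    print("follow up:", needs_follow_up(triage(SAMPLE_LOGS)))
```

Once an add-on has done this mapping in Splunk, the same question becomes a data model search, for example `| tstats count from datamodel=Malware.Malware_Attacks where Malware_Attacks.action!="blocked" OR Malware_Attacks.file_path="*Temp*" by Malware_Attacks.dest Malware_Attacks.signature Malware_Attacks.file_path` (an assumed illustrative search; adjust the wildcards to your environment).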
- Detecting the use of randomization in cyberattacks
- Monitoring for signs of Windows privilege escalation attacks
- Recognizing improper use of system administration tools
- Investigating a ransomware attack
- Reconstructing a website defacement
- Complying with General Data Protection Regulation
- Managing firewall rules
- Detecting network and port scanning
- Detecting TOR traffic
- Monitoring for network traffic volume outliers
- Triaging Crowdstrike malware data
Guidance for onboarding data can be found in the Splunk Documentation, Getting Data In (Splunk Enterprise) or Getting Data In (Splunk Cloud). In addition, the following Splunk Add-ons and Apps are helpful for working with antivirus data.
- Splunk Add-on for McAfee Web Gateway
- Kaspersky Add-on for Splunk
- Splunk Add-on for Symantec Endpoint Protection
- Carbon Black
- Palo Alto Networks Add-on for Splunk
- CrowdStrike Falcon Event Streams Technical Add-On
- Splunk Add-on for Symantec Blue Coat ProxySG
Looking for more information on data types? Download the Splunk Essential Guide to Machine Data.