Skip to main content
Splunk Lantern

Investigating unusual file system queries

 

Your organization uses NetFlow data, which you are ingesting into Splunk. These data show a handful of machines reaching out via HDFS (Hadoop Distributed File System) to your Hadoop cluster, randomly querying for specific files that don't exist.

Data required

Apache: Hadoop

To optimize the search shown below, you should specify an index and a time range. In addition, this sample search uses the Hadoop Distributed File System source type. You can replace this source with any other server log data used in your organization. 

Procedure

A Splunk customer ran the following search:

| protocol=hdfs response=404
| sort BY rare filename

Next steps

After running this search, the customer found that the machines in question had malware on them and were searching for sensitive documents with names like salary.xls and personal.doc. The customer's endpoint detection and response solution did not detect the malware. Running this search improved their mean time to respond.

These additional Splunk resources might help you understand and implement this use case in your organization:

Still need help with this use case? Most customers have OnDemand Services per their license support plan. Engage the ODS team at OnDemand-Inquires@splunk.com if you require assistance.