Splunk Lantern

Threat signatures used to investigate a cyberattack

Known malware can have existing intrusion detection and intrusion prevention signatures that fire in response to a threat. Knowing what signatures fired can help you understand when the threat was seen, where in the network it was seen, what technology identified the signature, and the nature of the threat. Signatures can speed up investigations when doing the following:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example 

You have identified a malware attack on your network and need to gather as much information about the threat as quickly as possible to start an investigation. You decide to look at threat signatures first.

To optimize the search shown below, you should specify an index and a time range. In addition, this sample search uses Suricata data. You can replace this source with any other system log data used in your organization.

  1. Run the following search:

sourcetype=suricata alert.signature=*<name of threat>*
| stats count, max(_time) AS time BY alert.signature alert.signature.id
| eval time=strftime(time,"%c")
| sort count

Search explanation

The list below explains what each part of this search achieves. You can adjust this query based on the specifics of your environment.

sourcetype=suricata
    Search only Suricata log data.

alert.signature=*<name of threat>*
    Search for events whose signature contains the name of the known threat. The leading and trailing wildcards match the name anywhere in the signature text.
    Other types of log data may not have the alert.signature field. Search for "sig" in the Select Fields box to find the right field name for your sourcetype.

| stats count, max(_time) AS time BY alert.signature alert.signature.id
    Count the results by each unique combination of signature and signature ID, and keep the most recent time that combination fired. While each signature likely has a unique ID, grouping by both guarantees no signatures are omitted. The stats command only keeps the fields you ask it for, so _time has to be carried through explicitly (as time) for the next step to use it; events that lack either BY field are not counted.

| eval time=strftime(time,"%c")
    Convert the epoch time into the display format of the locale, as defined by the search head's operating system.

| sort count
    Sort results from the signature that fired the fewest times to the one that fired the most.
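The same aggregation, run offline over raw Suricata EVE JSON, as an added example that is not part of the original article and not Splunk or Suricata code. It assumes the raw EVE field names (in EVE JSON the ID key is alert.signature_id, whereas the search above uses the field name as extracted in Splunk), renders the "%c" timestamp in UTC rather than the server locale's time zone, and works on constructed sample lines: the threat name, signature names, signature IDs and IP addresses are all made up. It also reports how many matching alerts would vanish from the count because they lack a signature ID, which is the behaviour of stats ... BY when a BY field is missing.

```python
import json
from datetime import datetime, timezone

# Constructed sample EVE JSON lines: documentation-range IPs, made-up signature
# names and IDs. The last two lines are deliberately odd (no signature_id; not JSON).
SAMPLE_EVE_LINES = [
    '{"timestamp":"2024-03-01T10:15:02.000000+0000","event_type":"alert","src_ip":"10.0.0.5",'
    '"dest_ip":"203.0.113.9","alert":{"signature_id":9000001,"rev":1,'
    '"signature":"ET MALWARE ExampleRAT CnC Beacon","category":"A Network Trojan was detected","severity":1}}',
    '{"timestamp":"2024-03-01T10:15:09.000000+0000","event_type":"alert","src_ip":"10.0.0.5",'
    '"dest_ip":"203.0.113.9","alert":{"signature_id":9000001,"rev":1,'
    '"signature":"ET MALWARE ExampleRAT CnC Beacon","category":"A Network Trojan was detected","severity":1}}',
    '{"timestamp":"2024-03-01T10:16:40.000000+0000","event_type":"alert","src_ip":"10.0.0.7",'
    '"dest_ip":"198.51.100.4","alert":{"signature_id":9000002,"rev":2,'
    '"signature":"ET MALWARE ExampleRAT Payload Download","category":"A Network Trojan was detected","severity":1}}',
    '{"timestamp":"2024-03-01T10:17:00.000000+0000","event_type":"flow","src_ip":"10.0.0.7",'
    '"dest_ip":"198.51.100.4","proto":"TCP"}',
    '{"timestamp":"2024-03-01T10:18:13.000000+0000","event_type":"alert","src_ip":"10.0.0.9",'
    '"dest_ip":"192.0.2.33","alert":{"signature_id":9000010,"rev":7,'
    '"signature":"ET POLICY ExampleScanner User-Agent","category":"Potentially Bad Traffic","severity":2}}',
    '{"timestamp":"2024-03-01T10:19:30.000000+0000","event_type":"alert","src_ip":"10.0.0.5",'
    '"alert":{"signature":"ET MALWARE ExampleRAT CnC Beacon"}}',
    'this line is not JSON and must be skipped',
]


def parse_eve(lines):
    """Parse EVE JSON lines, silently skipping anything that is not a JSON object."""
    events = []
    for line in lines:
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict):
            events.append(obj)
    return events


def eve_timestamp_to_epoch(ts):
    """Suricata writes ISO-8601 with microseconds and a numeric UTC offset."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z").timestamp()


def signature_summary(lines, threat_name):
    """Equivalent of:
       alert.signature=*<threat>* | stats count, max(_time) AS time BY signature, id | sort count
    Returns (rows, dropped): rows sorted by ascending count, and the number of alerts that
    matched the threat name but had no signature ID (what a BY clause would discard)."""
    needle = threat_name.lower()  # Splunk matches field values case-insensitively
    buckets = {}
    dropped = 0
    for ev in parse_eve(lines):
        if ev.get("event_type") != "alert" or "timestamp" not in ev:
            continue
        alert = ev.get("alert") or {}
        sig = alert.get("signature")
        if not sig or needle not in sig.lower():
            continue
        sid = alert.get("signature_id")
        if sid is None:
            dropped += 1  # would fall out of `stats ... BY alert.signature alert.signature.id`
            continue
        epoch = eve_timestamp_to_epoch(ev["timestamp"])
        row = buckets.setdefault((sig, sid), {
            "signature": sig, "signature_id": sid, "count": 0,
            "first_seen": epoch, "last_seen": epoch,
        })
        row["count"] += 1
        row["first_seen"] = min(row["first_seen"], epoch)
        row["last_seen"] = max(row["last_seen"], epoch)
    rows = sorted(buckets.values(), key=lambda r: (r["count"], r["signature"]))
    for row in rows:
        # Same idea as strftime(time, "%c") in the search; rendered in UTC here.
        row["last_seen_display"] = datetime.fromtimestamp(
            row["last_seen"], tz=timezone.utc).strftime("%c")
    return rows, dropped


if __name__ == "__main__":
    rows, dropped = signature_summary(SAMPLE_EVE_LINES, "ExampleRAT")
    for r in rows:
        print(f'{r["count"]:>5}  {r["signature_id"]:<8}  {r["last_seen_display"]}  {r["signature"]}')
    print(f"matching alerts dropped for missing signature_id: {dropped}")
```

The dropped counter is the practical point: if a feed occasionally emits alerts without an ID, grouping by signature and ID quietly hides them, so check the count against a plain `stats count BY alert.signature` before trusting the numbers.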

Result

The results list every combination of alert signature and signature ID, with when it fired and how many times it fired. Compare the times a signature fired against the times unexpected processes started on the affected hosts to help establish a cause-and-effect relationship.
