Antivirus data
The weakest link in corporate security is an individual, and antivirus is one way to protect employees from performing inadvertently harmful actions. Whether it’s clicking on an untrustworthy web link, downloading malicious software or opening a booby-trapped document (often one sent to them by an unsuspecting colleague), antivirus can often prevent, mitigate or reverse the damage. So-called advanced persistent threats (APTs) often enter through a single compromised machine attached to a trusted network. Antivirus logs support the analysis of malware and vulnerabilities on hosts, laptops and servers, and can be used to monitor for suspicious file paths. While not perfect, antivirus software can recognize and thwart common attack methods before they can spread. In the Common Information Model, antivirus data is typically mapped to the Malware data model and the Endpoint data model.
Application
Security monitoring
- Detecting the use of randomization in cyberattacks
- Monitoring for signs of Windows privilege escalation attacks
- Recognizing improper use of system administration tools
- Managing firewall rules
- Detecting network and port scanning
- Detecting TOR traffic
- Monitoring for network traffic volume outliers
- Detecting recurring malware on a host
Security incidents investigation and resolution
Sources
Guidance for onboarding data can be found in the Splunk Documentation, Getting Data In (Splunk Enterprise) or Getting Data In (Splunk Cloud). In addition, the following Splunk Add-ons and Apps are helpful for working with antivirus data.
- Splunk Add-on for McAfee Web Gateway
- Kaspersky Add-on for Splunk
- Splunk Add-on for Symantec Endpoint Protection
- Carbon Black
- Palo Alto Networks Add-on for Splunk
- CrowdStrike Falcon Event Streams Technical Add-On
- Splunk Add-on for Symantec Blue Coat ProxySG