Investigating unusual file system queries
Your organization uses NetFlow data, which you are ingesting into Splunk. These data show a handful of machines reaching out via HDFS (Hadoop Distributed File System) to your Hadoop cluster, randomly querying for specific files that don't exist.
Data required
To optimize the search shown below, you should specify an index and a time range. In addition, this sample search uses the Hadoop Distributed File System source type. You can replace this source with any other server log data used in your organization.
Procedure
A Splunk customer ran the following search:
| protocol=hdfs response=404 | sort BY rare filename
Next steps
After running this search, the customer found that the machines in question had malware on them and were searching for sensitive documents with names like salary.xls and personal.doc. The customer's endpoint detection and response solution did not detect the malware. Running this search improved their mean time to respond.
These additional Splunk resources might help you understand and implement this use case in your organization:
- .Conf Talk: Using NetFlow for insider threat detection
- .Conf Talk: Tricks you can do with NetFlow analytics