Malware data is a type of security data that is found in the endpoint security domain. It facilitates detection of viruses, worms, spyware, and other potentially unwanted programs running on endpoints. An endpoint is any device that sits at the end of a network. These are typically user devices, such as laptops and phones, but can also be servers. There is a growing list of single-purpose entities, such as sensors, webcams, microphones, and actuators, that are also considered endpoints.
Data visibility
Malware detection and monitoring requires broad device and network coverage. It includes signature- and file-based detection, as well as network behavior such as beaconing and DNS usage patterns. Detection is difficult because malware is a fast-moving and constantly changing target that requires large-scale automation and continuous updating in order to detect and mitigate.
How can I use this data?
When your Splunk deployment is ingesting malware data, you can use the data to achieve objectives related to the following use cases:
- Detecting the use of randomization in cyberattacks
- Monitoring for signs of Windows privilege escalation attacks
- Recognizing improper use of system administration tools
- Investigating a ransomware attack
- Reconstructing a website defacement
- Complying with General Data Protection Regulation
High-value fields
This data type has many available fields, but users typically derive the most value out of the fields listed here.
- action: Action taken by the reporting device.
- category: Category of the malware event, such as keylogger or ad-supported.
- dest: System that was infected by the malware.
- file_hash: Hash of the file with suspected malware.
- file_name: Name of the file with suspected malware.
- severity: Severity of the network protection event.
- signature: Name of the malware infection detected on the endpoint.
- signature_version: Version of the malware signature bundle used in an update operation event.
- src: Source of the event, such as a file or relay server.
- vendor_product: Vendor name of the malware operations product.
Note that the names of these fields vary, depending on the data source. The Splunk Common Information Model (CIM) can be added to your deployment to normalize and validate data at search time, accelerate key data in searches and dashboards, or create new reports and visualizations. In the Common Information Model, malware is typically mapped to the Malware and Endpoint models.
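As an added example (not part of the original page), the following search uses the CIM Malware data model rather than vendor-specific field names to list endpoints where a detection was not blocked, together with the signatures and file hashes involved. It assumes the CIM add-on is installed and the Malware data model is accelerated (if it is not, use `summariesonly=false`); the `Malware_Attacks` dataset and its `action`, `dest`, `signature`, `file_hash` and `vendor_product` fields are the standard CIM names.

```spl
| tstats summariesonly=true count
    min(_time) as first_seen
    max(_time) as last_seen
    values(Malware_Attacks.signature) as signature
    values(Malware_Attacks.file_hash) as file_hash
    values(Malware_Attacks.file_name) as file_name
    from datamodel=Malware.Malware_Attacks
    where Malware_Attacks.action!="blocked"
    by Malware_Attacks.dest Malware_Attacks.vendor_product
| rename Malware_Attacks.* as *
| convert ctime(first_seen) ctime(last_seen)
| sort - count
| table dest vendor_product count first_seen last_seen signature file_hash file_name
```

Because the search reads normalized CIM fields, the same query works across every malware product whose add-on maps to the Malware data model, and the resulting `dest` and `file_hash` values can be pivoted into the Endpoint model for follow-up investigation.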
Known data sources and source types
Guidance for onboarding data can be found in the Splunk documentation, Getting Data In. In addition, the following data sources have add-ons and apps available in Splunkbase to optimize data collection and help you with analysis and visualizations.