Skip to main content

Malware data

  • Updated

Malware data is a type of security data that is found in the endpoint security domain. It facilitates detection of viruses, worms, spyware, and other potentially unwanted programs running on endpoints. Endpoints are any device that is at the end of a network. These are typically user devices, such as laptops and phones, but can also be servers. There is a growing list of single purpose entities, such as sensors, webcams, microphones, and actuators, that are also considered endpoints.

Data visibility 

Malware detection and monitoring requires broad device and network coverage. It includes signature- and file-based detection, as well as network behavior such as beaconing and DNS usage patterns. Detection is difficult because malware is a fast moving and constantly changing target that requires large scale automation and continuous updating in order to detect and mitigate. 

How can I use this data?

When your Splunk deployment is ingesting malware data, you can use the data to achieve objectives related to the following use cases:

High-value fields

This data type has many available fields, but users typically derive the most value out of the fields listed here.

action

Action taken by the reporting device. 

category 

Category of the malware event, such as keylogger or ad-supported.

dest

System that was infected by the malware.

file_hash

Hash of the file with suspected malware.

file_name

Name of the file with suspected malware.

severity

Severity of the network protection event. 

signature

Name of the malware infection detected on the endpoint.

signature_version

Version of the malware signature bundle used in an update operation event. 

src

Source of the event, such as a file or relay server.

vendor_product

Vendor name of the malware operations product. 

Note that the names of these fields vary, depending on the data source. The Splunk Common Information Model (CIM) can be added to your deployment to normalize and validate data at search time, accelerate key data in searches and dashboards, or create new reports and visualizations. In the Common Information Model, malware is typically mapped to the Malware and Endpoint models.

Known data sources and source types

Guidance for onboarding data can be found in the Splunk documentation, Getting Data In. In addition, the following data sources have add-ons and apps available in Splunkbase to optimize data collection and help you with analysis and visualizations.



Related articles

Comments

0 comments

Please sign in to leave a comment.

The information provided in Splunk Lantern is intended for informational and educational purposes only. All information is provided in good faith, however, Splunk disclaims any and all representations and warranties, express and implied, regarding the information provided, including without limitation any warranties and representations regarding the completeness, adequacy or accuracy of the information. You agree to take full responsibility for the results arising from the use of the information provided.