Malware data is a type of security data that belongs to the endpoint security domain. It facilitates detection of viruses, worms, spyware, and other potentially unwanted programs running on endpoints. An endpoint is any device at the edge of a network. These are typically user devices, such as laptops and phones, but can also be servers. A growing list of single-purpose devices, such as sensors, webcams, microphones, and actuators, are also considered endpoints.
Malware detection and monitoring require broad device and network coverage. They include signature- and file-based detection on the endpoint, as well as network behavior such as beaconing (connections repeated at regular intervals to the same destination) and anomalous DNS usage patterns. Detection is difficult because malware changes rapidly, so signatures, indicators, and behavioral rules need large-scale automation and continuous updating to keep pace.
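The beaconing pattern mentioned above can be surfaced from the same deployment's network data. The following search is an added example and is not part of the original page or of any Splunk app. It assumes the Network_Traffic data model is accelerated (otherwise set summariesonly=false), that the add-on normalizes permitted connections to action="allowed", and that the thresholds (at least 20 connections, an average interval of 30 seconds or more, and a standard deviation under 10% of the average) are tuning choices for the example rather than fixed rules.

```spl
| tstats summariesonly=true count
    from datamodel=Network_Traffic.All_Traffic
    where All_Traffic.action="allowed"
    by _time span=1s All_Traffic.src All_Traffic.dest All_Traffic.dest_port
| rename All_Traffic.* as *
| sort 0 src, dest, dest_port, _time
| streamstats current=false last(_time) as prev_time by src, dest, dest_port
| eval delta=_time-prev_time
| stats count as connections, avg(delta) as avg_interval, stdev(delta) as sd_interval
    by src, dest, dest_port
| where connections>=20 AND avg_interval>=30 AND sd_interval<(0.1*avg_interval)
| sort - connections
```

The search buckets connections per second for each source, destination, and port, sorts them so that streamstats sees each conversation in time order, computes the gap between consecutive connections, and then keeps only conversations whose gaps are both numerous and nearly constant. The first connection in each group has no previous timestamp and is ignored by avg and stdev. Malware that adds random jitter to its sleep timer will have a larger standard deviation, so loosen the 0.1 factor or compare against the most common interval rather than the average when hunting for jittered implants; legitimate polling agents (update checks, monitoring) will also match and need to be excluded by destination.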
How can I use this data?
When your Splunk deployment is ingesting malware data, you can use the data to achieve objectives related to the following use cases:
- Detecting the use of randomization in cyberattacks
- Monitoring for signs of Windows privilege escalation attacks
- Recognizing improper use of system administration tools
- Investigating a ransomware attack
- Reconstructing a website defacement
- Complying with General Data Protection Regulation
This data type has many available fields, but users typically derive the most value from the fields described here:
- Action taken by the reporting device.
- Category of the malware event, such as keylogger or ad-supported.
- System that was infected by the malware.
- Hash of the file with suspected malware.
- Name of the file with suspected malware.
- Severity of the network protection event.
- Name of the malware infection detected on the endpoint.
- Version of the malware signature bundle used in an update operation event.
- Source of the event, such as a file or relay server.
- Vendor name of the malware operations product.
Note that the names of these fields vary by data source. The Splunk Common Information Model (CIM) can be added to your deployment to normalize and validate data at search time, accelerate key data for searches and dashboards, and build reports and visualizations that work across vendors. In the Common Information Model, malware data is typically mapped to the Malware and Endpoint data models.
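Once the data is CIM-compliant, the fields described above can be searched under their Malware data model names: in the Malware_Attacks dataset they are action, category, dest, file_hash, file_name, severity, signature, src, and vendor_product, while signature_version belongs to the Malware_Operations dataset. The following triage search is an added example, not part of the original page or of any Splunk app. It assumes the Malware data model is accelerated (otherwise set summariesonly=false), that the vendor add-on normalizes action to the CIM values allowed, blocked, and deferred, and that the priority thresholds are illustrative choices.

```spl
| tstats summariesonly=true count, min(_time) as first_seen, max(_time) as last_seen,
    values(Malware_Attacks.file_name) as file_name
    from datamodel=Malware.Malware_Attacks
    where Malware_Attacks.action="allowed"
    by Malware_Attacks.dest Malware_Attacks.signature Malware_Attacks.file_hash Malware_Attacks.vendor_product
| rename Malware_Attacks.* as *
| eventstats dc(dest) as hosts_with_hash by file_hash
| fillnull value=1 hosts_with_hash
| eval priority=case(hosts_with_hash>=3, "high", count>=5, "medium", true(), "low")
| convert ctime(first_seen) ctime(last_seen)
| sort 0 - hosts_with_hash, - count
| table priority, dest, signature, file_name, file_hash, hosts_with_hash, count, first_seen, last_seen, vendor_product
```

The search keeps only detections the endpoint product reported but did not block, since those are the ones that still need a human or a response playbook. It then counts how many distinct hosts reported the same file hash (events without a hash are treated as seen on one host), because the same sample landing on several machines usually indicates lateral spread or a shared delivery vector rather than a one-off download, and ranks those first. Swap the action filter for action="blocked" to review what the product handled on its own, or group by signature_version in Malware.Malware_Operations to find hosts whose signature bundle has not updated.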
Known data sources and source types
Guidance for onboarding data can be found in the Splunk documentation, Getting Data In. In addition, the following data sources have add-ons and apps available in Splunkbase to optimize data collection and help you with analysis and visualizations.