Monitor Successful Windows Updates

Description

Malware often uses operating system vulnerabilities to infect an endpoint or to spread. This example verifies the Windows updates for specific vulnerabilities exploited by the WannaCry ransomware.


Use Case

Security Monitoring, Compliance

Category

Operations, GDPR

Alert Volume

Very High

SPL Difficulty

Basic

Journey

Stage 1

Data Sources

Patch Management

GDPR Relevance

Problem:

Similar to “High Number of Hosts Not Updating Malware Signatures,” “Detection of Uncleaned Malware on Endpoint,” and “In-Scope Device with Outdated Anti-Malware Found,” infections can occur or persist if the operating system is not being updated with the latest security patches. Even a single host with an outdated patch level can indicate a potential infection.

If that host is tagged under the GDPR category, then immediate remediation is required to address that non-compliant condition.

Impact:

Unpatched systems are at higher risk of infection than patched ones. For any environments/systems that are involved in processing personal data, this situation can be critical, and especially so in a GDPR context. Article 32 of the GDPR requires that organizations regularly test, assess and evaluate the effectiveness of implemented technical and organizational security controls. In the event that a Supervisory Authority exercises its powers to place an organization within the scope of a privacy audit, the organization must demonstrate compliance (Article 58) -- therefore, showing that patching was properly managed and continuously monitored becomes an important capability. If the organization faces a personal data breach and individuals are impacted, those individuals affected have the right to demand compensation for material and non-material damage caused by the breach. The organization must prove that it has understood and addressed the risk appropriately and deployed proper countermeasures (Article 82).

Resolution Path:

Generally speaking, it is critical to keep all systems up to date.

Specific to GDPR, the data mapping exercise from the DPO can inform which systems are in-scope -- that is, those systems that are associated with the GDPR category. From there, identify the in-scope systems needing updates, pinpoint the root issue for updates not occurring, and remediate those hosts by configuring them or the environment appropriately, depending on what the root issue turns out to be.

How to Implement

This use case requires a universal forwarder on the Windows endpoints you wish to monitor as well as the Windows add-on configured to send your logs to Splunk. You can also implement this use case using Windows event logs.

Known False Positives

None at the moment

How To Respond

This search will let you know when one of your systems has had an update successfully applied. It will help you understand how long it takes from when a patch is available to when it is applied in your environment.

Help

Monitor Successful Windows Updates Help

Ransomware often leverages operating system vulnerabilities to infect an endpoint or to spread to other systems. This use case verifies that Windows updates for specific vulnerabilities exploited by the WannaCry ransomware are installed correctly on your Windows endpoints.

SPL for Monitor Successful Windows Updates

Demo Data

First we load our basic demo data.
Next we filter our search for just the Windows Update messages that are related to the specific KBs we know we need to focus on.
Now we have a large number of events and we will want to roll them up into something more usable. stats is great at that!
And finally we can filter for exactly the events we care about.

Live Data

First we load our Windows Update data, filtered for just the Windows Update messages that are related to the specific KBs we know we need to focus on.
Now we have a large number of events and we will want to roll them up into something more usable. stats is great at that!
And finally we can filter for exactly the events we care about.
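The four steps above (load, filter to the KBs of interest, roll up with stats, filter the result) as an added Python walk-through, not the SPL from Splunk Security Essentials. It assumes WindowsUpdateClient System-log events where EventCode 19 is a successful install, constructs its own sample events, and uses a KB-to-release-date table that you would replace with the KBs relevant to your OS versions; it also derives the patch latency the "How To Respond" section mentions.

```python
import re
from datetime import datetime

# Constructed sample events in the shape of Windows Update client records from the
# System log (EventCode 19 = installation successful, 20 = installation failure).
SAMPLE_EVENTS = [
    "2017-05-15T09:12:00 host=WS-001 EventCode=19 Message=Installation Successful: Windows successfully installed the following update: Security Update for Windows (KB4012212)",
    "2017-05-15T09:40:00 host=WS-002 EventCode=20 Message=Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Windows (KB4012212)",
    "2017-05-16T02:05:00 host=WS-003 EventCode=19 Message=Installation Successful: Windows successfully installed the following update: Security Update for Windows (KB4012213)",
    "2017-05-16T02:06:00 host=WS-003 EventCode=19 Message=Installation Successful: Windows successfully installed the following update: Update for Windows (KB9999999)",
]

# Assumption: the KBs that close the vulnerability on your OS versions and their release
# dates. Substitute the KB list your patch team identifies; KB9999999 above is a decoy.
REQUIRED_KBS = {"KB4012212": datetime(2017, 3, 14), "KB4012213": datetime(2017, 3, 14)}
INSTALL_SUCCESS = "19"
EVENT_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) EventCode=(?P<code>\d+) Message=(?P<msg>.*)$")
KB_RE = re.compile(r"\((KB\d+)\)")  # the KB number sits in parentheses at the end of the message


def parse_event(line):
    """Step 1: turn one raw event line into fields (time, host, code, kb), or None if unparseable."""
    m = EVENT_RE.match(line)
    kb = KB_RE.search(m["msg"]) if m else None
    if not m or not kb:
        return None
    return {"time": datetime.fromisoformat(m["ts"]), "host": m["host"], "code": m["code"], "kb": kb.group(1)}


def successful_installs(lines, required=REQUIRED_KBS):
    """Steps 2 and 3: keep only successful installs of the KBs of interest, then roll up to
    the earliest install per (host, KB) and the days elapsed since the KB was released."""
    earliest = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["code"] != INSTALL_SUCCESS or ev["kb"] not in required:
            continue
        key = (ev["host"], ev["kb"])
        if key not in earliest or ev["time"] < earliest[key]:
            earliest[key] = ev["time"]
    return {k: {"installed": t, "days_to_patch": (t - required[k[1]]).days} for k, t in earliest.items()}


def hosts_missing_patch(lines, inventory, required=REQUIRED_KBS):
    """Step 4: hosts from your inventory with no successful install of any required KB."""
    patched = {host for host, _ in successful_installs(lines, required)}
    return sorted(set(inventory) - patched)


if __name__ == "__main__":
    for (host, kb), r in successful_installs(SAMPLE_EVENTS).items():
        print(f"{host} installed {kb} on {r['installed']:%Y-%m-%d}, {r['days_to_patch']} days after release")
    print("missing:", hosts_missing_patch(SAMPLE_EVENTS, ["WS-001", "WS-002", "WS-003", "WS-004"]))
```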