Monitor Unsuccessful Windows Updates

Description

Keeping current with Microsoft updates for Windows is one of the most effective ways to reduce exposure to known exploits and the malware that uses them. This use case identifies hosts on which a required update has failed to install.


Use Case

Security Monitoring

Category

Operations

Alert Volume

Low

SPL Difficulty

Basic

Journey

Stage 1

Data Sources

Patch Management

How to Implement

This use case requires a Splunk universal forwarder on each Windows endpoint you wish to monitor, with the Splunk Add-on for Microsoft Windows configured to forward the relevant logs to Splunk. The search can be built on either the Windows Update client events in the System event log (source Microsoft-Windows-WindowsUpdateClient, where Event ID 19 records a successful installation and Event ID 20 an installation failure) or on WindowsUpdate.log collected as a file input.

Known False Positives

None documented at the moment. Note that Windows Update retries failed installations on its own, so a failure that is later followed by a successful installation of the same KB on the same host is not an outstanding problem; rolling events up by host and KB and keeping only the latest status for each pair avoids alerting on those.

How To Respond

When this search fires, investigate why the update was not applied to the system: check the error code recorded in the installation-failure event on the host, confirm the host can reach its update source (WSUS, SCCM or Microsoft Update), look for a pending reboot or insufficient disk space, and re-run the installation. Treat the host as exposed until the update is confirmed installed.

Help

Monitor Unsuccessful Windows Updates Help

Keeping current with Microsoft updates for Windows is one of the best ways to prevent WannaCry and other ransomware attacks. This use case evaluates Windows event logs and Windows update logs to identify hosts that have failed to implement the appropriate updates.

SPL for Monitor Unsuccessful Windows Updates

Demo Data

First we load our basic demo data.
Next we filter the search down to just the Windows Update messages that relate to the specific KBs we know we need to focus on.
Now we have a large number of events and we want to roll them up into something more usable, one row per host and KB. stats is great at that!
And finally we filter for exactly the events we care about: the host and KB pairs whose most recent status is a failure.

Live Data

First we load our Windows Update data, filtered down to just the Windows Update messages that relate to the specific KBs we know we need to focus on.
Now we have a large number of events and we want to roll them up into something more usable, one row per host and KB. stats is great at that!
And finally we filter for exactly the events we care about: the host and KB pairs whose most recent status is a failure.
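The following search is an added example of the live-data procedure above (filter, roll up with stats, then keep only the failures); it is not the page's own SPL. It assumes the classic Windows add-on sourcetype WinEventLog:System with the fields host, SourceName, EventCode and Message, that the KB number appears in parentheses in the Message text as Windows Update writes it, and it uses the MS17-010 KBs (KB4012212, KB4012215, KB4012598) only as placeholders for the KBs you are tracking.

```spl
sourcetype="WinEventLog:System" SourceName="Microsoft-Windows-WindowsUpdateClient"
    (EventCode=19 OR EventCode=20)
    (KB4012212 OR KB4012215 OR KB4012598)
| rex field=Message "\((?<kb>KB\d+)\)"
| eval status=if(EventCode=20, "failure", "success")
| stats latest(_time) as last_seen, latest(status) as last_status,
        count(eval(status="failure")) as failures by host, kb
| where last_status="failure"
| convert ctime(last_seen)
| table host, kb, last_status, failures, last_seen
```

Event ID 19 (success) is included deliberately: latest(status) is taken in time order, so a host whose failed installation was later retried successfully drops out of the results instead of raising an alert, while the failures column shows how many attempts it took. If you ingest WindowsUpdate.log as a file input instead of the event log, replace the base search and the rex extraction with the corresponding sourcetype and field names.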