Ransomware Vulnerabilities

Description

This use case queries your Vulnerability Management logs from solutions like Nessus in order to identify the hosts in your environment that might be vulnerable to ransomware.


Use Case

Security Monitoring, Compliance

Category

Vulnerability

Alert Volume

Low

SPL Difficulty

Basic

Journey

Stage 4

Kill Chain Phases

Actions on Objectives

Data Sources

Vulnerability Detection

How to Implement

Index data from your vulnerability management system to search for or alert on systems with vulnerabilities that ransomware families often exploit. In this example, we use Nessus data with the Splunk Add-on for Tenable.

Known False Positives

None confirmed at the moment. Note that a finding reflects the state of the host at the time of the scan, so a host that was patched after its last scan will still appear until it is re-scanned.

How To Respond

When this search fires, first verify whether the patches for the reported CVEs have already been applied to the affected hosts (a re-scan or a check of the host's patch level will confirm this). If they have not, start your update process to remediate these vulnerabilities and remove the hosts from the results.

Help

Ransomware Vulnerabilities Help


SPL for Ransomware Vulnerabilities

Demo Data

First we load our vulnerability scanning demo data.
Then we filter to the specific CVEs that we care about (in this case, the CVEs exploited by WannaCry).
Vulnerability data is refreshed with each scan, so we want to keep that time context. bin (also available under its alias bucket) groups events by _time, effectively flattening each event's actual _time value to its day.
Finally, we use stats to put this data in a usable format, showing the CVEs per host, per status, per day.

Live Data

First we load our vulnerability scanning data and filter to the specific CVEs that we care about (in this case, the CVEs exploited by WannaCry).
Vulnerability data is refreshed with each scan, so we want to keep that time context. bin (also available under its alias bucket) groups events by _time, effectively flattening each event's actual _time value to its day.
Finally, we use stats to put this data in a usable format, showing the CVEs per host, per status, per day.
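The following is an added example, not code from the page or from Splunk Security Essentials, that implements the same filter / bin / stats logic described in both the Demo Data and Live Data steps above as plain Python over constructed Nessus-style events, so the per-host, per-status, per-day result can be inspected offline. It assumes the event fields are named dest, cve and status (the page does not name them), and it assumes the WannaCry CVE list is the MS17-010 set (CVE-2017-0143 through CVE-2017-0148), which the page also does not enumerate. The equivalent SPL is given in the docstring under the same assumptions.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Assumption (not stated on the page): the CVEs exploited by WannaCry are the
# MS17-010 SMBv1 flaws. Adjust to whatever CVE list your program tracks.
WANNACRY_CVES = {
    "CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145",
    "CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0148",
}

# Constructed sample events. Field names dest/cve/status are assumed; real
# Tenable add-on events carry many more fields. Note the re-scan on 2017-05-15:
# fileserver01 was patched in between, hr-laptop07 was not.
SAMPLE_EVENTS = [
    {"_time": "2017-05-12T03:15:00Z", "dest": "fileserver01", "cve": "CVE-2017-0144", "status": "open"},
    {"_time": "2017-05-12T03:15:00Z", "dest": "fileserver01", "cve": "CVE-2017-0145", "status": "open"},
    {"_time": "2017-05-12T03:16:00Z", "dest": "fileserver01", "cve": "CVE-2016-2183", "status": "open"},  # unrelated, filtered out
    {"_time": "2017-05-12T03:20:00Z", "dest": "hr-laptop07",  "cve": "CVE-2017-0144", "status": "open"},
    {"_time": "2017-05-15T22:40:00Z", "dest": "fileserver01", "cve": "CVE-2017-0144", "status": "fixed"},
    {"_time": "2017-05-15T22:40:00Z", "dest": "fileserver01", "cve": "CVE-2017-0145", "status": "fixed"},
    {"_time": "2017-05-15T22:45:00Z", "dest": "hr-laptop07",  "cve": "CVE-2017-0144", "status": "open"},
]


def bin_day(ts):
    """Equivalent of `bin _time span=1d`: flatten an ISO-8601 timestamp to its UTC day."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)
    return dt.date().isoformat()


def ransomware_vulns(events, cves=WANNACRY_CVES):
    """Filter to the tracked CVEs, bucket by day, and aggregate per host/status/day.

    Assumed SPL equivalent (field names are assumptions):
        ... sourcetype=nessus* cve IN ("CVE-2017-0143", ... , "CVE-2017-0148")
        | bin _time span=1d
        | stats values(cve) AS cves count BY _time dest status
    Returns rows sorted by (day, dest, status).
    """
    cve_sets = defaultdict(set)
    counts = defaultdict(int)
    for e in events:
        if e["cve"] not in cves:          # the `cve IN (...)` filter
            continue
        key = (bin_day(e["_time"]), e["dest"], e["status"])
        cve_sets[key].add(e["cve"])       # values(cve)
        counts[key] += 1                  # count
    return [
        {"day": d, "dest": h, "status": s, "cves": sorted(cve_sets[(d, h, s)]), "count": counts[(d, h, s)]}
        for (d, h, s) in sorted(cve_sets)
    ]


def still_open(rows):
    """Hosts whose most recent scan still reports at least one tracked CVE as open.

    This is the 'verify the patch has not been applied yet' step from How To
    Respond: a host that was open on an earlier day but fixed on the latest
    day is not returned.
    """
    latest = {}
    for r in rows:                         # rows are sorted by day, so later days overwrite
        for cve in r["cves"]:
            latest[(r["dest"], cve)] = r["status"]
    return sorted({dest for (dest, _cve), status in latest.items() if status == "open"})


if __name__ == "__main__":
    rows = ransomware_vulns(SAMPLE_EVENTS)
    for r in rows:
        print(r["day"], r["dest"], r["status"], ",".join(r["cves"]), r["count"])
    print("still open:", still_open(rows))
```

Running the script on the constructed events yields four rows (two per scan day) and reports only hr-laptop07 as still open, because fileserver01's entries flipped to fixed on the later scan. In Splunk, the same final check is a `stats latest(status) BY dest cve` over the bucketed results.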