
With more and more users working remotely, it is highly likely that more apps will be downloaded and installed onto the endpoints. Here is an analytic story from the Splunk Enterprise Security Use Case Library.
Analytic Story: Monitor for Unauthorized Software
This story provides guidance to identify and investigate prohibited/unauthorized software or processes that may be concealing malicious behavior within your environment. There is a similar Analytic Story to monitor out-of-date software as well. Consider that the risk of installing more software on the endpoints will be higher. Also, if you are already using this search, consider reviewing the frequency at which it is run, as with the new operations model the specific requirement will most likely change.
Example searches include, among others, Prohibited Software on Endpoint, Get Authentication Logs for Endpoint, Get Vulnerability Logs for Endpoint, Investigate Web Activity From Host, and Add Prohibited Processes to Enterprise Security. For each one of these, users can edit the correlation search, as shown below for Prohibited Software on Endpoint:
The main data source type for this Analytic Story is EDR, including the likes of Carbon Black, Tanium, CrowdStrike, and Sysmon.
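To make the logic of the Prohibited Software on Endpoint search concrete, here is an added example (not Splunk's search or lookup) that applies the same idea in Python: process events normalised to Endpoint data model style fields are matched against a prohibited-software list and summarised per host and process with first seen, last seen and count. The prohibited list, the field names and the EDR events are constructed for the example.

```python
import ntpath
from datetime import datetime

# Constructed list of prohibited executables, standing in for the Enterprise
# Security lookup that the correlation search consults (example only).
PROHIBITED_PROCESSES = {"teamviewer.exe", "utorrent.exe", "anydesk.exe"}

# Constructed EDR/Sysmon-style process events. The field names (dest,
# process_path, _time) are assumed to mirror the Endpoint.Processes data model.
SAMPLE_EVENTS = [
    {"_time": "2020-04-01T09:02:11", "dest": "WKS-017",
     "process_path": r"C:\Program Files\TeamViewer\TeamViewer.exe"},
    {"_time": "2020-04-01T09:05:42", "dest": "WKS-017",
     "process_path": r"C:\Program Files\TeamViewer\TeamViewer.exe"},
    {"_time": "2020-04-01T10:14:03", "dest": "WKS-042",
     "process_path": r"C:\Users\jdoe\AppData\Local\uTorrent\uTorrent.exe"},
    {"_time": "2020-04-01T10:20:55", "dest": "WKS-042",
     "process_path": r"C:\Windows\System32\svchost.exe"},
]


def process_name(path):
    """Executable name from a Windows path, lower-cased so matching is case-insensitive."""
    return ntpath.basename(path).lower()


def prohibited_software_on_endpoint(events, prohibited=PROHIBITED_PROCESSES):
    """One finding per (host, prohibited process): count, firstTime, lastTime.

    This mirrors the stats the correlation search produces so an analyst can
    see how long and how often the software has been running on each endpoint.
    """
    findings = {}
    for ev in events:
        name = process_name(ev["process_path"])
        if name not in prohibited:
            continue
        ts = datetime.fromisoformat(ev["_time"])
        f = findings.setdefault((ev["dest"], name), {
            "dest": ev["dest"], "process_name": name, "count": 0,
            "firstTime": ts, "lastTime": ts})
        f["count"] += 1
        f["firstTime"] = min(f["firstTime"], ts)
        f["lastTime"] = max(f["lastTime"], ts)
    return sorted(findings.values(), key=lambda f: (f["dest"], f["process_name"]))


if __name__ == "__main__":
    for f in prohibited_software_on_endpoint(SAMPLE_EVENTS):
        print(f"{f['dest']}: {f['process_name']} seen {f['count']}x "
              f"between {f['firstTime']} and {f['lastTime']}")
```

In Enterprise Security the same grouping is what you tune the search schedule against: a lower run frequency widens the window each finding covers, so review it together with the lookup contents when the remote-work model changes what counts as prohibited.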
Check here for more practical guides on how to secure your organization in the new work-from-home era.
Thanks to the contributors of this blog post: Bryan Sadowski, Lily Lee, Rene Aguero, James Brodsky, and Chris Simmons.