Hi guys
We were hit with Cryptolocker about 5 months ago, and since then, we have gone through a bit of an overhaul of our security infrastructure and processes. Included in this was installing and configuring Splunk to help with log file collection and reporting.
One thing I would like to do is create a report and alert based on basically what Crypto does - bulk file changes - as I know from experience that it will attack as many files on as many shares as it can find as quickly as possible.
Being a noob to Splunk, I was wondering if anyone has anything useful I could use as a basis for building this into our Splunk alerting and reporting? At the moment, I only have a basic search created, purely for testing as follows:
EventCode=4663 WriteData | top limit=20 Account_Name | where count>20
Any help would be appreciated and help me learn a bit more.
cheers,
Brett
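An added example of the kind of search the post is asking for (this is not from the original post or its author; it is an illustration of the bulk-file-change idea). It assumes the Windows security log is indexed with the Splunk Add-on for Windows, which extracts the `Account_Name`, `Object_Name`, `Accesses` and `host` fields from event 4663; the index name, the 5-minute window and the 500-file threshold are assumptions to be tuned against your own baseline:

```spl
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4663
    (Accesses="*WriteData*" OR Accesses="*DELETE*")
    NOT Account_Name="*$"
| bin _time span=5m
| stats dc(Object_Name) AS files_touched,
        count AS write_events,
        values(host) AS file_servers
        BY _time, Account_Name
| where files_touched > 500
| sort - files_touched
```

The important design choice is `dc(Object_Name)` rather than a plain `count`: a single application saving the same document a thousand times produces many 4663 events but touches one object, whereas ransomware touches a new file with almost every write. Grouping by `_time` buckets catches the burst behaviour described in the post (many files, many shares, fast), and the `NOT Account_Name="*$"` clause drops computer accounts, which otherwise dominate the results. Two caveats worth stating: 4663 is only logged for objects that carry a SACL, so object-access auditing has to be enabled and audit entries set on the shares you care about, and the threshold should be set from a week or so of normal traffic per account before the search is saved as an alert, otherwise backup jobs and file-sync tools will page you first.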