forked from splunk/security_content
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathsystems_ready_for_spectre_meltdown_windows_patch.yml
41 lines (41 loc) · 1.64 KB
/
systems_ready_for_spectre_meltdown_windows_patch.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
name: Systems Ready for Spectre-Meltdown Windows Patch
id: fc0edc95-ff2b-48b0-9f6f-63da3789fd61
version: 1
date: '2018-01-08'
author: David Dorsey, Splunk
type: Baseline
datamodel:
- Change
description: Some AV applications can cause the Spectre/Meltdown patch for Windows
not to install successfully. This registry key is supposed to be created by the
AV engine when it has been patched to be able to handle the Windows patch. If this
key has been written, the system can then be patched for Spectre and Meltdown.
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime FROM datamodel=Change_Analysis.All_Changes where All_Changes.object_category=registry
AND (All_Changes.object_path="HKLM\Software\Microsoft\Windows\CurrentVersion\QualityCompat*")
by All_Changes.dest, All_Changes.command, All_Changes.user, All_Changes.object,
All_Changes.object_path | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)`
| `drop_dm_object_name("All_Changes")`'
how_to_implement: You need to be ingesting logs with both the process name and command-line
from your endpoints. If you are using Sysmon, you must have at least version 6.0.4
of the Sysmon TA.
known_false_positives: none
references: []
tags:
analytic_story:
- Spectre And Meltdown Vulnerabilities
detections:
- Spectre and Meltdown Vulnerable Systems
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- All_Changes.object_category
- All_Changes.object_path
- All_Changes.dest
- All_Changes.command
- All_Changes.user
- All_Changes.object
security_domain: endpoint