Product: Splunk Security Content
Description:
The Splunk rule named "known_services_killed_by_ransomware" is intended to detect when certain critical services have entered the stopped state, potentially as a result of ransomware activity. However, there is an inconsistency in the use of wildcards within the Message IN list, which may lead to the rule not triggering on relevant log messages.
Steps to Reproduce:
Navigate to the Splunk search interface.
Enter the provided Splunk rule named "known_services_killed_by_ransomware".
Execute the rule against the wineventlog_system log data containing EventCode 7036.
Expected Result:
The rule should match any Message that contains the names of the specified services followed by the phrase "service entered the stopped state", regardless of any additional text or variations in case.
Actual Result:
Due to missing wildcards for some service names and the lack of a comma between "QBCFMonitorService" and "YooBackup", the rule may not match all relevant Message field values, resulting in potential false negatives.
Bug Impact:
The effectiveness of the rule in detecting service interruptions related to ransomware activities is compromised. Critical alerts may be missed, reducing the ability of the security team to respond to ransomware threats in a timely manner.
Suggested Fix:
Review and update the rule to ensure consistent use of wildcards with all service names in the Message IN list. Add missing wildcards where necessary to capture variations in the Message field values. Ensure that all service names are correctly separated by commas.
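To make the false-negative mechanism concrete, the following added example (not part of the issue or of the Splunk Security Content project) approximates how a `Message IN(...)` list compares each entry against the whole field value: an entry with `*` wildcards matches substrings, while an entry without them only matches an identical value. The service list and the EventCode 7036 messages are constructed; the missing-comma syntax defect is not modelled here.

```python
import re

# Constructed sample Message values (not real log data) in the shape of
# wineventlog_system EventCode 7036 records that the report describes.
SAMPLE_MESSAGES = [
    "The QBCFMonitorService service entered the stopped state.",
    "The YooBackup service entered the stopped state.",
    "The yoobackup service entered the stopped state.",
    "The Print Spooler service entered the stopped state.",
    "The YooBackup service entered the running state.",
]

# Hypothetical inconsistent list in the spirit of the report: the first
# entry is wildcarded, the second is not and so requires an exact match.
INCONSISTENT_LIST = ["*QBCFMonitorService*", "YooBackup"]
# The same list with wildcards applied consistently (the suggested fix).
CONSISTENT_LIST = ["*QBCFMonitorService*", "*YooBackup*"]


def in_list_match(value: str, patterns) -> bool:
    """Approximate `field IN(...)`: each pattern is compared against the
    whole field value, case-insensitively (as the report expects), with
    `*` as the only wildcard. No `*` means equality, not containment."""
    for pattern in patterns:
        regex = ".*".join(re.escape(part) for part in pattern.split("*"))
        if re.fullmatch(regex, value, flags=re.IGNORECASE):
            return True
    return False


def stopped_service_hits(patterns, messages=SAMPLE_MESSAGES):
    """Return the messages a rule with this IN list would alert on:
    the service-name list must match and the service must have stopped."""
    return [
        m for m in messages
        if "entered the stopped state" in m.lower()
        and in_list_match(m, patterns)
    ]


if __name__ == "__main__":
    print("inconsistent list:", stopped_service_hits(INCONSISTENT_LIST))
    print("consistent list:  ", stopped_service_hits(CONSISTENT_LIST))
```

With the inconsistent list only the QBCFMonitorService event fires; both YooBackup stop events are silently missed until the wildcards are added.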