While initially intended to aid in detecting malware, the data WLS provides has many other uses. One that we use is to track software updates and outdated software being used on our network. In theory you could schedule a report similar to the ones below and automatically email people who are using incorrect software versions.
The search I used for the examples is shown below, and could easily be turned into a Splunk form where you can specify any BaseFileName for a quick report.
(EventID=4688 OR EventID=592) BaseFileName=firefox.exe | dedup host | stats count(MD5) by CompanyName, FileVersion, ProductVersion, MD5
Breakdown:
- Find all process creation events
  - (EventID=4688 OR EventID=592)
- Find processes named "firefox.exe"
  - BaseFileName=firefox.exe
- Deduplicate on host so that only the most recent execution per host is kept
  - dedup host
- Calculate statistics (count the MD5 values) grouped by the fields specified
  - stats count(MD5) by CompanyName, FileVersion, ProductVersion, MD5
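To make the pipeline's semantics concrete, here is an added example (not code from the original post or from WLS) that replicates the same search in plain Python over a constructed set of events: filter on EventID and BaseFileName, keep the newest event per host the way Splunk's dedup does on its default newest-first ordering, then count MD5 values per version group. Field names match the search; all event values are hypothetical.

```python
from collections import Counter

# Constructed sample of WLS process-creation events (hypothetical values),
# carrying the fields the search uses plus an event time for ordering.
SAMPLE_EVENTS = [
    {"_time": "2013-03-01T09:00:00", "EventID": 4688, "host": "ws01",
     "BaseFileName": "firefox.exe", "CompanyName": "Mozilla Corporation",
     "FileVersion": "19.0", "ProductVersion": "19.0", "MD5": "aaaa1111"},
    {"_time": "2013-03-02T10:00:00", "EventID": 4688, "host": "ws01",
     "BaseFileName": "firefox.exe", "CompanyName": "Mozilla Corporation",
     "FileVersion": "19.0.2", "ProductVersion": "19.0.2", "MD5": "bbbb2222"},
    {"_time": "2013-03-02T11:00:00", "EventID": 592, "host": "ws02",
     "BaseFileName": "firefox.exe", "CompanyName": "Mozilla Corporation",
     "FileVersion": "19.0", "ProductVersion": "19.0", "MD5": "aaaa1111"},
    {"_time": "2013-03-02T12:00:00", "EventID": 4688, "host": "ws03",
     "BaseFileName": "chrome.exe", "CompanyName": "Google Inc.",
     "FileVersion": "25.0.1364", "ProductVersion": "25.0.1364", "MD5": "cccc3333"},
    {"_time": "2013-03-02T13:00:00", "EventID": 4688, "host": "ws04",
     "BaseFileName": "firefox.exe", "CompanyName": "Mozilla Corporation",
     "FileVersion": "19.0.2", "ProductVersion": "19.0.2", "MD5": "bbbb2222"},
]

GROUP_FIELDS = ("CompanyName", "FileVersion", "ProductVersion", "MD5")

def version_report(events, base_file_name):
    """Mirror the SPL: (EventID=4688 OR EventID=592) BaseFileName=<name>
    | dedup host | stats count(MD5) by CompanyName, FileVersion, ProductVersion, MD5.
    Returns {(CompanyName, FileVersion, ProductVersion, MD5): count}."""
    matched = [e for e in events
               if e["EventID"] in (4688, 592)
               and e["BaseFileName"].lower() == base_file_name.lower()]
    # Splunk hands events to dedup newest first, so "dedup host" keeps the
    # most recent execution on each host; older runs of the same host are dropped.
    newest_first = sorted(matched, key=lambda e: e["_time"], reverse=True)
    seen_hosts, per_host = set(), []
    for e in newest_first:
        if e["host"] not in seen_hosts:
            seen_hosts.add(e["host"])
            per_host.append(e)
    # stats count(MD5) by <fields>: one row per distinct group, counting events.
    counts = Counter(tuple(e[f] for f in GROUP_FIELDS) for e in per_host)
    return dict(sorted(counts.items()))

if __name__ == "__main__":
    for group, n in version_report(SAMPLE_EVENTS, "firefox.exe").items():
        print(n, *group)
```

Because dedup keeps one event per host, a host that ran an old build yesterday and the patched build today shows up only under the patched version; the counts therefore say how many hosts last ran each build, not how many times each build ran.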
Example results!
- firefox.exe
- chrome.exe
- iexplore.exe
- acrord32.exe
- java.exe: too embarrassing to post 😦
Have other ideas for using the data WLS provides? Let me know in the comments below or via the contact form.
If you’d like more information on WLS, send me a note via the contact form. WLS is currently available to US entities, but does require a signed license agreement.