Example of how to detect large web uploads?

Splunk Employee

Does anyone have examples of how to use Splunk to detect large web upload exfiltrations?

Splunk Employee

The Splunk Product Best Practices team helped produce this response. Read more about example use cases in the Splunk Platform Use Cases manual.

For more information on this and other examples, download the free Splunk Security Essentials app on Splunkbase.

Data exfiltration usually occurs over standard channels in most organizations because users upload data to Google, Dropbox, Box, smaller file sharing sites, or unlisted drop sites. Since HTTPS is always allowed out, exfiltration becomes easy and it's easy to detect those big transfers!

This use case is from the Splunk Security Essentials app. Check it out for more examples and demo data for this type of use case.

Finding Large Web Uploads

Load data

This use case leverages the Palo Alto Networks Add-on for Splunk. Install the add-on and enable the inputs to collect data.

Get insights

This search uses a basic threshold to detect a large web upload that can be exfiltration from malware or a malicious insider using the standard sourcetypes for Palo Alto Networks.

Best practice: In the search below, replace the asterisk in index= with the name of the index that contains the data. By default, Splunk stores data in the main index. Therefore, index= becomes index=main. Use the OR operator to specify one or multiple indexes to search. For example, index=main OR index=security. See About managing indexes and How indexing works in Splunk docs for details.

Number of File Uploads

index=* sourcetype=pan:traffic OR (tag=web tag=proxy) OR (sourcetype="opsec URL Filtering") OR sourcetype=bluecoat:proxysg* OR sourcetype=websense* earliest=-10m
| where bytes_out>300000
| where 2 * bytes_out > bytes_in
| stats count sum(bytes_*) as bytes_* by src_ip
| stats sum(count) as Number_File_Uploads

Source IPs Uploading the Most

index=* sourcetype=pan:traffic OR (tag=web tag=proxy) OR (sourcetype="opsec URL Filtering") OR sourcetype=bluecoat:proxysg* OR sourcetype=websense* earliest=-10m
| where bytes_out>300000
| where 2 * bytes_out > bytes_in
| stats count sum(bytes_*) as bytes_* by src_ip
| sort - bytes_out

Known false positives: These simple searches can fire for innocent occurrences such as uploading vacation photos. Many organizations try to filter this behavior by focusing on users who are on a watchlist either because they have access to sensitive data, for example executives and scientists, or because of the employee’s status in the organization. For example, employees with a performance plan, notice given, or contract ending are at greater risk of data exfiltration. Implement such filtering watchlists using lookups.

How to respond: When this fires, it usually happens for perfectly legitimate reasons. When this fires, many analysts look where the data was sent to and if the user has uploaded data to that site before. Often analysts call the user to confirm the activity, preferably with the knowledge of that employee's status in the organization. If you have SSL inspection turned on from the NGFW or DLP for that site, you can sometimes see the actual files that were transferred, which can help provide context.

If no results appear, you may need to deploy the Palo Alto Networks Add-on for Splunk to the search heads to use the knowledge objects necessary for simple searching.
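The two searches above expressed as plain code, as an added example that is not part of the answer or of Splunk Security Essentials: it applies the same bytes_out threshold and upload-to-download ratio to a handful of constructed firewall/proxy records, aggregates per src_ip the way the stats commands do, and shows the lookup-style watchlist filter the answer recommends. The field names mirror the CIM fields the searches use; the sample events and the watchlist contents are constructed.

```python
from collections import defaultdict

# Constructed sample events in the shape of pan:traffic / proxy records
# (src_ip, dest, bytes_in, bytes_out). Not real data.
SAMPLE_EVENTS = [
    {"src_ip": "10.1.1.5",  "dest": "share.example.net", "bytes_in": 12000,   "bytes_out": 850000},
    {"src_ip": "10.1.1.5",  "dest": "share.example.net", "bytes_in": 9000,    "bytes_out": 620000},
    {"src_ip": "10.1.1.9",  "dest": "cdn.example.com",   "bytes_in": 4000000, "bytes_out": 350000},  # big download, fails ratio
    {"src_ip": "10.1.1.20", "dest": "mail.example.org",  "bytes_in": 5000,    "bytes_out": 120000},  # below threshold
    {"src_ip": "10.1.1.33", "dest": "files.example.com", "bytes_in": 1000,    "bytes_out": 400000},
]

MIN_BYTES_OUT = 300000  # the `where bytes_out>300000` threshold from the search


def is_large_upload(ev):
    """Both `where` clauses: bytes_out>300000 and 2 * bytes_out > bytes_in.
    The ratio check drops sessions that are mostly download traffic."""
    return ev["bytes_out"] > MIN_BYTES_OUT and 2 * ev["bytes_out"] > ev["bytes_in"]


def uploads_by_src(events):
    """`stats count sum(bytes_*) as bytes_* by src_ip | sort - bytes_out`."""
    agg = defaultdict(lambda: {"count": 0, "bytes_in": 0, "bytes_out": 0})
    for ev in events:
        if not is_large_upload(ev):
            continue
        row = agg[ev["src_ip"]]
        row["count"] += 1
        row["bytes_in"] += ev["bytes_in"]
        row["bytes_out"] += ev["bytes_out"]
    rows = [{"src_ip": ip, **row} for ip, row in agg.items()]
    return sorted(rows, key=lambda r: r["bytes_out"], reverse=True)


def number_file_uploads(events):
    """`stats sum(count) as Number_File_Uploads` over the per-source rows."""
    return sum(r["count"] for r in uploads_by_src(events))


def filter_watchlist(rows, watchlist):
    """The lookup-based filtering the answer suggests: keep only sources that
    appear in a watchlist (hypothetical lookup; real ones usually key on user)."""
    return [r for r in rows if r["src_ip"] in watchlist]


if __name__ == "__main__":
    print("Number_File_Uploads:", number_file_uploads(SAMPLE_EVENTS))
    for r in uploads_by_src(SAMPLE_EVENTS):
        print(r)
```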


Splunk Employee

Added related video.
