Does anyone have examples of how to use Splunk to detect large web upload exfiltrations?
The Splunk Product Best Practices team helped produce this response. Read more about example use cases in the Splunk Platform Use Cases manual.
Data exfiltration usually occurs over standard channels in most organizations because users upload data to Google, Dropbox, Box, smaller file sharing sites, or unlisted drop sites. Since HTTPS is always allowed out, exfiltration becomes easy and it's easy to detect those big transfers!
This use case is from the Splunk Security Essentials app. Check it out for more examples and demo data for this type of use case.
This use case leverages the Palo Alto Networks Add-on for Splunk. Install the add-on and enable the inputs to collect data.
This search uses a basic threshold to detect a large web upload that can be exfiltration from malware or a malicious insider using the standard sourcetypes for Palo Alto Networks.
Best practice: In the searches below, replace the asterisk in index=* with the name of the index that contains the data. By default, Splunk stores data in the main index. Therefore, index=* becomes index=main. Use the OR operator to specify one or multiple indexes to search. For example, index=main OR index=security. See About managing indexes and How indexing works in Splunk docs for details.
index=* (sourcetype=pan:traffic OR (tag=web tag=proxy) OR sourcetype="opsec URL Filtering" OR sourcetype=bluecoat:proxysg* OR sourcetype=websense*) earliest=-10m
| where bytes_out>300000
| where 2 * bytes_out > bytes_in
| stats count sum(bytes_*) as bytes_* by src_ip
| stats sum(count) as Number_File_Uploads
index=* (sourcetype=pan:traffic OR (tag=web tag=proxy) OR sourcetype="opsec URL Filtering" OR sourcetype=bluecoat:proxysg* OR sourcetype=websense*) earliest=-10m
| where bytes_out>300000
| where 2 * bytes_out > bytes_in
| stats count sum(bytes_*) as bytes_* by src_ip
| sort - bytes_out
Known false positives: These simple searches can fire for innocent occurrences such as uploading vacation photos. Many organizations try to filter this behavior by focusing on users who are on a watchlist either because they have access to sensitive data, for example executives and scientists, or because of the employee’s status in the organization. For example, employees with a performance plan, notice given, or contract ending are at greater risk of data exfiltration. Implement such filtering watchlists using lookups.
How to respond: When this fires, it usually happens for perfectly legitimate reasons. When this fires, many analysts look at where the data was sent and whether the user has uploaded data to that site before. Often analysts call the user to confirm the activity, preferably with knowledge of that employee's status in the organization. If you have SSL inspection turned on at the NGFW, or DLP for that site, you can sometimes see the actual files that were transferred, which can help provide context.
If no results appear, you may need to deploy the Palo Alto Networks Add-on for Splunk to the search heads to use the knowledge objects necessary for simple searching.
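To make the threshold logic of the two searches above concrete, here is the same detection written in plain Python over constructed sample events (an added example, not Splunk's or the Security Essentials app's code). The event records, the watchlist, and the IP addresses are all constructed for illustration; the thresholds are the ones from the searches.

```python
from collections import defaultdict

# Constructed sample events standing in for pan:traffic / web proxy records.
# Only the fields the searches use are kept: src_ip, dest, bytes_out, bytes_in.
SAMPLE_EVENTS = [
    {"src_ip": "10.1.1.5", "dest": "dropbox.com", "bytes_out": 450000, "bytes_in": 12000},
    {"src_ip": "10.1.1.5", "dest": "dropbox.com", "bytes_out": 380000, "bytes_in": 9000},
    # Large bytes_out but far larger bytes_in: a download-heavy session, not an upload.
    {"src_ip": "10.1.1.9", "dest": "video.example", "bytes_out": 320000, "bytes_in": 9000000},
    # Small transfer, below the 300000-byte threshold.
    {"src_ip": "10.1.1.7", "dest": "intranet.example", "bytes_out": 50000, "bytes_in": 2000},
    {"src_ip": "10.1.2.3", "dest": "box.com", "bytes_out": 900000, "bytes_in": 15000},
]

# Constructed watchlist (src_ip -> reason), the kind of lookup the answer suggests
# for suppressing false positives from ordinary users.
WATCHLIST = {"10.1.2.3": "notice given"}

BYTES_OUT_THRESHOLD = 300000


def is_large_upload(ev):
    """Mirror `where bytes_out>300000 | where 2 * bytes_out > bytes_in`."""
    return ev["bytes_out"] > BYTES_OUT_THRESHOLD and 2 * ev["bytes_out"] > ev["bytes_in"]


def uploads_by_src(events):
    """Mirror `stats count sum(bytes_*) as bytes_* by src_ip`."""
    agg = defaultdict(lambda: {"count": 0, "bytes_out": 0, "bytes_in": 0})
    for ev in events:
        if is_large_upload(ev):
            row = agg[ev["src_ip"]]
            row["count"] += 1
            row["bytes_out"] += ev["bytes_out"]
            row["bytes_in"] += ev["bytes_in"]
    return dict(agg)


def number_file_uploads(events):
    """Mirror the first search's final `stats sum(count) as Number_File_Uploads`."""
    return sum(row["count"] for row in uploads_by_src(events).values())


def top_uploaders(events):
    """Mirror the second search's `sort - bytes_out`: rows ordered by bytes_out descending."""
    rows = [dict(row, src_ip=ip) for ip, row in uploads_by_src(events).items()]
    return sorted(rows, key=lambda r: r["bytes_out"], reverse=True)


def watchlisted_uploads(events, watchlist):
    """Keep only sources present in the watchlist lookup, tagging each with its reason."""
    return {ip: dict(row, reason=watchlist[ip])
            for ip, row in uploads_by_src(events).items() if ip in watchlist}
```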