All Apps and Add-ons

Example of how to detect users who are potential flight risks?

Ultra Champion

Does anyone have examples of how to use Splunk to detect users who are potential flight risks?

0 Karma
1 Solution

Ultra Champion

The Splunk Product Best Practices team helped produce this response. Read more about example use cases in the Splunk Platform Use Cases manual.

For more information on this and other examples, download the free Splunk Security Essentials app on Splunkbase.

Security analysts can detect users who might consider leaving before they give notice, which can give you the opportunity to fix problems for an unhappy employee or prevent exfiltration of sensitive data that might happen before an employee gives notice.

Load data

How to implement: This example use case depends on next-generation firewall data, web proxy data, or both.

Install the add-on(s) that correspond to the next-generation firewall, web proxy devices, or both. Some examples you can find on Splunkbase include Splunk Add-on for Check Point OPSEC LEA, Splunk Add-on for Symantec Blue Coat ProxySG, and the Palo Alto Networks Add-on for Splunk. Some add-ons in this answer are not Splunk-supported, but are available for download from Splunkbase as an open-source tool. See their entry in Splunkbase for more information. Follow the documentation of the respective add-on to install it and to collect data.

Best practice: For all of the data inputs, specify a desired target index to provide a more sustainable practice for data access controls and retention models. By default, Splunk collects the data in the default index named main.

Data check: Run the following search to verify you are searching for normalized web data that is ready for this use case:

earliest=-1day index=* tag=web
| head 10

Get insights

Search your logs to find signs of job hunting, which may indicate that a user is a potential flight risk, or may plan to leave before they give notice. Correlate results from this search with other risky events, such as data exfiltration alerts coming from your Data Loss Prevention (DLP) or your User and Entity Behavior Analytics (UEBA) systems. Consider these scenarios when you set up this search:

  • Browsing to Job Hunting Sites over Multiple Days: Recruiters may spend their entire days on job hunting sites. However, most users rarely visit job hunting sites.

  • Searching for "Interview Questions": Many users review common interview questions or similar resources when they begin a job search.

  • Browsing to the Top Results for Interview Questions: Most organizations can't introspect Google searches because of their implementation of HTTPS with certificate pinning. However, you can see if users click on the top results for those queries.

Run the following search.

index=* tag=web category=job-search 
| bucket _time span=1d
| stats dc(_time) AS num_days, values(app), count AS num_connections BY user
| where num_days>1

Best practice: In searches, replace the asterisk in index=* with the name of the index that contains the data. By default, Splunk stores data in the main index. Therefore, index=* becomes index=main. Use the OR operator to specify one or multiple indexes to search. For example, index=main OR index=security. See About managing indexes and How indexing works in Splunk docs for details.

Known false positives: This search generates false positives when a user is helping a friend who is job hunting, or when they are interviewing a candidate. To reduce the number of false positives, build correlation searches that tune out false positiv

How to respond: This search runs multiple checks that you can tune according to your needs. Correlate results from this search with other risky events using the Risk Framework in ES or the Threat Models in UBA.

Help

If no results appear, it may be because the add-ons were not deployed to the search heads, so the needed tags and fields are not defined. Deploy the add-ons to the search heads to access the needed tags and fields. See About installing Splunk add-ons in the Splunk Add-ons manual.

For troubleshooting tips that you can apply to all add-ons, see Troubleshoot add-ons in the Splunk Add-ons manual.

For more support, post a question to the Splunk Answers community.

View solution in original post

Ultra Champion

The Splunk Product Best Practices team helped produce this response. Read more about example use cases in the Splunk Platform Use Cases manual.

For more information on this and other examples, download the free Splunk Security Essentials app on Splunkbase.

Security analysts can detect users who might consider leaving before they give notice, which can give you the opportunity to fix problems for an unhappy employee or prevent exfiltration of sensitive data that might happen before an employee gives notice.

Load data

How to implement: This example use case depends on next-generation firewall data, web proxy data, or both.

Install the add-on(s) that correspond to the next-generation firewall, web proxy devices, or both. Some examples you can find on Splunkbase include Splunk Add-on for Check Point OPSEC LEA, Splunk Add-on for Symantec Blue Coat ProxySG, and the Palo Alto Networks Add-on for Splunk. Some add-ons in this answer are not Splunk-supported, but are available for download from Splunkbase as an open-source tool. See their entry in Splunkbase for more information. Follow the documentation of the respective add-on to install it and to collect data.

Best practice: For all of the data inputs, specify a desired target index to provide a more sustainable practice for data access controls and retention models. By default, Splunk collects the data in the default index named main.

Data check: Run the following search to verify you are searching for normalized web data that is ready for this use case:

earliest=-1day index=* tag=web
| head 10

Get insights

Search your logs to find signs of job hunting, which may indicate that a user is a potential flight risk, or may plan to leave before they give notice. Correlate results from this search with other risky events, such as data exfiltration alerts coming from your Data Loss Prevention (DLP) or your User and Entity Behavior Analytics (UEBA) systems. Consider these scenarios when you set up this search:

  • Browsing to Job Hunting Sites over Multiple Days: Recruiters may spend their entire days on job hunting sites. However, most users rarely visit job hunting sites.

  • Searching for "Interview Questions": Many users review common interview questions or similar resources when they begin a job search.

  • Browsing to the Top Results for Interview Questions: Most organizations can't introspect Google searches because of their implementation of HTTPS with certificate pinning. However, you can see if users click on the top results for those queries.

Run the following search.

index=* tag=web category=job-search 
| bucket _time span=1d
| stats dc(_time) AS num_days, values(app), count AS num_connections BY user
| where num_days>1

Best practice: In searches, replace the asterisk in index=* with the name of the index that contains the data. By default, Splunk stores data in the main index. Therefore, index=* becomes index=main. Use the OR operator to specify one or multiple indexes to search. For example, index=main OR index=security. See About managing indexes and How indexing works in Splunk docs for details.

Known false positives: This search generates false positives when a user is helping a friend who is job hunting, or when they are interviewing a candidate. To reduce the number of false positives, build correlation searches that tune out false positiv

How to respond: This search runs multiple checks that you can tune according to your needs. Correlate results from this search with other risky events using the Risk Framework in ES or the Threat Models in UBA.

Help

If no results appear, it may be because the add-ons were not deployed to the search heads, so the needed tags and fields are not defined. Deploy the add-ons to the search heads to access the needed tags and fields. See About installing Splunk add-ons in the Splunk Add-ons manual.

For troubleshooting tips that you can apply to all add-ons, see Troubleshoot add-ons in the Splunk Add-ons manual.

For more support, post a question to the Splunk Answers community.

View solution in original post