
Example of how to review unencrypted web activity?

Ultra Champion

Does anyone have examples of how to use Splunk to review unencrypted web activity?


Ultra Champion

This answer has been merged into Example of how to track access to sensitive web-based resources?. That post originally covered all traffic but has now been enhanced to cover this topic, unencrypted traffic.


Ultra Champion

The Splunk Product Best Practices team helped produce this response. Read more about use case examples in Splunk® Platform Use Cases on Splunk Docs.

This use case is from the Splunk Security Essentials app. For more examples, see the Splunk Security Essentials on Splunkbase.

Access to In-Scope Unencrypted Resources

Load data

How to implement: How you set up this capability varies from system to system. Tracking access through firewall connections is a popular approach. However, using application logs provides more granular access. Ensure that all data flows are encrypted, including backups, remote management, and so on. Consider working with your auditor and Splunk Professional Services for complicated situations.

Data check: This use case requires firewall data with an app field and workday data source. However, you can modify the search for your environment.

Get insights

Unencrypted communications can make your environment vulnerable to a data breach. Ensure that all connections are encrypted when users access PII data.

Use the following search:

index=* tag=network tag=communicate app=workday* dest_port!=443
| table _time user app bytes* src_ip dest_ip dest_port

Best practice: In searches, replace the asterisk in index=* with the name of the index that contains the data. By default, Splunk stores data in the main index. Therefore, index=* becomes index=main. Use the OR operator to specify one or multiple indexes to search. For example, index=main OR index=security. See About managing indexes and How indexing works in Splunk docs for details.

How to respond: Identify the reason and method used to access the application over an insecure connection. For in-house apps, identify the configuration settings. For SaaS apps, analyze your communication paths for a proxy that sends in cleartext or potentially note a major bug in a SaaS provider.

Help

This example looks for someone using Workday to download data over an unencrypted connection using the standardized source types for Palo Alto Networks or the Common Information Model. You can search for destinations that have sensitive data, including your cloud providers, databases, and so on.

This search requires firewall or Netflow data to run. By default, you're checking for Common Information Model compliant data and manually specifying the standard source types for Check Point, Palo Alto Networks, and Cisco ASAs. Specify the index and source type in the search to improve performance. You can accelerate with the Common Information Model. This search looks for firewall logs, but with the added filter of making sure that an app is defined. This search is also looking for firewall logs with an added filter to ensure the Workday app exists in the data.

If no results appear, deploy the Add-ons to the search heads to access the knowledge objects necessary for simple searching. See About installing Splunk add-ons on Splunk Docs for assistance.

For more support, post a question to the Splunk Answers community.

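The search in the answer above, reproduced as an added Python example (not the page's or Splunk's code) over constructed CIM-style firewall events, so the filter logic can be checked offline: the app=workday* wildcard, the dest_port!=443 test, and the SPL rule that field!=value drops events where the field is missing entirely (the reason the data check asks for a dest_port field). The sample events and the data_check helper are assumptions for illustration.

```python
import re

# Constructed sample events in key=value layout, with fields already normalized
# to Common Information Model names (src_ip, dest_ip, dest_port, app, bytes_*).
# These are not real Workday or firewall records.
SAMPLE_EVENTS = """\
_time=2024-03-01T09:12:04Z user=alice app=workday src_ip=10.1.2.3 dest_ip=203.0.113.10 dest_port=443 bytes_in=5120 bytes_out=880
_time=2024-03-01T09:15:31Z user=bob app=workday-reports src_ip=10.1.2.7 dest_ip=203.0.113.10 dest_port=80 bytes_in=204800 bytes_out=1200
_time=2024-03-01T09:16:02Z user=carol app=salesforce src_ip=10.1.2.9 dest_ip=198.51.100.5 dest_port=80 bytes_in=3000 bytes_out=400
_time=2024-03-01T09:20:45Z user=dave app=workday src_ip=10.1.2.4 dest_ip=203.0.113.11 dest_port=8080 bytes_in=10240 bytes_out=700
_time=2024-03-01T09:21:10Z user=erin app=workday src_ip=10.1.2.5 dest_ip=203.0.113.10 bytes_in=99 bytes_out=50
"""

KV_RE = re.compile(r"(\w+)=(\S+)")
# "bytes*" in the SPL table command expands to the byte-count fields present in the data.
TABLE_FIELDS = ["_time", "user", "app", "bytes_in", "bytes_out", "src_ip", "dest_ip", "dest_port"]


def parse_events(raw):
    """Yield one dict per non-empty key=value line."""
    for line in raw.splitlines():
        if line.strip():
            yield dict(KV_RE.findall(line))


def data_check(raw=SAMPLE_EVENTS):
    """Return the required fields that no event carries (empty set means the search can run)."""
    seen = set()
    for ev in parse_events(raw):
        seen.update(ev)
    return {"app", "dest_port"} - seen


def unencrypted_workday_access(raw=SAMPLE_EVENTS):
    """Mirror of: app=workday* dest_port!=443 | table _time user app bytes* src_ip dest_ip dest_port"""
    rows = []
    for ev in parse_events(raw):
        # app=workday* : wildcard match on the app field
        if not ev.get("app", "").startswith("workday"):
            continue
        # dest_port!=443 : in SPL, field!=value only matches events where the field
        # exists, so an event with no dest_port at all is dropped, not reported.
        if "dest_port" not in ev or ev["dest_port"] == "443":
            continue
        rows.append({f: ev.get(f) for f in TABLE_FIELDS})
    return rows


if __name__ == "__main__":
    for row in unencrypted_workday_access():
        print(row)
```

On the constructed sample, only bob (port 80) and dave (port 8080) are reported; alice used 443 and erin's event has no dest_port field.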

Ultra Champion

Update: I changed the video link to the YouTube version.
