
Example of how to track access to sensitive web-based resources?

Ultra Champion

Does anyone have examples of how to use Splunk to track access to sensitive web-based resources?

0 Karma
1 Solution

Ultra Champion

The Splunk Product Best Practices team helped produce this response. Read more about example use cases in the Splunk Platform Use Cases manual.

For more information on this and other examples, download the free Splunk Security Essentials app on Splunkbase.

Track access to sensitive systems, like those with personally identifiable information or GDPR-sensitive data. Access to sensitive resources can indicate a vulnerability or even a data breach. Additionally, access to sensitive systems in clear text (not encrypted) is of additional concern since such traffic can be observed by bad actors.

General Data Protection Regulation (GDPR) regulates the processing of personal data. To comply with GDPR requirements, organizations must maintain records and audit trails for end-to-end processing of personal data. They must also show compliance if there is a privacy audit and compensate individuals impacted if there is a security breach. See GDPR Compliance with Splunk for more details about meeting your compliance needs.

Load data

How to implement: This example use case requires data from firewall devices.

Install the add-on(s) that correspond to the firewall devices used in your data center. Find these and other add-ons on Splunkbase: Splunk Add-on for Check Point OPSEC LEA, Splunk Add-on for Cisco ASA, and the Palo Alto Networks Add-on for Splunk. Some add-ons in this answer are not Splunk-supported, but are available for download from Splunkbase as an open-source tool. See their entry in Splunkbase for more information. Follow the documentation of the respective add-on to install it and to collect data.

Best practice: For all of the data inputs, specify a desired target index to provide a more sustainable practice for data access controls and retention models. By default, Splunk collects the data in the default index named main.

Data check: Run the following search to verify you are searching for normalized network data that is ready for this use case:

earliest=-1day index=* tag=network tag=communicate
| head 10

Get insights

The example search here shows unencrypted traffic to Workday resources. Replace workday with an app represented in your firewall data. Remove dest_port!=443 to search across both encrypted and unencrypted traffic.

Run the following search.

index=* tag=network tag=communicate dest_port!=443 app=workday*
| table _time user bytes* src_ip dest_ip

Best practice: In searches, replace the asterisk in index=* with the name of the index that contains the data. By default, Splunk stores data in the main index. Therefore, index=* becomes index=main. Use the OR operator to specify one or multiple indexes to search. For example, index=main OR index=security. See About managing indexes and How indexing works in Splunk docs for details.

Help

See the video "track access to sensitive web-based resources" for more details related to this use case.

The search looks for firewall events when users access Workday. Modify the search to look in destinations that contain sensitive data, such as cloud providers, databases, and so on.

If no results appear, it may be because the add-ons were not deployed to the search heads, so the needed tags and fields are not defined. Deploy the add-ons to the search heads to access the needed tags and fields. See About installing Splunk add-ons in the Splunk Add-ons manual.

For troubleshooting tips that you can apply to all add-ons, see Troubleshoot add-ons in the Splunk Add-ons manual.

For more support, post a question to the Splunk Answers community.


0 Karma
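The search from the accepted answer, re-implemented as an added Python example (this is not code from the original post, from Splunk, or from Splunk Security Essentials) over a few constructed CIM-style firewall events, so the matching rules can be checked without a Splunk instance. Field names follow the Splunk CIM Network Traffic data model; the sample events, usernames, and IP addresses are made up for the example.

```python
"""Added example, not part of the original Splunk Answers post.

Re-implements the logic of the search from the answer

    index=* tag=network tag=communicate dest_port!=443 app=workday*
    | table _time user bytes* src_ip dest_ip

in plain Python over constructed, CIM-style key=value events, so that the
matching rules (trailing wildcard on app, the `!=` port test) can be
inspected offline.  Field names follow the Splunk CIM Network Traffic
model; the sample lines themselves are constructed, not real firewall data.
"""
import re
from fnmatch import fnmatchcase
from typing import Dict, List

# Constructed sample events: what tag=network tag=communicate would return
# after the firewall add-on has normalised the raw log.  Not real data.
SAMPLE_EVENTS = [
    "_time=2023-05-01T08:00:00Z user=alice app=workday-web dest_port=80 "
    "src_ip=10.0.0.5 dest_ip=203.0.113.10 bytes_in=1200 bytes_out=540",
    "_time=2023-05-01T08:01:00Z user=bob app=Workday-web dest_port=443 "
    "src_ip=10.0.0.6 dest_ip=203.0.113.10 bytes_in=8800 bytes_out=910",
    "_time=2023-05-01T08:02:00Z user=carol app=workday-mobile dest_port=8080 "
    "src_ip=10.0.0.7 dest_ip=203.0.113.11 bytes_in=300 bytes_out=120",
    "_time=2023-05-01T08:03:00Z user=dave app=salesforce dest_port=80 "
    "src_ip=10.0.0.8 dest_ip=198.51.100.20 bytes_in=400 bytes_out=200",
    # The add-on did not extract dest_port for this event.
    "_time=2023-05-01T08:04:00Z user=erin app=workday-web "
    "src_ip=10.0.0.9 dest_ip=203.0.113.10 bytes_in=50 bytes_out=10",
]

# Columns of `| table _time user bytes* src_ip dest_ip`.
TABLE_FIELDS = ("_time", "user", "bytes_in", "bytes_out", "src_ip", "dest_ip")

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value line into a field dict."""
    return dict(KV_RE.findall(line))


def field_matches(event: Dict[str, str], field: str, pattern: str) -> bool:
    """SPL `field=pattern` in the search command: the field must exist, the
    comparison is case-insensitive and `*` is a wildcard (app=workday*)."""
    value = event.get(field)
    return value is not None and fnmatchcase(value.lower(), pattern.lower())


def port_filter_passes(event: Dict[str, str], mode: str) -> bool:
    """Model the three ways the answer's port clause can be written.

    "ne"     -> dest_port!=443    : field must be PRESENT and differ from 443;
                                    events with no dest_port are dropped.
    "not_eq" -> NOT dest_port=443 : also passes when the field is absent.
    "any"    -> clause removed    : encrypted and unencrypted traffic alike.
    """
    port = event.get("dest_port")
    if mode == "ne":
        return port is not None and port != "443"
    if mode == "not_eq":
        return port != "443"  # None != "443" is True
    if mode == "any":
        return True
    raise ValueError(f"unknown port filter mode: {mode}")


def find_sensitive_access(lines: List[str], app_pattern: str = "workday*",
                          port_mode: str = "ne") -> List[Dict[str, str]]:
    """Return the rows the `table` command would show, one per matching event."""
    rows = []
    for line in lines:
        event = parse_event(line)
        if not field_matches(event, "app", app_pattern):
            continue
        if not port_filter_passes(event, port_mode):
            continue
        rows.append({f: event.get(f, "") for f in TABLE_FIELDS})
    return rows


if __name__ == "__main__":
    for mode in ("ne", "not_eq", "any"):
        users = [r["user"] for r in find_sensitive_access(SAMPLE_EVENTS, port_mode=mode)]
        print(f"{mode:7s} -> {users}")
```

Two things the model makes visible. First, `dest_port!=443` in SPL only returns events that have a dest_port field, so if the add-on is not extracting that field (for example because it was never deployed to the search head, as the answer's Help section notes) the search returns nothing rather than everything; `NOT dest_port=443` keeps those events. Second, the port is only a proxy for encryption: where the firewall add-on decodes the application itself (Palo Alto app-id, for instance), filter on that field rather than on the port alone.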


Ultra Champion

I've updated this answer to also cover unencrypted traffic to the same sensitive resources.

0 Karma