
Example of how to detect large web uploads?

adukes_splunk
Splunk Employee

Does anyone have examples of how to use Splunk to detect large web upload exfiltrations?

1 Solution

adukes_splunk
Splunk Employee

The Splunk Product Best Practices team helped produce this response. Read more about example use cases in the Splunk Platform Use Cases manual.

For more information on this and other examples, download the free Splunk Security Essentials app on Splunkbase.

Data exfiltration usually occurs over standard channels in most organizations because users upload data to Google, Dropbox, Box, smaller file sharing sites, or unlisted drop sites. Since HTTPS is always allowed out, exfiltration becomes easy and it's easy to detect those big transfers!

This use case is from the Splunk Security Essentials app. Check it out for more examples and demo data for this type of use case.

Finding Large Web Uploads

Load data

This use case leverages the Palo Alto Networks Add-on for Splunk. Install the add-on and enable the inputs to collect data.

Get insights

This search uses a basic threshold to detect a large web upload that can be exfiltration from malware or a malicious insider using the standard sourcetypes for Palo Alto Networks.

Best practice: In the searches below, replace the asterisk in index=* with the name of the index that contains the data. By default, Splunk stores data in the main index. Therefore, index=* becomes index=main. Use the OR operator to specify one or multiple indexes to search. For example, index=main OR index=security. See About managing indexes and How indexing works in Splunk docs for details.

Number of File Uploads

index=* (sourcetype=pan:traffic OR (tag=web tag=proxy) OR (sourcetype=opsec "URL Filtering") OR sourcetype=bluecoat:proxysg* OR sourcetype=websense*) earliest=-10m
| where bytes_out>300000
| where 2 * bytes_out > bytes_in
| stats count sum(bytes_*) as bytes_* by src_ip
| stats sum(count) as Number_File_Uploads

Source IPs Uploading the Most

index=* (sourcetype=pan:traffic OR (tag=web tag=proxy) OR (sourcetype=opsec "URL Filtering") OR sourcetype=bluecoat:proxysg* OR sourcetype=websense*) earliest=-10m
| where bytes_out>300000
| where 2 * bytes_out > bytes_in
| stats count sum(bytes_*) as bytes_* by src_ip
| sort - bytes_out

Known false positives: These simple searches can fire for innocent occurrences such as uploading vacation photos. Many organizations try to filter this behavior by focusing on users who are on a watchlist either because they have access to sensitive data, for example executives and scientists, or because of the employee’s status in the organization. For example, employees with a performance plan, notice given, or contract ending are at greater risk of data exfiltration. Implement such filtering watchlists using lookups.

How to respond: When this fires, it usually happens for perfectly legitimate reasons. Many analysts look at where the data was sent and whether the user has uploaded data to that site before. Often analysts call the user to confirm the activity, preferably with knowledge of that employee's status in the organization. If you have SSL inspection turned on from the NGFW or DLP for that site, you can sometimes see the actual files that were transferred, which can help provide context.

If no results appear, you may need to deploy the Palo Alto Networks Add-on for Splunk to the search heads to use the knowledge objects necessary for simple searching.


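To make the threshold logic in the answer concrete, here is an added Python example (not part of the original answer and not code from Splunk Security Essentials) that re-implements the two searches above over a few constructed firewall session records, then applies the watchlist filtering the answer recommends doing with a lookup, and finally lists the destinations for one source as a triage step. The record layout, IP addresses, hostnames and watchlist entries are invented for the demo; only the CIM field names (src_ip, dest, bytes_in, bytes_out) and the thresholds (bytes_out > 300000, 2 * bytes_out > bytes_in) come from the searches.

```python
"""Large web upload detection, re-implemented in Python from the SPL searches.

All data here is constructed for the example: the dict layout is NOT the real
pan:traffic format, and the hosts, IPs and watchlist reasons are made up.
"""
from collections import defaultdict

# Constructed sample session records (one per firewall/proxy log line).
SAMPLE_EVENTS = [
    {"src_ip": "10.1.1.10", "dest": "files.example-drop.net", "bytes_out": 1_800_000, "bytes_in": 42_000},
    {"src_ip": "10.1.1.10", "dest": "files.example-drop.net", "bytes_out": 2_200_000, "bytes_in": 38_000},
    # A large download: bytes_out is above 300000 but dwarfed by bytes_in.
    {"src_ip": "10.1.1.22", "dest": "cdn.example-video.com", "bytes_out": 350_000, "bytes_in": 9_000_000},
    {"src_ip": "10.1.1.31", "dest": "photos.example-share.com", "bytes_out": 900_000, "bytes_in": 120_000},
    # Ordinary browsing: well under the byte threshold.
    {"src_ip": "10.1.1.40", "dest": "www.example.com", "bytes_out": 12_000, "bytes_in": 300_000},
]

# Threshold taken from `| where bytes_out>300000` in the SPL.
MIN_BYTES_OUT = 300_000


def is_large_upload(event, min_bytes_out=MIN_BYTES_OUT):
    """Mirror of `| where bytes_out>300000 | where 2 * bytes_out > bytes_in`.

    The ratio test is what separates an upload from a download whose request
    overhead (ACKs, range requests) happens to exceed the byte threshold.
    """
    return event["bytes_out"] > min_bytes_out and 2 * event["bytes_out"] > event["bytes_in"]


def uploads_by_src(events, min_bytes_out=MIN_BYTES_OUT):
    """Mirror of `| stats count sum(bytes_*) as bytes_* by src_ip | sort - bytes_out`.

    Returns (src_ip, count, bytes_out, bytes_in) tuples, largest bytes_out first.
    """
    agg = defaultdict(lambda: {"count": 0, "bytes_out": 0, "bytes_in": 0})
    for ev in events:
        if not is_large_upload(ev, min_bytes_out):
            continue
        row = agg[ev["src_ip"]]
        row["count"] += 1
        row["bytes_out"] += ev["bytes_out"]
        row["bytes_in"] += ev["bytes_in"]
    return sorted(
        ((ip, r["count"], r["bytes_out"], r["bytes_in"]) for ip, r in agg.items()),
        key=lambda t: t[2],
        reverse=True,
    )


def number_file_uploads(events, min_bytes_out=MIN_BYTES_OUT):
    """Mirror of the first search's final `| stats sum(count) as Number_File_Uploads`."""
    return sum(row[1] for row in uploads_by_src(events, min_bytes_out))


# Constructed watchlist standing in for the lookup the answer recommends:
# src_ip -> why this host/user is being watched (hypothetical entries).
WATCHLIST = {
    "10.1.1.10": "contract ending 2024-06-30",
    "10.1.1.55": "access to R&D file share",
}


def watchlisted_uploads(events, watchlist=WATCHLIST, min_bytes_out=MIN_BYTES_OUT):
    """Equivalent of joining the aggregated rows against the watchlist lookup
    and keeping only matches, annotated with the watchlist reason."""
    return [
        (ip, count, b_out, b_in, watchlist[ip])
        for ip, count, b_out, b_in in uploads_by_src(events, min_bytes_out)
        if ip in watchlist
    ]


def destinations_for(events, src_ip, min_bytes_out=MIN_BYTES_OUT):
    """Triage helper for the 'how to respond' step: where did this source's
    large uploads go? Returns the sorted set of destination hosts."""
    return sorted({
        ev["dest"] for ev in events
        if ev["src_ip"] == src_ip and is_large_upload(ev, min_bytes_out)
    })


if __name__ == "__main__":
    print("Number_File_Uploads:", number_file_uploads(SAMPLE_EVENTS))
    for row in uploads_by_src(SAMPLE_EVENTS):
        print("src_ip=%s count=%d bytes_out=%d bytes_in=%d" % row)
    for row in watchlisted_uploads(SAMPLE_EVENTS):
        print("WATCHLIST HIT: src_ip=%s count=%d bytes_out=%d bytes_in=%d reason=%s" % row)
    print("destinations for 10.1.1.10:", destinations_for(SAMPLE_EVENTS, "10.1.1.10"))
```

Run against the constructed records, the 350000-byte session from 10.1.1.22 is dropped by the ratio test even though it clears the byte threshold, which is the point of the second where clause; the watchlist then narrows three upload sessions from two sources down to the one source that is on the list.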


adukes_splunk
Splunk Employee

Added related video.
