Track high risk behavior using lookups
This is the first step in the Isolate user behaviors that pose threats with risk-based alerting scenario.
Ram tracks high risk users by creating lookups with specific fields that help monitor suspicious behavior as follows:
- First, Ram adds calculated fields to events at search time to identify high value files that contain sensitive or confidential information.
Ram uses these fields to score files with the following logic. Because match() takes a regular expression, the keywords are joined with the | alternation operator rather than listed with commas, which would only match that exact comma-separated string:
if(match(file, "CONFIDENTIAL|SENSITIVE|IMPORTANT"), "1", "0")
If a file name carries a confidential, sensitive, or important marker, Ram assigns it a score of 1; otherwise Ram assigns it a score of 0.
- Next, Ram searches for references to information about competitors using the following logic:
if(match(file, "Other_Company|Not_as_Good|Product_Stinks"), "1", "0")
Often, threats exist in the data flowing into an organization through new employees. New employees might bring confidential information that they plan to use for building products. Knowing that this behavior might lead to legal problems for Buttercup Games in the future, Ram monitors the network to identify such high risk users.
Through partnerships with cross-functional organizations, Ram has already determined the typical risk indicators that might point to an insider threat. For example:
- A manager reporting an employee for engaging in suspicious activities.
- Terminated employees.
- Employees working on sensitive projects, such as mergers and acquisitions, that can have financial implications for the company.
- Finally, with this information, Ram creates the following lookup to track high risk users that need additional monitoring.
index=risk | lookup high_risk_user.csv user OUTPUT hru_status notes date_added | search hru_status="active"
This lookup tracks the following fields:
- Username
- Date added
- Status (active or not active)
- Notes
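The three steps above combined into a single search, as an added example that is not from the original page or from Splunk: the two scoring fields are computed inline with eval, only events that hit either keyword list are kept, the events are enriched from the high-risk user lookup, and the result is limited to users whose status is active. The index and sourcetype name file_access, the field names confidential_file and competitor_ref, and the (?i) case-insensitive prefix are assumptions; the lookup is assumed to be a CSV with the columns user, hru_status, notes, and date_added described above.

```spl
index=file_access sourcetype=file_access
| eval confidential_file=if(match(file, "(?i)CONFIDENTIAL|SENSITIVE|IMPORTANT"), 1, 0)
| eval competitor_ref=if(match(file, "(?i)Other_Company|Not_as_Good|Product_Stinks"), 1, 0)
| where confidential_file=1 OR competitor_ref=1
| lookup high_risk_user.csv user OUTPUT hru_status notes date_added
| search hru_status="active"
| stats count AS file_hits sum(confidential_file) AS confidential_hits sum(competitor_ref) AS competitor_hits values(file) AS files latest(date_added) AS date_added latest(notes) AS notes BY user
| sort -confidential_hits
```

In the setup this page describes, the two eval expressions live as calculated fields (EVAL-confidential_file and EVAL-competitor_ref stanzas in props.conf) so that every search on the sourcetype sees them without repeating the logic; they are inlined here only so the example runs as one self-contained search. Drop the (?i) prefix if the file naming convention is case-sensitive, and note that a user absent from the lookup gets no hru_status at all and is therefore excluded by the final search, which is the intended behavior for a watch list.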
Ram keeps the lookup up to date, adds comments as required based on any new information received, and limits access to the lookup to a few individuals. To edit lookups, Ram uses the Splunk App for Lookup File Editing from Splunkbase.
When an alert gets triggered, Ram outputs specific fields from the lookup and runs them against the risk index to determine whether to escalate the investigation.
Next step
Assign risk scores to high risk users
See also
For more information on using lookups and calculated fields, see the product documentation:
Creating lookups to reduce noisy alert volume
About calculated fields in the Splunk Enterprise Knowledge Manager Manual
This documentation applies to the following versions of Splunk® Enterprise Security: 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2