Splunk Lantern

Configuring Alert Actions with the Google Chrome Add On for Splunk


You’re a SOC analyst who understands that as employees spend more time working in browsers, the chances of risky browser behavior impacting enterprise resiliency also increases. You are concerned about the following risky browser behavior and more:

  • Installing an extension that was impersonating a legitimate one and is now acting maliciously
  • Accessing content considered dangerous, malicious, banned, or unwanted
  • Opening, clicking, or visiting a URL that is considered deceptive or malicious
  • Updating an extension to the latest version that contains malicious code due to a recent acquisition by a malicious entity

You want to be able to automatically take action against any risky browser behavior by creating alerts with alert actions. Some examples of these actions include:

  1. Block extensions that are risky.
  2. Change policies on a user or device that is exhibiting suspicious behavior.
  3. Send an email to users who need to remove something from their device or receive training on safe browsing.
  4. Create a ticket in ServiceNow or Jira to document work and pass on to a responsible team.

Solution

The Google Chrome Add-on for Splunk and the Google Chrome App for Splunk help address these risks by:

  1. Bringing Chrome Threat and Data Protection events into Splunk and mapping them to the Splunk Common Information Model (CIM), so they correlate easily with other data sources and search efficiently.
  2. Providing prebuilt dashboards and analytics, such as the one below, to help investigate the most critical incidents: extension installs, malware transfers, and unsafe site visits.
  3. Alerting on the events that are the most important and automatically responding to these events with the following actions:
    1. Block extensions that are risky.
    2. Change policies on a user or device that is exhibiting suspicious behavior.
    3. Send an email to users who need to remove something from their device or receive training on safe browsing.
    4. Create a ticket in ServiceNow or Jira to document work and pass on to a responsible team.

Google Chrome Solution for Splunk features alert actions that enhance the security posture of your organization. Users can set up any kind of alert to get notified of unusual behavior. The solution equips them with tools to immediately remediate and minimize the risk.

The add-on provides actions that can change a user’s or managed browser’s organizational unit for quarantine and danger mitigation, or block a risky browser extension. These two examples of alert action usage in a typical alert setup are described below. To learn more about alerts, read Getting started with alerts.

Prerequisites

If you have not installed the add-on yet, see Getting started with the Google Chrome App for Splunk.

Move an organizational unit

Administrators in Google can use organizational units to manage devices and policies. Making use of this feature can help mitigate security risks.

  1. To create a new alert to monitor unsafe site visit events, navigate to Settings > Searches, Reports, and Alerts, then click New Alert.
  2. Configure the alert to search for events with eventtype="unsafe_site_visit", and set it to run on the desired schedule.
  3. In the Trigger Actions section, click Add Actions and add a custom trigger: "Google Chrome - Move to OU".
  4. Configure the scope to target the desired object: the user, the managed browser, or both.
    Keep this setting at its default (both) unless you have a specific reason to move only one type of object.
  5. Select the service account that will be used to call the Chrome API.
  6. Select the target Organizational Unit Path.

Now, whenever an unsafe site visit event occurs, the user or device is automatically moved into the account purgatory organizational unit for quarantine, reducing the security risk.

Block an extension

The Chrome Browser Cloud Management (CBCM) console allows administrators to block extensions. To learn more about this feature, see Allow or block apps and extensions in the Google documentation.

  1. To create a new alert to monitor extension install events, navigate to Settings > Searches, Reports, and Alerts, then click New Alert.
  2. Configure the alert to search for events with eventtype="extension_install", and use the chrome extension risk summary lookup to find the highest-risk permission that the extension requests.
  3. Set the alert to run on the desired schedule.
  4. In the Trigger Actions section, click Add Actions and add the custom trigger action "Google Chrome - Block Extension".
  5. Select the service account that will be used to call the Chrome API.
  6. Select the target Organizational Unit Path where the extension will be blocked.
    Remember that policies set on a parent organizational unit are inherited by its child units, so a block applied at this path also takes effect in every unit beneath it.

Now any extension installed with a high-risk permission is automatically blocked for all users and devices within the chosen organizational unit and its descendants.
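The two alert workflows above (move a user or browser to a quarantine OU after an unsafe site visit, and block an extension by its riskiest permission) can be modelled offline to reason about what the actions will touch before wiring them into a live alert. The following is an added example, not code from the Google Chrome Add-on for Splunk or from Google; the event fields, the permission-risk table, the quarantine OU path and the extension IDs are constructed assumptions standing in for the real CIM-mapped events and the add-on's risk summary lookup.

```python
"""Added example (not the add-on's code): offline model of the two alert
workflows. Field names, the risk table, OU paths and extension IDs are
constructed assumptions, not values from the Google Chrome Add-on for Splunk."""

from dataclasses import dataclass

# Constructed permission-risk lookup standing in for the add-on's risk summary
# lookup (assumption: the real lookup uses different names and scores).
PERMISSION_RISK = {
    "storage": 1,
    "tabs": 3,
    "cookies": 6,
    "webRequest": 7,
    "nativeMessaging": 8,
    "<all_urls>": 9,
}
HIGH_RISK_THRESHOLD = 7  # assumption: tune to the lookup actually in use

# Constructed OU tree. "/" is the root; a policy at a path is inherited below it.
ALL_OUS = ["/", "/Engineering", "/Engineering/Web", "/Sales", "/Sales/EMEA"]
QUARANTINE_OU = "/Quarantine"  # assumption: the page's example uses "account purgatory"


@dataclass(frozen=True)
class ExtensionInstall:  # one eventtype=extension_install result (constructed shape)
    user: str
    ou_path: str
    extension_id: str
    permissions: tuple


@dataclass(frozen=True)
class UnsafeSiteVisit:  # one eventtype=unsafe_site_visit result (constructed shape)
    user: str
    ou_path: str
    url_host: str


# Constructed sample events; extension IDs are placeholders, not real IDs.
SAMPLE_EVENTS = [
    ExtensionInstall("alice", "/Engineering/Web", "constructed-ext-1", ("storage", "tabs")),
    ExtensionInstall("bob", "/Engineering", "constructed-ext-2", ("cookies", "<all_urls>")),
    ExtensionInstall("carol", "/Sales", "constructed-ext-2", ("cookies", "<all_urls>")),
    ExtensionInstall("dave", "/Sales/EMEA", "constructed-ext-3", ("nativeMessaging", "storage")),
]
SAMPLE_VISITS = [
    UnsafeSiteVisit("erin", "/Sales/EMEA", "malicious.example"),
    UnsafeSiteVisit("alice", "/Engineering/Web", "phish.example"),
    UnsafeSiteVisit("erin", "/Sales/EMEA", "malicious.example"),  # repeat visit
]


def highest_risk_permission(permissions):
    """Return (permission, score) for the riskiest permission requested.
    Unknown permissions score 0, mirroring a lookup miss."""
    best = ("", 0)
    for perm in permissions:
        score = PERMISSION_RISK.get(perm, 0)
        if score > best[1]:
            best = (perm, score)
    return best


def extensions_to_block(events, threshold=HIGH_RISK_THRESHOLD):
    """Map extension_id -> details for installs whose riskiest permission meets
    the threshold; one entry per extension no matter how many users installed it."""
    blocked = {}
    for ev in events:
        perm, score = highest_risk_permission(ev.permissions)
        if score >= threshold:
            entry = blocked.setdefault(
                ev.extension_id, {"permission": perm, "score": score, "users": set()}
            )
            entry["users"].add(ev.user)
    return blocked


def ous_reached_by_block(target_ou, all_ous):
    """Because policy is inherited, a block placed at target_ou reaches every OU
    at or below that path. Returns them sorted so the blast radius is visible."""
    prefix = target_ou.rstrip("/") + "/"
    return sorted(ou for ou in all_ous if ou == target_ou or ou.startswith(prefix))


def move_to_ou_actions(visits, quarantine_ou=QUARANTINE_OU):
    """Plan one Move-to-OU action per user (not per event), skipping users
    already in the quarantine OU. Returns user -> (from_ou, to_ou)."""
    actions = {}
    for visit in visits:
        if visit.ou_path == quarantine_ou or visit.user in actions:
            continue
        actions[visit.user] = (visit.ou_path, quarantine_ou)
    return actions


if __name__ == "__main__":
    for ext_id, info in extensions_to_block(SAMPLE_EVENTS).items():
        print(f"block {ext_id}: {info['permission']} (score {info['score']}) users={sorted(info['users'])}")
    print("block at /Engineering reaches:", ous_reached_by_block("/Engineering", ALL_OUS))
    print("move actions:", move_to_ou_actions(SAMPLE_VISITS))
```

Running the block shows why step 6 matters: a block placed at `/Engineering` also reaches `/Engineering/Web`, while a block at `/Sales/EMEA` touches only that unit. The de-duplication in `move_to_ou_actions` is the same reason the alert's schedule and throttling settings deserve attention: a user who triggers several unsafe-visit events should produce one move, not several.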

Next steps

Still need help? Check out some of the resources below or email our team directly at splunkchrome-external@google.com.