Skip to main content
 
 
 
Splunk Lantern

Configuring Alert Actions with the Google Chrome Add On for Splunk

 

You are a SOC analyst whose employees interact with Google Chrome in two different ways - through a browser and through ChromeOS devices. You're concerned about several different types of risky behavior that impact enterprise resiliency, including:

Risky browser behavior Risky ChromeOS behavior
  • Installing an extension that was impersonating a legitimate one and is now acting maliciously
  • Accessing content considered dangerous, malicious, or banned/unwanted
  • Opening, clicking, or visiting a URL that is considered deceptive or malicious
  • Updating an extension to the latest version that contains malicious code due to a recent acquisition by a malicious entity
  • Multiple failed login attempts on a device
  • USB peripherals added to an endpoint
  • Unaffiliated or unauthorized users added to a device or system
  • Multiple Chrome Remote Desktop sessions on a device
  • Logins from a guest or unaffiliated user
  • Multiple screenshot attempts

You want to be able to automatically take action against any risky behavior by creating alerts with alert actions. Whether you're looking at instances of risky browser or ChromeOS behavior, you want to be able to bring Chrome Threat and Data Protection events into the Splunk platform and map them to the Splunk Common Information Model (CIM) to allow for easy correlation with other data sources and maximum efficiency at search time. Other actions you want to accomplish:

Browser actions ChromeOS actions
  1. Access prebuilt dashboards and analytics to help investigate the most critical incidents of extension installs, malware transfer and unsafe site visits.
  2. Alert on events and respond automatically with the following actions:
    1. Block extensions that are risky.
    2. Change policies on a user or device that is exhibiting suspicious behavior.
    3. Send an email to users who need to remove something from their device or receive training on safe browsing.
    4. Create a ticket in ServiceNow or Jira to document work and pass on to a responsible team.

 

  1. Access pre-built dashboards and analytics to help investigate the most critical incidents of suspicious logins, device and session/endpoint activities.
  2. Alert on events and respond automatically with the following actions:
    1. Move a device to an organizational unit (OU)
    2. Move a user to an organizational unit (OU)
    3. Issue commands to
      1. Suspend users
      2. Wipe a device
      3. Wipe (delete) users
      4. Reboot a device
      5. Disable a device

 

Solution

The Google Chrome Solution for Splunk features alert actions that enhance the security posture of your organization. Users can set up any kind of alert to get notified of unusual behavior. The solution equips them with tools to immediately remediate and minimize the risk.

You'll use the Google Chrome App for Splunk to detect risky browser-based behaviour, and the Google ChromeOS App for Splunk to detect risky ChromeOS behavior. You can jump to the instructions below to detect risky browser behavior or detect risky ChromeOS behavior.

Prerequisites

To learn more about alerts, read Getting started with alerts.

Detecting risky browser behavior with the Google Chrome App for Splunk

Move an organizational unit

Administrators in Google can use organizational units to manage devices and policies. Making use of this feature can help mitigate security risks.

  1. To create a new alert to monitor unsafe site visit events, navigate to Settings > Searches, Reports, and Alerts, then click New Alert.
  2. Configure the alert to search for events with eventtype=”unsafe_site_visit”, and set to run on the desired schedule.
    clipboard_e9c36dd147464f306e1a6ef2688331a24.png
  3. In the Trigger Actions section, click Add Actions and add a custom trigger: "Google Chrome - Move to OU".
  4. Configure the scope to target the desired object: either the user, the managed browser, or both. 
    It is recommended to keep this setting at default (both) and use single type scope only within justified use cases.
  5. Select the service account that will be used to call the Chrome API.
    clipboard_eccad55d8694cf5c8a3aae90a46e44063.png
  6. Select the target Organizational Unit Path.

Now when an unsafe site visit event occurs, the user or device will be automatically quarantined in the account purgatory organizational unit so that the security risk is reduced.

Block an extension

The Chrome Browser Cloud Management (CBCM) console allows administrators to block extensions. To learn more about this feature, see Allow or block apps and extensions in the Google documentation.

  1. To create a new alert to monitor extension install events, navigate to Settings > Searches, Reports, and Alerts, then click New Alert.
  2. Configure the alert to search for events with eventtype=”extension_install”, and use the chrome extension risk summary lookup to search for the highest risk permission that the extension requests.
    clipboard_efac2d3c6b6e2595ef20104368d07821a.png
  3. Set the alert to run on the desired schedule.
  4. In the Trigger Actions section, click Add Actions and add the custom trigger action “Google Chrome - Block Extension”.
  5. Select the service account that will be used to call the Chrome API.
  6. Select target Organizational Unit Path where the extension will be blocked.
    Always take into consideration the inheritance of policies through a parent unit and its children.

Now any extension that is installed with a high risk permission will be automatically blocked for all users and devices within the chosen organizational unit.

Detecting risky ChromeOS behavior with the Google ChromeOS App for Splunk

For more information on working with alert actions including detailed process steps, see Splunk Docs.

Configuring alert actions

  1. Navigate to Settings > Searches, Reports, and Alerts.
  2. Select the App you want to use.
  3. Change the Owner filter value to All.
  4. Enable, edit, or create the alerts per your requirements.
  5. Select the required alert action from the list.

Using alert actions

Move a device within an organizational unit (OU) 

  1. Write an SPL query to search for relevant ChromeOS events. 
  2. Configure the alert schedule and other settings as appropriate, such as the alert description.
  3. Select Alert Action - Move Device to OU.
  4. On the configuration page of the add-on, select the target OU. The values are based on the OU lookup table, which needs to be populated via the modular data input. 
  5. Select Service Account set up.
  6. Click Save.

Issue commands to suspend users, wipe devices, reboot devices, or disable devices

  1. Write an SPL query to search for relevant ChromeOS events. 
  2. Configure the alert schedule and other settings as appropriate, such as the alert description.
  3. Select the alert action you want to set up:
    1. Alert Action - Suspend User
    2. Alert Action - Wipe Device
    3. Alert Action - Wipe User
    4. Alert Action - Reboot Device
    5. Alert Action - Disable Device
  4. On the configuration page of the add-on, select Service Account set up.
  5. Click Save.

Next steps

Still need help? Check out some of the resources below or email our team directly at splunkchrome-external@google.com.