Skip to main content
 
 
Splunk Lantern

Getting started with the Google Chrome App for Splunk

 

You’re a SOC analyst who understands that as employees spend more time working in browsers, the chances of risky browser behavior impacting enterprise resiliency increases. You are concerned about the following risky browser behavior and more:

  • Installing an extension that was impersonating a legitimate one and is now acting maliciously
  • Accessing content that is considered dangerous, malicious, banned, or unwanted
  • Opening, clicking, or visiting a URL that is considered deceptive or malicious
  • Updating an extension to the latest version that contains malicious code due to a recent acquisition by a malicious entity
  • Changing passwords or password entry into a URL outside of the allowed enterprise login URLs

The Google Chrome Add on for Splunk and Google Chrome App for Splunk are able to help address these risks by:

  1. Bringing Chrome Threat and Data Protection events into Splunk and mapping them to the Splunk Common Information Model (CIM) to allow for easy correlation with other data sources and maximum efficiency at search time. 
  2. Providing prebuilt dashboards and analytics to help investigate the most critical incidents of extension installs, malware transfer, unsafe site visits, and password reuse/change events.
  3. Alerting on the events that are the most important and automatically responding to these events with the following actions:
    1. Block extensions that are risky
    2. Change policies on a user or device that is exhibiting suspicious behavior
    3. Send an email to users who need to remove something from their device or receive training on safe browsing
    4. Create a ticket in ServiceNow or Jira to document work and pass on to a responsible team

Configuration 

Requirements 

Step 1: Prepare the Splunk platform

  1. In your Splunk instance, navigate to Settings > Data Inputs > HTTP Event Collector.
  2. Click New Token to issue a new token.
  3. Enter a name for the token, and leave the other fields as their default values. You do not need to select Enable indexer acknowledgement.
    clipboard_ead7ac85054da2de3fa7e53a59bffa8b9.png
  4. On the next page, leave the Source type set to Automatic, and either create a new or select an existing index for testing Chrome event ingestion. We recommend you create a new index for testing.
    clipboard_e4ea163fd302779976117457e4c0f6d74.png
  5. Click Review, then Submit if the information is correct.
  6. Copy the HEC token value for use in the next step.

Step 2: Set up the Splunk integration in Chrome Browser Cloud Management (CBCM)

Using the newly created Splunk HEC token, set up the Splunk reporting connector in the CBCM console. For instructions, see Getting started with the Splunk integration in Chrome Browser Cloud Management.  

It is also recommended that you update the browser reporting frequency from the default of 24 hours to the minimum of 3 hours so that extension data is reported more frequently. For more information, see Turn on Chrome browser reporting in the Google documentation. 

Step 3: Install and configure the service account and external lookup inputs

  1. Install the Google Chrome Add on for Splunk from Splunkbase. For instructions, see Install apps on your Splunk Cloud Platform deployment
    clipboard_e259e8146aaa4eb7fba7bc38c02606437.png
  2. Navigate to the Configuration panel in the Google Chrome Add-on for Splunk.
  3. Click Add to create a new service account configuration.
  4. Input the required credentials shown in the following screenshot. You can obtain these from the CBCM console.clipboard_e32f0f54d4e3354cabf0553ae27745c2d.png
  5. Navigate to the Inputs panel in the Google Chrome Add-on for Splunk.
  6. Click Create New Input and create the Extensions Lookup Query input. Use the Service Account that you saved in the Configuration panel. Then do the same to create the Organization Units Lookup Query input.
    clipboard_e4379aeab2c4c3044b8581690310518a8.png

Step 4: Verify the configuration

  1. If you have already set up the Splunk Reporting Connector in the Google Chrome Admin console, then there may already be events in the Splunk instance. Run a search for events using the test index with index="chrome_test"
  2. If there are no events, you can simulate chrome browser events using the website (Safe) Safe Browsing Testing Links.
  3. If there are still no events, then review and repeat the setup steps to ensure everything is configured correctly. 

Set up the Google Chrome App for Splunk

  1. In your Splunk instance, navigate to Apps > Find More Apps.
  2. Search “Google Chrome App for Splunk” and install. For instructions, see Install apps on your Splunk Cloud Platform deployment.
  3. Configure the chrome search macro to use the same index that the HEC token is configured for.
    1. Navigate to Settings > Advanced Search > Search Macros, and click chrome.
    2. If necessary, edit the search to change the value for the index field.
      clipboard_eec3db9439a1a3120bdf3b08917551c7b.png
    3. Verify that data has been ingested correctly by viewing one of the dashboards in the app and ensuring the visualizations are populated. 

FAQ

Q: What products do I need for this? 
    A: Splunk Core (version 8.1.x and above) and Chrome Browser Cloud Management

Q: Do I need to have Splunk Enterprise Security?
    A: Splunk Enterprise Security is not required. All events are CIM tagged so any Splunk Enterprise Security content built on the data models that an event is tagged to will populate with the tagged event.

Q: Is this a joint developed product with Google? 
    A: Yes, we jointly developed this product with Google Chrome.

Q: What types of events are ingested? Does this include ChromeOS events? 
    A: See all the different types of events here. Check out the ChromeOS App for Splunk and the events ingested here.

Q: What use cases does this app address?
    A: The app focuses on malware downloads, unsafe site visits, browser extensions, and password reuse/change events. All Chrome security log events are ingested and CIM tagged, allowing for ease of use for developing additional analytics and event population in content that references data models. We plan to address additional use cases in the future.

Q: Which browsers will this app work for?
    A: Chrome 110+ is required for extension events. Chrome 104+ is required for malicious download events.

Q: Where can I find this app? Will it be Splunk supported?
    A: In Splunkbase. It is Splunkworks supported.

Next steps

Now that you have the app running configured, the next best step is to configure alert actions, which you can learn how to do here.

Still need help? Check out some of the resources below or email our team directly at splunkchrome-external@google.com.