Splunk Lantern

Spikes in printer activity in a Windows environment

You might need to see spikes in printer activity in a Windows environment when doing the following:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

A user who suddenly starts printing far more pages on networked printers than usual can be a sign of data exfiltration: sensitive data could be leaving your organization, literally in black-and-white. When a spike is detected you want details of the print jobs, including the destination printers, the source of the jobs, the names of the files printed, and even whether the output was black-and-white or color.

To optimize the search shown below, you should specify an index and a time range.

  1. Verify that you deployed the add-on to the search heads and Splunk Universal Forwarders on the monitored systems. For more information, see About installing Splunk add-ons.
  2. Ensure that the WinPrintMon://job input is enabled.
  3. Run the following search: 
sourcetype=WinPrintMon 
eventtype=printmon_windows
|bucket _time span=1d 
|stats sum(page_printed) AS Pages BY user _time 
|eventstats max(_time) AS maxtime 
|stats count AS num_data_samples max(eval(if(_time >= relative_time(maxtime, "-1d@d"), Pages,null))) AS Pages avg(eval(if(_time<relative_time(maxtime,"-1d@d"),Pages,null))) AS avg stdev(eval(if(_time<relative_time(maxtime,"-1d@d"),Pages,null))) AS stdev BY user 
|eval lowerBound=(avg-stdev*1), upperBound=(avg+stdev*1) 
|eval isOutlier=if((Pages < lowerBound OR Pages > upperBound) AND num_data_samples >=7, "Yes", "No") 
|table user num_data_samples Pages avg lowerBound upperBound isOutlier

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search | Explanation

sourcetype=WinPrintMon 

eventtype=printmon_windows

Search only printer data.

|bucket _time span=1d

Group data into bins that are 1-day spans. 

|stats sum(page_printed) AS Pages BY user _time

Calculate the total number of pages printed by each user per day. 

|eventstats max(_time) AS maxtime

Attach the latest day bucket in the whole result set to every row as maxtime. The next command uses it as the reference point that separates the most recent day from the historical baseline.

|stats count AS num_data_samples max(eval(if(_time >= relative_time(maxtime, "-1d@d"), Pages,null))) AS Pages avg(eval(if(_time<relative_time(maxtime,"-1d@d"),Pages,null))) AS avg stdev(eval(if(_time<relative_time(maxtime,"-1d@d"),Pages,null))) AS stdev BY user

Calculate the number of pages printed in the most recent day, then the average and the standard deviation of the daily totals for the earlier days, and count how many daily samples each user has (num_data_samples). Note that relative_time(maxtime, "-1d@d") snaps to the start of the day before the latest bucket, so the "recent" window actually spans the last two day buckets and max() keeps the larger of the two; the baseline excludes both of those days.

|eval lowerBound=(avg-stdev*1), upperBound=(avg+stdev*1)

Set the lower and upper bounds to the average minus and plus one standard deviation. One standard deviation is a tight band (for roughly normal data about a third of ordinary days fall outside it), so raise the multiplier to 2 or 3 if the search is noisy. A user whose daily totals have been identical has a standard deviation of 0, and any change at all will then be flagged.

|eval isOutlier=if((Pages < lowerBound OR Pages > upperBound) AND num_data_samples >=7, "Yes", "No")

Flag a user as an outlier (a spike, or a drop, in pages printed) when the most recent day's total falls outside the average plus or minus one standard deviation, and only when the user has at least 7 days of samples, so that a thin baseline does not produce false alarms.

|table user num_data_samples Pages avg lowerBound upperBound isOutlier

Display the results in a table with columns in the order shown.
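To make the search's arithmetic concrete, here is the same detection implemented in Python over constructed events. This is an added example, not code from Splunk Lantern or from the Splunk Add-on for Windows; the events, user names and daily page counts are made up, and only the three fields the search uses (_time, user, page_printed) are modelled. It reproduces the daily bucketing, the two-bucket "recent" window that relative_time(maxtime, "-1d@d") produces, the one-standard-deviation band and the num_data_samples >= 7 gate, and it includes two cases worth knowing about: a new account whose spike is suppressed by the gate, and a perfectly regular user whose zero standard deviation turns any change into an outlier.

```python
"""Python re-implementation of the per-user print-volume spike detection
that the SPL search above performs.

Added illustration: not code from Splunk Lantern or the Splunk Add-on for
Windows.  The events are constructed to resemble WinPrintMon job events, but
only the three fields the search uses are modelled: _time (epoch seconds),
user, and page_printed.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, stdev

DAY = 86400
# Constructed: first day of the sample window (UTC midnight).
BASE_DAY = int(datetime(2024, 3, 1, tzinfo=timezone.utc).timestamp())

# Constructed per-user daily page totals (day index -> pages) covering the
# edge cases discussed in the search explanation.
SAMPLE_DAILY_PAGES = {
    # steady, ordinary office printing
    "alice": {0: 10, 1: 14, 2: 12, 3: 8, 4: 15, 5: 11, 6: 13, 7: 9, 8: 12, 9: 11},
    # low-volume user who prints ~500 pages on the last day (the spike)
    "chuck": {0: 3, 1: 5, 2: 4, 3: 2, 4: 6, 5: 3, 6: 4, 7: 5, 8: 3, 9: 480},
    # new account: a big jump, but too little history for the >= 7 sample gate
    "dave": {7: 2, 8: 3, 9: 900},
    # perfectly regular history: stdev is 0, so the band has zero width
    "erin": {**{d: 20 for d in range(9)}, 9: 21},
}


def build_events(daily_pages, base_day=BASE_DAY):
    """Expand daily totals into job events, two jobs per day at 09:00 and
    15:00 UTC, so that the sum(page_printed) aggregation is exercised."""
    events = []
    for user, days in daily_pages.items():
        for day, pages in days.items():
            first = pages // 2
            for hour, n in ((9, first), (15, pages - first)):
                events.append({"_time": base_day + day * DAY + hour * 3600,
                               "user": user, "page_printed": n})
    return events


def day_bucket(epoch):
    """`bucket _time span=1d`: snap to the start of the (UTC) day.  Splunk
    snaps in the search time zone instead; the logic is otherwise the same."""
    return epoch - epoch % DAY


def pages_per_user_day(events):
    """`stats sum(page_printed) AS Pages BY user _time`."""
    totals = defaultdict(lambda: defaultdict(int))
    for ev in events:
        totals[ev["user"]][day_bucket(ev["_time"])] += ev["page_printed"]
    return totals


def detect_spikes(events, sigma=1.0, min_samples=7):
    """Return one row per user with the same columns as the search's table."""
    totals = pages_per_user_day(events)
    # `eventstats max(_time) AS maxtime`: latest day bucket across all users.
    maxtime = max(day for per_day in totals.values() for day in per_day)
    # relative_time(maxtime, "-1d@d"): back one day, snap to midnight.  Since
    # maxtime is already a midnight bucket, the "recent" window is the last
    # TWO day buckets and max() keeps the larger; history is everything before.
    cutoff = day_bucket(maxtime - DAY)
    rows = []
    for user, per_day in sorted(totals.items()):
        recent = [p for d, p in per_day.items() if d >= cutoff]
        history = [p for d, p in per_day.items() if d < cutoff]
        pages = max(recent) if recent else None
        avg = mean(history) if history else None
        # Splunk's stdev is the sample standard deviation; a single history
        # point has no measurable spread, so it is treated as 0 here.
        sd = stdev(history) if len(history) >= 2 else 0.0
        lower = upper = None
        outlier = "No"
        if avg is not None:
            lower, upper = avg - sigma * sd, avg + sigma * sd
            outside = pages is not None and (pages < lower or pages > upper)
            if outside and len(per_day) >= min_samples:
                outlier = "Yes"
        rows.append({"user": user, "num_data_samples": len(per_day),
                     "Pages": pages, "avg": avg, "lowerBound": lower,
                     "upperBound": upper, "isOutlier": outlier})
    return rows


if __name__ == "__main__":
    for row in detect_spikes(build_events(SAMPLE_DAILY_PAGES)):
        print("{user:6} {num_data_samples:>3} {Pages:>6} {avg:>8.3f} "
              "{lowerBound:>9.3f} {upperBound:>9.3f} {isOutlier}".format(**row))
```

Running it flags chuck (480 pages against a baseline of about 4 a day) and erin (21 pages against an exactly-20 history, because the zero-width band makes the smallest change an outlier), while dave's 900-page day is suppressed by the seven-sample gate. Passing sigma=3.0 keeps chuck flagged; a baseline of a handful of pages a day cannot absorb a spike of that size at any sane multiplier.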

Result

The search shows a useful technique for comparing a user's current activity to that user's own historical baseline, and it could serve as a framework for other basic predictive searches. It might be interesting to correlate this behavior with a watchlist containing the user IDs of personnel considered higher risk: contractors, new employees, employees who never take vacation, and employees with access to particularly sensitive data. In the sample data below, the large number of pages printed by chuck could indicate risky user behavior.

user   num_data_samples  Pages  avg     lowerBound    upperBound   isOutlier
alice  26                12     62.625  -1.53228804   126.782288   No
chuck  22                4983   16.7    0.393398173   33.00660183  Yes

 
