Splunk Lantern

Monitoring employee network traffic

You are concerned about employees accidentally accessing malicious websites that can damage your network, such as attacker-controlled domains that are hubs for command and control communications and for data exfiltration. You want to monitor internet usage for traffic to new domains on the hypothesis that never-before-seen domains are the ones most likely to pose a threat.

Data required 

How to use Splunk software for this use case

You should establish baselines and lookup tables of the domains your network users typically access over a representative window. You can then construct searches that compare each day's traffic against those baselines and alerts that notify you when a domain with no prior history appears. Because a never-before-seen domain is a triage signal rather than proof of malice, plan to fold reviewed benign domains back into the baseline so they do not alert again.

To deploy this use case, you need Splunk Security Essentials (SSE), a free application with a security content library. The search uses macros that come packaged with the Splunk Security Essentials application.
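As an added illustration, not part of this Lantern article or of the Splunk Security Essentials content, the following Python models the baseline-and-compare logic that the search performs: it builds a lookup of registered domains from a history window of constructed proxy log lines, flags today's traffic to domains absent from that lookup, and folds triaged domains back into the baseline. The log format, the domain names and the two-label domain collapsing are assumptions made for the example.

```python
"""Baseline-and-compare detection of never-before-seen domains (example only)."""

# Constructed sample proxy log lines (not real traffic): "YYYY-MM-DD user dest_host".
# The history window plays the role of the baseline lookup table.
HISTORY_LOGS = """
2024-03-01 alice www.example.com
2024-03-01 bob cdn.example.com
2024-03-02 alice mail.corp-partner.net
2024-03-02 carol static.assets-cache.org
2024-03-03 bob img7.assets-cache.org
""".strip().splitlines()

# Constructed sample for the day being compared against the baseline.
TODAY_LOGS = """
2024-03-04 alice www.example.com
2024-03-04 bob img9.assets-cache.org
2024-03-04 carol update.unseen-updates.xyz
2024-03-04 dave 3fa9.beacon-host.top
2024-03-04 dave 3fa9.beacon-host.top
""".strip().splitlines()


def registered_domain(host):
    """Collapse a hostname to its registered domain (assumed: last two labels).

    Without this step every rotating CDN or tracker subdomain looks 'new'.
    A production deployment should use the Public Suffix List instead, so
    that a host under co.uk is not collapsed to 'co.uk'.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def parse(lines):
    """Turn log lines into (day, user, registered_domain) tuples, skipping malformed lines."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        day, user, host = parts
        events.append((day, user, registered_domain(host)))
    return events


def build_baseline(events):
    """Set of registered domains seen in the history window: the lookup table."""
    return {dom for _, _, dom in events}


def new_domains(today_events, baseline):
    """Return {domain: {"count": hits, "users": sorted users}} for domains absent from the baseline."""
    hits = {}
    for _, user, dom in today_events:
        if dom in baseline:
            continue
        rec = hits.setdefault(dom, {"count": 0, "users": set()})
        rec["count"] += 1
        rec["users"].add(user)
    return {d: {"count": r["count"], "users": sorted(r["users"])} for d, r in hits.items()}


def roll_baseline(baseline, reviewed_domains):
    """After analyst triage, add reviewed benign domains so they stop alerting."""
    return baseline | set(reviewed_domains)


if __name__ == "__main__":
    baseline = build_baseline(parse(HISTORY_LOGS))
    for dom, rec in sorted(new_domains(parse(TODAY_LOGS), baseline).items(),
                           key=lambda kv: -kv[1]["count"]):
        print(f"NEW DOMAIN {dom}: {rec['count']} hit(s) from {', '.join(rec['users'])}")
```

In Splunk terms the baseline set corresponds to a lookup written with `outputlookup` from a search over the history window, and the daily comparison excludes anything present in that lookup before alerting; the example shows why the comparison should be done on registered domains rather than full hostnames, and why the baseline needs a feedback path from triage.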

Next steps

To maximize their benefit, the how-to articles linked in the previous section likely need to tie into existing processes at your organization or become new standard processes. These processes commonly impact success with this use case: 

  • Establishing internet usage policies
  • Configuring firewalls
  • Creating blocklists and allowlists

Measuring impact and benefit is critical to assessing the value of security operations. The following are example metrics that can be useful to monitor when implementing this use case:

  • Malicious domains identified: The number of domains alerted on that posed a threat

This additional Splunk resource might help you understand and implement this specific use case:

Still need help with this use case? Most customers have OnDemand Services per their license support plan. Engage the ODS team at OnDemand-Inquires@splunk.com if you require assistance.