You are concerned about employees accidentally accessing malicious websites that can damage your network, such as attacker-controlled domains that are hubs for command and control communications and for data exfiltration. You want to monitor internet usage for traffic to new domains on the hypothesis that never-before-seen domains are the ones most likely to pose a threat.
How to use Splunk software for this use case
You should establish baselines and lookup tables of the domains typically accessed by your network users. You can then construct searches to compare daily usage against those baselines and alerts to notify you of anomalies.
To deploy this use case, you need Splunk Security Essentials (SSE), a free application with a security content library. The search uses macros that come packaged with the Splunk Security Essentials application.
To maximize their benefit, the how-to articles linked in the previous section likely need to tie into existing processes at your organization or become new standard processes. These processes commonly impact success with this use case:
- Establishing internet usage policies
- Configuring firewalls
- Creating blocklists and allowlists
Measuring impact and benefit is critical to assessing the value of security operations. The following are example metrics that can be useful to monitor when implementing this use case:
- Malicious domains identified: The number of domains alerted on that posed a threat
This additional Splunk resource might help you understand and implement this specific use case: