Monitoring employee network traffic
You are concerned about employees accidentally accessing malicious websites that can damage your network, such as attacker-controlled domains that are hubs for command and control communications and for data exfiltration. You want to monitor internet usage for traffic to new domains on the hypothesis that never-before-seen domains are the ones most likely to pose a threat.
You can use Splunk software to establish baselines and lookup tables of the domains typically accessed by your network users. You can then construct searches to compare daily usage against those baselines and alerts to notify you of anomalies.
Data required
How to use Splunk software for this use case
You can run many searches with Splunk software to monitor for connections to new domains. Depending on what information you have available, you might find it useful to identify some or all of the following:
Next steps
To maximize their benefit, the how-to articles linked in the previous section likely need to tie into existing processes at your organization or become new standard processes. These processes commonly impact success with this use case:
- Establishing internet usage policies
- Configuring firewalls
- Creating blocklists and allowlists
Measuring impact and benefit is critical to assessing the value of security operations. The following are example metrics that can be useful to monitor when implementing this use case:
- Malicious domains identified: The number of domains alerted on that posed a threat
The content in this use case comes from a previously published blog, one of the thousands of Splunk resources available to help users succeed. These additional Splunk resources might help you understand and implement this specific use case:
- Conf Talk: Real-time asset discovery and identity attribution using Splunk
- Blog: Detecting dynamic DNS domains in Splunk
- Blog: UT_parsing Domains Like House Slytherin
- White paper: Operationalize machine learning to find malicious domains
- Use case procedure: DNS queries to randomized subcommands
- Use case procedure: DNS tunneling through randomized subdomains
- Use case procedure: HTTP GET requests
- Use case procedure: Typosquatting clicks on a network
- Use case procedure: Algorithmically generated domain names
- Use case procedure: String conversion to a common format