You might want to gather details about all web activity to and from a host when doing the following:
- Monitoring for signs of Windows privilege escalation attacks
- Detecting techniques used by the Orangeworm attack group
Content developed by the Splunk Security Research team requires the use of consistent, normalized data provided by the Common Information Model (CIM). This search requires the Web data model. For information on installing and using the CIM, see the Common Information Model documentation.
As part of an insider threat investigation, you want to profile web activity to characterize some specific host activity.
To optimize the search shown below, you should specify an index and a time range.
- Ensure that your deployment is ingesting your web traffic and populating the Web data model.
- Run the following search:
|from datamodel Web.Web
|search src=<dest>
- Update the second line of the search to reflect the source, rather than the destination, to gather more information and rerun the search:
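A fuller version of the same profiling search, added here as an example and not taken from the Splunk documentation or the Security Research content. Instead of listing raw events with `from datamodel`, it uses `tstats` over the accelerated Web data model so the time range can be set inside the search, captures traffic in both directions for the host of interest in one pass, and summarizes each source/destination pair with first and last seen times and the distinct URLs requested. The address 192.0.2.45 is a constructed placeholder for the host under investigation; `summariesonly=true` assumes the Web data model is accelerated (drop that option, or fall back to the `from datamodel` search above, if it is not).

```spl
| tstats summariesonly=true count min(_time) as first_seen max(_time) as last_seen
    dc(Web.url) as distinct_urls values(Web.url) as urls
    from datamodel=Web.Web
    where (Web.src="192.0.2.45" OR Web.dest="192.0.2.45") earliest=-24h@h latest=now
    by Web.src Web.dest Web.http_method Web.status
| rename Web.* as *
| eval direction=if(src=="192.0.2.45", "outbound", "inbound")
| convert ctime(first_seen) ctime(last_seen)
| table direction src dest http_method status count distinct_urls first_seen last_seen urls
| sort direction - count
```

The `direction` field separates what the host requested (it appears as `src`) from what was requested of it (it appears as `dest`), which covers both the original search and the source variant in one result set. Sorting by count surfaces the noisiest pairs first; pairs with a high `distinct_urls` value and a small `count` per URL are often the more interesting ones to review by hand, since they do not look like routine, repeated traffic.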
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Splunk search | Explanation |
| --- | --- |
| `\|from datamodel Web.Web` | Query the Web.Web data model object. |
| `\|search src=<dest>` | Search for web activity from a source. The required `<dest>` field is the remote host. |
This search returns all web traffic for the specified IP address. The results show URLs you can investigate to verify maliciousness.
For additional information about this search, such as its applicability to common frameworks and standards, see this project on GitHub.