Content transfer to or from Google Chrome
You need to search for scenarios where a user has uploaded, downloaded, transferred content to or from Google Chrome browser. While not inherently suspicious, this activity can help identify potentially compromised used behavior. Within Google Chrome, this is indicated by the event type contentTransferEvent.
Required data
Ensure you are using the recommended Splunk Common Information Model (CIM) Intrusion Detection data model. Content developed by the Splunk Security Research team requires the use of consistent, normalized data provided by the CIM. For information on installing and using the CIM, see the Common Information Model documentation.
Procedure
- Use field mapping to correlate the fields:
Field | CIM alias |
---|---|
device_user |
user |
event |
signature |
device_name |
dest |
user_agent |
- |
scan_id |
??? |
url |
- |
content_hash |
file_hash |
content_type |
- |
content_size |
- |
os_platform |
- |
browser_version |
- |
device_id |
dvc |
client_type |
vendor_product |
time |
- |
content_name |
file_path |
trigger_type |
category |
3. Look for examples of activity, for example:
{ "device_user": "test_user_6", "event": "contentTransferEvent", "device_name": "chroemtests-MacBook-Pro", "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36", "url": "https://storage.server.com/malware_file.zip", "content_hash": "58BDD769D335053BDF66AB4D4A0EC7541C38FABF00F85EA34542481B887E485F", "content_type": "application/zip", "content_size": "9973", "os_platform": "Mac OS X", "os_version": "10.14", "browser_version": "87.0.4280.141", "device_id": "C02T45R8GTFL", "client_type": "CHROME_BROWSER", "time": "1610883127", "content_name": "/Users/test_user_6/Downloads/malware_file (25).zip", "trigger_type": "FILE_DOWNLOAD" }
{ "event": "contentTransferEvent", "time": "1610883127", "client_type": "CHROME_BROWSER", "device_id": "C02T45R8GTFL", "device_name": "chroemtests-MacBook-Pro", "os_platform": "Mac OS X", "os_version": "10.14", "device_user": "test_user_6", "browser_version": "87.0.4280.141", "profile_user": "test_user_12@gmail.com", "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36", "url": "https://storage.server.com/malware_file.zip", "content_name": "/Users/test_user_6/Downloads/malware_file (25).zip", "content_size": "9973", "content_type": "application/zip", "content_hash": "58BDD769D335053BDF66AB4D4A0EC7541C38FABF00F85EA34542481B887E485F", "trigger_type": "FILE_DOWNLOAD" }
Next steps
Since this event is triggered when a file is transferred to/from the browser, this behavior in itself is not inherently suspicious. Events that appear should be investigated further and assessed against your existing organizational policies.
Finally, you might be interested in other processes associated with the Improving Google Chrome security use case.