Splunk Lantern

Sensitive data transferred via Google Chrome


You need to search for scenarios where a user has downloaded, uploaded, or pasted content that is considered to contain sensitive data, as detected by the Data Protection rules. Within Google Chrome, this is indicated by the event type sensitiveDataTransferEvent.

Required data

Ensure you are using the recommended Splunk Common Information Model (CIM) Data Loss Prevention data model. Content developed by the Splunk Security Research team requires the use of consistent, normalized data provided by the CIM. For information on installing and using the CIM, see the Common Information Model documentation.

Procedure

  1. Use field mapping to correlate the fields:
     Field             CIM alias
     -----             ---------
     event             signature
     user_agent        -
     result            action
     url               -
     content_type      -
     triggered_rules   -
     content_size      -
     browser_version   -
     profile_user      user
     client_type       -
     time              -
     content_name      -
     trigger_type      category
     device_user       src_user
     device_name       dest
     reason            -
     os_platform       -
     device_id         dvc


  3. Look for examples of activity, such as:

{
  "event": "sensitiveDataTransferEvent",
  "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4403.2 Safari/537.36",
  "result": "BYPASSED",
  "url": "https://www.google.com/",
  "content_type": "text/plain",
  "triggered_rules": "test_user_16_test_rule_warn",
  "content_size": "40",
  "browser_version": "90.0.4403.2",
  "profile_user": "test_user_16-test-user@domain.test",
  "client_type": "CHROME_BROWSER_PROFILE",
  "time": "1611916714",
  "content_name": "Text data",
  "trigger_type": "WEB_CONTENT_UPLOAD"
}
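As an added example (not Splunk's or Lantern's own code; in Splunk the mapping in step 1 would normally be applied with field aliases and searched in SPL against the Data Loss Prevention data model), here is a Python script that applies the step 1 field mapping to an event shaped like the step 3 sample and flags the events that were not blocked for analyst review. The BLOCKED_RESULTS set, the interpretation of time as epoch seconds, and the summary format are assumptions not taken from the page.

```python
import json
from datetime import datetime, timezone

# Field -> CIM alias mapping taken from the table in step 1. Fields the
# table marks with "-" have no alias and keep their original name.
CIM_ALIASES = {
    "event": "signature",
    "result": "action",
    "profile_user": "user",
    "trigger_type": "category",
    "device_user": "src_user",
    "device_name": "dest",
    "device_id": "dvc",
}

# Result values taken to mean the transfer did not complete. "BYPASSED" is
# the only value shown on the page; the members of this set are an
# assumption about how Chrome labels a blocked transfer and should be
# checked against your reporting connector's actual output.
BLOCKED_RESULTS = {"BLOCKED", "EVENT_RESULT_BLOCKED"}

# Constructed sample event in the shape of the example from step 3.
SAMPLE_EVENT = json.dumps({
    "event": "sensitiveDataTransferEvent",
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/90.0.4403.2 Safari/537.36",
    "result": "BYPASSED",
    "url": "https://www.google.com/",
    "content_type": "text/plain",
    "triggered_rules": "test_user_16_test_rule_warn",
    "content_size": "40",
    "browser_version": "90.0.4403.2",
    "profile_user": "test_user_16-test-user@domain.test",
    "client_type": "CHROME_BROWSER_PROFILE",
    "time": "1611916714",
    "content_name": "Text data",
    "trigger_type": "WEB_CONTENT_UPLOAD",
})


def normalize(raw_event):
    """Rename Chrome reporting fields to their CIM Data Loss Prevention aliases.

    Accepts a JSON string or an already-parsed dict and returns a new dict.
    Fields with no alias are copied through under their original name.
    """
    record = json.loads(raw_event) if isinstance(raw_event, str) else dict(raw_event)
    normalized = {CIM_ALIASES.get(field, field): value for field, value in record.items()}
    # Chrome reports "time" as a string of epoch seconds (assumption based on
    # the sample value); keep the raw field and add an ISO 8601 UTC timestamp.
    if "time" in normalized:
        ts = datetime.fromtimestamp(int(normalized["time"]), tz=timezone.utc)
        normalized["_time"] = ts.isoformat()
    return normalized


def needs_review(event):
    """Flag a normalized sensitiveDataTransferEvent whose transfer was not blocked.

    A blocked transfer is still worth counting, but an event that was allowed,
    warned or bypassed means content matching a Data Protection rule may have
    actually left (or entered) the browser and should be assessed against policy.
    """
    if event.get("signature") != "sensitiveDataTransferEvent":
        return False
    return str(event.get("action", "")).upper() not in BLOCKED_RESULTS


def summarize(event):
    """One-line summary of a normalized event for an analyst review queue."""
    return (
        f"{event.get('_time', '?')} user={event.get('user', '?')} "
        f"category={event.get('category', '?')} action={event.get('action', '?')} "
        f"rules={event.get('triggered_rules', '?')} url={event.get('url', '?')} "
        f"dest={event.get('dest', '-')}"
    )


def triage(raw_events):
    """Normalize a batch of raw events and return summaries of those needing review."""
    return [summarize(n) for n in map(normalize, raw_events) if needs_review(n)]


if __name__ == "__main__":
    for line in triage([SAMPLE_EVENT]):
        print(line)
```

Run it with a file of one JSON event per line fed to triage(); the sample event is reported because its action is BYPASSED, while an event with the same signature and a blocked result is counted but not queued.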

Next steps

Since this event is triggered when content uploaded, downloaded, or pasted by the user is considered to contain sensitive data, as detected by Data Protection rules, events that appear should be investigated further and assessed against your organizational policies in this area.

Finally, you might be interested in other processes associated with the Improving Google Chrome security use case.