Unsafe site visit by Google Chrome user
You need to search for scenarios where a user has opened, clicked, or visited a URL that Google Safe Browsing considers deceptive or malicious (the reason field in the sample event below, SOCIAL_ENGINEERING, is a Safe Browsing threat type). Chrome Enterprise reporting records this as the event type badNavigationEvent.
Required data
Ensure you are using the recommended Splunk Common Information Model (CIM) Data Loss Prevention data model. Content developed by the Splunk Security Research team requires the use of consistent, normalized data provided by the CIM. For information on installing and using the CIM, see the Common Information Model documentation.
Procedure
1. Use field mapping to correlate the fields (fields marked "-" have no CIM alias and keep their original name):

   Field | CIM alias
   ---|---
   device_user | src_user
   event | signature
   device_name | dest
   user_agent | -
   result | action
   reason | category
   url | -
   os_platform | -
   browser_version | -
   profile_user | user
   device_id | dvc
   client_type | vendor_product
   time | -

2. Look for examples of activity, for example:

   ```json
   { "device_user": "test_user_6", "event": "badNavigationEvent", "device_name": "chroemtests-MacBook-Pro", "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4400.10 Safari/537.36", "result": "WARNED", "url": "https://testsafebrowsing.appspot.com/s/rt_phishing.html", "reason": "SOCIAL_ENGINEERING", "os_platform": "Mac OS X 10.14", "browser_version": "90.0.4400.10", "profile_user": "test_user_12@gmail.com", "device_id": "C02T45R8GTFL", "client_type": "CHROME_BROWSER", "time": "1611905631.0" }
   ```
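The following is an added example, not code from this Splunk page: it applies the field mapping above to a small constructed log of Chrome Enterprise reporting events, keeps only badNavigationEvent records, converts Chrome's epoch-seconds string to a timestamp, and counts unsafe visits by user, category and action. Only the first sample line mirrors the event shown on the page; the second and third lines, the result value BYPASSED (taken here to mean the user clicked through the warning) and the passwordReuseEvent type are assumptions used for illustration. In Splunk itself the same mapping is normally done with FIELDALIAS entries in props.conf or ad hoc with the rename command.

```python
# Added example (not from the Splunk page): normalize Chrome Enterprise
# reporting events to CIM aliases and pull out unsafe site visits.
# The sample log is constructed; only the first line mirrors the page's event.
import json
from collections import Counter
from datetime import datetime, timezone

# Chrome field -> CIM alias, straight from the page's mapping table.
# Fields with no alias (user_agent, url, os_platform, ...) are kept as-is.
CIM_ALIASES = {
    "device_user": "src_user",
    "event": "signature",
    "device_name": "dest",
    "result": "action",
    "reason": "category",
    "profile_user": "user",
    "device_id": "dvc",
    "client_type": "vendor_product",
}

# Constructed sample log, one JSON event per line. "WARNED" comes from the
# page; "BYPASSED" and the passwordReuseEvent line are assumed values.
SAMPLE_LOG = "\n".join([
    json.dumps({"device_user": "test_user_6", "event": "badNavigationEvent",
                "device_name": "chroemtests-MacBook-Pro", "result": "WARNED",
                "url": "https://testsafebrowsing.appspot.com/s/rt_phishing.html",
                "reason": "SOCIAL_ENGINEERING", "profile_user": "test_user_12@gmail.com",
                "device_id": "C02T45R8GTFL", "client_type": "CHROME_BROWSER",
                "time": "1611905631.0"}),
    json.dumps({"device_user": "test_user_7", "event": "badNavigationEvent",
                "device_name": "win-lab-01", "result": "BYPASSED",
                "url": "https://testsafebrowsing.appspot.com/s/malware.html",
                "reason": "MALWARE", "profile_user": "test_user_7@example.com",
                "device_id": "LAB0001", "client_type": "CHROME_BROWSER",
                "time": "1611905700.0"}),
    json.dumps({"device_user": "test_user_8", "event": "passwordReuseEvent",
                "device_name": "win-lab-02", "result": "WARNED",
                "url": "https://login.example.net/", "profile_user": "test_user_8@example.com",
                "device_id": "LAB0002", "client_type": "CHROME_BROWSER",
                "time": "1611905800.0"}),
])


def parse_log(text):
    """Parse JSON-lines text into raw event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def normalize(raw):
    """Return a copy of the event with the CIM aliases added alongside the
    original fields, which is how a Splunk FIELDALIAS behaves (the alias is
    an extra field, not a rename). Chrome's epoch-seconds string is exposed
    as an ISO-8601 UTC timestamp under _time."""
    ev = dict(raw)
    for chrome_field, alias in CIM_ALIASES.items():
        if chrome_field in raw:
            ev[alias] = raw[chrome_field]
    if "time" in raw:
        ev["_time"] = datetime.fromtimestamp(float(raw["time"]), tz=timezone.utc).isoformat()
    return ev


def unsafe_site_visits(text):
    """Normalized badNavigationEvent records only; other event types are dropped."""
    return [ev for ev in map(normalize, parse_log(text))
            if ev.get("signature") == "badNavigationEvent"]


def clicked_through(ev):
    """True when the user proceeded past the warning. Assumes Chrome reports
    such visits with result BYPASSED; WARNED means the interstitial was shown
    and the event does not record the user proceeding."""
    return ev.get("action") == "BYPASSED"


def summarize(text):
    """Count unsafe visits by (src_user, category, action) for triage."""
    return Counter((ev["src_user"], ev.get("category"), ev["action"])
                   for ev in unsafe_site_visits(text))


if __name__ == "__main__":
    for ev in unsafe_site_visits(SAMPLE_LOG):
        flag = "CLICKED THROUGH" if clicked_through(ev) else "warned"
        print(f'{ev["_time"]} {ev["src_user"]} ({ev["user"]}) on {ev["dest"]}: '
              f'{ev["category"]} {ev["url"]} [{flag}]')
    print(summarize(SAMPLE_LOG))
```

Keeping the original Chrome field names next to the aliases matters when other Chrome use cases on the same index still search on the raw names; a hard rename would break them. The clicked_through check is the triage split a practitioner wants: an interstitial that was shown is policy evidence, an interstitial that was bypassed is a user who has reached a phishing or malware page and needs follow-up.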
Next steps
Because this event fires only when a user reaches a URL flagged as deceptive or malicious, every hit warrants follow-up: check the result field to see how Chrome handled the navigation (WARNED in the example above), identify the user and device from src_user, user and dest, and assess the visit against your organization's acceptable-use and phishing-response policies.
Finally, you might be interested in other processes associated with the Improving Google Chrome security use case.