Skip to main content
Lantern Home
 
 
Splunk Lantern

Unscanned content shared to or from Google Chrome

  1. Last updated
  2. Save as PDF

 

You need to search for scenarios where a user has uploaded, downloaded, or transferred content to or from Google Chrome browser, and the shared file is unscanned during the evaluation of Data Protection rules. Within Google Chrome, this is indicated by the event type unscannedContentEvent

Required data

Ensure you are using the recommended Splunk Common Information Model (CIM) Intrusion Detection data model. Content developed by the Splunk Security Research team requires the use of consistent, normalized data provided by the CIM. For information on installing and using the CIM, see the Common Information Model documentation.

Procedure

  1. Use field mapping to correlate the fields:
Field CIM alias

device_user

user

event

signature

device_name

dest

user_agent

-

result

action

url

-

content_hash

file_hash

content_type

-

content_size

-

reason

-

os_platform

-

browser_version

-

device_id

dvc

client_type

vendor_product

time

-

content_name

file_path

trigger_type

category

profile_user

-

 

3. Look for examples of activity, for example:

{
  "device_user": "test_user_6",
  "event": "unscannedContentEvent",
  "device_name": "chroemtests-MacBook-Pro",
  "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36",
  "result": "ALLOWED",
  "url": "https://storage.server.com/malware_file.zip",
  "content_hash": "58BDD769D335053BDF66AB4D4A0EC7541C38FABF00F85EA34542481B887E485F",
  "content_type": "application/zip",
  "content_size": "9973",
  "reason": "SERVICE_UNAVAILABLE",
  "os_platform": "Mac OS X 10.14",
  "browser_version": "87.0.4280.141",
  "device_id": "C02T45R8GTFL",
  "client_type": "CHROME_BROWSER",
  "time": "1610883127",
  "content_name": "/Users/test_user_6/Downloads/malware_file (25).zip",
  "trigger_type": "FILE_DOWNLOAD"
}

Next steps

Since this event is triggered when a file is unscanned during evaluation of Data Protection rules, events that appear should be investigated further and assessed against those rules plus other relevant organizational policies.

Finally, you might be interested in other processes associated with the Improving Google Chrome security use case.