Analytics Story: Information Sabotage

Date: 2021-11-17 ID: b71ba595-ef80-4e39-8b66-887578a7a71b Author: Teoderick Contreras, Splunk Product: Splunk Enterprise Security

Description

Leverage searches that allow you to detect and investigate unusual activities that might correlate to insider threat specially in terms of information sabotage.

Why it matters

Information sabotage is the type of crime many people associate with insider threat. Where the current or former employees, contractors, or business partners intentionally exceeded or misused an authorized level of access to networks, systems, or data with the intention of harming a specific individual, the organization, or the organization's data, systems, and/or daily business operations.

Detections

Name ▲▼	Technique ▲▼	Type ▲▼
High Frequency Copy Of Files In Network Share	Transfer Data to Cloud Account	Anomaly

Data Sources

Name ▲▼	Platform ▲▼	Sourcetype ▲▼	Source ▲▼
Windows Event Log Security 5145	Windows	`xmlwineventlog`	`XmlWinEventLog:Security`

References

https://insights.sei.cmu.edu/blog/insider-threat-deep-dive-it-sabotage/

Source: GitHub | Version: 1