Phishing-Spearphishing Splunk to RT Automation

This procedure defines the process for using the Splunk Phishing dashboard to automate parts of the evaluation, decision and notification process. The automation is driven by triggers on the results of a search built from inputs provided by the Help Desk.

Procedure for use of the Splunk Phishing Automation Dashboard

Procedure Description:  This procedure is a step-by-step process designed to provide support helpdesk staff with usage and function documentation and the expected results from the Splunk Phishing Automation Dashboard.  The procedure is maintained for standardization and repeatability of the process.

This Information Security Office Procedure aligns with and extends the Rice University and Information Security Policies. In order to minimize risks associated with incidental or malicious acts that cause the unintended exposure of confidential and sensitive information associated with Rice University, this document defines a process for using a Splunk SIEM Dashboard to aid in the automation of information gathering and dissemination, processing, notification and evaluation of reported phishing messages.  The processes and procedures defined here are meant to be part of an overall measure of due care and diligence for managing Rice data.  These processes should be periodically reviewed and, as required, repeated over time to ensure that changes to the service and function do not modify the risk profile in such a manner as to inappropriately place Rice confidential and sensitive information at undue risk.

Phishing-Spearphishing Splunk Table
 Date      Modification Type   Modified by   Approver
 4/6/2019  Created             bribbeck

Scope: This procedure applies to any system or service storing, displaying for general access as a server, or transiting Rice University confidential or sensitive data defined in Rice Policy 808 or 832 and in alignment with Rice Policy 841.

  • This process covers all reported phishing and spearphishing emails delivered to * addresses 
  • This process assumes a basic understanding of the RT helpdesk system
  • The process requires access to Splunk with Help Desk access to the Phishing Dashboard
Operating Standards:
  • Personnel with operational responsibility will be required to take Splunk training and sign a confidentiality/privacy document
Communications and data:
  • The dashboard process, when initiated, starts a cascade of processes based on trigger criteria that will, depending on which triggers match, initiate automated email messaging to customers, OIT staff, and ISO staff.
  • The results of the dashboard process will create files that are distributed into the helpdesk ticketing system that will contain the email addresses of Rice students and staff from log data.
Step by Step Process to complete a deployment of an IOS device for PCI use with a Rice Entity.

  • Operational knowledge of RT ticketing system
  • General Splunk Training
  • Splunk Dashboard and Phishing Automation Training
  • Fundamental understanding of the processes behind Phishing Automation, triggers, and expected results
  • Review of phishing notification template emails
  • A customer has been instructed to forward an email to which will create the Parent ticket
    Prologue:  This tool takes input from the helpdesk staff, searches the email logs for key information from the suspected phishing email, and returns impact statistics and actionable information related to potential victims.
    1. In the RT Ticket system General queue, obtain the following information from the ticket created when a customer forwards a suspected phishing email:
      1. RT Ticket Number
      2. From address
      3. To address
      4. Date (dd/mm/yyyy)
      5. Review the email to determine whether it included an attached file, requested a login, or requested money/payment.
        1. As an example, RT ticket # 832447 has the following information:
          1. From:
          2. To:
          3. Date (04/05/2019)
          4. Contained a requested login with an embedded link<>
    2. Initiate a web browser session from any Internet-connected system to
    3. Click on the word Dashboard in the Green menu bar as shown in the graphic
       [Graphic: Splunk Dashboard]
    4. Select the Dashboard named Phishing Response Automation
    5. This will open a new page and display the Dashboard.  Input the following fields:
    6. Date - set a range that spans from two days prior to the present day, or up to 7 days beyond the date in the suspected phishing email
       [Graphic: Time Picker]
    7. In the From email address field, type in the sender's address as it appears in the From field
       [Graphic: Inputs]
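The following Python script is an added illustration of what the dashboard's search does with the inputs gathered in step 1 and the date range from step 6; it is not the dashboard's own Splunk search and is not code from the Rice procedure. It runs over constructed mail-transport log lines (the line format, the ISO date input, the two-days-before/seven-days-after window and the function names are all assumptions made for this example) and returns the impact statistics a responder would act on: how many times the sender reached Rice mailboxes, how many deliveries succeeded, and which recipients other than the reporter are potential victims.

```python
"""
Illustrative model of the impact search behind the Phishing Response Automation
dashboard (example code, not the dashboard's own Splunk search).  Given the
sender address from the reported message, the reported date, and the reporter's
address, scan mail log lines for every delivery from that sender inside the
search window and summarise who else received it.
"""
from collections import Counter
from datetime import datetime, timedelta
import re

# Constructed sample log lines (not real Rice mail logs).  Assumed format:
#   <ISO timestamp> from=<sender> to=<recipient> subject="..." status=<delivered|rejected>
SAMPLE_LOG = """\
2019-04-05T08:12:01 from=payroll-update@example.net to=alice@example.edu subject="Verify your login" status=delivered
2019-04-05T08:12:03 from=payroll-update@example.net to=bob@example.edu subject="Verify your login" status=delivered
2019-04-05T08:12:04 from=payroll-update@example.net to=carol@example.edu subject="Verify your login" status=rejected
2019-04-05T09:40:10 from=newsletter@example.org to=alice@example.edu subject="Weekly digest" status=delivered
2019-04-06T14:02:55 from=payroll-update@example.net to=dave@example.edu subject="Verify your login" status=delivered
2019-04-15T10:00:00 from=payroll-update@example.net to=erin@example.edu subject="Verify your login" status=delivered
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) from=(?P<from>\S+) to=(?P<to>\S+) '
    r'subject="(?P<subject>[^"]*)" status=(?P<status>\S+)$'
)


def parse_log(text):
    """Parse the constructed log format into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        event = match.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def search_window(report_date_iso, days_before=2, days_after=7):
    """Assumed reading of step 6: from two days before the reported date (YYYY-MM-DD)
    up to seven days after it.  Returns (start, end) with an exclusive end."""
    day = datetime.fromisoformat(report_date_iso)
    start = day - timedelta(days=days_before)
    end = day + timedelta(days=days_after + 1)
    return start, end


def phishing_impact(events, sender, report_date_iso, reporter=None):
    """Impact statistics for one reported sender inside the search window."""
    start, end = search_window(report_date_iso)
    hits = [e for e in events
            if e["from"].lower() == sender.lower() and start <= e["ts"] < end]
    delivered = [e for e in hits if e["status"] == "delivered"]
    recipients = sorted({e["to"].lower() for e in delivered})
    # The person who reported the message is not counted as a potential victim.
    potential_victims = [r for r in recipients if r != (reporter or "").lower()]
    return {
        "sender": sender,
        "window": (start.isoformat(), end.isoformat()),
        "total_attempts": len(hits),
        "delivered": len(delivered),
        "rejected": sum(1 for e in hits if e["status"] == "rejected"),
        "subjects": Counter(e["subject"] for e in hits),
        "potential_victims": potential_victims,
    }


def notification_lines(stats, template=None):
    """One (recipient, message) pair per potential victim, from a hypothetical template."""
    template = template or ("A message from {sender} delivered to your mailbox has been "
                            "reported as phishing. Do not follow its links or reply to it.")
    return [(victim, template.format(sender=stats["sender"]))
            for victim in stats["potential_victims"]]


if __name__ == "__main__":
    stats = phishing_impact(parse_log(SAMPLE_LOG), "payroll-update@example.net",
                            "2019-04-05", reporter="alice@example.edu")
    for key, value in stats.items():
        print(f"{key}: {value}")
    for recipient, body in notification_lines(stats):
        print(f"notify {recipient}: {body}")
```

Running the script with the constructed log reports four attempts from the sender inside the window (the 15 April delivery falls outside it), three successful deliveries, one rejection, and two potential victims besides the reporter, which is the kind of actionable information the dashboard hands back to the helpdesk for the child tickets and notifications.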

    Keywords: Information Security, Procedure, Splunk, RT, Phishing, Spearphishing, Automation
    Doc ID: 90878
    Owner: Dan H.
    Group: Rice University
    Created: 2019-04-05 14:33 CDT
    Updated: 2023-03-29 09:21 CDT
    Sites: Rice University