Phishing-Spearphishing Splunk to RT Automation
This procedure defines the process for using the Splunk Phishing dashboard to automate part of the evaluation, decision and notification process. The automation is driven by triggers derived from the results of a search run on inputs provided by the Help Desk.
Procedure for use of the Splunk Phishing Automation Dashboard
Procedure Description: This procedure is a step-by-step process that gives help desk staff documentation of the use, function and expected results of the Splunk Phishing Automation Dashboard. It is maintained so that the process can be carried out in a standardized, repeatable way.
This Information Security Office procedure aligns with and extends Rice University and Information Security policies. In order to minimize the risks associated with incidental or malicious acts that cause the unintended exposure of confidential and sensitive information associated with Rice University, this document defines a process for using a Splunk SIEM dashboard to aid in automating the gathering and dissemination of information, and the processing, notification and evaluation of reported phishing messages. The processes and procedures defined here are meant to be part of an overall measure of due care and diligence for managing Rice data. They should be reviewed periodically and repeated as required over time to ensure that changes to the service and its function do not modify the risk profile in such a way as to place Rice confidential and sensitive information at undue risk.
Date | Modification Type | Modified by | Approver |
---|---|---|---|
4/6/2019 | Created | bribbeck | |
Scope: This procedure applies to any system or service that stores, displays for general access as a server, or transits Rice University confidential or sensitive data as defined in Rice Policy 808 or 832, in alignment with Rice Policy 841.
- This process covers all reported phishing and spearphishing emails delivered to *@rice.edu addresses
- This process assumes a basic understanding of the RT helpdesk system
- The process requires access to Splunk with Help Desk access to the Phishing Dashboard
- Personnel with operational responsibility will be required to take Splunk training and sign a confidentiality/privacy document
- Once initiated, the dashboard process starts a cascade of processes based on trigger criteria that may initiate automated email messages to customers, OIT staff, and ISO staff.
- The dashboard process creates files, distributed into the helpdesk ticketing system, that contain the email addresses of Rice students and staff drawn from log data.
REQUIREMENTS:
- Operational knowledge of RT ticketing system
- General Splunk Training
- Splunk Dashboard and Phishing Automation Training
- Fundamental understanding of the processes behind Phishing Automation, triggers, and expected results
- Review of phishing notification template emails
- Customers are instructed to forward a suspected phishing email to help@rice.edu, which creates the parent ticket.
- In the RT ticket system General queue, obtain the following information from the ticket created when a customer forwards a suspected phishing email:
- RT Ticket Number
- From address
- To address
- Date (dd/mm/yyyy)
- Review the email to determine whether it included an attached file, requested a login, or requested money or a payment.
- As an example, RT ticket # 832447 has the following information
- From: support@Patricia111122.hostpilot.com
- To: me26@rice.edu
- Date: 04/05/2019
- Contained a login request with an embedded link: https://dashboard.stripe.com/email&bank-account-verification?source=3Demail=<https://emilesse.com/lax/>
- Initiate a web browser session from any Internet-connected system to https://rice.splunkcloud.com
- Click on the word Dashboard in the green menu bar, as shown in the graphic
- Select the Dashboard named Phishing Response Automation
- This will open a new page and display the dashboard. Input the following fields:
- Date: enter a range spanning two days prior to the present day, or up to 7 days beyond the date in the suspected phishing email
- In the From email address field, type in the sender's address as it appears in the From field
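To make the filtering behind these dashboard inputs concrete (match on the reported sender, keep only deliveries inside the date window, and produce the de-duplicated recipient list that ends up in the helpdesk ticket), here is an added Python model written for this page; it is not code from the Rice dashboard or from Splunk. The log line layout, the recipient addresses other than the reported one, the reading of the ticket date as 5 April 2019 and the reading of the window as two days before to seven days after the reported message are all assumptions.

```python
import re
from datetime import date, datetime, timedelta

# Constructed mail-gateway log lines for the walkthrough (not real Rice log data);
# the key=value layout and the recipients other than me26 are assumptions.
SAMPLE_LOG = """\
2019-04-05T09:12:44 from=support@Patricia111122.hostpilot.com to=me26@rice.edu subject="Bank account verification"
2019-04-05T09:13:02 from=support@Patricia111122.hostpilot.com to=jd12@rice.edu subject="Bank account verification"
2019-04-03T18:40:10 from=support@patricia111122.hostpilot.com to=ab4@rice.edu subject="Bank account verification"
2019-04-09T07:01:55 from=support@Patricia111122.hostpilot.com to=kl9@rice.edu subject="Bank account verification"
2019-04-05T10:00:00 from=newsletter@example.org to=me26@rice.edu subject="Weekly digest"
2019-04-15T11:00:00 from=support@Patricia111122.hostpilot.com to=zz1@rice.edu subject="Bank account verification"
"""

# Inputs the help desk would take from the page's RT ticket 832447; the
# message date is assumed here to be 5 April 2019.
REPORTED_SENDER = "support@Patricia111122.hostpilot.com"
REPORTED_ON = date(2019, 4, 5)

LINE_RE = re.compile(r'^(\S+) from=(\S+) to=(\S+) subject="([^"]*)"$')


def parse_log(text):
    """Turn each well-formed log line into (timestamp, sender, recipient, subject)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines in another layout are skipped rather than guessed at
            ts, sender, rcpt, subject = m.groups()
            events.append((datetime.fromisoformat(ts), sender, rcpt, subject))
    return events


def campaign_recipients(events, sender, reported_on, days_before=2, days_after=7):
    """Mailboxes that received mail from `sender` within the date window.

    Window (assumed reading of the procedure): `days_before` days before the
    reported message's date through `days_after` days after it. The sender
    comparison is case-insensitive so a mixed-case copy is not missed."""
    start = datetime.combine(reported_on - timedelta(days=days_before), datetime.min.time())
    end = datetime.combine(reported_on + timedelta(days=days_after), datetime.max.time())
    hits = set()
    for ts, frm, rcpt, _subject in events:
        if frm.lower() == sender.lower() and start <= ts <= end:
            hits.add(rcpt.lower())
    return sorted(hits)  # de-duplicated list for the child ticket and notifications


def run_example():
    """Apply the ticket inputs above to the constructed log."""
    return campaign_recipients(parse_log(SAMPLE_LOG), REPORTED_SENDER, REPORTED_ON)
```

The newsletter line is dropped because the sender differs, and the 15 April delivery is dropped because it falls outside the seven-day window.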