Detecting abnormal or suspicious upload or download activity by a user with a machine learning model. A leading power distribution organization wanted to monitor for insider threats by detecting abnormal or suspicious upload or download activity by its users.
CHALLENGES
- Security threat: Identify malicious insiders who might leak sensitive data from the power utility.
- False positive reduction: traditional threshold-based SIEM rules generate many false positive alerts, so the focus was on using ML-based anomaly detection instead.
SOLUTIONS
- Used Splunk Enterprise to ingest, aggregate, and clean/transform the proxy log data.
- Used the Splunk Machine Learning Toolkit (MLTK) app to visualize the data, build models, and evaluate model performance.
- Multiple ML models were evaluated for detecting suspicious upload or download activity.
- The selected model was packaged and deployed to the production environment.
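The page does not show the Splunk searches or name the model that was selected, so the following is an added illustration, not the organization's or Splunk's code, of the pipeline the solution list describes: parse the Squid proxy logs named as the data source, aggregate transfer volume per user per hour, and score each hour against that user's own trailing baseline. It assumes Squid's native access.log format, uses a median/MAD modified z-score as a stand-in for whatever MLTK model the team chose, and runs on constructed sample traffic (user names, IPs and URLs are invented). Note the caveat in the comments: the native format logs reply size only, so true upload volume needs a custom logformat; the example counts POST/PUT requests as upload events instead.

```python
"""Per-user proxy transfer baseline with robust anomaly scoring.

Added illustration (not the page's Splunk/MLTK code): parse Squid native
access.log lines, aggregate per (user, hour), and flag hours that deviate
from that user's own trailing baseline using the Iglewicz-Hoaglin modified
z-score (median and MAD), which one huge transfer cannot drag upward the
way a mean/standard-deviation threshold rule can.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median

# Squid native access.log fields (space separated):
#   time elapsed client code/status bytes method URL user hierarchy/peer type
# "bytes" is the reply size sent to the client, i.e. download volume.
# Request body size (true upload volume) is not in the native format; log
# %>st with a custom logformat to get it. Here POST/PUT requests are counted
# as upload events instead.
def parse_squid_line(line):
    parts = line.split()
    if len(parts) < 10:
        return None  # truncated or non-native line
    try:
        ts, size = float(parts[0]), int(parts[4])
    except ValueError:
        return None
    hour = datetime.fromtimestamp(ts, tz=timezone.utc).replace(
        minute=0, second=0, microsecond=0)
    return {"hour": hour, "client": parts[2], "bytes": size,
            "method": parts[5], "url": parts[6], "user": parts[7]}


def aggregate_by_user_hour(lines):
    """Sum reply bytes and count POST/PUT requests per (user, hour)."""
    buckets = defaultdict(lambda: {"download_bytes": 0, "upload_requests": 0})
    for line in lines:
        rec = parse_squid_line(line)
        if rec is None or rec["user"] == "-":
            continue  # unauthenticated traffic cannot be attributed to a person
        b = buckets[(rec["user"], rec["hour"])]
        b["download_bytes"] += rec["bytes"]
        if rec["method"] in ("POST", "PUT"):
            b["upload_requests"] += 1
    return buckets


def modified_zscore(value, history):
    """0.6745 * (x - median) / MAD; +/-inf when the baseline is flat (MAD 0)."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    if mad == 0:
        return 0.0 if value == med else (float("inf") if value > med else float("-inf"))
    return 0.6745 * (value - med) / mad


def find_anomalous_hours(buckets, metric="download_bytes", threshold=3.5, min_history=5):
    """Score each user's hour against that user's earlier hours and return
    (user, hour, value, score) for hours above threshold (3.5 is the usual
    cut-off for the modified z-score). Each hour joins the baseline after it
    is scored; with median/MAD a single outlier does not poison later scores."""
    per_user = defaultdict(dict)
    for (user, hour), b in buckets.items():
        per_user[user][hour] = b[metric]
    alerts = []
    for user, hours in per_user.items():
        history = []
        for hour in sorted(hours):
            value = hours[hour]
            if len(history) >= min_history:
                score = modified_zscore(value, history)
                if score > threshold:
                    alerts.append((user, hour, value, score))
            history.append(value)
    return alerts


# ---- constructed sample traffic (synthetic, not real proxy logs) ----
def _line(hour_offset, user, client, method, nbytes, url):
    ts = 1_700_000_000 + hour_offset * 3600 + 120
    return (f"{ts}.000 250 {client} TCP_MISS/200 {nbytes} {method} {url} "
            f"{user} HIER_DIRECT/203.0.113.10 application/octet-stream")

_ALICE_GET = [2_100_000, 3_300_000, 2_800_000, 3_900_000,
              2_500_000, 3_100_000, 2_700_000, 450_000_000]  # last hour: ~450 MB
_BOB_GET = [3_000_000, 3_200_000, 2_900_000, 3_100_000,
            3_300_000, 3_000_000, 2_800_000, 3_400_000]
_BOB_POSTS = [1, 1, 1, 1, 1, 1, 1, 25]                      # last hour: 25 POSTs

def sample_log_lines():
    lines = []
    for h in range(8):
        lines.append(_line(h, "alice", "10.0.0.5", "GET", _ALICE_GET[h], "http://files.example.net/share/doc.bin"))
        lines.append(_line(h, "alice", "10.0.0.5", "POST", 512, "https://mail.example.net/send"))
        lines.append(_line(h, "bob", "10.0.0.6", "GET", _BOB_GET[h], "http://intranet.example.net/report.pdf"))
        for _ in range(_BOB_POSTS[h]):
            lines.append(_line(h, "bob", "10.0.0.6", "POST", 512, "https://paste.example.org/upload"))
    lines.append(_line(3, "-", "10.0.0.9", "GET", 9_000_000, "http://cdn.example.net/pkg.tar.gz"))  # no proxy auth
    lines.append("1700000000.000 5 10.0.0.9 TCP_DENIED/403")  # truncated line
    return lines


if __name__ == "__main__":
    buckets = aggregate_by_user_hour(sample_log_lines())
    for metric in ("download_bytes", "upload_requests"):
        for user, hour, value, score in find_anomalous_hours(buckets, metric):
            print(f"{metric}: {user} {hour:%Y-%m-%d %H:00}Z value={value} score={score:.1f}")
```

On the sample data only alice's 450 MB hour is flagged on download volume and only bob's 25-POST hour on upload events; the rest of both users' hours stay well under the cut-off. In Splunk the same shape of pipeline is a `bin _time span=1h | stats sum(bytes) by user, _time` search whose output is fed to an MLTK algorithm such as DensityFunction, with the per-user baseline replacing the global threshold that makes a plain SIEM rule noisy.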
BENEFITS
- Visibility into insider threats.
- Reduced false positive alerts.
- Reduced manual effort around log and alert review.
Monitored Systems/Data Sources: Squid proxy logs.
Users: Security Operations Center (SOC) team
Product: Splunk Enterprise
Splunk App: Machine Learning Toolkit (MLTK)