Name:Web Fraud - Anomalous User Clickspeed id:31337bbb-bc22-4752-b599-ef192df2dc7a version:3 date:2024-10-17 author:Jim Apger, Splunk status:deprecated type:Anomaly Description:This search is used to examine web sessions to identify those where the clicks are occurring too quickly for a human or are occurring with a near-perfect cadence (high periodicity or low standard deviation), resembling a script driven session. Data_source:
search:`stream_http` http_content_type=text* | rex field=cookie "form_key=(?<session_id>\w+)" | streamstats window=2 current=1 range(_time) as TimeDelta by session_id | where TimeDelta>0 |stats count stdev(TimeDelta) as ClickSpeedStdDev avg(TimeDelta) as ClickSpeedAvg by session_id | where count>5 AND (ClickSpeedStdDev<.5 OR ClickSpeedAvg<.5) | `web_fraud___anomalous_user_clickspeed_filter`
how_to_implement:Start with a dataset that allows you to see clickstream data for each user click on the website. That data must have a time stamp and must contain a reference to the session identifier being used by the website. This ties the clicks together into clickstreams. This value is usually found in the http cookie. With a bit of tuning, a version of this search could be used in high-volume scenarios, such as scraping, crawling, application DDOS, credit-card testing, account takeover, etc. Common data sources used for this detection are customized Apache logs, customized IIS, and Splunk Stream. known_false_positives:As is common with many fraud-related searches, we are usually looking to attribute risk or synthesize relevant context with loosly written detections that simply detect anamoluous behavior. References: -https://en.wikipedia.org/wiki/Session_ID -https://en.wikipedia.org/wiki/Session_(computer_science) -https://en.wikipedia.org/wiki/HTTP_cookie -https://splunkbase.splunk.com/app/1809/ drilldown_searches:
: tags: analytic_story: - 'Web Fraud Detection' asset_type:Account confidence:50 impact:50 message:tbd mitre_attack_id: - 'T1078' observable: name:'session_id' type:'User' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'http_content_type' - 'cookie' risk_score:25 security_domain:threat
