forked from splunk/security_content
-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathanomalous_webclick.yml
More file actions
101 lines (101 loc) · 3.76 KB
/
anomalous_webclick.yml
File metadata and controls
101 lines (101 loc) · 3.76 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
asset_type: account
confidence: medium
creation_date: '2018-07-12'
data_metadata:
data_source:
- Network Communications
data_sourcetypes:
- stream:http
providing_technologies:
- Splunk Stream
description: This search is used to examine web sessions to identify those where the
clicks are occurring too quickly for a human or are occurring with a near-perfect
cadence (high periodicity or low standard deviation), resembling a script driven
session.
detect:
splunk:
correlation_rule:
notable:
nes_fields: session_id
rule_description: This search is used to examine web sessions in order to
identify unnaturally rapid clicks with near-perfect cadence (high periodicity
or low standard deviation), which resemble a script-driven session.
rule_title: 'Web Fraud Detection: Anomalous User Clickspeed'
risk:
risk_object: session_id
risk_object_type:
- other
risk_score: 40
schedule:
cron_schedule: 0 * * * *
earliest_time: -70m@m
latest_time: -10m@m
search: sourcetype=stream:http http_content_type=text* | rex field=cookie "form_key=(?<session_id>\w+)"
| streamstats window=2 current=1 range(_time) as TimeDelta by session_id |
where TimeDelta>0 |stats count stdev(TimeDelta) as ClickSpeedStdDev avg(TimeDelta)
as ClickSpeedAvg by session_id | where count>5 AND (ClickSpeedStdDev<.5 OR
ClickSpeedAvg<.5)
suppress:
suppress_fields: session_id
suppress_period: 3600s
eli5: It's suspicious when someone or something is moving throughout your website
too quickly or with a perfect click cadence. Fortunately, it's easy to detect by
calculating the time between clicks for each session and highlighting the anomalous
behavior.
entities:
- session_id
how_to_implement: Start with a dataset that allows you to see clickstream data for
each user click on the website. That data must have a time stamp and must contain
a reference to the session identifier being used by the website. This ties the clicks
together into clickstreams. This value is usually found in the http cookie. With
a bit of tuning, a version of this search could be used in high-volume scenarios,
such as scraping, crawling, application DDOS, credit-card testing, account takeover,
etc. Common data sources used for this detection are customized Apache logs, customized
IIS, and Splunk Stream.
id: 31337bbb-bc22-4752-b599-ef192df2dc7a
investigations:
- id: 3d6c3213-5fff-4a1e-b57d-b24c262171e7
name: Get Notable History
type: splunk
- id: f3fb4d1b-5f33-4b01-b541-c7af9534c242
name: Get Notable Info
type: splunk
- id: bc91a8cf-35e7-4bb2-1120-e756cc06fd89
name: Get Web Session Information via session_id
type: splunk
- id: 5df39b3f-447d-4869-b673-8f45ad4616fe
name: Get Emails From Specific Sender
type: splunk
known_false_positives: As is common with many fraud-related searches, we are usually
looking to attribute risk or synthesize relevant context with loosly written detections
that simply detect anamoluous behavior.
maintainers:
- company: Splunk
email: Mayhem@splunk.com
name: Jim Apger
mappings:
cis20:
- CIS 6
kill_chain_phases:
- Actions on Objectives
mitre_attack:
- Initial Access
- Valid Accounts
nist:
- DE.AE
- DE.CM
modification_date: '2018-10-08'
name: Web Fraud - Anomalous User Clickspeed
original_authors:
- company: Splunk
email: Mayhem@splunk.com
name: Jim Apger
references:
- https://en.wikipedia.org/wiki/Session_ID
- https://en.wikipedia.org/wiki/Session_(computer_science)
- https://en.wikipedia.org/wiki/HTTP_cookie
- https://splunkbase.splunk.com/app/1809/
security_domain: threat
spec_version: 2
type: splunk
version: '1.0'