Sample rules
Web Fraud - Password Sharing Across Accounts
- source: splunk
- techniques:
Description
This search identifies sets of distinct user accounts whose login attempts submit the same password.
Detection logic
`stream_http` http_content_type=text* uri=/magento2/customer/account/loginPost*
| rex field=form_data "login\[username\]=(?<Username>[^&|^$]+)"
| rex field=form_data "login\[password\]=(?<Password>[^&|^$]+)"
| stats dc(Username) as UniqueUsernames values(Username) as user list(src_ip) as src_ip by Password
| where UniqueUsernames>5
| `web_fraud___password_sharing_across_accounts_filter`
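The same logic as a stand-alone Python port, added here for testing the rule offline; it is not Splunk's code. The events are constructed samples shaped like `stream_http` rows (the `uri`, `form_data` and `src_ip` fields the SPL reads), and the password values are placeholders. Two points worth knowing before deploying the SPL: the capture group `[^&|^$]+` stops at `&`, `|`, `^` or `$`, so a password containing one of the last three is truncated at that character and may collide with another; and `stats ... by Password` puts the shared password in clear into the alert output. The port deviates there on purpose and reports a truncated SHA-256 fingerprint instead.

```python
import hashlib
import re
from collections import defaultdict

# Same capture groups as the SPL `rex` commands. Form bodies are percent-encoded
# by the browser ("@" arrives as "%40", "!" as "%21"); the rule compares the
# encoded text as-is, which still groups identical passwords correctly.
USERNAME_RE = re.compile(r"login\[username\]=([^&|^$]+)")
PASSWORD_RE = re.compile(r"login\[password\]=([^&|^$]+)")
LOGIN_URI_PREFIX = "/magento2/customer/account/loginPost"   # uri=...loginPost*


def _login_post(username, password, src_ip):
    """Constructed sample event with the fields the rule reads (not captured traffic)."""
    return {
        "uri": "/magento2/customer/account/loginPost/",
        "src_ip": src_ip,
        "form_data": f"form_key=abc123&login[username]={username}&login[password]={password}&send=",
    }


# Constructed sample data: seven accounts sharing one password from one client,
# one repeat login by an existing account, two unrelated users, and one event
# on a different URI that the rule must ignore.
SAMPLE_EVENTS = (
    [_login_post(f"user{i}%40example.org", "Spring2024%21", "198.51.100.7") for i in range(1, 8)]
    + [_login_post("user3%40example.org", "Spring2024%21", "198.51.100.8")]
    + [_login_post("alice%40example.net", "x9%21Qm2%23p", "203.0.113.9"),
       _login_post("bob%40example.net", "x9%21Qm2%23p", "203.0.113.10")]
    + [{"uri": "/magento2/customer/account/create/", "src_ip": "203.0.113.11",
        "form_data": "login[username]=carol%40example.net&login[password]=Spring2024%21"}]
)


def password_sharing(events, threshold=5):
    """Port of the rule: group login POSTs by submitted password and report every
    password used by more than `threshold` distinct usernames.

    Mirrors the SPL semantics: events without a Password are dropped by
    `stats ... by Password`; `dc(Username)` ignores null usernames; `values()` is
    a sorted unique list while `list(src_ip)` keeps one entry per event.
    """
    by_password = defaultdict(lambda: {"users": set(), "src_ip": []})
    for ev in events:
        if not ev.get("uri", "").startswith(LOGIN_URI_PREFIX):
            continue
        form = ev.get("form_data", "")
        pw = PASSWORD_RE.search(form)
        if not pw:
            continue
        bucket = by_password[pw.group(1)]
        user = USERNAME_RE.search(form)
        if user:
            bucket["users"].add(user.group(1))
        bucket["src_ip"].append(ev.get("src_ip"))

    findings = []
    for password, bucket in by_password.items():
        if len(bucket["users"]) > threshold:
            findings.append({
                # Deviation from the SPL (which emits the plaintext): fingerprint only.
                "password_sha256": hashlib.sha256(password.encode()).hexdigest()[:16],
                "UniqueUsernames": len(bucket["users"]),
                "user": sorted(bucket["users"]),
                "src_ip": bucket["src_ip"],
            })
    return findings


if __name__ == "__main__":
    for finding in password_sharing(SAMPLE_EVENTS):
        print(finding)
```

Lower `threshold` to see the two-account cluster surface as well; in production the threshold of 5 is what keeps ordinary password reuse between a user's own test accounts out of the alert.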
Web Fraud - Anomalous User Clickspeed
- source: splunk
- techniques:
- T1078
Description
This search examines web sessions to identify those where clicks occur too quickly for a human, or with a near-perfect cadence (high periodicity, i.e. a low standard deviation of the interval between clicks), which is characteristic of a script-driven session.
Detection logic
`stream_http` http_content_type=text*
| rex field=cookie "form_key=(?<session_id>\w+)"
| streamstats window=2 current=1 range(_time) as TimeDelta by session_id
| where TimeDelta>0
| stats count stdev(TimeDelta) as ClickSpeedStdDev avg(TimeDelta) as ClickSpeedAvg by session_id
| where count>5 AND (ClickSpeedStdDev<.5 OR ClickSpeedAvg<.5)
| `web_fraud___anomalous_user_clickspeed_filter`
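A Python port of the click-speed logic, added as an offline example and not Splunk's code, run over constructed sessions (one fast bot, one slow but perfectly periodic bot, one human, one short burst). It reproduces two details of the SPL that matter when tuning: `streamstats window=2 range(_time)` yields the gap to the previous event in the same session, so the first event has a delta of 0 and `where TimeDelta>0` drops it (as it drops any two clicks that share a timestamp), and `count` is therefore the number of positive gaps, not the number of clicks; and Splunk's `stdev` is the sample standard deviation, matching `statistics.stdev`.

```python
import re
import statistics
from collections import defaultdict

SESSION_RE = re.compile(r"form_key=(\w+)")   # same capture as the SPL rex on the cookie


def _session_events(form_key, start, gaps):
    """Constructed sample events for one session: a start time plus successive
    inter-click gaps in seconds (test data, not captured traffic)."""
    cookie = f"form_key={form_key}; mage-cache-sessid=true"
    events, t = [{"_time": start, "cookie": cookie}], start
    for gap in gaps:
        t += gap
        events.append({"_time": t, "cookie": cookie})
    return events


SAMPLE_EVENTS = (
    _session_events("bot001", 1_700_000_000.0, [0.25] * 8)                   # fast and regular
    + _session_events("bot002", 1_700_000_100.0, [3.0] * 6)                  # slow but perfectly periodic
    + _session_events("human1", 1_700_000_200.0, [2.1, 5.3, 1.7, 8.9, 3.4, 2.2])
    + _session_events("burst1", 1_700_000_300.0, [0.1] * 3)                  # too few clicks to judge
)


def anomalous_clickspeed(events, min_count=5, max_stdev=0.5, max_avg=0.5):
    """Port of the rule: per session, compute the gaps between consecutive clicks
    and flag sessions with more than `min_count` gaps whose gaps are either
    nearly constant (stdev < max_stdev) or very short (avg < max_avg)."""
    per_session = defaultdict(list)
    for ev in events:
        m = SESSION_RE.search(ev.get("cookie", ""))
        if m:
            per_session[m.group(1)].append(ev["_time"])

    findings = []
    for session_id, times in per_session.items():
        times.sort()
        # gap to previous event; zero gaps (first event, duplicate timestamps) are
        # discarded exactly as `where TimeDelta>0` does in the SPL
        deltas = [b - a for a, b in zip(times, times[1:]) if b - a > 0]
        if len(deltas) <= min_count:          # `where count>5`
            continue
        avg = statistics.mean(deltas)
        sd = statistics.stdev(deltas)         # sample stdev, as Splunk's stdev()
        if sd < max_stdev or avg < max_avg:
            findings.append({
                "session_id": session_id,
                "count": len(deltas),
                "ClickSpeedStdDev": round(sd, 3),
                "ClickSpeedAvg": round(avg, 3),
            })
    return findings


if __name__ == "__main__":
    for finding in anomalous_clickspeed(SAMPLE_EVENTS):
        print(finding)
```

Note that `bot002` is caught purely by cadence: three seconds between clicks is a plausible human pace, but a standard deviation of zero across six gaps is not, which is the periodicity branch of the rule doing its job.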
Web Fraud - Account Harvesting
- source: splunk
- techniques:
- T1136
Description
This search identifies a large number of distinct user accounts registered under the same email domain. It is keyed on login POSTs rather than on the account-creation request, so an account is counted once it has been used to log in.
Detection logic
`stream_http` http_content_type=text* uri="/magento2/customer/account/loginPost/"
| rex field=cookie "form_key=(?<SessionID>\w+)"
| rex field=form_data "login\[username\]=(?<Username>[^&|^$]+)"
| search Username=*
| rex field=Username "@(?<email_domain>.*)"
| stats dc(Username) as UniqueUsernames list(Username) as src_user by email_domain
| where UniqueUsernames>25
| `web_fraud___account_harvesting_filter`
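A Python port of the account-harvesting logic, added here as an example and not Splunk's code, over constructed login POSTs: thirty throwaway accounts on one domain, a repeat login that must not inflate the distinct count, three accounts on a corporate domain, an event on the account-creation URI (ignored, since the rule matches only `loginPost`), and a username without an `@`. One check to make on your own data before trusting the SPL: a browser percent-encodes `@` as `%40` in a form body, and if `form_data` is indexed that way the `@(?<email_domain>.*)` extraction never matches. The port decodes the username first, which is an addition to the rule, and also takes an optional `ignore_domains` set (another addition, not in the SPL) for large shared mail providers that would otherwise exceed 25 accounts legitimately.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

USERNAME_RE = re.compile(r"login\[username\]=([^&|^$]+)")   # same capture as the SPL
DOMAIN_RE = re.compile(r"@(.*)")                             # rex field=Username "@(?<email_domain>.*)"
LOGIN_URI = "/magento2/customer/account/loginPost/"          # exact match, as in the SPL


def _login_post(username, form_key="k1"):
    """Constructed sample event (not captured traffic). The cookie's form_key is
    extracted by the SPL as SessionID but never used, so it is only decorative here."""
    return {
        "uri": LOGIN_URI,
        "cookie": f"form_key={form_key}; mage-cache-sessid=true",
        "form_data": f"form_key={form_key}&login[username]={username}&login[password]=placeholder&send=",
    }


SAMPLE_EVENTS = (
    [_login_post(f"acct{i:03d}%40tempmail.example", form_key="bot9") for i in range(30)]
    + [_login_post("acct007%40tempmail.example", form_key="bot9")]      # repeat login, same account
    + [_login_post(u) for u in ("dana%40corp.example", "eli%40corp.example",
                                 "fay%40corp.example", "dana%40corp.example")]
    + [{"uri": "/magento2/customer/account/create/",
        "form_data": "login[username]=gus%40tempmail.example"}]        # wrong URI, ignored
    + [_login_post("no-at-sign-user")]                                  # no domain, dropped by stats
)


def account_harvesting(events, threshold=25, ignore_domains=frozenset()):
    """Port of the rule: count distinct usernames per email domain across login
    POSTs and report domains with more than `threshold` accounts."""
    users_by_domain = defaultdict(set)
    for ev in events:
        if ev.get("uri") != LOGIN_URI:
            continue
        m = USERNAME_RE.search(ev.get("form_data", ""))
        if not m:
            continue                                   # `search Username=*`
        username = unquote_plus(m.group(1))            # addition: undo %40 -> @ before splitting
        d = DOMAIN_RE.search(username)
        if not d:
            continue                                   # null email_domain is dropped by `stats ... by`
        domain = d.group(1)
        if domain in ignore_domains:                   # addition: allowlist for big shared providers
            continue
        users_by_domain[domain].add(username)

    return [
        {"email_domain": domain, "UniqueUsernames": len(users), "src_user": sorted(users)}
        for domain, users in users_by_domain.items()
        if len(users) > threshold
    ]


if __name__ == "__main__":
    for finding in account_harvesting(SAMPLE_EVENTS):
        print(finding["email_domain"], finding["UniqueUsernames"])
```

The distinct count is what makes the rule usable: the repeated login by `acct007` leaves `UniqueUsernames` at 30, so a single noisy account cannot push a small domain over the threshold on its own.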