Web Fraud - Anomalous User Clickspeed

Description

This search examines web sessions to identify those where clicks occur too quickly for a human, or occur with a near-perfect cadence (high periodicity or low standard deviation), resembling a script-driven session.


Use Case

Other

Category

Abuse

Alert Volume

SPL Difficulty

None

Journey

Stage 1

MITRE ATT&CK Tactics

Defense Evasion
Persistence
Privilege Escalation
Initial Access

MITRE ATT&CK Techniques

Valid Accounts

MITRE Threat Groups

APT18
APT28
APT33
APT39
APT41
Carbanak
Chimera
Dragonfly 2.0
FIN10
FIN4
FIN5
FIN6
FIN8
Leviathan
Night Dragon
OilRig
PittyTiger
Sandworm Team
Silence
Soft Cell
Suckfly
TEMP.Veles
Threat Group-3390
Wizard Spider
menuPass

Kill Chain Phases

Actions On Objectives

Web Fraud - Anomalous User Clickspeed Help

Start with a dataset that lets you see clickstream data for each user click on the website. That data must have a timestamp and must contain a reference to the session identifier used by the website, which is what ties the individual clicks together into clickstreams. This value is usually found in the HTTP cookie. With a bit of tuning, a version of this search could be used in high-volume scenarios such as scraping, crawling, application DDoS, credit-card testing, account takeover, etc. Common data sources used for this detection are customized Apache logs, customized IIS logs, and Splunk Stream.
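The timing check described above, sketched in Python as an added example (it is not the Splunk search shipped with this content): clicks are grouped by session identifier, the gaps between consecutive clicks are computed, and a session is flagged when the mean gap is too short or the standard deviation of the gaps is too low. The log line layout, the session names and all three thresholds are assumptions chosen for illustration.

```python
import statistics
from collections import defaultdict

# Assumed thresholds (tune per site; not taken from the original search).
MIN_CLICKS = 5        # sessions shorter than this are too small to judge
MIN_MEAN_GAP = 1.0    # seconds; a faster average than this is not human
MIN_STDEV_GAP = 0.5   # seconds; less jitter than this is a fixed cadence

# Constructed sample: "<epoch seconds> <session id from cookie> <uri>"
SAMPLE_LOG = """\
1000.0 human01 /home
1000.0 fast01 /login
1000.2 fast01 /login
1000.35 fast01 /login
1000.6 fast01 /login
1000.8 fast01 /login
1007.2 human01 /search
1028.7 human01 /item/4
1032.8 human01 /cart
1070.8 human01 /checkout
2000.0 tick01 /catalog?page=1
2005.0 tick01 /catalog?page=2
2010.0 tick01 /catalog?page=3
2015.0 tick01 /catalog?page=4
2020.0 tick01 /catalog?page=5
3000.0 short01 /home
3000.1 short01 /favicon.ico
"""


def score_sessions(log_text):
    """Return {session_id: reason} for sessions whose click timing looks scripted."""
    clicks = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, session, _uri = line.split(maxsplit=2)
        clicks[session].append(float(ts))
    flagged = {}
    for session, times in clicks.items():
        if len(times) < MIN_CLICKS:
            continue  # not enough clicks for meaningful statistics
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        if statistics.mean(gaps) < MIN_MEAN_GAP:
            flagged[session] = "too_fast"
        elif statistics.stdev(gaps) < MIN_STDEV_GAP:
            flagged[session] = "fixed_cadence"
    return flagged
```

The minimum click count matters for alert volume: without it, two near-simultaneous requests from one page load (as in the `short01` session) would be flagged as a fast session.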
