Navigation :

Web Fraud - Password Sharing Across Accounts

Description

This search is used to identify user accounts that share a common password.

Help
Web Fraud - Password Sharing Across Accounts Help We need to start with a dataset that allows us to see the values of usernames and passwords that users are submitting to the website hosting the Magento2 e-commerce platform (commonly found in the HTTP form_data field). A tokenized or hashed value of a password is acceptable and certainly preferable to a clear-text password. Common data sources used for this detection are customized Apache logs, customized IIS, and Splunk Stream.

Help

Web Fraud - Password Sharing Across Accounts Help

We need to start with a dataset that allows us to see the values of usernames and passwords that users are submitting to the website hosting the Magento2 e-commerce platform (commonly found in the HTTP form_data field). A tokenized or hashed value of a password is acceptable and certainly preferable to a clear-text password. Common data sources used for this detection are customized Apache logs, customized IIS, and Splunk Stream.

Search
`stream_http` http_content_type=text* uri=/magento2/customer/account/loginPost* \| rex field=form_data "login\[username\]=(?<Username>[^&\|^$]+)" \| rex field=form_data "login\[password\]=(?<Password>[^&\|^$]+)" \| stats dc(Username) as UniqueUsernames values(Username) as user list(src_ip) as src_ip by Password\|where UniqueUsernames>5 \| `web_fraud___password_sharing_across_accounts_filter` Open in Search

Search

`stream_http` http_content_type=text* uri=/magento2/customer/account/loginPost*  | rex field=form_data "login\[username\]=(?<Username>[^&|^$]+)" | rex field=form_data "login\[password\]=(?<Password>[^&|^$]+)" | stats dc(Username) as UniqueUsernames values(Username) as user list(src_ip) as src_ip by Password|where UniqueUsernames>5 | `web_fraud___password_sharing_across_accounts_filter`

Open in Search