https://community.splunk.com/t5/Splunk-Enterprise-Security/SPL-to-check-for-timing-attacks/m-p/532128#M9523 <P>You may find that ML is overkill for this particular use-case.</P><P>Consider Apache web logs, for example, which can be configured to include the RequestTimeSeconds, which is the time taken to process a request.</P><P>You could then create an alert with something like the following:</P><LI-CODE lang="markup">index=weblogs earliest=-30m@m | eventstats count, avg(RequestTimeSeconds) as avg_rts, stdev(RequestTimeSeconds) as stdev_rts by url | where RequestTimeSeconds&gt;(2*stdev_avg+avg_rts) AND count&gt;10</LI-CODE><P>This will give you a list of URLs that have been accessed more than 10 times, and have occurrences where the time to respond has been over 2 standard deviations above the average (per each URL).</P><P>You can extend this pattern to looking at SQL logs, authentication logs, etc... You can make a longer time window to develop baselines for, keep track on a daily/weekly/monthly basis, make the limits more than 2 standard deviations above the normal, require more than 10, aggregate based on source/client, etc... You will need to play around with these values to determine values that aren't too noisy, yet detect what you are looking for.</P> Sun, 06 Dec 2020 22:28:13 GMT sduff_splunk 2020-12-06T22:28:13Z https://community.splunk.com/t5/Splunk-Enterprise-Security/SPL-to-check-for-timing-attacks/m-p/532122#M9520 <P>Hello fellow splunkers,</P><P>I would like to know if someone has come across a way to determine via a splunk query timing attacks, I have read some posts on github pointing out to useful information but still nothing concrete.</P><P>I know we could do something with machine learning but not sure how to deal with it deeply in order to check for so.</P><P>Thanks so much,</P> Sun, 06 Dec 2020 17:35:20 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/SPL-to-check-for-timing-attacks/m-p/532122#M9520 jogonz20 2020-12-06T17:35:20Z https://community.splunk.com/t5/Splunk-Enterprise-Security/SPL-to-check-for-timing-attacks/m-p/532126#M9522 <P>Please explain your use case.&nbsp; What is a "timing attack"?&nbsp; How would you detect one?</P> Sun, 06 Dec 2020 21:41:07 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/SPL-to-check-for-timing-attacks/m-p/532126#M9522 richgalloway 2020-12-06T21:41:07Z https://community.splunk.com/t5/Splunk-Enterprise-Security/SPL-to-check-for-timing-attacks/m-p/532128#M9523 <P>You may find that ML is overkill for this particular use-case.</P><P>Consider Apache web logs, for example, which can be configured to include the RequestTimeSeconds, which is the time taken to process a request.</P><P>You could then create an alert with something like the following:</P><LI-CODE lang="markup">index=weblogs earliest=-30m@m | eventstats count, avg(RequestTimeSeconds) as avg_rts, stdev(RequestTimeSeconds) as stdev_rts by url | where RequestTimeSeconds&gt;(2*stdev_avg+avg_rts) AND count&gt;10</LI-CODE><P>This will give you a list of URLs that have been accessed more than 10 times, and have occurrences where the time to respond has been over 2 standard deviations above the average (per each URL).</P><P>You can extend this pattern to looking at SQL logs, authentication logs, etc... You can make a longer time window to develop baselines for, keep track on a daily/weekly/monthly basis, make the limits more than 2 standard deviations above the normal, require more than 10, aggregate based on source/client, etc... You will need to play around with these values to determine values that aren't too noisy, yet detect what you are looking for.</P> Sun, 06 Dec 2020 22:28:13 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/SPL-to-check-for-timing-attacks/m-p/532128#M9523 sduff_splunk 2020-12-06T22:28:13Z