Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Alter when a user's behavior is abnormal

Jackiifilwhh
Path Finder
‎04-13-2022 07:00 AM

Background information

In our system, every visit consist of one or more actions. Every action has its name and in Splunk it's a field named "transId". Every time an action triggered, it has an unique sequence and in Splunk it's a field named "gsn". A customer has its unique id and in Splunk it's a field named "uid". During the period of a customer visit our system, he has an unique session id and in Splunk it's a field named "sessionId". If we want to locate a complete operation of a user, we need to use uid and sessionId together. Like many other systems, the order of actions in our system is fixed, under normal circumstances.

What we want

We want to create an alter to monitor the abnormal order of actions. For example, an important action named "D", it is at the last of an action-chain. Under normal circumstances, you must  access our system by the order of actions "A B C D". But some hackers my skip the trans B, which may be an action that verify his identity. The problem is I don't know the command to get abnormal results. We can accept that we need to input the order of actions for every action-chain. It's better to read the order by configuration file.

What I've tried

 

| stats count by sessionId uid transId gsn _time
| sort 0 sessionId uid _time

 

I can get every use's order of actions by this command.

Can you give me some advice? If you want to get more information, you can ask me here.

Best wishes!

Labels (3)
Tags (2)
0 Karma
Reply

tscroggins
Influencer
‎04-17-2022 09:01 AM

@Jackiifilwhh 

A quick and non-scientific approach might just count the number of distinct transId values per sessionId and alert on unexpected count values:

| stats earliest(_time) as _time dc(transId) as dc_transId by sessionId
| where dc_transId!=4

You can also use algorithms from Splunk Machine Learning Toolkit. For example, this search associates a set of training transId values with a sequence value by sessionId and fits the data to a random forest classifier:

| sort 0 _time
| streamstats count as sequence by sessionId 
| fit AutoPrediction transId from sequence into Jackiifilwhh_behavior_model

Th sequence field is similar to your gsn field but local rather than global.

You can subsequently monitor live data with the assumption that all sessions in the time range are complete. Partial sessions will generate false positives:

| sort 0 _time 
| streamstats count as sequence by sessionId 
| apply Jackiifilwhh_behavior_model 
| where 'predicted(transId)'!=transId

 

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...