What would be the best way to search for anomalies/outliers for HTTP request character length by source IP? Looking for HTTP requests whose standard deviation may indicate a potential hack/indicator of compromise.
Thx
You can use MLTK for finding numeric outliers of URL length
https://www.youtube.com/watch?v=BIWXSecdkAM
https://splunkbase.splunk.com/app/2890/
Also look at the DGA App for Splunk. It utilized MLTK to detect botnet traffic from internal network by finding auto-generated domain names.
https://splunkbase.splunk.com/app/2890/
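As an added example (not from this thread and not MLTK's own code), here is the per-source-IP standard-deviation check the question describes, in Python over constructed log lines; it does what a Splunk search with `eventstats avg(uri_len) stdev(uri_len) by src_ip` followed by a z-score filter would do, and it also covers sources with too few requests or a zero standard deviation. The log format, field names and thresholds are assumptions.

```python
import statistics
from collections import defaultdict

# Constructed sample access-log lines (not real traffic), "src_ip method uri":
# 10.0.0.5 has nine ordinary URIs and one 100-character one, 10.0.0.9 has too
# few requests to baseline, and the last line is malformed and is skipped.
SAMPLE_LOG = "\n".join([
    "10.0.0.5 GET /index.html",
    "10.0.0.5 GET /about",
    "10.0.0.5 GET /products/list",
    "10.0.0.5 GET /contact",
    "10.0.0.5 GET /login?next=/account",
    "10.0.0.5 GET /css/main.css",
    "10.0.0.5 GET /js/app.js",
    "10.0.0.5 GET /products/42",
    "10.0.0.5 GET /cart",
    "10.0.0.5 GET /search?q=" + "A" * 90,
    "10.0.0.9 GET /index.html",
    "10.0.0.9 GET /about",
    "this line is not an access-log record",
])

def parse(log_text):
    """Yield (src_ip, uri_length); lines that are not "ip method uri" are skipped."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) == 3:
            yield fields[0], len(fields[2])

def find_outliers(log_text, z_threshold=2.0, min_samples=5):
    """Return (src_ip, uri_length, z) for requests whose URI length lies more
    than z_threshold standard deviations from that source IP's own mean (a
    per-source baseline, not one global threshold). Sources with fewer than
    min_samples requests are skipped: a handful of events is no baseline."""
    by_ip = defaultdict(list)
    for src_ip, length in parse(log_text):
        by_ip[src_ip].append(length)
    outliers = []
    for src_ip, lengths in sorted(by_ip.items()):
        if len(lengths) < min_samples:
            continue
        mean = statistics.fmean(lengths)
        stdev = statistics.pstdev(lengths)
        if stdev == 0:  # every request the same length: nothing to rank
            continue
        for length in lengths:
            z = (length - mean) / stdev
            if abs(z) > z_threshold:
                outliers.append((src_ip, length, round(z, 2)))
    return outliers
```

On the sample data only the 100-character request from 10.0.0.5 is reported (z is roughly 2.97); a single outlier can only reach about sqrt(n) standard deviations when the baseline has n events, so the threshold must be chosen with the per-source sample size in mind.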