Splunk Search

What is the best way to get the running average and standard deviations for HTTP request character length?

jwalzerpitt
Influencer

What would be the best way to search for anomalies/outliers for HTTP request character length by source IP? Looking for HTTP requests whose standard deviation may indicate a potential hack/indicator of compromise.

Thx

0 Karma

serjandrosov
Path Finder

You can use MLTK for finding numeric outliers of URLs lenght
https://www.youtube.com/watch?v=BIWXSecdkAM
https://splunkbase.splunk.com/app/2890/

Also look at the DGA App for Splunk. It utilized MLTK to detect botnet traffic from internal network by finding auto-generated domain names.
https://splunkbase.splunk.com/app/2890/

Get Updates on the Splunk Community!

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...

Splunk and Fraud

Watch Now!Watch an insightful webinar where we delve into the innovative approaches to solving fraud using the ...