Detecting Bank Accounts Takeover Fraud Cyberattacks with Splunk. Part 3: The Advanced Negative Look Behind Query
In the final part of this writeup I’ll show you the actual query that does it all and explain how it works.
As a reminder, this is the challenge we want to solve:
Detect and alert when a C-class IP subnet tries to access at least 5 different accounts within an hour and at least 75% of the total accounts touched have never been accessed from this subnet *and* from this USER_AGENT within the last 45 days.
And, as you may remember from Part 1, here’s the basic logic that we need to implement to make it happen:
- Scan the last hour of access log data and find the list of subnets that tried to access multiple accounts within that hour.
- For each of these accounts, take the username, IP and USER_AGENT and scan the previous 45 days of traffic history to find usernames that have never been touched by this IP/USER_AGENT combo.
- Alert if the number of accounts found is above the threshold.
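Before getting to the SPL, here is the same three-step logic written out in plain Python. This is an added example, not the author's query and not Splunk code; it exists so the detection rule can be read and tested on its own. It assumes that "C-class subnet" means the /24 network of the source IP, that an account counts as "new" for a subnet when at least one of its accesses in the last hour used a subnet/USER_AGENT pair that has no history with that account in the previous 45 days, and the sample events are constructed here rather than taken from any real log or summary index.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Fixed "now" so the example is deterministic (constructed, not from the post).
NOW = datetime(2024, 1, 31, 12, 0, 0)
UA_BROWSER = "Mozilla/5.0 (X11; Linux x86_64)"
UA_CLIENT = "curl/8.0"

# Constructed sample events: (timestamp, source_ip, username, user_agent).
# They mimic the shape of the access log (last hour) plus the 45-day
# summary-index history the write-up describes.
SAMPLE_EVENTS = [
    # Too old: 50 days back, outside the 45-day look-back, must be ignored.
    (NOW - timedelta(days=50), "203.0.113.11", "carol", UA_CLIENT),
    # History, 10 days back: this subnet has legitimately used a browser
    # for alice and bob, and 198.51.100.0/24 is a known office range.
    (NOW - timedelta(days=10), "203.0.113.10", "alice", UA_BROWSER),
    (NOW - timedelta(days=10), "203.0.113.10", "bob", UA_BROWSER),
] + [
    (NOW - timedelta(days=10), "198.51.100.20", f"u{i}", UA_BROWSER)
    for i in range(1, 5)
] + [
    # Last hour: one /24 walks six accounts with a client UA never seen
    # from it before (carol's match is older than 45 days).
    (NOW - timedelta(minutes=30), "203.0.113.5", u, UA_CLIENT)
    for u in ("alice", "bob", "carol", "dave", "erin", "frank")
] + [
    # Last hour: the office range touches five accounts, only one of them new.
    (NOW - timedelta(minutes=20), "198.51.100.20", f"u{i}", UA_BROWSER)
    for i in range(1, 6)
] + [
    # Last hour: a subnet touching only two accounts is below the threshold.
    (NOW - timedelta(minutes=10), "192.0.2.7", u, UA_CLIENT)
    for u in ("x1", "x2")
]


def subnet24(ip: str) -> str:
    """Map an IPv4 address to its class-C (/24) network, e.g. 203.0.113.0/24."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def detect_takeover_subnets(events, now=NOW, window=timedelta(hours=1),
                            history=timedelta(days=45),
                            min_accounts=5, min_new_fraction=0.75):
    """Return {subnet: (accounts_touched, new_accounts, new_fraction)} for
    every /24 that meets the alert rule described in the write-up."""
    recent = [e for e in events if now - window <= e[0] <= now]
    past = [e for e in events if now - history <= e[0] < now - window]

    # Step 2's look-back, precomputed once: every (subnet, UA, user) combo
    # seen in the 45 days before the current hour.
    seen = {(subnet24(ip), ua, user) for _, ip, user, ua in past}

    # Step 1: accounts touched per subnet in the last hour, and which of
    # those were reached through a subnet/UA pair with no history.
    touched = defaultdict(set)
    new = defaultdict(set)
    for _, ip, user, ua in recent:
        sn = subnet24(ip)
        touched[sn].add(user)
        if (sn, ua, user) not in seen:
            new[sn].add(user)

    # Step 3: apply both thresholds.
    alerts = {}
    for sn, users in touched.items():
        if len(users) < min_accounts:
            continue
        fraction = len(new[sn]) / len(users)
        if fraction >= min_new_fraction:
            alerts[sn] = (len(users), len(new[sn]), fraction)
    return alerts


if __name__ == "__main__":
    for sn, (total, fresh, frac) in detect_takeover_subnets(SAMPLE_EVENTS).items():
        print(f"ALERT {sn}: {fresh}/{total} accounts never seen from this "
              f"subnet+UA in 45 days ({frac:.0%})")
```

Only 203.0.113.0/24 trips the rule: six accounts in the hour, all six new for that subnet/USER_AGENT pair. The office range touches five accounts but four of them are known, and 192.0.2.0/24 never reaches the five-account floor. Note that the history is filtered to the 45 days *before* the current hour, so an attacker's own activity in the last hour cannot make an account look "known".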
I’ve spent quite a bit of effort coming up with a single query that does all of the above, and in a pretty efficient manner.
The biggest part of the challenge is that the query needs to find events (#1 above) and then run a very custom search for each event against the summary index that we created (#2 above). The icing on this cake is that the query needs to return results only if there are *no matches* found for the second part of the search.
This quickly gets mind-boggling, and it is a rather interesting puzzle to solve in SPL.
The way I solved it is with a combination of macros and an advanced subsearch. But instead of returning traditional results, the subsearch returns a new, custom-crafted Splunk search query to be executed by the outer search.
I named this approach Advanced Negative Look Behind (ANLB) query.
An ANLB query is a query that has these capabilities: