Detecting Bank Account Takeover Fraud Cyberattacks with Splunk. Part 2: Building a Reference Summary Index of Login Data
Summary indexing is a great way to speed up Splunk searches by pre-computing a subset of only the data needed for a specific purpose. In our case we need to filter, out of all available web traffic data, only the login events. This gives us a very fast, much smaller data subset that still carries all the information we need to reference against when matching new, suspicious login events. Keep in mind that the summary index only holds what a scheduled search has written into it, so it must be populated continuously (and backfilled for the historical period you want to compare against) before it is useful as a reference.
To proceed with building the summary index we need to make a set of assumptions. These assumptions are needed to build the query and all other elements of the solution. You'll be able to substitute your own names for these later on if you want to.
- Let's assume your web logs, with all the event data, are already indexed in Splunk.
- All web events are located within the index named: logs
- Field names (or aliases):
  - HTTP request method (GET, POST, HEAD, etc.): method
  - URL of page accessed: page
  - Username field: username
  - IP address of visitor: ip
  - USER_AGENT value: ua
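To make the assumptions above concrete, here is an added example (not a query from the original post) of the kind of scheduled search that populates such a summary index using exactly those field names. It assumes the login form is submitted with a POST to a page called /login, that the summary index is named summary_logins, and that the search is scheduled to run hourly over the previous full hour; all three are assumptions you would replace with your own values.

```spl
index=logs method=POST page="/login" earliest=-1h@h latest=@h
| fields _time username ip ua method page
| collect index=summary_logins source="web_logins" marker="summary_type=web_logins"
```

The `fields` command keeps the summary small by dropping everything except what later matching needs; `collect` writes the surviving events into the summary index, and the `marker` adds a fixed field so summary events are easy to distinguish from anything else that might land in that index. The earliest/latest bounds are aligned to the hour so consecutive scheduled runs neither overlap nor leave gaps, which matters because `collect` will happily write duplicate events if the same window is searched twice.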
To generate the summary index of login data, we first need to create the index itself.