
Summary
The Web Fraud - Account Harvesting detection rule identifies instances where many user accounts are created using the same email domain in a Magento2 e-commerce deployment. The detection logic is a Splunk search over HTTP stream data that targets the URI path used for the account creation process. The implementation first extracts the session ID and the submitted usernames from the HTTP request data, then parses the email domain from each username. Statistical aggregation over these values flags any email domain with more than 25 unique usernames, which highlights potentially fraudulent bulk account creation. The rule is marked as deprecated, and users are advised to customize it for their environment to improve accuracy and reduce false positives. Additional contextual checks are recommended, such as examining device IDs or analyzing registration patterns over time, to increase the fidelity of results.
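The extraction and aggregation steps described above, as an added Python example that is not the rule's own SPL. It runs over constructed HTTP stream events; the URI path, the form field name `email`, and the field names `session_id`, `uri_path` and `form_data` are assumptions for this example and should be checked against your Magento2 deployment.

```python
from collections import defaultdict
from urllib.parse import parse_qs

# Assumed Magento2 account-creation POST path; confirm against your deployment.
CREATE_ACCOUNT_PATH = "/customer/account/createpost/"
THRESHOLD = 25  # unique usernames per email domain, as stated in the rule summary


def build_sample_events():
    """Constructed HTTP stream events standing in for stream:http data; not real traffic."""
    events = []
    # 30 distinct registrations from one throwaway domain, each in a new session.
    for i in range(30):
        events.append({"session_id": f"sess-{i:04d}", "uri_path": CREATE_ACCOUNT_PATH,
                       "form_data": f"firstname=Bulk&email=user{i}%40bulk-mail.example&password=x"})
    # The same user retrying must not inflate the distinct count.
    events.append({"session_id": "sess-0000", "uri_path": CREATE_ACCOUNT_PATH,
                   "form_data": "email=user0%40bulk-mail.example&password=x"})
    # A few ordinary registrations from a large mail provider stay under the threshold.
    for i in range(3):
        events.append({"session_id": f"sess-n{i}", "uri_path": CREATE_ACCOUNT_PATH,
                       "form_data": f"email=person{i}%40example.com&password=x"})
    # Noise: a login POST on another path, and a malformed address.
    events.append({"session_id": "sess-login", "uri_path": "/customer/account/loginpost/",
                   "form_data": "login%5Busername%5D=person0%40example.com"})
    events.append({"session_id": "sess-bad", "uri_path": CREATE_ACCOUNT_PATH,
                   "form_data": "email=not-an-address&password=x"})
    return events


def extract_username(event):
    """Return the submitted email (username) from a create-account POST, else None."""
    if event.get("uri_path") != CREATE_ACCOUNT_PATH:
        return None
    username = parse_qs(event.get("form_data", "")).get("email", [None])[0]
    if not username or "@" not in username:
        return None
    return username.lower()


def harvested_domains(events, threshold=THRESHOLD):
    """Count distinct usernames per email domain; return domains above the threshold."""
    usernames_by_domain = defaultdict(set)
    for event in events:
        username = extract_username(event)
        if username:
            usernames_by_domain[username.rsplit("@", 1)[1]].add(username)
    return {domain: len(users) for domain, users in usernames_by_domain.items()
            if len(users) > threshold}


if __name__ == "__main__":
    print(harvested_domains(build_sample_events()))  # {'bulk-mail.example': 30}
```

Lowering the threshold or adding a device ID dimension to the aggregation key is where the environment-specific tuning the summary recommends would go.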
Categories
- Web
- Application
Data Sources
- Web Credential
- Application Log
ATT&CK Techniques
- T1136
Created: 2024-11-14