
Summary
The 'Web Fraud - Anomalous User Clickspeed' detection rule aims to identify automated, script-driven user sessions on websites by analyzing the speed at which user clicks occur. It uses clickstream data to detect anomalies in user behavior, specifically an unusual click cadence that would be atypical for human interaction. The detection mechanism is a search query that extracts session identifiers from cookies, evaluates the time intervals between successive clicks, and applies statistical measures such as the standard deviation and the average click speed per session. It flags sessions in which clicks are recorded at a significantly high frequency or with little variation between clicks, which indicates possible fraudulent activity such as web scraping, credential stuffing, or automated bot traffic. The rule is designed for high-volume scenarios and relies on common web server logs, such as customized Apache or IIS logs, for implementation. Although it provides a means to flag potentially fraudulent actions, the detection is known to produce false positives, since legitimate user actions may sometimes resemble automated behavior. Overall, this rule serves as a protective measure against various forms of web fraud by highlighting potentially suspicious user interactions.
Categories
- Web
- Application
- Identity Management
Data Sources
- Web Credential
- Application Log
- Network Traffic
ATT&CK Techniques
- T1078
Created: 2024-11-14
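To make the mechanism described in the summary concrete, here is an added Python sketch of the same logic (example code written for this page, not the rule's own search): it pulls a session id out of the cookie field of constructed access-log lines, computes the gaps between successive clicks per session, and flags sessions whose average gap or standard deviation falls below a threshold. The cookie name `sid`, the log layout and the threshold values are assumptions.

```python
import re
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample access-log lines (not real traffic). One human-like
# session with irregular gaps and one session clicking once per second.
SAMPLE_LOG = """\
2024-11-14T10:00:00 GET /product/1 cookie="sid=human1; theme=dark"
2024-11-14T10:00:07 GET /product/2 cookie="sid=human1; theme=dark"
2024-11-14T10:00:25 GET /cart cookie="sid=human1; theme=dark"
2024-11-14T10:00:31 GET /checkout cookie="sid=human1; theme=dark"
2024-11-14T10:00:00 GET /product/1 cookie="sid=bot42"
2024-11-14T10:00:01 GET /product/2 cookie="sid=bot42"
2024-11-14T10:00:02 GET /product/3 cookie="sid=bot42"
2024-11-14T10:00:03 GET /product/4 cookie="sid=bot42"
2024-11-14T10:00:04 GET /product/5 cookie="sid=bot42"
"""

# Assumed log layout: "<iso-timestamp> <method> <path> cookie="<cookie header>"
LINE_RE = re.compile(r'^(\S+) \S+ \S+ cookie="([^"]*)"')
# Assumed session cookie name; the real rule's cookie name may differ.
SID_RE = re.compile(r'(?:^|;\s*)sid=([^;]+)')


def parse_clicks(log_text):
    """Return {session_id: [click timestamps]} extracted from the cookie field."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed layout
        sid = SID_RE.search(m.group(2))
        if not sid:
            continue  # no session cookie, nothing to attribute the click to
        sessions.setdefault(sid.group(1), []).append(datetime.fromisoformat(m.group(1)))
    return sessions


def score_sessions(sessions, min_clicks=4, max_avg_gap=2.0, max_stdev=1.0):
    """Per session: average and standard deviation of inter-click gaps (seconds).
    A session is flagged when clicks are very frequent (low average gap) or
    unnaturally regular (low standard deviation). Thresholds are illustrative."""
    results = {}
    for sid, stamps in sessions.items():
        stamps = sorted(stamps)
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(stamps) < min_clicks:
            continue  # too few clicks to judge cadence; avoids trivial flags
        avg, sd = mean(gaps), pstdev(gaps)
        results[sid] = {"clicks": len(stamps), "avg_gap": avg, "stdev_gap": sd,
                        "flagged": avg <= max_avg_gap or sd <= max_stdev}
    return results
```

Running `score_sessions(parse_clicks(SAMPLE_LOG))` flags `bot42` (average gap 1.0 s, standard deviation 0) and leaves `human1` unflagged; the summary's false-positive caveat applies to the thresholds, which must be tuned against real traffic.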