In this recipe, you will write a relatively simple real-time per-result type of alert to look for abnormal user behavior. The abnormal behavior you will be looking for is successful payments that did not go through the checkout process.
To step through this recipe, you will need a running Splunk Enterprise server, with the sample data loaded from Chapter 1, Play Time – Getting Data In. You should be familiar with navigating the Splunk user interface. You should also have configured the e-mail settings on your Splunk server to enable the delivery of e-mail alerts.
Follow the steps in this recipe to create an alert when abnormal user behavior occurs:
index=main sourcetype=log4j requestType=checkout (numberOfItems>10 OR total>3000) | table ipAddress, numberOfItems, total, invoice, customerId, paymentId, orderId
This recipe revolved around a fairly simplistic search that looked for purchase events that included more than 10 items or where the total value of the purchase was greater than $3,000. This might be considered abnormal in an environment where typical purchases involve two items and the total value is less than $1,000. Simplicity aside, it served to illustrate how a per-result type of alert functions. Essentially, as soon as a matching result is detected, the alert is triggered. The search runs over All time, in real time, just waiting and watching for a matching event to come in. There was no throttling enabled, so if five matching events were to come in, then the alert would be triggered five times. A per-result type of alert would not have been suitable for the previous recipe, as the previous recipe relied on a number of events over time being transacted together.
There are many different aspects of abnormal user behavior that you might wish to alert on, and this recipe touched on a rather obvious abnormality. For example, a more discrete user behavior might be where a successful order is made but there is no checkout event. This might indicate unauthorized access to the backend database, where an order has been made without actually paying for it.
In order to detect purchases where no checkout event exists, you will use a similar search as you did in the previous recipe (Alerting on errors during checkout in real time). A transactional search is required to group the entire thread together; once this has been performed, you can look for the threads that do not include the requestType
checkout. The search will be as follows:
index=main sourcetype=log4j | transaction threadId maxspan=5m | search paymentReceived="Y" result="success" NOT requestType="checkout" | stats count by threadId, sessionId, orderId, invoice, paymentId, result
You cannot use a per-result alert type for this alert as it is transactional in nature, grouping events together over a time period. Instead, a rolling-window alert type should be used.
18.220.11.34