Suspicious Referring Websites

Goal

Identifies and flags potential brand abuse and phishing attempts by analyzing websites that reference legitimate web resources or the official company website.

Description

The system analyzes daily traffic patterns for each referrer. Referrers exhibiting consistent traffic volumes are categorized as normal, whereas those with unusual volumes are flagged as anomalous.

Characteristics

Name
Suspicious Referring Websites

Data involved

Web data is obtained from the Incapsula vendor, specifically:

  1. The resource requested.

  2. The referer from which the resource was requested.

Alert Generation

This model offers the following configuration method to identify anomalous referrers:

  • Minimum absolute count: Anomaly detection is based on a minimum absolute count of occurrences for a specific referer.

Additionally, the analysis can be configured to consider either the complete referrer string or only the primary DNS entry from the referrer for evaluation.

Raw outputs of the model

A boolean value that indicates if the referer is unusual.
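The sketch below is an added example, not the product's own code. It shows how a per-referrer daily count, a minimum absolute count and the choice between the full referrer string and its host can combine into the boolean output. Assumptions: the `(day, resource, referer)` record layout, the hostname standing in for the "primary DNS entry", the median-based `ratio` rule, all function names, and the constructed sample data.

```python
from collections import defaultdict
from statistics import median
from urllib.parse import urlsplit

def referrer_key(referer, host_only):
    """Full referrer string, or only its hostname when host_only is set."""
    if not host_only:
        return referer
    return (urlsplit(referer).hostname or referer).lower()

def daily_counts(records, host_only=True):
    """records: (day, resource, referer) tuples -> {key: {day: count}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for day, _resource, referer in records:
        if referer:  # direct requests carry no referrer
            counts[referrer_key(referer, host_only)][day] += 1
    return counts

def unusual_referrers(records, day, min_count=20, ratio=3.0, host_only=True):
    """Return {key: bool}; True means the volume on `day` is unusual."""
    flags = {}
    for key, per_day in daily_counts(records, host_only).items():
        today = per_day.get(day, 0)
        history = [c for d, c in per_day.items() if d < day]  # ISO dates sort as text
        baseline = median(history) if history else 0
        # Assumed rule: minimum absolute count reached AND well above baseline.
        flags[key] = today >= min_count and today > ratio * baseline
    return flags

def rows(day, referer, n, resource="/static/logo.png"):
    """Constructed sample data: n identical requests."""
    return [(day, resource, referer)] * n

SAMPLE = (
    [r for d in ("2024-05-01", "2024-05-02", "2024-05-03")
     for r in rows(d, "https://partner.example/links", 30)]
    + rows("2024-05-04", "https://partner.example/links", 32)
    + rows("2024-05-04", "https://clone.test/login", 12)
    + rows("2024-05-04", "https://clone.test/reset", 12)
    + rows("2024-05-04", "https://blog.example/post", 2)
)

if __name__ == "__main__":
    print(unusual_referrers(SAMPLE, "2024-05-04"))
    print(unusual_referrers(SAMPLE, "2024-05-04", host_only=False))
```

In the sample, evaluating by host flags `clone.test` because its two pages together reach the minimum count, while evaluating the complete referrer string leaves each page below it.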
