Splunk® App for Fraud Analytics

User Guide


Configure Splunk App for Fraud Analytics

Configure the Splunk App for Fraud Analytics by doing the following tasks:


Display the Splunk App for Fraud Analytics in Splunk Enterprise Security

Follow these steps to display the Splunk App for Fraud Analytics in the Splunk Enterprise Security menu:

  1. Within Enterprise Security, select Configure > General > Navigation.
  2. Click Add a New Collection.
  3. Click Add Existing.
  4. In the Select an App dropdown, select Fraud_Analytics_Splunk.
  5. In the Select a Collection dropdown, select Fraud Analytics.
  6. Click Save.
  7. Click Save again for the Edit Navigation page.

Add fraud as a security domain in Splunk Enterprise Security

Follow these steps to add Fraud as a security domain in Splunk Enterprise Security so that you can categorize notable events as fraud:

  1. Install the Splunk App for Lookup File Editing from Splunkbase.
  2. Open the Lookup Editor app from the Splunk Enterprise apps dropdown.
  3. Filter by Security.
  4. Open security_domains.csv lookup.
  5. Add fraud for the security_domain and the label columns.
  6. Click Save Lookup to save the lookup.

Edit fraud source macros

Data models use fraud source macros to point to fraud data sources. Editing these fraud source macros minimizes the need to edit data models, dashboards, and searches. Follow these steps to edit the fraud source macros in the Splunk App for Fraud Analytics:

  1. Edit the macro indexes_fraud_web to include the correct indexes and data sources for fraud-related data.
    The macro indexes_fraud_web is the data source for the fraud_web data model.
  2. Edit the macro datasources__fraud_account to include the correct indexes and data sources for fraud-related data.
    The macro datasources__fraud_account is the data source for the fraud_account data model.
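As an added illustration that is not part of the Splunk documentation, this is how the two macros could look once edited in the app's local macros.conf. The file path follows the standard Splunk layout for the Fraud_Analytics_Splunk app, and every index and sourcetype value is a constructed placeholder to replace with your own fraud data sources.

```ini
# Constructed example: $SPLUNK_HOME/etc/apps/Fraud_Analytics_Splunk/local/macros.conf
# The index and sourcetype names are placeholders, not values from the app;
# point them at the indexes that actually hold your fraud-related events.

# Base search consumed by the fraud_web data model
[indexes_fraud_web]
definition = (index=web OR index=proxy) sourcetype=access_combined

# Base search consumed by the fraud_account data model
[datasources__fraud_account]
definition = index=app_logs sourcetype=account_activity
```

The same definitions can be entered through Settings > Advanced search > Search macros instead of editing the file directly; after changing them, confirm the data models still accelerate and return events.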

Match fields in data sources and data models

Follow these steps to match fields in data sources and data models:

  1. Review the field names using the data model definitions listed in the Appendix.
  2. Match the fields in the data sources with the expected fields in the data models.

Configure Splunk Enterprise Security to display additional fields

Follow these steps to configure Enterprise Security to display additional fields if they are not already enabled:

  1. Within Enterprise Security, select Configure > Incident Management > Incident Review Settings.
  2. Scroll to Incident Review - Table and Event Attributes and use the following table to add the fields:

    Field names must match the values provided in the table. However, you can change the labels.

    Field              Label
    risk_score_total   Risk Score Total
    AF__DD01           Investigate ════════════➤
    AF__DD02           Investigate ════════════➤
    AF__DD03           Investigate ════════════➤
    AF__DD04           Investigate ════════════➤
    AF__DD05           Investigate ════════════➤
Last modified on 22 February, 2024

This documentation applies to the following versions of Splunk® App for Fraud Analytics: 1.1.3, 1.2.4
