Splunk® App for Fraud Analytics

User Guide



This documentation does not apply to the most recent version of Splunk® App for Fraud Analytics. For documentation on the most recent version, go to the latest release.

Correlation searches in Splunk App for Fraud Analytics

Splunk App for Fraud Analytics contains the following categories of pre-configured and customizable correlation searches:

  • RR-Fraud*: Risk incident rules that write results to the risk index.
  • Notable-Fraud*: Rules that create notables and write results to the notable index.

The correlation searches scan multiple data sources for defined fraud patterns and perform workflow actions when patterns are identified and the notable events match the search conditions.

The following list gives the name of each correlation search, the correlation search action, and a description.

RR-Fraud-NewAcct-dotted gmail - one or more dots
  Action: Writes to the risk index
  Description: Searches Gmail addresses that include one or more dots in the email. This helps to identify multiple email addresses that point to the same mailbox and assign them a risk score.

  Periods in the Gmail address are ignored, which enables fraudsters to register multiple email addresses that point to a single mailbox. For example: johnasmith = john.asmith = john.a.smith.

  • For email addresses that contain fewer than two dots, risk score = 10.
  • For email addresses that contain fewer than three dots, risk score = 15.
  • For email addresses that contain three or more dots, risk score = 25.

RR-Fraud-NewAcct-duplicate dotted gmail
  Action: Writes to the risk index
  Description: Searches for duplicate emails after normalizing the Gmail address, and identifies the duplicate addresses.

  Periods in the Gmail address are ignored, which enables fraudsters to reposition the dot in the Gmail address and register multiple email addresses that point to the same mailbox. For example: john.smith = joh.nsmith.

RR-Fraud-NewAcct-email-velocity
  Action: Writes to the risk index
  Description: Searches for email addresses that are used by multiple accounts.

RR-Fraud-NewAcct-IP Country NOT USA
  Action: Writes to the risk index
  Description: Searches for IP addresses originating from countries other than the United States that may indicate fraud. This search can be customized for specific countries.

RR-Fraud-NewAcct-IP-Zip-distance over 1000km USA IP
  Action: Writes to the risk index
  Description: Searches by zip code to trace the geolocation of IP addresses originating at a distance greater than 1000 kilometers.

RR-Fraud-NewAcct-shared bank acct
  Action: Writes to the risk index
  Description: Searches for duplicate deposit accounts or email addresses. The risk weight of these searches is lower because this might represent a legitimate scenario.

RR-Fraud-NewAcct-shared IP address
  Action: Writes to the risk index
  Description: Searches for duplicate IP addresses used across multiple accounts for potential fraud.

RR-Fraud-NewAcct-shared passwords
  Action: Writes to the risk index
  Description: Searches for duplicate passwords used across multiple accounts for potential fraud, especially if complex passwords are required.

RR-Fraud-NewAcct-shared phone number
  Action: Writes to the risk index
  Description: Searches for duplicate phone numbers used across multiple accounts for potential fraud.

RR-Fraud -- Excessive Logins - group behavior
  Action: Writes to the risk index
  Description: Searches for excessive login attempts over time, including a higher login count that indicates potential account compromise.

RR-Fraud -- Brute force attack on user
  Action: Writes to the risk index
  Description: Searches for multiple failed logins across multiple usernames and IP addresses that indicate potential fraud through password guessing or testing a list of compromised accounts.

RR-Fraud -- Country of login doesn't match browser language
  Action: Writes to the risk index
  Description: Searches for native languages of specific countries that were accidentally left enabled in browsers. This may indicate potential account hacking attempts, especially in English-speaking countries.

RR-Fraud -- IP hitting multiple user accounts
  Action: Writes to the risk index
  Description: Searches for an IP address that attempts to log in with multiple usernames, which might indicate potential fraud.

RR-Fraud -- Significant edit user profile followed by quick money movement
  Action: Writes to the risk index
  Description: Searches for a combination of events, such as a password change that blocks legitimate users followed by abnormal money movements, which might indicate potential fraud.

RR-Fraud -- Successful logins from different regions
  Action: Writes to the risk index
  Description: Searches for login attempts from different geographical regions in a short time period that might indicate potential account takeover.

RR-Fraud -- Successful logins from multiple IP addresses
  Action: Writes to the risk index
  Description: Searches for successful logins to one user account from different IP addresses in a short time period that might indicate potential account takeover.

RR-Fraud -- Suspicious attempts to login to high value accounts
  Action: Writes to the risk index
  Description: Searches for login attempts and successful logins against a predefined VIP type account. High numbers of failed logins followed by successful logins to VIP accounts can be high-risk indicators of fraud.

Notable-Fraud -- Risk Threshold Exceeded For User - all channels
  Action: Writes to the notable index
  Description: Searches based on the total risk score of the user as defined in the risk index. Creates a notable when the sum of the risk scores is greater than 20.

  Additionally, this search can be filtered based on rule type. This search contains risk incident rules from multiple data models. If multiple rules are triggered from multiple categories, the risk score might be low. However, the associated risk can still be high because the rules pertain to different categories. Using this correlation search requires business knowledge to accurately evaluate risk. For example:

  | where risk_score_total > 35 AND like(source,"%RR-Fraud-NewAcct%") AND like(source,"%RR-Fraud -- %")

Notable-Fraud -- Suspicious Behavior with Risk Exposure
  Action: Writes to the risk index and the notable index
  Description: Searches for a sequence of events such as a combination of money movement, logins, and profile changes. Risk scores associated with such risk notables are high.

Notable-Fraud -- Possible Account Takeover Attack
  Action: Writes to the notable index
  Description: Sets the notable severity from the summed risk score:

  | eval severity=case(risk_score_sum<20,"low", risk_score_sum<30,"medium", risk_score_sum<40,"high", risk_score_sum>=40,"critical")

Notable-Fraud -- New Account risk threshold exceeded
  Action: Writes to the notable index
  Description: Searches for account creation events based on the total score in the risk index and creates a notable when the sum of the risk scores is greater than 20.

  This search takes noisy alerts that create false positives and combines them to provide more meaningful notable events, so that threshold numbers can be tuned accordingly. For example:

  | eval severity=case(risk_score_total<40,"high", risk_score_total>=40,"critical") | eval urgency=case(risk_score_total>100,"critical")
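The following Python example is added here to show, outside Splunk, the logic that the dotted-Gmail rules, the summed risk score, and the severity case() ladder above express: it normalizes Gmail addresses, scores them by dot count, flags accounts that collapse to one mailbox, sums the per-rule scores per user, and raises a notable where the sum exceeds 20. It is not code from the app or this page; the account records and the duplicate-mailbox weight (DUPLICATE_WEIGHT) are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of new-account records (not data from the app or this page).
ACCOUNTS = [
    {"user": "u1", "email": "john.a.smith@gmail.com"},
    {"user": "u2", "email": "johnasmith@gmail.com"},
    {"user": "u3", "email": "j.o.h.nasmith@gmail.com"},
    {"user": "u4", "email": "alice@example.com"},
]
DUPLICATE_WEIGHT = 10  # assumed weight for the duplicate-mailbox rule; the page gives none

def normalize_gmail(email):
    # Gmail ignores dots in the local part, so strip them before comparing addresses.
    local, _, domain = email.lower().partition("@")
    return (local.replace(".", "") if domain == "gmail.com" else local) + "@" + domain

def dotted_gmail_score(email):
    # RR-Fraud-NewAcct-dotted gmail: score by dot count; no dots or non-Gmail is not matched.
    local, _, domain = email.lower().partition("@")
    dots = local.count(".")
    if domain != "gmail.com" or dots == 0:
        return 0
    return 10 if dots < 2 else 15 if dots < 3 else 25

def duplicate_mailbox_users(accounts):
    # RR-Fraud-NewAcct-duplicate dotted gmail: users whose normalized mailbox is shared.
    groups = defaultdict(list)
    for acct in accounts:
        groups[normalize_gmail(acct["email"])].append(acct["user"])
    return {u for users in groups.values() if len(users) > 1 for u in users}

def risk_score_sum(accounts):
    # Accumulate the per-rule scores per user, as the risk index does across rules.
    dup_users = duplicate_mailbox_users(accounts)
    totals = defaultdict(int)
    for acct in accounts:
        totals[acct["user"]] += dotted_gmail_score(acct["email"])
        if acct["user"] in dup_users:
            totals[acct["user"]] += DUPLICATE_WEIGHT
    return dict(totals)

def severity(score):
    # The case() ladder from the Possible Account Takeover Attack notable.
    return "low" if score < 20 else "medium" if score < 30 else "high" if score < 40 else "critical"

def new_account_notables(accounts, threshold=20):
    # One notable per user whose summed risk exceeds the threshold (> 20 on the page).
    return {u: severity(s) for u, s in risk_score_sum(accounts).items() if s > threshold}
```

With the constructed records, u1, u2 and u3 all normalize to the same mailbox, but only u1 and u3 cross the threshold, which is the noisy-alert combination the New Account rule describes.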

Last modified on 10 November, 2023

This documentation applies to the following versions of Splunk® App for Fraud Analytics: 1.1.3

