Configure Splunk App for Fraud Analytics
Configure the Splunk App for Fraud Analytics by doing the following tasks:
- Display the Splunk App for Fraud Analytics in Splunk Enterprise Security
- Add fraud as a security domain in Splunk Enterprise Security
- Edit fraud source macros
- Match fields in data sources and data models
- Configure Splunk Enterprise Security to display additional fields
Display the Splunk App for Fraud Analytics in Splunk Enterprise Security
Follow these steps to display the Splunk App for Fraud Analytics in the Splunk Enterprise Security menu:
- Within Enterprise Security, select Configure > General > Navigation.
- Click Add a New Collection.
- Click Add Existing.
- In the Select an App dropdown, select Fraud_Analytics_Splunk.
- In the Select a Collection dropdown, select Fraud Analytics.
- Click Save.
- Click Save again for the Edit Navigation page.
Add fraud as a security domain in Splunk Enterprise Security
Follow these steps to add Fraud as a security domain in Splunk Enterprise Security so that you can categorize notable events as fraud:
- Install the Splunk App for Lookup File Editing from Splunkbase.
- Open the Lookup Editor app from the Splunk Enterprise apps dropdown.
- Filter by Security.
- Open security_domains.csv lookup.
- Add a row with fraud in both the security_domain and the label columns.
- Click Save Lookup to save the lookup.
Edit fraud source macros
The fraud data models use fraud source macros to point at the indexes and sourcetypes that hold your fraud data. Editing these macros, rather than the data models themselves, minimizes the need to edit data models, dashboards, and searches. Follow these steps to edit the fraud source macros in the Splunk App for Fraud Analytics:
- Edit the macro indexes_fraud_web to include the correct indexes and data sources for fraud-related web data. The macro indexes_fraud_web is the data source for the fraud_web data model.
- Edit the macro datasources__fraud_account to include the correct indexes and data sources for fraud-related account data. The macro datasources__fraud_account is the data source for the fraud_account data model.
After saving each macro, run a search that expands it (for example, `indexes_fraud_web` followed by a stats count by index and sourcetype) to confirm that it returns events only from the intended indexes before rebuilding or accelerating the data models.
Match fields in data sources and data models
Follow these steps to match fields in data sources and data models:
- Review the field names using the data model definitions listed in the Appendix.
- Match the fields in the data sources with the expected fields in the data models.
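The following Splunk .conf fragments show where the two preceding tasks end up on disk, as an added illustration; they are not part of the app or of Splunk's documentation. The macro names and the app directory Fraud_Analytics_Splunk are taken from this page; the index names, the sourcetype access_combined, and the field names username and user are assumptions standing in for whatever your own data sources and the data model definitions in the Appendix actually use.

```ini
# $SPLUNK_HOME/etc/apps/Fraud_Analytics_Splunk/local/macros.conf
# Local overrides for the fraud source macros. The definitions are search
# fragments that the fraud_web and fraud_account data model constraints expand.

[indexes_fraud_web]
# Assumed: web and proxy logs live in these indexes with this sourcetype.
definition = (index=web OR index=proxy) sourcetype=access_combined
iseval = 0

[datasources__fraud_account]
# Assumed: account lifecycle and login events live in the auth index.
definition = index=auth (sourcetype=app:login OR sourcetype=app:account)
iseval = 0

# $SPLUNK_HOME/etc/apps/Fraud_Analytics_Splunk/local/props.conf
# Map source field names onto the field names the data models expect
# (see the Appendix for the real list). Field aliases are search-time,
# so no re-indexing is needed. Assumed: the source logs call the account
# field "username" while the fraud_web data model expects "user".

[access_combined]
FIELDALIAS-fraud_web_user = username AS user
```

Keep these files in the app's local directory so that app upgrades, which replace default, do not discard the edits. Check the result with a search that expands the macro, for example `indexes_fraud_web` followed by a stats count by index, sourcetype, and user, and confirm that the aliased field is populated before accelerating the data model.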
Configure Splunk Enterprise Security to display additional fields
Follow these steps to configure Enterprise Security to display additional fields on the Incident Review page if the fields are not already enabled:
- Within Enterprise Security, select Configure > Incident Management > Incident Review Settings.
- Scroll to Incident Review - Table and Event Attributes and use the following table to add the fields:
Field names must match the values provided in the table. However, you can change the labels.
Field              Label
risk_score_total   Risk Score Total
AF__DD01           Investigate ════════════➤
AF__DD02           Investigate ════════════➤
AF__DD03           Investigate ════════════➤
AF__DD04           Investigate ════════════➤
AF__DD05           Investigate ════════════➤
This documentation applies to the following versions of Splunk® App for Fraud Analytics: 1.1.3, 1.2.4