Data model definitions
Use the following tables for information on the fields in the fraud-related data models. The Source column states how each field is populated: Extracted from the event, Inherited from Splunk metadata, computed by an Eval Expression, resolved by Geo IP, or read from a Lookup.
Fraud account data model
Name | Description | Example | Format | Source |
---|---|---|---|---|
acc_age | Age of the account (in days) | 107 | Number | Extracted |
acc_holder_dob | Date of birth | 05/25/1995 | String | Extracted |
acc_holder_first_name | First name | John | String | Extracted |
acc_holder_last_name | Last name | Smith | String | Extracted |
acc_holder_middle | Middle initial | P | String | Extracted |
acc_status | Account status | Approve | String | Extracted |
addr_home_city | City of home address | Seattle | String | Extracted |
addr_home_state | State of home address | Washington | String | Extracted |
addr_home_zip | ZIP code of home address | 92017 | Number | Extracted |
addr_home_zip_lat | Latitude of ZIP code | | String | Lookup |
addr_home_zip_lon | Longitude of ZIP code | | String | Lookup |
deviceid | Device identifier | | | |
direct_deposit | Destination account for funds | 12345678 | Number | Extracted |
email | Email address | john.smith@gmail.com | String | Extracted |
email_domain_root | Email address domain (root) | gmail | String | Eval Expression |
email_domain_tld | Email address domain (top level) | gmail.com | String | Eval Expression |
email_normalized | Normalized email address (includes the name) | johnsmith@gmail.com | String | Eval Expression |
host | Host of the data source | | String | Inherited |
http_accept | Client accept media type values | | String | Extracted |
http_accept_language | Client accepted languages | | String | Extracted |
http_content_type | Media type sent to recipient | | String | Extracted |
http_method | HTTP request method (POST, GET, and so on) | | String | Extracted |
http_referer | Referring URL | | String | Extracted |
http_user_agent | Web browser identifier | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393 | String | Extracted |
mmn | Mother's maiden name | Smith | String | Extracted |
occupation | Occupation | Janitor | String | Extracted |
password | Password | Hash of pwd | String | Eval Expression |
phone_home | Home phone number | 209-121-2398 | String | Extracted |
r_10 | Deprecated | | Number | Eval Expression |
source | Source of the data source | | String | Inherited |
sourcetype | Sourcetype of the data source | | String | Inherited |
src_ip | IP address logged for the event | 123.10.10.234 | IPv4 | Extracted |
src_ip_City | City corresponding to the IP address | Los Angeles | String | Geo IP |
src_ip_Country | Country corresponding to the IP address | United States | String | Geo IP |
src_ip_lat | Latitude corresponding to the IP address | | String | Geo IP |
src_ip_lon | Longitude corresponding to the IP address | | String | Geo IP |
src_ip_Region | State or province corresponding to the IP address | Florida | String | Geo IP |
ssn | Social Security number | 172-90-9201 | String | Extracted |
uniqueid | Credit or benefits application ID, or a permanent user ID that supersedes SSN or username | | String | Extracted |
username | Username | barneysmith | String | Extracted |
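The email_normalized, email_domain_tld and email_domain_root fields are produced by eval expressions that this page does not reproduce. The following Python is an added illustration of the derivation and of why it matters for fraud detection (dot, plus-tag and case variants of one mailbox registering several accounts); it is not the app's own code. The normalization rules, the list of dot-insensitive providers and the sample accounts are assumptions made for the example, chosen to match the gmail example in the table above.

```python
"""Derived e-mail fields for the fraud account data model (added example).

Assumed rules, marked in comments: lower-case the address, strip a '+tag'
suffix from the local part, drop dots in the local part for dot-insensitive
providers. email_domain_tld is taken to be the full domain and
email_domain_root the domain without its last label (gmail.com -> gmail).
"""
from collections import defaultdict

# Assumption: providers that ignore dots in the local part.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def email_fields(email):
    """Return email_normalized, email_domain_tld and email_domain_root."""
    local, _, domain = email.strip().lower().rpartition("@")
    if not local or not domain:
        # Malformed address: leave the derived fields empty rather than guess.
        return {"email_normalized": "", "email_domain_tld": "", "email_domain_root": ""}
    local = local.split("+", 1)[0]          # drop +tag (assumption)
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "")      # j.o.h.n.smith -> johnsmith
    root = domain.rsplit(".", 1)[0]         # gmail.com -> gmail
    return {
        "email_normalized": f"{local}@{domain}",
        "email_domain_tld": domain,
        "email_domain_root": root,
    }


# Constructed sample accounts: (username, email as entered at signup).
SAMPLE_ACCOUNTS = [
    ("jsmith", "john.smith@gmail.com"),
    ("jsmith2", "JohnSmith+promo@gmail.com"),
    ("jsmith3", "j.o.h.n.smith@gmail.com"),
    ("jane", "jane@example.org"),
    ("jane2", "Jane@example.org"),
    ("broken", "not-an-address"),
]


def shared_email_accounts(accounts):
    """Group usernames by email_normalized.

    Groups with two or more usernames are candidate duplicate-account
    clusters: distinct raw addresses that all deliver to one mailbox.
    """
    groups = defaultdict(list)
    for username, email in accounts:
        norm = email_fields(email)["email_normalized"]
        if norm:
            groups[norm].append(username)
    return {norm: sorted(users) for norm, users in groups.items() if len(users) > 1}


if __name__ == "__main__":
    for norm, users in shared_email_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{norm}: {', '.join(users)}")
```

Match on email_normalized rather than on the raw email field when counting accounts per mailbox; a comparison on the raw value treats the three gmail variants above as three different people.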
Fraud web data model
Name | Description | Example | Format | Source |
---|---|---|---|---|
accept_language | Language accepted by the browser | | String | Extracted |
action | High-level action taken by the user. See SPL example. | login, logout, money_movement | String | Extracted |
actions | Multivalue field containing all actions per user session | | String | Extracted |
bill_payments_num | Number of bill_payment actions per session | | Number | Extracted |
bytes_in | Bytes transferred to the server during the HTTP request | | Number | Extracted |
bytes_in_total | Sum of bytes_in per session | | Number | Extracted |
bytes_out | Bytes transferred from the server during the HTTP response | | Number | Extracted |
bytes_out_total | Sum of bytes_out per session | | Number | Extracted |
City | Resolved city of the IP address | | String | Extracted |
Countries_num | Number of distinct countries the IP addresses originate from within the same session | | Number | Extracted |
Country | Resolved country of the IP address | | String | Extracted |
date_hour | Splunk field, _time derivative | | Number | Extracted |
date_mday | Splunk field, _time derivative | | Number | Extracted |
date_month | Splunk field, _time derivative | | String | Extracted |
date_wday | Splunk field, _time derivative | | String | Extracted |
date_year | Splunk field, _time derivative | | Number | Extracted |
date_zone | Splunk field, _time derivative | | Number | Extracted |
deposit_checks_num | Number of deposit_check actions within the same session | | Number | Extracted |
errors | Number of errors (HTTP status 400 and above) within the same session. See SPL example. | | Number | Extracted |
host | Host value | | String | Inherited |
http_accept | Client accept media type values | See RFC 2616 | String | Extracted |
http_accept_language | Client accepted languages | See RFC 2616 | String | Extracted |
http_content_type | Media type sent to recipient | See RFC 2616 | String | Extracted |
http_method | HTTP request method | POST, GET, and so on | String | Extracted |
http_referer | Referring URL | | String | Extracted |
http_user_agent | Browser identifier | | String | Extracted |
http_user_agents_num | Number of unique user agents per session | | Number | Extracted |
ip_16_subnet | The two high octets of the IP field. See SPL example. | | String | Extracted |
ip_16_subnets | Multivalue field with all subnets | | String | Extracted |
ip_16_subnets_num | Number of unique subnets per session | | Number | Extracted |
ip_subnet_16 | Deprecated | | String | Extracted |
ip_subnet_24 | Deprecated | | String | Extracted |
is_aggregator | 0 or 1. If 1, the source IP belongs to an aggregator; these events can typically be filtered out. | | Number | Extracted |
languages | Multivalue field containing all variations of http_accept_language within the same session | | String | Extracted |
logged_in | 1: successful login, 0: failed login | | Number | Extracted |
logins_success_num | Number of successful logins within the same session | | Number | Extracted |
money_movements_num | Number of money_movement events within the same session | | Number | Extracted |
r_10 | Deprecated | | Number | Eval Expression |
r_100 | Deprecated | | Number | Eval Expression |
r_1000 | Deprecated | | Number | Eval Expression |
r_10000 | Deprecated | | Number | Eval Expression |
r_100000 | Deprecated | | Number | Eval Expression |
r_1000000 | Deprecated | | Number | Eval Expression |
Region | Resolved region of the IP address | | String | Extracted |
risk_exposure | Sum total dollar value of all transactions within the same session | | Number | Extracted |
risk_exposure_r | Rounded value of total risk exposure. See SPL example. | | Number | Extracted |
risk_level | Numerical value of total calculated risk per session | | Number | Extracted |
risk_level_r | Deprecated | | Number | Extracted |
screen | Screen characteristics of the client (if available) | | String | Extracted |
screens | Multivalue field of all unique screens within the same session | | String | Extracted |
security_code_requests_num | Number of security_code_request actions per session | | Number | Extracted |
session_duration | Duration of the session in seconds | | Number | Extracted |
session_events_num | Number of events per session | | Number | Extracted |
session_id | Web session ID | | String | Extracted |
source | Splunk field: source | | String | Inherited |
sourcetype | Splunk field: sourcetype | | String | Inherited |
src_ip | Client IP address | 10.10.10.20 | String | Extracted |
src_ips_num | Number of unique src_ip values within the session | | Number | Extracted |
status | Web request status code | 200, 400, and so on | Number | Extracted |
trade_securities_num | Number of trade_securities actions per session | | Number | Extracted |
uri | Page URI requested | | String | Extracted |
uri_path | Full path of the page URI | | String | Extracted |
username | Clean username value within the database of the business application | barneysmith | String | Extracted |
username_ex | Username value entered during the attempted login | BarneySmith | String | Extracted |
username_tried | Same as username_ex | | String | Extracted |
usernames | Pipe-separated string of unique usernames entered within the same session | | String | Extracted |
usernames_num | Number of unique usernames tried within the same session | | Number | Extracted |
Example of SPL calculating 'action' field
index=web_logs
| eval action=case(
    match(uri, "(?i)/(default|login)\.aspx$") AND http_method="POST", "login",
    match(uri, "(?i)/logout(\.aspx)?$"), "logout",
    match(uri, "(?i)/(passwordupdate\.|editpassword\.|auth/changepassword)"), "edit_password",
    match(uri, "(?i)/edit(yourprofile|personalinfo)\.aspx$"), "edit_profile",
    match(uri, "(?i)/edit(username|subuser|multiuser)\.aspx$"), "edit_username",
    match(uri, "(?i)/(buy|sell|orderentry)[a-z]*\.aspx$") AND http_method="POST", "trade_securities",
    match(uri, "(?i)/forgot(username|credentials|tenpassword)[\./]"), "forgot_credentials",
    match(uri, "(?i)/mrdc/(capturecheck|submitcheckdeposit)"), "deposit_check",
    match(uri, "(?i)(/transfers/submittransfer|/moneymovement)"), "money_movement",
    match(uri, "(?i)(/proxy/auth/validatekba)"), "kba_requested",
    match(uri, "(?i)(/lockkbauser)"), "kba_failed",
    match(uri, "(?i)(/secure/billpayment/status\.aspx)"), "bill_payment",
    match(uri, "(?i)(/billpay/addpayments)"), "add_payee",
    true(), "---")
case() returns the value paired with the first condition that evaluates to true, so the order of the branches matters; the final true() branch is the catch-all and labels every request that matches no rule as "---". Adapt the URI patterns to the paths of your own application.
Example of SPL calculating 'errors' field
index=web_logs | stats sum(eval(if(status>=400,1,0))) as errors by session_id
Example of SPL calculating 'ip_16_subnet', 'ip_16_subnets', and 'ip_16_subnets_num' fields
index=web_logs | eval ip_16_subnet=replace(src_ip, "((\d+\.){2}).*", "\1*.*")
... | eval ip_16_subnets=mvjoin(ip_16_subnets, "|")
index=web_logs | ... | stats dc(ip_16_subnet) as ip_16_subnets_num by session_id
Example of SPL calculating 'risk_exposure_r' field
... | eval risk_exposure_r=case(isnull(risk_exposure) OR risk_exposure=0, 0, risk_exposure<=100, 100, risk_exposure<=1000, 1000, risk_exposure<=10000, 10000, risk_exposure<=100000, 100000, true(), ceil(risk_exposure/1000000)*1000000)
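The SPL above computes per-event fields (action, ip_16_subnet) and per-session aggregates (errors, ip_16_subnets_num, risk_exposure_r). The Python below is an added, self-contained re-implementation of that logic, not code from the app, so that the classification rules and the bucketing can be checked offline against a handful of constructed web events before they are deployed as eval expressions. The event layout (one dict per request with session_id, src_ip, uri, http_method, status, Country and an optional amount field summed into risk_exposure) and the sample events are assumptions made for the example.

```python
"""Session feature extraction mirroring the fraud web data model SPL (added example).

Assumptions: each event is a dict with session_id, src_ip, uri, http_method,
status and Country; money_movement events carry an amount that is summed into
risk_exposure. The regex rules are ported verbatim from the SPL case() above.
"""
import math
import re
from collections import defaultdict

# (pattern, requires POST, label) in the same order as the SPL case(); first match wins.
ACTION_RULES = [
    (r"(?i)/(default|login)\.aspx$", True, "login"),
    (r"(?i)/logout(\.aspx)?$", False, "logout"),
    (r"(?i)/(passwordupdate\.|editpassword\.|auth/changepassword)", False, "edit_password"),
    (r"(?i)/edit(yourprofile|personalinfo)\.aspx$", False, "edit_profile"),
    (r"(?i)/edit(username|subuser|multiuser)\.aspx$", False, "edit_username"),
    (r"(?i)/(buy|sell|orderentry)[a-z]*\.aspx$", True, "trade_securities"),
    (r"(?i)/forgot(username|credentials|tenpassword)[\./]", False, "forgot_credentials"),
    (r"(?i)/mrdc/(capturecheck|submitcheckdeposit)", False, "deposit_check"),
    (r"(?i)(/transfers/submittransfer|/moneymovement)", False, "money_movement"),
    (r"(?i)(/proxy/auth/validatekba)", False, "kba_requested"),
    (r"(?i)(/lockkbauser)", False, "kba_failed"),
    (r"(?i)(/secure/billpayment/status\.aspx)", False, "bill_payment"),
    (r"(?i)(/billpay/addpayments)", False, "add_payee"),
]
_COMPILED_RULES = [(re.compile(p), post, label) for p, post, label in ACTION_RULES]


def classify_action(uri, http_method):
    """Port of the SPL case(): unanchored match like SPL match(), exact POST compare."""
    for rx, needs_post, label in _COMPILED_RULES:
        if rx.search(uri) and (not needs_post or http_method == "POST"):
            return label
    return "---"


def ip_16_subnet(src_ip):
    """Port of replace(src_ip, "((\\d+\\.){2}).*", "\\1*.*"): 10.10.10.20 -> 10.10.*.*"""
    return re.sub(r"((\d+\.){2}).*", r"\1*.*", src_ip)


def risk_exposure_r(risk_exposure):
    """Port of the risk_exposure_r case(): bucket by powers of ten, then whole millions."""
    if risk_exposure is None or risk_exposure == 0:
        return 0
    for bucket in (100, 1000, 10000, 100000):
        if risk_exposure <= bucket:
            return bucket
    return math.ceil(risk_exposure / 1_000_000) * 1_000_000


def sessionize(events):
    """Group events by session_id and compute the per-session fields."""
    by_session = defaultdict(list)
    for event in events:
        by_session[event["session_id"]].append(event)
    features = {}
    for sid, evs in by_session.items():
        actions = [classify_action(e["uri"], e["http_method"]) for e in evs]
        subnets = sorted({ip_16_subnet(e["src_ip"]) for e in evs})
        exposure = sum(float(e.get("amount") or 0) for e in evs)
        features[sid] = {
            "session_events_num": len(evs),
            "errors": sum(1 for e in evs if int(e["status"]) >= 400),
            "actions": actions,
            "money_movements_num": actions.count("money_movement"),
            "bill_payments_num": actions.count("bill_payment"),
            "src_ips_num": len({e["src_ip"] for e in evs}),
            "ip_16_subnets": "|".join(subnets),       # mvjoin(..., "|")
            "ip_16_subnets_num": len(subnets),        # dc(ip_16_subnet)
            "Countries_num": len({e["Country"] for e in evs}),
            "risk_exposure": exposure,
            "risk_exposure_r": risk_exposure_r(exposure),
        }
    return features


# Constructed sample events: one session that logs in from one network and
# moves money from another country, and one clean session.
SAMPLE_EVENTS = [
    {"session_id": "s1", "src_ip": "10.10.10.20", "uri": "/login.aspx", "http_method": "POST", "status": 200, "Country": "United States"},
    {"session_id": "s1", "src_ip": "10.10.11.5", "uri": "/account/summary.aspx", "http_method": "GET", "status": 200, "Country": "United States"},
    {"session_id": "s1", "src_ip": "203.0.113.7", "uri": "/transfers/submittransfer", "http_method": "POST", "status": 200, "Country": "Italy", "amount": 2500.0},
    {"session_id": "s1", "src_ip": "203.0.113.7", "uri": "/transfers/submittransfer", "http_method": "POST", "status": 500, "Country": "Italy"},
    {"session_id": "s1", "src_ip": "203.0.113.7", "uri": "/secure/billpayment/status.aspx", "http_method": "GET", "status": 404, "Country": "Italy"},
    {"session_id": "s1", "src_ip": "203.0.113.7", "uri": "/logout", "http_method": "GET", "status": 200, "Country": "Italy"},
    {"session_id": "s2", "src_ip": "192.0.2.9", "uri": "/Login.aspx", "http_method": "POST", "status": 200, "Country": "United States"},
    {"session_id": "s2", "src_ip": "192.0.2.9", "uri": "/logout.aspx", "http_method": "GET", "status": 200, "Country": "United States"},
]

if __name__ == "__main__":
    for sid, feats in sessionize(SAMPLE_EVENTS).items():
        print(sid, feats)
```

Two details carry over from the SPL and are worth keeping in mind when tuning: a GET to /login.aspx is not a login (the POST condition fails, so it falls to the catch-all), and risk_exposure_r is a ceiling bucket, so 150,000 rounds up to 1,000,000.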
Fraud anti money laundering data model
The data model for anti money laundering use cases.
Name | Description | Example | Format | Source |
---|---|---|---|---|
account | Unique identity of an account | 020-68723985 | String | Extracted |
amount | Transfer amount in default currency | 5000.00 | Number | Extracted |
amount_usd | Transfer amount in USD | 2500.00 | Number | Extracted |
country | Location of an account: country | USA | String | Extracted |
currency | Currency of a transfer | US Dollar | String | Extracted |
direction | Direction of a transfer | In, Out | String | Extracted |
oth_account | Unique identity of the other account | 650892343-32 | String | Extracted |
oth_bank | Bank ID of the other account | 0375 | String | Extracted |
oth_country | Location of the other account: country | Italy | String | Extracted |
oth_currency | Default currency of the other account | Euro | String | Extracted |
payment_format | Type of payment | Wire transfer | String | Extracted |
date_* | date_* variables calculated from _time | | String, Number | Auto calculated |
Fraud unemployment insurance data model
The data model for unemployment insurance fraud use cases. When looking at fraud detection in unemployment insurance, build a lookup file that aggregates statistical information on social security numbers and bank accounts over a period of time. See Fraud unemployment insurance data model lookups for more information.
Name | Description | Example | Format | Source |
---|---|---|---|---|
ADDR_ZIP | ZIP code of claimant address | 07675-1211 | String | Extracted |
data_source | Source of transaction | CERTS | String | Extracted |
date_* | date_* variables calculated from _time | | String, Number | Auto calculated |
email_norm | Normalized email address | alex@buttercupgames.com | String | Extracted |
IP_City | IP address location: city | New York | String | Extracted |
IP_Country | IP address location: country | USA | String | Extracted |
IP_Region | IP address location: region | New York | String | Extracted |
IPADDRESS | IP address | 123.45.6.78 | String | Extracted |
NAME | Claimant name | John Smith | String | Extracted |
SSN | Social Security number | 123-45-6789 | String | Extracted |
SSN_NUM | Social Security number, digits only | 123456789 | String | Extracted |
TEL_NO | Telephone number of a claimant | 201-123-4567 | String | Extracted |
accounts_num | Number of distinct bank accounts associated with the Social Security number | 5 | Number | Lookup |
acct_shared_with | Number of distinct Social Security numbers the bank account is shared with | 4 | Number | Lookup |
emails_norm | Number of distinct emails that the normalized email is mapped to | 7 | Number | Lookup |
risk | Text | | String | Lookup |
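The lookup fields in this table (accounts_num, acct_shared_with, emails_norm, risk) are aggregates over claims rather than values extracted from any single event. The Python below is an added example, not the app's lookup generator, of building such a lookup from constructed claim records: it counts distinct bank accounts per SSN, distinct SSNs per bank account and distinct raw emails per normalized email, then writes per-SSN rows in CSV form ready to be used as a lookup file. The claim layout, the sample data and the risk text thresholds are assumptions for the example.

```python
"""Lookup-file aggregation for the unemployment insurance data model (added example).

Assumptions: a claim record is (SSN, bank account, raw email, email_norm);
the risk text thresholds are illustrative, not the app's.
"""
import csv
import io
from collections import defaultdict

# Constructed sample claims. Account 021000021:1001 receives benefits for
# three different SSNs, the classic shape of a mule account.
CLAIMS = [
    ("123-45-6789", "021000021:1001", "alex@buttercupgames.com", "alex@buttercupgames.com"),
    ("123-45-6789", "021000021:1002", "Alex+ui@buttercupgames.com", "alex@buttercupgames.com"),
    ("987-65-4321", "021000021:1001", "pat@example.org", "pat@example.org"),
    ("555-12-1212", "021000021:1001", "sam@example.org", "sam@example.org"),
    ("555-12-1212", "021000021:1001", "sam@example.org", "sam@example.org"),  # repeat certification
    ("222-33-4444", "026009593:7777", "kim@example.org", "kim@example.org"),
    ("333-44-5555", "026009593:7777", "lee@example.org", "lee@example.org"),
]

# Assumed thresholds for the risk text.
SHARED_HIGH = 3
SHARED_MEDIUM = 2


def risk_text(accounts_num, acct_shared_with):
    """Map the two counts to the lookup's free-text risk value (assumed thresholds)."""
    if acct_shared_with >= SHARED_HIGH or accounts_num >= SHARED_HIGH:
        return "high"
    if acct_shared_with >= SHARED_MEDIUM or accounts_num >= SHARED_MEDIUM:
        return "medium"
    return "low"


def emails_norm_counts(claims):
    """emails_norm: number of distinct raw emails each normalized email maps to."""
    raw_by_norm = defaultdict(set)
    for _ssn, _account, email, email_norm in claims:
        raw_by_norm[email_norm].add(email)
    return {norm: len(raws) for norm, raws in raw_by_norm.items()}


def build_lookup(claims):
    """Return one lookup row per SSN with accounts_num, acct_shared_with and risk."""
    accounts_by_ssn = defaultdict(set)
    ssns_by_account = defaultdict(set)
    for ssn, account, _email, _norm in claims:
        accounts_by_ssn[ssn].add(account)
        ssns_by_account[account].add(ssn)
    rows = []
    for ssn in sorted(accounts_by_ssn):
        accounts = accounts_by_ssn[ssn]
        # Worst case across the SSN's accounts: how many other SSNs pay into the same account.
        shared = max(len(ssns_by_account[a]) for a in accounts)
        rows.append({
            "SSN": ssn,
            "SSN_NUM": ssn.replace("-", ""),
            "accounts_num": len(accounts),
            "acct_shared_with": shared,
            "risk": risk_text(len(accounts), shared),
        })
    return rows


def lookup_csv(rows):
    """Serialize the rows as CSV text (what a Splunk lookup file contains)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["SSN", "SSN_NUM", "accounts_num", "acct_shared_with", "risk"], lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(lookup_csv(build_lookup(CLAIMS)))
    print(emails_norm_counts(CLAIMS))
```

Regenerate the lookup on a schedule over a sliding window (the page recommends aggregating over a period of time) rather than once; a mule account only becomes visible after the second or third SSN starts paying into it.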
Medicine activity data model
The data model used for fraud detections over controlled substances and opioids in hospital environments. These fields are used in detections and within investigative dashboards. The actual data model might contain more fields for future detections and more advanced use cases.
Name | Description | Example | Format | Source |
---|---|---|---|---|
drug_control_level | Level describing the controlled substance | 3 | Number | Extracted |
user_id | Hospital employee ID | 2139846543 | String | Extracted |
user_department | Name of department | Pharmacy | String | Extracted |
user_title | Job title of the user | Registered nurse | String | Extracted |
med_order_id | Document to administer medication | 123098657 | String | Extracted |
witness_id | ID of a witness | 5132-780946 | String | Extracted |
transaction_name | Name of transaction | Issue: Standard | String | Extracted |
transaction_type | Type of transaction | I-UN | String | Extracted |
transaction_subtype | Subtype of transaction | I | String | Extracted |
patient_id | ID of a patient | 435766543 | String | Extracted |
drug_name_short | Short name of medication | OXYCODONE | String | Extracted |
drug_name_long | Long name of medication | oxyCODONE HCL 10MG TABLET | String | Extracted |
drug_is_opioid | Whether it is an opioid or controlled substance | 1 | Number | Extracted |
witness_department | Department of witness | PWC-Psych | String | Extracted |
witness_title | Title of witness | Staff nurse | String | Extracted |
This documentation applies to the following versions of Splunk® App for Fraud Analytics: 1.2.4