Splunk® App for Fraud Analytics

User Guide

Data model definitions

Use the following tables for information on the various fields in the fraud related data models:

Fraud account data model

Name Description Example Format Source
acc_age Age of the account (in days) 107 Number Extracted
acc_holder_dob Date of birth 05/25/1995 String Extracted
acc_holder_first_name FIrst name John String Extracted
acc_holder_last_name Last name Smith String Extracted
acc_holder_middle Middle initial P String Extracted
acc_status Account status Approve String Extracted
addr_home_city City of home address Seattle String Extracted
addr_home_state State of home address Washington String Extracted
addr_home_zip Zip Code of home address 92017 Number Extracted
addr_home_zip_lat Latitude of zip code String Lookup
addr_home_zip_lon Longitude of zip code String Lookup
deviceid Device identifier
direct_deposit Destination account for funds 12345678 Number Extracted
email Email address john.smith@gmail.com String Extracted
email_domain_root Email address domain (root) gmail String Eval Expression
email_domain_tld Email address domain (top level) gmail.com String Eval Expression
email_normalized Email address (Includes the name) johnsmith@gmail.com String Eval Expression
host Host of the data source String Inherited
http_accept String Extracted
http_accept_language String Extracted
http_content_type String Extracted
http_method API method (Post, Get, and so on) String Extracted
http_referer Referring URL String Extracted
http_user_agent Web browser identifier Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393 		String Extracted
mmn Mother's maiden name Smith String Extracted
occupation Occupation Janitor String Extracted
password Password Hash of pwd String Eval Expression
phone_home Home phone number 209-121-2398 String Extracted
r_10 Deprecated Number Eval Expression
source Source of the data source String Inherited
sourcetype Sourcetype of the data source String Inherited
src_ip IP address logged for the event 123.10.10.234 IPv4 Extracted
src_ip_City City corresponding to the IP address Los Angeles String Geo IP
src_ip_Country Country corresponding to the IP address United States String Geo IP
src_ip_lat Latitude corresponding to the IP address String Geo IP
src_ip_lon Longitude corresponding to the IP address String Geo IP
src_ip_Region State or province corresponding to the IP address Florida String Geo IP
ssn Social security number 172-90-9201 String Extracted
uniqueid Credit, benefits application ID, or permanent user ID that supersedes SSN or username String Extracted
username Username barneysmith String Extracted


Fraud web data model

Name Description Example Format Source
accept_language Language accepted by the browser String Extracted
action High level action taken by user. See SPL example. login, logout, money_movement String Extracted
actions Multivalue field containing all actions per user session String Extracted
bill_payments_num Number of bill payments actions per session Number Extracted
bytes_in Bytes transferred to server during HTTP request Number Extracted
bytes_in_total Sum of bytes_in per session Number Extracted
bytes_out Bytes transferred from the server during HTTP response Number Extracted
bytes_out_total Sum of bytes_out per session Number Extracted
City Resolved City of IP address String Extracted
Countries_num Number of distinct countries IP's are originating from within the same session Number Extracted
Country Resolved Country of IP address String Extracted
date_hour Splunk field, _time derivative Number Extracted
date_mday Splunk field, _time derivative Number Extracted
date_month Splunk field, _time derivative String Extracted
date_wday Splunk field, _time derivative String Extracted
date_year Splunk field, _time derivative Number Extracted
date_zone Splunk field, _time derivative Number Extracted
deposit_checks_num Number of deposit_check actions within the same session Number Extracted
errors Number of errors within the same session. See SPL below Number Extracted
host Host value String Inherited
http_accept Client accept media type values See RFC 2616 String Extracted
http_accept_language Client accepted languages See RFC 2616 String Extracted
http_content_type Media type sent to recipient See RFC 2616 String Extracted
http_method HTTP Request method API method (Post, Get, and so on) String Extracted
http_referer Referring URL String Extracted
http_user_agent Browser identifier String Extracted
http_user_agents_num Number of unique user agents per session Number Extracted
ip_16_subnet Extracted 2 high octets of IP field. See SPL example. String Extracted
ip_16_subnets Multivalue field with all subnets String Extracted
ip_16_subnets_num Number of unique subnets per session Number Extracted
ip_subnet_16 deprecated String Extracted
ip_subnet_24 deprecated String Extracted
is_aggregator 0 or 1. If 1 - source IP belongs to aggregator. These events typically can be filtered out. Number Extracted
languages Multivalue fields containing all variations of http_accept_language within the same session String Extracted
logged_in 1: success, 0:failed to log in Number Extracted
logins_success_num Number of successful logins within the same session Number Extracted
money_movements_num Number of money_movement events within the same session Number Extracted
r_10 deprecated Number Eval expression
r_100 Deprecated Number Eval expression
r_1000 Deprecated Number Eval expression
r_10000 Deprecated Number Eval expression
r_100000 Deprecated Number Eval expression
r_1000000 Deprecated Number Eval expression
Region Resolved Region of IP address String Extracted
risk_exposure Sum total dollar value of all transactions within the same session. Number Extracted
risk_exposure_r Rounded value of total risk exposure. See SPL example. Number Extracted
risk_level Numerical value of total calculated risk per session. Number Extracted
risk_level_r deprecated Number Extracted
screen Screen characteristics of client (if available) String Extracted
screens Multivalue field of all unique screens within the same session String Extracted
security_code_requests_num Number of security_code_request actions per session Number Extracted
session_duration Duration of session in seconds Number Extracted
session_events_num Number of events per session Number Extracted
session_id Web session ID Web session id String Extracted
source Splunk field - source String Inherited
sourcetype Splunk field - sourcetype String Inherited
src_ip Client IP address 10.10.10.20 String Extracted
src_ips_num Number of unique src_ip values within session Number Extracted
status Web request status code 400, 200, etc Number Extracted
trade_securities_num Number of trade_securities actions per session Number Extracted
uri Page URI requested String Extracted
uri_path Full path of page URI String Extracted
username Clean username value within database of business application barneysmith String Extracted
username_ex username value entered during attempted login BarneySmith String Extracted
username_tried Same as username_ex String Extracted
usernames Pipe-separated string of unique usernames entered within the same session String Extracted
usernames_num Number of unique usernames tried within the same session Number Extracted

Example of SPL calculating 'action' field

index=web_logs
| eval action=case(
  match(uri, "(?i)/(default|login)\.aspx$") AND http_method="POST",             "login",
  match(uri, "(?i)/logout(\.aspx)?$"),                                          "logout",
  match(uri, "(?i)/(passwordupdate\.|editpassword\.|auth/changepassword)"),     "edit_password",
  match(uri, "(?i)/edit(yourprofile|personalinfo)\.aspx$"),                     "edit_profile",
  match(uri, "(?i)/edit(username|subuser|multiuser)\.aspx$"),                   "edit_username",
  match(uri, "(?i)/(buy|sell|orderentry)[a-z]*\.aspx$") AND http_method="POST", "trade_securities",
  match(uri, "(?i)/forgot(username|credentials|tenpassword)[\./]"),             "forgot_credentials",
  match(uri, "(?i)/mrdc/(capturecheck|submitcheckdeposit)"),                    "deposit_check",
  match(uri, "(?i)(/transfers/submittransfer|/moneymovement)"),                 "money_movement",
  match(uri, "(?i)(/proxy/auth/validatekba)"),                                  "kba_requested",
  match(uri, "(?i)(/lockkbauser)"),                                             "kba_failed",
  match(uri, "(?i)(/secure/billpayment/status\.aspx)"),                         "bill_payment",
  match(uri, "(?i)(/billpay/addpayments)"),                                     "add_payee",
  true(), "---")

Example of SPL calculating 'errors' field

index=web_logs | stats sum(eval(if(status>=400,1,0))) as errors by session_id

Example of SPL calculating 'ip_16_subnet' and related fields

index=web_logs 
| eval ip_16_subnet=replace(src_ip, "((\d+\.){2}).*", "\1*.*")
...
| eval ip_16_subnets=mvjoin(ip_16_subnets, "|")
index=web_logs | ... | stats dc(ip_16_subnet) as ip_16_subnets_num by session_id

Example of SPL calculating 'risk_exposure_r' field

... | eval risk_exposure_r=case(isnull(risk_exposure) OR risk_exposure=0, 0, risk_exposure<=100, 100, risk_exposure<=1000, 1000, risk_exposure<=10000, 10000, risk_exposure<=100000, 100000, true(), ceil(risk_exposure/1000000)*1000000)


Fraud anti money laundering data model

The data model for anti money laundering use cases.

Name Description Example Format Source
account Unique identity of an account 020-68723985 String Extracted
amount Transfer amount in default currency 5000.00 Number Extracted
amount_usd Transfer amount in USD 2500.00 Number Extracted
country Location of an account: Country USA String Extracted
currency Currency of a transfer US Dollar String Extracted
direction Direction of a transfer In, Out String Extracted
oth_account Unique identity of other account 650892343-32 String Extracted
oth_bank Bank ID of other account 0375 String Extracted
oth_country Location of other account: Country Italy String Extracted
oth_currency Default currency of other account Euro String Extracted
payment_format Type of payment Wire transfer String Extracted
date_* date_* variables calculated from _time String, Number Auto Calculated

Fraud unemployment insurance data model

The data model for unemployment insurance fraud use cases. When looking at fraud detection in unemployment insurance, build a lookup file that aggregates statistical information on social security numbers and bank accounts over a period of time. See Fraud unemployment insurance data model lookups for more information.

Name Description Example Format Source
ADDR_ZIP ZIP code of claimant address 07675-1211 String Extracted
data_source Source of transaction CERTS String Extracted
date_* date_* variables calculated from _time String, Number Auto calculated
email_norm Normalized email address alex@buttercupgames.com String Extracted
IP_City IP address location: City New York String Extracted
IP_Country IP address location: Country USA String Extracted
IP_Region IP address location: Region New York String Extracted
IPADDRESS IP Address 123.45.6.78 String Extracted
NAME Claimant name John Smith String Extracted
SSN Social Security number 123-45-6789 String Extracted
SSN_NUM Social Security number, numbers only 123456789 String Extracted
TEL_NO Telephone number of a claimant 201-123-4567 String Extracted
accounts_num Number of distinct bank accounts associated with the Social Security number 5 Number Lookup
acct_shared_with Number of distinct Social Security numbers the bank account is shared with 4 Number Lookup
emails_norm Number of distinct emails given that email normalized is mapped to 7 Number Lookup
risk Text String Lookup

Medicine activity data model

The data model used for fraud detections over controlled substances and opioids in hospital environments. These fields are used in detections and within investigative dashboards. The actual data model might contain more fields for future detections and more advanced use cases.

Name Description Example Format Source
drug_control_level Level describing controlled substance 3 Number Extracted
user_id Hospital employee ID 2139846543 String Extracted
user_department Name of department Pharmacy String Extracted
user_title Job title of the user. Registered nurse String Extracted
med_order_id Document to administer medication 123098657 String Extracted
witness_id ID of a witness 5132-780946 String Extracted
transaction_name Name of transaction Issue: Standard String Extracted
transaction_type Type of transaction I-UN String Extracted
transaction_subtype Subtype of transaction I String Extracted
patient_id ID of a patient 435766543 String Extracted
drug_name_short Short name of medication OXYCODONE String Extracted
drug_name_long Long name of medication oxyCODONE HCL 10MG TABLET String Extracted
drug_is_opioid If it is an opioid or controlled substance 1 Number Extracted
witness_department Department of witness PWC-Psych String Extracted
witness_title Title of witness Staff nurse String Extracted
Last modified on 29 July, 2024
Workflow actions in Splunk App for Fraud Analytics   Interactive search panel visualization commands

This documentation applies to the following versions of Splunk® App for Fraud Analytics: 1.2.4

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters