Data model definitions
Use the following tables for information on the fields in the fraud-related data models:
Fraud account data model
Name | Description | Example | Format | Source |
---|---|---|---|---|
acc_age | Age of the account (in days) | 107 | Number | Extracted |
acc_holder_dob | Date of birth | 05/25/1995 | String | Extracted |
acc_holder_first_name | First name | John | String | Extracted |
acc_holder_last_name | Last name | Smith | String | Extracted |
acc_holder_middle | Middle initial | P | String | Extracted |
acc_status | Account status | Approve | String | Extracted |
addr_home_city | City of home address | Seattle | String | Extracted |
addr_home_state | State of home address | Washington | String | Extracted |
addr_home_zip | Zip Code of home address | 92017 | Number | Extracted |
addr_home_zip_lat | Latitude of zip code | | String | Lookup |
addr_home_zip_lon | Longitude of zip code | | String | Lookup |
deviceid | Device identifier | | | |
direct_deposit | Destination account for funds | 12345678 | Number | Extracted |
email | Email address | john.smith@gmail.com | String | Extracted |
email_domain_root | Email address domain (root) | gmail | String | Eval Expression |
email_domain_tld | Email address domain (top level) | gmail.com | String | Eval Expression |
email_normalized | Email address (includes the name) | johnsmith@gmail.com | String | Eval Expression |
host | Host of the data source | | String | Inherited |
http_accept | | | String | Extracted |
http_accept_language | | | String | Extracted |
http_content_type | | | String | Extracted |
http_method | API method (Post, Get, and so on) | | String | Extracted |
http_referer | Referring URL | | String | Extracted |
http_user_agent | Web browser identifier | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393 | String | Extracted |
mmn | Mother's maiden name | Smith | String | Extracted |
occupation | Occupation | Janitor | String | Extracted |
password | Password | Hash of pwd | String | Eval Expression |
phone_home | Home phone number | 209-121-2398 | String | Extracted |
r_10 | Deprecated | | Number | Eval Expression |
source | Source of the data source | | String | Inherited |
sourcetype | Sourcetype of the data source | | String | Inherited |
src_ip | IP address logged for the event | 123.10.10.234 | IPv4 | Extracted |
src_ip_City | City corresponding to the IP address | Los Angeles | String | Geo IP |
src_ip_Country | Country corresponding to the IP address | United States | String | Geo IP |
src_ip_lat | Latitude corresponding to the IP address | | String | Geo IP |
src_ip_lon | Longitude corresponding to the IP address | | String | Geo IP |
src_ip_Region | State or province corresponding to the IP address | Florida | String | Geo IP |
ssn | Social security number | 172-90-9201 | String | Extracted |
uniqueid | Credit, benefits application ID, or permanent user ID that supersedes SSN or username | | String | Extracted |
username | Username | barneysmith | String | Extracted |
Fraud web data model
Name | Description | Example | Format | Source |
---|---|---|---|---|
accept_language | Language accepted by the browser | | String | Extracted |
action | | | String | Extracted |
actions | | | String | Extracted |
bill_payments_num | | | Number | Extracted |
bytes_in | | | Number | Extracted |
bytes_in_total | | | Number | Extracted |
bytes_out | | | Number | Extracted |
bytes_out_total | | | Number | Extracted |
City | | | String | Extracted |
Countries_num | | | Number | Extracted |
Country | | | String | Extracted |
date_hour | | | Number | Extracted |
date_mday | | | Number | Extracted |
date_month | | | String | Extracted |
date_wday | | | String | Extracted |
date_year | | | Number | Extracted |
date_zone | | | Number | Extracted |
deposit_checks_num | | | Number | Extracted |
errors | | | Number | Extracted |
host | | | String | Inherited |
http_accept | | | String | Extracted |
http_accept_language | | | String | Extracted |
http_content_type | | | String | Extracted |
http_method | API method (Post, Get, and so on) | | String | Extracted |
http_referer | Referring URL | | String | Extracted |
http_user_agent | Browser identifier | | String | Extracted |
http_user_agents_num | | | Number | Extracted |
ip_16_subnet | | | String | Extracted |
ip_16_subnets | | | String | Extracted |
ip_16_subnets_num | | | Number | Extracted |
ip_subnet_16 | | | String | Extracted |
ip_subnet_24 | | | String | Extracted |
is_aggregator | | | Number | Extracted |
languages | | | String | Extracted |
logged_in | | | Number | Extracted |
logins_success_num | | | Number | Extracted |
money_movements_num | | | Number | Extracted |
r_10 | Deprecated | | Number | Eval expression |
r_100 | Deprecated | | Number | Eval expression |
r_1000 | Deprecated | | Number | Eval expression |
r_10000 | Deprecated | | Number | Eval expression |
r_100000 | Deprecated | | Number | Eval expression |
r_1000000 | Deprecated | | Number | Eval expression |
Region | | | String | Extracted |
risk_exposure | | | Number | Extracted |
risk_exposure_r | | | Number | Extracted |
risk_level | | | Number | Extracted |
risk_level_r | | | Number | Extracted |
screen | | | String | Extracted |
screens | | | String | Extracted |
security_code_requests_num | | | Number | Extracted |
session_duration | | | Number | Extracted |
session_events_num | | | Number | Extracted |
session_id | Web session ID | | String | Extracted |
source | | | String | Inherited |
sourcetype | | | String | Inherited |
src_ip | Client IP address | 10.10.10.20 | String | Extracted |
src_ips_num | | | Number | Extracted |
status | Web page status | 400, 200, etc. | Number | Extracted |
trade_securities_num | | | Number | Extracted |
uri | | | String | Extracted |
uri_path | | | String | Extracted |
username | Username | barneysmith | String | Extracted |
username_ex | | | String | Extracted |
username_tried | | | String | Extracted |
usernames | | | String | Extracted |
usernames_num | | | Number | Extracted |
Fraud anti money laundering data model
The data model for anti money laundering use cases.
Name | Description | Example | Format | Source |
---|---|---|---|---|
account | Unique identity of an account | 020-68723985 | String | Extracted |
amount | Transfer amount in default currency | 5000.00 | Number | Extracted |
amount_usd | Transfer amount in USD | 2500.00 | Number | Extracted |
country | Location of an account: Country | USA | String | Extracted |
currency | Currency of a transfer | US Dollar | String | Extracted |
direction | Direction of a transfer | In, Out | String | Extracted |
oth_account | Unique identity of other account | 650892343-32 | String | Extracted |
oth_bank | Bank ID of other account | 0375 | String | Extracted |
oth_country | Location of other account: Country | Italy | String | Extracted |
oth_currency | Default currency of other account | Euro | String | Extracted |
payment_format | Type of payment | Wire transfer | String | Extracted |
date_* | date_* variables calculated from _time | | String, Number | Auto Calculated |
Fraud unemployment insurance data model
The data model for unemployment insurance fraud use cases. When looking at fraud detection in unemployment insurance, build a lookup file that aggregates statistical information on social security numbers and bank accounts over a period of time. See Fraud unemployment insurance data model lookups for more information.
Name | Description | Example | Format | Source |
---|---|---|---|---|
ADDR_ZIP | ZIP code of claimant address | 07675-1211 | String | Extracted |
data_source | Source of transaction | CERTS | String | Extracted |
date_* | date_* variables calculated from _time | | String, Number | Auto calculated |
email_norm | Normalized email address | alex@buttercupgames.com | String | Extracted |
IP_City | IP address location: City | New York | String | Extracted |
IP_Country | IP address location: Country | USA | String | Extracted |
IP_Region | IP address location: Region | New York | String | Extracted |
IPADDRESS | IP Address | 123.45.6.78 | String | Extracted |
NAME | Claimant name | John Smith | String | Extracted |
SSN | Social Security number | 123-45-6789 | String | Extracted |
SSN_NUM | Social Security number, numbers only | 123456789 | String | Extracted |
TEL_NO | Telephone number of a claimant | 201-123-4567 | String | Extracted |
accounts_num | Number of distinct bank accounts associated with the Social Security number | 5 | Number | Lookup |
acct_shared_with | Number of distinct Social Security numbers the bank account is shared with | 4 | Number | Lookup |
emails_norm | Number of distinct email addresses that map to the normalized email | 7 | Number | Lookup |
risk | Text | | String | Lookup |
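The lookup described above, as an added Python example that is not part of the Splunk app: it derives SSN_NUM and email_norm from constructed claim records and aggregates accounts_num, acct_shared_with and emails_norm per SSN, bank account and normalized email, then joins one claim with the result. The normalization rule (lowercase, drop dots in the local part, which also reproduces the john.smith@gmail.com to johnsmith@gmail.com example in the account model), the decision to count the claimant's own SSN in acct_shared_with, and the `enrich` join step are assumptions.

```python
import re
from collections import defaultdict

# Constructed claim events (not from the page): raw SSN, bank account and email
# as extracted from the claim source, one record per certification.
CLAIMS = [
    {"SSN": "123-45-6789", "account": "020-68723985", "email": "Alex@ButtercupGames.com"},
    {"SSN": "123-45-6789", "account": "020-68723985", "email": "alex@buttercupgames.com"},
    {"SSN": "123-45-6789", "account": "650892343-32", "email": "a.lex@buttercupgames.com"},
    {"SSN": "987-65-4321", "account": "020-68723985", "email": "sam@buttercupgames.com"},
    {"SSN": "555-55-5555", "account": "020-68723985", "email": "alex@buttercupgames.com"},
]

def ssn_num(ssn):
    """SSN -> SSN_NUM: digits only, so 123-45-6789 and 123456789 match."""
    return re.sub(r"\D", "", ssn)

def email_norm(email):
    """Assumed normalization: lowercase and drop dots in the local part."""
    local, _, domain = email.strip().lower().partition("@")
    return f"{local.replace('.', '')}@{domain}"

def build_lookup(claims):
    """Aggregate the per-SSN, per-account and per-email counts for the lookup."""
    accounts_by_ssn = defaultdict(set)   # SSN_NUM -> bank accounts it used
    ssns_by_account = defaultdict(set)   # account -> SSN_NUMs that used it
    raw_by_norm = defaultdict(set)       # email_norm -> raw spellings seen
    for c in claims:
        s, a = ssn_num(c["SSN"]), c["account"]
        accounts_by_ssn[s].add(a)
        ssns_by_account[a].add(s)
        raw_by_norm[email_norm(c["email"])].add(c["email"].strip())
    return {
        "accounts_num": {s: len(v) for s, v in accounts_by_ssn.items()},
        # Assumption: counts every distinct SSN on the account, the claimant's own included.
        "acct_shared_with": {a: len(v) for a, v in ssns_by_account.items()},
        "emails_norm": {e: len(v) for e, v in raw_by_norm.items()},
    }

def enrich(claim, lookup):
    """Assumed join: attach the lookup fields to one claim by SSN_NUM, account and email_norm."""
    s, e = ssn_num(claim["SSN"]), email_norm(claim["email"])
    return {
        **claim, "SSN_NUM": s, "email_norm": e,
        "accounts_num": lookup["accounts_num"].get(s, 0),
        "acct_shared_with": lookup["acct_shared_with"].get(claim["account"], 0),
        "emails_norm": lookup["emails_norm"].get(e, 0),
    }
```

In the constructed data the same bank account is tied to three SSNs and three spellings of one address collapse to a single email_norm, which is the kind of reuse the lookup fields are meant to surface.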
Medicine activity data model
The data model used for fraud detections over controlled substances and opioids in hospital environments. These fields are used in detections and within investigative dashboards. The actual data model might contain more fields for future detections and more advanced use cases.
Name | Description | Example | Format | Source |
---|---|---|---|---|
drug_control_level | Level describing controlled substance | 3 | Number | Extracted |
user_id | Hospital employee ID | 2139846543 | String | Extracted |
user_department | Name of department | Pharmacy | String | Extracted |
user_title | Job title of the user | Registered nurse | String | Extracted |
med_order_id | Document to administer medication | 123098657 | String | Extracted |
witness_id | ID of a witness | 5132-780946 | String | Extracted |
transaction_name | Name of transaction | Issue: Standard | String | Extracted |
transaction_type | Type of transaction | I-UN | String | Extracted |
transaction_subtype | Subtype of transaction | I | String | Extracted |
patient_id | ID of a patient | 435766543 | String | Extracted |
drug_name_short | Short name of medication | OXYCODONE | String | Extracted |
drug_name_long | Long name of medication | oxyCODONE HCL 10MG TABLET | String | Extracted |
drug_is_opioid | Whether the medication is an opioid or controlled substance | 1 | Number | Extracted |
witness_department | Department of witness | PWC-Psych | String | Extracted |
witness_title | Title of witness | Staff nurse | String | Extracted |
This documentation applies to the following versions of Splunk® App for Fraud Analytics: 1.2.4