Correlation searches in Splunk App for Fraud Analytics
Splunk App for Fraud Analytics contains the following categories of pre-configured and customizable correlation searches:
RR-Fraud*
: Risk incident rule that write results to the risk index.Notable-Fraud*
: Creates notables and write results to the notable index.
The correlation searches scan multiple data sources for defined fraud patterns and performs workflow actions when patterns are identified and the notable events match search conditions.
You can adjust the following correlation searches to limit search time range and schedules. See Configure correlation searches in Splunk Enterprise Security in the Administer Splunk Enterprise Security manual for more information on how to adjust correlation searches.
Correlation search name | Correlation search action | Description | ||
---|---|---|---|---|
RR-Fraud-NewAcct-dotted gmail - one or more dots
|
Writes to the risk index | Searches Gmail addresses that include one or more dots in the email. This help to identify multiple email addresses that point to the same mailbox and assign them a risk score.
Periods in the Gmail address are ignored, which enabled fraudsters to register multiple email addresses that point to a single mailbox. For example: johnasmith=john.asmith=john.a.smith.
| ||
RR-Fraud-NewAcct-duplicate dotted gmail
|
Writes to the risk index | Searches duplicate emails after normalizing the Gmail address and identifying duplicate addresses. Periods in the Gmail address are ignored, which enables fraudsters to reposition the dot in the Gmail address and register multiple email addresses that point to the same mailbox. For example: john.smith=joh.nsmith | ||
RR-Fraud-NewAcct-email-velocity
|
Writes to the risk index | Searches for email addresses that are used by multiple accounts. | ||
RR-Fraud-NewAcct-IP Country NOT USA
|
Writes to the risk index | Searches for IP addresses originating from countries other than the United States that may indicate fraud. This search can be customized for specific countries. | ||
RR-Fraud-NewAcct-IP-Zip-distance over 1000km USA IP
|
Writes to the risk index | Searches by zip code to trace the geo-location of IP addresses originating at a distance greater than 1000 kilometers. | ||
RR-Fraud-NewAcct-shared bank acct
|
Writes to the risk index | Searches for duplicate deposit accounts or email addresses. The risk weight of these searches is lower since this might represent a legitimate scenario. | ||
RR-Fraud-NewAcct-shared IP address
|
Writes to the risk index | Searches for duplicate IP addresses used across multiple accounts for potential fraud. | ||
RR-Fraud-NewAcct-shared passwords
|
Writes to the risk index | Searches for duplicate passwords used across multiple accounts for potential fraud, especially if complex passwords are required. | ||
RR-Fraud-NewAcct-shared phone number
|
Writes to the risk index | Searches for duplicate phone numbers used across multiple accounts for potential fraud. | ||
RR-Fraud -- Excessive Logins - group behavior
|
Writes to the risk index | Searches for excessive login attempts over time, including higher login count that indicates potential account compromise. | ||
RR-Fraud -- Brute force attack on user
|
Writes to the risk index | Searches for multiple failed logins across multiple usernames and IP addresses that indicates potential fraud through password guessing or testing a list of compromised accounts. | ||
RR-Fraud -- Country of login doesn't match browser language
|
Writes to the risk index | Searches for native languages from specific countries that were left enabled on browsers accidentally. This may indicate potential account hacking attempts, especially in English speaking countries. | ||
RR-Fraud -- IP hitting multiple user accounts
|
Writes to the risk index | Searches for an IP address that attempts to log in with multiple usernames and might indicate potential fraud. | ||
RR-Fraud -- Significant edit user profile followed by quick money movement
|
Writes to the risk index | Searches for a combination of events such as password change to block legitimate users followed by abnormal money movements, which might indicate potential fraud. | ||
RR-Fraud -- Successful logins from different regions
|
Writes to the risk index | Searches for login attempts from different geographical regions in a short time period that might indicate potential account takeover. | ||
RR-Fraud -- Successful logins from multiple IP addresses
|
Writes to the risk index | Searches for successful logins of one user account from different IP addresses in a short time period that might indicate potential account takeover. | ||
RR-Fraud -- Suspicious attempts to login to high value accounts
|
Writes to the risk index | Searches for login attempts and successful logins against a predefined VIP type account. High numbers of failed logins followed by successful logins to VIP accounts can be high risk indicators of fraud. | ||
Notable-Fraud -- Risk Threshold Exceeded For User - all channels
|
Writes to the notable index | Searches based on the total risk score of the user as defined in the risk index. Creates a notable when the sum of the risk scores is greater than 20.
Additionally, searches based on rule type. This search contains risk incident rules from multiple data models. If multiple rules are triggered from multiple categories, the risk score might be low. However, the associated risk can still be high because the rules pertain to different categories. Using this correlation search requires business knowledge to accurately evaluate risk.
For example: | ||
Notable-Fraud -- Suspicious Behavior with Risk Exposure
|
Writes to the risk index and the notable index | Searches for a sequence of events such as a combination of money movement, logins, and profile changes. Risk scores associated with such risk notables is high. | ||
Notable-Fraud -- Possible Account Takeover Attack
|
Notable - Writes to the notable index | eval severity=case(risk_score_sum<20,"low", risk_score_sum<30,"medium", risk_score_sum<40,"high", risk_score_sum>=40,"critical") | ||
Notable-Fraud -- New Account risk threshold exceeded
|
Writes to the notable index | Searches for account creation events based on the total score in the risk index and creates a notable where the sum of the risk score is greater than 20.
This search takes noisy alerts that create false positives and combines them to provide more meaningful notable events so that threshold numbers can be tuned accordingly. For example: | ||
Notable-Fraud -- AML - Accounts exhibiting Fan In Fan Out Money Laundering Pattern - Rule
|
Writes to the notable index | Searches for the Fan in/Fan out money laundering pattern, which is one of the most sophisticated and frequently used money laundering patterns. | ||
Notable-Fraud -- AML - Excessive staying below reporting threshold
|
Writes to the notable index | Searches for an excessive number of transactions just below the reporting threshold, which might indicate attempts to evade reporting. | ||
Notable-Fraud -- AML - Accounts exhibiting anomalous behavior in transaction amounts - Rule
|
Writes to the notable index | Searches for large variations in transfer amounts over time as large anomalies in transfer amounts over time might indicate money laundering activities. | ||
Notable-Fraud -- AML - Accounts with suspicious transfers to sanctioned countries - Rule
|
Writes to the notable index | Searches for accounts engaged in money transaction with either sanctioned countries or countries on a gray list, which might indicate illegal, terror financing, and fraudulent activity. | ||
Notable-Fraud -- UI - SSNs with impersonation risk
|
Writes to the notable index | Searches for evasive uses of identity in emails to conceal fraudulent claims. For example, changing email addresses with control characters to mislead the email recipient as to the identity of the email account owner. | ||
Notable-Fraud -- UI - SSNs with Location Deception risk
|
Writes to the notable index | Searches for unusual usage of VPNs to conceal the true location of a claimant. This can detect suspicious usage of VPNs and other location services during claim submissions. | ||
Notable-Fraud -- UI - SSNs with shared bank accounts
|
Writes to the notable index | Searches for an unusual relationship between different social security numbers (SSN) and bank accounts. This can detect an anomalous velocity relationship between bank accounts and different SSNs. | ||
Notable-Fraud -- MEDS - Attempts to forcefully access opioids
|
Writes to the notable index | Searches for suspicious forceful attempts to access opioids within secure storage spaces. This can detect "possible forced entry" transactions within a secure storage cabinet system, which is a possible attempt to circumvent controls. | ||
Notable-Fraud -- MEDS - Excessive number of anomalous transactions
|
Writes to the notable index | Searches for an unusual quantity of NULL transactions that exceeds the normal. An excessive number of NULL transactions by hospital employees might signify an attempt to bypass controlled access to opioids. | ||
Notable-Fraud -- MEDS - Possible witness collusion while discarding opioids
|
Writes to the notable index | Searches for a possible witness collusion during an opioid discard procedure. This can indicate an unusual relationship between a user and witness during the opioid discard procedure. |
Recommended types of data sources for fraud detection | Lookups in Splunk App for Fraud Analytics |
This documentation applies to the following versions of Splunk® App for Fraud Analytics: 1.2.4
Feedback submitted, thanks!