Splunk® App for Fraud Analytics

User Guide

Lookups in Splunk App for Fraud Analytics

The Splunk App for Fraud Analytics includes various lookups used by some of the data models.

Fraud account data model lookup

The zipcode_geo lookup is used by the fraud_account data model to create latitude and longitude coordinates for zip codes. For more information on the zipcode_geo lookup, see Zip code geo CSV lookup.

Fraud unemployment insurance data model lookups

When looking at fraud detection in unemployment insurance, see the following examples to build a lookup file for fraud_ui that aggregates statistical information on social security numbers and bank accounts over a period of time.

Extracting location deception risk metadata

| from datamodel:fraud_ui
| search data_source IN (UI_SYS_ACCESS, CERTS)
| sort 0 + _time
| streamstats time_window=1h dc(IP_Country) as countries, dc(data_source) as sources by SSN
| where countries>1 AND sources>1
| dedup SSN
| lookup email_norm_info email_norm
| eval risk="Location Deception"
| table SSN risk email_norm emails_num
| outputlookup risky_ssns.csv

Extracting impersonation risk metadata

| inputlookup fraud_ui_claimant
| lookup fraud_ui_email SSN
| eval email_norm = coalesce(lower(replace(mvindex(split(EMAIL_ADDRESS, "@"),0), "(\.|\+[^@]*)", "") . "@" . mvindex(split(EMAIL_ADDRESS, "@"),1)), "---")
| where email_norm!="---"
| eval EMAIL_ADDRESS_lower=lower(EMAIL_ADDRESS)
| eventstats dc(EMAIL_ADDRESS_lower) as emails_num BY email_norm
| where emails_num>1
| eval risk="Impersonation"
| table SSN risk email_norm emails_num
| inputlookup append=true risky_ssns.csv
| outputlookup risky_ssns.csv

Extracting shared bank accounts risk metadata

index=main source IN (DEPOS*)
| fillnull value="---"
| dedup SSN DD_ACCT_NUM DD_ACCT_ABA_NO
| eventstats dc(SSN) as acct_shared_with BY DD_ACCT_NUM
| where acct_shared_with>3
| lookup risky_ssns2.csv SSN
| stats max(acct_shared_with) as acct_shared_with, dc(DD_ACCT_NUM) as accounts_num, first(email*) as email* by SSN
| eval email_norm = coalesce(email_norm, lower(replace(mvindex(split(EMAIL_ADDRESS, "@"),0), "(\.|\+[^@]*)", "") . "@" . mvindex(split(EMAIL_ADDRESS, "@"),1)))
| eval risk="Shared Bank Account"
| inputlookup append=true risky_ssns.csv
| eventstats first(email*) as email*, first(acc*) as acc* by SSN
| table SSN risk acc* EM* em*
| outputlookup risky_ssns.csv
Last modified on 16 November, 2023
Correlation searches in Splunk App for Fraud Analytics   Workflow actions in Splunk App for Fraud Analytics

This documentation applies to the following versions of Splunk® App for Fraud Analytics: 1.2.4

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters