Splunk Lantern

Suspicious session behavior


Working as part of a fraud detection team, you need to be able to quickly identify when a customer’s account is taken over by a fraudster.

Some types of session behavior may indicate that fraud is occurring. One example is a string of actions taken by a user such as a failed login, followed by a successful login, then a profile edit, then money movement. This process walks you through how to find incidents like this.

Required data

Business service data for banking transactions


  1. Install and configure the Splunk App for Fraud Analytics, following the installation instructions.
  2. From the Incident Review tab in the top toolbar of Splunk Enterprise Security, sort by Risk Score and find an incident to investigate. Click on the caret to the left of the Incident Title to view the risk rules associated with the incident. In the example below, user libby_moribayed85 is selected. Only one rule, listed as Suspicious Behavior, contributed to the risk score total for this user. This behavior alone is enough to warrant a high risk score, so it should be investigated.
  3. Click on the Action caret, then click Click Here to Investigate.



  4. This takes you to the Fraud Risk Exposure Analysis dashboard. Scroll down to the Detailed Investigation Link Analysis section, click on the user libby_moribayed85, then click a session_id.


  5. To the right of this area you can then view a string of actions taken by this user: a failed login, followed by a successful login, then a profile edit, then money movement. This pattern of behavior is considered highly suspicious and is the basis for the “suspicious behavior” risk rule triggered in this example.


  6. Scrolling up to the Link Analysis panel, you can see a number of graphs that show the timing of events, which can help you understand them better.

  7. Scrolling below the Link Analysis panel, you can see a velocity analysis with the risk listed as a dollar amount. This is based on transactional data (not visible in the dashboard) relating to how much money was moved, with the risk calculated based on business risk. These panels expose other high-risk user activities that may have occurred at the same time. Fraudsters are usually not content with a single victim or a single attack and usually try many at one time, so you can use this information to identify additional attempts.

  8. Finally, if you want to see more detail on the behavior you've identified, you can scroll down to the Detailed Portal Activity panel and paste in the username of interest to get a view of the web logs.
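
The sequence viewed in step 5, as an added example that is not part of the original article or of the Splunk App for Fraud Analytics: a Python detector that groups events by session and flags sessions where the four actions occur in order. The action labels, the event tuple layout, and the 30-minute window are assumptions, and the events are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Ordered steps from the article; these action labels are assumed names.
PATTERN = ("login_failed", "login_success", "profile_edit", "money_movement")

# Constructed sample events: (timestamp, session_id, user, action).
SAMPLE_EVENTS = [
    ("2024-03-01T10:04:30", "s-101", "user_a", "money_movement"),  # out of order
    ("2024-03-01T10:00:05", "s-101", "user_a", "login_failed"),
    ("2024-03-01T10:00:40", "s-101", "user_a", "login_success"),
    ("2024-03-01T10:01:00", "s-101", "user_a", "page_view"),
    ("2024-03-01T10:02:10", "s-101", "user_a", "profile_edit"),
    ("2024-03-01T11:00:00", "s-102", "user_b", "login_success"),  # no failed login
    ("2024-03-01T11:01:00", "s-102", "user_b", "profile_edit"),
    ("2024-03-01T11:02:00", "s-102", "user_b", "money_movement"),
    ("2024-03-01T12:00:00", "s-103", "user_c", "login_failed"),   # wrong order
    ("2024-03-01T12:00:30", "s-103", "user_c", "login_success"),
    ("2024-03-01T12:01:00", "s-103", "user_c", "money_movement"),
    ("2024-03-01T12:02:00", "s-103", "user_c", "profile_edit"),
    ("2024-03-01T08:00:00", "s-104", "user_d", "login_failed"),   # too slow
    ("2024-03-01T08:01:00", "s-104", "user_d", "login_success"),
    ("2024-03-01T09:30:00", "s-104", "user_d", "profile_edit"),
    ("2024-03-01T11:00:00", "s-104", "user_d", "money_movement"),
]

def find_suspicious_sessions(events, pattern=PATTERN, window=timedelta(minutes=30)):
    """Return {session_id: (user, start, end)} where `pattern` occurs in order within `window`."""
    by_session = defaultdict(list)
    for ts, session_id, user, action in events:
        by_session[session_id].append((datetime.fromisoformat(ts), user, action))
    hits = {}
    for session_id, rows in by_session.items():
        rows.sort(key=lambda r: r[0])  # logs can arrive out of order
        step, start = 0, None
        for ts, user, action in rows:
            if start is not None and ts - start > window:
                step, start = 0, None  # window expired: start matching again
            if action == pattern[0] and step <= 1:
                step, start = 1, ts  # first or repeated failed login (re)starts the clock
            elif action == pattern[step]:
                step += 1
                if step == len(pattern):
                    hits[session_id] = (user, start, ts)
                    break
    return hits

if __name__ == "__main__":
    print(find_suspicious_sessions(SAMPLE_EVENTS))
```

Only session s-101 is flagged with the default window. Unrelated events between the steps (the `page_view`) do not break the match, while a missing failed login, a reordered sequence, or a sequence spread over hours does.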


Next steps

These resources might help you understand and implement this guidance:

Splunk OnDemand Services: Use these credit-based services for direct access to Splunk technical consultants with a variety of technical services from a pre-defined catalog. Most customers have OnDemand Services per their license support plan. Engage the ODS team at if you require assistance.