Splunk Lantern

Suspicious web traffic

 

Working as part of a fraud detection team, you need to be able to quickly identify when a customer’s account is taken over by a fraudster.

Some types of web traffic behavior can indicate that fraud is occurring, for example many different IP addresses attempting to log into a single account. This process walks you through how to find incidents like this.

Required data

Application data for banking transactions

Procedure

The information in this article applies to Splunk Enterprise Security (ES) versions 7.x. If you have upgraded to Splunk Enterprise Security version 8.x, some terminology and steps might not apply. For additional assistance on this use case with ES 8.x, Splunk Professional Services can help.

  1. Install and configure the Splunk App for Fraud Analytics, following the installation instructions.
  2. From the Incident Review tab in the top toolbar of Splunk Enterprise Security, sort by Urgency and find an incident to investigate, then click on the caret to the left of the Incident Title to expand it and view the risk rules associated with the incident.

  3. In the example below, you can see that several risk rules have been triggered related to login and IP address behavior.

  4. Click on the Action caret next to the Investigate ATO notable, then click Click Here to Investigate to go to the Web Traffic Dashboard.

  5. Review the Web Traffic Dashboard. Here you can see the user listed under Risk Object, in this example the user jnels9064. You can also see the Contributing Events, that is, the related risk rules that triggered to make up this notable event.

  6. Scroll down and click on the username in the username_tried field. In the example below, you can immediately see many IP addresses accessing this account from many different countries. The logged_in column also shows a value of 0 for every attempt; for this website, 0 indicates a failed login.

  7. At this stage you might want to investigate some of the IP addresses listed to see if attempts have been made to log into other accounts from the same IP address. To do this, click on one of the IP addresses. In this example, we click on the second IP address in the src_ip column, 31.184.194.91.

  8. In the Link Analysis example below you can see that this IP address is from St Petersburg in Russia, and that it also tried to log in to multiple other accounts, with every one of those attempts failing.

  9. At this point you will likely conclude that the IP address and attempted logins are all from a bad actor. You should talk to your InfoSec team about blocking this IP or adding it to a watch list.
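The two pivots the procedure relies on, one account hit from many IP addresses (step 6) and one IP address trying many accounts (steps 7 and 8), expressed as an added example in Python over constructed login events rather than in the dashboard. This is not code from the Splunk App for Fraud Analytics; the field names username_tried, src_ip and logged_in come from the dashboard described above, while the thresholds, usernames and IP addresses are assumptions.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample login events using the Web Traffic Dashboard field names
# (username_tried, src_ip, logged_in). Usernames and IPs are made up; the IPs
# come from documentation ranges and the country column is illustrative only.
SAMPLE_EVENTS = """\
username_tried,src_ip,country,logged_in
jnels9064,203.0.113.10,US,0
jnels9064,198.51.100.7,BR,0
jnels9064,192.0.2.44,RU,0
jnels9064,203.0.113.77,DE,0
jnels9064,198.51.100.200,CN,0
mlopez22,192.0.2.44,RU,0
tchen88,192.0.2.44,RU,0
akumar5,192.0.2.44,RU,1
bsmith1,203.0.113.5,US,1
bsmith1,203.0.113.5,US,0
"""

def load_events(text=SAMPLE_EVENTS):
    """Parse CSV text into a list of event dicts (one per login attempt)."""
    return list(csv.DictReader(StringIO(text)))

def accounts_with_many_failed_ips(events, min_ips=3):
    """'Many IPs, one account' (step 6): accounts whose failed logins
    (logged_in == 0) came from at least min_ips distinct source IPs."""
    ips_by_user = defaultdict(set)
    for e in events:
        if e["logged_in"] == "0":
            ips_by_user[e["username_tried"]].add(e["src_ip"])
    return {u: sorted(ips) for u, ips in ips_by_user.items() if len(ips) >= min_ips}

def ips_trying_many_accounts(events, min_accounts=3):
    """'One IP, many accounts' (steps 7-8): source IPs with failed logins against
    at least min_accounts distinct usernames. Any success from such an IP is
    listed separately, since that is the account most likely already taken over."""
    failed = defaultdict(set)
    succeeded = defaultdict(set)
    for e in events:
        bucket = failed if e["logged_in"] == "0" else succeeded
        bucket[e["src_ip"]].add(e["username_tried"])
    return {ip: {"failed": sorted(users), "succeeded": sorted(succeeded.get(ip, ()))}
            for ip, users in failed.items() if len(users) >= min_accounts}

if __name__ == "__main__":
    evs = load_events()
    print("accounts hit from many IPs:", accounts_with_many_failed_ips(evs))
    print("IPs trying many accounts:", ips_trying_many_accounts(evs))
```

The thresholds are deliberately low for the ten-row sample; in production they are tuned against the site's normal distribution of source IPs per account.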

Next steps

Now that you've completed this one, have a look at the other tutorials in the Detecting consumer bank account takeovers use case. In addition, this resource might help you understand and implement this guidance:

Splunk OnDemand Services: Use these credit-based services for direct access to Splunk technical consultants with a variety of technical services from a pre-defined catalog. Most customers have OnDemand Services per their license support plan. Engage the ODS team at ondemand@splunk.com if you would like assistance.