The table below explains in detail the steps of a Splunk Enterprise or Splunk Cloud Platform search to help you detect multiple login denials in a row followed by an authorization. For more information, review the use case detecting wire transfer fraud.
Some commands, parameters, and field names in the searches below may need to be adjusted to match your environment. In addition, to optimize the searches shown below, you should specify an index and a time range when appropriate.
Splunk recommends that customers look into using data models, report acceleration, or summary indexing when searching across hundreds of GBs of events in a single search. The searches provided here are a good starting point, but depending on your data, search time range, and other factors, more can be done to ensure that they scale appropriately.
||sourcetype=<wire transfer data source>||Search your wire transfer data.|
||convert timeformat="%Y/%m/%d %H:%M:%S" ctime(epoch) AS c_time
||Convert the time value in your lookup file to the specified format and name the converted time field c_time.|
||sort - _time||Sort the results with the most recently occurring first.|
||streamstats time_window=1h count(eval(action="denied")) AS denied_count count(eval(action="authorized")) AS "authorized_count" latest(action) AS latest_action BY customer,FromAccount,ToAccount||Find in a 1 hour window at least 5 denies and one authorization for the same customer, from, and to account.|
||where denied_count>=5 and authorized_count>=1 and latest_action="authorized"||Return results where there are at least 5 denies, at least 1 authorized, and the latest action is authorized.|
||table _time, customer, FromAccount, ToAccount, amount, denied_count, authorized_count||Display the results in a table with columns in the order shown.|
||eval amount=tostring(round(amount, 2),"commas")||Round the amount value to two decimals places and add commas for better readability.|