The table below explains in detail the steps of a Splunk Enterprise or Splunk Cloud Platform search to help you alert on accounts that transfer money from different IP addresses. For more information, review the use case detecting wire transfer fraud.
Some commands, parameters, and field names in the searches below may need to be adjusted to match your environment. In addition, to optimize the searches shown below, you should specify an index and a time range when appropriate.
Splunk recommends that customers look into using data models, report acceleration, or summary indexing when searching across hundreds of GBs of events in a single search. The searches provided here are a good starting point, but depending on your data, search time range, and other factors, more can be done to ensure that they scale appropriately.
||sourcetype=<wire transfer data source>||Search your wire transfer data.|
||convert timeformat="%Y/%m/%d %H:%M:%S" ctime(epoch) AS c_time
||Convert the time value in your lookup file to the specified format and name the converted time field c_time.|
||sort - _time
||Sort the results with the most recently occurring first.|
||eval amount=tostring(round(amount, 2),"commas")
||Round the amount value to two decimals places and add commas for better readability.|
||streamstats time_window=1m count(eval(action="authorized")) AS authorized_count list(FromAccount) AS FromAccount list(ToAccount) AS ToAccount list(amount) AS amount list(action) AS action list(c_time) AS time values(clientIP) AS clientIP dc(clientIP) ASclientIP_count BY customer
||Use a one minute time window to group transfers by customer and count the number of distinct client IPs used.|
||where clientIP_count>=2||Return results where more than one distinct client IP is counted.|
||fields - OpenDate epoch destIP _time, clientIP_count c_time authorized_count||Exclude the fields shown from the output.|