You might want to know which ATM users make transactions close to a government-defined threshold when doing the following:
In order to execute this procedure in your environment, the following data, services, or apps are required:
In many countries, if a transaction is over a specified limit, it must be reported to the government. To slip under the radar, suspicious users may keep their transactions just under the limit. Users who consistently make ATM transactions just below the government threshold might be trying to hide their activity. You want to report on these transactions to decide if certain users require further investigation.
- Run the following search:
    |inputlookup <name of lookup file for ATM transaction information>
    |where amount>9800 AND amount<10000
    |table _time user action amount
    |eval amount=tostring(round(amount, 2),"commas")
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Search | Explanation |
|---|---|
| `\|inputlookup <name of lookup file for ATM transaction information>` | Search the data in your ATM transaction information lookup file. |
| `\|where amount>9800 AND amount<10000` | Define your suspicious values as a minimum withdrawal of $9,801 and a maximum just beneath the threshold, in this case, $10,000. |
| `\|table _time user action amount` | Display the results in a table with columns in the order shown. |
| `\|eval amount=tostring(round(amount, 2),"commas")` | Round the withdrawal amounts to two decimal places and add commas for better readability. |
Run this search on a regular schedule to evaluate activity and track suspicious users over time. Users who make multiple transactions just under the government reporting threshold in a short amount of time may be participating in money laundering schemes.
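
A follow-up to the scheduled search above, added here as an example and not part of the original procedure: it counts each user's near-threshold transactions per time bucket and keeps only repeat users. The 7-day bucket, the minimum of 3 transactions, and a numeric epoch `_time` field in the lookup are assumptions to adjust for your environment.

```spl
| inputlookup <name of lookup file for ATM transaction information>
| where amount>9800 AND amount<10000
| bin _time span=7d
| stats count AS near_threshold_txns sum(amount) AS total_amount min(amount) AS min_amount max(amount) AS max_amount BY user _time
| where near_threshold_txns>=3
| sort - near_threshold_txns
| eval total_amount=tostring(round(total_amount, 2),"commas")
```

Because `bin` uses fixed buckets, a burst of transactions that straddles a bucket boundary is split across two rows, so lower the count threshold or widen the span if that matters in your data.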