Splunk Lantern

ATM withdrawal near threshold

You might want to know which ATM users make transactions close to a government-defined threshold when doing the following:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

In many countries, a transaction over a specified limit must be reported to the government. To slip under the radar, suspicious users may keep each transaction just under that limit. Users who consistently make ATM transactions just below the government threshold might be trying to hide their activity. You want to report on these transactions to decide whether certain users require further investigation.

  1. Run the following search:
    |inputlookup <name of lookup file for ATM transaction information>
    |where amount>9800 AND amount<10000
    |table _time user action amount
    |eval amount=tostring(round(amount, 2),"commas")

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search	Explanation
|inputlookup <name of lookup file for ATM transaction information>
    Search the data in your ATM transaction information lookup file.
|where amount>9800 AND amount<10000
    Keep only amounts above $9,800 and below the reporting threshold, in this case $10,000. Both bounds are exclusive, so a transaction of exactly $9,800.00 or $10,000.00 is not returned (the latter is reportable anyway). Note that the search does not filter on action, so every action type in the lookup is included unless you add a condition such as action=<value your lookup uses for withdrawals>.
|table _time user action amount
    Display the results in a table with columns in the order shown.
|eval amount=tostring(round(amount, 2),"commas")
    Round the amounts to two decimal places and add thousands separators for readability. Because tostring turns the field into a string, keep this command after any numeric filtering, sorting, or statistics.

Result

Run this search on a regular schedule to evaluate activity and track suspicious users over time. A single near-threshold transaction is weak evidence; users who make several transactions just under the reporting threshold within a short period may be structuring transactions to evade reporting, a common element of money laundering schemes. Counting near-threshold transactions per user over a time window, rather than alerting on each one, keeps the report focused on the repeated pattern.
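As an added example (not part of this Splunk Lantern page and not Splunk's own code), the following Python reproduces the search's filter and formatting and then adds the per-user tracking recommended above: it loads a constructed CSV that stands in for the ATM transaction lookup, keeps the near-threshold rows, and flags users with several such withdrawals inside a rolling window. The sample rows, the `withdrawal` action value, and the "3 transactions in 7 days" rule are assumptions chosen for illustration.

```python
"""Near-threshold ATM transaction detection (added example, not Splunk code).

Mirrors `where amount>9800 AND amount<10000` and the tostring/commas
formatting from the Splunk search, then aggregates hits per user over a
rolling window to surface repeated just-under-threshold activity.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data standing in for the ATM transaction lookup file.
# Columns mirror the fields used by the search: _time, user, action, amount.
SAMPLE_LOOKUP = """_time,user,action,amount
2024-03-01T09:15:00,alice,withdrawal,9850.00
2024-03-01T17:40:00,alice,withdrawal,9900.00
2024-03-02T08:05:00,alice,withdrawal,9950.00
2024-03-01T12:00:00,bob,withdrawal,9800.00
2024-03-05T10:00:00,carol,withdrawal,9999.99
2024-03-20T10:00:00,carol,withdrawal,9875.50
2024-03-01T13:00:00,dave,withdrawal,10000.00
2024-03-01T14:00:00,erin,deposit,9900.00
2024-03-01T15:00:00,frank,withdrawal,250.00
"""

THRESHOLD = 10000.0  # reporting threshold used by the search
FLOOR = 9800.0       # lower bound of the "just under" band used by the search


def near_threshold(amount, floor=FLOOR, threshold=THRESHOLD):
    """Same semantics as `amount>9800 AND amount<10000`: both bounds strict,
    so exactly 9800.00 and exactly 10000.00 are excluded."""
    return floor < amount < threshold


def format_amount(amount):
    """Approximation of `tostring(round(amount, 2),"commas")`: two decimals
    and thousands separators. Returns a string, so do it last."""
    return f"{round(amount, 2):,.2f}"


def load_transactions(csv_text):
    """Parse the lookup CSV into typed rows (datetime, str, str, float)."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "_time": datetime.fromisoformat(row["_time"]),
            "user": row["user"],
            "action": row["action"],
            "amount": float(row["amount"]),
        })
    return rows


def near_threshold_rows(rows, action="withdrawal"):
    """The search's filter, plus an action filter the page's search omits.
    `action="withdrawal"` is an assumed field value; adjust to your lookup."""
    hits = [r for r in rows if r["action"] == action and near_threshold(r["amount"])]
    hits.sort(key=lambda r: r["_time"])
    return hits


def flag_structuring(rows, min_count=3, window_days=7):
    """Return {user: max_hits} for users with at least `min_count`
    near-threshold withdrawals inside any `window_days`-long span.
    The defaults are illustrative thresholds, not values from the page."""
    window = timedelta(days=window_days)
    by_user = defaultdict(list)
    for r in near_threshold_rows(rows):
        by_user[r["user"]].append(r["_time"])

    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        # Sliding window over the sorted timestamps.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            hits = end - start + 1
            if hits >= min_count:
                flagged[user] = max(flagged.get(user, 0), hits)
    return flagged


if __name__ == "__main__":
    txns = load_transactions(SAMPLE_LOOKUP)
    print("_time                user   action      amount")
    for r in near_threshold_rows(txns):
        print(f"{r['_time'].isoformat():<20} {r['user']:<6} {r['action']:<10} {format_amount(r['amount']):>10}")
    print("flagged:", flag_structuring(txns))
```

Running the script lists the five near-threshold withdrawals (bob at exactly $9,800.00, dave at exactly $10,000.00, and erin's deposit are excluded) and flags only alice, whose three withdrawals fall within two days; carol's two hits are fifteen days apart and drop out of the 7-day window.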
