You might need to see which users conduct the most transactions on your ATMs when doing the following:
In order to execute this procedure in your environment, the following data, services, or apps are required:
Users that use the ATM more than most average users may have questionable motives or have their credentials stolen. You want to see who those users are so you can set up alerts to watch their accounts for any suspicious activity.
- Run the following search:
|inputlookup <name of lookup file for ATM transaction information>
|lookup <name of lookup file for ATM user risk scores> user OUTPUT score
|stats sum(score) AS Risk_Score count BY user
|eventstats avg(count) AS avg stdev(count) AS stdev
|where count>(avg+stdev*3.5)
|sort - count
The table explains what each part of this search achieves. You can adjust the query to the specifics of your environment.

| Splunk Search | Explanation |
|---|---|
| inputlookup <name of lookup file for ATM transaction information> | Search the data in your ATM transaction information lookup file. |
| lookup <name of lookup file for ATM user risk scores> user OUTPUT score | Perform a lookup to get the risk score for each user. If your lookup file does not contain user and score columns, adjust the search to match the field names in your lookup. |
| stats sum(score) AS Risk_Score count BY user | Sum the risk scores and count the transactions for each user. |
| eventstats avg(count) AS avg stdev(count) AS stdev | Calculate the average transaction count and its standard deviation across all users, and add both values to every row. |
| where count>(avg+stdev*3.5) | Keep only the users whose transaction count exceeds the average by more than some multiple of the standard deviation of all users, in this example 3.5. |
| sort - count | Sort the results with the highest transaction count first. |
Counting each user's transactions and comparing that count to the average plus some multiple of the standard deviation surfaces the users whose ATM use is far above the norm, whatever the reason. Compare those users against their risk scores to decide whether they should be put on a watchlist.
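The same outlier logic as the search above, written as an added Python example (not from the original page or from Splunk) so the threshold behaviour can be checked offline. The transaction records, user names and risk scores are constructed sample data; the field names (user, atm_id, amount, score) are assumptions standing in for the two lookup files. As in the SPL, the standard deviation is the sample standard deviation, which is what Splunk's stdev() computes.

```python
"""Added example (not from the original page): per-user ATM transaction counts
compared to avg + k * stdev across all users, mirroring the SPL search."""
from collections import Counter
from statistics import mean, stdev


def build_transactions(counts_by_user, atm_id="ATM-01"):
    """Constructed transaction records, one per withdrawal (stand-in for the
    ATM transaction lookup). Only the user field matters to the search."""
    return [
        {"user": user, "atm_id": atm_id, "amount": 20}
        for user, n in counts_by_user.items()
        for _ in range(n)
    ]


# Constructed sample: twenty ordinary users with 4 or 5 withdrawals each,
# plus one user with 60.
SAMPLE_COUNTS = {f"user{i:02d}": 4 + (i % 2) for i in range(1, 21)}
SAMPLE_COUNTS["eve"] = 60

# Constructed stand-in for the ATM user risk-score lookup (user -> score).
RISK_SCORES = {"eve": 5, "user01": 2, "user07": 3}


def per_user_stats(transactions, risk_scores):
    """Equivalent of: lookup ... user OUTPUT score | stats sum(score) AS
    Risk_Score count BY user. The lookup attaches the user's score to every
    transaction, so sum(score) is score * count. Users absent from the risk
    lookup get no score, treated here as 0 (assumption)."""
    counts = Counter(t["user"] for t in transactions)
    return {
        user: {"count": n, "Risk_Score": risk_scores.get(user, 0) * n}
        for user, n in counts.items()
    }


def flag_outliers(user_stats, k=3.5):
    """Equivalent of: eventstats avg(count) AS avg stdev(count) AS stdev
    | where count>(avg+stdev*k) | sort - count.
    With fewer than two users there is no spread to measure, so nothing is
    flagged rather than dividing by zero."""
    counts = [s["count"] for s in user_stats.values()]
    if len(counts) < 2:
        return []
    avg, sd = mean(counts), stdev(counts)
    threshold = avg + k * sd
    flagged = [
        {"user": user, **s, "avg": avg, "stdev": sd}
        for user, s in user_stats.items()
        if s["count"] > threshold
    ]
    return sorted(flagged, key=lambda r: r["count"], reverse=True)


if __name__ == "__main__":
    stats = per_user_stats(build_transactions(SAMPLE_COUNTS), RISK_SCORES)
    for row in flag_outliers(stats):
        print(row)
```

One point the sample data makes visible: with a population of only a handful of users, a single heavy user inflates the standard deviation so much that the 3.5 multiplier is never exceeded, so the threshold is only meaningful once the lookup covers a reasonably large user base.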