Splunk Lantern

Riskiest ATM users

You might want to calculate risk scores for ATM users when doing the following:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

Finding out who the riskiest users are can help you determine whether their questionable transaction activity is involved in fraud. For each ATM your company manages, you need to calculate a risk score for each user so you can create a watchlist of users to monitor.

  1. Run the following search:
    |inputlookup <name of lookup file for ATM transaction information>
    |lookup <name of lookup file for ATM user risk scores> user OUTPUT score
    |stats sum(score) AS Risk_Score count BY user
    |sort - Risk_Score
    |head 5

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search: |inputlookup <name of lookup file for ATM transaction information>
Explanation: Search the data in your ATM transaction information lookup file.

Splunk Search: |lookup <name of lookup file for ATM user risk scores> user OUTPUT score
Explanation: Perform a lookup to get risk scores per user. If your lookup file does not contain user and score columns, adjust the search to match the names in your lookup.

Splunk Search: |stats sum(score) AS Risk_Score count BY user
Explanation: Sum the risk scores and count the transactions for each user.

Splunk Search: |sort - Risk_Score
Explanation: Sort the results with the highest risk score first.

Splunk Search: |head 5
Explanation: Return the 5 riskiest users.
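The following Python script is an added example, not part of the original article or of any Splunk product: it reproduces the search pipeline above (lookup, stats sum/count by user, sort, head) over two constructed CSV tables that stand in for the ATM transaction lookup and the user risk score lookup, so you can check what the search computes before running it in your environment. The column names user and score match the search; the transaction columns and the sample values are assumptions. One property worth seeing in the output is that, because the risk score is a per-user constant from the lookup, sum(score) equals that score multiplied by the user's transaction count, so frequent users rank above equally scored infrequent ones. A user missing from the score lookup gets an empty score in Splunk; the script records 0 for that user so the row still sorts to the bottom.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data standing in for the two lookup files named in the search.
ATM_TRANSACTIONS_CSV = """txn_id,atm_id,user,amount
1,ATM-01,alice,200
2,ATM-01,bob,40
3,ATM-02,alice,500
4,ATM-02,carol,60
5,ATM-03,dave,120
6,ATM-03,bob,80
7,ATM-01,erin,20
8,ATM-02,frank,300
"""

# frank intentionally has no row here: the lookup leaves his score empty.
USER_RISK_SCORES_CSV = """user,score
alice,30
bob,10
carol,55
dave,5
erin,20
"""


def load_rows(text):
    """Parse a CSV lookup (string, constructed above) into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def riskiest_users(transactions_csv, scores_csv, top_n=5):
    """Mirror: | lookup ... user OUTPUT score | stats sum(score) AS Risk_Score count BY user
               | sort - Risk_Score | head top_n"""
    # | lookup <scores> user OUTPUT score
    scores = {row["user"]: float(row["score"]) for row in load_rows(scores_csv)}

    # | stats sum(score) AS Risk_Score count BY user
    risk = defaultdict(float)
    count = defaultdict(int)
    for txn in load_rows(transactions_csv):
        user = txn["user"]
        count[user] += 1
        if user in scores:  # sum() ignores empty values, so unmatched users add nothing
            risk[user] += scores[user]

    rows = [
        {"user": user, "Risk_Score": risk.get(user, 0.0), "count": count[user]}
        for user in count
    ]

    # | sort - Risk_Score   (user name as a tiebreaker for a stable, predictable order)
    rows.sort(key=lambda r: (-r["Risk_Score"], r["user"]))

    # | head top_n
    return rows[:top_n]


if __name__ == "__main__":
    for row in riskiest_users(ATM_TRANSACTIONS_CSV, USER_RISK_SCORES_CSV):
        print(f'{row["user"]:8} Risk_Score={row["Risk_Score"]:6.1f} count={row["count"]}')
```

With the constructed data, alice (score 30, two transactions) tops the list at 60 ahead of carol (55, one transaction), and frank, who has no score row, falls outside the top 5.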

Result

Create searches and alerts to watch the transactions that your risky users make. Be sure to take any steps necessary to meet compliance and procedural regulations.
