Splunk Lantern

User accessing multiple ATMs simultaneously

You might want to know when a user appears to be at two different ATMs almost simultaneously when doing the following:

Prerequisites

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

Users who withdraw from multiple ATMs at almost the same time are most likely committing fraud. You want to create an alert that will trigger when a unique user makes a transaction at two ATMs in different locations within a very short time period.

  1. Run the following search:
    |inputlookup <name of lookup file for ATM transaction information>
    |search action=withdrawal
    |eval amount=tostring(round(amount, 2),"commas")
    |streamstats time_window=1m dc(location) AS dc list(amount) AS amount list(location) AS location earliest(epoch) AS epoch latest(epoch) AS latest_epoch BY user
    |where dc>1
    |dedup user
    | eval first_time=strftime(epoch,"%m/%d/%y %H:%M:%S"),  last_time=strftime(latest_epoch,"%m/%d/%y %H:%M:%S")
    |table user amount action location first_time last_time

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search / Explanation

  |inputlookup <name of lookup file for ATM transaction information>
    Search the data in your ATM transaction information lookup file.

  |search action=withdrawal
    Search only withdrawal activity from the data in your lookup file.
    If your lookup file does not contain a withdrawal value in the action column, adjust the search to match the names in your lookup.

  |eval amount=tostring(round(amount, 2),"commas")
    Round the withdrawal amounts to two decimal places and add commas for better readability.

  |streamstats time_window=1m dc(location) AS dc list(amount) AS amount list(location) AS location earliest(epoch) AS epoch latest(epoch) AS latest_epoch BY user
    For each user, use a sliding time window of 1 minute to count the distinct locations (dc) and collect the amounts, locations, and earliest and latest epoch times seen in that window.

  |where dc>1
    Filter to results where the distinct location count is greater than 1.

  |dedup user
    Remove duplicate user values so each user appears once.

  | eval first_time=strftime(epoch,"%m/%d/%y %H:%M:%S"),  last_time=strftime(latest_epoch,"%m/%d/%y %H:%M:%S")
    Convert the epoch times into readable strings.

  |table user amount action location first_time last_time
    Display the results in a table with columns in the order shown.
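The same detection logic, written here as an added Python example (not code from the Splunk Lantern page) so you can test it offline against constructed records before building the alert: withdrawals are grouped by user, a sliding one-minute window is slid over each user's time-ordered transactions, and the first window that touches more than one ATM location produces a single alert for that user. The record field names (user, epoch, action, location, amount) mirror the search above; the sample transactions are constructed.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample ATM records (not from the original page); epoch 1700000000
# is 11/14/23 22:13:20 UTC. alice hits two ATMs 30s apart, bob reuses one ATM,
# carol's two ATMs are 120s apart, dave only does balance checks.
SAMPLE_TRANSACTIONS = [
    {"user": "alice", "epoch": 1700000000, "action": "withdrawal", "location": "ATM-NYC-01", "amount": 200.0},
    {"user": "alice", "epoch": 1700000030, "action": "withdrawal", "location": "ATM-BOS-07", "amount": 300.0},
    {"user": "bob",   "epoch": 1700000000, "action": "withdrawal", "location": "ATM-SEA-02", "amount": 60.0},
    {"user": "bob",   "epoch": 1700000045, "action": "withdrawal", "location": "ATM-SEA-02", "amount": 40.0},
    {"user": "carol", "epoch": 1700000000, "action": "withdrawal", "location": "ATM-CHI-03", "amount": 100.0},
    {"user": "carol", "epoch": 1700000120, "action": "withdrawal", "location": "ATM-LAX-09", "amount": 100.0},
    {"user": "dave",  "epoch": 1700000010, "action": "balance",    "location": "ATM-DEN-04", "amount": 0.0},
    {"user": "dave",  "epoch": 1700000020, "action": "balance",    "location": "ATM-DEN-05", "amount": 0.0},
]

def fmt(epoch):
    """Render an epoch like strftime(epoch, "%m/%d/%y %H:%M:%S") in UTC."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%m/%d/%y %H:%M:%S")

def find_multi_atm_users(transactions, window_seconds=60):
    """Return one alert per user whose withdrawals reach more than one distinct
    ATM location inside any sliding window of window_seconds. Mirrors the SPL:
    search action=withdrawal -> streamstats time_window -> where dc>1 -> dedup user."""
    by_user = defaultdict(list)
    for t in transactions:
        if t["action"] == "withdrawal":              # |search action=withdrawal
            by_user[t["user"]].append(t)
    alerts = {}
    for user, txns in by_user.items():
        txns.sort(key=lambda t: t["epoch"])          # a time window needs time order
        start = 0
        for end in range(len(txns)):
            # drop the oldest events until the window spans at most window_seconds
            while txns[end]["epoch"] - txns[start]["epoch"] > window_seconds:
                start += 1
            window = txns[start:end + 1]
            locations = {t["location"] for t in window}  # dc(location)
            if len(locations) > 1 and user not in alerts:  # where dc>1, dedup user
                alerts[user] = {
                    "user": user,
                    "amount": [f"{t['amount']:,.2f}" for t in window],   # tostring(round(amount,2),"commas")
                    "location": [t["location"] for t in window],        # list(location)
                    "first_time": fmt(window[0]["epoch"]),               # earliest(epoch)
                    "last_time": fmt(window[-1]["epoch"]),               # latest(epoch)
                }
    return list(alerts.values())
```

Widening window_seconds to 180 would also flag carol, which is the knob to tune against the travel time between your ATM sites before turning this into an alert.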

Result

Since users cannot be in two places at once, the results of this search provide a list of users you should investigate immediately. If you have Splunk Enterprise Security, the land speed violation use case provides additional information relevant to fraud involving multiple locations.
