Scenario: You work for a large bank with hundreds of ATMs, each used by thousands of customers. For regulatory compliance reasons and to protect your customers, you need to monitor these ATMs for signs of suspicious activity. You want to evaluate the risk of ATM fraud by running analyses that surface outliers and anomalies indicative of fraudulent behavior or transactions. You also need to recommend to the rest of the security team which users should be investigated for potentially fraudulent activity.
To succeed in implementing this use case, you need the following dependencies, resources, and information.
- People: Security analyst, threat hunter
- Technologies: Splunk Enterprise or Splunk Cloud Platform
- Data: Business service data for ATM transactions, plus a CSV or KV Store lookup of ATM user risk scores that is already loaded into your deployment
Your sourcetypes may not have the same fields as the ones demonstrated in the sample searches. Adjust field names as needed to match your environment.
How to use Splunk software for this use case
Depending on what information you have available, you might find it useful to identify some or all of the following:
- Most frequent ATM users
- ATM withdrawal testing (repeated small withdrawals that probe whether a card or account still works)
- Riskiest ATM users (transaction activity joined with the risk score lookup)
- User accessing multiple ATMs simultaneously (the same user at two different ATMs within a window too short to travel between them)
- ATM withdrawal near threshold (amounts just under a withdrawal or reporting limit)
Use the results of these searches to make recommendations to the rest of the security team about which users should be investigated for potentially fraudulent activity. Be sure to follow any industry policies and regulations that are required for compliance.
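The following is an added example, not a search from the original page or from the Splunk Essentials app: it implements the five analyses listed above as plain Python over a constructed set of transaction records, so the detection logic and its thresholds can be checked offline before being expressed as SPL. The field names (user, atm_id, amount, _time), the risk-score dictionary standing in for the lookup file, and every threshold (probe amount, time windows, daily limit, margin) are assumptions; adjust them to your data.

```python
"""ATM fraud detection heuristics over constructed sample data (added example)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample transactions; not real data. Field names are assumed.
TRANSACTIONS = [
    {"user": "u100", "atm_id": "ATM-01", "amount": 20.0,  "_time": "2024-03-01T09:00:00"},
    {"user": "u100", "atm_id": "ATM-01", "amount": 20.0,  "_time": "2024-03-01T09:01:00"},
    {"user": "u100", "atm_id": "ATM-01", "amount": 20.0,  "_time": "2024-03-01T09:02:00"},
    {"user": "u100", "atm_id": "ATM-01", "amount": 480.0, "_time": "2024-03-01T09:04:00"},
    {"user": "u200", "atm_id": "ATM-02", "amount": 100.0, "_time": "2024-03-01T10:00:00"},
    {"user": "u200", "atm_id": "ATM-07", "amount": 100.0, "_time": "2024-03-01T10:03:00"},
    {"user": "u300", "atm_id": "ATM-03", "amount": 495.0, "_time": "2024-03-01T11:00:00"},
    {"user": "u300", "atm_id": "ATM-03", "amount": 490.0, "_time": "2024-03-02T11:00:00"},
    {"user": "u400", "atm_id": "ATM-04", "amount": 60.0,  "_time": "2024-03-01T12:00:00"},
]

# Constructed stand-in for the CSV/KV Store risk score lookup (assumed scores).
RISK_SCORES = {"u100": 40, "u200": 75, "u300": 55, "u400": 10}

DAILY_LIMIT = 500.0  # assumed per-transaction withdrawal limit


def parse_time(value):
    return datetime.fromisoformat(value)


def most_frequent_users(transactions, top_n=3):
    """Count transactions per user and return the top N (like `stats count by user`)."""
    return Counter(t["user"] for t in transactions).most_common(top_n)


def withdrawal_testing(transactions, probe_max=25.0, min_probes=3, window=timedelta(minutes=10)):
    """Flag users with `min_probes` small withdrawals (<= probe_max) inside `window`.

    Repeated tiny withdrawals in quick succession are consistent with testing
    whether a stolen or cloned card still works before a larger cash-out.
    """
    probes = defaultdict(list)
    for t in transactions:
        if t["amount"] <= probe_max:
            probes[t["user"]].append(parse_time(t["_time"]))
    flagged = set()
    for user, times in probes.items():
        times.sort()
        for i in range(len(times) - min_probes + 1):
            if times[i + min_probes - 1] - times[i] <= window:
                flagged.add(user)
                break
    return sorted(flagged)


def riskiest_users(transactions, risk_scores, top_n=3):
    """Join per-user activity with the risk score lookup and rank by score, then count."""
    counts = Counter(t["user"] for t in transactions)
    ranked = sorted(counts, key=lambda u: (risk_scores.get(u, 0), counts[u]), reverse=True)
    return [(u, risk_scores.get(u, 0), counts[u]) for u in ranked[:top_n]]


def simultaneous_atm_use(transactions, window=timedelta(minutes=5)):
    """Flag a user seen at two different ATMs within `window` of each other.

    Physically implausible travel between machines suggests a cloned card or
    shared credentials rather than one customer.
    """
    by_user = defaultdict(list)
    for t in transactions:
        by_user[t["user"]].append((parse_time(t["_time"]), t["atm_id"]))
    hits = []
    for user, events in by_user.items():
        events.sort()
        for (t1, atm1), (t2, atm2) in zip(events, events[1:]):
            if atm1 != atm2 and t2 - t1 <= window:
                hits.append((user, atm1, atm2))
    return hits


def near_threshold_withdrawals(transactions, limit=DAILY_LIMIT, margin=20.0):
    """Return withdrawals within `margin` below `limit`: amounts kept just under a
    cap can indicate deliberate structuring to avoid review."""
    return [(t["user"], t["amount"]) for t in transactions
            if limit - margin <= t["amount"] < limit]


def investigation_recommendations(transactions, risk_scores):
    """Aggregate every flag into a per-user list of reasons for the security team."""
    reasons = defaultdict(list)
    for user in withdrawal_testing(transactions):
        reasons[user].append("withdrawal testing")
    for user, atm1, atm2 in simultaneous_atm_use(transactions):
        reasons[user].append(f"simultaneous use of {atm1} and {atm2}")
    for user, amount in near_threshold_withdrawals(transactions):
        reasons[user].append(f"withdrawal of {amount:.2f} near limit")
    for user, score, _ in riskiest_users(transactions, risk_scores, top_n=1):
        reasons[user].append(f"highest risk score ({score})")
    return dict(reasons)


if __name__ == "__main__":
    for user, why in investigation_recommendations(TRANSACTIONS, RISK_SCORES).items():
        print(user, "->", "; ".join(why))
```

Each function corresponds to one analysis in the list above, and `investigation_recommendations` combines them into the per-user justification the security team needs. The same logic maps onto SPL with `stats`, `streamstats` over sorted events for the time-window checks, and `lookup` for the risk score join; keep the thresholds in a lookup or macro rather than hard-coding them so analysts can tune them without editing the search.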
The searches in this guide are also included in the Splunk Essentials for the Financial Services Industry app, which provides more information about how to implement them successfully in your financial services maturity journey. In addition, this Splunk resource might help you understand and implement this use case: