You might want to calculate risk scores for ATM users when doing the following:
In order to execute this procedure in your environment, the following data, services, or apps are required:
Finding out who your riskiest users are can help determine whether their questionable transaction activity may be involved in fraud. For each ATM your company manages, you need to calculate a risk score for each user so you can create a watchlist of users to monitor.
To optimize the search shown below, you should specify a time range. You may also need to adjust fields to match what is available in your data source.
- Run the following search:
sourcetype=<ATM transaction data source>
| lookup <name of lookup file for ATM user risk scores> user OUTPUT score
| stats sum(score) AS Risk_Score count BY user
| sort - Risk_Score
| head 5
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
||sourcetype=<ATM transaction data source>||Search your ATM transaction data.|
||lookup <name of lookup file for ATM user risk scores> user OUTPUT score||Perform a lookup to get risk scores per user. If your lookup file does not contain user and score columns, adjust the search to match the names in your lookup.|
||stats sum(score) AS Risk_Score count BY user||Sum the risk scores and count the events for each user.|
||sort - Risk_Score||Sort the results with the highest risk score first.|
||head 5||Return the 5 riskiest users.|
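To see how the stages in the table combine, the following added example (Python written for this page, not part of the original search or of any Splunk product) replays the same lookup, sum, sort and head logic over constructed sample events. The user IDs, ATM IDs, scores and the `risk_watchlist` helper are assumptions; users with no lookup entry are reported separately instead of being ranked.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data (not from the original page): ATM transaction events and
# a risk-score lookup with the "user" and "score" columns the search expects.
TRANSACTIONS_CSV = """user,atm_id,amount
u1001,ATM-01,200
u1002,ATM-01,40
u1001,ATM-02,500
u1003,ATM-03,60
u1001,ATM-02,300
u1002,ATM-03,20
u1001,ATM-01,100
"""
LOOKUP_CSV = """user,score
u1001,30
u1002,50
"""

def risk_watchlist(transactions_csv, lookup_csv, top_n=5):
    """Hypothetical helper that mirrors: lookup ... user OUTPUT score
    | stats sum(score) AS Risk_Score count BY user | sort - Risk_Score | head top_n.
    Returns (watchlist, users_without_a_lookup_entry)."""
    scores = {r["user"]: int(r["score"]) for r in csv.DictReader(io.StringIO(lookup_csv))}
    totals = defaultdict(lambda: {"Risk_Score": 0, "count": 0})
    unscored = set()
    for event in csv.DictReader(io.StringIO(transactions_csv)):
        user = event["user"]
        totals[user]["count"] += 1                      # count: one per transaction event
        if user in scores:
            totals[user]["Risk_Score"] += scores[user]  # score is added once per event
        else:
            unscored.add(user)                          # no lookup match: nothing to sum
    ranked = sorted(
        ({"user": u, **t} for u, t in totals.items() if u not in unscored),
        key=lambda r: (-r["Risk_Score"], r["user"]),    # highest risk first, ties by user
    )
    return ranked[:top_n], sorted(unscored)

if __name__ == "__main__":
    watchlist, unscored = risk_watchlist(TRANSACTIONS_CSV, LOOKUP_CSV)
    for row in watchlist:
        print(row)
    print("users with no lookup entry:", unscored)
```

Because the score is added once per event, u1001 (score 30, four transactions) outranks u1002 (score 50, two transactions), so the time range you search over directly changes the ranking.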
Create searches and alerts to watch the transactions that your risky users make. Be sure to take any steps necessary to meet compliance and procedural regulations.