Skip to main content
Splunk Lantern

Riskiest ATM users

You might want to calculate risk scores for ATM users when doing the following:


In order to execute this procedure in your environment, the following data, services, or apps are required:


Finding out who are riskiest users can help determine whether their questionable transaction activity may be involved in fraud. For each ATM your company manages, you need to calculate a risk score for each user so you can create a watchlist of users to monitor.  

To optimize the search shown below, you should specify a time range.  You may also need to adjust fields to match what is available in your data source. 

  1. Run the following search:
    |sourcetype=<ATM transaction data source>
    |lookup <name of lookup file for ATM user risk scores> user OUTPUT score
    |stats sum(score) AS Risk_Score count BY user
    |sort - Risk_Score
    |head 5

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation
|sourcetype=<ATM transaction data source> Search your ATM transaction data.
|lookup <name of lookup file for ATM user risk scores> user OUTPUT score

Perform a lookup to get risk scores per user.

If your lookup file does not contain user and score columns, adjust the search to match the names in your lookup.

|stats sum(score) AS Risk_Score count BY user Sum the risk scores and counts for each user.
|sort - Risk_Score Sort the results with the highest risk score first.
|head 5 Return the 5 riskiest users.


Create searches and alerts to watch the transactions that your risky users make. Be sure to take any steps necessary to meet compliance and procedural regulations.

  • Was this article helpful?