You might need to monitor for credit card customer unusual spending behavior when doing the following:
In order to execute this procedure in your environment, the following data, services, or apps are required:
You work at a financial institution in the fraud department. You know that a common sign of fraud is when a customer starts spending large amounts of money in categories they don't usually shop in. For example, if a customer never uses their card for travel but suddenly buys a $2,000 airplane ticket, you would be concerned. You want to run a regular report to monitor for this behavior.
To optimize the search shown below, you should specify a time range. You may also need to adjust fields to match what is available in your data source.
- Run the following search (the first line is the base search and takes no leading pipe; every subsequent command is piped):

```spl
sourcetype=<customer information data source>
| eval _time=strptime('_time',"%Y/%m/%d %H:%M:%S")
| sort - _time
| lookup <name of lookup file of categorized spending>
| streamstats window=1 list(category) AS category BY customer
| where (amount > 1000)
| makemv delim="|" categories
| eval match=if(match(categories,category),1,0)
| where (match == 0)
| eval amount=tostring(round(amount,2),"commas")
| table customer, _time, amount, categories, category, action
```
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

| Splunk Search | Explanation |
| --- | --- |
| `sourcetype=<customer information data source>` | Search only your business service data for customer information. |
| `\| eval _time=strptime('_time',"%Y/%m/%d %H:%M:%S")` | Parse the time stamp into a UNIX time value. |
| `\| sort - _time` | Sort the results from newest to oldest (the `-` makes the sort descending). |
| `\| lookup <name of lookup file of categorized spending>` | Enrich each event from a lookup file of categorized spending by customer that you have previously uploaded into your Splunk deployment. |
| `\| streamstats window=1 list(category) AS category BY customer` | For each customer, list the category over a sliding window of one event (`window=1` counts events, not minutes), renaming the result as shown. |
| `\| where (amount > 1000)` | Return only events where the amount spent is greater than 1,000. |
| `\| makemv delim="\|" categories` | Split the "categories" value of your results into multiple values using "\|" as the delimiter. |
| `\| eval match=if(match(categories,category),1,0)` | If the category of the transaction matches one of the categories the customer normally spends on, according to the lookup, assign the match field a value of 1. Otherwise, assign a value of 0. |
| `\| where (match == 0)` | Filter results to only those with a match value of 0, that is, spending in a category the customer does not normally use. |
| `\| eval amount=tostring(round(amount,2),"commas")` | Convert the monetary value to a string rounded to two decimal places, using commas as thousands separators. |
| `\| table customer, _time, amount, categories, category, action` | Display the results in a table with columns in the order shown. |
Use the results of this report to investigate. You can also make this an alert that instantly notifies the customer. Use a lookup to get the customer's email or text message contact.
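To make the detection logic concrete outside Splunk, the following Python script is an added example (not code from this page or from Splunk) that re-implements the search above and the contact lookup from the alerting step over constructed sample data. The transaction events, the pipe-delimited "usual categories" lookup, the contact lookup and the customer IDs are all constructed for the example; the 1,000 threshold and the time format are the ones used in the search. One deliberate difference is noted in the code: Splunk's `match()` is a regular-expression test, while the example uses exact category membership.

```python
"""
Offline re-implementation of the "unusual spending category" search.
Added illustration with constructed data; not Splunk's own code.
"""
from datetime import datetime

# Constructed sample of raw transaction events (what the
# <customer information data source> sourcetype would hold).
TRANSACTIONS = [
    {"customer": "C1001", "_time": "2024/03/02 09:15:00", "amount": 2000.00, "category": "travel",      "action": "purchase"},
    {"customer": "C1001", "_time": "2024/03/01 18:40:00", "amount": 45.10,   "category": "grocery",     "action": "purchase"},
    {"customer": "C1002", "_time": "2024/03/02 11:05:00", "amount": 1500.00, "category": "electronics", "action": "purchase"},
    {"customer": "C1003", "_time": "2024/03/03 08:00:00", "amount": 1250.75, "category": "jewelry",     "action": "purchase"},
    {"customer": "C1003", "_time": "2024/03/03 12:30:00", "amount": 999.99,  "category": "jewelry",     "action": "purchase"},
]

# Constructed lookup of each customer's usual categories, pipe-delimited
# exactly as the search expects (makemv delim="|" categories).
USUAL_CATEGORIES = {
    "C1001": "grocery|fuel|restaurants",
    "C1002": "electronics|grocery",
    "C1003": "grocery|restaurants",
}

# Constructed contact lookup for the alerting step (hypothetical addresses).
CONTACTS = {
    "C1001": "c1001@example.invalid",
    "C1003": "c1003@example.invalid",
}

THRESHOLD = 1000  # where (amount > 1000)


def parse_time(ts):
    # eval _time=strptime('_time', "%Y/%m/%d %H:%M:%S")
    return datetime.strptime(ts, "%Y/%m/%d %H:%M:%S")


def format_amount(amount):
    # eval amount=tostring(round(amount,2),"commas")
    return f"{round(amount, 2):,.2f}"


def unusual_large_spending(transactions, usual_categories, threshold=THRESHOLD):
    """Return rows equivalent to the search's final `table` command."""
    rows = []
    # sort - _time : newest event first
    for tx in sorted(transactions, key=lambda t: parse_time(t["_time"]), reverse=True):
        if tx["amount"] <= threshold:                      # where (amount > 1000)
            continue
        raw = usual_categories.get(tx["customer"], "")    # lookup ...
        categories = [c for c in raw.split("|") if c]     # makemv delim="|"
        # Splunk's match() is a regex test; exact membership is used here
        # so that "fuel" cannot match "fuels" or a regex metacharacter misfire.
        matched = 1 if tx["category"] in categories else 0
        if matched:                                       # where (match == 0)
            continue
        rows.append({
            "customer": tx["customer"],
            "_time": tx["_time"],
            "amount": format_amount(tx["amount"]),
            "categories": categories,
            "category": tx["category"],
            "action": tx["action"],
        })
    return rows


def build_alerts(rows, contacts):
    """Pair each flagged row with the customer's contact, None if unknown."""
    return [
        (row["customer"], contacts.get(row["customer"]), row["amount"], row["category"])
        for row in rows
    ]


if __name__ == "__main__":
    flagged = unusual_large_spending(TRANSACTIONS, USUAL_CATEGORIES)
    for row in flagged:
        print(row)
    for alert in build_alerts(flagged, CONTACTS):
        print("alert:", alert)
```

With the constructed data, the C1002 electronics purchase is large but in a usual category and is not flagged, the second C1003 purchase falls under the threshold, and the two remaining large out-of-pattern purchases are returned newest first. Because `match()` in the Splunk search is a regex test, review your category names for substrings of one another or regex metacharacters before relying on the `match` field in production.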