You might want a count of how many wire transfers a customer completes in a given time period when doing the following:
In order to execute this procedure in your environment, the following data, services, or apps are required:
- Splunk Enterprise or Splunk Cloud Platform
- Business service data of wire transfer data
Compromised accounts are a large concern in your financial services organization. In order to help protect your users, you want to report on the number of large transfers that clients have completed in a one hour time span. Excessive transfers might indicate fraud.
To optimize the search shown below, you should specify an index and a time range. You may also need to adjust fields to match what is available in your data source.
- Run the following search:
sourcetype=<wire transfer data source>
|sort - _time
|eval amount=tostring(round(amount, 2),"commas")
|streamstats time_window=1h count(eval(action="authorized")) AS authorized_count list(FromAccount) AS FromAccount list(ToAccount) AS ToAccount list(amount) AS amount list(action) AS action list(_time) AS time BY customer
|where authorized_count>7
|fields - OpenDate epoch clientIP destIP _time
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Splunk Search | Explanation |
|---|---|
| `sourcetype=<wire transfer data source>` | Search your wire transfer data. |
| `\|sort - _time` | Sort the results with the most recently occurring first. |
| `\|eval amount=tostring(round(amount, 2),"commas")` | Round the amount value to two decimal places and add commas for better readability. |
| `\|streamstats time_window=1h count(eval(action="authorized")) AS authorized_count list(FromAccount) AS FromAccount list(ToAccount) AS ToAccount list(amount) AS amount list(action) AS action list(_time) AS time BY customer` | Use a one-hour time window to group transfers by customer, count the transfers in that window whose action is "authorized" as authorized_count, and collect the accounts, amounts, actions and times of the transfers in the window. |
| `\|where authorized_count>7` | Return results where the authorized count is greater than 7. |
| `\|fields - OpenDate epoch clientIP destIP _time` | Exclude the fields shown from the output. |
The output of this search allows you to report on a large number of transfers by the same customer in a one-hour span so you can check whether any are fraudulent. Investigate the customers this search identifies according to your institution's standard operating procedures and regulations.
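To show what the `streamstats time_window=1h ... BY customer` step computes before the threshold is applied, here is an added Python re-implementation of the search's windowing and filtering logic run over constructed sample transfers. It is not Splunk code or part of the original article; the event records, customer IDs, amounts and timestamps are all made up, and the threshold of 7 follows the search's explanation.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


def _t(hhmm):
    """Constructed UTC timestamp on a fixed day for the sample events below."""
    return datetime.strptime(f"2024-05-01T{hhmm}:00Z", "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed sample wire-transfer records (not real data), using the fields the search relies on.
SAMPLE_EVENTS = (
    # customer C1001: eight authorized transfers and one declined transfer inside 45 minutes
    [{"_time": _t(f"10:{m:02d}"), "customer": "C1001", "FromAccount": "111", "ToAccount": f"9{m:02d}",
      "amount": 25000.0 + m, "action": "authorized"} for m in range(0, 48, 6)]
    + [{"_time": _t("10:30"), "customer": "C1001", "FromAccount": "111", "ToAccount": "777",
        "amount": 90000.0, "action": "declined"}]
    # customer C2002: three authorized transfers spread over two hours
    + [{"_time": _t(f"{h:02d}:15"), "customer": "C2002", "FromAccount": "222", "ToAccount": "333",
        "amount": 15000.0, "action": "authorized"} for h in (9, 10, 11)]
)


def windowed_authorized_counts(events, window=timedelta(hours=1)):
    """Mirror of `sort - _time` followed by the streamstats step.

    Events are streamed most-recent-first. For each event, authorized_count is the
    number of already-streamed events for the same customer (current event included)
    whose _time lies within `window` of it and whose action is "authorized".
    Returns the events annotated with authorized_count, in stream order.
    """
    stream = sorted(events, key=lambda e: e["_time"], reverse=True)
    recent = defaultdict(deque)  # customer -> deque of (time, action) still inside the window
    out = []
    for ev in stream:
        q = recent[ev["customer"]]
        q.append((ev["_time"], ev["action"]))
        # entries at the front were streamed earlier, so they carry later timestamps;
        # drop those more than `window` ahead of the current event
        while q and q[0][0] - ev["_time"] > window:
            q.popleft()
        row = dict(ev)
        row["authorized_count"] = sum(1 for _, action in q if action == "authorized")
        out.append(row)
    return out


def flag_excessive(events, threshold=7, window=timedelta(hours=1)):
    """Mirror of the final filter: customers whose authorized count in any 1h window exceeds threshold."""
    rows = windowed_authorized_counts(events, window)
    return sorted({r["customer"] for r in rows if r["authorized_count"] > threshold})
```

Each annotated row corresponds to one result line of the Splunk search, so the customers returned by `flag_excessive` are the ones the search would surface for investigation.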