Splunk Lantern

Number of wire transfers exceeds threshold

You might want a count of how many wire transfers a customer completes in a given time period when doing the following:

Prerequisites

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

Compromised accounts are a large concern in your financial services organization. In order to help protect your users, you want to report on the number of large transfers that clients have completed in a one hour time span. Excessive transfers might indicate fraud.

To optimize the search shown below, you should specify an index and a time range.

  1. Run the following search:

     |inputlookup <name of lookup file for wire transfer information>
     |sort - _time
     |eval amount=tostring(round(amount, 2),"commas")
     |streamstats time_window=1h count(eval(action="authorized")) AS authorized_count list(FromAccount) AS FromAccount list(ToAccount) AS ToAccount list(amount) AS amount list(action) AS action list(_time) AS time BY customer
     |where authorized_count>=7
     |fields - OpenDate epoch clientIP destIP _time

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search / Explanation

|inputlookup <name of lookup file for wire transfer information>
    Search the data in your wire transfer information lookup file.

|sort - _time
    Sort the results with the most recently occurring first.

|eval amount=tostring(round(amount, 2),"commas")
    Round the amount value to two decimal places and add commas for better readability.

|streamstats time_window=1h count(eval(action="authorized")) AS authorized_count list(FromAccount) AS FromAccount list(ToAccount) AS ToAccount list(amount) AS amount list(action) AS action list(_time) AS time BY customer
    Use a one hour sliding time window to group transfers by customer, count the transfers whose action is "authorized" as authorized_count, and collect the source account, destination account, amount, action, and time of each transfer in the window.

|where authorized_count>=7
    Return results where the authorized count is 7 or greater.

|fields - OpenDate epoch clientIP destIP _time
    Exclude the fields shown from the output.
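The per-customer sliding-window count that the streamstats and where clauses perform can be reproduced outside Splunk, which is useful for testing the threshold against known-good data. The following is an added Python example, not code from Splunk Lantern; the records, customer names, window and threshold are constructed assumptions, and the window here ends at each event (the search, after sort - _time, anchors it at the newest event instead), which flags the same bursts.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample records standing in for the wire-transfer lookup file.
_T0 = datetime(2024, 1, 15, 9, 0)

def _rec(customer, minutes, amount, action="authorized"):
    return {"customer": customer, "_time": _T0 + timedelta(minutes=minutes),
            "amount": amount, "action": action}

SAMPLE_TRANSFERS = (
    [_rec("C1", m, 12000 + m) for m in (0, 5, 9, 14, 20, 26, 31, 38)]  # 8 authorized in 38 min
    + [_rec("C1", 16, 9000, "denied")]                                  # not counted
    + [_rec("C2", m, 5000) for m in (0, 30, 55)]                         # only 3 in the hour
    + [_rec("C3", m, 20000) for m in (0, 25, 50, 75, 100, 125, 150)]     # 7, but spread over 2.5 h
)

def flag_burst_customers(transfers, window=timedelta(hours=1), threshold=7):
    """Sliding per-customer count of action == "authorized" events inside `window`,
    mirroring streamstats time_window=1h count(eval(action="authorized")) BY customer
    followed by where authorized_count >= threshold.
    Returns {customer: highest authorized_count seen} for customers that cross it."""
    recent = {}   # customer -> deque of authorized timestamps still inside the window
    peaks = {}
    for rec in sorted(transfers, key=lambda r: r["_time"]):
        customer, t = rec["customer"], rec["_time"]
        q = recent.setdefault(customer, deque())
        if rec["action"] == "authorized":
            q.append(t)
        # Drop authorized timestamps that have aged out of the window ending at this event.
        while q and t - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            peaks[customer] = max(peaks.get(customer, 0), len(q))
    return peaks

if __name__ == "__main__":
    print(flag_burst_customers(SAMPLE_TRANSFERS))  # {'C1': 8}
```

Only C1 crosses the threshold: C3 also has seven authorized transfers, but never seven inside a single hour, which is the distinction the time_window argument makes.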

Result

The output of this search allows you to report on a large number of transfers by the same customer in a one hour span so you can check if any are fraudulent. Investigate customers this search identifies according to your institution's standard operating procedures and regulations.