Splunk Lantern

Wire transfers from multiple client IP addresses

You might want to alert on accounts that transfer money from different IP addresses when doing the following:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

Compromised accounts are a large concern in your financial services organization. In order to look for signs of compromise and help protect your users, you want to report regularly on the IP addresses users are transferring money from. 

To optimize the search shown below, you should specify an index and a time range. You may also need to adjust fields to match what is available in your data source.

  1. Run the following search:

    sourcetype=<wire transfer data source>
    |convert timeformat="%Y/%m/%d %H:%M:%S" ctime(epoch) AS c_time
    |sort - _time
    |eval amount=tostring(round(amount, 2),"commas")
    |streamstats time_window=1m count(eval(action="authorized")) AS authorized_count list(FromAccount) AS FromAccount list(ToAccount) AS ToAccount list(amount) AS amount list(action) AS action list(c_time) AS time values(clientIP) AS clientIP dc(clientIP) AS clientIP_count BY customer
    |where clientIP_count>=2
    |fields - OpenDate epoch destIP _time clientIP_count c_time authorized_count

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search / Explanation

sourcetype=<wire transfer data source>
    Search your wire transfer data.

|convert timeformat="%Y/%m/%d %H:%M:%S" ctime(epoch) AS c_time
    Convert the epoch time value to the specified format and name the converted time field c_time.

|sort - _time
    Sort the results with the most recently occurring first. The streamstats time_window argument that follows requires time-ordered events. Note that sort returns at most 10,000 results by default; use sort 0 - _time if your result set may be larger.

|eval amount=tostring(round(amount, 2),"commas")
    Round the amount value to two decimal places and add commas for better readability.

|streamstats time_window=1m count(eval(action="authorized")) AS authorized_count list(FromAccount) AS FromAccount list(ToAccount) AS ToAccount list(amount) AS amount list(action) AS action list(c_time) AS time values(clientIP) AS clientIP dc(clientIP) AS clientIP_count BY customer
    Use a one-minute time window to group transfers by customer, count the authorized transfers in the window, and count the number of distinct client IPs used.

|where clientIP_count>=2
    Return results where more than one distinct client IP is counted.

|fields - OpenDate epoch destIP _time clientIP_count c_time authorized_count
    Exclude the fields shown from the output.
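To make the windowing logic concrete, the following is an added Python model of the search's sort, streamstats and where steps, run over constructed sample transfer events. It is not part of the original article; the field names mirror the search, while the sample customers, IPs and amounts are assumptions.

```python
from collections import deque
from datetime import datetime, timezone

# Constructed sample wire-transfer events (not real data); epochs are UTC.
EVENTS = [
    {"customer": "C1001", "clientIP": "203.0.113.10", "epoch": 1700000000, "amount": 2500.0, "action": "authorized"},
    {"customer": "C1001", "clientIP": "198.51.100.7", "epoch": 1700000030, "amount": 4999.5, "action": "authorized"},
    {"customer": "C1002", "clientIP": "192.0.2.44", "epoch": 1700000010, "amount": 120.0, "action": "authorized"},
    {"customer": "C1002", "clientIP": "192.0.2.44", "epoch": 1700000050, "amount": 80.0, "action": "authorized"},
    {"customer": "C1003", "clientIP": "192.0.2.9", "epoch": 1700000000, "amount": 300.0, "action": "authorized"},
    {"customer": "C1003", "clientIP": "198.51.100.2", "epoch": 1700000400, "amount": 300.0, "action": "denied"},
]


def c_time(epoch):
    """Equivalent of convert ctime(epoch) with timeformat %Y/%m/%d %H:%M:%S."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y/%m/%d %H:%M:%S")


def flag_multi_ip_transfers(events, window_seconds=60, min_ips=2):
    """Model of the streamstats/where steps: walk events newest-first (sort - _time),
    keep a per-customer window of events within window_seconds of the current one
    (time_window=1m ... BY customer), and emit a row whenever that window holds at
    least min_ips distinct client IPs (where clientIP_count>=2)."""
    windows = {}  # customer -> deque of events already seen, in stream order
    alerts = []
    for ev in sorted(events, key=lambda e: e["epoch"], reverse=True):
        win = windows.setdefault(ev["customer"], deque())
        win.append(ev)
        # The stream is in descending time, so the oldest deque entries are the
        # newest events; drop those more than window_seconds after the current one.
        while win[0]["epoch"] - ev["epoch"] > window_seconds:
            win.popleft()
        ips = {e["clientIP"] for e in win}
        if len(ips) >= min_ips:
            alerts.append({
                "customer": ev["customer"],
                "clientIP": sorted(ips),                       # values(clientIP)
                "clientIP_count": len(ips),                    # dc(clientIP)
                "authorized_count": sum(e["action"] == "authorized" for e in win),
                "amount": [f"{e['amount']:,.2f}" for e in win],  # tostring(round(amount,2),"commas")
                "time": [c_time(e["epoch"]) for e in win],
            })
    return alerts


if __name__ == "__main__":
    for row in flag_multi_ip_transfers(EVENTS):
        print(row)
```

Only C1001 is flagged: C1002 uses one IP twice, and C1003's second IP falls outside the one-minute window.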

Result

You should regularly run reports that test for the counts of IPs customers have been using in a short amount of time. This will help detect unusual behavior, such as using two client IPs to transfer funds within a short period, which may indicate compromised accounts. Investigate customers this search identifies according to your institution's standard operating procedures and regulations.