You might want to alert on accounts that transfer money from different IP addresses within a short time. The following procedure shows how.
In order to execute this procedure in your environment, the following data, services, or apps are required:
- Splunk Enterprise or Splunk Cloud Platform
- Wire transfer data from your business services
Compromised accounts are a large concern in your financial services organization. In order to look for signs of compromise and help protect your users, you want to report regularly on the IP addresses users are transferring money from.
To optimize the search shown below, you should specify an index and a time range. You may also need to adjust fields to match what is available in your data source.
- Run the following search:
sourcetype=<wire transfer data source>
|convert timeformat="%Y/%m/%d %H:%M:%S" ctime(epoch) AS c_time
|sort - _time
|eval amount=tostring(round(amount, 2),"commas")
|streamstats time_window=1m count(eval(action="authorized")) AS authorized_count list(FromAccount) AS FromAccount list(ToAccount) AS ToAccount list(amount) AS amount list(action) AS action list(c_time) AS time values(clientIP) AS clientIP dc(clientIP) AS clientIP_count BY customer
|where clientIP_count>=2
|fields - OpenDate epoch destIP _time, clientIP_count c_time authorized_count
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Splunk search | Explanation |
|---|---|
| `sourcetype=<wire transfer data source>` | Search your wire transfer data. |
| `\| convert timeformat="%Y/%m/%d %H:%M:%S" ctime(epoch) AS c_time` | Convert the epoch time value to the specified format and name the converted time field c_time. |
| `\| sort - _time` | Sort the results with the most recently occurring first. |
| `\| eval amount=tostring(round(amount, 2),"commas")` | Round the amount value to two decimal places and add commas for better readability. |
| `\| streamstats time_window=1m count(eval(action="authorized")) AS authorized_count list(FromAccount) AS FromAccount list(ToAccount) AS ToAccount list(amount) AS amount list(action) AS action list(c_time) AS time values(clientIP) AS clientIP dc(clientIP) AS clientIP_count BY customer` | Use a one minute time window to group transfers by customer, count the authorized transfers, list the accounts, amounts, actions and times involved, and count the number of distinct client IPs used. |
| `\| where clientIP_count>=2` | Return results where more than one distinct client IP is counted. |
| `\| fields - OpenDate epoch destIP _time, clientIP_count c_time authorized_count` | Exclude the fields shown from the output. |
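To make the window logic of the search concrete, here is an added Python re-implementation of the same detection over a handful of constructed wire-transfer events; it is not part of the original page and not Splunk code. It assumes the same field names as the search (customer, clientIP, action, amount, epoch), treats the one-minute window as the 60 seconds up to and including each transfer for that customer (a simplification of streamstats time_window), and assumes epoch values are UTC.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=1)  # mirrors streamstats time_window=1m

# Constructed sample events (not real data). Field names mirror the search above.
SAMPLE_EVENTS = [
    {"customer": "C1001", "clientIP": "203.0.113.10", "action": "authorized", "amount": 1250.00, "epoch": 1700000000},
    {"customer": "C1001", "clientIP": "198.51.100.7", "action": "authorized", "amount": 9800.00, "epoch": 1700000030},  # 30 s later, second IP
    {"customer": "C2002", "clientIP": "192.0.2.55",   "action": "authorized", "amount": 300.00,  "epoch": 1700000000},
    {"customer": "C2002", "clientIP": "192.0.2.55",   "action": "authorized", "amount": 450.00,  "epoch": 1700000040},  # same IP: not flagged
    {"customer": "C3003", "clientIP": "203.0.113.99", "action": "authorized", "amount": 75.00,   "epoch": 1700000000},
    {"customer": "C3003", "clientIP": "198.51.100.2", "action": "denied",     "amount": 5000.00, "epoch": 1700000200},  # 200 s later: outside the window
]


def format_amount(amount):
    """Equivalent of eval amount=tostring(round(amount, 2),"commas")."""
    return f"{round(amount, 2):,.2f}"


def c_time(epoch):
    """Equivalent of convert timeformat="%Y/%m/%d %H:%M:%S" ctime(epoch); UTC assumed."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y/%m/%d %H:%M:%S")


def multi_ip_transfers(events, window=WINDOW, min_ips=2):
    """For each customer and each transfer, look at that customer's transfers in the
    `window` ending at the transfer and count distinct client IPs. Returns one record
    per transfer whose window reaches `min_ips` distinct IPs (the where clientIP_count>=2 step)."""
    by_customer = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["epoch"]):
        by_customer[ev["customer"]].append(ev)

    hits = []
    for customer, evs in by_customer.items():
        for i, ev in enumerate(evs):
            cutoff = ev["epoch"] - window.total_seconds()
            in_window = [e for e in evs[: i + 1] if e["epoch"] >= cutoff]
            ips = sorted({e["clientIP"] for e in in_window})  # values(clientIP) / dc(clientIP)
            if len(ips) >= min_ips:
                hits.append({
                    "customer": customer,
                    "clientIP": ips,
                    "clientIP_count": len(ips),
                    "authorized_count": sum(e["action"] == "authorized" for e in in_window),
                    "amount": [format_amount(e["amount"]) for e in in_window],
                    "action": [e["action"] for e in in_window],
                    "time": [c_time(e["epoch"]) for e in in_window],
                })
    return hits


if __name__ == "__main__":
    for hit in multi_ip_transfers(SAMPLE_EVENTS):
        print(hit)
```

Running the script flags only customer C1001: two IPs inside one minute. C2002 reuses a single IP and C3003 changes IP but more than a minute later, so neither meets the threshold; widening the window or lowering it changes what you catch, which is exactly the tuning decision the search leaves to you.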
You should regularly run reports that test for the number of IPs customers have been using in a short amount of time. This helps detect unusual behavior, such as using two client IPs to transfer funds within a minute, which may indicate a compromised account. Investigate the customers this search identifies according to your institution's standard operating procedures and regulations.