Financial institutions are banned from doing business with certain countries. You might want to monitor attempted user transactions with such countries to help with doing the following:
In order to execute this procedure in your environment, the following data, services, or apps are required:
Large amounts of money being transferred into certain countries can indicate fraud. You want to correlate user activity with your list of banned and suspicious countries.
To optimize the search shown below, you should specify an index and a time range.
- Run the following search:
|inputlookup <name of lookup file for wire transfer information>
| eval _time=strptime(_time, "%Y/%m/%d %H:%M:%S")
|sort - _time
|lookup <name of lookup file of suspicious countries> ip AS destIP OUTPUT is_suspicious
|where is_suspicious="yes" AND amount>10000
|rename Country AS destCountry
|table _time, customer, FromAccount, ToAccount, action, amount, destCountry, destIP
|eval amount=tostring(round(amount, 2),"commas")
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
||inputlookup <name of lookup file for wire transfer information>||Search the data in your wire transfer information lookup file.|
|| eval _time=strptime(_time, "%Y/%m/%d %H:%M:%S")
Convert the time to a UNIX timestamp.
||sort - _time
||Sort the results with the most recently occurring first.|
||Create the "is_suspicious" field and set it to a value of "no".|
||lookup <name of lookup file of suspicious countries> ip AS destIP OUTPUT is_suspicious
Search the countries in your suspicious country lookup file to find any matches for countries in the wire transfer lookup file, based on the destination IP address.
You can use a country name instead, depending on the data in your lookup files. In this case, you will not need the |iplocation destIP line of this search.
||where is_suspicious="yes" AND amount>10000||Return results where the country is suspicious and the amount transferred is greater than 10,000.|
||Extract the country name from the destination IP address.|
||rename Country AS destCountry||Rename the fields as shown for better readability.|
||table _time, customer, FromAccount, ToAccount, action, amount, destCountry, destIP||Display the results in a table with columns in the order shown.|
||eval amount=tostring(round(amount, 2),"commas")||Round the amount value to two decimals places and add commas for better readability.|
This search outputs a report of large transfers going into suspicious or banned countries. Regularly report on all large amounts transferred to suspicious countries. Users who transfer large funds to suspicious countries may have had their accounts taken over. By finding this suspicious behavior early, fraud may be avoided.