Skip to main content
Splunk Lantern

Wire transfers into suspicious or banned countries

Financial institutions are banned from doing business with certain countries. You might want to monitor attempted user transactions with such countries to help with doing the following:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

Large amounts of money being transferred into certain countries can indicate fraud. You want to correlate user activity with your list of banned and suspicious countries. 

To optimize the search shown below, you should specify an index and a time range.  You may also need to adjust fields to match what is available in your data source. 

  1. Run the following search:
    |sourcetype=<wire transfer data source>
    | eval _time=strptime(_time, "%Y/%m/%d %H:%M:%S")
    |sort - _time
    |eval is_suspicious="no"
    |lookup <name of lookup file of suspicious countries> ip AS destIP OUTPUT is_suspicious
    |where is_suspicious="yes" AND amount>10000
    |iplocation destIP
    |rename Country AS destCountry
    |table _time, customer, FromAccount, ToAccount, action, amount, destCountry, destIP
    |eval amount=tostring(round(amount, 2),"commas")

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation
|sourcetype=<wire transfer data source> Search your wire transfer data.
| eval _time=strptime(_time, "%Y/%m/%d %H:%M:%S")
 

Convert the time to a UNIX timestamp. 

|sort - _time
 
Sort the results with the most recently occurring first.
|eval is_suspicious="no"
 
Create the "is_suspicious" field and set it to a value of "no".
|lookup <name of lookup file of suspicious countries> ip AS destIP OUTPUT is_suspicious
 

Search the countries in your suspicious country lookup file to find any matches for countries in the wire transfer lookup file, based on the destination IP address.

You can use a country name instead, depending on the data in your lookup files. In this case, you will not need the |iplocation destIP line of this search.

|where is_suspicious="yes" AND amount>10000 Return results where the country is suspicious and the amount transferred is greater than 10,000.
|iplocation destIP
 
Extract the country name from the destination IP address.
|rename Country AS destCountry Rename the fields as shown for better readability.
|table _time, customer, FromAccount, ToAccount, action, amount, destCountry, destIP Display the results in a table with columns in the order shown.
|eval amount=tostring(round(amount, 2),"commas") Round the amount value to two decimals places and add commas for better readability.

Result

This search outputs a report of large transfers going into suspicious or banned countries. Regularly report on all large amounts transferred to suspicious countries. Users who transfer large funds to suspicious countries may have had their accounts taken over. By finding this suspicious behavior early, fraud may be avoided.