The table below explains in detail the steps of a Splunk Enterprise or Splunk Cloud Platform search to help you monitor attempted user transactions with countries that you are banned from conducting transactions with. For more information, review the use case detecting wire transfer fraud.
Some commands, parameters, and field names in the searches below may need to be adjusted to match your environment. In addition, to optimize the searches shown below, you should specify an index and a time range when appropriate.
Splunk recommends that customers look into using data models, report acceleration, or summary indexing when searching across hundreds of GBs of events in a single search. The searches provided here are a good starting point, but depending on your data, search time range, and other factors, more can be done to ensure that they scale appropriately.
||sourcetype=<wire transfer data source>||Search your wire transfer data.|
|| eval _time=strptime(_time, "%Y/%m/%d %H:%M:%S")
Convert the time to a UNIX timestamp.
||sort - _time
||Sort the results with the most recently occurring first.|
||Create the "is_suspicious" field and set it to a value of "no".|
||lookup <name of lookup file of suspicious countries> ip AS destIP OUTPUT is_suspicious
Search the countries in your suspicious country lookup file to find any matches for countries in the wire transfer lookup file, based on the destination IP address.
You can use a country name instead, depending on the data in your lookup files. In this case, you will not need the |iplocation destIP line of this search.
||where is_suspicious="yes" AND amount>10000||Return results where the country is suspicious and the amount transferred is greater than 10,000.|
||Extract the country name from the destination IP address.|
||rename Country AS destCountry||Rename the fields as shown for better readability.|
||table _time, customer, FromAccount, ToAccount, action, amount, destCountry, destIP||Display the results in a table with columns in the order shown.|
||eval amount=tostring(round(amount, 2),"commas")||Round the amount value to two decimals places and add commas for better readability.|