Monitoring for new account fraud with the Splunk App for Fraud Analytics

Last updated
Save as PDF
Share
1. Share
2. Tweet
3. Share

If you have not already installed the Splunk App for Fraud Analytics, complete the steps in the deployment guide and then come back to this article.

The information in this article applies to Splunk Enterprise Security (ES) versions 7.x. If you have upgraded to Splunk Enterprise Security version 8.x, some terminology and steps might not apply. For additional assistance on this use case with ES 8.x, Splunk Professional Services can help.

Analysts need to be able to identify new customer accounts that are potentially fraudulent. The Splunk App for Fraud Analytics ships with out-of-the-box use cases that address both new account and account takeover fraud, along with limited support for some additional fraud use cases. This process will address how to detect the new account fraud use case within the out-of-the-box constraints of the application.

Identify the risk rules applicable to new account fraud

After performing the initial configuration of the Splunk App for Fraud Analytics, as described in the deployment guide, navigate to Enterprise Security > Configure > Content Management.
Filter on the following:
- Type: Correlation Search
- App: Fraud Analytics for Splunk
- Filter: 'NewAcct'
The following results should appear:
Examine the SPL for each of the applicable searches to determine data source requirements. Currently, all detections applicable to new account fraud require data from the fraud_account data model. If you add new detections that require another data type, this should be noted for future steps.

Review and prepare data for compliance with the fraud_account data model

Click here to the see the data model definitions.

The fraud_account data model focuses on account details such as SSN, email, address, or account holder, and allows analysts to search for anomalous accounts that could potentially be fraudulent. The data could be in the form of web or other application-like data, but focuses on data fields rather than specific data types. So, theoretically, both the fraud_account and fraud_web data models could leverage the same source type. The difference is how they focus different lenses on this data through specific fields within the data models.

Review the applicable data fields for the fraud_account data model by navigating to Settings > Data Models > fraud_account. The fraud_account data model applicable fields can be seen in the table in Splunk Docs.

While the above fields are all of the fields available to you through the fraud_account data model, similar to how most Splunk Enterprise Security detections work, you won’t need to normalize to every single field. You only need to normalize to the fields applicable to the new account risk rules described in the previous step, and for the applicable dashboards included with the application. Following are the fields required for successful implementation of the included detections and dashboards.

Fields required for risk rule implementation

Risk Rule	Required Fields	Combined Required Fields
RR-Fraud-NewAcct-dotted gmail - one or more dots	`email` `email_domain_root` `email_normalized`	`email` `email_domain_root` `email_normalized` `password` `phone_home` `src_ip` `src_ip_Country` `src_ip_lat` `src_ip_lon` `username` `zip_lat` `zip_lon`
RR-Fraud-NewAcct-duplicated dotted gmail	`username` `email_normalized`
RR-Fraud-NewAcct-email-velocity	`username` `email`
RR-Fraud-NewAcct-IP Country NOT USA	`src_ip_Country`
RR-Fraud-NewAcct-IP-Zip-distance over 1000km USA IP	`src_ip_lat` `src_ip_lon` `zip_lat` `zip_lon` `src_ip_Country`
RR-Fraud-NewAcct-shared bank acct	`username` `src_ip`
RR-Fraud-NewAcct-shared IP address	`username` `src_ip`
RR-Fraud-NewAcct-shared passwords	`username` `password`
RR-Fraud-NewAcct-shared phone number	`username` `phone_home`

Fields required for dashboard implementation

Dashboard	Panel	Required Fields	Combined Required Fields
Financial Fraud > Customer Accounts Analysis	Customer account investigation (usernames)	`username` `src_ip` `phone_home` `email` `email_normalized` `email_domain_root` `direct_deposit` `password` `addr_home_city` `src_ip_Country` `http_user_agent`	`username` `src_ip` `phone_home` `email` `email_normalized` `email_domain_root` `direct_deposit` `password` `addr_home_city` `src_ip_Country` `http_user_agent`

Identify the fields within the applicable dataset, and normalize those to the fraud_account data model.
If you need to adjust out-of-the-box risk rules based on your unique requirements, keep note of any additional fields that need to be normalized to the fraud_account data model and incorporated into the detection.

Enable the risk rules and risk notable applicable to new account fraud

Enable the Risk Rules identified in the first step in this process by navigating to Enterprise Security > Configure > Content Management, and first filtering for the new account fraud risk rules.
- Type: Correlation Search
- App: Fraud Analytics for Splunk
- Filter: NewAcct
Enable all of these rules through the Content Management user interface.
Enable the following Risk Notable: Notable-Fraud -- New Account risk threshold exceeded.

Next steps

If you want more step-by-step guidance about how to implement this use case by walking through a sample scenario, see the New account fraud article.

After you have implemented this new account fraud use case, you might be interested in other ways to protect your financial services organization and its customers. Return to the fraud detection and prevention deployment guide for instructions on implementing additional use cases.

Finally, if you would like more hands-on assistance with this or any other fraud detection and protection use case, Splunk Professional Services can help. Find more information here or reach out directly to sales.