Deployment Guide: Set up the environment for SFA
The following steps should be taken prior to installing and configuring the Splunk App for Fraud Analytics:
- Ensure all prerequisites are met.
- Install the Splunk App for Lookup File Editing, if not already complete.
- Download and stage the Splunk_Fraud_Analytics.tar.gz file.
Install the Splunk App for Fraud Analytics
Install the Splunk_Fraud_Analytics.tar.gz file you previously downloaded on the Splunk Enterprise Security search head, in the apps directory. There are two ways to do this:
- From the command line, extract the archive in the apps directory: tar -xzvf Splunk_Fraud_Analytics.tar.gz
- In Splunk Web, select Manage apps > Install app and upload the file.
Configure the Splunk App for Fraud Analytics
- To display the Splunk App for Fraud Analytics in Splunk Enterprise Security:
  - Within Enterprise Security, select Configure > General > Navigation.
  - Click Add a New Collection.
  - Click Add Existing.
  - In the Select an App dropdown, select Fraud_Analytics_Splunk.
  - In the Select a Collection dropdown, select Fraud Analytics.
  - Click Save.
  - Click Save again on the Edit Navigation page.
- To add fraud as a security domain in Splunk Enterprise Security:
  - Install the Splunk App for Lookup File Editing (if not already done).
  - Open the Lookup Editor app from the Splunk Enterprise apps dropdown.
  - Filter by Security.
  - Open security_domains.csv.
  - Add fraud in both the security_domain and label columns.
  - Click Save Lookup.
- To edit the fraud source macros:
  - Edit the macro indexes_fraud_web to include the correct indexes and data sources for the business service data most closely aligned to the fraud_web data model included with the Splunk App for Fraud Analytics.
  - Edit the macro datasources_fraud_account to include the correct indexes and data sources for the business service data most closely aligned to the fraud_account data model included with the Splunk App for Fraud Analytics.
  - Edit the macro
  - Configure other applicable fraud-related macros such as high_value_accounts (list of VIP accounts). This macro is a comma-separated list of "VIP" accounts. We recommend creating a separate lookup of these VIPs and using that lookup where the macro is called in the applicable correlation searches.
- To configure Splunk Enterprise Security to display the additional fields provided by the Splunk App for Fraud Analytics:
  - Within Enterprise Security, select Configure > Incident Management > Incident Review Settings.
  - Scroll to Incident Review - Table and Event Attributes and use the following table to add the appropriate fields.

    | Field | Label |
    | --- | --- |
    | risk_score_total | Risk Score Total |
    | AF__DD01 | Investigate ------> |
    | AF__DD02 | Investigate ------> |
    | AF__DD03 | Investigate ------> |
    | AF__DD04 | Investigate ------> |
    | AF__DD05 | Investigate ------> |

  - When finished, click Save and then exit.
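A concrete shape for the macro edits in the configuration steps above, added here as an example that is not taken from the app or from Splunk's documentation: a local/macros.conf for the app containing the three macros this guide names. The file path, index names, sourcetypes, sample accounts and the vip_accounts.csv lookup are constructed placeholders; replace them with the indexes and data sources that actually feed your fraud_web and fraud_account data.

```ini
# Assumed path: $SPLUNK_HOME/etc/apps/Fraud_Analytics_Splunk/local/macros.conf
# Put overrides in local/ so they survive app upgrades; leave default/ untouched.

# Indexes and data sources that map to the fraud_web data model.
# Constructed values: substitute your own indexes and sourcetypes.
[indexes_fraud_web]
definition = (index=web OR index=proxy) sourcetype=access_combined
iseval = 0

# Indexes and data sources that map to the fraud_account data model.
# Constructed values: substitute your own indexes and sourcetypes.
[datasources_fraud_account]
definition = index=app_auth sourcetype=acme:account:events
iseval = 0

# Comma-separated list of "VIP" accounts, in the form the guide describes.
# Constructed sample accounts; every search that expands this macro will
# carry the full list inline, which is why a lookup scales better.
[high_value_accounts]
definition = "ceo@example.com","cfo@example.com","treasury-ops@example.com"
iseval = 0
```

Following the guide's recommendation, the longer-term shape is to maintain the VIP list as a lookup instead of inside the macro: create a CSV such as vip_accounts.csv (constructed name) with columns user and is_vip through the Lookup Editor, and in each correlation search that calls `high_value_accounts`, replace the macro with `| lookup vip_accounts.csv user OUTPUT is_vip | where is_vip=1`. Analysts can then update the VIP roster through the Lookup Editor without touching macro definitions or the correlation searches themselves.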
If you need additional guidance, see the Splunk App for Fraud Analytics User Guide in Splunk Docs.