Splunk Lantern

Deployment Guide: Set up the environment for SFA


The following steps install the Splunk App for Fraud Analytics (SFA) on the Splunk Enterprise Security search head and configure Enterprise Security to use it:

Install the Splunk App for Fraud Analytics

Install the Splunk_Fraud_Analytics.tar.gz package you downloaded earlier on the Splunk Enterprise Security search head, under $SPLUNK_HOME/etc/apps. There are two ways to do this:

  • From a shell on the search head, change to $SPLUNK_HOME/etc/apps, run tar -xzvf /path/to/Splunk_Fraud_Analytics.tar.gz, and then restart Splunk so the app is loaded.
  • In Splunk Web, go to Manage Apps > Install app from file, upload the package, and restart if prompted.
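
Whichever method you use, the archive is unpacked into the apps directory of a search head that already holds Enterprise Security, so it is worth confirming that nothing in it can write outside that directory before extracting. The following is an added example, not an installer shipped by Splunk or with the app: it lists the archive members, refuses any absolute path, any ".." component, or a second top-level entry, and only then extracts. The script name, the paths and the package contents it is exercised with are assumptions.

```shell
#!/bin/sh
# Added example (not from Splunk Lantern or the Splunk App for Fraud Analytics):
# install an app package into $SPLUNK_HOME/etc/apps only after checking that
# every member of the archive stays inside one named top-level app directory.

# Read "tar -tzf" member names on stdin. Succeed only if no member is an
# absolute path, none contains a ".." component, and all members share a
# single named top-level directory (the app directory).
tar_members_safe() {
  awk '
    /^\// { bad = 1 }                       # absolute path
    {
      n = split($0, part, "/")
      for (i = 1; i <= n; i++)
        if (part[i] == "..") bad = 1        # path traversal
      if (top == "") top = part[1]
      else if (part[1] != top) bad = 1      # more than one top-level entry
    }
    END {
      if (bad || top == "" || top == ".") exit 1
      exit 0
    }'
}

# Extract $1 (the .tar.gz package) into $2 (normally $SPLUNK_HOME/etc/apps)
# after the member-name check. Returns non-zero, without extracting, on failure.
install_app() {
  tarball=$1
  apps_dir=$2
  [ -f "$tarball" ] || { echo "not a file: $tarball" >&2; return 1; }
  [ -d "$apps_dir" ] || { echo "not a directory: $apps_dir" >&2; return 1; }
  if ! tar -tzf "$tarball" | tar_members_safe; then
    echo "refusing to extract $tarball: unsafe member paths" >&2
    return 1
  fi
  tar -xzf "$tarball" -C "$apps_dir"
}

# Usage (assumed paths):
#   sh install_sfa.sh Splunk_Fraud_Analytics.tar.gz "$SPLUNK_HOME/etc/apps"
# Restart Splunk afterwards so the search head loads the new app.
if [ $# -eq 2 ]; then
  install_app "$1" "$2"
fi
```

The check covers member names only; it does not inspect symlink members, so keep using a current tar and extract as the Splunk service account rather than root.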

Configure the Splunk App for Fraud Analytics

  1. To display the Splunk App for Fraud Analytics in Splunk Enterprise Security:
    1. Within Enterprise Security, select Configure > General > Navigation.
    2. Click Add a New Collection.
    3. Click Add Existing.
    4. In the Select an App dropdown, select Fraud_Analytics_Splunk.
    5. In the Select a Collection dropdown, select Fraud Analytics.
    6. Click Save.
    7. Click Save again for the Edit Navigation page.
  2. To add fraud as a security domain in Splunk Enterprise Security:
    1. Install the Splunk App for Lookup File Editing (if not already done).
    2. Open the Lookup Editor app from the Splunk Enterprise apps dropdown.
    3. Filter the list of lookups by Security.
    4. Open security_domains.csv.
    5. Add a row with fraud in both the security_domain and label columns.
    6. Click Save Lookup.
  3. To edit fraud source macros:
    1. Edit the macro indexes_fraud_web so that it names the indexes and data sources holding the business service data that most closely matches the fraud_web data model shipped with the Splunk App for Fraud Analytics.
    2. Edit the macro datasources_fraud_account so that it names the indexes and data sources holding the business service data that most closely matches the fraud_account data model shipped with the Splunk App for Fraud Analytics.
  4. Configure the other fraud-related macros that apply to you, such as high_value_accounts (the list of VIP accounts). As shipped, this macro is a comma-separated list of VIP account identifiers. We recommend maintaining the VIPs in a separate lookup instead and using that lookup wherever the macro is called in the applicable correlation searches, so the list can be updated without editing search logic.
  5. To configure Splunk Enterprise Security to display additional fields, as provided by the Splunk App for Fraud Analytics:
    1. Within Enterprise Security, select Configure > Incident Management > Incident Review Settings.
    2. Scroll to Incident Review - Table and Event Attributes and use the following table to add the appropriate fields.
      Field             Label
      risk_score_total  Risk Score Total
      AF__DD01          Investigate ------>
      AF__DD02          Investigate ------>
      AF__DD03          Investigate ------>
      AF__DD04          Investigate ------>
      AF__DD05          Investigate ------>
    3. When finished, click Save and then exit.
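
To make steps 3 and 4 concrete, here is an added example, not part of the Splunk App for Fraud Analytics or of this guide, that writes the two data-source macros and a VIP lookup into the app's local/ and lookups/ directories from a shell on the search head. It refuses a source macro definition that does not restrict the search to named indexes, since an empty or index=* definition would make every fraud correlation search scan the whole deployment. The macro names come from the steps above; the app directory name, the index names, the sourcetype and the account identifiers are assumptions.

```shell
#!/bin/sh
# Added example (not part of the Splunk App for Fraud Analytics): write the
# fraud source macros and a VIP lookup into an app's local/ and lookups/
# directories. The app path, index names, sourcetype and account identifiers
# are assumptions for illustration; substitute your own.

# A data-source macro must restrict the search to named indexes. Reject an
# empty definition, one that never mentions index=, or a wildcard index=*
# (which would make every correlation search scan the whole deployment).
macro_definition_ok() {
  def=$1
  case "$def" in
    "")          return 1 ;;
    *"index=*"*) return 1 ;;
  esac
  printf '%s\n' "$def" | grep -q 'index=' || return 1
  return 0
}

# Append a [name] stanza with the given definition to local/macros.conf.
write_macro() {
  app_dir=$1; name=$2; def=$3
  mkdir -p "$app_dir/local"
  printf '[%s]\ndefinition = %s\n\n' "$name" "$def" >> "$app_dir/local/macros.conf"
}

# Same, but only after the index check above.
write_source_macro() {
  macro_definition_ok "$3" || { echo "refusing macro $2: definition '$3'" >&2; return 1; }
  write_macro "$1" "$2" "$3"
}

# Write the VIP accounts ($2...) to lookups/high_value_accounts.csv, one per
# row under an "account" header, with CSV double-quote escaping.
write_vip_lookup() {
  app_dir=$1; shift
  mkdir -p "$app_dir/lookups"
  out=$app_dir/lookups/high_value_accounts.csv
  printf 'account\n' > "$out"
  for acct in "$@"; do
    printf '"%s"\n' "$(printf '%s' "$acct" | sed 's/"/""/g')" >> "$out"
  done
}

# Example run (assumed values). high_value_accounts is written in the inline
# comma-separated form the app expects; high_value_accounts_lookup is a
# lookup-backed alternative that expands to an OR of account= terms.
if [ -n "${SPLUNK_HOME:-}" ]; then
  app="$SPLUNK_HOME/etc/apps/Splunk_Fraud_Analytics"   # assumed app directory
  write_source_macro "$app" indexes_fraud_web 'index=web OR index=proxy'
  write_source_macro "$app" datasources_fraud_account 'index=auth sourcetype=account_events'
  write_vip_lookup "$app" acct-0001 acct-0002
  write_macro "$app" high_value_accounts '"acct-0001","acct-0002"'
  write_macro "$app" high_value_accounts_lookup \
    '[| inputlookup high_value_accounts.csv | fields account | format]'
fi
```

The stanzas are appended, so remove an existing one before rerunning; the same macros can also be edited in Splunk Web under Settings > Advanced search > Search macros. Whichever way the VIP list is held, limit write access to the lookup to the team that owns it, because anything in that list changes how the correlation searches score events.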

If you need additional guidance, see the Splunk App for Fraud Analytics User Guide in Splunk Docs.