Monitoring for account abuse with the Splunk App for Behavioral Analytics
You work for a financial services company where customer accounts are occasionally misused for activities that violate your policies, such as money laundering, fraudulent transactions, or spamming. This kind of account abuse can harm your customers and damage your business's reputation. Your aim is to identify suspicious behaviors such as excessive transaction volumes, use of multiple accounts for transfers, and patterns indicative of mule accounts being used for illegal activities.
Account abuse occurs when an individual misuses their authorized access to an account to perform unauthorized or malicious activities. Unlike account takeover (ATO), which specifically involves unauthorized access by external actors, account abuse can encompass a broader range of activities.
Effective detection of account abuse is crucial for maintaining the integrity of financial services, protecting sensitive information, and ensuring compliance with regulatory standards. Detecting account abuse can be a significant challenge for fraud teams, as threat indicators and attacker tactics constantly evolve.
This article shows you how to use the Splunk App for Behavioral Profiling to create advanced techniques leveraging user behavioral analytics to stay ahead of emerging threats. For basic searches in the Splunk platform to create basic detection methods, see Monitoring for account abuse with the Splunk platform.
Prerequisites
- Splunk Enterprise version 9.x.x or higher / Splunk Cloud Platform version 9.x.x or higher
- Splunk App for Behavioral Profiling, which should be installed and configured
- Splunk Machine Learning Toolkit
- Python for Scientific Computing
- Sample Fraud data for Splunk App for Behavioral Profiling
Data required
- Application data for consumer financial applications
How to use Splunk software for this use case
The Splunk App for Behavioral Profiling introduces advanced machine learning models that analyze user behavior patterns. By building a baseline of normal activity for each user, the app flags deviations such as high transaction volumes, excessive privilege use, or interactions with multiple accounts.
Incorporating these techniques will help you proactively detect ATO attempts, reduce manual analysis, and enhance your overall fraud prevention strategy.
Make sure you use the correct index and add parameter values appropriate to your organization when defining your behavioral indicator search. You'll do this in step 2 of each process below.
High volume of transactions
An abnormally high transaction volume can indicate attempts to quickly move funds out of the account, especially if linked to fraud or unauthorized actions. Detecting these accounts early helps mitigate potential financial losses and enhances security for both the institution and the account holder.
How to create a behavioral indicator search and anomaly scoring rule to detect high volumes of transactions
Creating a behavioral indicator search
- Select Guided Mode. Click Next.
- Select the index that holds your payment transactions. In this case, we're inputting index=payment_transactions.
- In Entity Field, select customer. In Other Fields, select _time, action, amount, customer, location, operation, os, and vendor. Verify the selection, and click Next.
- On the Define Indicator page, make the following selections:
- In Function, select count.
- In Function Field, select operation.
- In Split Timespan, select Yes.
- In Time Window, select 1h.
- Click Next.
- Provide a descriptive Name and a Description. Click Save.
- Verify your Behavioral Indicator configuration is correct. Click Submit.
- Verify that the Behavioral Indicator was successfully created.
Creating an anomaly scoring rule
- Select Guided Mode. Click Next.
- Under Entity Specific Rule select Mode: Machine Learning. Click Next.
- Select the previously created Behavioral Indicator. Select count(operation). Click Next.
- In Distribution Type select Auto, and in Threshold select .002. Click Next.
- In Scoring Method select Proportional. Set Scoring Value to 100. Click Next.
- Provide a descriptive Name, and a Description. Click Save.
- Verify your Anomaly Scoring Rule configuration is correct. Click Submit.
Multiple accounts interfacing frequently
Frequent transfers between specific accounts might signal "mule networks" where funds are passed along to obscure the money trail. This procedure helps you highlight accounts with unusually frequent interactions, so fraud teams can quickly assess and halt suspicious activity, particularly for financial services targeted by organized networks.
How to create a behavioral indicator search and anomaly scoring rule to detect multiple accounts interfacing frequently
Creating a behavioral indicator search
- Select Guided Mode. Click Next.
- Select the index that holds your payment transactions. In this case, we're inputting index=payment_transactions.
- In Entity Field, select customer, and in Other Fields select _time, action, customer, location, and vendor. Verify the selection, and click Next.
- On the Define Indicator page, make the following selections:
- In Function, select dc.
- In Function Field, select action, vendor.
- In Split Timespan, select Yes.
- In Time Window, select 1h.
- Click Next.
- Provide a descriptive Name and a Description. Click Save.
- Verify that your Behavioral Indicator configuration is correct. Click Submit.
- Verify that the Behavioral Indicator was successfully created.
Creating an anomaly scoring rule
- Select Guided Mode. Click Next.
- Under Entity Group Rule select Mode: Statistical. Click Next.
- Select the previously created Behavioral Indicator. Select dc(action). Click Next.
- For Std. Dev Threshold select 3. Click Next.
- In Scoring Method select Static. In Scoring Value select 100. Click Next.
- Provide a descriptive Name, and a Description. Click Save.
- Verify your Anomaly Scoring Rule configuration is correct. Click Submit.
Suspicious transaction patterns
Identifying transactions involving high-risk regions is essential for compliance and risk management, as certain countries are associated with higher levels of financial crime. This procedure allows financial institutions to pinpoint transactions with specific countries or IPs, helping prevent illicit activity and ensuring regulatory adherence.
How to create a behavioral indicator search and anomaly scoring rule to detect unusual transaction patterns
Creating a behavioral indicator search
- Select Guided Mode. Click Next.
- Select the index that holds your payment transactions. In this case, we're inputting index=payment_transactions.
- In Entity Field select customer, and in Other Fields select _time, action, amount, customer, location, and vendor. Verify the selection, and click Next.
- On the Define Indicator page, make the following selections:
- In Function, select dc.
- In Function Field, select action.
- In Split Timespan, select Yes.
- In Time Window select 1h.
- Click Next.
- Provide a descriptive Name and a Description. Click Save.
- Verify your Behavioral Indicator configuration is correct. Click Submit.
- Verify the Behavioral Indicator was successfully created.
Creating an anomaly scoring rule
- Select Guided Mode. Click Next.
- Under Entity Group Rule select Mode: Statistical. Click Next.
- Select the previously created Behavioral Indicator. Select dc(action). Click Next.
- For Std. Dev Threshold select 3. Click Next.
- In Scoring Method select Static. Set Scoring Value to 100. Click Next.
- Provide a descriptive Name, and a Description. Click Save.
- Verify your Anomaly Scoring Rule configuration is correct. Click Submit.
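The three procedures above (high volume of transactions, multiple accounts interfacing frequently, and suspicious transaction patterns) each reduce to the same two pieces: an hourly indicator per customer (count or distinct count of a field, split into 1h windows) and a scoring rule that compares each hour with a baseline. The following Python script is an added example, not code from this article or from the Splunk App for Behavioral Profiling, that emulates those three indicator/rule pairs offline so you can see exactly what gets flagged and why. It assumes a constructed set of payment_transactions events, that an Entity Specific rule baselines each customer against its own history while an Entity Group rule baselines against all customers pooled together, that a normal distribution stands in for Distribution Type "Auto", and a simple Proportional scoring formula; none of these are documented behaviour of the app.

```python
# Added example (not from the Splunk article or the Splunk App for Behavioral Profiling):
# a plain-Python emulation of the three indicator/rule pairs configured above.
# Assumptions: the constructed events below; Entity Specific = per-customer baseline,
# Entity Group = pooled baseline across customers; normal fit for Distribution "Auto";
# Proportional score = Scoring Value scaled by how far under the threshold the tail
# probability falls.
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import NormalDist, mean, pstdev

BASE = datetime(2024, 1, 1)  # constructed day of traffic


def make_events():
    """Constructed sample data standing in for index=payment_transactions."""
    events = []

    def add(customer, hour, n, action="send", vendor="acme_bank", operation="transfer"):
        for i in range(n):
            events.append({"_time": BASE + timedelta(hours=hour, minutes=i),
                           "customer": customer, "action": action, "vendor": vendor,
                           "operation": operation, "amount": 50 + hour,
                           "location": "US", "os": "ios"})

    for customer in ("alice", "bob", "carol"):
        for hour in range(24):          # mild daily rhythm: 1, 2, 3, 1, 2, 3, ...
            add(customer, hour, 1 + hour % 3)
    add("carol", 10, 30)                # burst of transfers in a single hour
    for action in ("receive", "request", "refund", "chargeback"):
        for vendor in ("shopco", "gamehub"):   # many distinct action/vendor pairs
            add("bob", 15, 1, action=action, vendor=vendor)
    return events


def hourly_indicator(events, func, fields, entity="customer"):
    """Define Indicator with Split Timespan=Yes and Time Window=1h.
    func 'count' -> events with the field present; 'dc' -> distinct combinations
    of the listed fields. Returns {entity: {hour: value}}."""
    buckets = defaultdict(list)
    for ev in events:
        hour = ev["_time"].replace(minute=0, second=0, microsecond=0)
        vals = tuple(ev.get(f) for f in fields)
        if None not in vals:            # like SPL count()/dc(), ignore null values
            buckets[(ev[entity], hour)].append(vals)
    series = defaultdict(dict)
    for (ent, hour), vals in buckets.items():
        series[ent][hour] = len(vals) if func == "count" else len(set(vals))
    return series


def entity_ml_rule(series, threshold=0.002, scoring_value=100):
    """Entity Specific Rule, Mode: Machine Learning, Threshold .002, Proportional.
    Assumption: each hour is compared with a normal distribution fitted to the
    customer's other hours (leave-one-out, so a burst does not inflate its own
    baseline) and is anomalous when its upper-tail probability is below threshold."""
    hits = []
    for ent, s in series.items():
        for hour, v in s.items():
            rest = [x for h, x in s.items() if h != hour]
            if len(rest) < 2 or pstdev(rest) == 0:
                continue                # flat or too-short history: no usable baseline
            p = 1 - NormalDist(mean(rest), pstdev(rest)).cdf(v)
            if p < threshold:
                hits.append((ent, hour, v, round(scoring_value * (1 - p / threshold))))
    return sorted(hits)


def group_statistical_rule(series, std_threshold=3.0, scoring_value=100):
    """Entity Group Rule, Mode: Statistical, Std. Dev Threshold 3, Static scoring.
    Assumption: the baseline pools every customer's hourly values, so an hour is
    flagged when it sits more than std_threshold deviations above the peer group."""
    pooled = [v for s in series.values() for v in s.values()]
    mu, sigma = mean(pooled), pstdev(pooled)
    if sigma == 0:
        return []                       # everyone behaves identically: nothing stands out
    return sorted((ent, hour, v, scoring_value)
                  for ent, s in series.items() for hour, v in s.items()
                  if (v - mu) / sigma > std_threshold)


def run_all(events=None):
    """Run the three indicator/rule pairs from the article; returns {rule: anomalies}."""
    if events is None:
        events = make_events()
    return {
        "high_volume": entity_ml_rule(hourly_indicator(events, "count", ["operation"])),
        "multiple_accounts": group_statistical_rule(
            hourly_indicator(events, "dc", ["action", "vendor"])),
        "suspicious_patterns": group_statistical_rule(
            hourly_indicator(events, "dc", ["action"])),
    }


if __name__ == "__main__":
    for rule, hits in run_all().items():
        for ent, hour, value, score in hits:
            print(f"{rule}: {ent} {hour:%Y-%m-%d %H:00} value={value} score={score}")
```

Running it flags carol's 32-transfer hour and bob's 9-operation hour under the count-based rule, and only bob's hour 15 under the two distinct-count rules, which is the point of running the indicators side by side: a burst of volume and a spread across many counterparties are different signals and a single indicator misses one of them. The leave-one-out baseline in entity_ml_rule and the sigma == 0 guards are the edge cases to keep in mind when tuning the real app: a customer whose history is perfectly flat, or whose baseline window already contains the burst, will score very differently from what a 3 standard deviation threshold suggests.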
Next steps
Use your results to make recommendations to the rest of the security team about which accounts should be investigated for potential account takeover. Create reports based on these searches and schedule them to run at a regular cadence as needed. Be sure to follow any industry policies and regulations that are required for compliance.
To further advance your use cases, the Splunk Essentials for the Financial Services Industry app helps you automate the searches to detect financial crime. The app also provides more insight on how searches can be applied in your environment, how they work, the difficulty level, and what data can be valuable to run them successfully.
The Splunk App for Fraud Analytics provides Splunk Enterprise Security users with a number of other fraud detection solutions for financial services, such as account takeover and new account abuse.
The Splunk App for Behavioral Profiling is a collection of workflows which enable you to operationalize machine learning driven detection and scoring of behavioral anomalies at scale in complex environments, correlated to profile and highlight the entities which require investigation.
If you have questions about monitoring for account takeover in your environment, you can reach out to your Splunk account team or representative for comprehensive advice and assistance. You can contact your account team through the Contact Us page. For more in-depth support, consult Splunk On-Demand Services to access credit-based services for direct access to Splunk technical consultants with a variety of technical services from a pre-defined catalog. Most customers have OnDemand Services per their license support plan. Engage the ODS team at ondemand@splunk.com if you would like assistance.
In addition, these resources might help you understand and implement this guidance:
- Use Case Explorer: Risk-based alerting
- Use case: Monitoring consumer bank accounts to maintain compliance
- Use case: Detecting credit card fraud
- Use case: Detecting wire transfer fraud
- Use case: Investigating interesting behavior patterns with risk-based alerting
- Use case: Monitoring new logins to financial applications
- Use case: Using modern methods of detecting financial crime
- Use case: Detecting multiple account login denials followed by authorization