I sometimes get asked if Splunk can detect fraud. The answer is yes, but the question is broad and needs an understanding of the situation that needs to be detected before making a generalization. Fraud here means using deceptive techniques for gains, which for the most part may be illegal. The two textbook ways to detect fraud usually involve pattern matching or statistical anomalies (or a combination of each).

Let me describe a real-life fraud detector. A few years ago, I used to work for an enterprise software company that used Mantas (which has since been acquired by Oracle) as a partner to detect money laundering activity. The software would load financial systems data into a database and run algorithms that they called "scenarios" to see if money laundering or other nefarious acts were committed. Since money laundering happens over a period of time and the data involved was already in some database schema, this worked well. However, in today's Big Data world, the data is often in no particular structure and the urgency to analyze it is when events happen rather than wait for an extract, load, and translate process.

To generalize the Mantas example, I'd propose that Splunk can be used for fraud detection if it has access to the data that may suggest fraud and a subject matter expert has identified a pattern or statistical anomaly that can help detect it. To illustrate this point at first, I'll provide some examples using financial services. For each use case, I'll try to provide a Splunk pseudo-search that can match the situation, which can be the beginning to designing an alert for the activity. I'll spare the details of the data involved, as any arbitrary timestamped event could be used.

Let's start with what I call fraud detected because of distance. Fellow Splunker Ed Jividen described a use case where a large amount of money is being transferred between two country regions where the destination is hardly populated. This would be suspicious, as large wire transfers usually do not go to the middle of nowhere.

sourcetype=wire_transfer | lookup list_of_banned_regions dest_city_country OUTPUT is_suspicious | where amount>1000000 AND is_suspicious="yes"

com.splunk
Class DataModelTransaction

public class DataModelTransaction extends DataModelObject

Represents a datamodel object that inherits directly from BaseTransaction, that is, an object that wraps a Splunk transaction. Objects inheriting from it will appear as standard DataModelObject instances.

maxSpan is the maximum amount of time (in a Splunk defined format, such as "1m" for one minute or "20s" for twenty seconds) that a single transaction can span. maxPause is the maximum amount of time between two events in a transaction, specified as a string such as "1m" for one minute or "20s" for twenty seconds.

Method Summary

public getGroupByFields()
Contiguous events with identical values of the fields named in this collection are grouped into a single transaction.
Returns: the fields that will be used to group events into transactions.

public getObjectsToGroup()
Returns: the names of the data model objects that should be unioned and split into transactions.

public getMaxSpan()
maxSpan is the maximum amount of time (in a Splunk defined format, such as "1m" for one minute or "20s" for twenty seconds) that a single transaction can span. When a transaction reaches this size, it is automatically ended and a new transaction begun.
Returns: the maximum time that a transaction can span.

public getMaxPause()
maxPause is the maximum amount of time between two events in a transaction, specified as a string such as "1m" for one minute or "20s" for twenty seconds. When an event has a gap of at least maxPause since its last event, the transaction is ended and a new transaction begun.
Returns: the maximum pause between events in a transaction.

Methods inherited from class com.splunk.DataModelObject
containsField, createLocalAccelerationJob, createLocalAccelerationJob, createPivotSpecification, getAutoExtractedFields, getCalculation, getCalculations, getConstraints, getDataModel, getDisplayName, getField, getFields, getLineage, getName, getParent, getParentName, getQuery, runQuery, runQuery, runQuery, runQuery

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
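As an added illustration (not code from the post or from the Splunk SDK), the following Python models the two ideas above outside Splunk: the pseudo-search's lookup-then-filter rule for large transfers to banned regions, and the transaction-splitting semantics that DataModelTransaction describes (group-by fields, maxSpan, maxPause). The wire_transfer events, the account field and the banned-region set are constructed sample data; processing events in ascending time order is an assumption of this model.

```python
# Constructed wire_transfer events (the post's sourcetype); _time is epoch seconds.
EVENTS = [
    {"_time": 0,   "account": "A1", "amount": 400_000,   "dest_city_country": "US"},
    {"_time": 30,  "account": "A1", "amount": 1_500_000, "dest_city_country": "XX"},
    {"_time": 200, "account": "A1", "amount": 50_000,    "dest_city_country": "US"},
    {"_time": 10,  "account": "B7", "amount": 2_000_000, "dest_city_country": "US"},
]
BANNED_REGIONS = {"XX"}  # constructed stand-in for the list_of_banned_regions lookup


def suspicious_transfers(events, banned=BANNED_REGIONS, threshold=1_000_000):
    """The post's pseudo-search: lookup is_suspicious by destination, then keep
    events with amount>threshold AND is_suspicious="yes"."""
    out = []
    for ev in events:
        ev = dict(ev, is_suspicious="yes" if ev["dest_city_country"] in banned else "no")
        if ev["amount"] > threshold and ev["is_suspicious"] == "yes":
            out.append(ev)
    return out


def parse_span(spec):
    """Parse a Splunk-style duration such as "1m" or "20s" into seconds (s/m/h/d only)."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400}
    if not spec or spec[-1] not in units or not spec[:-1].isdigit():
        raise ValueError(f"unsupported duration: {spec!r}")
    return int(spec[:-1]) * units[spec[-1]]


def split_transactions(events, group_by_fields, max_span, max_pause):
    """Group events as DataModelTransaction describes: contiguous events with
    identical group-by field values share a transaction; a gap of at least
    max_pause since the last event, or a span that would exceed max_span,
    ends it and begins a new one. Events are processed in ascending time order."""
    span_s, pause_s = parse_span(max_span), parse_span(max_pause)
    open_txns, closed = {}, []
    for ev in sorted(events, key=lambda e: e["_time"]):
        key = tuple(ev[f] for f in group_by_fields)
        txn = open_txns.get(key)
        if txn is not None:
            gap = ev["_time"] - txn[-1]["_time"]
            span = ev["_time"] - txn[0]["_time"]
            if gap >= pause_s or span > span_s:
                closed.append(txn)
                txn = None
        if txn is None:
            txn = open_txns[key] = []
        txn.append(ev)
    closed.extend(open_txns.values())
    return sorted(closed, key=lambda t: t[0]["_time"])
```

Running `suspicious_transfers(EVENTS)` keeps only the 1,500,000 transfer to the banned region, and `split_transactions(EVENTS, ["account"], "1m", "2m")` yields three transactions: the first two A1 events together, the B7 event alone, and the later A1 event split off by the pause.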