Lookups in Splunk App for Fraud Analytics
The Splunk App for Fraud Analytics includes various lookups used by some of the data models.
Fraud account data model lookup
The zipcode_geo lookup is used by the fraud_account data model to create latitude and longitude coordinates for zip codes. For more information on the zipcode_geo lookup, see Zip code geo CSV lookup.
Fraud unemployment insurance data model lookups
When looking at fraud detection in unemployment insurance, use the following examples to build a lookup file for the fraud_ui data model that aggregates statistical information on social security numbers and bank accounts over a period of time. Both searches write their results to the risky_ssns.csv lookup: the first creates it, and the second appends to it.
Extracting location deception risk metadata
| from datamodel:fraud_ui
| search data_source IN (UI_SYS_ACCESS, CERTS)
| sort 0 + _time
| streamstats time_window=1h dc(IP_Country) as countries, dc(data_source) as sources by SSN
| where countries>1 AND sources>1
| dedup SSN
| lookup email_norm_info email_norm
| eval risk="Location Deception"
| table SSN risk email_norm emails_num
| outputlookup risky_ssns.csv
Extracting impersonation risk metadata
| inputlookup fraud_ui_claimant
| lookup fraud_ui_email SSN
| eval email_norm = coalesce(lower(replace(mvindex(split(EMAIL_ADDRESS, "@"),0), "(\.|\+[^@]*)", "") . "@" . mvindex(split(EMAIL_ADDRESS, "@"),1)), "---")
| where email_norm!="---"
| eval EMAIL_ADDRESS_lower=lower(EMAIL_ADDRESS)
| eventstats dc(EMAIL_ADDRESS_lower) as emails_num BY email_norm
| where emails_num>1
| eval risk="Impersonation"
| table SSN risk email_norm emails_num
| inputlookup append=true risky_ssns.csv
| outputlookup risky_ssns.csv
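To make the logic of the two searches above concrete outside Splunk, here is an added Python re-implementation of both risk extractions. It is example code written for this page, not part of the Splunk App for Fraud Analytics. It assumes the field names the searches use (_time, SSN, IP_Country, data_source, EMAIL_ADDRESS, email_norm), treats the email_norm_info lookup as a dict keyed by normalized email, and mimics streamstats time_window=1h as a trailing one-hour window per SSN with an inclusive boundary. All records are constructed sample data.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)  # same span as streamstats time_window=1h
# Same pattern as the SPL replace(): drop dots and any "+tag" from the local part.
_LOCAL_NOISE = re.compile(r"(\.|\+[^@]*)")


def normalize_email(address):
    """Mirror the SPL eval for email_norm: strip dots and '+tag' from the local
    part, re-attach the domain, lower-case; '---' when the address is unusable."""
    if not address or "@" not in address:
        return "---"
    local, domain = address.split("@", 1)  # assumption: split at the first '@'
    return (_LOCAL_NOISE.sub("", local) + "@" + domain).lower()


def impersonation_risks(claimants):
    """Rows for claimants whose normalized email is shared by more than one
    distinct raw address (the eventstats dc(...) BY email_norm / emails_num>1 step)."""
    raw_by_norm = defaultdict(set)
    for c in claimants:
        norm = normalize_email(c.get("EMAIL_ADDRESS"))
        if norm != "---":
            raw_by_norm[norm].add(c["EMAIL_ADDRESS"].lower())
    rows = []
    for c in claimants:
        norm = normalize_email(c.get("EMAIL_ADDRESS"))
        if norm != "---" and len(raw_by_norm[norm]) > 1:
            rows.append({"SSN": c["SSN"], "risk": "Impersonation",
                         "email_norm": norm, "emails_num": len(raw_by_norm[norm])})
    return rows


def location_deception_risks(events, email_info):
    """Trailing 1h window per SSN: flag the first event where the window holds
    more than one IP_Country and more than one data_source (then dedup SSN)."""
    events = sorted(events, key=lambda e: e["_time"])  # sort 0 +_time
    per_ssn = defaultdict(deque)
    flagged = {}
    for e in events:
        if e["data_source"] not in ("UI_SYS_ACCESS", "CERTS"):
            continue
        q = per_ssn[e["SSN"]]
        q.append(e)
        while q and e["_time"] - q[0]["_time"] > WINDOW:  # assumption: inclusive boundary
            q.popleft()
        countries = {x["IP_Country"] for x in q}
        sources = {x["data_source"] for x in q}
        if len(countries) > 1 and len(sources) > 1 and e["SSN"] not in flagged:
            info = email_info.get(e.get("email_norm"), {})  # stands in for lookup email_norm_info
            flagged[e["SSN"]] = {"SSN": e["SSN"], "risk": "Location Deception",
                                 "email_norm": e.get("email_norm"),
                                 "emails_num": info.get("emails_num")}
    return list(flagged.values())


def build_risky_ssns(events, email_info, claimants):
    """Combined result, like outputlookup followed by inputlookup append=true."""
    return location_deception_risks(events, email_info) + impersonation_risks(claimants)


# Constructed sample data (no real SSNs, addresses or access records).
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_EVENTS = [
    {"_time": T0, "SSN": "SSN-A", "IP_Country": "US", "data_source": "UI_SYS_ACCESS", "email_norm": "jdoe@example.com"},
    {"_time": T0 + timedelta(minutes=20), "SSN": "SSN-A", "IP_Country": "NG", "data_source": "CERTS", "email_norm": "jdoe@example.com"},
    {"_time": T0, "SSN": "SSN-B", "IP_Country": "US", "data_source": "UI_SYS_ACCESS", "email_norm": "asmith@example.com"},
    {"_time": T0 + timedelta(hours=3), "SSN": "SSN-B", "IP_Country": "CA", "data_source": "CERTS", "email_norm": "asmith@example.com"},  # outside 1h
    {"_time": T0 + timedelta(minutes=5), "SSN": "SSN-C", "IP_Country": "US", "data_source": "UI_SYS_ACCESS"},
    {"_time": T0 + timedelta(minutes=10), "SSN": "SSN-C", "IP_Country": "GB", "data_source": "UI_SYS_ACCESS"},  # one source only
]
SAMPLE_EMAIL_INFO = {"jdoe@example.com": {"emails_num": 3}}
SAMPLE_CLAIMANTS = [
    {"SSN": "SSN-1", "EMAIL_ADDRESS": "J.Doe+claim1@example.com"},
    {"SSN": "SSN-2", "EMAIL_ADDRESS": "jdoe+claim2@Example.com"},
    {"SSN": "SSN-3", "EMAIL_ADDRESS": "jdoe@example.com"},
    {"SSN": "SSN-4", "EMAIL_ADDRESS": "a.smith@example.com"},
    {"SSN": "SSN-5", "EMAIL_ADDRESS": "not-an-email"},
]

if __name__ == "__main__":
    for row in build_risky_ssns(SAMPLE_EVENTS, SAMPLE_EMAIL_INFO, SAMPLE_CLAIMANTS):
        print(row)
```

On the sample data, only SSN-A is flagged for location deception: SSN-B's second access falls outside the one-hour window and SSN-C's two countries come from a single data source. For impersonation, three claimants collapse to jdoe@example.com once dots and plus-tags are removed, so each gets emails_num=3, while the single a.smith address and the unparseable value are left out.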