|eval current_balance=tostring(round(current_balance, 2),"commas"), other_balance=tostring(round(other_balance, 2),"commas") |rename accountID AS current_accountID action AS current_action account_type AS current_account_type |where epoch>relative_time(prev_epoch, "+6mon")
|eval prev_epoch=strptime(last_touched, "%m/%d/%Y %H:%M:%S") Index=transacations sourcetype=account_opening This is not necessarily bad behavior, but it adds to the risk score of the customer. We are calling the Last Touched field as the first time they opened an account and then seeing which customers have taken at least 6 months to perform any action at the bank. Here is some SPL on first time seeing a customer after they’ve opened up an account. Let’s get into how Search Processing Language (SPL) can be used to implement this. Could this be an example of an account takeover or a holding position to further launder money? In either case, the first time seen is an important part of KYC. So, the first time seen for a transaction is 18 months after opening and it appears as if the customer decided to defund the account. This may give context, if they were rejected for KYC regulation reasons the first time they applied.Īnother example is the first time a customer performed a withdrawal action against the account, where the account was dormant after opening and almost all the money was withdrawn after 18 months. For instance, if a prospective customer is applying to create a new account, it is worth checking if they have applied before and the date of the first time they applied. the first time they performed a transaction against the accountĮach one of these are noteworthy events when taken into context.the first time they logged into an account.the first time the user tried to open an account.
For example, you can adjust thresholds to help discover new anomalies as new indicators of identity theft and synthetic identities arise.įirst time seen for an activity and outlier detection are two excellent data points to monitor. Check if the client or other household members have tried to open up accounts recently with the same FSI.Monitor client IPs of the applicant to see if they are within the vicinity of their home address (assuming they are not on a foreign VPN).If the synthetic identity checker goes through web server logs, regardless of channel, use the Splunk platform to:.Use Splunk Infrastructure Monitoring and Splunk APM to make sure the infrastructure and transactions for the synthetic accounts run without issues.
#FILE HASH CALCULATOR WINDOWS SPLUNK SUPPORT SOFTWARE#
The first step in knowing your customer is to check for synthetic identities or accounts to track for or possible money laundering, terrorist funding and whatever else a bad actor might try to accomplish. After collecting Personal Identifiable Information (PII) on your customers and implementing a synthetic identity checker, either off-the-shelf or custom-built, you can use Splunk software to do any of the following:
0 kommentar(er)
