-- RISK 152
-- DROP TABLE team_kingkong.tpap_risk152_breaches;
-- CREATE TABLE team_kingkong.tpap_risk152_breaches AS
-- Rule upi_p2p_multiple_senders (RISK 152).
-- Appends every transaction in tpap_base whose payee, in the 24 hours up to and
-- including that transaction, received at least 70 other transactions from at
-- least 50 distinct payers other than the current payer.
-- NOTE(review): the INSERT has no column list, so values map onto the target by
-- position; the target schema is not visible here, so confirm the order matches.
-- NOTE(review): a plain INSERT appends; re-running the same date window presumably
-- duplicates breach rows unless the table is rebuilt first. Confirm with the job owner.
INSERT INTO team_kingkong.tpap_risk152_breaches
WITH tpap_base AS (
    -- One row per successful VPA2VPA transaction that also has a non-blocked,
    -- person-to-person UPI_TRANSACTION risk evaluation and a payer on an
    -- @paytm / @pt handle. The window starts one day before 2025-01-01 so that
    -- transactions on the first day have a full 24h lookback available.
    SELECT DISTINCT
        parts.*,
        txn_info.category,
        -- risk_eval is inner-joined and filtered to 'UPI_TRANSACTION', and category
        -- is filtered to 'VPA2VPA', so the fallback branch looks unreachable here.
        COALESCE(
            risk_eval.upi_subtype,
            IF(txn_info.category = 'LITE_MANDATE', 'UPI_LITE_MANDATE', '')
        ) AS upi_subtype
    FROM (
        -- Pivot the per-participant rows into one row per transaction.
        SELECT
            txn_id,
            MAX(CASE WHEN participant_type = 'PAYER' THEN vpa END) AS payer_vpa,
            MAX(CASE WHEN participant_type = 'PAYEE' THEN vpa END) AS payee_vpa,
            MAX(DATE(created_on)) AS txn_date,
            MAX(amount) AS txn_amount,
            MAX(created_on) AS txn_time
        FROM switch.txn_participants_snapshot_v3
        WHERE DATE(dl_last_updated) BETWEEN DATE(DATE'2025-01-01' - INTERVAL '1' DAY) AND DATE'2025-01-31'
            AND DATE(created_on) BETWEEN DATE(DATE'2025-01-01' - INTERVAL '1' DAY) AND DATE'2025-01-31'
        GROUP BY txn_id
    ) AS parts
    INNER JOIN (
        -- Successful VPA-to-VPA transactions only.
        SELECT
            txn_id,
            category
        FROM switch.txn_info_snapshot_v3
        WHERE DATE(dl_last_updated) BETWEEN DATE(DATE'2025-01-01' - INTERVAL '1' DAY) AND DATE'2025-01-31'
            AND DATE(created_on) BETWEEN DATE(DATE'2025-01-01' - INTERVAL '1' DAY) AND DATE'2025-01-31'
            AND UPPER(status) = 'SUCCESS'
            AND category = 'VPA2VPA'
    ) AS txn_info
        ON parts.txn_id = txn_info.txn_id
    INNER JOIN (
        -- Risk-engine evaluations; JSON string values are unquoted with regexp_replace.
        SELECT
            txnid,
            REGEXP_REPLACE(CAST(JSON_EXTRACT(request, '$.evaluationType') AS varchar), '"', '') AS upi_subtype
        FROM tpap_hss.upi_switchv2_dwh_risk_data_snapshot_v3
        WHERE DATE(dl_last_updated) BETWEEN DATE(DATE'2025-01-01' - INTERVAL '1' DAY) AND DATE'2025-01-31'
            AND (
                LOWER(REGEXP_REPLACE(CAST(JSON_EXTRACT(request, '$.requestPayload.payerVpa') AS varchar), '"', '')) LIKE '%@paytm%'
                OR LOWER(REGEXP_REPLACE(CAST(JSON_EXTRACT(request, '$.requestPayload.payerVpa') AS varchar), '"', '')) LIKE '%@pt%'
            )
            -- NOTE(review): a response with no action_recommended yields NULL, and
            -- NULL <> 'BLOCK' is not true, so those evaluations are dropped as well.
            -- Confirm that excluding them from the rule is intended.
            AND JSON_EXTRACT_SCALAR(response, '$.action_recommended') <> 'BLOCK'
            AND REGEXP_REPLACE(CAST(JSON_EXTRACT(request, '$.requestPayload.payerType') AS varchar), '"', '') = 'PERSON'
            AND REGEXP_REPLACE(CAST(JSON_EXTRACT(request, '$.requestPayload.payeeType') AS varchar), '"', '') = 'PERSON'
            -- NOTE(review): hard-coded payer exclusions. These payers are removed from
            -- tpap_base, so they are neither flagged nor counted as prior senders.
            -- 'jio@citibank' can never pass the @paytm/@pt filter above, so that entry
            -- has no effect. Consider a reviewed reference table with an owner per entry.
            AND LOWER(REGEXP_REPLACE(CAST(JSON_EXTRACT(request, '$.requestPayload.payerVpa') AS varchar), '"', '')) NOT IN ('7068069067@ptyes', 'onpaytmgas@paytm', '7068069067@ptsbi', '7068069067@pthdfc', '7068069067@paytm', '7068069067@ptaxis', 'jio@citibank')
            AND REGEXP_REPLACE(CAST(JSON_EXTRACT(request, '$.evaluationType') AS varchar), '"', '') = 'UPI_TRANSACTION'
    ) AS risk_eval
        ON parts.txn_id = risk_eval.txnid
    -- NOTE(review): this handle match is case-sensitive, while the risk-data filter
    -- above lower-cases the payer VPA first; confirm stored VPAs are always lower case.
    WHERE ((parts.payer_vpa LIKE '%@paytm%') OR (parts.payer_vpa LIKE '%@pt%'))
        AND parts.payee_vpa LIKE '%@%'
)
SELECT
    *,
    'upi_p2p_multiple_senders' AS rule_name,
    'payer cnt & txn threshold breach' AS breach_reason
FROM (
    -- Self-join: for each transaction (txn), collect the other transactions (hist)
    -- to the same payee in the preceding 24 hours, both bounds inclusive.
    -- NOTE(review): there is no filter on txn.txn_date, so transactions from the
    -- extra lookback day (2024-12-31) are also evaluated, with only a partial
    -- lookback, and can be inserted. Confirm this does not overlap an earlier run.
    SELECT
        txn.payer_vpa,
        txn.payee_vpa,
        txn.txn_id,
        txn.txn_amount,
        txn.category,
        txn.upi_subtype,
        txn.txn_time,
        txn.txn_date,
        COUNT(hist.txn_id) AS prior_txns_last_24h,
        70 AS txn24hr_threshold,
        -- Distinct senders to this payee, not counting the current payer.
        COUNT(DISTINCT CASE WHEN txn.payer_vpa <> hist.payer_vpa THEN hist.payer_vpa END) AS prior_payers_last_24h,
        50 AS payer24hr_threshold
    FROM tpap_base AS txn
    INNER JOIN tpap_base AS hist
        ON txn.payee_vpa = hist.payee_vpa
        AND hist.txn_time BETWEEN (txn.txn_time - INTERVAL '86400' SECOND) AND txn.txn_time -- 24 hrs
        AND txn.txn_id <> hist.txn_id
    GROUP BY
        txn.payer_vpa,
        txn.payee_vpa,
        txn.txn_id,
        txn.txn_amount,
        txn.category,
        txn.upi_subtype,
        txn.txn_time,
        txn.txn_date
)
-- Both thresholds must be met for a transaction to be recorded as a breach.
WHERE (prior_txns_last_24h >= txn24hr_threshold)
    AND (prior_payers_last_24h >= payer24hr_threshold);