How long does a fraud investigation take

Real-time fraud detection

This example scenario is relevant for organizations that need to analyze data in real time to detect fraudulent transactions or other anomalous activity.

One area of application is the detection of fraudulent credit card activity or fraudulent cell phone calls. Traditional online analytical systems can take hours to transform and analyze the data before anomalous activity is identified.

With fully managed Azure services such as Event Hubs and Stream Analytics, companies avoid managing individual servers, reduce costs, and benefit from Microsoft's experience with cloud-scale data ingestion and real-time analytics. This scenario is specifically about detecting fraudulent activity. For other data analytics needs, see the list of available Azure Analytics services.

This example is part of a larger computing architecture and strategy. Additional options for this aspect of an overall architecture are discussed later in this article.

Relevant use cases

Other relevant use cases include:

  • Detect fraudulent cell phone calls in telecommunications scenarios
  • Identify fraudulent credit card transactions for banks
  • Identify fraudulent purchases in retail or e-commerce scenarios

Architecture

This scenario involves the back-end components of a pipeline for real-time analytics. The data runs through the scenario as follows:

  1. Cell phone call metadata is sent from the source system to an Azure Event Hubs instance.
  2. A Stream Analytics job starts and receives data from the Event Hub source.
  3. The Stream Analytics job runs a predefined query to transform the input stream and analyze it with a fraud-detection algorithm. The query uses a tumbling window to segment the stream into distinct, non-overlapping time units.
  4. The Stream Analytics job writes the transformed data stream representing detected fraudulent calls to an output sink in Azure Blob Storage.
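The following is an added example, not code from the page or from Azure: it reproduces steps 2 to 4 offline in plain Python so the tumbling-window behaviour can be inspected before it is written as a Stream Analytics query. The call records are constructed, the field names (CallRecTime, CallingIMSI, SwitchNum) are assumed, and the fraud heuristic (one IMSI seen on two different switches inside one window, suggesting a cloned SIM) is an assumption for illustration; the page does not specify the algorithm.

```python
"""Tumbling-window detection over call metadata (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample call records; the field names are assumptions, not the page's schema.
# Two calls from the same IMSI on different switches within seconds suggest a cloned SIM.
SAMPLE_CALLS = [
    {"CallRecTime": "2024-01-01T00:00:01Z", "CallingIMSI": "466920403025604", "SwitchNum": "China"},
    {"CallRecTime": "2024-01-01T00:00:02Z", "CallingIMSI": "466920403025604", "SwitchNum": "Germany"},
    {"CallRecTime": "2024-01-01T00:00:03Z", "CallingIMSI": "262021390056324", "SwitchNum": "UK"},
    {"CallRecTime": "2024-01-01T00:00:09Z", "CallingIMSI": "262021390056324", "SwitchNum": "Australia"},
    {"CallRecTime": "2024-01-01T00:00:11Z", "CallingIMSI": "262021390056324", "SwitchNum": "Australia"},
]


def parse_time(value):
    """Parse the ISO-8601 UTC timestamp used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def window_start(ts, width_seconds):
    """Align a timestamp to the start of its fixed, non-overlapping (tumbling) window."""
    epoch = int(ts.timestamp())
    return datetime.fromtimestamp(epoch - epoch % width_seconds, tz=timezone.utc)


def detect_sim_cloning(records, width_seconds=5):
    """Return one alert per (window, IMSI) that was seen on more than one switch.

    This is the grouping a Stream Analytics query expresses with
    GROUP BY CallingIMSI, TumblingWindow(second, 5); here it is done in plain
    Python so the behaviour can be checked offline.
    """
    switches_seen = defaultdict(set)
    for rec in records:
        key = (window_start(parse_time(rec["CallRecTime"]), width_seconds), rec["CallingIMSI"])
        switches_seen[key].add(rec["SwitchNum"])

    alerts = []
    for (start, imsi), switches in sorted(switches_seen.items()):
        if len(switches) > 1:
            alerts.append({
                # Only the window, the IMSI and the switches go to the sink, not the raw records.
                "WindowEnd": (start + timedelta(seconds=width_seconds)).isoformat(),
                "CallingIMSI": imsi,
                "Switches": sorted(switches),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_sim_cloning(SAMPLE_CALLS):
        print(alert)
```

With the constructed data and a 5-second window, only the first IMSI is flagged: its two calls fall into the window ending at 00:00:05, while the second IMSI's UK and Australia calls land in different windows. That is the caveat of a tumbling window: a pair that straddles a window boundary (calls at 4 s and 6 s, say) is never compared. If such pairs matter, use a hopping or sliding window in Stream Analytics, or a self-join on CallingIMSI with a DATEDIFF bound, at the cost of more state per streaming unit.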


Components

  • Azure Event Hubs is a real-time streaming platform and event ingestion service that can receive and process millions of events per second. Event Hubs can process and store events, data, or telemetry produced by distributed software and devices. In this scenario, Event Hubs receives all call metadata to be analyzed for fraudulent activity.
  • Azure Stream Analytics is an event-processing engine that can analyze high volumes of data streamed from devices and other sources. It also supports extracting information from data streams to identify patterns and relationships, which can trigger further downstream actions. In this scenario, Stream Analytics transforms the input stream from Event Hubs to identify fraudulent calls.
  • Azure Blob Storage stores the results of the Stream Analytics job in this scenario.

Alternatives

Numerous technology options are available for real-time message ingestion, data storage, stream processing, storage of analytical data, and analytics and reporting. For an overview of these options, their features, and key selection criteria, see Big Data Architectures: Real-Time Processing in the Azure Data Architecture Guide.

Various machine learning services in Azure can also generate more complex algorithms for fraud detection. For an overview of these options, see Choosing a machine learning technology in Azure in the Azure data architecture guide.

Considerations

Availability

Azure Monitor provides unified user interfaces for comprehensive monitoring across Azure services. For more information, see Monitoring Azure applications and resources. Event Hubs and Stream Analytics are both integrated with Azure Monitor.

Scalability

The components of this scenario are designed for hyperscale ingestion and massively parallel real-time analytics. Azure Event Hubs is highly scalable and can ingest and process millions of events per second with low latency; its Auto-inflate feature can scale up the number of throughput units as needed. Azure Stream Analytics can analyze high volumes of streaming data from many sources; you scale a job up by increasing the number of streaming units allocated to it.

For general information on developing scalable solutions, see the performance efficiency checklist in the Azure Architecture Center.

Security

Azure Event Hubs protects data with an authentication and authorization model based on shared access signature (SAS) tokens combined with event publishers. An event publisher defines a virtual endpoint for an event hub; a publisher can only be used to send messages to the event hub, never to receive them. In practice, mint a separate, short-lived SAS token per publisher from a policy that carries only the Send claim, so that a token leaked from one call source cannot be replayed against another publisher's endpoint or used to read the stream. Event Hubs also supports Microsoft Entra ID (Azure AD) identities with role-based access control, which avoids distributing shared keys to clients that can use managed identities.
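The following is an added example, not code from the page or from the Azure SDK: it builds an Event Hubs SAS token for a publisher-scoped resource URI and then checks it the way a receiver would (expiry, audience, signature), so the scoping property described above can be verified offline. The namespace, hub, policy name and key are placeholders; the token format (HMAC-SHA256 over the URL-encoded resource URI and the expiry, joined by a newline) is the one documented for Event Hubs SAS, and the `sb://` URI scheme is an assumption.

```python
"""Event Hubs SAS tokens scoped to a publisher endpoint (added example, not Azure SDK code)."""
import base64
import hashlib
import hmac
from urllib.parse import quote, unquote

# Hypothetical names and a placeholder key; a real key comes from a namespace or
# event hub shared access policy that grants only the Send claim.
NAMESPACE = "contoso-fraud"
EVENT_HUB = "callmetadata"
KEY_NAME = "SendOnlyPolicy"
KEY = b"placeholder-key-not-a-real-secret"


def publisher_uri(namespace, hub, publisher):
    """Resource URI of a publisher endpoint: a token signed for it can only send, and only there."""
    return f"sb://{namespace}.servicebus.windows.net/{hub}/publishers/{publisher}"


def make_sas_token(resource_uri, key_name, key, expiry):
    """Build a SAS token: HMAC-SHA256 over '<url-encoded uri>\\n<expiry>' with the policy key."""
    encoded_uri = quote(resource_uri, safe="")
    string_to_sign = f"{encoded_uri}\n{expiry}".encode("utf-8")
    signature = base64.b64encode(hmac.new(key, string_to_sign, hashlib.sha256).digest())
    return (f"SharedAccessSignature sr={encoded_uri}"
            f"&sig={quote(signature, safe='')}&se={expiry}&skn={key_name}")


def parse_sas_token(token):
    """Split a token into its fields; raises ValueError on a malformed token."""
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        raise ValueError("not a SAS token")
    fields = dict(part.split("=", 1) for part in token[len(prefix):].split("&"))
    missing = {"sr", "sig", "se", "skn"} - fields.keys()
    if missing:
        raise ValueError(f"missing fields: {sorted(missing)}")
    return fields


def verify_sas_token(token, key, now, expected_uri=None):
    """Receiver-side check modelled on the service: expiry, then audience, then signature."""
    fields = parse_sas_token(token)
    if int(fields["se"]) < now:
        return False  # expired tokens are rejected before any signature work
    if expected_uri is not None and unquote(fields["sr"]) != expected_uri:
        return False  # token was minted for a different publisher (or hub)
    string_to_sign = f"{fields['sr']}\n{fields['se']}".encode("utf-8")
    expected = base64.b64encode(
        hmac.new(key, string_to_sign, hashlib.sha256).digest()).decode("ascii")
    return hmac.compare_digest(unquote(fields["sig"]), expected)


if __name__ == "__main__":
    uri = publisher_uri(NAMESPACE, EVENT_HUB, "switch-01")
    token = make_sas_token(uri, KEY_NAME, KEY, expiry=1700003600)
    print(token)
    print("valid for switch-01:", verify_sas_token(token, KEY, now=1700000000, expected_uri=uri))
    print("valid for switch-02:", verify_sas_token(
        token, KEY, now=1700000000, expected_uri=publisher_uri(NAMESPACE, EVENT_HUB, "switch-02")))
```

The audience check is the point of publisher scoping: because the resource URI is part of the signed string, a token issued to `switch-01` fails verification against `switch-02`'s endpoint even though both are signed with the same policy key. Keep `se` short (minutes, not days) for device-side tokens, and never hand the policy key itself to a client; only the service that mints tokens should hold it.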

For general information about designing secure solutions, see the Azure security documentation.

Resiliency

For general information about building robust solutions, see Designing reliable Azure applications.

Deploy the scenario

The step-by-step tutorial shows how to manually deploy the individual components of the scenario. It also includes a .NET client application that generates sample call metadata and sends it to an Event Hub instance.

Pricing

To estimate the operating costs for this scenario, all services are preconfigured in the cost calculator. To see the cost for your specific use case, change the relevant variables to match your expected data volume.

Based on the expected traffic volume, we have created three sample cost profiles:

  • Small: processing one million events per month through a single standard streaming unit.
  • Medium: processing 100 million events per month through five standard streaming units.
  • Large: processing 999 million events per month through 20 standard streaming units.

Associated resources

For more complex fraud detection scenarios, a machine learning model can be beneficial. For Machine Learning Server scenarios, see Fraud detection. Further solution templates with Machine Learning Server can be found under Solution templates for Machine Learning Server and Microsoft R Server 9.1/9.2.