https://community.splunk.com/t5/Splunk-Search/PAN-data-in-indexes-How-to-tackle-them-to-avoid-non-compliance/m-p/261171#M189689 <P>see this<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/6.4.1/Data/Anonymizedata">http://docs.splunk.com/Documentation/Splunk/6.4.1/Data/Anonymizedata</A><BR /> Bye.<BR /> Giuseppe</P> Fri, 15 Jul 2016 14:23:29 GMT gcusello 2016-07-15T14:23:29Z https://community.splunk.com/t5/Splunk-Search/PAN-data-in-indexes-How-to-tackle-them-to-avoid-non-compliance/m-p/261170#M189688 <P>We have Splunk system collecting data from various sources (network, OS, application logs etc).<BR /> Unfortunately, some of these systems send PAN related data with unmasked credit card details, but we dont know where.<BR /> Is there a way to tackle these? We need to track they are sending PAN related data, but don't want to store that data (or store in hashed format).</P> <P>My only thought is<BR /> - create an index pci_secure_index with permission only to restricted users<BR /> - Index all data normally. But run scheduled search to detect PAN information. Collect these data and summary index to "pci_secure_index"<BR /> - Delete (delete) from the original index </P> <P>Is there a better approach? </P> <P>(PS: We tried the anonymise data approach to search for cc pattern in first 5000 characters, but the system almost went down to knees)</P> Tue, 29 Sep 2020 10:14:42 GMT https://community.splunk.com/t5/Splunk-Search/PAN-data-in-indexes-How-to-tackle-them-to-avoid-non-compliance/m-p/261170#M189688 koshyk 2020-09-29T10:14:42Z https://community.splunk.com/t5/Splunk-Search/PAN-data-in-indexes-How-to-tackle-them-to-avoid-non-compliance/m-p/261171#M189689 <P>see this<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/6.4.1/Data/Anonymizedata">http://docs.splunk.com/Documentation/Splunk/6.4.1/Data/Anonymizedata</A><BR /> Bye.<BR /> Giuseppe</P> Fri, 15 Jul 2016 14:23:29 GMT https://community.splunk.com/t5/Splunk-Search/PAN-data-in-indexes-How-to-tackle-them-to-avoid-non-compliance/m-p/261171#M189689 gcusello 2016-07-15T14:23:29Z https://community.splunk.com/t5/Splunk-Search/PAN-data-in-indexes-How-to-tackle-them-to-avoid-non-compliance/m-p/261172#M189690 <P>We tried the anonymise data approach to search for cc pattern in first 5000 characters, but the system almost went down to knees. The above link is good, if we are 100% sure or field where the PAN is coming. But incoming terrabytes of data with whole event scan is performance killer.</P> Fri, 15 Jul 2016 14:43:13 GMT https://community.splunk.com/t5/Splunk-Search/PAN-data-in-indexes-How-to-tackle-them-to-avoid-non-compliance/m-p/261172#M189690 koshyk 2016-07-15T14:43:13Z https://community.splunk.com/t5/Splunk-Search/PAN-data-in-indexes-How-to-tackle-them-to-avoid-non-compliance/m-p/261173#M189691 <P>If that's the case, deploy more indexers. I don't see any other ways.</P> Fri, 15 Jul 2016 21:09:16 GMT https://community.splunk.com/t5/Splunk-Search/PAN-data-in-indexes-How-to-tackle-them-to-avoid-non-compliance/m-p/261173#M189691 woodcock 2016-07-15T21:09:16Z https://community.splunk.com/t5/Splunk-Search/PAN-data-in-indexes-How-to-tackle-them-to-avoid-non-compliance/m-p/261174#M189692 <P>If you don't need real time, you could pre parse data with a script, and after index them in Splunk.<BR /> We did this for a customer that wanted to encrypt one field without lost it.<BR /> Bye.<BR /> Giuseppe </P> Sat, 16 Jul 2016 06:05:43 GMT https://community.splunk.com/t5/Splunk-Search/PAN-data-in-indexes-How-to-tackle-them-to-avoid-non-compliance/m-p/261174#M189692 gcusello 2016-07-16T06:05:43Z