I am getting CC issuer names (Visa, Mastercard, Discover etc.) and also numbers and wondering if this is actual data or is the Splunk Enterprise app making this up by some combinations in the PII correlation search. Can someone help me with this?
You will need to check the raw data that the PII correlation search is triggering on to see if the data is actually credit card data. If it isn't, you can either:
This correlation search was intended to run against data that you know could have credit card data (such as that in a particular index or a particular sourcetype). It usually isn't recommended to run it against all of your data.
Checking the raw events does not show these numbers; it's weird. How is Splunk making up all these hundreds of credit card numbers from the raw data?
There is a lookup in ES that contains the first 4 digits of a CC and the issuer name to identify CC numbers. It's hard to say what is happening without knowing more about what you're seeing, and without knowing whether or not the search was modified.
Following is an example of an event we are getting from our DC (which has a Splunk forwarder on it and is configured to read WinEvent > Security logs), and ES shows a credit/debit card number in the event:
08/05/2018 05:28:40 -0400, search_name="Audit - Personally Identifiable Information Detection - Rule", search_now=0.000, info_min_time=1533461040.000, info_max_time=1533461640.000, info_search_time=1533133791.725, orig_host="xx-xxdc01", iin_issuer="Diners Club Carte Blanche", orig_event_id="CBC12CAE-22A2-419F-93DB-BCC3CD1C57BF@@wineventlog@@7c0af42e1bc2ec59f7cecb1d07ea963d", orig_raw="08/05/2018 05:28:40 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=xxxx.corp.xxxx.com
TaskCategory=Logon
OpCode=Info
RecordNumber=63149956493
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-73361282-1014109674-949316387-76757
Account Name: xxxxxxxx
Account Domain: CORPORATE
Logon ID: 0x4D527BB3
Logon GUID: {5EBFB8A3-0187-8553-4803-2BCE019E11DD}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.xxxxx
Source Port: 50701
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
", orig_time=1533461320, pii="3-0187-8553-4803-2", pii_hash=6bad3a856887xxxxxxxxxxx, risk_object="xx1-xxc01", risk_object_type=system, risk_score=80
Thanks. Yes, we are running it against the whole data (which I will change), but the data is coming from the expected source, i.e. our Oracle servers, which have some payment info files (but the Oracle team suggests they encrypt the file before sending it to the bank).
They are Red Hat and we are taking everything from the /var/log folder.