Getting hundreds of credit card numbers from Splun...

hrithiktej · ‎08-02-2018

I am getting CC issuer names (Visa, master, discover etc.) and also numbers and wondering if this is actual data or is the splunk enterprise app making this up by some combinations in the PII correlation search. Can some one help me on this

LukeMurphey · ‎08-02-2018

You will need to check the raw data that the PII correlation search is triggering on to see if the data is actually credit card data. If it isn't, you can either:

Modify the search to exclude the given data (such as restricting the search to particular indexes or sourcetypes)
Disable the correlation search

This correlation search was intended to run against data that you know could have credit card data (such as that in a particular index or a particular sourcetype). It usually isn't recommended to run it against all of your data.

hrithiktej · ‎08-02-2018

Checking the raw events does not show up these numbers, its weird, how is Splunk making up all these hundreds of credit numbers from the raw data?

smoir_splunk · ‎08-02-2018

there is a lookup in ES that contains the first 4 digits of a CC and the issuer name to identify CC numbers. it's hard to say what is happening without knowing more about what you're seeing, and without knowing more about whether or not the search was modified.

hrithiktej · ‎08-06-2018

Following is an example of an event we are getting from our DC (which has a splunk forwarder on it and is configured to read winevent>security logs) and ES shows credit/debit card number in event

08/05/2018 05:28:40 -0400, search_name="Audit - Personally Identifiable Information Detection - Rule", search_now=0.000, info_min_time=1533461040.000, info_max_time=1533461640.000, info_search_time=1533133791.725, orig_host="xx-xxdc01", iin_issuer="Diners Club Carte Blanche", orig_event_id="CBC12CAE-22A2-419F-93DB-BCC3CD1C57BF@@wineventlog@@7c0af42e1bc2ec59f7cecb1d07ea963d", orig_raw="08/05/2018 05:28:40 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=xxxx.corp.xxxx.com
TaskCategory=Logon
OpCode=Info
RecordNumber=63149956493
Keywords=Audit Success
Message=An account was successfully logged on.

Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 3

Impersonation Level: Impersonation

New Logon:
Security ID: S-1-5-21-73361282-1014109674-949316387-76757
Account Name: xxxxxxxx
Account Domain: CORPORATE
Logon ID: 0x4D527BB3
Logon GUID: {5EBFB8A3-0187-8553-4803-2BCE019E11DD}

Process Information:
Process ID: 0x0
Process Name: -

Network Information:
Workstation Name: -
Source Network Address: 10.xxxxx
Source Port: 50701

Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

", orig_time=1533461320, pii="3-0187-8553-4803-2", pii_hash=6bad3a856887xxxxxxxxxxx, risk_object="xx1-xxc01", risk_object_type=system, risk_score=80

hrithiktej · ‎08-02-2018

Thanks. Yes we are running it against the whole data (which i will change) but the data is coming from the expected source i.e. our Oracle servers which have some payment info files (but Oracle team suggests they encrypt the file before sending it to bank).

They are red-hat and we are taking everything from /var/log folder.

Getting hundreds of credit card numbers from Splunk PII corelation search in enterprise security, wondering if this is false positive or do we actually collect these CC numbers inadvertently

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!