Splunk Enterprise Security

Getting hundreds of credit card numbers from Splunk PII correlation search in Enterprise Security, wondering if this is a false positive or if we actually collect these CC numbers inadvertently


I am getting CC issuer names (Visa, Mastercard, Discover, etc.) and also numbers, and wondering if this is actual data or if the Splunk Enterprise app is making this up by some combinations in the PII correlation search. Can someone help me with this?



You will need to check the raw data that the PII correlation search is triggering on to see if the data is actually credit card data. If it isn't, you can either:

  1. Modify the search to exclude the given data (such as restricting the search to particular indexes or sourcetypes)
  2. Disable the correlation search

This correlation search was intended to run against data that you know could have credit card data (such as that in a particular index or a particular sourcetype). It usually isn't recommended to run it against all of your data.


Checking the raw events does not show these numbers; it's weird. How is Splunk making up all these hundreds of credit card numbers from the raw data?


Splunk Employee

There is a lookup in ES that contains the first 4 digits of a CC and the issuer name to identify CC numbers. It's hard to say what is happening without knowing more about what you're seeing, and without knowing whether or not the search was modified.



Following is an example of an event we are getting from our DC (which has a Splunk forwarder on it and is configured to read WinEvent > Security logs), and ES shows a credit/debit card number in the event:

08/05/2018 05:28:40 -0400, search_name="Audit - Personally Identifiable Information Detection - Rule", search_now=0.000, info_min_time=1533461040.000, info_max_time=1533461640.000, info_search_time=1533133791.725, orig_host="xx-xxdc01", iin_issuer="Diners Club Carte Blanche", orig_event_id="CBC12CAE-22A2-419F-93DB-BCC3CD1C57BF@@wineventlog@@7c0af42e1bc2ec59f7cecb1d07ea963d", orig_raw="08/05/2018 05:28:40 AM
SourceName=Microsoft Windows security auditing.
Keywords=Audit Success
Message=An account was successfully logged on.

Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 3

Impersonation Level: Impersonation

New Logon:
Security ID: S-1-5-21-73361282-1014109674-949316387-76757
Account Name: xxxxxxxx
Account Domain: CORPORATE
Logon ID: 0x4D527BB3
Logon GUID: {5EBFB8A3-0187-8553-4803-2BCE019E11DD}

Process Information:
Process ID: 0x0
Process Name: -

Network Information:
Workstation Name: -
Source Network Address: 10.xxxxx
Source Port: 50701

Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

", orig_time=1533461320, pii="3-0187-8553-4803-2", pii_hash=6bad3a856887xxxxxxxxxxx, risk_object="xx1-xxc01", risk_object_type=system, risk_score=80

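The mechanism behind the event above, as an added example that is not from the thread or from Splunk ES itself: a PAN-shaped digit run (here "3-0187-8553-4803-2", carved out of the Logon GUID) is looked up by its first four digits against an issuer table, and "3018" lands on Diners Club Carte Blanche. The regexes and the one-row issuer table are stand-ins for the ES search and lookup, the Windows lines are taken from the quoted event, and the "Oracle" export line is constructed to show what a genuine hit looks like next to the false positive.

```python
import re

# Generic PAN-shaped pattern (13-19 digits, single space/dash separators allowed,
# not adjacent to other digits). A stand-in, not the regex ES itself uses.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# RFC 4122 / Windows GUID token, e.g. 5EBFB8A3-0187-8553-4803-2BCE019E11DD
GUID_RE = re.compile(r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}")
# Constructed stand-in for the ES IIN lookup (first four digits -> issuer name).
IIN_LOOKUP = {"3018": "Diners Club Carte Blanche"}

# Lines taken from the Windows security event quoted in the thread.
WIN_EVENT = (
    "Security ID: S-1-5-21-73361282-1014109674-949316387-76757\n"
    "Logon GUID: {5EBFB8A3-0187-8553-4803-2BCE019E11DD}\n"
)
# Constructed log line with a made-up, Luhn-valid 14-digit number on the same IIN.
ORACLE_LINE = "2018-08-05 05:28:40 export batch=17 card=3018-0000-0000-04 amount=12.50\n"


def luhn_ok(digits):
    """Standard Luhn checksum over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_event(raw):
    """Return every PAN-shaped candidate with the checks a triage step would apply."""
    guid_spans = [m.span() for m in GUID_RE.finditer(raw)]
    results = []
    for m in PAN_RE.finditer(raw):
        digits = re.sub(r"[ -]", "", m.group())
        results.append({
            "match": m.group(),
            "issuer": IIN_LOOKUP.get(digits[:4]),
            "luhn": luhn_ok(digits),
            # Candidate lies entirely inside a GUID token: treat as a false positive.
            "inside_guid": any(s <= m.start() and m.end() <= e for s, e in guid_spans),
        })
    return results


def true_positives(raw):
    # Keep only candidates with a known issuer, a valid checksum, and no GUID context.
    return [r for r in scan_event(raw) if r["issuer"] and r["luhn"] and not r["inside_guid"]]


if __name__ == "__main__":
    for label, text in (("windows event", WIN_EVENT), ("oracle export", ORACLE_LINE)):
        print(label, scan_event(text), "->", true_positives(text))
```

Note that the GUID fragment happens to pass the Luhn check, so a checksum alone would not have filtered it; it is the surrounding GUID token that marks it as a false positive, which is the kind of context an index or sourcetype restriction on the correlation search provides.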


Thanks. Yes, we are running it against the whole data (which I will change), but the data is coming from the expected source, i.e. our Oracle servers, which have some payment info files (but the Oracle team suggests they encrypt the file before sending it to the bank).

They are Red Hat and we are taking everything from the /var/log folder.
