Splunk Enterprise Security

Getting hundreds of credit card numbers from the Splunk PII correlation search in Enterprise Security, wondering if this is a false positive or whether we actually collect these CC numbers inadvertently

hrithiktej
Communicator

I am getting CC issuer names (Visa, MasterCard, Discover, etc.) and also numbers, and I am wondering if this is actual data or if the Splunk Enterprise app is making this up through some combinations in the PII correlation search. Can someone help me with this?

0 Karma

LukeMurphey
Champion

You will need to check the raw data that the PII correlation search is triggering on to see if the data is actually credit card data. If it isn't, you can either:

  1. Modify the search to exclude the given data (such as restricting the search to particular indexes or sourcetypes)
  2. Disable the correlation search

This correlation search was intended to run against data that you know could have credit card data (such as that in a particular index or a particular sourcetype). It usually isn't recommended to run it against all of your data.

hrithiktej
Communicator

Checking the raw events does not show these numbers. It's weird; how is Splunk making up all these hundreds of credit card numbers from the raw data?

0 Karma

smoir_splunk
Splunk Employee

There is a lookup in ES that contains the first 4 digits of a CC and the issuer name to identify CC numbers. It's hard to say what is happening without knowing more about what you're seeing, and without knowing more about whether or not the search was modified.

0 Karma

hrithiktej
Communicator

Following is an example of an event we are getting from our DC (which has a Splunk forwarder on it and is configured to read WinEvent > Security logs), and ES shows a credit/debit card number in the event:

08/05/2018 05:28:40 -0400, search_name="Audit - Personally Identifiable Information Detection - Rule", search_now=0.000, info_min_time=1533461040.000, info_max_time=1533461640.000, info_search_time=1533133791.725, orig_host="xx-xxdc01", iin_issuer="Diners Club Carte Blanche", orig_event_id="CBC12CAE-22A2-419F-93DB-BCC3CD1C57BF@@wineventlog@@7c0af42e1bc2ec59f7cecb1d07ea963d", orig_raw="08/05/2018 05:28:40 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=xxxx.corp.xxxx.com
TaskCategory=Logon
OpCode=Info
RecordNumber=63149956493
Keywords=Audit Success
Message=An account was successfully logged on.

Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 3

Impersonation Level: Impersonation

New Logon:
Security ID: S-1-5-21-73361282-1014109674-949316387-76757
Account Name: xxxxxxxx
Account Domain: CORPORATE
Logon ID: 0x4D527BB3
Logon GUID: {5EBFB8A3-0187-8553-4803-2BCE019E11DD}

Process Information:
Process ID: 0x0
Process Name: -

Network Information:
Workstation Name: -
Source Network Address: 10.xxxxx
Source Port: 50701

Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

", orig_time=1533461320, pii="3-0187-8553-4803-2", pii_hash=6bad3a856887xxxxxxxxxxx, risk_object="xx1-xxc01", risk_object_type=system, risk_score=80

0 Karma
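As an added illustration (not code from this thread or from Splunk ES), the following Python mimics a PII detector over the Logon GUID line of the 4624 event above: a naive digit-run regex pulls "3-0187-8553-4803-2" out of the GUID, it happens to pass the Luhn check, and the 301 prefix maps to Diners Club Carte Blanche, exactly the notable shown. Requiring that the digit run not be glued to other hexadecimal characters rejects the GUID fragment while still catching a real-format number; the issuer table and the constructed card line are assumptions for the demo.

```python
import re

# Issuer identification: (name, regex anchored at the start of the digit string, valid lengths).
# Small illustrative subset; ES ships a fuller IIN lookup (see the reply above).
ISSUERS = [
    ("Visa", r"4", {13, 16, 19}),
    ("Mastercard", r"5[1-5]", {16}),
    ("Diners Club Carte Blanche", r"30[0-5]", {14}),
]

# Naive candidate: 13-19 digits, optionally separated by single spaces or dashes.
NAIVE = re.compile(r"\d(?:[ -]?\d){12,18}")
# Hardened: same run, but it must not be adjacent to other hexadecimal characters,
# which rejects fragments of GUIDs, hashes and similar hex tokens.
HARDENED = re.compile(r"(?<![0-9A-Fa-f])\d(?:[ -]?\d){12,18}(?![0-9A-Fa-f])")

def luhn_ok(digits):
    """Luhn mod-10 check; note the GUID fragment 30187855348032 passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def issuer_for(digits):
    for name, prefix, lengths in ISSUERS:
        if re.match(prefix, digits) and len(digits) in lengths:
            return name
    return None

def find_cards(text, pattern=HARDENED):
    """Return (issuer, matched_text) for candidates with a known issuer that pass Luhn."""
    hits = []
    for m in pattern.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        issuer = issuer_for(digits)
        if issuer and luhn_ok(digits):
            hits.append((issuer, m.group()))
    return hits

# Constructed sample: the Logon GUID line from the event above, plus a constructed
# line carrying a well-known Visa test number (not real card data).
GUID_LINE = "Logon GUID: {5EBFB8A3-0187-8553-4803-2BCE019E11DD}"
PAN_LINE = "card=4111 1111 1111 1111"

if __name__ == "__main__":
    print(find_cards(GUID_LINE, NAIVE))     # [('Diners Club Carte Blanche', '3-0187-8553-4803-2')]
    print(find_cards(GUID_LINE, HARDENED))  # []
    print(find_cards(PAN_LINE, HARDENED))   # [('Visa', '4111 1111 1111 1111')]
```

Because the fragment is Luhn-valid, a checksum alone cannot clear this false positive; the token-boundary rule, or scoping the correlation search to the indexes and sourcetypes that can legitimately hold card data as suggested above, is what removes it.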

hrithiktej
Communicator

Thanks. Yes, we are running it against all the data (which I will change), but the data is coming from the expected source, i.e. our Oracle servers, which have some payment info files (but the Oracle team suggests they encrypt the file before sending it to the bank).

They are Red Hat, and we are taking everything from the /var/log folder.

0 Karma