Splunk Enterprise Security

Getting hundreds of credit card numbers from the Splunk PII correlation search in Enterprise Security; wondering if this is a false positive or whether we actually collect these CC numbers inadvertently


I am getting CC issuer names (Visa, MasterCard, Discover, etc.) and also numbers, and I am wondering if this is actual data or if the Splunk Enterprise Security app is making this up from some combinations in the PII correlation search. Can someone help me with this?

0 Karma


You will need to check the raw data that the PII correlation search is triggering on to see whether the data is actually credit card data. If it isn't, you can either:

  1. Modify the search to exclude the given data (such as restricting the search to particular indexes or sourcetypes)
  2. Disable the correlation search

This correlation search was intended to run against data that you know could contain credit card data (such as a particular index or a particular sourcetype). It is usually not recommended to run it against all of your data.


Checking the raw events does not show these numbers. It's weird: how is Splunk making up all these hundreds of credit card numbers from the raw data?

0 Karma

Splunk Employee

There is a lookup in ES that contains the first 4 digits of a CC and the issuer name to identify CC numbers. It's hard to say what is happening without knowing more about what you're seeing, and without knowing whether or not the search was modified.

0 Karma


Following is an example of an event we are getting from our DC (which has a Splunk forwarder on it and is configured to read WinEvent > Security logs), and ES shows a credit/debit card number in the event:

08/05/2018 05:28:40 -0400, search_name="Audit - Personally Identifiable Information Detection - Rule", search_now=0.000, info_min_time=1533461040.000, info_max_time=1533461640.000, info_search_time=1533133791.725, orig_host="xx-xxdc01", iin_issuer="Diners Club Carte Blanche", orig_event_id="CBC12CAE-22A2-419F-93DB-BCC3CD1C57BF@@wineventlog@@7c0af42e1bc2ec59f7cecb1d07ea963d", orig_raw="08/05/2018 05:28:40 AM
SourceName=Microsoft Windows security auditing.
Keywords=Audit Success
Message=An account was successfully logged on.

Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 3

Impersonation Level: Impersonation

New Logon:
Security ID: S-1-5-21-73361282-1014109674-949316387-76757
Account Name: xxxxxxxx
Account Domain: CORPORATE
Logon ID: 0x4D527BB3
Logon GUID: {5EBFB8A3-0187-8553-4803-2BCE019E11DD}

Process Information:
Process ID: 0x0
Process Name: -

Network Information:
Workstation Name: -
Source Network Address: 10.xxxxx
Source Port: 50701

Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

", orig_time=1533461320, pii="3-0187-8553-4803-2", pii_hash=6bad3a856887xxxxxxxxxxx, risk_object="xx1-xxc01", risk_object_type=system, risk_score=80

0 Karma
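The finding in the event above, reproduced as an added example (this is not ES's own search logic, which is not on the page): the flagged value "3-0187-8553-4803-2" is a digit run inside the Logon GUID that happens to start with a Diners Club Carte Blanche prefix and also passes a Luhn check, so prefix and checksum alone cannot rule it out. The issuer table, the candidate pattern and the GUID/SID masking below are assumptions made for this illustration; the event fragment is constructed from the post.

```python
import re

# Constructed fragment of the Windows logon event quoted in the thread (not the full raw event).
SAMPLE_EVENT = """\
New Logon:
Security ID: S-1-5-21-73361282-1014109674-949316387-76757
Account Name: xxxxxxxx
Logon ID: 0x4D527BB3
Logon GUID: {5EBFB8A3-0187-8553-4803-2BCE019E11DD}
"""

# Assumed, simplified issuer table keyed on leading digits (IIN). The real ES lookup
# is larger; only enough rows to reproduce the thread's finding are included here.
IIN_TABLE = {
    "Visa": ["4"],
    "MasterCard": ["51", "52", "53", "54", "55"],
    "American Express": ["34", "37"],
    "Discover": ["6011", "65"],
    "Diners Club Carte Blanche": ["300", "301", "302", "303", "304", "305"],
}

# Loose pattern: 14-16 digits optionally separated by single spaces or dashes, with no
# boundary check, so it can start and stop in the middle of a hex GUID or a SID.
CANDIDATE_RE = re.compile(r"\d(?:[ -]?\d){13,15}")
GUID_RE = re.compile(r"\{?[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?")
SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")

def luhn_ok(digits: str) -> bool:
    """Standard Luhn (mod 10) check over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def issuer_for(digits: str):
    for name, prefixes in IIN_TABLE.items():
        if digits.startswith(tuple(prefixes)):
            return name
    return None

def find_card_like(text: str, mask_identifiers: bool = False):
    """Return (issuer, raw_match) pairs that pass both the IIN and the Luhn check.
    With mask_identifiers=True, GUIDs and Windows SIDs are blanked first, so digit
    runs inside them are never scored as card numbers (the false positive disappears)."""
    if mask_identifiers:
        text = SID_RE.sub("<SID>", GUID_RE.sub("<GUID>", text))
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        issuer = issuer_for(digits)
        if issuer and luhn_ok(digits):
            hits.append((issuer, m.group(0)))
    return hits
```

Restricting the correlation search to the indexes or sourcetypes that can legitimately carry card data, as the answer above suggests, is the equivalent of the masking step at the search level.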


Thanks. Yes, we are running it against the whole data (which I will change), but the data is coming from the expected source, i.e. our Oracle servers, which have some payment info files (but the Oracle team says they encrypt the file before sending it to the bank).

They are Red Hat, and we are taking everything from the /var/log folder.

0 Karma