I am still learning Splunk and Enterprise Security and I am working on a problem with Splunk App for Enterprise Security alerting on hundreds of "Personally Identifiable Information Detected" events. ES is correctly identifying what looks like credit card data, however, what ES is identifying is part of the URL string
&ranreq=0.4055620639119297 from our web logs. What would be the best way to tune these events so they are no longer trigger personally identifiable information detected events? Would it be best to build a regex that will match
req=0. and disregard the log?
Any help would be appreciated.
NOT sourcetype=stash | `get_integer_seq` | lookup luhn_lite_lookup integer_seq OUTPUTNEW pii,pii_clean | eval pii_length=len(pii_clean) | lookup iin_lookup iin as pii_clean,length as pii_length OUTPUTNEW iin_issuer | search iin_issuer=* | `get_event_id` | rename event_id as orig_event_id | eval orig_raw=_raw | fields - _raw | fields + orig_event_id,orig_raw,host,pii,iin_issuer | eval pii_hash=sha1(pii) | eval orig_time=_time
We had the same things happening and this was our thought process:
I know it's not a definitive answer, but might help you make some decisions! Or help someone else with a similar issue.