Splunk Enterprise Security

How to tune the Splunk App for Enterprise Security to prevent our web logs from being triggered as Personally Identifiable Information Detection?

infosecdb
Engager

Hi Everyone,

I am still learning Splunk and Enterprise Security, and I am working on a problem with Splunk App for Enterprise Security alerting on hundreds of "Personally Identifiable Information Detected" events. ES is correctly identifying what looks like credit card data; however, what ES is identifying is part of the URL string &ranreq=0.4055620639119297 from our web logs. What would be the best way to tune these events so they no longer trigger "Personally Identifiable Information Detected" events? Would it be best to build a regex that will match req=0. and disregard the log?

Any help would be appreciated.

Kind regards,
Al

RULE:

NOT sourcetype=stash | `get_integer_seq` | lookup luhn_lite_lookup integer_seq OUTPUTNEW pii,pii_clean | eval pii_length=len(pii_clean) | lookup iin_lookup iin as pii_clean,length as pii_length OUTPUTNEW iin_issuer | search iin_issuer=* | `get_event_id` | rename event_id as orig_event_id | eval orig_raw=_raw | fields - _raw | fields + orig_event_id,orig_raw,host,pii,iin_issuer | eval pii_hash=sha1(pii) | eval orig_time=_time

RAW EVENT:

aktrack.pubmatic.com/AdServer/AdDisplayTrackerServlet?operId=1&pubId=54495&siteId=61171&adId=127399&adServerId=1463&kefact=1.150000&kaxefact=1.150000&kadNetFrequecy=1&kadwidth=320&kadheight=50&kadsizeid=31&kltstamp=1444154121&indirectAdId=143315&adServerOptimizerId=1&ranreq=0.4055620639119297&kpbmtpfact=0.000000&dcId=2&tldId=0&passback=0&imprId=532AD7D9-A9AA-4901-9579-21D8E54FFADF&oid=532AD7D9-A9AA-4901-9579-21D8E54FFADF&ias=257&mobflag=2&modelid=97&osid=5&imprCap=1&pageURL=http:/www.fieldandstream.com/photos/gallery/hunting/deer-hunting/finding-deer-hunt/2009/10/ohio-crossbow-hunter-rents-helicopter-?image=17

balsa3d
New Member

This is useful, thanks Dirkmeeuwsen.

0 Karma

dirkmeeuwsen
Explorer

We had the same things happening and this was our thought process:

  • Try to narrow it down to specific traffic - you might care more about this if it's in your DMZ compared to users' traffic logs
  • Narrow it down to a specific direction of traffic where the source is external (or internal, depending on your use case)
  • Tweak the threshold that it fires on; only have it trigger if it's above a certain count of events in a given time frame
  • You may be able to use 'rex' in the search to do on-the-fly regex for that string (if you see that same string consistently)
  • Disable it altogether and revisit it later

I know it's not a definitive answer, but might help you make some decisions! Or help someone else with a similar issue.
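To see why the URL in the question is flagged, and how the "on-the-fly regex" idea above can exclude it without losing genuine hits, here is an added Python example. It is not part of this thread and is not ES's own `get_integer_seq` macro or `luhn_lite_lookup`; it only approximates them with a standalone Luhn check over 13-19 digit runs. The raw event is the one posted in the question; the `card=` parameter and the 4111... test number (a widely published Luhn-valid test value, not a real card) are constructed inputs.

```python
import re

# Raw event from the question: the ad-tracker URL that ES flagged as PII.
RAW_EVENT = (
    "aktrack.pubmatic.com/AdServer/AdDisplayTrackerServlet?operId=1&pubId=54495"
    "&siteId=61171&adId=127399&adServerId=1463&kefact=1.150000&kaxefact=1.150000"
    "&kadNetFrequecy=1&kadwidth=320&kadheight=50&kadsizeid=31&kltstamp=1444154121"
    "&indirectAdId=143315&adServerOptimizerId=1&ranreq=0.4055620639119297"
    "&kpbmtpfact=0.000000&dcId=2&tldId=0&passback=0"
    "&imprId=532AD7D9-A9AA-4901-9579-21D8E54FFADF"
    "&oid=532AD7D9-A9AA-4901-9579-21D8E54FFADF&ias=257&mobflag=2&modelid=97"
    "&osid=5&imprCap=1&pageURL=http:/www.fieldandstream.com/photos/gallery/"
    "hunting/deer-hunting/finding-deer-hunt/2009/10/ohio-crossbow-hunter-rents-"
    "helicopter-?image=17"
)

# Candidate digit runs in the usual payment-card length range (assumption:
# this mirrors what the ES integer-sequence extraction feeds into its Luhn lookup).
CANDIDATE = re.compile(r"\d{13,19}")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn (mod 10) check: double every second digit from the right,
    subtract 9 from any doubled value above 9, and require the sum to be 0 mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_like_sequences(text: str) -> list[str]:
    """Untuned detection: every Luhn-valid run of 13-19 digits is reported.
    This is the behaviour that produces the false positive in the question."""
    return [m.group() for m in CANDIDATE.finditer(text) if luhn_ok(m.group())]


def is_fraction_context(text: str, start: int) -> bool:
    """True when the digit run is the fractional part of a decimal number,
    i.e. it is immediately preceded by '<digit>.' as in 'ranreq=0.4055...'.
    Assumption: no legitimate card number is ever logged in that position."""
    return start >= 2 and text[start - 1] == "." and text[start - 2].isdigit()


def card_like_sequences_tuned(text: str) -> list[str]:
    """Tuned detection: drop candidates that sit inside a decimal fraction,
    keep every other Luhn-valid run so real card-like data still alerts."""
    hits = []
    for m in CANDIDATE.finditer(text):
        if is_fraction_context(text, m.start()):
            continue
        if luhn_ok(m.group()):
            hits.append(m.group())
    return hits


if __name__ == "__main__":
    print("untuned:", card_like_sequences(RAW_EVENT))        # ['4055620639119297']
    print("tuned:  ", card_like_sequences_tuned(RAW_EVENT))  # []
    # Constructed event with a Luhn-valid test number outside a fraction: still caught.
    print("tuned+card:", card_like_sequences_tuned(RAW_EVENT + "&card=4111111111111111"))
```

The interesting point is that 4055620639119297 genuinely passes Luhn and begins with 4, so ES is not malfunctioning; a random 16-digit fraction will pass the mod-10 check about one time in ten. Filtering on context (the digits follow `0.`) rather than on the bare value is what keeps the detection useful. In SPL the same idea can be sketched by extracting the fraction with `rex` (for example `rex "ranreq=0\.(?<ranreq_frac>\d+)"`) and then dropping only events whose flagged value equals it, taking care that events without a `ranreq` field are not discarded by a null comparison (e.g. `where isnull(ranreq_frac) OR pii_clean!=ranreq_frac`).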
