Splunk Enterprise Security

How to tune the Splunk App for Enterprise Security to prevent our web logs from triggering Personally Identifiable Information Detection?

infosecdb
Engager

Hi Everyone,

I am still learning Splunk and Enterprise Security, and I am working on a problem with the Splunk App for Enterprise Security alerting on hundreds of "Personally Identifiable Information Detected" events. ES is correctly identifying what looks like credit card data; however, what ES is identifying is part of the URL string &ranreq=0.4055620639119297 from our web logs. What would be the best way to tune these events so they no longer trigger Personally Identifiable Information Detected events? Would it be best to build a regex that will match req=0. and disregard the log?

Any help would be appreciated.

Kind regards,
Al

RULE:

NOT sourcetype=stash | `get_integer_seq` | lookup luhn_lite_lookup integer_seq OUTPUTNEW pii,pii_clean | eval pii_length=len(pii_clean) | lookup iin_lookup iin as pii_clean,length as pii_length OUTPUTNEW iin_issuer | search iin_issuer=* | `get_event_id` | rename event_id as orig_event_id | eval orig_raw=_raw | fields - _raw | fields + orig_event_id,orig_raw,host,pii,iin_issuer | eval pii_hash=sha1(pii) | eval orig_time=_time

RAW EVENT:

aktrack.pubmatic.com/AdServer/AdDisplayTrackerServlet?operId=1&pubId=54495&siteId=61171&adId=127399&adServerId=1463&kefact=1.150000&kaxefact=1.150000&kadNetFrequecy=1&kadwidth=320&kadheight=50&kadsizeid=31&kltstamp=1444154121&indirectAdId=143315&adServerOptimizerId=1&ranreq=0.4055620639119297&kpbmtpfact=0.000000&dcId=2&tldId=0&passback=0&imprId=532AD7D9-A9AA-4901-9579-21D8E54FFADF&oid=532AD7D9-A9AA-4901-9579-21D8E54FFADF&ias=257&mobflag=2&modelid=97&osid=5&imprCap=1&pageURL=http:/www.fieldandstream.com/photos/gallery/hunting/deer-hunting/finding-deer-hunt/2009/10/ohio-crossbow-hunter-rents-helicopter-?image=17

balsa3d
New Member

This is useful, thanks Dirkmeeuwsen.

0 Karma

dirkmeeuwsen
Explorer

We had the same things happening and this was our thought process:

  • Try to narrow it down to specific traffic - you might care more about this if it's in your DMZ compared to users' traffic logs
  • Narrow it down to a specific direction of traffic where the source is external (or internal, depending on your use case)
  • Tweak the threshold that it fires on; only have it trigger if it's above a certain count of events in a given time frame
  • You may be able to use 'rex' in the search to do on-the-fly regex for that string (if you see that same string consistently)
  • Disable it altogether and revisit it later

I know it's not a definitive answer, but might help you make some decisions! Or help someone else with a similar issue.
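Added example (not part of the thread above, and not Splunk's own code): a small Python model of what the posted correlation search does, run over the raw event from the question, so you can see why the ranreq value is flagged and compare the tuning options. The integer-sequence extraction and the issuer lookup are simplified stand-ins for the `get_integer_seq` macro and `iin_lookup` (assumptions for illustration only); the Luhn check is the real mod-10 test. The second and third sample lines are constructed for this example, and 4111111111111111 is the standard Visa test number, not a real card. The point the example makes: 4055620639119297, the fractional part of the ranreq float, is a 16-digit string starting with 4 that passes Luhn, so the rule as written cannot tell it from a PAN; dropping every event that contains `ranreq=0.` would also hide a genuine card number in the same line, whereas masking only that parameter, or skipping digit runs that directly follow a decimal point, keeps the real hit.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sample events. The first is the raw event from the question (shortened); the
# other two are constructed for this example and are not from the original page.
# 4111111111111111 is the well-known Visa test number, not a real card.
SAMPLE_EVENTS = {
    "ranreq_only": (
        "aktrack.pubmatic.com/AdServer/AdDisplayTrackerServlet?operId=1&pubId=54495"
        "&kltstamp=1444154121&ranreq=0.4055620639119297&kpbmtpfact=0.000000&dcId=2"
    ),
    "ranreq_and_card": (
        "ads.example.invalid/track?ranreq=0.4055620639119297&card=4111111111111111"
    ),
    "clean": "GET /images/logo.png HTTP/1.1 200 1532",
}

# Assumed stand-in for the `get_integer_seq` macro: every run of 13-19 digits,
# plus the single character in front of it (so a decimal fraction is recognisable).
INT_SEQ_RE = re.compile(r"(?P<prefix>\D?)(?<!\d)(?P<seq>\d{13,19})(?!\d)")

# Parameter known to carry a random float; used by the "drop" and "mask" modes.
NOISY_PARAM_RE = re.compile(r"(?<=[?&])ranreq=0\.\d+")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check, the test that luhn_lite_lookup applies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def issuer_for(seq: str) -> Optional[str]:
    """Crude, assumed stand-in for iin_lookup: 16 digits starting with 4 -> Visa
    range. The real lookup keys on the IIN prefix and length far more precisely."""
    return "visa" if len(seq) == 16 and seq.startswith("4") else None


@dataclass
class Candidate:
    seq: str
    prefix: str     # character immediately before the digits ("" at line start)
    offset: int


def integer_sequences(event: str) -> list[Candidate]:
    return [Candidate(m.group("seq"), m.group("prefix"), m.start("seq"))
            for m in INT_SEQ_RE.finditer(event)]


def detect_pii(event: str, mode: str = "raw") -> list[str]:
    """Return the sequences the rule would report for one event.

    mode="raw"      : the correlation search as posted (no tuning)
    mode="drop"     : disregard the whole event if it contains ranreq=0.<digits>
    mode="mask"     : blank out only the noisy parameter, keep the rest
    mode="fraction" : skip digit runs that directly follow '.', i.e. float
                      fractions, without needing to know the parameter name
    """
    if mode == "drop" and NOISY_PARAM_RE.search(event):
        return []
    if mode == "mask":
        event = NOISY_PARAM_RE.sub("ranreq=0.X", event)
    hits = []
    for c in integer_sequences(event):
        if mode == "fraction" and c.prefix == ".":
            continue
        if luhn_ok(c.seq) and issuer_for(c.seq):
            hits.append(c.seq)
    return hits


def run_demo() -> dict[str, dict[str, list[str]]]:
    """Detections per sample event for each tuning mode."""
    return {name: {m: detect_pii(ev, m) for m in ("raw", "drop", "mask", "fraction")}
            for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, by_mode in run_demo().items():
        print(name)
        for mode, hits in by_mode.items():
            print(f"  {mode:9s} -> {hits}")
```

In SPL terms, "drop" is the blunt option the question proposes: an exclusion such as `NOT "ranreq=0."` added to the base search before `get_integer_seq` (untested here against this rule). "fraction" is the safer generalisation of the rex idea: reject any candidate integer sequence that is preceded by a decimal point, which handles every float-valued parameter rather than just ranreq, while still reporting a card number elsewhere in the same event.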
