Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to tune the Splunk App for Enterprise Security to prevent our web logs from being triggered as Personally Identifiable Information Detection?

infosecdb
Engager
‎10-07-2015 12:15 PM

Hi Everyone,

I am still learning Splunk and Enterprise Security and I am working on a problem with Splunk App for Enterprise Security alerting on hundreds of "Personally Identifiable Information Detected" events. ES is correctly identifying what looks like credit card data, however, what ES is identifying is part of the URL string &ranreq=0.4055620639119297 from our web logs. What would be the best way to tune these events so they are no longer trigger personally identifiable information detected events? Would it be best to build a regex that will match req=0. and disregard the log?

Any help would be appreciated.

Kind regards,
Al

RULE:

NOT sourcetype=stash | `get_integer_seq` | lookup luhn_lite_lookup integer_seq OUTPUTNEW pii,pii_clean | eval pii_length=len(pii_clean) | lookup iin_lookup iin as pii_clean,length as pii_length OUTPUTNEW iin_issuer | search iin_issuer=* | `get_event_id` | rename event_id as orig_event_id | eval orig_raw=_raw | fields - _raw | fields + orig_event_id,orig_raw,host,pii,iin_issuer | eval pii_hash=sha1(pii) | eval orig_time=_time

RAW EVENT:

aktrack.pubmatic.com/AdServer/AdDisplayTrackerServlet?operId=1&pubId=54495&siteId=61171&adId=127399&adServerId=1463&kefact=1.150000&kaxefact=1.150000&kadNetFrequecy=1&kadwidth=320&kadheight=50&kadsizeid=31&kltstamp=1444154121&indirectAdId=143315&adServerOptimizerId=1&ranreq=0.4055620639119297&kpbmtpfact=0.000000&dcId=2&tldId=0&passback=0&imprId=532AD7D9-A9AA-4901-9579-21D8E54FFADF&oid=532AD7D9-A9AA-4901-9579-21D8E54FFADF&ias=257&mobflag=2&modelid=97&osid=5&imprCap=1&pageURL=http:/www.fieldandstream.com/photos/gallery/hunting/deer-hunting/finding-deer-hunt/2009/10/ohio-crossbow-hunter-rents-helicopter-?image=17
Reply

balsa3d
New Member
‎09-29-2019 10:12 PM

this is useful thanks Dirkmeeuwsen

0 Karma
Reply

dirkmeeuwsen
Explorer
‎10-19-2015 12:21 PM

We had the same things happening and this was our thought process:

  • Try to narrow it down to specific traffic - You might care more about this if its in your DMZ compared to users' traffic logs
  • narrow it down to a specific direction of traffic where the source is external (or internal depending on your use case)
  • tweak the threshold that it fires on; only have it trigger if its above a certain count of events in a giving time frame
  • you may be able to use 'rex' in the search to do on-the-fly regex for that string (if you see that same string consistently)
  • disable it all together and revisit it later

I know it's not a definitive answer, but might help you make some decisions! Or help someone else with a similar issue.

Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...