Splunk Enterprise Security

Need help with modifying a correlation search

infosecdb
Engager

Hi everyone I'm new to Splunk and I would appreciate some help finding a solution to my problem.

Here is some background to my question. A Splunk rule "Audit - Personally Identifiable Information Detection - Rule" is detecting URL's which it thinks contain credit card numbers, for example, "adServerOptimizerId=1&ranreq=0.4055620639119297" however, we have determined the alerts were false positives. How would I modify the correlation search to tell Splunk which 4 firewall web traffic logs splunk should look at.

I'm a little hesitant to modify this myself.
Thanks!

NOT sourcetype=stash | `get_integer_seq` | lookup luhn_lite_lookup integer_seq OUTPUTNEW pii,pii_clean | eval pii_length=len(pii_clean) | lookup iin_lookup iin as pii_clean,length as pii_length OUTPUTNEW iin_issuer | search iin_issuer=* | `get_event_id` | rename event_id as orig_event_id | eval orig_raw=_raw | fields - _raw | fields + orig_event_id,orig_raw,host,pii,iin_issuer | eval pii_hash=sha1(pii) | eval orig_time=_time
0 Karma

jstoner_splunk
Splunk Employee
Splunk Employee

Depending on how you isolate those 4 firewall web traffic logs will drive how you edit this. If you want, you could use IPs, or sourcetype, host or source depending on how your system is built. Because you are not using a data model in this correlation search, you will need to keep in mind that something like src might not actually be called src, it might be s_ip or source_ip or some other key value. Some examination of that will be needed.

In the example below, I added 2 sourcetypes to the correlation search that allowed us to narrow the data that was looked at before the rest of the commands were run. This could be IP or hostname instead of sourcetype.

(sourcetype=bluecoat* OR sourcetype=ccnumbers)  NOT sourcetype=stash | `get_integer_seq` | lookup luhn_lite_lookup integer_seq OUTPUTNEW pii,pii_clean | eval pii_length=len(pii_clean) | lookup iin_lookup iin as pii_clean,length as pii_length OUTPUTNEW iin_issuer | search iin_issuer=* | `get_event_id` | rename event_id as orig_event_id | eval orig_raw=_raw | fields - _raw | fields + orig_event_id,orig_raw,host,pii,iin_issuer | eval pii_hash=sha1(pii) | eval orig_time=_time

If I want to run this in a search window to evaluate my search ahead of deploying, I can also add sourcetype, ip address field names or whatever else viewable by adding those fields into the |fields + section of the search so those values can show when the log is expanded.

0 Karma

sheamus69
Communicator

As far as I can tell, this alert is incredibly noisy and 100% unreliable.

Having just run it's core search for a test all I could discern is that it's best to not use it.

0 Karma
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...