In my search results, I need to hide some specific events from the output. Currently I am running a search to find whether there is any credit card data in the logs. I am using a Luhn lookup to fetch the results. But this is creating hundreds of false positive alerts a day. Mostly the false positive results are generated by the session id or support id, which we know for sure are false positives.
As a solution, I have extracted the session id and support id and assigned them to a variable named CARD using regex. Then I have used that variable to check whether it's a false positive or not. If it is a false positive, don't display the result.
Here is my logic, could you please correct my logic as it is not working?
Note: the session id and support id are 18-20 alphanumeric characters, say u8956742397238567a. So if the digits match the PAN logic, it triggers the false positive alerts.

```
| rex field=orig_raw "\ssession_id:\s<[a-z]?(?<CARD>\d+)[a-z]?>"
| eval falsepositive=if(PAN==CARD, "1", "0")
| where falsepositive="0"
```
Why not just do something like this:
```
index=*
| regex _raw="(?:\d{4}-\d{4}-\d{4}-\d{4})|\d{16}"
| rex max_match=0 "(?<PotentialCCN>(?:\d{4}-\d{4}-\d{4}-\d{4})|\d{16})"
| table _raw "Support id" "Session id" And Any Other Field That Looks Like A CCN HERE
| mvexpand PotentialCCN
| eval FALSE_POSITIVE=case(PotentialCCN='Support id', 1,
    PotentialCCN='Session id', 1,
    ...,
    true(), 0)
| search FALSE_POSITIVE=0
```
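The same suppression logic outside Splunk, as an added example that is not part of either post: candidate PANs are pulled out with the 4-4-4-4 / 16-digit pattern from the answer, any candidate whose digits are just the digit run of a known session or support id is dropped, and the survivors are Luhn-checked. The `session_id=`/`support_id=` key=value layout and the log lines are constructed for the example and are assumptions.

```python
import re

# Candidate PAN pattern from the answer: 4-4-4-4 dashed or 16 contiguous digits.
CCN_RE = re.compile(r"(?<!\d)(?:\d{4}-\d{4}-\d{4}-\d{4}|\d{16})(?!\d)")
# Assumed key=value layout for the ids the question mentions (not from the page).
FIELD_RE = re.compile(r"\b(?:session_id|support_id)=(?P<val>[A-Za-z0-9]+)")

# Constructed sample events; 4111111111111111 is the well-known Luhn-valid test PAN.
LOGS = [
    "2024-01-01 session_id=u8956742397238567a user=alice msg=login ok",
    "2024-01-01 support_id=t4111111111111111z msg=ticket opened",
    "2024-01-01 session_id=u8956742397238567a card=4111-1111-1111-1111 msg=payment",
]


def luhn_ok(digits: str) -> bool:
    """Standard Luhn mod-10 check on a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(line: str, whitelist_ids: bool = True) -> list[str]:
    """Return Luhn-valid PAN candidates in `line`, minus known session/support ids.

    With whitelist_ids=False the id digit runs are kept, which reproduces the
    false positives the question describes.
    """
    known_runs = set()
    if whitelist_ids:
        # Digit run inside an id such as u8956742397238567a is exactly what the
        # 16-digit pattern would otherwise flag as a PAN.
        known_runs = {re.sub(r"\D", "", m.group("val")) for m in FIELD_RE.finditer(line)}
    hits = []
    for m in CCN_RE.finditer(line):
        digits = m.group(0).replace("-", "")
        if digits in known_runs:
            continue            # false positive: it is the session/support id itself
        if luhn_ok(digits):
            hits.append(digits)
    return hits


if __name__ == "__main__":
    for entry in LOGS:
        print(find_pans(entry), "<-", entry)
```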