Splunk Search

PAN data in indexes. How to tackle them to avoid non-compliance?

koshyk
Super Champion

We have Splunk system collecting data from various sources (network, OS, application logs etc).
Unfortunately, some of these systems send PAN related data with unmasked credit card details, but we dont know where.
Is there a way to tackle these? We need to track they are sending PAN related data, but don't want to store that data (or store in hashed format).

My only thought is
- create an index pci_secure_index with permission only to restricted users
- Index all data normally. But run scheduled search to detect PAN information. Collect these data and summary index to "pci_secure_index"
- Delete (delete) from the original index

Is there a better approach?

(PS: We tried the anonymise data approach to search for cc pattern in first 5000 characters, but the system almost went down to knees)

0 Karma

gcusello
Legend

If you don't need real time, you could pre parse data with a script, and after index them in Splunk.
We did this for a customer that wanted to encrypt one field without lost it.
Bye.
Giuseppe

0 Karma

woodcock
Esteemed Legend

If that's the case, deploy more indexers. I don't see any other ways.

0 Karma

gcusello
Legend
0 Karma

koshyk
Super Champion

We tried the anonymise data approach to search for cc pattern in first 5000 characters, but the system almost went down to knees. The above link is good, if we are 100% sure or field where the PAN is coming. But incoming terrabytes of data with whole event scan is performance killer.

0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...