Hi everyone I'm new to Splunk and I would appreciate some help finding a solution to my problem. Here is some background to my question. A Splunk rule "Audit - Personally Identifiable Information Detection - Rule" is detecting URL's which it thinks contain credit card numbers, for example, "adServerOptimizerId=1&ranreq=0.4055620639119297" however, we have determined the alerts were false positives. How would I modify the correlation search to tell Splunk which 4 firewall web traffic logs splunk should look at. I'm a little hesitant to modify this myself. Thanks! NOT sourcetype=stash | `get_integer_seq` | lookup luhn_lite_lookup integer_seq OUTPUTNEW pii,pii_clean | eval pii_length=len(pii_clean) | lookup iin_lookup iin as pii_clean,length as pii_length OUTPUTNEW iin_issuer | search iin_issuer=* | `get_event_id` | rename event_id as orig_event_id | eval orig_raw=_raw | fields - _raw | fields + orig_event_id,orig_raw,host,pii,iin_issuer | eval pii_hash=sha1(pii) | eval orig_time=_time ... View more

Hi Everyone, I am still learning Splunk and Enterprise Security and I am working on a problem with Splunk App for Enterprise Security alerting on hundreds of "Personally Identifiable Information Detected" events. ES is correctly identifying what looks like credit card data, however, what ES is identifying is part of the URL string &ranreq=0.4055620639119297 from our web logs. What would be the best way to tune these events so they are no longer trigger personally identifiable information detected events? Would it be best to build a regex that will match req=0. and disregard the log? Any help would be appreciated. Kind regards, Al RULE: NOT sourcetype=stash | `get_integer_seq` | lookup luhn_lite_lookup integer_seq OUTPUTNEW pii,pii_clean | eval pii_length=len(pii_clean) | lookup iin_lookup iin as pii_clean,length as pii_length OUTPUTNEW iin_issuer | search iin_issuer=* | `get_event_id` | rename event_id as orig_event_id | eval orig_raw=_raw | fields - _raw | fields + orig_event_id,orig_raw,host,pii,iin_issuer | eval pii_hash=sha1(pii) | eval orig_time=_time RAW EVENT: aktrack.pubmatic.com/AdServer/AdDisplayTrackerServlet?operId=1&pubId=54495&siteId=61171&adId=127399&adServerId=1463&kefact=1.150000&kaxefact=1.150000&kadNetFrequecy=1&kadwidth=320&kadheight=50&kadsizeid=31&kltstamp=1444154121&indirectAdId=143315&adServerOptimizerId=1&ranreq=0.4055620639119297&kpbmtpfact=0.000000&dcId=2&tldId=0&passback=0&imprId=532AD7D9-A9AA-4901-9579-21D8E54FFADF&oid=532AD7D9-A9AA-4901-9579-21D8E54FFADF&ias=257&mobflag=2&modelid=97&osid=5&imprCap=1&pageURL=http:/www.fieldandstream.com/photos/gallery/hunting/deer-hunting/finding-deer-hunt/2009/10/ohio-crossbow-hunter-rents-helicopter-?image=17 ... View more

Hi Everyone, I am trying to concoct a regular expression in the Splunk App for Enterprise Security to find all SCCM logs that contain dest_name="CN . The results of the search will be sent to an alternate SIEM solution. The search criteria will begin with dest_name="CN The characters after CN can be any character, any case, and numeral. For example: dest_name="CNWSNCHHHD001" or dest_name="CNWSEC91CD199". The remaining characters can be any character or number Log example: "09-01-2015 11:18:59" timestamp=1441120739267, vendor_product="SystemCenterEndpointProtection", type="SecurityIncident", resourceid=67132131, dest_name="CNWSNCHHHD001", dest_nt_domain="REDACTED", detectiontime=1441120739267, actiontime=1441120750000, product_version="4.5.0216.0", detectionid="{REDACTED}", detection_source="realtime", user="REDACTED", target_process="REDACTED", file_path="REDACTED", signature="Virus:DOS/JackTheRipper", severity="Severe", category="Virus", action_type="quarantine", action="deferred", action_result="false", action_error_code=-2147024846, pending_action="noaction" (Also, sourcetype should be from sccm:malware) Any assistance to what I may be doing wrong would be greatly appreciated. Thanks, Al Wever ... View more