The following is an example of an event we are getting from our DC (which has a Splunk forwarder on it and is configured to read winevent>security logs), and ES shows a credit/debit card number in the event:
08/05/2018 05:28:40 -0400, search_name="Audit - Personally Identifiable Information Detection - Rule", search_now=0.000, info_min_time=1533461040.000, info_max_time=1533461640.000, info_search_time=1533133791.725, orig_host="xx-xxdc01", iin_issuer="Diners Club Carte Blanche", orig_event_id="CBC12CAE-22A2-419F-93DB-BCC3CD1C57BF@@wineventlog@@7c0af42e1bc2ec59f7cecb1d07ea963d", orig_raw="08/05/2018 05:28:40 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=xxxx.corp.xxxx.com
TaskCategory=Logon
OpCode=Info
RecordNumber=63149956493
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-73361282-1014109674-949316387-76757
Account Name: xxxxxxxx
Account Domain: CORPORATE
Logon ID: 0x4D527BB3
Logon GUID: {5EBFB8A3-0187-8553-4803-2BCE019E11DD}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.xxxxx
Source Port: 50701
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
", orig_time=1533461320, pii="3-0187-8553-4803-2", pii_hash=6bad3a856887xxxxxxxxxxx, risk_object="xx1-xxc01", risk_object_type=system, risk_score=80
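The `pii` value in the event above is the middle of the Logon GUID. The sketch below is an added example, not part of the original post and not Splunk's own code. It assumes the detection takes separator-tolerant digit runs and validates them with a Luhn checksum, and it uses hypothetical function names to show why that substring passes and how masking GUIDs before the scan removes the hit:

```python
import re

# Line copied from the event in the post, plus one constructed line holding a
# well-known Luhn-valid test number so the filter is shown not to hide real hits.
GUID_LINE = "Logon GUID: {5EBFB8A3-0187-8553-4803-2BCE019E11DD}"
CARD_LINE = "note=4111 1111 1111 1111"  # constructed

# Assumed candidate shape: 13-19 digits, optionally separated by '-' or ' '.
CANDIDATE = re.compile(r"\d(?:[ -]?\d){12,18}")
# Standard 8-4-4-4-12 hex GUID layout, with or without braces.
GUID = re.compile(r"\{?[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def find_card_candidates(text: str, mask_guids: bool = False) -> list[str]:
    """Return Luhn-valid digit runs; optionally blank out GUIDs first."""
    if mask_guids:
        text = GUID.sub("<guid>", text)
    hits = []
    for m in CANDIDATE.finditer(text):
        # Strip separators before the checksum, keep the raw match for reporting.
        if luhn_ok(re.sub(r"\D", "", m.group())):
            hits.append(m.group())
    return hits


if __name__ == "__main__":
    print(find_card_candidates(GUID_LINE))                   # GUID fragment is flagged
    print(find_card_candidates(GUID_LINE, mask_guids=True))  # no hit once GUIDs are masked
    print(find_card_candidates(CARD_LINE, mask_guids=True))  # standalone number still found
```

The 14-digit run starts with 301, which falls in the 300-305 prefix range that matches the `iin_issuer` value shown in the event.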