Splunk Enterprise Security

Need help with modifying a correlation search

infosecdb
Engager

Hi everyone, I'm new to Splunk and I would appreciate some help finding a solution to my problem.

Here is some background to my question. A Splunk rule, "Audit - Personally Identifiable Information Detection - Rule", is detecting URLs which it thinks contain credit card numbers, for example "adServerOptimizerId=1&ranreq=0.4055620639119297"; however, we have determined the alerts were false positives. How would I modify the correlation search to tell Splunk which 4 firewall web traffic logs Splunk should look at?

I'm a little hesitant to modify this myself.
Thanks!

NOT sourcetype=stash | `get_integer_seq` | lookup luhn_lite_lookup integer_seq OUTPUTNEW pii,pii_clean | eval pii_length=len(pii_clean) | lookup iin_lookup iin as pii_clean,length as pii_length OUTPUTNEW iin_issuer | search iin_issuer=* | `get_event_id` | rename event_id as orig_event_id | eval orig_raw=_raw | fields - _raw | fields + orig_event_id,orig_raw,host,pii,iin_issuer | eval pii_hash=sha1(pii) | eval orig_time=_time
0 Karma

jstoner_splunk
Splunk Employee

How you isolate those 4 firewall web traffic logs will drive how you edit this. If you want, you could use IPs, or sourcetype, host or source, depending on how your system is built. Because you are not using a data model in this correlation search, you will need to keep in mind that something like src might not actually be called src; it might be s_ip or source_ip or some other key value. Some examination of that will be needed.

In the example below, I added 2 sourcetypes to the correlation search that allowed us to narrow the data that was looked at before the rest of the commands were run. This could be IP or hostname instead of sourcetype.

(sourcetype=bluecoat* OR sourcetype=ccnumbers)  NOT sourcetype=stash | `get_integer_seq` | lookup luhn_lite_lookup integer_seq OUTPUTNEW pii,pii_clean | eval pii_length=len(pii_clean) | lookup iin_lookup iin as pii_clean,length as pii_length OUTPUTNEW iin_issuer | search iin_issuer=* | `get_event_id` | rename event_id as orig_event_id | eval orig_raw=_raw | fields - _raw | fields + orig_event_id,orig_raw,host,pii,iin_issuer | eval pii_hash=sha1(pii) | eval orig_time=_time

If I want to run this in a search window to evaluate my search ahead of deploying, I can also add sourcetype, IP address field names or whatever else is viewable by adding those fields into the "| fields +" section of the search, so those values can show when the log is expanded.

0 Karma
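The following is an added example, not code from this thread or from Splunk Enterprise Security. It re-implements the correlation search's pipeline in Python (integer-sequence extraction, a Luhn check standing in for luhn_lite_lookup, a tiny constructed IIN table standing in for iin_lookup) over constructed sample events, so you can see why "ranreq=0.4055620639119297" fires (the 16 digits after the decimal point happen to pass Luhn and start with a Visa prefix) and how the sourcetype allowlist from the answer above narrows the hits. It goes one step beyond the answer with an optional context check that drops digit runs that are the fractional part of a decimal. Field names, the IIN table and the sample events are all assumptions.

```python
import hashlib
import re
from fnmatch import fnmatch

# Constructed sample events standing in for web/firewall logs (not real data).
# Field names are assumptions; Splunk ES may expose different ones.
SAMPLE_EVENTS = [
    {"sourcetype": "bluecoat:proxysg", "host": "proxy01",
     "_raw": "GET /ads?adServerOptimizerId=1&ranreq=0.4055620639119297 HTTP/1.1"},
    {"sourcetype": "bluecoat:proxysg", "host": "proxy01",
     "_raw": "POST /checkout card=4111111111111111 HTTP/1.1"},
    {"sourcetype": "syslog", "host": "app02",
     "_raw": "order ref 4111111111111111 processed"},
    {"sourcetype": "stash", "host": "es01",
     "_raw": "summary pii=4111111111111111"},
]

# Constructed, deliberately tiny IIN table (prefix -> issuer, allowed lengths).
# The real iin_lookup in ES is far larger; this is only for illustration.
IIN_TABLE = {"4": ("Visa", (13, 16, 19))}


def get_integer_seq(raw):
    """Stand-in for `get_integer_seq`: every run of 13-19 digits, context-free."""
    return re.findall(r"(?<!\d)\d{13,19}(?!\d)", raw)


def luhn_valid(seq):
    """Luhn mod-10 check, the test luhn_lite_lookup applies to each digit run."""
    total = 0
    for i, ch in enumerate(reversed(seq)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def iin_issuer(seq):
    """Stand-in for iin_lookup: issuer name if prefix and length match, else None."""
    for prefix, (issuer, lengths) in IIN_TABLE.items():
        if seq.startswith(prefix) and len(seq) in lengths:
            return issuer
    return None


def in_fraction(raw, seq):
    """True when the digit run is the fractional part of a decimal, e.g. ranreq=0.4055..."""
    return re.search(r"\d\." + re.escape(seq) + r"(?!\d)", raw) is not None


def run_rule(events, sourcetype_allow=None, drop_fractions=False):
    """Mimic the correlation search; return one notable dict per (event, sequence) hit.

    sourcetype_allow: wildcard patterns such as ["bluecoat*", "ccnumbers"], mirroring the
    (sourcetype=bluecoat* OR sourcetype=ccnumbers) prefix suggested in the answer.
    drop_fractions:   extra suppression for digit runs that are decimal fractions.
    """
    notables = []
    for ev in events:
        if ev["sourcetype"] == "stash":            # NOT sourcetype=stash
            continue
        if sourcetype_allow and not any(fnmatch(ev["sourcetype"], p) for p in sourcetype_allow):
            continue
        for seq in get_integer_seq(ev["_raw"]):
            if not luhn_valid(seq):
                continue
            issuer = iin_issuer(seq)
            if issuer is None:                     # search iin_issuer=*
                continue
            if drop_fractions and in_fraction(ev["_raw"], seq):
                continue
            notables.append({
                "host": ev["host"],
                "sourcetype": ev["sourcetype"],
                "pii": seq,
                "iin_issuer": issuer,
                "pii_hash": hashlib.sha1(seq.encode()).hexdigest(),  # eval pii_hash=sha1(pii)
                "orig_raw": ev["_raw"],
            })
    return notables


if __name__ == "__main__":
    for label, kwargs in [
        ("unscoped", {}),
        ("sourcetype allowlist", {"sourcetype_allow": ["bluecoat*", "ccnumbers"]}),
        ("allowlist + fraction check", {"sourcetype_allow": ["bluecoat*", "ccnumbers"],
                                        "drop_fractions": True}),
    ]:
        hits = run_rule(SAMPLE_EVENTS, **kwargs)
        print(f"{label}: {len(hits)} notable(s)")
        for h in hits:
            print(f"  {h['sourcetype']} {h['host']} {h['iin_issuer']} {h['orig_raw']}")
```

Running it shows the unscoped search producing three notables (including the ranreq false positive and a syslog line you probably never meant to scan), the allowlist cutting that to the two proxy events, and the fraction check leaving only the genuine card-shaped value. The allowlist is the change the answer recommends; the fraction check is a separate tuning idea you would validate against your own data before adding anything equivalent to the correlation search.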

sheamus69
Communicator

As far as I can tell, this alert is incredibly noisy and 100% unreliable.

Having just run its core search for a test, all I could discern is that it's best to not use it.

0 Karma