Does Splunk App for Enterprise Security use Internet threat lists?
The Splunk App for Enterprise Security performs daily downloads of threat lists that are used to support the following correlation rules:
Network - Internet Proxy Server Activity - Rule Network - Known Web Attacker Activity - Rule Network - LogMeIn Activity - Rule Network - PirateBay Activity - Rule Network - RapidShare Activity - Rule Network - SANS Block List Activity - Rule Network - Spyware Activity - Rule Network - Tor Router Activity - Rule
Does Splunk App for Enterprise Security detect Personally Identifiable Information?
The Splunk App for Enterprise Security provides a correlation search,
Audit - Personally Identifiable Information Detection - Rule, to look for Personally Identifiable Information (PII) within log data. The search identify suspect integer sequences that could be credit card numbers, then passes them to the Luhn algorithm and an Issuer Identification Number (IIN) lookup to confirm before generating a notable event.
Note: This search is turned off by default in order to avoid inadvertent testing of integer sequences that match the format but are known not to be suspect. To enable the search, ensure that it will only review data where suspect integer sequences are possible.
The Luhn algorithm is used to validate identification numbers. Most commonly, it is used for credit card numbers. It is used to determine if numbers that look like credit card numbers actually are credit card numbers.
The issuers list matches credit card numbers (which match the Luhn algorithm) with the organization that has issued them.
The Luhn algorithm search can be tuned by copying the
[luhn_lookup] section from
$SPLUNK_HOME/etc/apps/SA-AuditAndDataProtection/ and tuning the
external_cmd field. The
offset are settings that help improve the detection of suspect sequences.
- separators specify what type of special characters may separate integer sequences
- minStrength tells the script to ignore any sequences that are not at least X integers in length
- maxStrength tells the script to ignore any sequences that exceed X integers in length
- offset tells the script to ignore the first X characters in its integer sequence evaluation
Search View matrix
This documentation applies to the following versions of Splunk® Enterprise Security: 3.0, 3.0.1