Splunk® Enterprise Security

Use Splunk Enterprise Security


Does Splunk App for Enterprise Security use Internet threat lists?

The Splunk App for Enterprise Security performs daily downloads of threat lists that are used to support the following correlation rules:

   Network - Internet Proxy Server Activity - Rule
   Network - Known Web Attacker Activity - Rule
   Network - LogMeIn Activity - Rule
   Network - PirateBay Activity - Rule
   Network - RapidShare Activity - Rule
   Network - SANS Block List Activity - Rule
   Network - Spyware Activity - Rule
   Network - Tor Router Activity - Rule

See "Configure threat lists" in the Splunk App for Enterprise Security Installation and Configuration Manual for more information about threat lists.

Does Splunk App for Enterprise Security detect Personally Identifiable Information?

The Splunk App for Enterprise Security provides a correlation search, Audit - Personally Identifiable Information Detection - Rule, to look for Personally Identifiable Information (PII) within log data. The search identifies suspect integer sequences that could be credit card numbers, then passes them to the Luhn algorithm and an Issuer Identification Number (IIN) lookup to confirm them before generating a notable event.

Note: This search is turned off by default in order to avoid inadvertently testing integer sequences that match the format but are known not to be suspect. Before enabling the search, ensure that it will only review data in which suspect integer sequences are possible.

The Luhn algorithm is used to validate identification numbers, most commonly credit card numbers. It determines whether sequences that look like credit card numbers are actually well-formed credit card numbers.

The issuers list matches credit card numbers that pass the Luhn check with the organization that issued them.

The Luhn algorithm search can be tuned by copying the [luhn_lookup] section from default/transforms.conf to local/transforms.conf in $SPLUNK_HOME/etc/apps/SA-AuditAndDataProtection/ and tuning the external_cmd field. The separators, minStrength, maxStrength, and offset are settings that help improve the detection of suspect sequences.

  • separators specifies what type of special characters may separate integer sequences
  • minStrength tells the script to ignore any sequences that are not at least X integers in length
  • maxStrength tells the script to ignore any sequences that exceed X integers in length
  • offset tells the script to ignore the first X characters in its integer sequence evaluation

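
The detection pipeline described above (candidate integer sequences filtered by the separators, minStrength, maxStrength and offset settings, then the Luhn check and an issuer lookup), as an added example in Python rather than the app's own luhn_lookup script; the IIN table, the sample events and the function and parameter names are constructed for illustration.

```python
import re

# Constructed IIN table for illustration; ES ships its own issuers lookup.
IIN_LOOKUP = {"4": "visa (example)", "55": "mastercard (example)", "34": "amex (example)"}

def luhn_valid(digits):
    """True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2     # and fold two-digit results back to one digit
        total += d
    return total % 10 == 0

def issuer_for(digits):
    """Longest-prefix match of the number against the IIN table, or None."""
    for n in range(len(digits), 0, -1):
        if digits[:n] in IIN_LOOKUP:
            return IIN_LOOKUP[digits[:n]]
    return None

def find_suspect_pans(event, separators=" -", min_strength=13, max_strength=19, offset=0):
    """Apply the four luhn_lookup-style knobs to one event and return the
    (normalised number, issuer) pairs that pass both the Luhn check and the IIN lookup."""
    body = event[offset:]                                   # offset: skip the first X characters
    sep_class = f"[{re.escape(separators)}]?" if separators else ""
    candidate = re.compile(rf"\d(?:{sep_class}\d)*")        # digit runs, optionally separated
    hits = []
    for m in candidate.finditer(body):
        digits = re.sub(r"\D", "", m.group())               # strip the separators
        if not min_strength <= len(digits) <= max_strength: # minStrength / maxStrength
            continue
        if not luhn_valid(digits) or issuer_for(digits) is None:
            continue                                        # wrong checksum or unknown issuer
        hits.append((digits, issuer_for(digits)))
    return hits

# Constructed sample events (not real data); 4111... and 5500...0004 are published test numbers.
SAMPLE_EVENTS = [
    'user=alice msg="order placed card=4111-1111-1111-1111"',       # Luhn-valid, known IIN
    'user=bob msg="card=4111111111111112 declined"',                 # fails the Luhn check
    'user=carol msg="ref 1234567890123 card 5500 0000 0000 0004"',  # ref fails Luhn; card valid
    'user=dave msg="serial 9999999999999995"',                      # Luhn-valid but no IIN match
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(find_suspect_pans(ev))
```

Raising offset or minStrength on the same events shows how the knobs suppress matches without touching the Luhn or IIN logic.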
Last modified on 27 November, 2013

This documentation applies to the following versions of Splunk® Enterprise Security: 3.0, 3.0.1
