Enterprise Security Archives -

Detect Credit Card Numbers using Luhn Algorithm

Description Detect if any log file in Splunk contains Credit Card numbers.

index=* ((source IN("*.log","*.bak","*.txt", "*.csv","/tmp*","/temp*","c:\tmp*")) OR (tag=web dest_content=*))
| eval comment="Match against the simple CC regex to narrow down the events in the lookup" 
| rex max_match=1 "[\"\s\'\,]{0,1}(?<CCMatch>[\d.\-\s]{11,24})[\"\s\'\,]{0,1}"
| where isnotnull(CCMatch) 
| eval comment="Apply the LUHN algorithm to see if the CC number extracted is valid" 
| eval cc=tonumber(replace(CCMatch,"[ -\.]",""))
| eval comment="Lower min to 11 to find additional CCs which may pick up POSIX timestamps as well."
| where len(cc)>=14 AND len(cc)<=16
| eval cc=printf("%024d", cc)
| eval ccd=split(cc,"") 
| foreach 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0 [
| eval ccd_reverse=mvappend(ccd_reverse,mvindex(ccd,<<FIELD>>))
]
| rename ccd_reverse AS ccd
| eval cce=mvappend(mvindex(ccd,0),mvindex(ccd,2),mvindex(ccd,4),mvindex(ccd,6),mvindex(ccd,8),mvindex(ccd,10),mvindex(ccd,12),mvindex(ccd,14),mvindex(ccd,16),mvindex(ccd,18),mvindex(ccd,20),mvindex(ccd,22),mvindex(ccd,24)) 
| eval cco=mvappend(mvindex(ccd,1),mvindex(ccd,3),mvindex(ccd,5),mvindex(ccd,7),mvindex(ccd,9),mvindex(ccd,11),mvindex(ccd,13),mvindex(ccd,15),mvindex(ccd,17),mvindex(ccd,19),mvindex(ccd,21),mvindex(ccd,23)) 
| eval cco2=mvmap(cco,cco*2) 
| eval cco2HT10=mvfilter(cco2>9) 
| eval cco2LT10=mvfilter(cco2<=9) 
| eval cco2LH10dt=mvmap(cco2HT10,cco2HT10-9) 
| fillnull value=0 cco2LT10 cco2LH10dt 
| eventstats sum(cce) as t1 sum(cco2LT10) as t2 sum(cco2LH10dt) as t3 BY cc 
| eval totalChecker=t1+t2+t3 
| eval CCIsValid=if((totalChecker%10)=0,"true","false")
| fields - cc ccd cce cco cco2 cco2HT10 cco2LT10 cco2LH10dt t1 t2 t3 totalChecker raw time
| where CCIsValid="true"
| eval comment="Find the field where we found the CC number" 
| foreach _raw * 
[
| eval CCStringField=if("<<FIELD>>"!="CCMatch" AND like('<<FIELD>>',"%".CCMatch."%"),"<<FIELD>>",CCStringField)
 ] 
| table _time CCMatch CCStringField source sourcetype host src dest http_user_agent

index=* ((source IN("*.log","*.bak","*.txt", "*.csv","/tmp*","/temp*","c:\tmp*")) OR (tag=web dest_content=*))

| eval comment="Match against the simple CC regex to narrow down the events in the lookup"

| rex max_match=1 "[\"\s\'\,]{0,1}(?<CCMatch>[\d.\-\s]{11,24})[\"\s\'\,]{0,1}"

| where isnotnull(CCMatch)

| eval comment="Apply the LUHN algorithm to see if the CC number extracted is valid"

| eval cc=tonumber(replace(CCMatch,"[ -\.]",""))

| eval comment="Lower min to 11 to find additional CCs which may pick up POSIX timestamps as well."

| where len(cc)>=14 AND len(cc)<=16

| eval cc=printf("%024d", cc)

| eval ccd=split(cc,"")

| foreach 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0 [

| eval ccd_reverse=mvappend(ccd_reverse,mvindex(ccd,<<FIELD>>))

]

| rename ccd_reverse AS ccd

| eval cce=mvappend(mvindex(ccd,0),mvindex(ccd,2),mvindex(ccd,4),mvindex(ccd,6),mvindex(ccd,8),mvindex(ccd,10),mvindex(ccd,12),mvindex(ccd,14),mvindex(ccd,16),mvindex(ccd,18),mvindex(ccd,20),mvindex(ccd,22),mvindex(ccd,24))

| eval cco=mvappend(mvindex(ccd,1),mvindex(ccd,3),mvindex(ccd,5),mvindex(ccd,7),mvindex(ccd,9),mvindex(ccd,11),mvindex(ccd,13),mvindex(ccd,15),mvindex(ccd,17),mvindex(ccd,19),mvindex(ccd,21),mvindex(ccd,23))

| eval cco2=mvmap(cco,cco*2)

| eval cco2HT10=mvfilter(cco2>9)

| eval cco2LT10=mvfilter(cco2<=9)

| eval cco2LH10dt=mvmap(cco2HT10,cco2HT10-9)

| fillnull value=0 cco2LT10 cco2LH10dt

| eventstats sum(cce) as t1 sum(cco2LT10) as t2 sum(cco2LH10dt) as t3 BY cc

| eval totalChecker=t1+t2+t3

| eval CCIsValid=if((totalChecker%10)=0,"true","false")

| fields - cc ccd cce cco cco2 cco2HT10 cco2LT10 cco2LH10dt t1 t2 t3 totalChecker raw time

| where CCIsValid="true"

| eval comment="Find the field where we found the CC number"

| foreach _raw *

[

| eval CCStringField=if("<<FIELD>>"!="CCMatch" AND like('<<FIELD>>',"%".CCMatch."%"),"<<FIELD>>",CCStringField)

]

| table _time CCMatch CCStringField source sourcetype host src dest http_user_agent

Continue Reading →

CrowdStrike Audit Event Correlation

Summary CrowdStrike creates logs in JSON format and sends 2 different datasets to the same sourcetype; security events from their detection tools and audit events from their management tool. These audit tools contain analyst data about when they mark events as true positive, and withing CrowdStrike these are joined with the security event itself. To […]

Continue Reading →

Listing incident review and the closing comments

index=_audit sourcetype="incident_review"
| table rule_name comment status
| rename rule_name as "Notable Event" comment as "Closing Comment" status as Status
| eval Status=if(Status=5,"Closed",if(Status=2,"In Progress","Not assigned"))
| dedup "Closing Comment"

index=_audit sourcetype="incident_review"

| table rule_name comment status

| rename rule_name as "Notable Event" comment as "Closing Comment" status as Status

| eval Status=if(Status=5,"Closed",if(Status=2,"In Progress","Not assigned"))

| dedup "Closing Comment"

Continue Reading →

List all ES Correlation Searches

Enterprise Security/ Fun Stuff & Helpful Hints
akhamis
16 0

| rest splunk_server=local count=0 /services/saved/searches 
| where match('action.correlationsearch.enabled', "1|[Tt]|[Tt][Rr][Uu][Ee]") 
| rex field=action.customsearchbuilder.spec "datamodel\\\":\s+\\\"(?<Data_Model>\w+)" 
| rex field=action.customsearchbuilder.spec "object\\\":\s+\\\"(?<Dataset>\w+)" 
| rename
    action.correlationsearch.label as Search_Name
    title as Rule_Name
    eai:acl.app as Application_Context
    request.ui_dispatch_app as UI_Dispatch_Context
    description as Description
    Data_Model as Guided_Mode:Data_Model
    Dataset as Guided_Mode:Dataset
    action.customsearchbuilder.enabled as Guided_Mode
    action.customsearchbuilder.spec as Guided_Mode:Search_Logic
    search as Search
    dispatch.earliest_time as Earliest_Time
    dispatch.latest_time as Latest_Time
    cron_schedule as Cron_Schedule
    schedule_window as Schedule_Window
    schedule_priority as Schedule_Priority
    alert_type as Trigger_Conditions:Trigger_Alert_When
    alert_comparator as Trigger_Conditions:Alert_Comparator
    alert_threshold as Trigger_Conditions:Alert_Threshold
    alert.suppress.period as Throttling:Window_Duration
    alert.suppress.fields as Throttling:Fields_To_Group_By
    action.notable.param.rule_title as Notable:Title
    action.notable.param.rule_description as Notable:Description
    action.notable.param.security_domain as Notable:Security_Domain
    action.notable.param.severity as Notable:Severity
    action.notable.param.default_owner as Notable:Default_Owner
    action.notable.param.default_status as Notable:Default_Status
    action.notable.param.drilldown_name as Notable:Drill-down_Name
    action.notable.param.drilldown_search as Notable:Drill-down_Search
    action.notable.param.drilldown_earliest_offset as Notable:Drill-down_Earliest_Offset
    action.notable.param.drilldown_latest_offset as Notable:drill-down_Latest_Offset
    action.notable.param.next_steps as Notable:Next_Steps
    action.risk.param._risk_score as Risk_Analysis:Risk_Score
    action.risk.param._risk_object as Risk_Analysis:Risk_Object_Field
    action.risk.param._risk_object_type as Risk_Analysis:Risk_Object_Type 
| eval Guided_Mode:Enabled = if(Guided_Mode == 1, "Yes", "No") 
| eval Real-time_Scheduling_Enabled = if(realtime_schedule == 1, "Yes", "No") 
| table
    disabled 
    Search_Name,
    Rule_Name,
    Application_Context,
    UI_Dispatch_Context,
    Description,
    Guided_Mode:Enabled,
    Guided_Mode:Data_Model,
    Guided_Mode:Dataset,
    Guided_Mode:Search_Logic,
    Search,
    Earliest_Time,
    Latest_Time,
    Cron_Schedule,
    Real-time_Scheduling_Enabled,
    Schedule_Window,
    Schedule_Priority,
    Trigger_Conditions:Trigger_Alert_When,
    Trigger_Conditions:Alert_Comparator,
    Trigger_Conditions:Alert_Threshold,
    Throttling:Window_Duration,
    Throttling:Fields_To_Group_By,
    Notable:Title,
    Notable:Description,
    Notable:Security_Domain,
    Notable:Severity,
    Notable:Default_Owner,
    Notable:Default_Status,
    Notable:Drill-down_Name,
    Notable:Drill-down_Search,
    Notable:Drill-down_Earliest_Offset,
    Notable:drill-down_Latest_Offset,
    Notable:Next_Steps,
    Risk_Analysis:Risk_Score,
    Risk_Analysis:Risk_Object_Field,
    Risk_Analysis:Risk_Object_Type

| rest splunk_server=local count=0 /services/saved/searches

| where match('action.correlationsearch.enabled', "1|[Tt]|[Tt][Rr][Uu][Ee]")

| rex field=action.customsearchbuilder.spec "datamodel\\\":\s+\\\"(?<Data_Model>\w+)"

| rex field=action.customsearchbuilder.spec "object\\\":\s+\\\"(?<Dataset>\w+)"

| rename

action.correlationsearch.label as Search_Name

title as Rule_Name

eai:acl.app as Application_Context

request.ui_dispatch_app as UI_Dispatch_Context

description as Description

Data_Model as Guided_Mode:Data_Model

Dataset as Guided_Mode:Dataset

action.customsearchbuilder.enabled as Guided_Mode

action.customsearchbuilder.spec as Guided_Mode:Search_Logic

search as Search

dispatch.earliest_time as Earliest_Time

dispatch.latest_time as Latest_Time

cron_schedule as Cron_Schedule

schedule_window as Schedule_Window

schedule_priority as Schedule_Priority

alert_type as Trigger_Conditions:Trigger_Alert_When

alert_comparator as Trigger_Conditions:Alert_Comparator

alert_threshold as Trigger_Conditions:Alert_Threshold

alert.suppress.period as Throttling:Window_Duration

alert.suppress.fields as Throttling:Fields_To_Group_By

action.notable.param.rule_title as Notable:Title

action.notable.param.rule_description as Notable:Description

action.notable.param.security_domain as Notable:Security_Domain

action.notable.param.severity as Notable:Severity

action.notable.param.default_owner as Notable:Default_Owner

action.notable.param.default_status as Notable:Default_Status

action.notable.param.drilldown_name as Notable:Drill-down_Name

action.notable.param.drilldown_search as Notable:Drill-down_Search

action.notable.param.drilldown_earliest_offset as Notable:Drill-down_Earliest_Offset

action.notable.param.drilldown_latest_offset as Notable:drill-down_Latest_Offset

action.notable.param.next_steps as Notable:Next_Steps

action.risk.param._risk_score as Risk_Analysis:Risk_Score

action.risk.param._risk_object as Risk_Analysis:Risk_Object_Field

action.risk.param._risk_object_type as Risk_Analysis:Risk_Object_Type

| eval Guided_Mode:Enabled = if(Guided_Mode == 1, "Yes", "No")

| eval Real-time_Scheduling_Enabled = if(realtime_schedule == 1, "Yes", "No")

| table

disabled

Search_Name,

Rule_Name,

Application_Context,

UI_Dispatch_Context,

Description,

Guided_Mode:Enabled,

Guided_Mode:Data_Model,

Guided_Mode:Dataset,

Guided_Mode:Search_Logic,

Search,

Earliest_Time,

Latest_Time,

Cron_Schedule,

Real-time_Scheduling_Enabled,

Schedule_Window,

Schedule_Priority,

Trigger_Conditions:Trigger_Alert_When,

Trigger_Conditions:Alert_Comparator,

Trigger_Conditions:Alert_Threshold,

Throttling:Window_Duration,

Throttling:Fields_To_Group_By,

Notable:Title,

Notable:Description,

Notable:Security_Domain,

Notable:Severity,

Notable:Default_Owner,

Notable:Default_Status,

Notable:Drill-down_Name,

Notable:Drill-down_Search,

Notable:Drill-down_Earliest_Offset,

Notable:drill-down_Latest_Offset,

Notable:Next_Steps,

Risk_Analysis:Risk_Score,

Risk_Analysis:Risk_Object_Field,

Risk_Analysis:Risk_Object_Type

Continue Reading →

Sourcetype: Enterprise Security

Detect Credit Card Numbers using Luhn Algorithm

CrowdStrike Audit Event Correlation

Listing incident review and the closing comments

List all ES Correlation Searches