Splunk® App for PCI Compliance

Installation and Configuration Manual

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of Splunk® App for PCI Compliance. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Patch Service Status

This report collects data on the patch service on cardholder systems and uses the information from the antimalware solution to display a list of the systems within the PCI environment that are updating their signatures appropriately. Use this report to identify systems that have not updated their malware signatures as required.

The best antimalware software has limited effectiveness if it does not have current signatures or if it is not active in the network or on an individual's computer. The PCI DSS standard requires that the antimalware tools are current, which includes the signatures used to detect localized threats.

Relevant data sources

Relevant data sources for this report include patch service data (for example, linux_base, Splunk_TA_windows).

How to configure this report

1. Index service data from the systems monitored in Splunk Enterprise.

2. Map the service data to use the following Common Information Model fields:

  dest, app, StartMode

3. Tag the patch service data by applying a tag of automatic and update.

For example:
[app=wuauserv]
automatic = enabled
update = enabled

4. Set the should_update column of the assets table to true for any asset that should be evaluated for patch service status.

5. Configure the Interesting Services list to include the name of the service that should be evaluated and set the is_required field to true. Use the dest and dest_pci_domain fields to determine what systems should be evaluated.

Report description

The data in the Patch Service Status report is populated by an ad hoc search that runs against the pci_req6_summary summary index.

Pci-patch service status.png

The Endpoint - Services Tracker - Lookup Gen search runs on an offset 20 minute schedule and looks at minutes of data.

Schedule 55 0 * * * Runs on an offset 50 minute schedule.
Report Window -65m@m to -5m@m Looks at 60 minutes of data.

Note: The report window stops at 5 minutes ago because some data sources may not have provided complete data in a more recent time frame.

The PCI - 6.1 - Anomalous Update Service by System Count - Summary Gen runs on 55 minute cycle.

Useful searches/Troubleshooting

Troubleshooting Task Search/Action Expected Result
Verify that patch service data is available. sourcetype="*:Service" | stats count by app

Look for the name of the service that represents the patch product used in the customer environment

Returns patch service data.
Verify that fields are normalized and available as expected. sourcetype="*:Service" | table app, dest Returns a table of patch service status activity fields.
Verify that the service tracker file is populated as expected. | inputlookup append=T services_tracker Returns data in the services_tracker.
Verify that the Anomalous Update Service by System Count summary is created and has the expected data. `get_summary(pci_req6_summary,PCI - 6.1 - Anomalous Update Service by System Count - Summary Gen)` Returns data in the pci_req6_summary index.
Last modified on 26 October, 2015
PREVIOUS
Malware Signature Updates
  NEXT
System Patch Status

This documentation applies to the following versions of Splunk® App for PCI Compliance: 2.1.1


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters