Splunk® App for PCI Compliance

User Manual

This documentation does not apply to the most recent version of Splunk® App for PCI Compliance. For documentation on the most recent version, go to the latest release.

Search View Matrix

Correlation search thresholds

The following table lists the correlation searches with adjustable thresholds:

Correlation search | Description | Default
Endpoint - Active Unremediated Malware Infection | Number of days that the device was unable to clean the infection | 3
Endpoint - Anomalous New Services | Number of new services | 9
Endpoint - Anomalous New Processes | Number of new processes | 9
Endpoint - Anomalous User Account Creation | Number of new processes in a 24 hr period | 3
Access - Brute Force Access Behavior Detected | Number of failures | 6
Access - Excessive Failed Logins | Number of authentication attempts | 6
Endpoint - High Number of Infected Hosts | Number of infected hosts | 100
Endpoint - Host with Excessive Number of Listening Ports | Number of listening ports | 20
Endpoint - Host with Excessive Number of Processes | Number of running processes | 200
Endpoint - Host with Excessive Number of Services | Number of running services | 100
Endpoint - Host with Multiple Infections | Total number of infections per host | > 1
Endpoint - Old Malware Infection | Number of days host had infection | 30 days
Endpoint - Recurring Malware Infection | Number of days that the device was re-infected | 3 days
Network - Substantial Increase in an Event | Number of events (self-baselines based on average) | 3 std. dev.
Network - Substantial Increase in Port Activity (by destination) | Number of targets (self-baselines based on average) | 3 std. dev.
Network - Vulnerability Scanner Detection (by event) | Number of unique events | 25
Network - Vulnerability Scanner Detection (by targets) | Number of unique targets | 25

Visible searches

These searches support dashboard panels in the user interface.

It is not possible to disable PCI Compliance Posture, Incident Review, and Auditing in the Configure > Domains and Dashboards tool.

PCI Compliance & Incident Review dashboards

Search \ Dashboard | PCI Compliance Posture | Incident Review
PCI - Notable Events X X
PCI - Notable Events History X
PCI - Compliance Status History X
PCI - Compliance Status History Summary Gen X
PCI - View Activity X

Requirement 1 Reports

Search \ Dashboard | Firewall Rule Activity | Network Traffic Activity | Prohibited Services
Network - All Communication - Base X X
Network - Communication Rule Tracker - Lookup Gen X
Network - Communication Rule Tracker - Summary Gen X
Network - All Communication - Summary Gen X
PCI - Notable Events X X
PCI - Notable Events History X
Endpoint - Listening Ports Tracker - Lookup Gen X
Endpoint - Local Processes Tracker - Lookup Gen X
Endpoint - Services Tracker - Lookup Gen X

Requirement 2 Reports

Search \ Dashboard | Default Account Access | Insecure Authentication Attempts | Primary Functions | Prohibited Services | System Misconfigurations | Wireless Network Misconfigurations
Access - All Authentication - Base X X
PCI - Notable Events X X X X X
PCI - Notable Events History X
Access - All Authentication - Summary Gen X X
Access - Access App Tracker - Lookup Gen X X
Endpoint - Listening Ports Tracker - Lookup Gen X X
Endpoint - Local Processes Tracker - Lookup Gen X X
Endpoint - Services Tracker - Lookup Gen X X
Network - All IDS Attacks - Base X X
PCI - Interesting Event Daily Counts - Summary Gen X X
Network - Attack Tracker - Lookup Gen X X
Network - Vulnerability Signature Reference - Lookup Gen X X

Requirement 3 Reports

Search \ Dashboard | Credit Card Data Found
Network - All IDS Attacks - Base X
Network - All IDS Attacks - Summary Gen X
PCI - Notable Events X

Requirement 4 Reports

Search \ Dashboard | Credit Card Data Found
Network - All IDS Attacks - Base X
Network - All IDS Attacks - Summary Gen X
PCI - Notable Events X

Requirement 5 Reports

Search \ Dashboard | Endpoint Product Deployment | Endpoint Product Versions | Malware Activity | Malware Signature Updates
Endpoint - All Malware - Base X
Endpoint - Malware Product Version Tracker - Lookup Gen X X X
Endpoint - Malware Signature Update Tracker - Lookup Gen X
Endpoint - All Malware - Summary Gen X
Endpoint - Malware Tracker - Lookup Gen X

Requirement 6 Reports

Search \ Dashboard | Default Account Access | Patch Service Status | System Patch Status | Anomalous System Uptime
PCI - 6.1 - Anomalous Update Service by System Count - Summary Gen X
Access - All Authentication - Base X
Access - All Authentication - Summary Gen X
Access - Access App Tracker - Lookup Gen X
PCI - Notable Events X X
Endpoint - System Update Tracker - Lookup Gen X
PCI - System Patch Status X
Endpoint - System Uptime Tracker - Lookup Gen X

Requirement 7 Reports

Search \ Dashboard | PCI Resource Access
Access - All Authentication - Base X
Access - All Authentication - Summary Gen X
Access - Access App Tracker - Lookup Gen X

Requirement 8 Reports

Search \ Dashboard | Default Account Access | PCI Resource Access
Access - All Authentication - Base X X
PCI - Notable Events X
Access - All Authentication - Summary Gen X X
Access - Access App Tracker - Lookup Gen X X

Requirement 10 Reports

Search \ Dashboard | PCI Resource Access | PCI Asset Logging | Endpoint Changes | System Time Synchronization | Privileged User Activity
Access - All Authentication - Base X
Access - All Authentication - Summary Gen X
Access - Access App Tracker - Lookup Gen X
Endpoint - All Endpoint Changes - Summary Gen X
Endpoint - Time Sync Tracker - Lookup Gen X

Requirement 11 Reports

Search \ Dashboard | Endpoint Changes | Vulnerability Scan Detail | Rogue Wireless Access Point Detection | IDS/IPS Alert Activity
Endpoint - All Endpoint Changes - Summary Gen X
Network - All Vulnerabilities - Base X
Network - Vulnerability Tracker - Lookup Gen X
Network - All IDS Attacks - Base X X
PCI - Interesting Event Daily Counts - Summary Gen X
PCI - Notable Events X X
Network - Attack Tracker - Lookup Gen X
Network - Vulnerability Signature Reference - Lookup Gen X

Solution Audit Reports

Search \ Dashboard | Incident Review Audit | Suppression Audit | Forwarder Audit | Search Audit | View Audit | Data Protection
Threat - Suppressed Notables - Summary Gen X
Audit - Expected Views Tracker - Lookup Gen X
Audit - Host Event Count over Time - Summary Gen X
Audit - Correlated Event Tampering - Summary Gen X
Audit - Audit Tampering - Summary Gen X

Invisible searches

These are support searches and correlation searches that generate notable events; they are not used directly by any dashboard.

  • Access - Account Deleted - Rule
  • Access - Brute Force Access Behavior Detected - Rule
  • Access - Cleartext Password At Rest - Rule
  • Access - Completely Inactive Account - Rule
  • Access - Default Account Usage - Rule
  • Access - Default Accounts At Rest - Rule
  • Access - Excessive Failed Logins - Rule
  • Access - Inactive Account Usage - Rule
  • Access - Insecure or Cleartext Authentication Detected - Rule
  • Audit - Anomalous Audit Trail Activity Detected - Rule
  • Audit - Expected Host Not Reporting - Rule
  • Audit - Personally Identifiable Information Detection - Rule
  • PCI - 6.1 - Anomalous Update Service Detected - Rule
  • PCI - 6.1 - High/Critical Update Missing - Rule
  • Endpoint - Recurring Malware Infection - Rule
  • PCI - 5.2 - Inactive Antivirus Client Detected - Rule
  • PCI - 2.2.1 - Multiple Primary Functions - Rule
  • PCI - 5.2 - Possible Outbreak Observed - Rule
  • PCI - 2.2.4 - Prohibited or Insecure Port Detected - Rule
  • PCI - 2.2.4 - Prohibited or Insecure Process Detected - Rule
  • PCI - 2.2.4 - Prohibited or Insecure Service Detected - Rule
  • Endpoint - Should Timesync Host Not Syncing - Rule
  • PCI - 1.1.4 - Asset Ownership Unspecified - Rule
  • PCI - 4.1 - Credit Card Data Transmitted in Clear - Rule
  • Network - Policy Or Configuration Change - Rule
  • PCI - 1.2.2 - Secure and synchronize router configuration files - Rule
  • PCI - 11.1 - Rogue Wireless Device - Rule
  • PCI - 2.2.2 - System Misconfigured - Rule
  • PCI - 2.2.3 - Unauthorized Wireless Device Detected - Rule
  • PCI - 1.3.3 - Unauthorized or Insecure Communication Permitted - Rule
  • PCI - 2.1.1 - Unencrypted Traffic on Wireless Network - Rule
  • Network - Vulnerability Scanner Detection (by event) - Rule
  • Network - Vulnerability Scanner Detection (by targets) - Rule
  • Threat - Watchlisted Events - Rule
Last modified on 26 October, 2015

This documentation applies to the following versions of Splunk® App for PCI Compliance: 2.1.1
