Splunk® App for PCI Compliance

User Manual

This documentation does not apply to the most recent version of Splunk® App for PCI Compliance. For documentation on the most recent version, go to the latest release.

Search View Matrix

Correlation search thresholds

Some correlation searches in the Splunk App for PCI Compliance use the Extreme Search framework in Splunk Enterprise Security. Other correlation searches use query-defined thresholds. See Extreme Search in the Splunk Enterprise Security User Manual for more.

Dashboard searches

These searches support dashboard panels in the user interface. Most dashboard panels are populated with data from data model acceleration, but some dashboards are populated by saved searches.

Requirement 1 Reports

Search or Dashboard Firewall Rule Activity Network Traffic Activity Prohibited Services
Network - Communication Rule Tracker - Lookup Gen X
Endpoint - Listening Ports Tracker - Lookup Gen X
Endpoint - Local Processes Tracker - Lookup Gen X
Endpoint - Services Tracker - Lookup Gen X

Requirement 2 Reports

Search or Dashboard Default Account Access Insecure Authentication Attempts Primary Functions Prohibited Services System Misconfigurations Wireless Network Misconfigurations Weak Encrypted Communication PCI System Inventory
Endpoint - Listening Ports Tracker - Lookup Gen X X X
Endpoint - Local Processes Tracker - Lookup Gen X X
Endpoint - Services Tracker - Lookup Gen X X

Requirement 3 Reports

The Intrusion Detection data model populates these dashboards.

Requirement 4 Reports

The Certificate data model populates these dashboards.

Requirement 5 Reports

The Malware data model populates these dashboards.

Requirement 6 Reports

The Performance and Authentication data models populate these dashboards.

Requirement 7 Reports

The Authentication data model populates these dashboards.

Requirement 8 Reports

The Authentication data model populates these dashboards.

Requirement 10 Reports

The Change Analysis, Authentication, and Performance data models populate these dashboards.

Requirement 11 Reports

The Change Analysis, Intrusion Detection, and Vulnerabilities data models populate these dashboards.

Searches that create notable events

Many of the searches in the Splunk App for PCI Compliance create notable events and are not used by dashboards.

  • Access - Account Deleted - Rule
  • Access - Brute Force Access Behavior Detected - Rule
  • Access - Cleartext Password At Rest - Rule
  • Access - Completely Inactive Account - Rule
  • Access - Default Account Usage - Rule
  • Access - Default Accounts At Rest - Rule
  • Access - Excessive Failed Logins - Rule
  • Access - Inactive Account Usage - Rule
  • Access - Insecure or Cleartext Authentication Detected - Rule
  • Audit - Anomalous Audit Trail Activity Detected - Rule
  • Audit - Expected Host Not Reporting - Rule
  • Audit - Personally Identifiable Information Detection - Rule
  • PCI - 6.1 - Anomalous Update Service Detected - Rule
  • PCI - 6.1 - High/Critical Update Missing - Rule
  • Endpoint - Recurring Malware Infection - Rule
  • PCI - 5.2 - Inactive Antivirus Client Detected - Rule
  • PCI - 2.2.1 - Multiple Primary Functions - Rule
  • PCI - 5.2 - Possible Outbreak Observed - Rule
  • PCI - 2.2.4 - Prohibited or Insecure Port Detected - Rule
  • PCI - 2.2.4 - Prohibited or Insecure Process Detected - Rule
  • PCI - 2.2.4 - Prohibited or Insecure Service Detected - Rule
  • Endpoint - Should Timesync Host Not Syncing - Rule
  • PCI - 1.1.4 - Asset Ownership Unspecified - Rule
  • PCI - 4.1 - Credit Card Data Transmitted in Clear - Rule
  • Network - Policy Or Configuration Change - Rule
  • PCI - 1.2.2 - Secure and synchronize router configuration files - Rule
  • PCI - 11.1 - Rogue Wireless Device - Rule
  • PCI - 2.2.2 - System Misconfigured - Rule
  • PCI - 2.2.3 - Unauthorized Wireless Device Detected - Rule
  • PCI - 1.3.3 - Unauthorized or Insecure Communication Permitted - Rule
  • PCI - 2.1.1 - Unencrypted Traffic on Wireless Network - Rule
  • Network - Vulnerability Scanner Detection (by event) - Rule
  • Network - Vulnerability Scanner Detection (by targets) - Rule
  • Network - Substantial Increase in an Event - Rule
  • Threat - Watchlisted Events - Rule
Last modified on 12 April, 2017
Asset and Identity Correlation   Search macros

This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.3.0, 3.3.1, 3.3.2, 3.3.3


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters