Splunk® App for PCI Compliance

Installation and Configuration Manual

This documentation does not apply to the most recent version of Splunk® App for PCI Compliance. For documentation on the most recent version, go to the latest release.

Prohibited Services

This report looks at prohibited services data produced by the services_tracker lookup. It reports on systems with prohibited services installed and running. Compromises often happen because of unused or insecure service and ports on systems within the cardholder environment or systems that have a communication path to cardholder systems.

These services and ports can have known vulnerabilities. A security hardening policy should be defined that clearly defines what services and protocols are allowed to run on each system. Organizations should test those systems periodically to ensure that they are patched appropriately and unauthorized services are disabled.

Relevant data sources

Relevant data sources for this report include service, process, and port data such as the Splunk Add-on for Unix and Linux or the Splunk Add-on for Microsoft Windows.

How to configure this report

  1. Index process, service, or port data in Splunk platform.
  2. Map the data to the following Common Information Model fields. Map services fields to dest, StartMode. Map process fields to dest, process. Map port fields: dest,dest_port,transport. CIM-compliant add-ons for these data sources perform this step for you.
  3. Configure the is_prohibited column in the Interesting [ports|processes|ports] lists with any service, process, or port considered prohibited.

Report description

The data in the Prohibited Services report is populated by three services_tracker lookups. One lookup is generated by the Endpoint - Local Processes Tracker - Lookup Gen saved search, a second by the Endpoint - Services Tracker - Lookup Gen saved search, and the third by the Endpoint - Listening Ports Tracker- Lookup Gen saved search. The `localprocesses_tracker`, `services_tracker` macros correlate process data with the asset and identity tables to pull in additional information.

This report includes three searches: Endpoint - Local Processes - Lookup Gen, Endpoint - Services Tracker - Lookup Gen, and Endpoint - Listening Ports Tracker- Lookup Gen.

Review each lookup generating search to learn more about the search schedule and time range.

Useful searches for troubleshooting

Troubleshooting Task Search/Action Expected Result
Verify that service, process, and/or port information has been indexed. sourcetype=<expected_st> Returns data from service, process, and/or port. For example, sourcetype=WMI:Service.
Verify that the service data has been normalized at search time correctly. sourcetype="*Service" | table dest, StartMode
or `service` | table dest, StartMode
Returns a table of all service events.
Verify that the process data has been normalized at search time correctly. sourcetype="*:LocalProcess" | table dest, process Returns a table of local process data.
Verify that the port data has been normalized at search time correctly. tag=listening tag=port | table dest,dest_port,transport
or `listeningports` | table dest,dest_port,transport
Returns a table of port data.
Verify that the service tracker file is getting created correctly. | inputlookup append=T services_tracker
or `services_tracker`
Returns data in the service tracker.
Verify that the process tracker file is getting created correctly. | inputlookup append=T localprocesses_tracker
or | `localprocesses_tracker`
Returns local processes data.
Verify that the port tracker file is getting created correctly. | inputlookup append=T localprocesses_tracker
or `listeningports_tracker`
Returns data in the port tracker.
Verify that the Interesting Services, Interesting Processes, and/or Interesting Ports lookups are populated with expected prohibited values. Open the lists in Configure > Content Management and click Interesting [ ports | processes | services ] and verify that the is_prohibited column is set to true.

Additional information

This report uses default source types that ship with the Splunk Add-on for Unix and Linux and the Splunk Add-on for Microsoft Windows.

Tracker files for this report are located:

  • $SPLUNK_HOME/etc/apps/SA-EndpointProtection/lookups/listeningports_tracker.csv
  • $SPLUNK_HOME/etc/apps/SA-EndpointProtection/lookups/services_tracker.csv
  • $SPLUNK_HOME/etc/apps/SA-EndpointProtection/lookups/localprocesses_tracker.csv
Last modified on 02 May, 2019
Primary Functions   System Misconfigurations

This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.5.0, 3.6.0, 3.6.1, 3.7.0, 3.7.1, 3.7.2, 3.8.0, 3.8.1, 4.0.0, 4.0.1, 4.1.0, 4.1.1, 4.3.0, 4.4.0, 4.4.1, 4.5.0 Cloud only, 4.6.0, 4.6.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters