Splunk® App for PCI Compliance

Release Notes

This documentation does not apply to the most recent version of Splunk® App for PCI Compliance. For documentation on the most recent version, go to the latest release.

Release Notes for the Splunk App for PCI Compliance

Splunk App for PCI Compliance version 4.4.0 includes the following enhancements.

New Feature or Enhancement Description
PCI Scorecards include both risk and notable events New panels include Risk Modifiers by Severity and Risk Modifiers over Time in all the scorecards. See Scorecards in the Splunk App for PCI Compliance User Manual.
PCI Reports include the Recent Risk Modifiers panel The following reports include the new panel:
  • Prohibited Services
  • Network Traffic Activity
  • Default Account Access
  • Primary Functions
  • System Misconfigurations
  • Weak Encrypted Communication
  • Wireless Network Misconfigurations
  • Credit Card Data found
  • Malware Signature Updates
  • Update Service Status
  • Rogue Wireless Access Point Detection
  • IDS/IPS Alert Activity

See Reports in the Splunk App for PCI Compliance User Manual.

MITRE ATT&CK annotations in correlation searches for PCI The following MITRE ATT&CK annotations are pre-populated in the specified correlation searches:
  • Unauthorized or Insecure Communication Permitted - T1048, T1011
  • Prohibited or Insecure Port Detected - T1043, T1065
  • Weak Encrypted Communication Detected - T1022, T1001, T1032
  • Anomalous Update Service Detected - T1197, T1066
  • Privileged Authentication Without Multifactor Detected - T1111
Notable events disabled by default in correlation searches for PCI The following correlation searches that are used in PCI now have notable events disabled by default:
  • Access - Account Deleted - Rule
  • Access - Brute Force Access Behavior Detected - Rule
  • Access - Cleartext Password At Rest - Rule
  • Access - Default Account Usage - Rule
  • Access - Default Accounts At Rest - Rule
  • Audit - Anomalous Audit Trail Activity Detected - Rule
  • Endpoint - Should Timesync Host Not Syncing - Rule
  • Endpoint - High Number of Hosts Not Updating Malware Signatures - Rule
  • Network - Network Device Rebooted - Rule
  • Network - Substantial Increase in an Event - Rule
  • Network - Substantial Increase in Port Activity (By Destination) - Rule
  • Asset - Asset Ownership Unspecified - Rule

When you upgrade the PCI app, the savedsearches.conf file will be updated in the default directory. You need to recreate the notable alert in the correlation searches after upgrading the app.

To create a notable event, see Create a notable event in the Splunk App for PCI Compliance User Manual.

Default risk factor for PCI Source Enable the default risk factors designed for specific conditions to dynamically assign risk scores to risk objects and effectively isolate threats using Splunk App for PCI Compliance. See Use default risk factors in Splunk App for PCI Compliance in the Splunk App for PCI Compliance User Manual.
Governance lookups against risk events Two new fields are added to the data model in apps/SA-ThreatIntelligence/package/default/data/models/Risk.json for PCI governance values. The fields are governance and control. See Risk Analysis in the Splunk Developer Guide.
The Splunk App for PCI Compliance (for Splunk Enterprise) includes a behavior change for consistency in case-sensitive matching Reverse lookups are now case insensitive, so that the behavior is consistent with | search logic in the search bar. The lookup stanzas in transforms.conf are revised to include the flag for reverse_lookup_honor_case_sensitive_match = false.

The Splunk App for PCI Compliance (for Splunk Enterprise) includes framework improvements from the Splunk Enterprise Security framework.

Starting with version 6.1.x, Splunk Enterprise Security is supported on Python3 and requires a minimum of Splunk Enterprise 8.0.x. See Python with Splunk Enterprise Security in the Splunk Enterprise Python 3 Migration manual.

The installer package size is >500MB, which is larger than the default upload limit for installing apps from the SplunkWeb UI. See Install the Splunk App for PCI Compliance in the Installation and Configuration Manual.

Compatibility

See Install prerequisites in the Installation and Upgrade Manual for information about the Splunk App for PCI Compliance and compatibility with the Splunk platform and Splunk Enterprise Security.

Support

Last modified on 10 November, 2020
  Splunk App for PCI Compliance Fixed Issues

This documentation applies to the following versions of Splunk® App for PCI Compliance: 4.4.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters