Updates to detection rules and reports by requirements
The following table lists updates to the detection rules and reports by requirements for PCI DSS 3.2.1 to PCI DSS 4.0 governance controls, effective from March 2024.
| PCI requirement | Detection rule or report updated | PCI DSS 3.2.1 | PCI DSS 4.0 |
|---|---|---|---|
| Requirement 1 | Network - Policy Or Configuration Change - Rule | 1.1.1 | 1.2.1,1.2.2 |
| Asset - Asset Ownership Unspecified - Rule | 1.1.4 | 1.1.4 | |
| Network - Network Device Rebooted - Rule | 1.2.2 | 1.2.2 | |
| PCI - Unauthorized Wireless Device Detected - Rule | 1.2.3 | 1.3.1, 1.3.2 | |
| PCI - Unauthorized or Insecure Communication Permitted - Rule | 1.2.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5 | 1.2.8 | |
| Network Traffic Activity Report | 1.1.3, 1.2.1, 1.3* | 1.2.1 | |
| Prohibited Services Report | 1.1.5 & 2.2.2 | 1.2.5 | |
| Inbound traffic from untrusted network to trusted network - Rule | 1.4.2 | ||
| Requirement 2 | Weak Encrypted Communication Detected - Rule | 2.2.3, 2.3.0 | 2.3.1 |
| System Misconfigured - Rule | 2.2.2, 2.2.3, 2.2.4 | 2.2.4 | |
| Prohibited or Insecure Port Detected - Rule | 2.2.4 | 2.2.4 | |
| Access - Default Account Usage - Rule | 2.1.0 | 2.2.2 | |
| Access - Default Accounts At Rest - Rule | 2.1.0 | 2.2.2 | |
| Access - Insecure Or Cleartext Authentication - Rule | 2.3.0 | 2.3.1 | |
| Endpoint - Multiple Primary Functions Detected - Rule | 2.2.1 | 2.2.3 | |
| Endpoint - Prohibited Process Detection - Rule | 2.2.2, 2.2.4 | 2.2.4 | |
| Endpoint - Prohibited Service Detection - Rule | 2.2.2, 2.2.4 | 2.2.4 | |
| Default Access Account Report | 2.1, 6.3.1*, 8.5.8 | 2.2.2* | |
| Primary Functions Report | 2.2.1 | 2.2.3 | |
| Prohibited Services Report | 1.1.5, 2.2.2 | 1.2.5 | |
| System Misconfigurations Report | 2.2.3, 2.2.4 | 2.2.4 | |
| Weak Encrypted Communication Report | 2.2.3, 2.3, 4.1 | 2.3.1, 4.1 | |
| Wireless Network Misconfigurations Report | 2.1.1, 4.1.1, 1.1.1 | 4.2.1, 4.1* | |
| Requirement 3 | PCI - Credit Card Data Transmitted In Clear - Rule | 3.3.0 | 3.4.1 |
| Audit - Personally Identifiable Information Detection - Rule | 3.4.d | 3.5.1, 3.5.1.1 | |
| Credit Card Data Found Report | 3.3, 4.1, 4.2 | 3.4*, 4.1*, 4.2* | |
| Requirement 4 | PCI - Unencrypted Traffic on Wireless Network - Rule | 4.1.1 | 4.1, 4.2.1 |
| PCI - Weak Encrypted Communication Detected - Rule | 4.1 | 4.1 | |
| PCI - Credit Card Data Transmitted In Clear - Rule | 4.1 | 4.2.1, 4.2.2, 4.1, 4.2 | |
| Endpoint - Prohibited Process Detection - Rule | 4.2 | 4.1 | |
| Endpoint - Prohibited Service Detection - Rule | 4.1 | 4.1 | |
| Weak Encrypted Communication Report | 2.2.3, 2.3, 4.1 | 2.3.1, 4.1 | |
| Credit Card Data Found Report | 3.3, 4.1, 4.2 | 3.4*, 4.1*, 4.2* | |
| Requirement 5 | Anomalous New Processes - Rule | 5.1.2 | 5.1 |
| Anomalous New Services - Rule | 5.1.2 | 5.1 | |
| Substantial Increase in an Event - Rule | 5.1.2 | 5.1 | |
| Intrusion detection data is not ingested in the last 1 hour - Rule | 5.3.4 | ||
| Anti-malware scan incomplete or did not run - Rule | 5.3.2c | ||
| Anti-malware data or definitions that are NOT up to date - Rule | 5.3.1b | ||
| Disabled anti-malware on host - Rule | 5.3.2b | ||
| Anti-malware scan results not found for host - Rule | 5.3.2.1b | ||
| Anti-malware disabled on host with removable electronic media connected - Rule | 5.3.3b | ||
| Anti-malware solution(s) not detected on system - Rule | 5.2.1a 5.2.3c | ||
| Requirement 6 | PCI - Anomalous Update Service Detected - Rule | 6.1 | 6.2.4 |
| PCI - High/Critical Update Missing - Rule | 6.1 | 6.2.4 | |
| Access - Brute Force Access Behavior Detected - Rule | 6.2.4 | ||
| Access - Default Account Usage - Rule | 6.3.1 | 6.3.1 | |
| Access - Excessive Failed Logins - Rule | 6.2.4 | ||
| Access - Inactive Account Usage - Rule | 6.2.4 | ||
| Default Access Account Report | |||
| Detects open critical vulnerabilities in the last 30 days - Rule | |||
| No vulnerability logging with patch info in last 7 days - Rule | 6.4.1 | ||
|
Medium and low security in more than 30 days - Rule |
6.3.3.a | ||
| Open High Vulnerabilities in the last 60 days - Rule | 6.3 | ||
| Open Critical Vulnerabilities in the last 30 days - Rule | 6.3 | ||
| Web data was not logged in last 7 days - Rule | 6.4.2 | ||
| Update Service Status Report - Rule | |||
| Requirement 8 | Completely Inactive Account - Rule | 8.1.4 | 8.2.6 |
| Activity from Expired User Identity - Rule | 8.2.5.a | ||
| Default Access Account Report | 2.1, 6.3.1* , 8.5.8 | 2.2.2* | |
| Addition of user IDs without approvals - Rule | 8.2.4 | ||
| Modification of user IDs without approvals - Rule | 8.2.4 | ||
| Deletion of user IDs without approvals - Rule | 8.2.4 | ||
| Sample set of users showing password changes for every 90 days - Rule | 8.3.10.1 | ||
| All Authentication without multi-factor - Rule | 8.3 | ||
| User account lockout after 10 invalid login attempt - Rule | 8.3.4a | ||
| MFA replay attack detected - Rule | 8.5 | ||
| Access to CDE without MFA/2FA (Alert) - Rule | 8.4.1a 8.4.2b | ||
| Requirement 10 | PCI - Expected Host Not Reporting - Rule | 10.1 | 10.2.1, 10.2.1.3 |
| Audit - Anomalous Audit Trail Activity Detected - Rule | 10.2.6 | 10.6 | |
| Audit - Expected Host Not Reporting - Rule | 10.1 | 10.2.1, 10.2.1.3 | |
| Endpoint - Should Timesync Host Not Syncing - Rule | 10.4 | 10.4.1, 10.6.1 | |
| Data logging for all the listed solution in last 6 hrs - Rule | 10.7 | ||
| PCI Admin Audit Report | |||
| Requirement 11 | PCI - Rogue Wireless Device - Rule | 11.1 | 11.2.1 |
| Rogue Wireless Access Point Detection | 11.1 | 11.2.1 | |
| Vulnerability scan is older than 3 months - Rule | 11.3.1 | ||
| Open High Vulnerabilities in the last 60 days - Rule | 11.3 | ||
| Open Critical Vulnerabilities in the last 30 days - Rule | |||
| Detects open critical vulnerabilities in the last 30 days - Rule | 11.3 | ||
| Vulnerability Operations Report | |||
| New panel Vulnerability by Severity added to the dashboard Vulnerability Scan Details. |
Last modified on 25 March, 2024
| Detection rules for PCI compliance monitoring | FAQ |
This documentation applies to the following versions of Splunk® App for PCI Compliance: 5.3.1, 5.3.2
Download manual
Feedback submitted, thanks!