This documentation does not apply to the most recent version of Splunk® App for PCI Compliance.
For documentation on the most recent version, go to the latest release.
Dashboard Requirements Matrix
In order to be displayed in the Splunk App for PCI Compliance dashboards, data must conform to the requirements specified in these tables. The tags, fields, and source types required by each dashboard and panel are shown. When certain fields are omitted, they are automatically replaced with default values (such as unknown). The rest of the data must still meet the source type and tag requirements for the dashboards.
Note: By default, the tags in the "Tags" column use an AND unless specifically defined.
R1: Network Traffic
| Name | Fields | Tags |
|---|---|---|
| Firewall Rule Activity | ||
| Activity by Month | rule,dvc,vendor_product | network, communicate |
| Network Traffic Activity | ||
| Traffic by Source and Destination Domain | action,src,dest,transport,dest_port | network, communicate |
| Recent Notable Events | Depends on notable events created by correlation searches | |
| Traffic Detail | action,src,dest,transport,dest_port | network, communicate |
| Prohibited Services | ||
| Notable Events by Status (Last 30 days) | Depends on notable events created by correlation searches | |
| Recent Notable Events | Depends on notable events created by correlation searches | |
| Service Details * Since this is based on the assets list and the interesting processes lookup, these lists need to be populated to make this scorecard work. |
dest,app | sourcetype="*:LocalProcesses" OR sourcetype=ps |
R2: Default Configurations
| Name | Fields | Tags |
|---|---|---|
| Default Account Access | ||
| Default Account Access over Time Accounts will only appear here if the account is a default account as defined by the identities lookup (and has a category of default).
|
action,app,src,src_user,dest,user | authentication (excluding events with action=success and a user field ending in $) |
| Recent Notable Events | Depends on notable events created by correlation searches | |
| Default Account Access Details Accounts will only appear here if the account is a default account as defined by the identities lookup (has a category of default). |
action,app,src,src_user,dest,user | authentication (excluding events with action=success and a user field ending in $) |
| Insecure Authentication Attempts | ||
| Insecure Authentication Attempts | action,app,src,src_user,dest,user | authentication (excluding events with action=success and a user field ending in $) |
| Primary Functions | ||
| Primary Function Summary Based is based on the primary functions and assets lookups. These will be needed to use this dashboard. |
function | (listening, port) or (sourcetype=":Service") or (sourcetype=":LocalProcesses" OR sourcetype=ps) |
| Recent Notable Events | Depends on notable events created by correlation searches | |
| Primary Function Details Based is based on the primary functions and assets lookups. These will be needed to use this dashboard. |
ip mac nt_host dns owner category pci_domain process service port function | (listening, port) or (sourcetype=":Service") or (sourcetype=":LocalProcesses" OR sourcetype=ps) |
| Prohibited Services | ||
| Notable Events by Status (Last 30 days) | Depends on notable events created by correlation searches | |
| Recent Notable Events | Depends on notable events created by correlation searches | |
| Service Details Uses information from the assets list, interesting services, interesting processes lookups |
ip mac nt_host dns owner category pci_domain process service port | (listening, port) or (sourcetype=":Service") or (sourcetype=":LocalProcesses" OR sourcetype=ps) |
| System Misconfigurations | ||
| Systems With Misconfigurations (Last 90 days) | dest | misconfiguration AND (ids attack) OR (network vulnerability report) |
| Recent Notable Events | Depends on notable events created by correlation searches | |
| System Misconfiguration Details | dest signature | misconfiguration AND (ids attack) OR (network vulnerability report) |
| Wireless Network Misconfigurations | ||
| Wireless Misconfigurations Summary (Last 90 days) |
dest | misconfiguration AND (ids attack) OR (network vulnerability report) |
| Recent Notable Events | Depends on notable events created by correlation searches | |
| Wireless Misconfigurations Detail | ndest signature | misconfiguration AND (ids attack) OR (network vulnerability report) |
R3: Protect Data at Rest
| Name | Fields | Tags |
|---|---|---|
| Credit Card Data Found | ||
| Credit Card Transmission Event Summary (by source) | src | network ids attack pii |
| Recent Notable Events | Depends on notable events created by correlation searches | |
| Credit Card Transmission Event Details | dvc, signature, src, dest | network ids attack pii |
R4: Protect Data in Motion
| Name | Fields | Tags |
|---|---|---|
| Credit Card Data Found | ||
| Credit Card Transmission Event Summary (by source) | src | network ids attack pii |
| Recent Notable Events | Depends on notable events created by correlation searches | |
| Credit Card Transmission Event Details | dvc, signature, src, dest | network ids attack pii |
R5: Anti-malware Protection
| Name | Fields | Tags |
|---|---|---|
| Endpoint Product Deployment | ||
| Missing Antivirus This panel uses the contents of the asset lookup and shows hosts that have not reported activity, indicating that they have malware protection (such as a signature update). |
ip mac nt_host dns owner requires_av category pci_domain | (endpoint application version) OR (endpoint application signature update) |
| Disabled Antivirus This panel uses the contents of the asset lookup and show systems that have not reported activity indicative of having working anti-virus protection (such as signature updates). |
ip mac nt_host dns owner requires_av category pci_domain | (endpoint application version) OR (endpoint application signature update) |
| Endpoint Product Versions | ||
| Summary | dest, product_version, vendor_product | (endpoint application version) OR (endpoint application signature update) |
| Details | vendor_product, product_version, dest, dest_category, dest_pci_domain | (endpoint application version) OR (endpoint application signature update) |
| Malware Activity | ||
| Malware Signature Updates | ||
| Anti-malware Signature Summary | signature_version dest vendor_product | (endpoint application version) OR (endpoint application signature update) |
| Recent Notable Events | Depends on notable events created by correlation searches | |
| Anti-malware Signature Details Relies on the contents of the assets lookup. |
dest vendor_product signature_version | (endpoint application version) OR (endpoint application signature update) |
R6: Patch Update Protection
| Name | Fields | Tags |
|---|---|---|
| Anomalous System Uptime | ||
| Anomalous System Uptime This panel users assets the lookup. |
SystemUpTime | uptime |
| Default Account Access | ||
| Default Account Access over Time Accounts will only appear here if the account is a default account as defined by the identities lookup (for example,has a category of default). |
action,app,src,src_user,dest,user | authentication (excluding events with action=success and a user field ending in $) |
| Recent Notable Events | Depends on notable events created by correlation searches | |
| Default Account Access Details Accounts will only appear here if the account is a default account as defined by the identities lookup (has a category of default). |
Fields: action,app,src,src_user,dest,user | authentication (excluding events with action=success and a user field ending in $) |
| Patch Service Status | ||
| Anomalous Update Service by System Count (Last 90 days) This panel uses the assets lookup. Hosts need to have is_required set to true and dest_should_update set to true. Furthermore, the interesting_services_lookup is also used to identified patch services. |
dest | Tags/Sourcetype: sourcetype="*:Service" tag::app=update |
| Recent Notable Events | Depends on notable events created by correlation searches | |
| Service Details This panel uses the assets lookup and the interesting services lookup. |
Fields: StartMode dest | Tags/Sourcetype: sourcetype="*:Service" tag::app=update |
| System Patch Status | ||
| System Patch Status This panel uses the assets lookup and the interesting services lookup. |
StartMode dest | Tags/Sourcetype: sourcetype="*:Service" tag::app=update |
R7: Access Monitoring
| Name | Fields | Tags |
|---|---|---|
| PCI Resource Access | ||
| user, action, app, src, src_user | authentication (excluding events with action=success and a user field ending in $) | |
R8: Activity Accountability
| Default Account Access | ||
|---|---|---|
| Default Account Access over Time Accounts will only appear here if the account is a default account as defined by the identities lookup (has a category of default). |
action,app,src,src_user,dest,user | authentication (excluding events with action=success and a user field ending in $) |
| Recent Notable Events | Depends on notable events created by correlation searches | |
| Default Account Access Details Accounts will only appear here if the account is a default account as defined by the identities lookup (has a category of default). |
action,app,src,src_user,dest,user | authentication (excluding events with action=success and a user field ending in $) |
| PCI Resource Access | ||
| user, action, app, src, src_user | authentication (excluding events with action=success and a user field ending in $) | |
R10: Cardholder Data
| Name | Fields | Tags |
|---|---|---|
| Endpoint Changes | ||
| Endpoint Changes | action, status, object_category, object, object_path, dest, user | endpoint change |
| PCI Asset Logging | ||
| PCI Resource Logging This panel works off the assets list. |
src | None necessary |
| PCI Resource Access | ||
| user, action, app, src, src_user | authentication (excluding events with action=success and a user field ending in $) | |
| Privileged User Activity | ||
| Privileged User Activity | ||
| event_id host sourcetype src_user user eventtype | privileged | |
| System Time Synchronization | ||
| System Time Synchronization Details This panel relies on the asset and identities lookups. |
dest | time synchronize |
R11: Vulnerability Testing
| Name | Fields | Tags |
|---|---|---|
| Endpoint Changes | ||
| Endpoint Changes | action, status, object_category, object, object_path, dest, user | endpoint change |
| Rogue Wireless Access Point Detection | ||
| Rogue Device History (Last 90 days) | dest | (ids attack rogue wireless) OR (network vulnerability report rogue wireless) |
| Recent Notable Events | Depends on notable events created by correlation searches | |
| Rogue Device Details | signature,dest,vendor_product | (ids attack rogue wireless) OR (network vulnerability report rogue wireless) |
| Vulnerability Report | ||
| cvss, severity, signature, dest | network vulnerability | |
| IDS/IPS Alert Activity | ||
| IDS/IPS Alert Activity over Time | severity | ids attack |
| Recent Notable Events | Depends on notable events created by correlation searches | |
| IDS/IPS Alert Activity Details | ids_type, severity, signature, src, dest | ids attack |
Audit
Incident Review Audit
| Panel | Tags | Fields |
|---|---|---|
| Review Activity by Reviewer over Time | default OR privileged | |
| Notable Events by Status | default OR privileged | |
| Top Reviewers | default OR privileged | |
| Recent Review Activity | default OR privileged |
Suppression Audit
| Panel | Tags | Fields |
|---|---|---|
| Currently Suppressed Events (Last 24 hours) | ||
| Suppressed Notable Event History | ||
| Suppression Management Activity | ||
| Expired Suppressions |
Forwarder Audit
| Panel | Tags | Fields |
|---|---|---|
| Host Event Count over Time | _time, app, view, user, host | |
| Hosts Not Reporting | host, user | |
| Splunkd Resource Utilization | _time, host | |
| Splunkd Anomalous StartMode | anomalous, avail, check, default, os, privileged, process, report, should_timesync, should_update |
Search Audit
| Panel | Tags | Fields |
|---|---|---|
| Search Activity by Type | default OR privileged | |
| Search Activity by user | user | |
| Search Activity by Expense | user |
View Audit
| Panel | Tags | Fields |
|---|---|---|
| Splunk App for Enterprise Security View Activity | ||
| Expanded View Activity | privileged OR default | |
| Expected View Scorecard | ||
| Recent Web Service Errors |
Data Protection
| Panel | Tags | Fields |
|---|---|---|
| Data Protection | ||
| Protecting Correlated Events with Event Hashing | ||
| Tampered Correlated Events | ||
| Protecting Event Data with IT Data Signing | ||
| Verifying Data Integrity Using IT Data Signing | id, date, _time, ip_address, host_name, MAC_address | |
| Protecting Splunk's Audit Data with Audit Signing | ||
| Verifying Splunk's Audit Data | gap, validity |
Resources
Identity Center
The Identity Center contents are based upon the identity list lookup file.
| Panel | Tags | Fields |
|---|---|---|
| Identities by Priority | priority | |
| Identities by Business Unit | bunit | |
| Identities by Category | category | |
| Identities |
Asset Center
The Asset Center contents are based upon the asset list lookup file.
| Panel | Tags | Fields |
|---|---|---|
| Assets by Priority | priority | |
| Assets by Business Unit | bunit | |
| Assets by Category | category | |
| Asset Information |
Last modified on 06 August, 2015
| FAQ | Common Information Model Field Reference |
This documentation applies to the following versions of Splunk® App for PCI Compliance: 2.1.1
Download manual
Feedback submitted, thanks!