Credit Card Data Found
This report looks at credit card data, found in motion or at rest, from IDS, IPS, and DLP systems to provide visibility into potentially unauthorized transmissions of credit card data over the network or to unauthorized removable storage devices. Use this report to identify the source of the transmission so it can be further investigated and fixed.
The cardholder data environment should be monitored for unauthorized egress transmission of credit card data using IDS, IPS, and DLP based technologies. PCI requires that cardholder data be protected from unauthorized access or distribution.
Relevant data sources
Relevant data sources for this report include alerts from IDS, IPS, or DLP solutions and from the Splunk Luhn-based log evaluation.
How to configure this report
Make sure the activity data you are monitoring conforms to the Common Information Model.
1. Index DLP, IDS, IPS, or other data that indicates discovery of credit card data in Splunk Enterprise.
2. Map the data to the following Common Information Model fields:
src, dest, dvc, signature
3. Tag the relevant events with pii.
The data in the Unauthorized Credit Card Transmissions report is populated by an ad hoc search that runs against the
network_summary2 summary index. This index is created by the
Network - All IDS Attacks - Summary Gen - Summary Gen saved search, which is a post-process task of the
Network - All IDS Attacks - Base saved search.
This search runs on an offset 15 minute cycle and looks at 15 minutes of data.
|Schedule||10,25,40,55 * * * *||Runs on an offset 15 minute window.|
|Report Window||-20m@m to -5m@m||Looks at 15 minutes of data.|
Note: The report window stops at 5 minutes ago because some data sources may not have provided complete data in a more recent time frame.
|Troubleshooting Task||Search/Action||Expected Result|
|Verify that data is present.||`ids_attack` | search tag=pii||Returns all unauthorized credit card transmissions data.|
|Verify that fields are normalized and available.||`ids_attack` | search tag=pii | table src, dest, dvc, signature||Returns a list of events and the specific unauthorized credit card transmission fields.|
|Verify that the summary index is populated by the post-process saved search.||`get_summary(network_summary2,Network - All IDS Attacks - Summary Gen)` | search tag=pii||Returns data in the network_summary2 index.|
This report uses default source types that ship with windows TA + linux_base deployment package.
Access – All Authentication – Summary Genis a post-process task. You can find the details of this search in the
Wireless Network Misconfigurations
Endpoint Product Deployment
This documentation applies to the following versions of Splunk® App for PCI Compliance: 2.1.1