Endpoint Changes
This report collects information on system changes discovered on cardholder systems. It shows a list of all changes identified using Splunk FSChange, Splunk software file integrity tools, and other change data captured within Splunk software. Use this report to identify anomalous or unexpected changes to system objects, critical system files, configuration files, or content files that are being monitored.
PCI DSS requires that you monitor systems for changes to system level objects, critical system files, configuration files, or content files on systems within the cardholder data environment. Compare these files and objects periodically to ensure that the integrity of these files is preserved.
Relevant data sources
Relevant data sources for this report include change data, including file integrity change data (fschange, OSSEC, Tripwire, and so on).
How to configure this report
1. Index endpoint change data in Splunk Enterprise.
2. Map the data to the following Common Information Model fields:
action, dest, object, object_category, object_path, status, user
3. Tag the endpoint change data with endpoint and change.
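An added configuration example, not part of the Splunk App for PCI Compliance itself, showing steps 2 and 3 for Splunk fschange events. The sourcetype `fs_notification`, the native fields `path`, `action` and `uid`, and the Unix-style paths are assumptions about the fschange data source; adjust them for OSSEC, Tripwire or other change sources.

```ini
# props.conf -- search-time field mapping for fschange events
# Assumption: fschange events arrive with sourcetype fs_notification and carry
# host, path, action (add/update/delete) and uid, but not the CIM field names.
[fs_notification]
# CIM Change model expects dest and object_path
FIELDALIAS-endpoint_change_dest = host AS dest
FIELDALIAS-endpoint_change_object_path = path AS object_path
# object is the monitored file name without its directory (Unix paths assumed)
EVAL-object = replace(path, "^.*/", "")
# every fschange event describes a file-system object
EVAL-object_category = "file"
# fschange reports observed changes, so status is always success
EVAL-status = "success"
# fschange records a numeric uid, not a user name; a lookup would be needed
# for a real name, so fall back to the uid rather than leaving the field empty
EVAL-user = coalesce(user, tostring(uid), "unknown")

# eventtypes.conf -- group the mapped events under one eventtype
[endpoint_change_fschange]
search = sourcetype=fs_notification action=*

# tags.conf -- apply the endpoint and change tags the report searches on
[eventtype=endpoint_change_fschange]
endpoint = enabled
change = enabled
```

After deploying these files to the search head, the `tag=endpoint tag=change` searches in the troubleshooting table below should return the fschange events with all seven fields populated.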
Report description
The data in the Endpoint Changes report is populated by a search that runs against the endpoint_summary summary index. This index is created by the Endpoint - All Endpoint Changes - Summary Gen saved search. This information is combined with information in the assets table to produce the report.
This search runs on an offset 15-minute schedule and looks at 15 minutes of data.
Setting | Value | Description |
---|---|---|
Schedule | 10,25,40,55 * * * * | Runs on a 15-minute offset schedule. |
Report window | -20m@m to -5m@m | Looks at 15 minutes of data. |
Note: The report window stops at 5 minutes ago because some data sources might not have provided complete data in a more recent time frame.
Useful searches/Troubleshooting
Troubleshooting Task | Search/Action | Expected Result |
---|---|---|
Verify that you have data from your network device(s). | `sourcetype=<expected_st>` | Returns data from your network device(s). |
Verify that endpoint change data is being indexed in Splunk Enterprise. | `tag=endpoint tag=change` | Returns endpoint change data. |
Verify that fields are normalized and available as expected. | `tag=endpoint tag=change \| fillnull value=unknown action, dest, object, object_category, object_path, status, user \| table action,dest,object,object_category,object_path,status,user` (the `tag=endpoint tag=change` stage can be replaced by the `` `endpoint_change` `` macro) | Returns a table of endpoint change fields. |
Verify that the endpoint change summary index is populated. | `` `get_summary(endpoint_summary,Endpoint - All Endpoint Changes - Summary Gen)` `` | Returns data in the endpoint_summary index. |
Additional information
This documentation applies to the following versions of Splunk® App for PCI Compliance: 2.1.1