Splunk® App for PCI Compliance

Installation and Configuration Manual

Acrobat logo Download manual as PDF

This documentation does not apply to the most recent version of PCI. Click here for the latest version.
Acrobat logo Download topic as PDF

Endpoint Changes

This report collects information on system changes discovered on cardholder systems. It shows a list of all changes identified using Splunk FSChange, Splunk software file integrity tools, and other change data captured within Splunk software. Use this report to identify anomalous or unexpected changes to system objects, critical system files, configuration files, or content files that are being monitored.

PCI DSS requires that you monitor systems for changes to system level objects, critical system files, configuration files, or content files on systems within the cardholder data environment. Compare these files and objects periodically to ensure that the integrity of these files is preserved.

Relevant data sources

Relevant data sources for this report include change data, inclusive to file integrity changes (fschange, OSSEC, Tripwire, and so on).

How to configure this report

1. Index endpoint change data in Splunk Enterprise.

2. Map the data to the following Common Information Model fields:

 action, dest, object, object_category, object_path, status, user

3. Tag the endpoint change data with endpoint and change.

Report description

The data in the Endpoint Changes report is populated by a search that runs against the endpoint_summary summary index. This index is created by the Endpoint - All Endpoint Changes - Summary Gen saved search. This information is combined with information in the assets table to produce the report.

Pci-PCI endpoint changes.png

This search runs on an offset 15-minute schedule and looks at 15 minutes of data.

Schedule 10,25,40,55 * * * * Runs on a 15-minute offset schedule.
Report window -20m@m to -5m@m Looks at 15 minutes of data.

Note: The report window stops at 5 minutes ago because some data sources might not have provided complete data in a more recent time frame.

Useful searches/Troubleshooting

Troubleshooting Task Search/Action Expected Result
Verify that you have data from your network device(s). sourcetype=<expected_st> Returns data from your network device(s).
Verify that endpoint change data is being indexed in Splunk Enterprise. tag=endpoint tag=change Returns endpoint change data.
Verify that fields are normalized and available as expected. tag=endpoint tag=change | fillnull value=unknown action, dest, object, object_category, object_path, status, user
or `endpoint_change` | table action,dest,object,object_category,object_path,status,user
Returns a table of endpoint change fields.
Verify that the endpoint change summary index is populated. `get_summary(endpoint_summary,Endpoint - All Endpoint Changes - Summary Gen)` Returns data in the endpoint_summary index.

Additional information

Last modified on 26 October, 2015
PCI Resource Access
System Time Synchronization

This documentation applies to the following versions of Splunk® App for PCI Compliance: 2.1.1

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters