Splunk® App for PCI Compliance

Installation and Configuration Manual

This documentation does not apply to the most recent version of Splunk® App for PCI Compliance. For documentation on the most recent version, go to the latest release.

Endpoint Product Versions

This report provides a summary and detail view of all PCI assets and the most current product versions installed. Use this report to identify any assets that are not using the current antimalware product versions and take appropriate measures to ensure these systems are updated.

PCI DSS requires that assets within the cardholder data environment have antimalware technology installed and working to protect against viruses, worms, trojans, and other malware-based threats. Even the best antimalware software has limited effectiveness if it is not running the current product version.

Review this report at least once per day, or more frequently if you are collecting data from antimalware solutions more frequently.

Relevant data sources

Relevant data sources for this report include endpoint engine version information (antivirus, HIPS, endpoint protection, and so on).

How to configure this report

1. Index endpoint product version data from antivirus software.

Note: Not all anti-virus (AV) solutions provide this information in the log data.

2. Map the data to the following Common Information Model fields:

 dest, product_version, vendor_product

3. Tag the activity data with endpoint, application, and version.
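An added example (not from the Splunk documentation) of what steps 2 and 3 look like in configuration files. The sourcetype acme:av and the raw field names host_name, engine_ver and product are assumed placeholders for whatever the antivirus product actually writes to its logs:

```ini
# props.conf (assumed sourcetype: acme:av) - step 2, map raw fields to CIM
[acme:av]
# Alias the raw fields to the CIM field names the report expects
FIELDALIAS-cim_dest = host_name AS dest
FIELDALIAS-cim_product_version = engine_ver AS product_version
# vendor_product carries the vendor and product name; "Acme" is an assumed vendor
EVAL-vendor_product = "Acme " . coalesce(product, "Antivirus")

# eventtypes.conf - a named search selecting only events that carry a version
[acme_av_product_version]
search = sourcetype=acme:av engine_ver=*

# tags.conf - step 3, tag the eventtype so the report's searches can find it
[eventtype=acme_av_product_version]
endpoint = enabled
application = enabled
version = enabled
```

After deploying these stanzas, the troubleshooting search tag=endpoint tag=application tag=version | table dest, product_version, vendor_product should return the mapped fields for the new sourcetype.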

Report description

The data in the Endpoint Product Versions report is populated by the malware_product_version_tracker lookup. This lookup is created by the Endpoint - Malware Product Version Tracker - Lookup Gen saved search.

[Image: Endpoint Product Versions report]

This search runs on an offset 15 minute cycle and looks at 15 minutes of data.

Schedule:       10,30,50 * * * *   Runs on a 15 minute offset window.
Report window:  -25m@m to -5m@m    Looks at 15 minutes of data.

Note: The report window stops at 5 minutes ago because some data sources may not have provided complete data in a more recent time frame.

Useful searches/Troubleshooting

Troubleshooting task: Verify that data is present.
Search/Action: tag=endpoint tag=application tag=version
Expected result: Returns endpoint application version activity data.

Troubleshooting task: Verify that fields are normalized and available as expected.
Search/Action: tag=endpoint tag=application tag=version | table dest, product_version, vendor_product
Expected result: Returns a table of the endpoint application version fields.

Troubleshooting task: Verify that the endpoint product version tracker file has been populated as expected.
Search/Action: | inputlookup append=T malware_product_version_tracker
or: | `malware_product_version_tracker`
Expected result: Returns data in the malware_product_version_tracker lookup.

Additional information

  • The Access – All Authentication – Summary Gen is a post-process task. You can find the details of this search in the $SPLUNK_HOME/etc/apps/SA-AccessProtection/default/postprocess.conf file.
Last modified on 26 October, 2015

This documentation applies to the following versions of Splunk® App for PCI Compliance: 2.1.1

