Splunk® App for PCI Compliance

Installation and Configuration Manual

Download manual as PDF

This documentation does not apply to the most recent version of PCI. Click here for the latest version.
Download topic as PDF

PCI System Inventory

This report provides visibility into software that is running on PCI assets. Monitor this report on a daily basis to ensure that no unexpected services or applications are being run. Unexpected software components should be investigated further.

Maintaining a current list of all software components running in the PCI compliant environment enables an organization to define risk exposure and devise adequate controls. Without an automated inventory, some system components could be inadvertently excluded from the organization's configuration standards.

Relevant data sources

Relevant data sources for this report include Service, Process, and Port data (Splunk_TA_nix, Splunk_TA_windows).

How to configure this report

1. Index process, service, and/or port data in Splunk Enterprise.

2. Map the data to the following [[Documentation:Splunk:Knowledge:UnderstandandusetheCommonInformationModelCommon Information Model]] fields:

Services fields: dest, app, StartMode
Process fields: dest, app, PercentProcessorTime, UsedMBytes
Port fields: dest,dest_port,transport

Note: Splunk_TA_nix and Splunk_TA_Windows do this already.

Report description

The data in the 'PCI Inventory' report is populated by three services_tracker lookups. One lookup is generated by the Endpoint - Local Processes - Lookup Gen saved search, a second by the Endpoint - Services Tracker - Lookup Gen saved search, and the third by the Endpoint - Listening Ports Tracker- Lookup Gen saved search. The localprocesses_tracker, services_tracker macros correlate process data with the asset and identity tables to pull in additional information.

This report includes three searches: Endpoint - Local Processes - Lookup Gen, Endpoint - Services Tracker - Lookup Gen, and Endpoint - Listening Ports Tracker- Lookup Gen.

Useful searches/Troubleshooting

Troubleshooting Task Search/Action Expected Result
Verify that service, process, and/or port information has been indexed. sourcetype=<expected_st> Returns data from service, process, and/or port. For example, sourcetype=WMI:Service.
Verify that the service data has been normalized at search time correctly. sourcetype=“*Service” | table dest, app, StartMode
or `service` | table dest, app, StartMode
Returns a table of all service events.
Verify that the process data has been normalized at search time correctly. sourcetype="*:LocalProcesses“ | table dest, app, PercentProcessorTime, UsedMBytes Returns a table of local process data.
Verify that the port data has been normalized at search time correctly. tag=listening tag=port | table dest,dest_port,transport
or | `listeningports` | table dest,dest_port,transport.
Returns a table of port data.
Verify that the service tracker file is getting created correctly. | inputlookup append=T services_tracker
or `services_tracker`
Returns data in the service tracker
Verify that the process tracker file is getting created correctly. | inputlookup append=T services_tracker
or | `localprocesses_tracker`
Returns local processes data.
Verify that the port tracker file is getting created correctly. | inputlookup append=T localprocesses_tracker
or `listeningports_tracker`
Returns data in the port tracker.
Verify that the Interesting Services, Interesting Processes, and/or Interesting Ports lookups are populated with expected prohibited values. Open the lists in Configure > Lists and Lookups > Interesting [ ports | processes | services ] and verify that the is_prohibited column is set to “true”.

Additional information

This report uses default source types that ship with windows TA + linux TA deployment package.

Tracker files for this report are located:

  • $SPLUNK_HOME/etc/apps/SA-EndpointProtection/lookups/listeningports_tracker.csv
  • $SPLUNK_HOME/etc/apps/SA-EndpointProtection/lookups/services_tracker.csv
  • $SPLUNK_HOME/etc/apps/SA-EndpointProtection/lookups/localprocesses_tracker.csv
Last modified on 26 October, 2015
Insecure Authentication Attempts
Primary Functions

This documentation applies to the following versions of Splunk® App for PCI Compliance: 2.1.1

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters