Patch Service Status
This report collects data on the patch service on cardholder systems and uses the information from the antimalware solution to display a list of the systems within the PCI environment that are updating their signatures appropriately. Use this report to identify systems that have not updated their malware signatures as required.
The best antimalware software has limited effectiveness if it does not have current signatures or if it is not active in the network or on an individual's computer. The PCI DSS standard requires that the antimalware tools are current, which includes the signatures used to detect localized threats.
Relevant data sources
Relevant data sources for this report include patch service data (for example, linux_base, Splunk_TA_windows).
How to configure this report
1. Index service data from the systems monitored in Splunk Enterprise.
2. Map the service data to use the following Common Information Model fields:
dest, app, StartMode
3. Tag the patch service data by applying a tag of automatic and update.
- For example:
- automatic = enabled
- update = enabled
4. Set the
should_update column of the assets table to true for any asset that should be evaluated for patch service status.
5. Configure the Interesting Services list to include the name of the service that should be evaluated and set the
is_required field to true. Use the
dest_pci_domain fields to determine what systems should be evaluated.
The data in the Patch Service Status report is populated by an ad hoc search that runs against the
pci_req6_summary summary index.
The Endpoint - Services Tracker - Lookup Gen search runs on an offset 20 minute schedule and looks at minutes of data.
|Schedule||55 0 * * *||Runs on an offset 50 minute schedule.|
|Report Window||-65m@m to -5m@m||Looks at 60 minutes of data.|
Note: The report window stops at 5 minutes ago because some data sources may not have provided complete data in a more recent time frame.
The PCI - 6.1 - Anomalous Update Service by System Count - Summary Gen runs on 55 minute cycle.
|Troubleshooting Task||Search/Action||Expected Result|
|Verify that patch service data is available.|| sourcetype="*:Service" | stats count by app
Look for the name of the service that represents the patch product used in the customer environment
|Returns patch service data.|
|Verify that fields are normalized and available as expected.||sourcetype="*:Service" | table app, dest||Returns a table of patch service status activity fields.|
|Verify that the service tracker file is populated as expected.||| inputlookup append=T services_tracker||Returns data in the services_tracker.|
|Verify that the Anomalous Update Service by System Count summary is created and has the expected data.||`get_summary(pci_req6_summary,PCI - 6.1 - Anomalous Update Service by System Count - Summary Gen)`||Returns data in the pci_req6_summary index.|
Malware Signature Updates
System Patch Status
This documentation applies to the following versions of Splunk® App for PCI Compliance: 2.1.1