Splunk® App for PCI Compliance

User Manual

This documentation does not apply to the most recent version of Splunk® App for PCI Compliance. For documentation on the most recent version, go to the latest release.

Reports

The Splunk App for PCI Compliance provides a variety of built-in reports for areas of PCI compliance. The reports are organized by PCI DSS requirement. Some reports apply to more than one requirement and appear in more than one place. Use these reports to show compliance in each of the PCI DSS requirement areas.

Requirement 1 - Network Traffic

Firewall Rule Activity

Use this report to track activity related to the firewall rules. Use the filters to modify the search results.

In the Activity by Month panel, click "View full results" to open the results from this panel in the timeline view. In the timeline view you can work with the search results in the same way you can work with any search; customize the search or save the search to view the same results at a later time.

To configure this report see "Firewall Rule Activity" in the "Reports" section of the Splunk App for PCI Compliance Installation and Configuration Manual.

Network Traffic Activity

Use this report to capture network traffic activity. Use the filters to modify the search results.

In the Traffic Detail panel, click "View full results" to open the results from this panel in the timeline view. In the timeline view you can work with the search results in the same way you can work with any search; customize the search or save the search to view the same results at a later time.

To configure this report see "Network Traffic Activity" in the "Reports" section of the Splunk App for PCI Compliance Installation and Configuration Manual.

Prohibited Services

Use this report to review host ports, processes, and services. Use the filters to modify the search results.

In the Service Details panel, click "View full results" to open the results from this panel in the timeline view. In the timeline view you can work with the search results in the same way you can work with any search; customize the search or save the search to view the same results at a later time.

To configure this report see "Prohibited Services" in the "Reports" section of the Splunk App for PCI Compliance Installation and Configuration Manual.

Requirement 2 - Default Configurations

Default Account Access

Use this report to review default account access in your PCI compliance environment. Use the filters to modify the search results.

In the Default Account Access Details panel, click "View full results" to open the results from this panel in the timeline view. In the timeline view you can work with the search results in the same way you can work with any search; customize the search or save the search to view the same results at a later time.

To configure this report see "Default Account Access" in the "Reports" section of the Splunk App for PCI Compliance Installation and Configuration Manual.

Insecure Authentication Attempts

Use this report to track insecure authentication attempts. Use the filters to modify the search results.

In the Insecure Authentication Attempts panel, click "View full results" to open the results from this panel in the timeline view. In the timeline view you can work with the search results in the same way you can work with any search; customize the search or save the search to view the same results at a later time.

To configure this report see "Insecure Authentication Attempts" in the "Reports" section of the Splunk App for PCI Compliance Installation and Configuration Manual.

PCI System Inventory

Use this report to maintain an inventory of software components running in the PCI compliant environment. Use the filters such as Asset and Category to modify the search results.

In the System Inventory panel, use the Resource selector to view results by Ports, Processes, or Services. At the bottom, click "View full results" to open the results from this panel in the timeline view. In the timeline view you can work with the search results in the same way you can work with any search; customize the search or save the search to view the same results at a later time.

To configure this report see "PCI System Inventory" in the "Reports" section of the Splunk App for PCI Compliance Installation and Configuration Manual.

Primary Functions

Use this report to identify systems where multiple primary functions may be running or where unexpected services could be in use. Use the filters to modify the search results.

In the Primary Function Details panel, click "View full results" to open the results from this panel in the timeline view. In the timeline view you can work with the search results in the same way you can work with any search; customize the search or save the search to view the same results at a later time.

To configure this report see "Primary Functions" in the "Reports" section of the Splunk App for PCI Compliance Installation and Configuration Manual.

Prohibited Services

Use this report to monitor prohibited services that may be running in your environment. Use the filters to modify the search results.

In the Service Details panel, click "View full results" to open the results from this panel in the timeline view. In the timeline view you can work with the search results in the same way you can work with any search; customize the search or save the search to view the same results at a later time.

To configure this report see "Prohibited Services" in the "Reports" section of the Splunk App for PCI Compliance Installation and Configuration Manual.

System Misconfigurations

Use this report to track the configuration of systems in your environment. Use the filters to modify the search results.

In the System Misconfiguration Details panel, click "View full results" to open the results from this panel in the timeline view. In the timeline view you can work with the search results in the same way you can work with any search; customize the search or save the search to view the same results at a later time.

To configure this report see "System Misconfigurations" in the "Reports" section of the Splunk App for PCI Compliance Installation and Configuration Manual.

Wireless Network Misconfigurations

Use this report to track wireless usage in your environment. Use the filters to modify the search results.

In the Wireless Misconfigurations Details panel, click "View full results" to open the results from this panel in the timeline view. In the timeline view you can work with the search results in the same way you can work with any search; customize the search or save the search to view the same results at a later time.

To configure this report see "Wireless Misconfigurations" in the "Reports" section of the Splunk App for PCI Compliance Installation and Configuration Manual.

Requirement 3 - Protect Data at Rest

Credit Card Data Found

Use this report to monitor any credit card data that might be found on systems in your environment. Use the filters to modify the search results.

In the Credit Card Transmission Details panel, click "View full results" to open the results from this panel in the timeline view. In the timeline view you can work with the search results in the same way you can work with any search; customize the search or save the search to view the same results at a later time.

To configure this report see "Credit Card Data Found" in the "Reports" section of the Splunk App for PCI Compliance Installation and Configuration Manual.

Requirement 4 - Protect Data In Motion

Credit Card Data Found

Use this report to monitor any credit card data being transmitted within your PCI compliance environment. Use the filters to modify the search results.

In the Credit Card Transmission Details panel, click "View full results" to open the results from this panel in the timeline view. In the timeline view you can work with the search results in the same way you can work with any search; customize the search or save the search to view the same results at a later time.

To configure this report see "Credit Card Data Found" in the "Reports" section of the Splunk App for PCI Compliance Installation and Configuration Manual.

Requirement 5 - Anti-malware Protection

Endpoint Product Deployment

Use this report to track software products deployed in your PCI compliance environment. Use the filters to modify the search results.

In either the Missing Antivirus or the Disabled Antivirus panel, click "View full results" to open the results from that panel in the timeline view. In the timeline view you can work with the search results in the same way you can work with any search; customize the search or save the search to view the same results at a later time.

To configure this report see "Endpoint Product Deployment" in the "Reports" section of the Splunk App for PCI Compliance Installation and Configuration Manual.

Endpoint Product Versions

Use this report to track product versions of software deployed in your PCI compliance environment. Use the filters to modify the search results.

At the bottom of the Details panel, click "View full results" to open the results in the timeline view. In the timeline view you can work with the search results in the same way you can work with any search; customize the search or save the search to view the same results at a later time.

To configure this report see "Endpoint Product Versions" in the "Reports" section of the Splunk App for PCI Compliance Installation and Configuration Manual.

Malware Activity

Use this report to track malware that might exist in your deployment. Use the filters to modify the search results.

At the bottom of the panel listing the events, click "View full results" to open the results in the timeline view. In the timeline view you can work with the search results in the same way you can work with any search; customize the search or save the search to view the same results at a later time.

To configure this report see "Malware Activity" in the "Reports" section of the Splunk App for PCI Compliance Installation and Configuration Manual.

Malware Signature Updates

Use this report to track and identify malware signature updates. Use the filters to modify the search results.

At the bottom of the list of events in the Anti-malware Signature Details panel, click "View full results" to open the results from this panel in the timeline view. In the timeline view you can work with the search results in the same way you can work with any search; customize the search or save the search to view the same results at a later time.

To configure this report see "Malware Signature Updates" in the "Reports" section of the Splunk App for PCI Compliance Installation and Configuration Manual.

Requirement 6 - Patch Update Protection

Anomalous System Uptime

Use this report to track systems that have gone offline and then come back online. Use the filters to modify the search results.

At the bottom of the listings in the Anomalous System Uptime panel, click "View full results" to open the results from this panel in the timeline view. In the timeline view you can work with the search results in the same way you can work with any search; customize the search or save the search to view the same results at a later time.

To configure this report see "Anomalous System Uptime" in the "Reports" section of the Splunk App for PCI Compliance Installation and Configuration Manual.

Default Account Access

Use this report to track the access to the default accounts in your PCI compliance environment.

To configure this report see "Default Account Access" in the "Reports" section of the Splunk App for PCI Compliance Installation and Configuration Manual.

Patch Service Status

Use this report to verify the status of your software patch updates. Use the filters to modify the search results.

At the bottom of the listings in the Service Details panel, click "View full results" to open the results from this panel in the timeline view. In the timeline view you can work with the search results in the same way you can work with any search; customize the search or save the search to view the same results at a later time.

To configure this report see "Patch Service Status" in the "Reports" section of the Splunk App for PCI Compliance Installation and Configuration Manual.

System Patch Status

Use this report to track the status of any system patches. Use the filters to modify the search results.

In the System Patch Status panel, click "View full results" to open the results from this panel in the timeline view. In the timeline view you can work with the search results in the same way you can work with any search; customize the search or save the search to view the same results at a later time.

To configure this report see "System Patch Status" in the "Reports" section of the Splunk App for PCI Compliance Installation and Configuration Manual.

Requirement 7 - Access Monitoring

PCI Command History

Use this report to track commands run on PCI resources. Use the filters to modify the search results.

At the bottom of the PCI Command History panel, click "View full results" to open the results from this panel in the timeline view. In the timeline view you can work with the search results in the same way you can work with any search; customize the search or save the search to view the same results at a later time.

To configure this report see "PCI Command History" in the "Reports" section of the Splunk App for PCI Compliance Installation and Configuration Manual.

PCI Resource Access

Use this report to track any access to PCI resources. Use the filters to modify the search results.

At the bottom of the PCI Resource Access Details panel, click "View full results" to open the results from this panel in the timeline view. In the timeline view you can work with the search results in the same way you can work with any search; customize the search or save the search to view the same results at a later time.

To configure this report see "PCI Resource Access" in the "Reports" section of the Splunk App for PCI Compliance Installation and Configuration Manual.

Requirement 8 - Activity Accountability

Default Account Access

Use this report to review access to default accounts in your PCI compliance environment.

To configure this report see "Default Account Access" in the "Reports" section of the Splunk App for PCI Compliance Installation and Configuration Manual.

PCI Resource Access

Use this report to track any access to PCI resources. Use the filters to modify the search results.

At the bottom of the PCI Resource Access Details panel, click "View full results" to open the results from this panel in the timeline view. In the timeline view you can work with the search results in the same way you can work with any search; customize the search or save the search to view the same results at a later time.

To configure this report see "PCI Resource Access" in the "Reports" section of the Splunk App for PCI Compliance Installation and Configuration Manual.

Requirement 10 - Cardholder Data Access

Endpoint Changes

Use this report to monitor any endpoint changes. Use the filters to modify the search results.

At the bottom of the Endpoint Changes panel, click "View full results" to open the results from this panel in the timeline view. In the timeline view you can work with the search results in the same way you can work with any search; customize the search or save the search to view the same results at a later time.

To configure this report see "Endpoint Changes" in the "Reports" section of the Splunk App for PCI Compliance Installation and Configuration Manual.

PCI Asset Logging

Use this report to track activity related to PCI resources. Use the filters to modify the search results.

At the bottom of the PCI Resource Logging panel, click "View full results" to open the results from this panel in the timeline view. In the timeline view you can work with the search results in the same way you can work with any search; customize the search or save the search to view the same results at a later time.

To configure this report see "PCI Asset Logging" in the "Reports" section of the Splunk App for PCI Compliance Installation and Configuration Manual.

PCI Resource Access

Use this report to track any access to PCI resources. Use the filters to modify the search results.

At the bottom of the PCI Resource Access Details panel, click "View full results" to open the results from this panel in the timeline view. In the timeline view you can work with the search results in the same way you can work with any search; customize the search or save the search to view the same results at a later time.

To configure this report see "PCI Resource Access" in the "Reports" section of the Splunk App for PCI Compliance Installation and Configuration Manual.

Privileged User Activity

Use this report to monitor any data activity that includes a privileged user account in your PCI compliance environment. You can use the filters in the report to modify the search results.

For example, if you look at the past 24 hours for user "philjackson", category "cardholder", and domain "dmz", the search would return any activity by "philjackson" in the "dmz" domain involving "cardholder" category data.

At the bottom of the Privileged User Activity panel, click "View full results" to open the results from this panel in the timeline view. In the timeline view you can work with the search results in the same way you can work with any search; customize the search or save the search to view the same results at a later time.

To configure this report see "Privileged User Activity" in the "Reports" section of the Splunk App for PCI Compliance Installation and Configuration Manual.

System Time Synchronization

Use this report to monitor system time synchronizations. Use the filters to modify the search results.

At the bottom of the System Time Synchronization Details panel, click "View full results" to open the results from this panel in the timeline view. In the timeline view you can work with the search results in the same way you can work with any search; customize the search or save the search to view the same results at a later time.

To configure this report see "System Time Synchronization" in the "Reports" section of the Splunk App for PCI Compliance Installation and Configuration Manual.

Requirement 11 - Vulnerability Testing

Endpoint Changes

Use this report to monitor any endpoint changes.

To configure this report see "Endpoint Changes" in the "Reports" section of the Splunk App for PCI Compliance Installation and Configuration Manual.

Rogue Wireless Access Point Protection

Use this report to monitor any unauthorized wireless access in your PCI compliance environment. Use the filters to modify the search results.

At the bottom of the Rogue Device Details panel, click "View full results" to open the results from this panel in the timeline view. In the timeline view you can work with the search results in the same way you can work with any search; customize the search or save the search to view the same results at a later time.

To configure this report see "Rogue Wireless Access Point Protection" in the "Reports" section of the Splunk App for PCI Compliance Installation and Configuration Manual.

Vulnerability Scan Details

Use this report to track vulnerability scans from your environment. Use the filters to modify the search results.

Vulnerabilities are identified by a Common Vulnerabilities and Exposures (CVE) identifier (for example "CVE-1999-0067") where one has been assigned. CVEs are unique, common identifiers for publicly known information security vulnerabilities. The Vulnerability Scan report can be filtered on the CVE, and includes a column listing the CVE. Not every scanner finding carries a CVE, so a finding with an empty CVE column is not necessarily benign; it may be a vendor-specific or configuration check.

The report also includes a Common Vulnerability Scoring System (CVSS) score, which can also be used as a filter. This is a number from 0.0 to 10.0 that indicates the severity of a vulnerability. The score attempts to establish a measure of how much concern a vulnerability warrants, compared to other vulnerabilities, and is useful for ordering remediation work rather than as proof that a low-scored finding can be ignored.

At the bottom of the Vulnerability Details panel, click "View full results" to open the results from this panel in the timeline view. In the timeline view you can work with the search results in the same way you can work with any search; customize the search or save the search to view the same results at a later time.
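The CVE and CVSS filtering described above can also be applied offline to an export of the report, for example to build a remediation list outside Splunk. The following Python script is an added example and is not code from the Splunk App for PCI Compliance; the column names (dest, cve, cvss, signature) and the sample rows are assumptions constructed for this illustration, so adjust them to match the columns your exported report actually contains. It validates the CVE identifier format, checks that the CVSS score is in range, and returns findings ordered by severity, keeping malformed rows visible as invalid rather than silently dropping them.

```python
"""Filter an exported Vulnerability Scan report by CVE and CVSS.

Added example, not part of the Splunk App for PCI Compliance. Column names
and sample rows are assumptions constructed for this illustration.
"""
import csv
import io
import re

# CVE identifiers have the form CVE-<4-digit year>-<4 or more digits>.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed sample export (not real scan data). Rows 3-5 exercise the
# edge cases: lower-case CVE, missing CVE, and an unparseable CVSS value.
SAMPLE_CSV = """dest,cve,cvss,signature
db01.pci.example,CVE-1999-0067,7.5,phf CGI remote command execution
web02.pci.example,CVE-2014-0160,5.0,OpenSSL heartbeat read overrun
web02.pci.example,cve-2014-3566,4.3,SSLv3 POODLE
app03.pci.example,,2.1,Banner disclosure
app03.pci.example,CVE-2012-1823,notascore,PHP-CGI argument injection
"""


def parse_report(text):
    """Parse a CSV export into rows with a normalized CVE and a float CVSS.

    Rows with no valid CVE identifier or a CVSS score outside 0.0-10.0 are
    kept but flagged invalid so the analyst sees exactly what the scanner
    emitted instead of losing findings to a parsing error.
    """
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        cve = (rec.get("cve") or "").strip().upper()
        cve_ok = bool(CVE_RE.match(cve))
        try:
            cvss = float(rec.get("cvss") or "")
            cvss_ok = 0.0 <= cvss <= 10.0
        except ValueError:
            cvss, cvss_ok = None, False
        rows.append({
            "dest": rec["dest"],
            "cve": cve if cve_ok else None,
            "cvss": cvss if cvss_ok else None,
            "signature": rec["signature"],
            "valid": cve_ok and cvss_ok,
        })
    return rows


def filter_findings(rows, min_cvss=0.0, cve=None):
    """Return valid findings at or above min_cvss, optionally for one CVE,
    highest severity first, then by host for a stable order."""
    selected = [
        r for r in rows
        if r["valid"] and r["cvss"] >= min_cvss
        and (cve is None or r["cve"] == cve.strip().upper())
    ]
    return sorted(selected, key=lambda r: (-r["cvss"], r["dest"]))


def invalid_findings(rows):
    """Return rows the filter would never show, for manual review."""
    return [r for r in rows if not r["valid"]]


if __name__ == "__main__":
    report = parse_report(SAMPLE_CSV)
    for r in filter_findings(report, min_cvss=5.0):
        print(f'{r["cvss"]:4.1f}  {r["cve"]:<15} {r["dest"]:<20} {r["signature"]}')
    for r in invalid_findings(report):
        print(f'INVALID {r["dest"]:<20} cve={r["cve"]} cvss={r["cvss"]} {r["signature"]}')
```

Run against a real export, replace SAMPLE_CSV with the file contents; the invalid list is worth keeping in the evidence package, since an assessor will ask why a scanner finding does not appear in the filtered report.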

To configure this report see "Vulnerability Scan Details" in the "Reports" section of the Splunk App for PCI Compliance Installation and Configuration Manual.

IDS/IPS Alert Activity

Use this report to track intrusion detection system or intrusion prevention system activity in your environment.

To configure this report see "IDS/IPS Alert Activity" in the "Reports" section of the Splunk App for PCI Compliance Installation and Configuration Manual.

Last modified on 26 October, 2015

This documentation applies to the following versions of Splunk® App for PCI Compliance: 2.1.1
