Splunk® App for PCI Compliance

Installation and Configuration Manual

This documentation does not apply to the most recent version of the Splunk App for PCI Compliance.

Default Account Access

This report provides a six-month rolling view of attempts to access cardholder systems using default user accounts. It covers all activity by accounts whose category in the identities table is set to default. A starting list of default accounts ships in the identities table and can be edited on the Lists and Lookups configuration page.

Relevant data sources

Relevant data sources for this report include Windows Security, Unix SSH, and any other application, system, or device that produces authentication data. The report reads from the Authentication data model.

How to configure this report

  1. Index authentication data from a device, application, or system in the Splunk platform.
  2. Map the data to the following Common Information Model fields: host, action, app, src, src_user, dest, user. CIM-compliant add-ons for these data sources perform this step for you.
  3. Set the category column of the identities table to default for every account that is considered a default account.

Report description

The Default Account Access report is populated from the Authentication data model, filtered to accounts categorized as default in the identities table.

Useful searches for troubleshooting

Troubleshooting task: Verify that you have data from your authentication sources.
Search/Action: sourcetype=<your_sourcetype_for_your_data>
Expected result: Returns raw events from those sources.

Troubleshooting task: Verify that authentication data is indexed in the Splunk platform.
Search/Action: tag=authentication  or  `authentication`
Expected result: Returns all authentication events from your devices, not only default account activity.

Troubleshooting task: Verify that default user accounts are categorized properly.
Search/Action: `default_user_accounts`
Expected result: Returns the activity of the accounts currently categorized as default.

Troubleshooting task: Verify that authentication attempts for default users are returned.
Search/Action: `default_user_accounts` `authentication`
Expected result: Returns all default account authentication activity.

Troubleshooting task: Verify that authentication data is normalized to the Common Information Model properly.
Search/Action: `authentication` | fields sourcetype, action, app, src, src_user, dest, user
Expected result: Returns events with the listed CIM fields populated. A field that is consistently empty for a sourcetype indicates that the add-on is not mapping it, and the report cannot match on that field.

Additional information

The report displays all attempts in which a default account appears in either the src_user field or the user field, so an event is matched when the default account is the actor as well as when it is the target of the authentication.

The identities table includes default accounts such as root, network service, and other accounts that can produce a large volume of events. Customers who do not want that data in the report can edit the identities table to exclude particular users, for example by changing their category away from default.
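The following is an added example, not code from Splunk or the PCI app, that models the report logic described in the configuration steps and in this section: a constructed identities lookup with a category column, constructed CIM-normalized authentication events, matching on either the user or the src_user field, a six-month rolling window, and an exclusion list for noisy default accounts. The column names, sample rows, and the 183-day window are assumptions made for this example.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed identities lookup. The identity and category columns mirror the
# shape of the app's identities table; the rows are made up for this example.
IDENTITY_LOOKUP_CSV = """identity,category
root,default
admin,default
guest,default
administrator,default
network service,default
jdoe,user
"""

# Fixed "now" so the rolling window is reproducible.
NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)

# Constructed, CIM-normalized authentication events carrying the fields step 2 maps.
SAMPLE_EVENTS = [
    {"_time": NOW - timedelta(days=1), "sourcetype": "WinEventLog:Security",
     "action": "failure", "app": "win:remote", "src": "10.1.1.5",
     "src_user": "", "dest": "pos-srv-01", "user": "Administrator"},
    {"_time": NOW - timedelta(days=3), "sourcetype": "linux_secure",
     "action": "failure", "app": "sshd", "src": "10.1.1.9",
     "src_user": "", "dest": "db-srv-02", "user": "root"},
    {"_time": NOW - timedelta(days=3), "sourcetype": "linux_secure",
     "action": "success", "app": "sshd", "src": "10.1.1.9",
     "src_user": "", "dest": "db-srv-02", "user": "jdoe"},
    # Default account acting on another user: it appears in src_user, not user.
    {"_time": NOW - timedelta(days=10), "sourcetype": "WinEventLog:Security",
     "action": "success", "app": "win:account", "src": "10.1.1.7",
     "src_user": "admin", "dest": "dc-01", "user": "jdoe"},
    # Older than the rolling window, so it must not be counted.
    {"_time": NOW - timedelta(days=200), "sourcetype": "WinEventLog:Security",
     "action": "failure", "app": "win:remote", "src": "10.1.1.5",
     "src_user": "", "dest": "pos-srv-01", "user": "guest"},
    # High-volume root activity of the kind a customer may choose to exclude.
    {"_time": NOW - timedelta(days=2), "sourcetype": "linux_secure",
     "action": "success", "app": "cron", "src": "db-srv-02",
     "src_user": "", "dest": "db-srv-02", "user": "root"},
]


def load_default_accounts(lookup_csv, exclude=()):
    """Return the identities whose category is 'default' (step 3), minus any
    names the customer has chosen to exclude because they are too noisy."""
    excluded = {name.lower() for name in exclude}
    reader = csv.DictReader(io.StringIO(lookup_csv))
    return {row["identity"].strip().lower() for row in reader
            if row["category"].strip().lower() == "default"
            and row["identity"].strip().lower() not in excluded}


def default_account_events(events, default_accounts, now=NOW, window_days=183):
    """Keep events inside the rolling window (assumed 183 days for six months)
    in which either the user or the src_user field is a default account."""
    cutoff = now - timedelta(days=window_days)
    hits = []
    for event in events:
        if event["_time"] < cutoff:
            continue
        actors = {event.get("user", "").lower(), event.get("src_user", "").lower()}
        if actors & default_accounts:
            hits.append(event)
    return hits


def summarize(hits, default_accounts):
    """Count attempts per (default account, action); a default account present
    in both fields of one event is counted once per field it appears in."""
    counts = Counter()
    for event in hits:
        for field in ("user", "src_user"):
            name = event.get(field, "").lower()
            if name in default_accounts:
                counts[(name, event["action"])] += 1
    return counts


if __name__ == "__main__":
    accounts = load_default_accounts(IDENTITY_LOOKUP_CSV)
    for (name, action), count in sorted(summarize(
            default_account_events(SAMPLE_EVENTS, accounts), accounts).items()):
        print(f"{name:15s} {action:8s} {count}")
    trimmed = load_default_accounts(IDENTITY_LOOKUP_CSV, exclude=("root",))
    print("after excluding root:", len(default_account_events(SAMPLE_EVENTS, trimmed)))
```

Matching is done on the lower-cased account name, because Windows reports Administrator while the lookup may hold administrator; in the real app the identities lookup performs that normalization through the identity management settings, and this example only reproduces the observable effect.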


This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.4.0, 3.4.1, 3.4.2