PCI System Inventory
This report provides visibility into software that is running on PCI assets. Monitor this report on a daily basis to ensure that no unexpected services or applications are being run. Unexpected software components should be investigated further.
Maintaining a current list of all software components running in the PCI compliant environment enables an organization to define risk exposure and devise adequate controls. Without an automated inventory, some system components could be inadvertently excluded from the organization's configuration standards.
Relevant data sources
Relevant data sources for this report include service, process, and port data such as the Splunk Add-on for Unix and Linux or the Splunk Add-on for Microsoft Windows.
How to configure this report
- Index process, service, and/or port data in Splunk platform.
- Map the data to the following Common Information Model fields. Map services fields to
dest, StartMode
. Map process fields todest,process
. Map port fields todest,dest_port,transport
. CIM-compliant add-ons for these data sources perform this step for you.
Report description
The data in the 'PCI Inventory' report is populated by three services_tracker lookups. One lookup is generated by the Endpoint - Local Processes - Lookup Gen
saved search, a second by the Endpoint - Services Tracker - Lookup Gen
saved search, and the third by the Endpoint - Listening Ports Tracker- Lookup Gen
saved search. The localprocesses_tracker, services_tracker macros correlate process data with the asset and identity tables to pull in additional information.
This report includes three searches: Endpoint - Local Processes - Lookup Gen
, Endpoint - Services Tracker - Lookup Gen
, and Endpoint - Listening Ports Tracker- Lookup Gen
.
Useful searches for troubleshooting
Troubleshooting Task | Search/Action | Expected Result |
---|---|---|
Verify that service, process, and/or port information has been indexed. |
|
Returns data from service, process, and/or port. For example, sourcetype=WMI:Service. |
Verify that the service data has been normalized at search time correctly. |
|
Returns a table of all service events. |
Verify that the process data has been normalized at search time correctly. |
|
Returns a table of local process data. |
Verify that the port data has been normalized at search time correctly. |
|
Returns a table of port data. |
Verify that the service tracker file is getting created correctly. |
|
Returns data in the service tracker |
Verify that the process tracker file is getting created correctly. |
|
Returns local processes data. |
Verify that the port tracker file is getting created correctly. |
|
Returns data in the port tracker. |
Verify that the Interesting Services, Interesting Processes, and/or Interesting Ports lookups are populated with expected prohibited values. | Open the relevant lists in Configure > Data Enrichment > Lists and Lookups and verify that the is_prohibited column is set to “true/false”.
|
Additional information
This report uses default source types that ship with the Splunk add-on for *nix and the Splunk add-on for Windows.
Tracker files for this report are located:
$SPLUNK_HOME/etc/apps/SA-EndpointProtection/lookups/listeningports_tracker.csv
$SPLUNK_HOME/etc/apps/SA-EndpointProtection/lookups/services_tracker.csv
$SPLUNK_HOME/etc/apps/SA-EndpointProtection/lookups/localprocesses_tracker.csv
Insecure Authentication Attempts | Primary Functions |
This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.4.0, 3.4.1, 3.4.2
Feedback submitted, thanks!