Related Answers
Download topic as PDF
Search View Matrix
Correlations search thresholds
Some correlation searches in the Splunk App for PCI Compliance use the Extreme Search framework in Splunk Enterprise Security. Other correlation searches use query-defined thresholds. See Extreme Search in the Splunk Enterprise Security User Manual for more. The following table lists the correlation searches with adjustable thresholds.
| Correlation search | Description | Default |
|---|---|---|
| Access - Completely Inactive Account | Number of days inactive | 90 |
| Access - Brute Force Access Behavior Detected | Number of failures | Uses Extreme search. Context: failures_by_src_count_1h Concept: greater than medium. |
| Endpoint - Anomalous New Services | Number of new services | 9 |
| Endpoint - Anomalous New Processes | Number of new processes | 9 |
| Access - Excessive Failed Logins | Number of authentication attempts | 6 |
| Endpoint - Recurring Malware Infection | Number of days that the device was re-infected | 3 days |
| Endpoint - Possible Outbreak Observed | Number of systems | 10 |
| Network - Substantial Increase in an Event | Number of events (self-baselines based on average) | Uses Extreme search. Context: count_by_signature_1h Concept: greater than medium. |
| Network - Substantial Increase in Port Activity (by destination) | Number of targets (self-baselines based on average) | Uses Extreme search. Context: count_by_dest_port_1d Concept: extreme. |
| Network - Vulnerability Scanner Detection (by event) | Number of unique events | 25 |
| Network - Vulnerability Scanner Detection (by targets) | Number of unique targets | 25 |
Dashboard searches
These searches support dashboard panels in the user interface. Most dashboard panels are populated with data from data model acceleration, but some dashboards are populated by saved searches.
Requirement 1 Reports
| Search or Dashboard | Firewall Rule Activity | Network Traffic Activity | Prohibited Services |
|---|---|---|---|
| Network - Communication Rule Tracker - Lookup Gen | X | ||
| Endpoint - Listening Ports Tracker - Lookup Gen | X | ||
| Endpoint - Local Processes Tracker - Lookup Gen | X | ||
| Endpoint - Services Tracker - Lookup Gen | X |
Requirement 2 Reports
| Search or Dashboard | Default Account Access | Insecure Authentication Attempts | Primary Functions | Prohibited Services | System Misconfigurations | Wireless Network Misconfigurations | Weak Encrypted Communication | PCI System Inventory |
|---|---|---|---|---|---|---|---|---|
| Endpoint - Listening Ports Tracker - Lookup Gen | X | X | X | |||||
| Endpoint - Local Processes Tracker - Lookup Gen | X | X | ||||||
| Endpoint - Services Tracker - Lookup Gen | X | X |
Requirement 3 Reports
The Intrusion Detection data model populates these dashboards.
Requirement 4 Reports
The Certificate data model populates these dashboards.
Requirement 5 Reports
The Malware data model populates these dashboards.
Requirement 6 Reports
The Performance and Authentication data models populate these dashboards.
Requirement 7 Reports
The Authentication data model populates these dashboards.
Requirement 8 Reports
The Authentication data model populates these dashboards.
Requirement 10 Reports
The Change Analysis, Authentication, and Performance data models populate these dashboards.
Requirement 11 Reports
The Change Analysis, Intrusion Detection, and Vulnerabilities data models populate these dashboards.
Invisible searches
These are support searches and correlation searches that generate Notable Events, and are not directly used by dashboards.
- Access - Account Deleted - Rule
- Access - Brute Force Access Behavior Detected - Rule
- Access - Cleartext Password At Rest - Rule
- Access - Completely Inactive Account - Rule
- Access - Default Account Usage - Rule
- Access - Default Accounts At Rest - Rule
- Access - Excessive Failed Logins - Rule
- Access - Inactive Account Usage - Rule
- Access - Insecure or Cleartext Authentication Detected - Rule
- Audit - Anomalous Audit Trail Activity Detected - Rule
- Audit - Expected Host Not Reporting - Rule
- Audit - Personally Identifiable Information Detection - Rule
- PCI - 6.1 - Anomalous Update Service Detected - Rule
- PCI - 6.1 - High/Critical Update Missing - Rule
- Endpoint - Recurring Malware Infection - Rule
- PCI - 5.2 - Inactive Antivirus Client Detected - Rule
- PCI - 2.2.1 - Multiple Primary Functions - Rule
- PCI - 5.2 - Possible Outbreak Observed - Rule
- PCI - 2.2.4 - Prohibited or Insecure Port Detected - Rule
- PCI - 2.2.4 - Prohibited or Insecure Process Detected - Rule
- PCI - 2.2.4 - Prohibited or Insecure Service Detected - Rule
- Endpoint - Should Timesync Host Not Syncing - Rule
- PCI - 1.1.4 - Asset Ownership Unspecified - Rule
- PCI - 4.1 - Credit Card Data Transmitted in Clear - Rule
- Network - Policy Or Configuration Change - Rule
- PCI - 1.2.2 - Secure and synchronize router configuration files - Rule
- PCI - 11.1 - Rogue Wireless Device - Rule
- PCI - 2.2.2 - System Misconfigured - Rule
- PCI - 2.2.3 - Unauthorized Wireless Device Detected - Rule
- PCI - 1.3.3 - Unauthorized or Insecure Communication Permitted - Rule
- PCI - 2.1.1 - Unencrypted Traffic on Wireless Network - Rule
- Network - Vulnerability Scanner Detection (by event) - Rule
- Network - Vulnerability Scanner Detection (by targets) - Rule
- Threat - Watchlisted Events - Rule
|
PREVIOUS Identity Correlation |
NEXT Search macros |
This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.1.0, 3.1.1, 3.1.2, 3.2.0, 3.2.1
Feedback submitted, thanks!