Splunk® App for PCI Compliance

User Manual

This documentation does not apply to the most recent version of Splunk® App for PCI Compliance. For documentation on the most recent version, go to the latest release.

Search View Matrix

Correlation search thresholds

Some correlation searches in the Splunk App for PCI Compliance use the Extreme Search framework in Splunk Enterprise Security; the rest use thresholds defined directly in the search query. See Extreme Search in the Splunk Enterprise Security User Manual for more information. The following table lists the correlation searches with adjustable thresholds and their default values.

Correlation search                                                Description                                          Default
Access - Completely Inactive Account                              Number of days inactive                              90
Access - Brute Force Access Behavior Detected                     Number of failures                                   Uses Extreme Search (context: failures_by_src_count_1h; concept: greater than medium)
Endpoint - Anomalous New Services                                 Number of new services                               9
Endpoint - Anomalous New Processes                                Number of new processes                              9
Access - Excessive Failed Logins                                  Number of authentication attempts                    6
Endpoint - Recurring Malware Infection                            Number of days that the device was re-infected       3 days
Endpoint - Possible Outbreak Observed                             Number of systems                                    10
Network - Substantial Increase in an Event                        Number of events (self-baselines based on average)   Uses Extreme Search (context: count_by_signature_1h; concept: greater than medium)
Network - Substantial Increase in Port Activity (by destination)  Number of targets (self-baselines based on average)  Uses Extreme Search (context: count_by_dest_port_1d; concept: extreme)
Network - Vulnerability Scanner Detection (by event)              Number of unique events                              25
Network - Vulnerability Scanner Detection (by targets)            Number of unique targets                             25

Dashboard searches

These searches support dashboard panels in the user interface. Most dashboard panels are populated with data from data model acceleration, but some dashboards are populated by saved searches.

Requirement 1 Reports

Search or Dashboard | Firewall Rule Activity | Network Traffic Activity | Prohibited Services
Network - Communication Rule Tracker - Lookup Gen X
Endpoint - Listening Ports Tracker - Lookup Gen X
Endpoint - Local Processes Tracker - Lookup Gen X
Endpoint - Services Tracker - Lookup Gen X

Requirement 2 Reports

Search or Dashboard | Default Account Access | Insecure Authentication Attempts | Primary Functions | Prohibited Services | System Misconfigurations | Wireless Network Misconfigurations | Weak Encrypted Communication | PCI System Inventory
Endpoint - Listening Ports Tracker - Lookup Gen X X X
Endpoint - Local Processes Tracker - Lookup Gen X X
Endpoint - Services Tracker - Lookup Gen X X

Requirement 3 Reports

The Intrusion Detection data model populates these dashboards.

Requirement 4 Reports

The Certificate data model populates these dashboards.

Requirement 5 Reports

The Malware data model populates these dashboards.

Requirement 6 Reports

The Performance and Authentication data models populate these dashboards.

Requirement 7 Reports

The Authentication data model populates these dashboards.

Requirement 8 Reports

The Authentication data model populates these dashboards.

Requirement 10 Reports

The Change Analysis, Authentication, and Performance data models populate these dashboards.

Requirement 11 Reports

The Change Analysis, Intrusion Detection, and Vulnerabilities data models populate these dashboards.

Invisible searches

These are support searches and correlation searches that generate Notable Events but are not directly used by dashboards.

  • Access - Account Deleted - Rule
  • Access - Brute Force Access Behavior Detected - Rule
  • Access - Cleartext Password At Rest - Rule
  • Access - Completely Inactive Account - Rule
  • Access - Default Account Usage - Rule
  • Access - Default Accounts At Rest - Rule
  • Access - Excessive Failed Logins - Rule
  • Access - Inactive Account Usage - Rule
  • Access - Insecure or Cleartext Authentication Detected - Rule
  • Audit - Anomalous Audit Trail Activity Detected - Rule
  • Audit - Expected Host Not Reporting - Rule
  • Audit - Personally Identifiable Information Detection - Rule
  • PCI - 6.1 - Anomalous Update Service Detected - Rule
  • PCI - 6.1 - High/Critical Update Missing - Rule
  • Endpoint - Recurring Malware Infection - Rule
  • PCI - 5.2 - Inactive Antivirus Client Detected - Rule
  • PCI - 2.2.1 - Multiple Primary Functions - Rule
  • PCI - 5.2 - Possible Outbreak Observed - Rule
  • PCI - 2.2.4 - Prohibited or Insecure Port Detected - Rule
  • PCI - 2.2.4 - Prohibited or Insecure Process Detected - Rule
  • PCI - 2.2.4 - Prohibited or Insecure Service Detected - Rule
  • Endpoint - Should Timesync Host Not Syncing - Rule
  • PCI - 1.1.4 - Asset Ownership Unspecified - Rule
  • PCI - 4.1 - Credit Card Data Transmitted in Clear - Rule
  • Network - Policy Or Configuration Change - Rule
  • PCI - 1.2.2 - Secure and synchronize router configuration files - Rule
  • PCI - 11.1 - Rogue Wireless Device - Rule
  • PCI - 2.2.2 - System Misconfigured - Rule
  • PCI - 2.2.3 - Unauthorized Wireless Device Detected - Rule
  • PCI - 1.3.3 - Unauthorized or Insecure Communication Permitted - Rule
  • PCI - 2.1.1 - Unencrypted Traffic on Wireless Network - Rule
  • Network - Vulnerability Scanner Detection (by event) - Rule
  • Network - Vulnerability Scanner Detection (by targets) - Rule
  • Threat - Watchlisted Events - Rule
Last modified on 27 October, 2016

This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.1.0, 3.1.1, 3.1.2, 3.2.0, 3.2.1
