Insecure Authentication Attempts
This report looks at attempts to access cardholder systems using insecure protocols and services. Use this report to identify the source of the insecure authentication attempts so they can be evaluated and eliminated if they pose a risk to the cardholder system.
If remote administration is not done with secure authentication and encrypted communications, sensitive administrative or operational level information like administrator passwords could be revealed to an eavesdropper. PCI DSS requires that you use only secure technologies to log into cardholder systems.
Relevant data sources
Relevant data sources for this report include any device that produces clear text or other insecure authentication activity, such as Windows Security, telnet, and others.
How to configure this report
- Index authentication data from a device, application, or system in Splunk platform.
- Map the data to the following Common Information Model fields: host, action, app, src, src_user, dest, user. CIM-compliant add-ons for these data sources perform this step for you.
- Tag authentication messages that pass credentials in the clear or are considered insecure with either "cleartext" or "insecure".
The data in the Insecure Authentication Attempts report is populated by the Authentication data model.
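As an added example (not configuration shipped with the Splunk App for PCI Compliance or the Splunk documentation), the stanzas below show one way to do the tagging step for Windows clear text logon events and telnet logins. The eventtype names, the telnet sourcetype, and the Windows field name Logon_Type are assumptions; check them against the add-ons you actually use.

```ini
# eventtypes.conf  (added example; eventtype names and sourcetypes are assumed)
# Windows logon type 8 (NetworkCleartext) sends the password over the
# network in clear text, which is why these events belong in this report.
# Logon_Type is the field name assumed for the Windows add-on's extraction.
[windows_cleartext_logon]
search = sourcetype=WinEventLog:Security EventCode=4624 Logon_Type=8

# Telnet carries credentials unencrypted; sourcetype "telnet_auth" is assumed.
[telnet_login]
search = sourcetype=telnet_auth action=*

# tags.conf  (added example)
# "authentication" places the events in the Authentication data model that
# populates this report; "cleartext" and "insecure" mark them as insecure.
[eventtype=windows_cleartext_logon]
authentication = enabled
cleartext = enabled
insecure = enabled

[eventtype=telnet_login]
authentication = enabled
cleartext = enabled
insecure = enabled

# Check after a restart or a knowledge-object reload:
#   tag=authentication tag=insecure eventtype=windows_cleartext_logon
# should return the tagged Windows events; an empty result usually means
# the field name or sourcetype in the eventtype search does not match.
```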
Useful searches for troubleshooting
| Troubleshooting task | Search/Action | Expected result |
|---|---|---|
| Verify that authentication data is returned. | `tag=authentication` | Returns all authentication activity data from your network device(s). |
| Verify that clear text authentication attempts are returned. | `tag=cleartext tag=insecure` | Returns all clear text authentication data. |
| Verify that insecure authentication attempts are returned. | `tag=authentication tag=insecure` | Returns all insecure authentication attempts. |
| Verify that all insecure and clear text authentication data is normalized to the Common Information Model properly. | `` `authentication` \| tags outputfield=tag \| table _time,host,action,app,src,src_user,dest,user,tag `` | Returns a table of the authentication fields. |
Windows login events with LoginType=8 are often seen in this report. These login events are clear text login attempts. Other examples include telnet login events, rsh, rexec, and so on.
This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.4.0, 3.4.1, 3.4.2, 3.5.0, 3.6.0, 3.6.1, 3.7.0, 3.7.1, 3.7.2, 3.8.0, 3.8.1, 4.0.0, 4.0.1, 4.1.0, 4.1.1, 4.3.0, 4.4.0, 4.4.1, 4.5.0 Cloud only, 4.6.0, 4.6.2