Splunk® App for PCI Compliance

Installation and Configuration Manual


IDS/IPS Alert Activity

Intrusion detection and/or prevention systems (IDS/IPS) compare inbound and outbound network traffic against known signatures and/or behaviors of thousands of compromise types (hacker tools, Trojans and other malware). This report collects data on unauthorized wireless access points found on the network and provides a summarized view of the intrusion activity involving an asset in the PCI domain. Use this report to identify attack trends and behavior that could indicate a more significant threat.

Intrusion detection and/or prevention systems can be configured either to alert on or to stop an intrusion attempt. Without a proactive approach to detecting unauthorized activity with these tools, attacks on (or misuse of) PCI resources could go unnoticed in real time. PCI requires that the alerts generated by these tools be monitored so that intrusion attempts can be stopped before they succeed.

Relevant data sources

Relevant data sources for this report include IDS/IPS systems, network scan results, and Network Access Control (NAC) logs.

How to configure this report

  1. Index IDS/IPS alert data in the Splunk platform.
  2. Map the IDS/IPS data to the following Common Information Model fields: dvc, ids_type, category, signature, severity, src, dest. CIM-compliant add-ons for these data sources perform this step for you.
  3. Tag the IDS/IPS alert data with "ids" and "attack".
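The following .conf fragments show what steps 2 and 3 look like when no CIM-compliant add-on exists for a source and you normalize and tag it yourself. This is an added example, not configuration shipped with the Splunk App for PCI Compliance; the sourcetype name example:ids, the vendor field names src_ip, dest_ip, priority, class and sig_name, and the eventtype name example_ids_attack are assumptions chosen for illustration.

```ini
# props.conf  (assumed sourcetype "example:ids"; vendor field names are assumptions)
# Step 2: expose the vendor's fields under the CIM names the
# Intrusion Detection data model expects.
[example:ids]
FIELDALIAS-cim_src  = src_ip AS src
FIELDALIAS-cim_dest = dest_ip AS dest
FIELDALIAS-cim_dvc  = host AS dvc
FIELDALIAS-cim_category  = class AS category
FIELDALIAS-cim_signature = sig_name AS signature
# ids_type must be one of the CIM values (network, host, application, wireless)
EVAL-ids_type = "network"
# Map a numeric vendor priority onto the CIM severity vocabulary
EVAL-severity = case(priority=="1", "high", priority=="2", "medium", true(), "low")

# eventtypes.conf
# Wrap the source in an eventtype so that tags can be attached to it.
[example_ids_attack]
search = sourcetype="example:ids"

# tags.conf
# Step 3: the "ids" and "attack" tags are what `ids_attack` and the
# Intrusion Detection data model select on.
[eventtype=example_ids_attack]
ids = enabled
attack = enabled
```

After a restart (or a debug refresh), the troubleshooting search tag=ids tag=attack should return events from this sourcetype, and the second troubleshooting search should show every listed CIM field populated; any column that comes back empty points at the alias or EVAL that needs adjusting.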

Report description

The data in the IDS/IPS report is populated by the Intrusion Detection data model.

Useful searches for troubleshooting

| Troubleshooting Task | Search/Action | Expected Result |
| --- | --- | --- |
| Verify that IDS/IPS data has been indexed in the Splunk platform. | tag=ids tag=attack or `ids_attack` | Returns IDS/IPS data. |
| Verify that fields are normalized and available at search time. | `ids_attack` \| tags outputfield=tag \| table _time, host, sourcetype, dvc, ids_type, category, signature, severity, src, dest, tag, vendor_product | Returns a table of IDS/IPS data fields. |

This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.4.0, 3.4.1, 3.4.2, 3.5.0, 3.6.0, 3.6.1, 3.7.0, 3.7.1, 3.7.2, 3.8.0, 3.8.1
