Privileged User Activity
This report shows raw events associated with privileged user activity and provides you with a report of all administrative activity. Use this report to evaluate privileged user accounts and review the activity to identify potential security threats that can lead to potential cardholder data compromise.
Accounts with increased privileges, such as the administrator and root accounts, can have an impact on the security or operational functionality of a system. PCI DSS requires that all actions taken by individuals using administrative credentials be monitored for misuse and abuse.
Relevant data sources
Relevant data sources for this report include any data that includes a privileged user account reference.
How to configure this report
- Index privileged activity from all systems, applications, and devices.
- Add a category of privileged to all privileged user identities in the identity table.
- Tag specific events as being privileged using "privileged", and "authentication".
The data in the Privileged User Activity report is populated by the identity table.
Useful searches and Troubleshooting
|Troubleshooting Task||Search/Action||Expected Result|
|Verify that you have data from your system, application, or device.||sourcetype=<expected_st>||Returns data from your systems, applications, and/or devices.|
|Verify that all privileged activity is returned.||tag=privileged||Returns privileged user activity data.|
|Verify that all privileged user activity fields are populated.||tag=privileged | table event_id host sourcetype src_user user eventtype||Returns a list of events and privileged user activity fields of data.|
System Time Synchronization
PCI Asset Logging
This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.4.0, 3.4.1, 3.4.2, 3.5.0, 3.6.0, 3.6.1, 3.7.0, 3.7.1, 3.7.2, 3.8.0, 3.8.1, 4.0.0, 4.0.1, 4.1.0, 4.1.1