Splunk® App for PCI Compliance

User Manual

Download manual as PDF

Download topic as PDF

Search View Matrix

Correlation search thresholds

Some correlation searches in the Splunk App for PCI Compliance use the Extreme Search framework from Splunk Enterprise Security. Other correlation searches use search-defined thresholds. See How Splunk Enterprise Security uses extreme search in Administer Splunk Enterprise Security for more.

Dashboard searches

These searches support dashboard panels in the user interface. Most dashboard panels are populated with data from data model acceleration, but some dashboards are populated by saved searches.

Requirement 1 Reports

Search or Dashboard Firewall Rule Activity Network Traffic Activity Prohibited Services
Network - Communication Rule Tracker - Lookup Gen X
Endpoint - Listening Ports Tracker - Lookup Gen X
Endpoint - Local Processes Tracker - Lookup Gen X
Endpoint - Services Tracker - Lookup Gen X

Requirement 2 Reports

Search or Dashboard Default Account Access Insecure Authentication Attempts Primary Functions Prohibited Services System Misconfigurations Wireless Network Misconfigurations Weak Encrypted Communication PCI System Inventory
Endpoint - Listening Ports Tracker - Lookup Gen X X X
Endpoint - Local Processes Tracker - Lookup Gen X X
Endpoint - Services Tracker - Lookup Gen X X

Requirement 3 Reports

The Intrusion Detection data model populates these dashboards.

Requirement 4 Reports

The Certificate data model populates these dashboards.

Requirement 5 Reports

The Malware data model populates these dashboards.

Requirement 6 Reports

The Performance and Authentication data models populate these dashboards.

Requirement 7 Reports

The Authentication data model populates these dashboards.

Requirement 8 Reports

The Authentication data model populates these dashboards.

Requirement 10 Reports

The Change Analysis, Authentication, and Performance data models populate these dashboards.

Requirement 11 Reports

The Change Analysis, Intrusion Detection, and Vulnerabilities data models populate these dashboards.

Searches that create notable events

Many of the searches in the Splunk App for PCI Compliance create notable events and are not used by dashboards.

  • Access - Account Deleted - Rule
  • Access - Brute Force Access Behavior Detected - Rule
  • Access - Cleartext Password At Rest - Rule
  • Access - Completely Inactive Account - Rule
  • Access - Default Account Usage - Rule
  • Access - Default Accounts At Rest - Rule
  • Access - Excessive Failed Logins - Rule
  • Access - Inactive Account Usage - Rule
  • Access - Insecure or Cleartext Authentication Detected - Rule
  • Audit - Anomalous Audit Trail Activity Detected - Rule
  • Audit - Expected Host Not Reporting - Rule
  • Audit - Personally Identifiable Information Detection - Rule
  • PCI - 6.1 - Anomalous Update Service Detected - Rule
  • PCI - 6.1 - High/Critical Update Missing - Rule
  • Endpoint - Recurring Malware Infection - Rule
  • PCI - 5.2 - Inactive Antivirus Client Detected - Rule
  • PCI - 2.2.1 - Multiple Primary Functions - Rule
  • PCI - 5.2 - Possible Outbreak Observed - Rule
  • PCI - 2.2.4 - Prohibited or Insecure Port Detected - Rule
  • PCI - 2.2.4 - Prohibited or Insecure Process Detected - Rule
  • PCI - 2.2.4 - Prohibited or Insecure Service Detected - Rule
  • Endpoint - Should Timesync Host Not Syncing - Rule
  • PCI - 1.1.4 - Asset Ownership Unspecified - Rule
  • PCI - 4.1 - Credit Card Data Transmitted in Clear - Rule
  • Network - Policy Or Configuration Change - Rule
  • PCI - 1.2.2 - Secure and synchronize router configuration files - Rule
  • PCI - 11.1 - Rogue Wireless Device - Rule
  • PCI - 2.2.2 - System Misconfigured - Rule
  • PCI - 2.2.3 - Unauthorized Wireless Device Detected - Rule
  • PCI - 1.3.3 - Unauthorized or Insecure Communication Permitted - Rule
  • PCI - 2.1.1 - Unencrypted Traffic on Wireless Network - Rule
  • Network - Vulnerability Scanner Detection (by event) - Rule
  • Network - Vulnerability Scanner Detection (by targets) - Rule
  • Network - Substantial Increase in an Event - Rule
  • Threat - Watchlisted Events - Rule
  • Privileged Authentication Without Multifactor Detected
PREVIOUS
Asset and Identity Correlation
  NEXT
Search macros

This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.1.3, 3.4.0, 3.4.1, 3.4.2, 3.5.0, 3.6.0, 3.6.1, 3.7.0, 3.7.1, 3.7.2, 3.8.0


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters