Endpoint Product Versions
This report provides a summary and detail view of all PCI assets and the most current product versions installed. Use this report to identify any assets that are not using the current antimalware product versions and take appropriate measures to ensure these systems are updated.
PCI DSS requires that assets within the cardholder data environment have antimalware technology installed and working to protect against viruses, worms, trojans, and other malware-based threats. The best antimalware software has limited effectiveness if it does not have the current antivirus product versions.
Review this report at least once per day, or more frequently if you are collecting data from antimalware solutions more frequently.
Relevant data sources
Relevant data sources for this report include endpoint engine version information, such as antivirus, endpoint protection, and others.
How to configure this report
- Index endpoint product version data from an antivirus software. Not all antivirus solutions provide this information in the log data.
- Map the data to the following Common Information Model fields:
dest, product_version, vendor_product. CIM-compliant add-ons for these data sources perform this step for you.
- Tag the activity data with "malware", "operations", and "attack".
The data in the Endpoint Product Versions report is populated by
malware_operations_tracker lookup. This lookup is created by the
Endpoint - Malware Operations Tracker - Lookup Gen saved search.
Review each lookup generating search to learn more about the search schedule and time range.
Useful searches for troubleshooting
|Troubleshooting Task||Search/Action||Expected Result|
|Verify that data is present.||tag=malware tag=operations||Returns endpoint application version activity data.|
|Verify that fields are normalized and available as expected.||tag=malware tag=operations | table dest, product_version, vendor||Returns a table of the endpoint application version fields.|
|Verify that the endpoint operations tracker file has been populated as expected.||| inputlookup append=T malware_operations_tracker
or | `malware_operations_tracker`
|Returns data in the malware_operations_tracker.|
Endpoint Product Deployment
This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.4.0, 3.4.1, 3.4.2, 3.5.0, 3.6.0, 3.6.1, 3.7.0, 3.7.1, 3.7.2, 3.8.0, 3.8.1, 4.0.0, 4.0.1, 4.1.0, 4.1.1, 4.3.0, 4.4.0, 4.4.1, 4.5.0 Cloud only, 4.6.0