Rogue Wireless Access Point Protection
This report gathers data on unauthorized wireless access points found on the network. It uses the data generated by IDS/IPS systems, network scan results, or Network Access Control (NAC) logs to report on any rogue access device detections. Use this report to see any discovered rogue access devices and more deeply explore the network, user activity, or system activity to further investigate the access points.
Implementation and/or exploitation of wireless technology within a network is one of the most common paths for malicious users to gain access to the network and cardholder data. If a wireless device or network is installed without a company's knowledge, it can allow an attacker to easily and invisibly enter the network. PCI compliance requires that organizations test for the presence of wireless access devices on the network at least once every three months. More frequent testing is recommended.
Relevant data sources
Relevant data sources for this report include IDS/IPS systems, network scan results, or Network Access Control (NAC) logs.
How to configure this report
- Index wireless access detection data in Splunk platform.
- Map the wireless access detection data to the following Common Information Model fields:
dvc, ids_type, category, signature, severity, src, dest
. - Tag the successful synchronization data with "rogue", "wireless", "ids", and "attack".
Report description
The data in the Rogue Wireless Access Point Protection report is populated by the Intrusion Detection data model.
Useful searches for troubleshooting
Troubleshooting Task | Search/Action | Expected Result |
---|---|---|
Verify that you have rogue wireless access point data. | sourcetype=<expected_st> | Returns rogue wireless access point data. |
Verify that wireless access data from an IDS, network scan, or network scan is in Splunk platform. | tag=rogue tag=wireless tag=ids tag=attack | Returns rogue wireless access point protection data. |
Verify that fields are normalized and available at search time. | search tag=rogue tag=wireless tag=pci tag=ids tag=attack | _time,host,sourcetype,dvc,ids_type,category,signature, severity,src,dest,tag,vendor_product |
Returns rogue wireless access point protection data fields. |
Verify that the ids attack tracker file is populated. | | inputlookup ids_attack_tracker or `ids_attack_tracker` |
Returns data in the ids attack tracker. |
Vulnerability Scan Details | IDS/IPS Alert Activity |
This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.4.0, 3.4.1, 3.4.2, 3.5.0, 3.6.0, 3.6.1, 3.7.0, 3.7.1, 3.7.2, 3.8.0, 3.8.1, 4.0.0, 4.0.1, 4.1.0, 4.1.1, 4.3.0, 4.4.0, 4.4.1, 4.5.0 Cloud only, 4.6.0, 4.6.2
Feedback submitted, thanks!