This report looks at malware activity data on cardholder systems produced by antimalware solutions or any other device that produces malware activity data. It looks at data from IDS, IPS, and DLP systems, to provide visibility into potentially unauthorized transmissions of credit card data over the network or to unauthorized removable storage devices.
Use this report to identify the source of the transmission so it can be further investigated and fixed. The cardholder data environment should be monitored for unauthorized transmission of credit card data using IDS, IPS, and DLP based technologies. PCI requires that cardholder data be protected from unauthorized access or distribution.
Relevant data sources
Relevant data sources include alerts from IDS, IPS, or DLP solutions and alerts from the Luhn-based algorithm detection method implemented in the Splunk Enterprise Security framework and used by the Splunk App for PCI Compliance.
How to configure this report
Make sure the activity data you are monitoring conforms to the malware sections of the Common Information Model.
- Index malware activity data from antivirus software in the Splunk platform.
- Map the data to the following Common Information Model fields: action, category, signature, dest, dest_nt_domain, user, file_name, file_path, file_hash. CIM-compliant add-ons for these data sources perform this step for you.
- Tag the activity data with "malware" and "attack".
The data in the Malware Activity report is populated by the Malware data model.
Useful searches for troubleshooting
|Troubleshooting Task||Search/Action||Expected Result|
|Verify that data is present.||tag=malware tag=attack||Returns malware activity data.|
|Verify that fields are normalized and available as expected.||`malware` | table _time,host,action,category,signature,dest,||Returns a table of events and the specific malware activity fields for malware activity data.|
This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.4.0, 3.4.1, 3.4.2, 3.5.0, 3.6.0, 3.6.1, 3.7.0, 3.7.1, 3.7.2, 3.8.0, 3.8.1, 4.0.0, 4.0.1, 4.1.0, 4.1.1, 4.3.0, 4.4.0, 4.4.1, 4.5.0 Cloud only