This report collects information on system changes discovered on cardholder systems. It shows a list of all changes identified using Splunk FSChange, Splunk platform file integrity tools, and other change data captured within Splunk platform. Use this report to identify anomalous or unexpected changes to system objects, critical system files, configuration files, or content files that are being monitored.
PCI DSS requires that you monitor systems for changes to system level objects, critical system files, configuration files, or content files on systems within the cardholder data environment. Compare these files and objects periodically to ensure that the integrity of these files is preserved.
Relevant data sources
Relevant data sources for this report include change data, inclusive to file integrity changes such as fschange, OSSEC, Tripwire, and others.
How to configure this report
- Index endpoint change data in Splunk platform.
- Map the data to the following Common Information Model fields:
action, dest, object, object_category, object_path, status, user. CIM-compliant add-ons for these data sources perform this step for you.
- Tag the endpoint change data with "endpoint", and "change".
The data in the Endpoint Changes report is populated by the Change Analysis data model.
Useful searches for troubleshooting
|Troubleshooting Task||Search/Action||Expected Result|
|Verify that you have data from your network device(s).||sourcetype=<expected_st>||Returns data from your network device(s).|
|Verify that endpoint change data is being indexed in Splunk platform.||tag=endpoint tag=change||Returns endpoint change data.|
|Verify that fields are normalized and available as expected.||tag=endpoint tag=change | fillnull value=unknown action, dest, object, object_category, object_path, status, user
or `endpoint_change` | table action,dest,object,object_category,object_path,status,user
|Returns a table of endpoint change fields.|
PCI Resource Access
System Time Synchronization
This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.4.0, 3.4.1, 3.4.2, 3.5.0, 3.6.0, 3.6.1, 3.7.0, 3.7.1, 3.7.2, 3.8.0, 3.8.1, 4.0.0, 4.0.1, 4.1.0, 4.1.1, 4.3.0, 4.4.0, 4.4.1, 4.5.0 Cloud only