Endpoint Product Deployment
This report provides a summary and detail view of all PCI assets and the most current product versions installed. Use this report to identify any assets that are not using the current antimalware product versions and take appropriate measures to ensure these systems are updated. Review this report at least once per day. Review this report more frequently if you are collecting data from antimalware solutions more frequently.
PCI DSS requires that assets within the cardholder data environment have antimalware technology installed and working to protect against viruses, worms, trojans, and other malware-based threats. The best antimalware software has limited effectiveness if it does not have the current antivirus product versions.
Relevant data sources
Relevant data sources for this report include antivirus activity, endpoint version data, or endpoint product signature data. This report looks at endpoint protection deployment activity data produced by firewalls, routers, switches, and any other device that produces endpoint data.
How to configure this report
- Index endpoint product version data, signature data, or activity data from an antivirus or other endpoint protection software.
- Map the data to the following Common Information Model fields:
dest, product_version, vendor_product
. CIM-compliant add-ons for these data sources perform this step for you. - Tag the activity data with with "malware", "operation", and "attack".
Report description
The data in the Endpoint Product Deployment report is populated by a lookup that runs against the malware_operation_tracker
CSV file. This file is created by the Endpoint - Malware Operations Tracker - Lookup Gen
lookup.
Review each lookup generating search to learn more about the search schedule and time range.
Useful searches for troubleshooting
Troubleshooting Task | Search/Action | Expected Result |
---|---|---|
Verify that malware activity data is present. | tag=malware tag=attack | Returns malware activity data. |
Verify that malware activity data fields are normalized. | `malware` | table _time, host, action, category, signature, dest, dest_nt_domain, user, vendor_product | Returns a table of malware activity data fields. |
Verify that the endpoint operations tracker file has been populated as expected. | | inputlookup append=T malware_operations_tracker or |`malware_operations_tracker` |
Returns data in the endpoint product version tracker. |
Additional information
The following lookup is also used:
- Search:
Endpoint - Malware Operations Tracker - Lookup Gen
, which populates the lookupmalware_operations_tracker
and creates a CSV file,malware_operations_tracker.csv
.
Credit Card Data Found | Endpoint Product Versions |
This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.4.0, 3.4.1, 3.4.2, 3.5.0, 3.6.0, 3.6.1, 3.7.0, 3.7.1, 3.7.2, 3.8.0, 3.8.1, 4.0.0, 4.0.1, 4.1.0, 4.1.1, 4.3.0, 4.4.0, 4.4.1, 4.5.0 Cloud only, 4.6.0, 4.6.2
Feedback submitted, thanks!