PCI Resource Access
This report collects data on access attempts to PCI resources in the cardholder data environment and provides the compliance manager with visibility into all authentication attempts. Use this report to identify access attempts by users to ensure that access to cardholder data is legitimate.
You should limit access to resources in the PCI cardholder data environment to only those whose jobs require such access. This limits the risk that an account with access to cardholder data is compromised. PCI DSS requires that all authentication attempts to systems, applications, and devices in the cardholder data environment be monitored for appropriate and legitimate access.
Relevant data sources
Relevant data sources for this report include authentication data from any system, application, or device in the cardholder data environment.
How to configure this report
- Index all authentication attempts to applications, systems, or devices into the Splunk platform.
- Map the data to the following Common Information Model fields: host, action, app, src, src_user, dest, user. CIM-compliant add-ons for these data sources perform this step for you.
- Tag the authentication data with "authentication".
- Add the pci category to all PCI assets in the asset table.
Report description
The data in the PCI Resource Access report is populated by the Authentication data model.
Useful searches for troubleshooting
Troubleshooting Task | Search/Action | Expected Result |
---|---|---|
Verify that you have data from your system, application, or device. | sourcetype=<expected_st> | Returns data from your network device or devices. |
Verify that the authentication data is tagged correctly. | tag=authentication or `authentication` | Returns authentication data. |
Verify that fields are normalized and available as expected. | `authentication` \| table _time, host, action, app, src, src_user, dest, user | Returns a table of authentication data fields. |
Additional information
- The report displays all attempts from users in either the src_user or user fields.
- The identity table includes service accounts that appear as users, such as root and network service.
- To remove these accounts entirely from the identity table, go to Configure > Content Management and open the Identities lookup.
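The configuration steps above (normalizing events to the CIM Authentication fields, restricting the report to assets carrying the pci category) and the notes about the src_user/user fields and service accounts, modelled end to end as an added Python example. This is not Splunk code and not part of this documentation: the log lines, the asset table rows, the regular expressions and every function name are constructed for the example. A real deployment gets these fields from CIM-compliant add-ons and the Authentication data model rather than hand-written parsers; the point of the model is to show what each configuration step contributes to the final report and where a missing field or an untagged asset would make an access attempt disappear from it.

```python
"""Model of the PCI Resource Access report pipeline (added example, not Splunk code)."""
import re
from collections import Counter

# The CIM Authentication fields this report expects (listed on this page).
REQUIRED_FIELDS = ("host", "action", "app", "src", "src_user", "dest", "user")

# Constructed asset table. The category value is a pipe-delimited list, as in
# the app's asset lookup; only entries containing "pci" count as cardholder
# data environment assets. The corp-fs01 row is deliberately outside the CDE.
ASSETS = [
    {"ip": "10.1.1.10", "nt_host": "cde-db01", "category": "pci|database"},
    {"ip": "10.1.1.20", "nt_host": "cde-app01", "category": "pci"},
    {"ip": "10.2.2.30", "nt_host": "corp-fs01", "category": "fileserver"},
]

# Service accounts that the identity table surfaces as users (named on this page).
SERVICE_ACCOUNTS = {"root", "network service"}

# Constructed raw lines in a hypothetical syslog-like layout (not real data).
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z cde-db01 sshd: Accepted password for alice from 10.9.9.1",
    "2024-05-01T10:00:05Z cde-db01 sshd: Failed password for bob from 10.9.9.2",
    "2024-05-01T10:00:09Z cde-app01 sshd: Accepted publickey for root from 10.1.1.10",
    "2024-05-01T10:00:12Z corp-fs01 sshd: Accepted password for carol from 10.9.9.3",
    "2024-05-01T10:00:15Z cde-app01 sudo: alice : TTY=pts/0 ; USER=root ; COMMAND=/bin/ls",
]

SSHD_RE = re.compile(
    r"^(?P<_time>\S+) (?P<host>\S+) sshd: (?P<result>Accepted|Failed) \S+ "
    r"for (?P<user>\S+) from (?P<src>\S+)"
)
SUDO_RE = re.compile(r"^(?P<_time>\S+) (?P<host>\S+) sudo: (?P<src_user>\S+) : .*USER=(?P<user>\S+)")


def normalize(line):
    """Map one raw line onto CIM Authentication fields (the add-on's job); None if unparsed."""
    m = SSHD_RE.match(line)
    if m:
        return {
            "_time": m["_time"], "host": m["host"], "app": "sshd",
            "action": "success" if m["result"] == "Accepted" else "failure",
            "src": m["src"], "src_user": None, "dest": m["host"], "user": m["user"],
        }
    m = SUDO_RE.match(line)
    if m:
        # A privilege change: the original user is src_user, the target is user.
        return {
            "_time": m["_time"], "host": m["host"], "app": "sudo", "action": "success",
            "src": m["host"], "src_user": m["src_user"], "dest": m["host"], "user": m["user"],
        }
    return None


def missing_fields(events):
    """Required fields that no event populates: the check behind the last troubleshooting row."""
    return {f for f in REQUIRED_FIELDS if not any(e.get(f) for e in events)}


def is_pci_asset(name_or_ip):
    """True when the asset table lists this host or IP with the pci category."""
    for asset in ASSETS:
        if name_or_ip in (asset["ip"], asset["nt_host"]):
            return "pci" in asset["category"].split("|")
    return False


def reporting_user(event):
    """The report attributes an attempt to src_user when present, otherwise to user."""
    return event["src_user"] or event["user"]


def build_report(lines):
    """Access attempts against pci assets, one row per user/action/app/dest."""
    events = [e for e in (normalize(line) for line in lines) if e]
    rows = Counter()
    for e in events:
        if not is_pci_asset(e["dest"]):
            continue  # not in the cardholder data environment: out of scope
        rows[(reporting_user(e), e["action"], e["app"], e["dest"])] += 1
    return [
        {"user": u, "action": a, "app": app, "dest": d, "count": n,
         "service_account": u.lower() in SERVICE_ACCOUNTS}
        for (u, a, app, d), n in sorted(rows.items())
    ]


if __name__ == "__main__":
    print("missing fields:", missing_fields([normalize(l) for l in SAMPLE_LOGS]) or "none")
    for row in build_report(SAMPLE_LOGS):
        print(row)
```

Running the block prints four rows: carol's login to corp-fs01 is dropped because that asset lacks the pci category, the sudo event is attributed to alice (src_user) rather than root (user), and the direct root login to cde-app01 is flagged as a service account so the reviewer can decide whether to remove it from the identity table as described above.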
This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.5.0, 3.6.0, 3.6.1, 3.7.0, 3.7.1, 3.7.2, 3.8.0, 3.8.1, 4.0.0, 4.0.1, 4.1.0, 4.1.1, 4.3.0, 4.4.0, 4.4.1, 4.5.0 Cloud only, 4.6.0, 4.6.2