Update Service Status
This report collects data on the patch service on cardholder systems and uses the information from the antimalware solution to display a list of the systems within the PCI environment that are updating their signatures appropriately. Use this report to identify systems that have not updated their malware signatures as required.
The best antimalware software has limited effectiveness if it does not have current signatures or if it is not active in the network or on an individual's computer. The PCI DSS standard requires that the antimalware tools are current, which includes the signatures used to detect localized threats.
Relevant data sources
Relevant data sources for this report include patch service data such as the Splunk Add-on for Unix and Linux or the Splunk Add-on for Microsoft Windows.
How to configure this report
- Index service data from the systems monitored in Splunk platform.
- Map the service data to use the following Common Information Model fields.
dest, StartMode
. CIM-compliant add-ons for these data sources perform this step for you. - Tag the update service data by applying a tag of automatic and update.
- Set the
should_update
column of the assets table to true for any asset that should be evaluated for patch service status. - Configure the Interesting Services list to include the name of the service that should be evaluated and set the
is_required
field to true. Use thedest
anddest_pci_domain
fields to determine what systems should be evaluated.
Report description
The data in the Update Service Status report is populated by by a lookup against the services_tracker CSV. This tracker is populated by the Endpoint – Services Tracker - Lookup Gen saved search.
Review each lookup generating search to learn more about the search schedule and time range.
Useful searches for troubleshooting
Troubleshooting Task | Search/Action | Expected Result |
---|---|---|
Verify that patch service data is available. | sourcetype="*:Service" | stats count by dest Look for the name of the service that represents the patch product used in the customer environment |
Returns patch service data. |
Verify that fields are normalized and available as expected. | sourcetype="*:Service" | table, dest | Returns a table of patch service status activity fields. |
Verify that the service tracker file is populated as expected. | | inputlookup append=T services_tracker | Returns data in the services_tracker. |
Malware Signature Updates | System Update Status |
This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.4.0, 3.4.1, 3.4.2, 3.5.0, 3.6.0, 3.6.1, 3.7.0, 3.7.1, 3.7.2, 3.8.0, 3.8.1, 4.0.0, 4.0.1, 4.1.0, 4.1.1, 4.3.0, 4.4.0, 4.4.1, 4.5.0 Cloud only, 4.6.0, 4.6.2
Feedback submitted, thanks!