Primary Functions
This report looks at cardholder systems that have multiple primary functions active. The data in the Primary Functions report is generated from a lookup file (assets.csv
) populated by the user. This report looks at process data, service data, and port/protocol data to determine what functions are running on a system and displays them in the result. Use this report to identify systems where multiple primary functions might be running or where unexpected services could be in use.
Systems within the PCI cardholder environment should be implemented with only a single primary function to prevent functions that require different security levels from coexisting on the same server. The PCI requirement ensures that your system configuration standards and related processes minimize the potential for introducing security weaknesses to the system.
Relevant data sources
Relevant data sources for this report include service, process, and port data such as the Splunk Add-on for Unix and Linux or the Splunk Add-on for Microsoft Windows.
How to configure this report
- Index process, service, and/or port data in Splunk platform.
- Map the data to the following Common Information Model fields. Map services fields to
dest, StartMode
. Map process fields todest, process
. Map port fields:dest,dest_port,transport
. CIM-compliant add-ons for these data sources perform this step for you. - Configure the Primary Functions list with the functions desired.
Report description
The data in the Primary Functions report is populated by three lookups. One lookup is generated by the Endpoint - Local Processes - Lookup Gen
saved search, a second by the Endpoint - Services Tracker - Lookup Gen
saved search, and the third by the Endpoint - Listening Ports Tracker- Lookup Gen
saved search. The localprocesses_tracker, services_tracker macros correlate process data with the asset and identity tables to pull in additional information.
This report includes three searches: Endpoint - Local Processes - Lookup Gen
, Endpoint - Services Tracker - Lookup Gen
, and Endpoint - Listening Ports Tracker- Lookup Gen
.
Review each lookup generating search to learn more about the search schedule and time range.
The primary functions list can be found at Configure > Content Management and clicking the Primary Functions lookup. The primary functions CSV can be found at $SPLUNK_HOME/etc/apps/SA-EndpointProtection/lookups/primary_functions.csv
.
Useful searches for troubleshooting
Troubleshooting Task | Search/Action | Expected Result |
---|---|---|
Verify that service, process, and/or port information has been indexed. | sourcetype=<expected_st> | Returns data from your expected source type. |
Verify that the service data has been normalized at search time correctly. | Windows: sourcetype="*Services" | table dest, StartMode or Nix: sourcetype="Unix:Service" | table dest, start_mode |
Returns a table of service data. |
Verify that the process data has been normalized at search time correctly. | sourcetype="*:LocalProcess" | table dest, process | Returns a table of process data. |
Verify that the port data has been normalized at search time correctly. | tag=listening tag=port | table dest,dest_port,transport or `listeningports` | table dest,dest_port,transport |
Returns a table of port data. |
Verify that the service tracker file is getting created correctly. | | inputlookup append=T services_tracker or | `services_tracker` |
Returns data in the services tracker file. |
Verify that the process tracker file is getting created correctly. | | inputlookup append=T localprocesses_tracker or | `localprocesses_tracker` |
Returns data in the process tracker file. |
Verify that the port tracker file is getting created correctly. | | inputlookup append=T listeningports_tracker or | `listeningports_tracker` |
Returns data in the port tracker file. |
Verify that the primary functions tracker is created correctly. | `primary_functions_tracker` | Returns data in the primary functions tracker. |
Additional information
This report uses default source types that ship with the Splunk add-on for Windows and the Splunk add-on for *nix.
Tracker files for this report are located:
$SPLUNK_HOME/etc/apps/SA-EndpointProtection/lookups/listeningports_tracker.csv
$SPLUNK_HOME/etc/apps/SA-EndpointProtection/lookups/services_tracker.csv
$SPLUNK_HOME/etc/apps/SA-EndpointProtection/lookups/localprocesses_tracker.csv
PCI System Inventory | Prohibited Services |
This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.5.0, 3.6.0, 3.6.1, 3.7.0, 3.7.1, 3.7.2, 3.8.0, 3.8.1, 4.0.0, 4.0.1, 4.1.0, 4.1.1, 4.3.0, 4.4.0, 4.4.1, 4.5.0 Cloud only, 4.6.0, 4.6.2
Feedback submitted, thanks!