System Update Status
This report collects information on the patch status of cardholder systems and provides visibility into the current patch state for systems within the PCI cardholder data environment. Use this report to identify systems that are not patched according to policy.
Many attacks use widely published exploits that can be avoided if systems are patched appropriately. PCI DSS requires that systems and applications are protected by installing the latest vendor-supplied patches. Splunk software uses the data from your patch management solution to generate this report.
Relevant data sources
Relevant data sources for this report include patch activity data from the native operating system or a patch management tool such as Windows Update.
How to configure this report
- Index patch activity data from the systems to be monitored.
- Map the patch data to use the following Common Information Model fields:
signature_id,signature,status. CIM-compliant add-ons for these data sources perform this step for you.
- Tag the patch activity data with "update", and "status".
- Set the
should_updatecolumn of the assets table to true for any asset that should be evaluated for patch activity.
The data in the System Update Status report is populated by the Updates data model.
Useful searches for troubleshooting
|Troubleshooting Task||Search/Action||Expected Result|
|Verify that patch activity data is available in Splunk Enterprise.||tag=update tag=status||Returns system patch status data.|
|Verify that fields are normalized and available as expected.||tag=update tag=status | table signature_id, signature, status
|Returns a table of the system patch status data fields.|
|Verify that the system update tracker is populated as expected.||| `system_update_tracker`||Returns data in the system_update_tracker.|
Update Service Status
Anomalous System Uptime
This documentation applies to the following versions of Splunk® App for PCI Compliance: 5.0.1, 5.0.2, 5.1.0
Feedback submitted, thanks!