Splunk® App for PCI Compliance

Installation and Configuration Manual

Rogue Wireless Access Point Protection

This report gathers data on unauthorized wireless access points found on the network. It uses the data generated by IDS/IPS systems, network scan results, or Network Access Control (NAC) logs to report on any rogue access device detections. Use this report to see any discovered rogue access devices and more deeply explore the network, user activity, or system activity to further investigate the access points.

Implementation and/or exploitation of wireless technology within a network is one of the most common paths for malicious users to gain access to the network and cardholder data. If a wireless device or network is installed without a company's knowledge, it can allow an attacker to easily and invisibly enter the network. PCI compliance requires that organizations test for the presence of wireless access devices on the network at least once every three months. More frequent testing is recommended.

Relevant data sources

Relevant data sources for this report include IDS/IPS systems, network scan results, or Network Access Control (NAC) logs.

How to configure this report

  1. Index wireless access detection data in Splunk platform.
  2. Map the wireless access detection data to the following Common Information Model fields: dvc, ids_type, category, signature, severity, src, dest.
  3. Tag the successful synchronization data with "rogue", "wireless", "ids", and "attack".

Report description

The data in the Rogue Wireless Access Point Protection report is populated by the Intrusion Detection data model.

Useful searches for troubleshooting

Troubleshooting Task Search/Action Expected Result
Verify that you have rogue wireless access point data. sourcetype=<expected_st> Returns rogue wireless access point data.
Verify that wireless access data from an IDS, network scan, or network scan is in Splunk platform. tag=rogue tag=wireless tag=ids tag=attack Returns rogue wireless access point protection data.
Verify that fields are normalized and available at search time. search tag=rogue tag=wireless tag=pci tag=ids tag=attack | _time,host,sourcetype,dvc,ids_type,category,signature,
severity,src,dest,tag,vendor_product
Returns rogue wireless access point protection data fields.
Verify that the ids attack tracker file is populated. | inputlookup ids_attack_tracker
or `ids_attack_tracker`
Returns data in the ids attack tracker.
Last modified on 14 February, 2022
Vulnerability Scan Details   IDS/IPS Alert Activity

This documentation applies to the following versions of Splunk® App for PCI Compliance: 5.0.1, 5.0.2, 5.1.0, 5.1.1, 5.1.2, 5.2.0, 5.3.0, 5.3.1, 5.3.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters