Splunk® App for PCI Compliance

User Manual

This documentation does not apply to the most recent version of Splunk® App for PCI Compliance. For documentation on the most recent version, go to the latest release.

Updates to detection rules and reports by requirements

The following table lists updates to the detection rules and reports by requirements for PCI DSS 3.2 to PCI DSS 4.0 governance controls, effective from March 2024.

PCI requirement Detection rule or report updated DSS 3.2 DSS4.0
Requirement 1 Network - Policy Or Configuration Change - Rule 1.1.1 1.2.1,1.2.2
Asset - Asset Ownership Unspecified - Rule 1.1.4 1.1.4
Network - Network Device Rebooted - Rule 1.2.2 1.2.2
PCI - Unauthorized Wireless Device Detected - Rule 1.2.3 1.3.1, 1.3.2
PCI - Unauthorized or Insecure Communication Permitted - Rule 1.2.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5 1.2.8
Network Traffic Activity Report 1.1.3, 1.2.1, 1.3* 1.2.1
Prohibited Services Report 1.1.5 & 2.2.2 1.2.5
Requirement 2 Weak Encrypted Communication Detected - Rule 2.2.3, 2.3.0 2.3.1
System Misconfigured - Rule 2.2.2, 2.2.3, 2.2.4 2.2.4
Prohibited or Insecure Port Detected - Rule 2.2.4 2.2.4
Access - Default Account Usage - Rule 2.1.0 2.2.2
Access - Default Accounts At Rest - Rule 2.1.0 2.2.2
Access - Insecure Or Cleartext Authentication - Rule 2.3.0 2.3.1
Endpoint - Multiple Primary Functions Detected - Rule 2.2.1 2.2.3
Endpoint - Prohibited Process Detection - Rule 2.2.2, 2.2.4 2.2.4
Endpoint - Prohibited Service Detection - Rule 2.2.2, 2.2.4 2.2.4
Default Access Account Report 2.1, 6.3.1*, 8.5.8 2.2.2*
Primary Functions Report 2.2.1 2.2.3
Prohibited Services Report 1.1.5, 2.2.2 1.2.5
System Misconfigurations Report 2.2.3, 2.2.4 2.2.4
Weak Encrypted Communication Report 2.2.3, 2.3, 4.1 2.3.1, 4.1
Wireless Network Misconfigurations Report 2.1.1, 4.1.1, 1.1.1 4.2.1, 4.1*
Requirement 3 PCI - Credit Card Data Transmitted In Clear - Rule 3.3.0 3.4.1
Audit - Personally Identifiable Information Detection - Rule 3.4.d 3.5.1, 3.5.1.1
Credit Card Data Found Report 3.3, 4.1, 4.2 3.4*, 4.1*, 4.2*
Requirement 4 PCI - Unencrypted Traffic on Wireless Network - Rule 4.1.1 4.1, 4.2.1
PCI - Weak Encrypted Communication Detected - Rule 4.1 4.1
PCI - Credit Card Data Transmitted In Clear - Rule 4.1 4.2.1, 4.2.2, 4.1, 4.2
Endpoint - Prohibited Process Detection - Rule 4.2 4.1
Endpoint - Prohibited Service Detection - Rule 4.1 4.1
Weak Encrypted Communication Report 2.2.3, 2.3, 4.1 2.3.1, 4.1
Credit Card Data Found Report 3.3, 4.1, 4.2 3.4*, 4.1*, 4.2*
Requirement 5 Anomalous New Processes - Rule 5.1.2 5.1
Anomalous New Services - Rule 5.1.2 5.1
Substantial Increase in an Event - Rule 5.1.2 5.1
Requirement 6 PCI - Anomalous Update Service Detected - Rule 6.1 6.2.4
PCI - High/Critical Update Missing - Rule 6.1 6.2.4
Access - Brute Force Access Behavior Detected - Rule 6.2.4
Access - Default Account Usage - Rule 6.3.1 6.3.1
Access - Excessive Failed Logins - Rule 6.2.4
Access - Inactive Account Usage - Rule 6.2.4
Default Access Account Report
Update Service Status Report
Requirement 8 Completely Inactive Account - Rule 8.1.4 8.2.6
Activity from Expired User Identity - Rule 8.2.5.a
Default Access Account Report 2.1, 6.3.1* , 8.5.8 2.2.2*
Requirement 10 PCI - Expected Host Not Reporting - Rule 10.1 10.2.1, 10.2.1.3
Audit - Anomalous Audit Trail Activity Detected - Rule 10.2.6 10.6
Audit - Expected Host Not Reporting - Rule 10.1 10.2.1, 10.2.1.3
Endpoint - Should Timesync Host Not Syncing - Rule 10.4 10.4.1, 10.6.1
Requirement 11 PCI - Rogue Wireless Device - Rule 11.1 11.2.1
Rogue Wireless Access Point Detection 11.1 11.2.1
Last modified on 19 March, 2024
Detection rules for PCI compliance monitoring   FAQ

This documentation applies to the following versions of Splunk® App for PCI Compliance: 5.3.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters