Splunk® App for PCI Compliance

Installation and Configuration Manual

Endpoint Changes

This report collects information on system changes discovered on cardholder systems. It shows a list of all changes identified using Splunk FSChange, Splunk platform file integrity tools, and other change data captured within Splunk platform. Use this report to identify anomalous or unexpected changes to system objects, critical system files, configuration files, or content files that are being monitored.

PCI DSS requires that you monitor systems for changes to system level objects, critical system files, configuration files, or content files on systems within the cardholder data environment. Compare these files and objects periodically to ensure that the integrity of these files is preserved.

Relevant data sources

Relevant data sources for this report include change data, in particular file integrity change data from tools such as fschange, OSSEC, Tripwire, and others.

How to configure this report

  1. Index endpoint change data in Splunk platform.
  2. Map the data to the following Common Information Model fields: action, dest, object, object_category, object_path, status, user. CIM-compliant add-ons for these data sources perform this step for you.
  3. Tag the endpoint change data with "endpoint" and "change".
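As an added example (not from the Splunk documentation), the following props.conf, eventtypes.conf and tags.conf fragments show what steps 2 and 3 look like for a hypothetical custom file-integrity sourcetype `acme:fim` whose raw events carry the fields `host_name`, `file`, `change_type` and `who`. The sourcetype, the raw field names and the `change_type` values are assumptions; the target field names and tags are the ones this report requires.

```ini
# props.conf  (sourcetype acme:fim and its raw field names are hypothetical)
[acme:fim]
# Step 2: alias raw fields onto the Common Information Model fields the report expects
FIELDALIAS-acme_fim_dest = host_name AS dest
FIELDALIAS-acme_fim_path = file AS object_path
FIELDALIAS-acme_fim_user = who AS user
# Normalize the vendor's change codes (assumed: add/mod/del) to CIM-style action values;
# anything unrecognized becomes "unknown" so it stands out in the troubleshooting search
EVAL-action = case(change_type=="add","created", change_type=="mod","modified", change_type=="del","deleted", true(),"unknown")
# object is the bare file name; object_category tells the data model what kind of object changed
EVAL-object = replace(file, "^.*/", "")
EVAL-object_category = "file"
EVAL-status = "success"

# eventtypes.conf  (the event type is the hook the tags attach to)
[acme_fim_change]
search = sourcetype=acme:fim

# tags.conf  Step 3: the Endpoint Changes report only sees events carrying both tags
[eventtype=acme_fim_change]
endpoint = enabled
change = enabled
```

Once deployed, the `tag=endpoint tag=change | fillnull value=unknown ...` search in the troubleshooting table should show no `unknown` values in the aliased fields for these events.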

Report description

The data in the Endpoint Changes report is populated by the Change Analysis data model.

Useful searches for troubleshooting

Troubleshooting task: Verify that you have data from your network device(s).
Search/action: sourcetype=<expected_st>
Expected result: Returns data from your network device(s).

Troubleshooting task: Verify that endpoint change data is being indexed in Splunk platform.
Search/action: tag=endpoint tag=change
Expected result: Returns endpoint change data.

Troubleshooting task: Verify that fields are normalized and available as expected.
Search/action: tag=endpoint tag=change | fillnull value=unknown action, dest, object, object_category, object_path, status, user
or `endpoint_change` | table action,dest,object,object_category,object_path,status,user
Expected result: Returns a table of endpoint change fields.
Last modified on 14 February, 2022

This documentation applies to the following versions of Splunk® App for PCI Compliance: 5.0.1, 5.0.2, 5.1.0, 5.1.1, 5.1.2, 5.2.0, 5.3.0, 5.3.1, 5.3.2
