Splunk® App for PCI Compliance

Installation and Configuration Manual

IDS/IPS Alert Activity

Intrusion detection and/or prevention systems (IDS/IPS) compare inbound and outbound network traffic against known signatures and/or behaviors of thousands of compromise types (hacker tools, Trojans and other malware). This report collects data on unauthorized wireless access points found on the network and provides a summarized view of the intrusion activity involving an asset in the PCI domain. Use this report to identify attack trends and behavior that could indicate a more significant threat.

Intrusion detection and/or prevention systems can be configured to either alert on or stop the intrusion attempt. Without a proactive approach to unauthorized activity detection using these tools, attacks on (or misuse of) PCI resources could go unnoticed in real time. PCI requires that the alerts generated by these tools be monitored so that attempted intrusions can be stopped before they succeed.

Relevant data sources

Relevant data sources for this report include IDS/IPS systems, network scan results, and Network Access Control (NAC) logs.

How to configure this report

  1. Index IDS/IPS alert data in the Splunk platform.
  2. Map the IDS/IPS data to the following Common Information Model fields: dvc, ids_type, category, signature, severity, src, dest. CIM-compliant add-ons for these data sources perform this step for you.
  3. Tag the IDS/IPS alert data with "ids" and "attack".
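As an added example (not taken from the Splunk documentation), the stanzas below show how steps 2 and 3 look in a custom add-on for a hypothetical sourcetype acme:ids. The sourcetype, vendor name, raw field names and the sample alert line are all constructed for illustration; the CIM field names are the ones listed above.

```ini
# --- props.conf (applies to the hypothetical sourcetype "acme:ids") ---
[acme:ids]
# Extract the vendor fields from a constructed alert line such as:
#   sensor=ids01 sid=2024001 msg="Known C2 beacon" class=trojan-activity pri=1 src_ip=10.1.2.3 dst_ip=10.9.8.7
EXTRACT-acme_alert = sensor=(?<sensor>\S+)\s+sid=(?<sid>\d+)\s+msg="(?<msg>[^"]+)"\s+class=(?<class>\S+)\s+pri=(?<pri>\d)\s+src_ip=(?<src_ip>\S+)\s+dst_ip=(?<dst_ip>\S+)

# Step 2: alias the vendor names onto the Intrusion Detection data model fields.
FIELDALIAS-acme_cim = sensor AS dvc src_ip AS src dst_ip AS dest msg AS signature class AS category
EVAL-ids_type = "network"
# Normalize the numeric vendor priority to the CIM severity vocabulary.
EVAL-severity = case(pri=="1","critical", pri=="2","high", pri=="3","medium", true(),"low")
EVAL-vendor_product = "Acme IDS"

# --- eventtypes.conf: give the alert events a name the tags can attach to ---
[acme_ids_alert]
search = sourcetype=acme:ids

# --- tags.conf (step 3): tag the events so tag=ids tag=attack and `ids_attack` return them ---
[eventtype=acme_ids_alert]
ids = enabled
attack = enabled
```

After deploying the stanzas, the troubleshooting searches later on this page confirm that the aliases and tags are in effect at search time.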

Report description

The data in the IDS/IPS report is populated by the Intrusion Detection data model.

Useful searches for troubleshooting

Troubleshooting task: Verify that IDS/IPS data has been indexed in the Splunk platform.
Search/action: tag=ids tag=attack
  or `ids_attack`
Expected result: Returns IDS/IPS data.

Troubleshooting task: Verify that fields are normalized and available at search time.
Search/action: `ids_attack` | tags outputfield=tag | table _time, host, sourcetype, dvc, ids_type, category, signature, severity, src, dest, tag, vendor_product
Expected result: Returns a table of IDS/IPS data fields.
Last modified on 14 February, 2022

This documentation applies to the following versions of Splunk® App for PCI Compliance: 5.0.1, 5.0.2, 5.1.0, 5.1.1, 5.1.2, 5.2.0, 5.3.0, 5.3.1, 5.3.2
