Splunk® App for PCI Compliance

Installation and Configuration Manual

Insecure Authentication Attempts

This report looks at attempts to access cardholder systems using insecure protocols and services. Use this report to identify the source of the insecure authentication attempts so they can be evaluated and eliminated if they pose a risk to the cardholder system.

If remote administration is not done with secure authentication and encrypted communications, sensitive administrative or operational level information like administrator passwords could be revealed to an eavesdropper. PCI DSS requires that you use only secure technologies to log into cardholder systems.

Relevant data sources

Relevant data sources for this report include any device that produces clear text or other insecure authentication activity, such as Windows Security, telnet, and others.

How to configure this report

  1. Index authentication data from a device, application, or system in Splunk platform.
  2. Map the data to the following Common Information Model fields: host, action, app, src, src_user, dest, user. CIM-compliant add-ons for these data sources perform this step for you.
  3. Tag authentication messages that pass credentials in the clear or are considered insecure with either "cleartext" or "insecure".
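As an added illustration of steps 2 and 3 (not configuration shipped with the app or with any add-on), the following Splunk .conf fragments normalize a constructed telnet daemon log format and tag it, together with Windows logon type 8 events, so the Authentication data model and this report pick them up. The sourcetype name telnetd, the regex, and the field names Logon_Type, src_ip, login_user and status are assumptions; adjust them to what your add-on actually extracts.

```ini
# props.conf
# Constructed telnet log line this stanza assumes, e.g.
#   telnetd: login from 10.1.2.3 for user jsmith: failure
[telnetd]
EXTRACT-pci_telnet_login = login from (?<src_ip>\S+) for user (?<login_user>\S+): (?<status>success|failure)
# Map the raw fields onto the CIM Authentication field names the report expects.
FIELDALIAS-pci_telnet_cim = src_ip AS src login_user AS user
EVAL-action = if(status=="success", "success", "failure")
EVAL-app = "telnet"
EVAL-dest = host

# eventtypes.conf
# Any login over telnet passes credentials in the clear.
[pci_telnet_login]
search = sourcetype=telnetd action=*

# Windows logon type 8 (NetworkCleartext) as extracted by the Windows add-on (assumed field name).
[pci_windows_cleartext_logon]
search = sourcetype=WinEventLog:Security EventCode=4624 Logon_Type=8

# tags.conf
# "authentication" feeds the data model; "cleartext"/"insecure" drive this report.
[eventtype=pci_telnet_login]
authentication = enabled
cleartext = enabled
insecure = enabled

[eventtype=pci_windows_cleartext_logon]
authentication = enabled
cleartext = enabled
insecure = enabled
```

After deploying the fragments, the troubleshooting searches below (for example `tag=authentication tag=insecure`) should return the tagged events with the CIM fields populated.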

Report description

The data in the Insecure Authentication Attempts report is populated by the Authentication data model.

Useful searches for troubleshooting

Task: Verify that authentication data is returned.
Search/Action: tag=authentication or `authentication`
Expected result: Returns all authentication activity data from your network device(s).

Task: Verify that clear text authentication attempts are returned.
Search/Action: tag=cleartext tag=insecure
Expected result: Returns all clear text authentication data.

Task: Verify that insecure authentication attempts are returned.
Search/Action: tag=authentication tag=insecure
Expected result: Returns all insecure authentication attempts.

Task: Verify that all insecure and clear text authentication data is normalized to the Common Information Model properly.
Search/Action: `authentication` | tags outputfield=tag | table _time,host,action,app,src,src_user,dest,user,tag
Expected result: Returns a table of the authentication fields.

Additional information

Windows logon events with LoginType=8 are often seen in this report; these are clear text logon attempts. Other examples include telnet login events, rsh, rexec, and so on.

Last modified on 14 February, 2022

This documentation applies to the following versions of Splunk® App for PCI Compliance: 5.0.1, 5.0.2, 5.1.0, 5.1.1, 5.1.2, 5.2.0, 5.3.0, 5.3.1, 5.3.2
