Splunk® App for PCI Compliance

Installation and Configuration Manual

PCI System Inventory

This report provides visibility into software that is running on PCI assets. Monitor this report on a daily basis to ensure that no unexpected services or applications are being run. Unexpected software components should be investigated further.

Maintaining a current list of all software components running in the PCI compliant environment enables an organization to define risk exposure and devise adequate controls. Without an automated inventory, some system components could be inadvertently excluded from the organization's configuration standards.

Relevant data sources

Relevant data sources for this report include service, process, and port data such as the Splunk Add-on for Unix and Linux or the Splunk Add-on for Microsoft Windows.

How to configure this report

  1. Index process, service, and/or port data in Splunk platform.
  2. Map the data to the following Common Information Model fields. Map services fields to dest, StartMode. Map process fields to dest,process. Map port fields to dest,dest_port,transport. CIM-compliant add-ons for these data sources perform this step for you.

Report description

The data in the 'PCI Inventory' report is populated by three lookups. One lookup is generated by the Endpoint - Local Processes - Lookup Gen saved search, a second by the Endpoint - Services Tracker - Lookup Gen saved search, and the third by the Endpoint - Listening Ports Tracker- Lookup Gen saved search. The localprocesses_tracker, services_tracker macros correlate process data with the asset and identity tables to pull in additional information.

This report includes three searches: Endpoint - Local Processes - Lookup Gen, Endpoint - Services Tracker - Lookup Gen, and Endpoint - Listening Ports Tracker- Lookup Gen.

Useful searches for troubleshooting

Troubleshooting Task Search/Action Expected Result
Verify that service, process, and/or port information has been indexed.


Returns data from service, process, and/or port. For example, sourcetype=WMI:Service.
Verify that the service data has been normalized at search time correctly.

sourcetype="*:Service" | table dest, StartMode

`service` | table dest, StartMode

Returns a table of all service events.
Verify that the process data has been normalized at search time correctly.

sourcetype="*:LocalProcesses" | table dest, process

Returns a table of local process data.
Verify that the port data has been normalized at search time correctly.

tag=listening tag=port | table dest,dest_port,transport

| `listeningports` | table dest,dest_port,transport

Returns a table of port data.
Verify that the service tracker file is getting created correctly.

| inputlookup append=T services_tracker

| `services_tracker`

Returns data in the service tracker
Verify that the process tracker file is getting created correctly.

| inputlookup append=T localprocesses_tracker

| `localprocesses_tracker`

Returns local processes data.
Verify that the port tracker file is getting created correctly.

| inputlookup append=T listeningports_tracker

| `listeningports_tracker`

Returns data in the port tracker.
Verify that the Interesting Services, Interesting Processes, and/or Interesting Ports lookups are populated with expected prohibited values. Open the relevant lists in Configure > Content Management and verify that the is_prohibited column is set to "true/false".

Additional information

This report uses default source types that ship with the Splunk add-on for *nix and the Splunk add-on for Windows.

Tracker files for this report are located:

  • $SPLUNK_HOME/etc/apps/SA-EndpointProtection/lookups/listeningports_tracker.csv
  • $SPLUNK_HOME/etc/apps/SA-EndpointProtection/lookups/services_tracker.csv
  • $SPLUNK_HOME/etc/apps/SA-EndpointProtection/lookups/localprocesses_tracker.csv
Last modified on 14 February, 2022
Insecure Authentication Attempts   Primary Functions

This documentation applies to the following versions of Splunk® App for PCI Compliance: 5.0.1, 5.0.2, 5.1.0, 5.1.1, 5.1.2, 5.2.0, 5.3.0, 5.3.1, 5.3.2

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters