Splunk® App for PCI Compliance

Installation and Configuration Manual

Update Service Status

This report collects data on the patch service on cardholder systems and uses the information from the antimalware solution to display a list of the systems within the PCI environment that are updating their signatures appropriately. Use this report to identify systems that have not updated their malware signatures as required.

The best antimalware software has limited effectiveness if it does not have current signatures or if it is not active in the network or on an individual's computer. The PCI DSS standard requires that the antimalware tools are current, which includes the signatures used to detect localized threats.

Relevant data sources

Relevant data sources for this report include patch service data such as the Splunk Add-on for Unix and Linux or the Splunk Add-on for Microsoft Windows.

How to configure this report

  1. Index service data from the systems monitored in Splunk platform.
  2. Map the service data to use the following Common Information Model fields. dest, StartMode. CIM-compliant add-ons for these data sources perform this step for you.
  3. Tag the update service data by applying a tag of automatic and update.
  4. Set the should_update column of the assets table to true for any asset that should be evaluated for patch service status.
  5. Configure the Interesting Services list to include the name of the service that should be evaluated and set the is_required field to true. Use the dest and dest_pci_domain fields to determine what systems should be evaluated.

Report description

The data in the Update Service Status report is populated by by a lookup against the services_tracker CSV. This tracker is populated by the Endpoint – Services Tracker - Lookup Gen saved search.

Review each lookup generating search to learn more about the search schedule and time range.

Useful searches for troubleshooting

Troubleshooting Task Search/Action Expected Result
Verify that patch service data is available. sourcetype="*:Service" | stats count by dest

Look for the name of the service that represents the patch product used in the customer environment

Returns patch service data.
Verify that fields are normalized and available as expected. sourcetype="*:Service" | table, dest Returns a table of patch service status activity fields.
Verify that the service tracker file is populated as expected. | inputlookup append=T services_tracker Returns data in the services_tracker.
Last modified on 14 February, 2022
Malware Signature Updates   System Update Status

This documentation applies to the following versions of Splunk® App for PCI Compliance: 5.0.1, 5.0.2, 5.1.0, 5.1.1, 5.1.2, 5.2.0, 5.3.0, 5.3.1, 5.3.2

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters