Splunk® App for PCI Compliance

Installation and Configuration Manual

Privileged User Activity

This report shows the raw events associated with privileged user activity and gives you a consolidated view of all administrative activity. Use it to evaluate privileged user accounts and review their activity for security threats that could lead to a compromise of cardholder data.

Accounts with increased privileges, such as the administrator and root accounts, can have an impact on the security or operational functionality of a system. PCI DSS requires that all actions taken by individuals using administrative credentials be monitored for misuse and abuse.

Relevant data sources

Relevant data sources for this report include any data source whose events reference a privileged user account.

How to configure this report

  1. Index privileged activity from all systems, applications, and devices.
  2. Add a category of privileged to all privileged user identities in the identity table.
  3. Tag the relevant events with the "privileged" and "authentication" tags.
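The following script, added here as an illustration and not taken from the Splunk documentation or the app itself, lays out the artifacts that steps 2 and 3 call for inside a custom app directory: an identity lookup CSV in which the privileged accounts carry the category "privileged", an event type that selects the raw privileged events, and a tags.conf stanza that attaches the "privileged" and "authentication" tags to that event type. The app name, the identity rows, and the event type search (which assumes the linux_secure sourcetype and the account names root and admin) are constructed for this example; the page's step 2 further assumes the CSV is registered as an identity source in the app's identity management settings, which this script does not do.

```shell
#!/bin/sh
# Added example (not from the Splunk documentation): writes the lookup and
# .conf fragments for the three configuration steps into an app directory.
# App name, identities and the event type search are constructed values.

write_privileged_config() {
  app_dir="$1"
  mkdir -p "$app_dir/lookups" "$app_dir/local"

  # Step 2: identity lookup rows. The header follows the identity lookup
  # format used by the app; "category" is a pipe-delimited multivalue
  # field, so an identity can carry "privileged" alongside other
  # categories, and "identity" may list aliases separated by "|".
  cat > "$app_dir/lookups/privileged_identities.csv" <<'EOF'
identity,prefix,nick,first,last,suffix,email,phone,phone2,managedBy,priority,bunit,category,watchlist,startDate,endDate,work_city,work_country,work_lat,work_long
root,,,,,,,,,,critical,infrastructure,privileged,true,,,,,,
admin|Administrator,,,,,,,,,,critical,infrastructure,privileged,true,,,,,,
jdoe,,,John,Doe,,jdoe@example.com,,,,medium,finance,cardholder_env,false,,,,,,
EOF

  # Step 3, part one: an event type that selects the raw privileged
  # events (constructed search; adjust to your own sourcetypes/accounts).
  cat > "$app_dir/local/eventtypes.conf" <<'EOF'
[privileged_account_auth]
search = sourcetype=linux_secure (user=root OR user=admin)
EOF

  # Step 3, part two: the tags the report searches on (tag=privileged).
  cat > "$app_dir/local/tags.conf" <<'EOF'
[eventtype=privileged_account_auth]
privileged = enabled
authentication = enabled
EOF
}

# Check helper: print the identities whose category field (column 13)
# contains "privileged", so you can confirm the lookup before loading it.
privileged_identities() {
  awk -F, 'NR > 1 && index($13, "privileged") { print $1 }' "$1"
}

# Usage: write_privileged_config "$SPLUNK_HOME/etc/apps/pci_privileged_local"
#        privileged_identities "$SPLUNK_HOME/etc/apps/pci_privileged_local/lookups/privileged_identities.csv"
```

After the files are in place, restart Splunk or reload the app so the event type and tags take effect, then run the troubleshooting searches below to confirm that tag=privileged returns events and that the user field on them matches the identities in the lookup.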

Report description

The data in the Privileged User Activity report is populated by the identity table.

Useful searches and Troubleshooting

Troubleshooting task: Verify that you have data from your system, application, or device.
Search/Action: sourcetype=<expected_st>
Expected result: Returns data from your systems, applications, and/or devices.

Troubleshooting task: Verify that all privileged activity is returned.
Search/Action: tag=privileged
Expected result: Returns privileged user activity data.

Troubleshooting task: Verify that all privileged user activity fields are populated.
Search/Action: tag=privileged | table event_id host sourcetype src_user user eventtype
Expected result: Returns a list of events with the privileged user activity fields populated.

Last modified on 14 February, 2022

This documentation applies to the following versions of Splunk® App for PCI Compliance: 5.0.1, 5.0.2, 5.1.0, 5.1.1, 5.1.2, 5.2.0, 5.3.0, 5.3.1, 5.3.2
