Splunk® App for PCI Compliance

Installation and Configuration Manual

System Update Status

This report collects information on the patch status of cardholder systems and provides visibility into the current patch state for systems within the PCI cardholder data environment. Use this report to identify systems that are not patched according to policy.

Many attacks use widely published exploits that can be avoided if systems are patched appropriately. PCI DSS requires that systems and applications are protected by installing the latest vendor-supplied patches. Splunk software uses the data from your patch management solution to generate this report.

Relevant data sources

Relevant data sources for this report include patch activity data from the native operating system or a patch management tool such as Windows Update.

How to configure this report

  1. Index patch activity data from the systems to be monitored.
  2. Map the patch data to the following Common Information Model fields: signature_id, signature, status. CIM-compliant add-ons for these data sources perform this step for you.
  3. Tag the patch activity data with "update" and "status".
  4. Set the should_update column of the assets table to true for any asset that should be evaluated for patch activity.
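
For a patch source that has no CIM-compliant add-on, steps 2 and 3 can be done by hand in Splunk configuration files. The following is an added example, not part of the original manual or the app's shipped configuration; the sourcetype acme:patch, its raw fields (kb_id, kb_title, result) and the result strings are hypothetical, and the target status values are an assumption to check against the CIM Updates data model reference.

```ini
# Constructed example. Sourcetype "acme:patch" and raw fields
# kb_id, kb_title, result are hypothetical; substitute your own.

# --- props.conf: step 2, map raw fields to the CIM field names ---
[acme:patch]
FIELDALIAS-patch_signature_id = kb_id AS signature_id
FIELDALIAS-patch_signature = kb_title AS signature
# Collapse vendor-specific result strings into a small, fixed set of
# status values so the report does not miss unpatched hosts because of
# spelling differences. Unknown strings fall through to "invalid"
# instead of being silently counted as installed.
EVAL-status = case(result=="Succeeded", "installed", result=="Failed", "failure", result=="Pending", "available", true(), "invalid")

# --- eventtypes.conf: name the patch activity events ---
[acme_patch_activity]
search = sourcetype="acme:patch"

# --- tags.conf: step 3, apply both tags to that event type ---
[eventtype=acme_patch_activity]
update = enabled
status = enabled
```

After a restart or configuration reload, the search tag=update tag=status | table signature_id, signature, status should return the three fields populated for the new source.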

Report description

The data in the System Update Status report is populated by the Updates data model.

Useful searches for troubleshooting

Troubleshooting Task: Verify that patch activity data is available in Splunk Enterprise.
Search/Action: tag=update tag=status
Expected Result: Returns system patch status data.

Troubleshooting Task: Verify that fields are normalized and available as expected.
Search/Action: tag=update tag=status | table signature_id, signature, status
or `system_update`
Expected Result: Returns a table of the system patch status data fields.

Troubleshooting Task: Verify that the system update tracker is populated as expected.
Search/Action: | `system_update_tracker`
Expected Result: Returns data in the system_update_tracker.

Last modified on 14 February, 2022

This documentation applies to the following versions of Splunk® App for PCI Compliance: 5.0.1, 5.0.2, 5.1.0, 5.1.1, 5.1.2, 5.2.0, 5.3.0, 5.3.1, 5.3.2
