Splunk® App for PCI Compliance

User Manual

Reports

The Splunk App for PCI Compliance provides a variety of built-in reports for areas of PCI compliance. The reports are organized by PCI DSS requirement. Some reports apply to more than one requirement and appear in more than one place. Use these reports to show compliance in each of the PCI DSS requirement areas.

Requirement 1 - Network Traffic

Firewall Rule Activity

Use this report to track activity related to the firewall rules. Use the filters to modify the search results.

The Activity by Month panel shows activities in the timeline view based on the filters provided. In the timeline view, you can customize the search or save the search to view the same results at a later time.

To configure this report see Firewall Rule Activity in the Splunk App for PCI Compliance Installation and Configuration Manual.

Network Traffic Activity

Use this report to capture network traffic activity. Use the filters to modify the search results.

The Traffic By Source And Destination Domain panel shows all traffic events over time grouped by all source and destination domains.

The Recent Notable Events - Last 24 Hours panel shows the notable events for the last 24 hours by time, rule name, system, status group, and owner.

The Traffic Detail panel shows activities in the timeline view based on the filters provided. In the timeline view, you can customize the search or save the search to view the same results at a later time.

The Recent Risk Modifiers panel shows risk object details, source, annotations, annotation frameworks, and risk score by timestamp.

To configure this report see Network Traffic Activity in the Splunk App for PCI Compliance Installation and Configuration Manual.

Prohibited Services

Use this report to review host ports, processes, and services. Use the filters to modify the search results.

The Recent Notable Events By Status (Last 30 Days) panel shows the notable events by status group for the last 30 days.

The Recent Notable Events - Last 24 Hours panel shows the notable events for the last 24 hours by time, rule name, system, status group, and owner.

The Service Details panel shows events in the timeline view. In the timeline view, you can customize the search or save the search to view the same results at a later time.

The Recent Risk Modifiers panel shows risk object details, source, annotations, annotation frameworks, and risk score by timestamp.

To configure this report see Prohibited Services in the Splunk App for PCI Compliance Installation and Configuration Manual.

Requirement 2 - Default Configurations

Default Account Access

Use this report to report on default account access in your PCI compliance environment. Use the filters to modify the search results.

The Default Account Access Over Time panel shows a count of authentication sources and destinations.

The Recent Notable Events - Last 24 Hours panel shows the notable events for the last 24 hours by time, rule name, system, status group, and owner.

The Default Account Access Details panel shows all events in the timeline view. In the timeline view you can work with the search results in the same way you can work with any search. Customize the search or save the search to view the same results at a later time.

The Recent Risk Modifiers panel shows risk object details, source, annotations, annotation frameworks, and risk score by timestamp.

To configure this report see Default Account Access in the Splunk App for PCI Compliance Installation and Configuration Manual.

Insecure Authentication Attempts

Use this report to track insecure authentication attempts. Use the filters to modify the search results.

The Insecure Authentication Attempts panel shows events in the timeline view. In the timeline view, you can customize the search or save the search to view the same results at a later time.

To configure this report see Insecure Authentication Attempts in the Splunk App for PCI Compliance Installation and Configuration Manual.

PCI System Inventory

Use this report to maintain an inventory of software components running in the PCI compliant environment. Use the filters such as Asset and Category to modify the search results.

In the System Inventory panel, use the Resource selector to view results by Ports, Processes, or Services. This panel shows events in the timeline view. In the timeline view, you can customize the search or save the search to view the same results at a later time.

To configure this report see PCI System Inventory in the Splunk App for PCI Compliance Installation and Configuration Manual.

Primary Functions

Use this report to identify systems where multiple primary functions may be running or where unexpected services could be in use. Use the filters to modify the search results.

The Primary Function Summary panel shows the number of events over time grouped by the function.

The Recent Notable Events - Last 24 Hours panel shows the notable events for the last 24 hours by time, rule name, system, status group, and owner.

The Primary Function Details panel shows events in the timeline view. In the timeline view, you can customize the search or save the search to view the same results at a later time.

The Recent Risk Modifiers panel shows risk object details, source, annotations, annotation frameworks, and risk score by timestamp.

To configure this report see Primary Functions in the Splunk App for PCI Compliance Installation and Configuration Manual.

Prohibited Services

Use this report to monitor prohibited services that may be running in your environment. Use the filters to modify the search results.

The Notable Events By Status (Last 30 Days) panel shows the notable events by status group for the last 30 days.

The Recent Notable Events - Last 24 Hours panel shows the notable events for the last 24 hours by time, rule name, system, status group, and owner.

The Service Details panel shows events in the timeline view. In the timeline view you can work with the search results in the same way you can work with any search; customize the search or save the search to view the same results at a later time.

The Recent Risk Modifiers panel shows risk object details, source, annotations, annotation frameworks, and risk score by timestamp.

To configure this report see Prohibited Services in the Splunk App for PCI Compliance Installation and Configuration Manual.
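The Primary Functions and Prohibited Services reports above both rest on the same check: compare each host's listening processes against what its role permits, flag hosts that implement more than one primary function, and flag services that must not run in the cardholder data environment. The following is an added example of that logic in Python; it is not code from the Splunk App for PCI Compliance. The inventory, the process-to-function mapping and the prohibited list are constructed assumptions, standing in for the app's asset and port/process lookups.

```python
"""Check a listening-port inventory for hosts that run more than one primary
function and for prohibited services.

Added example, not logic from the Splunk App for PCI Compliance. The
inventory, the process-to-function mapping and the prohibited list are
constructed assumptions; a real deployment would take them from the app's
asset and port/process lookups.
"""
from collections import defaultdict

# Constructed inventory: (host, port, transport, process), the shape a
# host-based port/process scan typically produces.
SAMPLE_INVENTORY = [
    ("web01", 443, "tcp", "nginx"),
    ("web01", 22, "tcp", "sshd"),
    ("web01", 3306, "tcp", "mysqld"),   # database listener on a web server
    ("db01", 3306, "tcp", "mysqld"),
    ("db01", 22, "tcp", "sshd"),
    ("db01", 23, "tcp", "telnetd"),     # cleartext admin service
    ("pos01", 21, "tcp", "vsftpd"),     # cleartext file transfer
    ("pos01", 9999, "tcp", "mystery"),  # not in the mapping: needs review
]

# Primary function each process implies. None marks a management service
# that does not count toward the one-primary-function rule.
FUNCTION_BY_PROCESS = {
    "nginx": "web", "httpd": "web",
    "mysqld": "database", "postgres": "database",
    "named": "dns",
    "sshd": None,
}

# Services that must not run in the CDE. Assumption for this example:
# protocols that carry credentials in cleartext.
PROHIBITED_PROCESSES = {"telnetd", "vsftpd", "rshd", "rlogind"}


def primary_functions(inventory):
    """Map host -> set of primary functions implied by its listening processes."""
    funcs = defaultdict(set)
    for host, _port, _proto, proc in inventory:
        fn = FUNCTION_BY_PROCESS.get(proc)
        if fn is not None:
            funcs[host].add(fn)
    return dict(funcs)


def hosts_with_multiple_functions(inventory):
    """Hosts violating the one-primary-function-per-server rule, sorted."""
    return sorted(h for h, fns in primary_functions(inventory).items() if len(fns) > 1)


def prohibited_services(inventory):
    """(host, port, process) for every listener on the prohibited list."""
    return [(h, p, proc) for h, p, _t, proc in inventory if proc in PROHIBITED_PROCESSES]


def unexpected_services(inventory):
    """Listeners covered by neither the mapping nor the prohibited list."""
    return [(h, p, proc) for h, p, _t, proc in inventory
            if proc not in FUNCTION_BY_PROCESS and proc not in PROHIBITED_PROCESSES]


if __name__ == "__main__":
    print("multiple functions:", hosts_with_multiple_functions(SAMPLE_INVENTORY))
    print("prohibited:", prohibited_services(SAMPLE_INVENTORY))
    print("unexpected:", unexpected_services(SAMPLE_INVENTORY))
```

The unexpected list matters as much as the prohibited one: a listener that no lookup recognizes is exactly the "unexpected service" the Primary Functions report is meant to surface, and silently ignoring it would let a new service go unreviewed.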

System Misconfigurations

Use this report to track the configuration of systems in your environment. Use the filters to modify the search results.

The Systems With Misconfigurations (Last 90 Days) panel shows the count of misconfigured systems over the last 90 days on a time chart.

The Recent Notable Events - Last 24 Hours panel shows the notable events for the last 24 hours by time, rule name, system, status group, and owner.

The System Misconfiguration Details panel shows events in the timeline view. In the timeline view, you can customize the search or save the search to view the same results at a later time.

The Recent Risk Modifiers panel shows risk object details, source, annotations, annotation frameworks, and risk score by timestamp.

To configure this report see System Misconfigurations in the Splunk App for PCI Compliance Installation and Configuration Manual.

Weak Encrypted Communication

Use this report to track communication between sources and destinations that uses SSL or early TLS encryption protocols in your environment. Use the filters to modify the search results.

The Weak Encrypted Communication (By SSL Version) panel shows a count of events that use encryption grouped by SSL or TLS version.

The Recent Notable Events - Last 24 Hours panel shows the notable events for the last 24 hours by time, rule name, system, status group, and owner.

The Weak Encrypted Communication Detail panel shows all events in the timeline view. In the timeline view, you can customize the search or save the search to view the same results at a later time.

The Recent Risk Modifiers panel shows risk object details, source, annotations, annotation frameworks, and risk score by timestamp.

To configure this report see Weak Encrypted Communication in the Splunk App for PCI Compliance Installation and Configuration Manual.

Wireless Network Misconfigurations

Use this report to track wireless usage in your environment. Use the filters to modify the search results.

The Wireless Misconfigurations Summary (Last 90 Days) panel shows the count of misconfigured wireless systems over the last 90 days on a time chart.

The Recent Notable Events - Last 24 Hours panel shows the notable events for the last 24 hours by time, rule name, system, status group, and owner.

The Wireless Misconfigurations Details panel shows all events in the timeline view. In the timeline view, you can customize the search or save the search to view the same results at a later time.

The Recent Risk Modifiers panel shows risk object details, source, annotations, annotation frameworks, and risk score by timestamp.

To configure this report see Wireless Misconfigurations in the Splunk App for PCI Compliance Installation and Configuration Manual.

Requirement 3 - Protect Data at Rest

Credit Card Data Found

Use this report to monitor any credit card data that might be found on systems in your environment. Use the filters to modify the search results.

The Credit Card Transmission Event Summary (By Source) shows the number of events over time grouped by the source.

The Recent Notable Events - Last 24 Hours panel shows the notable events for the last 24 hours by time, rule name, system, status group, and owner.

The Credit Card Transmission Events Details panel shows the matching events in the timeline view. In the timeline view, you can customize the search or save the search to view the same results at a later time.

The Recent Risk Modifiers panel shows risk object details, source, annotations, annotation frameworks, and risk score by timestamp.

To configure this report see Credit Card Data Found in the Splunk App for PCI Compliance Installation and Configuration Manual.

Requirement 4 - Protect Data In Motion

Weak Encrypted Communication

Use this report to track communication between sources and destinations that uses SSL or early TLS encryption protocols in your environment. Use the filters to modify the search results.

The Weak Encrypted Communication (By SSL Version) panel shows a count of events that use encryption grouped by SSL or TLS version.

The Recent Notable Events - Last 24 Hours panel shows the notable events for the last 24 hours by time, rule name, system, status group, and owner.

The Weak Encrypted Communication Detail panel shows all events in the timeline view. In the timeline view, you can customize the search or save the search to view the same results at a later time.

The Recent Risk Modifiers panel shows risk object details, source, annotations, annotation frameworks, and risk score by timestamp.

To configure this report see Weak Encrypted Communication in the Splunk App for PCI Compliance Installation and Configuration Manual.

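The Weak Encrypted Communication report (listed under Requirement 2 and again under Requirement 4) groups sessions by SSL/TLS version and surfaces those on SSL or early TLS. The following is an added example of that classification in Python; it is not code from the Splunk App for PCI Compliance. The log lines and the field names (src, dest, dest_port, ssl_version) are constructed assumptions, and the choice to count TLS 1.1 as weak follows NIST SP 800-52r2 rather than anything on this page.

```python
"""Group observed SSL/TLS sessions by protocol version and flag those using
SSL or early TLS.

Added example, not code from the Splunk App for PCI Compliance. The events
below are constructed; the field names (src, dest, dest_port, ssl_version)
are assumptions modelled on key=value logs.
"""
import re
from collections import Counter

# Versions treated as "SSL and early TLS". Counting TLS 1.1 as weak follows
# NIST SP 800-52r2, not the original page; adjust to your QSA's guidance.
WEAK_VERSIONS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}

# Constructed sample events, as a proxy or load balancer might log them.
# Note the inconsistent version spellings; real sources do this.
SAMPLE_EVENTS = [
    "src=10.1.1.10 dest=10.2.2.20 dest_port=443 ssl_version=TLSv1.2",
    "src=10.1.1.11 dest=10.2.2.20 dest_port=443 ssl_version=TLSv1",
    "src=10.1.1.12 dest=10.2.2.21 dest_port=8443 ssl_version=SSLv3",
    "src=10.1.1.13 dest=10.2.2.20 dest_port=443 ssl_version=tls1_3",
    "src=10.1.1.14 dest=10.2.2.22 dest_port=443 ssl_version=TLS1.1",
    "src=10.1.1.15 dest=10.2.2.22 dest_port=443",   # version missing
]

_KV = re.compile(r"(\w+)=(\S+)")
_VER = re.compile(r"^(SSL|TLS)V?(\d)(?:\.(\d))?$")


def parse_event(line):
    """Split a key=value log line into a dict."""
    return dict(_KV.findall(line))


def normalize_version(raw):
    """Map vendor spellings (TLSv1, tls1_2, TLS 1.0, SSL 3.0) to one form.

    Returns 'unknown' for anything unparseable so that missing data shows
    up in the summary instead of silently passing as compliant.
    """
    v = raw.strip().upper().replace(" ", "").replace("_", ".")
    m = _VER.match(v)
    if not m:
        return "unknown"
    proto, major, minor = m.groups()
    if proto == "SSL":
        return f"SSLv{major}"
    return f"TLSv{major}.{minor or '0'}"


def summarize(lines):
    """Return (count_by_version, weak_sessions).

    count_by_version mirrors a 'by SSL version' chart; weak_sessions lists
    (src, dest, dest_port, version) for every session on a weak version.
    """
    by_version = Counter()
    weak = []
    for line in lines:
        ev = parse_event(line)
        ver = normalize_version(ev.get("ssl_version", ""))
        by_version[ver] += 1
        if ver in WEAK_VERSIONS:
            weak.append((ev.get("src"), ev.get("dest"), ev.get("dest_port"), ver))
    return by_version, weak


if __name__ == "__main__":
    counts, weak = summarize(SAMPLE_EVENTS)
    for ver, n in sorted(counts.items()):
        print(f"{ver:8} {n}")
    for session in weak:
        print("WEAK", *session)
```

Normalizing the version string before grouping is the point of the example: "TLSv1", "TLS1.0" and "tls1_0" are the same protocol, and a report that groups on the raw string will split one weak population across several bars and understate it.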
Credit Card Data Found

Use this report to monitor any credit card data that might be found on systems in your environment. Use the filters to modify the search results.

The Credit Card Transmission Event Summary (By Source) panel shows the number of events over time grouped by the source.

The Recent Notable Events - Last 24 Hours panel shows the notable events for the last 24 hours by time, rule name, system, status group, and owner.

The Credit Card Transmission Events Details panel shows the matching events in the timeline view. In the timeline view, you can customize the search or save the search to view the same results at a later time.

The Recent Risk Modifiers panel shows risk object details, source, annotations, annotation frameworks, and risk score by timestamp.

To configure this report see Credit Card Data Found in the Splunk App for PCI Compliance Installation and Configuration Manual.
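The Credit Card Data Found report (under Requirements 3 and 4) counts events in which a primary account number appears, grouped by source. The following is an added example of the usual detection approach, a digit-pattern match confirmed by the Luhn check, written in Python; it is not the app's own detection logic. The log lines are constructed and the card numbers are the public Visa and Mastercard test numbers, not real accounts.

```python
"""Detect candidate primary account numbers (PANs) in log text, validate
them with the Luhn check, and count hits by source.

Added example; it is not the detection logic of the Splunk App for PCI
Compliance. The log lines are constructed and the card numbers are the
public Visa/Mastercard test numbers, not real accounts.
"""
import re
from collections import Counter

# 13 to 19 digits, optionally separated by single spaces or dashes, not
# adjacent to other digits. Deliberately loose: Luhn does the filtering.
_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")

SAMPLE_LINES = [
    'src=app01 msg="order 4411 placed for card 4111 1111 1111 1111"',
    'src=app01 msg="card 4111111111111112 declined"',           # fails Luhn
    'src=db02 msg="export row id=1234567890123 amount=19.99"',   # 13 digits, fails Luhn
    'src=db02 msg="customer pan 5555-5555-5555-4444 stored in notes"',
    'src=web03 msg="session 0000000000000000 created"',         # passes Luhn, all one digit
]


def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return Luhn-valid candidates (digits only) found in text.

    Runs of a single repeated digit are rejected even though they pass Luhn,
    because they are placeholders or session IDs far more often than cards.
    """
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and len(set(digits)) > 1 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan):
    """Keep at most the first six and last four digits, as PCI DSS 3.3 permits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_hits_by_source(lines):
    """Return (hits_by_src, findings); findings are (src, masked_pan) pairs.

    Only the masked form is returned: a report about leaked PANs must not
    itself become another place where full PANs are stored.
    """
    by_src = Counter()
    findings = []
    for line in lines:
        m = re.search(r"\bsrc=(\S+)", line)
        src = m.group(1) if m else "unknown"
        for pan in find_pans(line):
            by_src[src] += 1
            findings.append((src, mask(pan)))
    return by_src, findings


if __name__ == "__main__":
    by_src, findings = pan_hits_by_source(SAMPLE_LINES)
    print(dict(by_src))
    for src, masked in findings:
        print(src, masked)
```

The two rejected lines show the failure modes a pattern-only search has: a 13-digit row ID and a 16-digit all-zero session token both look like cards until the checksum and the repeated-digit test rule them out.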

Requirement 5 - Anti-malware Protection

Endpoint Product Deployment

Use this report to track software products deployed in your PCI compliance environment. Use the filters to modify the search results.

The Missing Antivirus and the Disabled Antivirus panels show results in the timeline view. In the timeline view, you can customize the search or save the search to view the same results at a later time.

To configure this report see Endpoint Product Deployment in the Splunk App for PCI Compliance Installation and Configuration Manual.

Endpoint Product Versions

Use this report to track product versions of software deployed in your PCI compliance environment. Use the filters to modify the search results.

The Summary panel shows a table of vendor products and versions.

The Details panel shows the results in the timeline view. In the timeline view, you can customize the search or save the search to view the same results at a later time.

To configure this report see Endpoint Product Versions in the Splunk App for PCI Compliance Installation and Configuration Manual.

Malware Activity

Use this report to track malware that might exist in your deployment. Use the filters to modify the search results.

The dashboard consists of a single panel which shows the results in the timeline view. In the timeline view, you can customize the search or save the search to view the same results at a later time.

To configure this report see Malware Activity in the Splunk App for PCI Compliance Installation and Configuration Manual.

Malware Signature Updates

Use this report to track and identify malware signature updates. Use the filters to modify the search results.

The Anti-malware Signature Summary panel shows a table of vendor products and versions.

The Recent Notable Events - Last 24 Hours panel shows the notable events for the last 24 hours by time, rule name, system, status group, and owner.

At the bottom of the list of events in the Anti-malware Signature Details panel, click "View full results" to open the results from this panel in the timeline view. In the timeline view, you can customize the search or save the search to view the same results at a later time.

The Recent Risk Modifiers panel shows risk object details, source, annotations, annotation frameworks, and risk score by timestamp.

To configure this report see Malware Signature Updates in the Splunk App for PCI Compliance Installation and Configuration Manual.

Requirement 6 - Patch Update Protection

Anomalous System Uptime

Use this report to track systems that have gone offline and then come back online. Use the filters to modify the search results.

The Anomalous System Uptime panel shows results in the timeline view. In the timeline view, you can customize the search or save the search to view the same results at a later time.

To configure this report see Anomalous System Uptime in the Splunk App for PCI Compliance Installation and Configuration Manual.

Default Account Access

Use this report to track the access to the default accounts in your PCI compliance environment.

The Default Account Access Over Time panel shows the count of authentication over 30 minute spans.

The Recent Notable Events - Last 24 Hours panel shows the notable events for the last 24 hours by time, rule name, system, status group, and owner.

The Default Account Access Details panel shows results in the timeline view. In the timeline view, you can customize the search or save the search to view the same results at a later time.

The Recent Risk Modifiers panel shows risk object details, source, annotations, annotation frameworks, and risk score by timestamp.

To configure this report see Default Account Access in the Splunk App for PCI Compliance Installation and Configuration Manual.

Update Service Status

Use this report to verify the status of your software patch updates. Use the filters to modify the search results.

The Anomalous Update Service By System Count (Last 90 Days) panel shows the count of anomalous updates over the last 90 days on a time chart.

The Recent Notable Events - Last 24 Hours panel shows the notable events for the last 24 hours by time, rule name, system, status group, and owner.

The Service Details panel shows the results in the timeline view. In the timeline view, you can customize the search or save the search to view the same results at a later time.

The Recent Risk Modifiers panel shows risk object details, source, annotations, annotation frameworks, and risk score by timestamp.

To configure this report see Update Service Status in the Splunk App for PCI Compliance Installation and Configuration Manual.

System Update Status

Use this report to track the status of any system patches. Use the filters to modify the search results.

The System Update Status panel shows the results in the timeline view. In the timeline view, you can customize the search or save the search to view the same results at a later time.

To configure this report see System Update Status in the Splunk App for PCI Compliance Installation and Configuration Manual.

Requirement 7 - Access Monitoring

PCI Command History

Use this report to track commands run on PCI resources. Use the filters to modify the search results.

The PCI Command History panel shows the results in the timeline view. In the timeline view, you can customize the search or save the search to view the same results at a later time.

To configure this report see PCI Command History in the Splunk App for PCI Compliance Installation and Configuration Manual.

PCI Resource Access

Use this report to track any access to PCI resources. Use the filters to modify the search results.

The PCI Resource Access Details panel shows results in the timeline view. In the timeline view, you can customize the search or save the search to view the same results at a later time.

To configure this report see PCI Resource Access in the Splunk App for PCI Compliance Installation and Configuration Manual.

Requirement 8 - Activity Accountability

Default Account Access

Use this report to report on access to default accounts in your PCI compliance environment.

The Default Account Access Over Time panel shows the count of authentication over 30 minute spans.

The Recent Notable Events - Last 24 Hours panel shows the notable events for the last 24 hours by time, rule name, system, status group, and owner.

The Default Account Access Details panel shows results in the timeline view. In the timeline view, you can customize the search or save the search to view the same results at a later time.

The Recent Risk Modifiers panel shows risk object details, source, annotations, annotation frameworks, and risk score by timestamp.

To configure this report see Default Account Access in the Splunk App for PCI Compliance Installation and Configuration Manual.
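The Default Account Access report (listed under Requirements 2, 6 and 8) counts authentications to default accounts over 30-minute spans and by source and destination. The following is an added Python example of that aggregation, not a search from the Splunk App for PCI Compliance. The default-account list and the log lines are constructed assumptions; the field names (action, user, src, dest) follow the Splunk Common Information Model Authentication data model.

```python
"""Count default-account authentications in 30-minute spans and by
source/destination pair.

Added example, not the app's own search. The list of default account names
and the log lines are constructed; the field names (action, user, src, dest)
follow the Splunk CIM Authentication data model.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumption: a short list of vendor/OS default accounts. In practice this
# comes from a lookup maintained alongside the asset inventory.
DEFAULT_ACCOUNTS = {"root", "admin", "administrator", "guest", "sa", "cisco", "pi"}

# Constructed authentication events. Note the mixed-case usernames.
SAMPLE_AUTH = [
    "2022-02-14T09:05:12Z action=success user=admin src=10.1.1.5 dest=fw01 app=ssh",
    "2022-02-14T09:20:40Z action=failure user=root src=10.1.1.9 dest=db01 app=ssh",
    "2022-02-14T09:41:03Z action=success user=jdoe src=10.1.1.5 dest=web01 app=ssh",
    "2022-02-14T09:58:59Z action=success user=Administrator src=10.1.1.7 dest=dc01 app=win:remote",
    "2022-02-14T10:02:15Z action=success user=sa src=10.1.1.9 dest=db01 app=mssql",
    "2022-02-14T10:29:59Z action=failure user=ADMIN src=10.1.1.5 dest=fw01 app=ssh",
]

_TS = re.compile(r"^(\S+)\s")
_KV = re.compile(r"(\w+)=(\S+)")
SPAN = timedelta(minutes=30)
_EPOCH = datetime(1970, 1, 1)


def parse_auth(line):
    """Parse 'ISO-timestamp key=value ...' into a dict with a datetime _time."""
    ts = datetime.strptime(_TS.match(line).group(1), "%Y-%m-%dT%H:%M:%SZ")
    ev = dict(_KV.findall(line))
    ev["_time"] = ts
    return ev


def span_start(ts, span=SPAN):
    """Floor a timestamp to the start of its span (like 'bin _time span=30m')."""
    secs = int((ts - _EPOCH).total_seconds())
    width = int(span.total_seconds())
    return _EPOCH + timedelta(seconds=secs - secs % width)


def default_account_access(lines):
    """Return (count_by_span, count_by_src_dest) for default-account logins.

    Both successes and failures count: a burst of failures against 'admin'
    is the more interesting signal. Usernames are compared case-insensitively
    because Windows and network devices log them inconsistently.
    """
    by_span = Counter()
    by_pair = Counter()
    for line in lines:
        ev = parse_auth(line)
        if ev.get("user", "").lower() not in DEFAULT_ACCOUNTS:
            continue
        by_span[span_start(ev["_time"])] += 1
        by_pair[(ev["src"], ev["dest"])] += 1
    return by_span, by_pair


if __name__ == "__main__":
    by_span, by_pair = default_account_access(SAMPLE_AUTH)
    for start in sorted(by_span):
        print(start.strftime("%Y-%m-%d %H:%M"), by_span[start])
    for (src, dest), n in by_pair.most_common():
        print(src, "->", dest, n)
```

The case-folding step is the detail most often missed: an "Administrator" logon from a domain controller and an "ADMIN" logon from a firewall are both default-account access, and a case-sensitive match would report neither.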

PCI Resource Access

Use this report to track any access to PCI resources. Use the filters to modify the search results.

The PCI Resource Access Details panel shows results in the timeline view. In the timeline view, you can customize the search or save the search to view the same results at a later time.

To configure this report see PCI Resource Access in the Splunk App for PCI Compliance Installation and Configuration Manual.

Requirement 10 - Cardholder Data Access

Endpoint Changes

Use this report to monitor any endpoint changes. Use the filters to modify the search results.

The Endpoint Changes panel shows results in the timeline view. In the timeline view, you can customize the search or save the search to view the same results at a later time.

To configure this report see Endpoint Changes in the Splunk App for PCI Compliance Installation and Configuration Manual.

PCI Asset Logging

Use this report to track activity related to PCI resources. Use the filters to modify the search results.

At the bottom of the PCI Resource Logging panel, click "View full results" to open the results from this panel in the timeline view. In the timeline view, you can customize the search or save the search to view the same results at a later time.

To configure this report see PCI Asset Logging in the Splunk App for PCI Compliance Installation and Configuration Manual.

PCI Resource Access

Use this report to track any access to PCI resources. Use the filters to modify the search results.

The PCI Resource Access Details panel shows results in the timeline view. In the timeline view, you can customize the search or save the search to view the same results at a later time.

To configure this report see PCI Resource Access in the Splunk App for PCI Compliance Installation and Configuration Manual.

Privileged User Activity

Use this report to monitor any data activity that includes a privileged user account in your PCI compliance environment. You can use the filters in the report to modify the search results.

For example, if you look at the past 24 hours for user "buttercup", category "cardholder", and domain "dmz", the search would return any activity by "buttercup" in the "dmz" domain involving "cardholder" category data.

The Privileged User Activity panel shows results in the timeline view. In the timeline view, you can customize the search or save the search to view the same results at a later time.

To configure this report see Privileged User Activity in the Splunk App for PCI Compliance Installation and Configuration Manual.

System Time Synchronization

Use this report to monitor system time synchronizations. Use the filters to modify the search results.

The System Time Synchronization Details panel shows results in the timeline view. In the timeline view, you can customize the search or save the search to view the same results at a later time.

To configure this report see System Time Synchronization in the Splunk App for PCI Compliance Installation and Configuration Manual.

Requirement 11 - Vulnerability Testing

Endpoint Changes

Use this report to monitor any endpoint changes.

The Endpoint Changes panel shows results in the timeline view. In the timeline view, you can customize the search or save the search to view the same results at a later time.

To configure this report see Endpoint Changes in the Splunk App for PCI Compliance Installation and Configuration Manual.

Rogue Wireless Access Point Protection

Use this report to monitor any unauthorized wireless access in your PCI compliance environment. Use the filters to modify the search results.

The Rogue Device History (Last 90 Days) panel shows the count of rogue devices over the last 90 days on a time chart.

The Recent Notable Events - Last 24 Hours panel shows the notable events for the last 24 hours by time, rule name, system, status group, and owner.

The Rogue Device Details panel shows results in the timeline view. In the timeline view, you can customize the search or save the search to view the same results at a later time.

The Recent Risk Modifiers panel shows risk object details, source, annotations, annotation frameworks, and risk score by timestamp.

To configure this report see Rogue Wireless Access Point Protection in the Splunk App for PCI Compliance Installation and Configuration Manual.

Vulnerability Scan Details

Use this report to track vulnerability scans from your environment. Use the filters to modify the search results.

Where the scanner reports one, each vulnerability carries a Common Vulnerabilities and Exposures (CVE) identifier that names the specific vulnerability. CVEs are unique, common identifiers for publicly known information security vulnerabilities. The Vulnerability Scan report can be filtered on the CVE, and includes a column listing the CVE.

The report also includes a Common Vulnerability Scoring System (CVSS) score that can also be used as a filter. This is a number from 0.0 to 10.0 that indicates the severity of a vulnerability: the higher the score, the more concern the vulnerability warrants relative to other vulnerabilities.

The Vulnerability Details panel shows results in the timeline view. In the timeline view, you can customize the search or save the search to view the same results at a later time.

To configure this report see Vulnerability Scan Details in the Splunk App for PCI Compliance Installation and Configuration Manual.
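The two filters described above, CVE identifier and CVSS score, are the usual way to cut scan output down to what must be remediated. The following is an added Python example of applying them to scan findings; it is not a search from the Splunk App for PCI Compliance. The findings are constructed, the CVE identifiers use a placeholder year (2099) so they cannot collide with real advisories, and the 4.0 threshold is this example's assumption (the ASV program's failing score for external scans), not a statement from this page. Field names (dest, signature, cve, cvss) follow the Splunk Common Information Model Vulnerabilities data model.

```python
"""Filter vulnerability-scan findings by CVE identifier and CVSS base score.

Added example, not a search from the Splunk App for PCI Compliance. The
findings are constructed; the CVE IDs use a placeholder year (2099) so they
cannot collide with real advisories. Field names follow the Splunk CIM
Vulnerabilities data model.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Strict CVE ID syntax: CVE-YYYY-NNNN with four or more sequence digits.
CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Assumption: findings with CVSS base score >= 4.0 must be remediated before
# a scan passes (the ASV program rule for external scans).
PCI_FAIL_THRESHOLD = 4.0

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed scan records with placeholder CVE IDs.
SAMPLE_SCAN = [
    'dest=pos-01 cve=CVE-2099-0001 cvss=9.8 signature="placeholder RCE in example-service"',
    'dest=pos-01 cve=CVE-2099-0002 cvss=5.3 signature="placeholder information disclosure"',
    'dest=web-01 cve=CVE-2099-0001 cvss=9.8 signature="placeholder RCE in example-service"',
    'dest=web-01 cve=CVE-2099-0003 cvss=3.1 signature="placeholder low-severity issue"',
    'dest=db-01 cve=- cvss=6.5 signature="weak cipher suite offered"',   # no CVE assigned
]


@dataclass(frozen=True)
class Finding:
    dest: str
    cve: Optional[str]
    cvss: float
    signature: str


def parse_finding(line):
    """Parse one key=value scan record into a Finding.

    Malformed CVE IDs raise rather than slipping past a CVE filter; '-' or a
    missing cve field means 'no CVE assigned', which is a normal case for
    configuration findings and must still be scored.
    """
    kv = {k: v.strip('"') for k, v in _KV.findall(line)}
    cve = kv.get("cve")
    if cve in (None, "", "-"):
        cve = None
    elif not CVE_ID.match(cve):
        raise ValueError(f"malformed CVE id: {cve!r}")
    cvss = float(kv["cvss"])
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS out of range: {cvss}")
    return Finding(kv["dest"], cve, cvss, kv.get("signature", ""))


def cvss_rating(score):
    """CVSS v3.x qualitative severity rating for a base score."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def filter_findings(lines, min_cvss=PCI_FAIL_THRESHOLD, cve=None):
    """Findings at or above min_cvss, optionally restricted to one CVE,
    highest score first so the most urgent work sorts to the top."""
    out = []
    for line in lines:
        f = parse_finding(line)
        if cve is not None and f.cve != cve:
            continue
        if f.cvss < min_cvss:
            continue
        out.append(f)
    return sorted(out, key=lambda f: (-f.cvss, f.dest))


if __name__ == "__main__":
    for f in filter_findings(SAMPLE_SCAN):
        print(f"{f.dest:8} {f.cvss:4} {cvss_rating(f.cvss):8} {f.cve or '-':14} {f.signature}")
```

Filtering on the CVE alone would drop the db-01 finding, which has no CVE but a Medium score; filtering on CVSS first and using the CVE to narrow afterwards keeps such findings in the remediation queue.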

IDS/IPS Alert Activity

Use this report to track intrusion detection system or intrusion prevention system activity in your environment.

The IDS/IPS Alert Activity Over Time panel shows a count of intrusion detection alerts by severity.

The Recent Notable Events - Last 24 Hours panel shows the notable events for the last 24 hours by time, rule name, system, status group, and owner.

The IDS/IPS Alert Activity Details panel shows all events in the timeline view. In the timeline view you can work with the search results in the same way you can work with any search. Customize the search or save the search to view the same results at a later time.

The Recent Risk Modifiers panel shows risk object details, source, annotations, annotation frameworks, and risk score by timestamp.

To configure this report see IDS/IPS Alert Activity in the Splunk App for PCI Compliance Installation and Configuration Manual.

Last modified on 14 February, 2022

This documentation applies to the following versions of Splunk® App for PCI Compliance: 5.0.1, 5.0.2, 5.1.0, 5.1.1, 5.1.2, 5.2.0, 5.3.0, 5.3.1, 5.3.2

