Splunk® App for PCI Compliance

User Manual

Updates to detection rules and reports by requirements

The following table lists updates to the detection rules and reports by requirements for PCI DSS 3.2.1 to PCI DSS 4.0 governance controls, effective from March 2024.

PCI requirement Detection rule or report updated PCI DSS 3.2.1 PCI DSS 4.0
Requirement 1 Network - Policy Or Configuration Change - Rule 1.1.1 1.2.1,1.2.2
Asset - Asset Ownership Unspecified - Rule 1.1.4 1.1.4
Network - Network Device Rebooted - Rule 1.2.2 1.2.2
PCI - Unauthorized Wireless Device Detected - Rule 1.2.3 1.3.1, 1.3.2
PCI - Unauthorized or Insecure Communication Permitted - Rule 1.2.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5 1.2.8
Network Traffic Activity Report 1.1.3, 1.2.1, 1.3* 1.2.1
Prohibited Services Report 1.1.5 & 2.2.2 1.2.5
Inbound traffic from untrusted network to trusted network - Rule 1.4.2
Requirement 2 Weak Encrypted Communication Detected - Rule 2.2.3, 2.3.0 2.3.1
System Misconfigured - Rule 2.2.2, 2.2.3, 2.2.4 2.2.4
Prohibited or Insecure Port Detected - Rule 2.2.4 2.2.4
Access - Default Account Usage - Rule 2.1.0 2.2.2
Access - Default Accounts At Rest - Rule 2.1.0 2.2.2
Access - Insecure Or Cleartext Authentication - Rule 2.3.0 2.3.1
Endpoint - Multiple Primary Functions Detected - Rule 2.2.1 2.2.3
Endpoint - Prohibited Process Detection - Rule 2.2.2, 2.2.4 2.2.4
Endpoint - Prohibited Service Detection - Rule 2.2.2, 2.2.4 2.2.4
Default Access Account Report 2.1, 6.3.1*, 8.5.8 2.2.2*
Primary Functions Report 2.2.1 2.2.3
Prohibited Services Report 1.1.5, 2.2.2 1.2.5
System Misconfigurations Report 2.2.3, 2.2.4 2.2.4
Weak Encrypted Communication Report 2.2.3, 2.3, 4.1 2.3.1, 4.1
Wireless Network Misconfigurations Report 2.1.1, 4.1.1, 1.1.1 4.2.1, 4.1*
Requirement 3 PCI - Credit Card Data Transmitted In Clear - Rule 3.3.0 3.4.1
Audit - Personally Identifiable Information Detection - Rule 3.4.d 3.5.1, 3.5.1.1
Credit Card Data Found Report 3.3, 4.1, 4.2 3.4*, 4.1*, 4.2*
Requirement 4 PCI - Unencrypted Traffic on Wireless Network - Rule 4.1.1 4.1, 4.2.1
PCI - Weak Encrypted Communication Detected - Rule 4.1 4.1
PCI - Credit Card Data Transmitted In Clear - Rule 4.1 4.2.1, 4.2.2, 4.1, 4.2
Endpoint - Prohibited Process Detection - Rule 4.2 4.1
Endpoint - Prohibited Service Detection - Rule 4.1 4.1
Weak Encrypted Communication Report 2.2.3, 2.3, 4.1 2.3.1, 4.1
Credit Card Data Found Report 3.3, 4.1, 4.2 3.4*, 4.1*, 4.2*
Requirement 5 Anomalous New Processes - Rule 5.1.2 5.1
Anomalous New Services - Rule 5.1.2 5.1
Substantial Increase in an Event - Rule 5.1.2 5.1
Intrusion detection data is not ingested in the last 1 hour - Rule 5.3.4
Anti-malware scan incomplete or did not run - Rule 5.3.2c
Anti-malware data or definitions that are NOT up to date - Rule 5.3.1b
Disabled anti-malware on host - Rule 5.3.2b
Anti-malware scan results not found for host - Rule 5.3.2.1b
Anti-malware disabled on host with removable electronic media connected - Rule 5.3.3b
Anti-malware solution(s) not detected on system - Rule 5.2.1a

5.2.3c

Requirement 6 PCI - Anomalous Update Service Detected - Rule 6.1 6.2.4
PCI - High/Critical Update Missing - Rule 6.1 6.2.4
Access - Brute Force Access Behavior Detected - Rule 6.2.4
Access - Default Account Usage - Rule 6.3.1 6.3.1
Access - Excessive Failed Logins - Rule 6.2.4
Access - Inactive Account Usage - Rule 6.2.4
Default Access Account Report
Detects open critical vulnerabilities in the last 30 days - Rule
No vulnerability logging with patch info in last 7 days - Rule 6.4.1

Medium and low security in more than 30 days - Rule

6.3.3.a
Open High Vulnerabilities in the last 60 days - Rule 6.3
Open Critical Vulnerabilities in the last 30 days - Rule 6.3
Web data was not logged in last 7 days - Rule 6.4.2
Update Service Status Report - Rule
Requirement 8 Completely Inactive Account - Rule 8.1.4 8.2.6
Activity from Expired User Identity - Rule 8.2.5.a
Default Access Account Report 2.1, 6.3.1* , 8.5.8 2.2.2*
Addition of user IDs without approvals - Rule 8.2.4
Modification of user IDs without approvals - Rule 8.2.4
Deletion of user IDs without approvals - Rule 8.2.4
Sample set of users showing password changes for every 90 days - Rule 8.3.10.1
All Authentication without multi-factor - Rule 8.3
User account lockout after 10 invalid login attempt - Rule 8.3.4a
MFA replay attack detected - Rule 8.5
Access to CDE without MFA/2FA (Alert) - Rule 8.4.1a

8.4.2b

Requirement 10 PCI - Expected Host Not Reporting - Rule 10.1 10.2.1, 10.2.1.3
Audit - Anomalous Audit Trail Activity Detected - Rule 10.2.6 10.6
Audit - Expected Host Not Reporting - Rule 10.1 10.2.1, 10.2.1.3
Endpoint - Should Timesync Host Not Syncing - Rule 10.4 10.4.1, 10.6.1
Data logging for all the listed solution in last 6 hrs - Rule 10.7
PCI Admin Audit Report
Requirement 11 PCI - Rogue Wireless Device - Rule 11.1 11.2.1
Rogue Wireless Access Point Detection 11.1 11.2.1
Vulnerability scan is older than 3 months - Rule 11.3.1
Open High Vulnerabilities in the last 60 days - Rule 11.3
Open Critical Vulnerabilities in the last 30 days - Rule
Detects open critical vulnerabilities in the last 30 days - Rule 11.3
Vulnerability Operations Report
New panel Vulnerability by Severity added to the dashboard Vulnerability Scan Details.
Last modified on 25 March, 2024
Detection rules for PCI compliance monitoring   FAQ

This documentation applies to the following versions of Splunk® App for PCI Compliance: 5.3.1, 5.3.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters