Auditing with the Splunk App for PCI Compliance

Use Case 1: Requirement 10

The first use case is the PCI DSSv4 requirement 10, which requires organizations to “Log and Monitor all access to System Components and Cardholder Data”. The sub-requirements for this part of PCI are:

1. Processes and mechanisms for logging and monitoring all access to system components and cardholder data are defined and documented.
2. Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.
3. Audit logs are protected from destruction and unauthorized modifications.
4. Audit logs are reviewed to identify anomalies or suspicious activity.
5. Audit log history is retained and available for analysis.
6. Time-synchronization mechanisms support consistent time settings across all systems.
7. Failures of critical security control systems are detected, reported, and responded to promptly.

The Splunk App for PCI Compliance opens to the Compliance Posture page (Figure 1).

In the bottom pane, click a requirement (in this case R10 - Cardholder Data Access, as shown in Figure 1) to be redirected to the PCI Scorecard for Requirement 10 (shown in Figure 2).

The five links shown within the highlighted box display the sub-requirements with a link to the corresponding reports for each. The table also indicates whether the report has been reviewed. You can also access these reports by navigating to Reports → R10 - Cardholder Data Access and then the desired report. The report displays the assets in the environment and whether the systems should synchronize time.

Click the value in the New field (in this case 1, as shown in Figure 2) in the “Compliance Status - Last 24 Hours” panel to be redirected to the “Incident Review” page. This page displays the non-compliant system for the specific PCI requirement.

Click > to open contextual information surrounding the incident (shown in Figure 3). Context includes a description of the failure and information on the system that failed the PCI requirement. In addition, the contextual information displays both the PCI and MITRE ATT&CK mappings for the PCI deficiency.

The testing procedure for Requirement 10.4.1 is to “Examine system configuration settings for acquiring, distributing, and storing the correct time to verify the settings are configured in accordance with all elements specified in this requirement.” The Splunk App for PCI Compliance app brings greater efficiency when responding to audit inquiries. Additionally, the app allows you to demonstrate governance over the specific PCI requirement.

Use Case 2: Requirement 5

The second use case is the PCI DSSv4 requirement 5, which requires organizations to “Protect all systems and networks from malicious software”. The sub-requirements are:

1. Processes and mechanisms for protecting all systems and networks from malicious software are defined and understood.
2. Malicious software (malware) is prevented, or detected and addressed.
3. Anti-malware mechanisms and processes are active, maintained, and monitored.
4. Anti-phishing mechanisms protect users against phishing attacks.

The intent of requirement 5 is to implement controls so that malware (trojans, bots, ransomware, etc) is blocked or detected and remediated.

Below is the “PCI Scorecard: Requirement 5” page. This page lists four different views and whether the views have been reviewed. Just as in Figure 3, the page also shows the notable events that have been generated and their current status.

Click the value in the New field (in this case 4, as shown in Figure 4) in the “Compliance Status - Last 24 Hours” panel to be redirected to the “Incident Review” page. There, you can see any Notables, which, in the case of framework compliance, are essentially potential PCI violations detected by the Splunk App for PCI Compliance.

Expand the event to see all the relevant data around the violation. In this case, the violation is due to some type of malfunction with the client’s antivirus agent.