danielpwilson

PCI with Splunk - Wireless

Updated: Feb 8, 2019


This is the first of many posts on solving PCI with Splunk. A couple of years ago I was asked to solve the following requirement:


Problem

11.1.b Verify that the methodology is adequate to detect and identify any unauthorized wireless access points, including at least the following:

- WLAN cards inserted into system components

- Portable or mobile devices attached to system components to create a wireless access point (for example, by USB, etc.)

Basically, you need to be able to PROVE that nobody walked up, installed a wireless NIC in your server, and did a quick ad-hoc dump of files.


The Assumption

For the most part, Windows and Linux event logs solved the problem for us in previous years: we created alerts/notables on those events and we were set.

- We had to hand-hold the auditors through the logs.

- It made for poor reporting and wasn't really "aligned" to PCI; it was more of an afterthought. The data lacked PCI metadata.

- We also had the problem of alert spam, since USB usage was commonplace. I, like our auditor, was more concerned with network activity.
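As an added example (not the TA from this post), here is the kind of host-log detection logic the approach above describes, run over constructed Windows PnP audit (EventCode 6416) and Linux kernel lines. The hostnames, device names and the flattened field layout are assumptions; the point is that only wireless NIC attachments raise a notable, while USB storage and wired NICs (the "spam") do not.

```python
import re
from typing import Dict, List, Optional

# Constructed sample events, not real logs. Windows lines are Audit PnP Activity
# events (EventCode 6416) flattened to one line; Linux lines are kernel messages.
SAMPLE_LOGS = [
    'EventCode=6416 ComputerName=pos-db01 Device Name="Realtek 802.11ac Wireless LAN USB NIC" Class Name=Net',
    'EventCode=6416 ComputerName=pos-db01 Device Name="Kingston DataTraveler USB Device" Class Name=DiskDrive',
    'EventCode=6416 ComputerName=pos-web02 Device Name="Intel(R) Ethernet Connection I219-LM" Class Name=Net',
    'Feb  8 10:12:01 pos-app03 kernel: usb 1-2: new high-speed USB device number 5 using xhci_hcd',
    'Feb  8 10:12:02 pos-app03 kernel: ieee80211 phy0: Selected rate control algorithm minstrel_ht',
    'Feb  8 10:12:03 pos-app03 kernel: IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready',
]

WIRELESS_WORDS = re.compile(r"wireless|wi-?fi|wlan|802\.11", re.IGNORECASE)
WIN_RE = re.compile(r'EventCode=6416 ComputerName=(\S+) Device Name="([^"]*)" Class Name=(\S+)')
LINUX_RE = re.compile(r"^\w{3}\s+\d+ [\d:]+ (\S+) kernel: (.*)$")
LINUX_WIRELESS = re.compile(r"\bieee80211 phy\d|\bcfg80211\b|\bwl(an|x)\w*:")


def classify(line: str) -> Optional[Dict[str, str]]:
    """Return a PCI 11.1.b notable for a wireless NIC attach, else None.
    Storage devices (the USB spam) and wired NICs deliberately do not fire."""
    m = WIN_RE.search(line)
    if m:
        host, device, dev_class = m.groups()
        if dev_class == "Net" and WIRELESS_WORDS.search(device):
            return {"host": host, "os": "windows", "evidence": device, "pci_req": "11.1.b"}
        return None
    m = LINUX_RE.match(line)
    if m and LINUX_WIRELESS.search(m.group(2)):
        return {"host": m.group(1), "os": "linux", "evidence": m.group(2), "pci_req": "11.1.b"}
    return None


def detect_wireless_notables(lines: List[str]) -> List[Dict[str, str]]:
    """One notable per host: the auditor wants 'which host, when', not every kernel line."""
    seen, notables = set(), []
    for line in lines:
        n = classify(line)
        if n and n["host"] not in seen:
            seen.add(n["host"])
            notables.append(n)
    return notables


if __name__ == "__main__":
    for notable in detect_wireless_notables(SAMPLE_LOGS):
        print(notable)
```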


Response -

In response to this ask I wrote the TA linked below. I set out to solve the host wireless problem as quickly and as simply as possible.

https://splunkbase.splunk.com/app/3263/


Benefit -

- Reduction in log spam

- Cleaner, easier-to-read logs

- Improved reporting and better self service in Splunk for our PCI team and auditors.

- Dedicated sourcetypes and inputs
