So this is the first post of many on solving PCI with Splunk. A couple of years ago I was asked to solve the following requirement.
Problem
11.1.b Verify that the methodology is adequate to detect and identify any unauthorized wireless access points, including at least the following:
- WLAN cards inserted into system components
- Portable or mobile devices attached to system components to create a wireless access point (for example, by USB, etc.)
Basically you need to be able to PROVE that someone didn't walk up, install a wireless NIC on your server, and do a quick ad-hoc dump of files.
The Assumption
For the most part, Windows and Linux event logs solved the problem for us in previous years. We created alerts/Notables on those and we were set.
- We had to handhold the auditors through the logs
- But it made for poor reporting and wasn't really "aligned" to PCI so much as it was an afterthought. The data lacked that PCI metadata.
- We also had the problem of alert spam, since USB usage was commonplace. I, as was our auditor, was more concerned with network activity.
Response -
In response to this ask I wrote this TA right here. I set out to solve the host wireless problem as fast and as simply as possible:
https://splunkbase.splunk.com/app/3263/
Benefit -
- Reduction in log spam
- Cleaner, easier-to-read logs
- Improved reporting and better self service in Splunk for our PCI team and auditors.
- Dedicated sourcetypes and inputs
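As an added example (not code from this post or from the Splunkbase TA), here is a small Python filter that does on constructed Linux kernel log lines what the post describes: it keeps only the events that show a wireless stack or WLAN interface appearing on a host, drops the USB mass-storage noise, and tags each surviving event with the PCI requirement it evidences. The syslog layout, the hostname and the log lines themselves are constructed assumptions.

```python
import re

# Constructed sample syslog lines (not from the post or the TA). A USB flash
# drive is inserted first (the "USB spam" the post wants to suppress), then a
# USB wireless adapter registers a WLAN interface on the same host.
SAMPLE_LOG = """\
Mar  4 09:12:01 pos-srv01 kernel: usb 1-3: new high-speed USB device number 6 using xhci_hcd
Mar  4 09:12:01 pos-srv01 kernel: usb-storage 1-3:1.0: USB Mass Storage device detected
Mar  4 09:12:02 pos-srv01 kernel: sd 4:0:0:0: [sdb] Attached SCSI removable disk
Mar  4 09:15:40 pos-srv01 kernel: usb 1-4: new high-speed USB device number 7 using xhci_hcd
Mar  4 09:15:41 pos-srv01 kernel: ieee80211 phy0: Selected rate control algorithm 'minstrel_ht'
Mar  4 09:15:41 pos-srv01 kernel: usbcore: registered new interface driver rt2800usb
Mar  4 09:15:42 pos-srv01 kernel: rt2800usb 1-4:1.0 wlx00e04c123456: renamed from wlan0
"""

# Assumed syslog prefix: "Mon dd HH:MM:SS host program: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$")

# Generic wireless-stack indicators; driver names are deliberately not enumerated.
WIRELESS_RE = re.compile(r"\b(ieee80211 phy\d+|cfg80211|mac80211|wlan\d+|wl[px]\w+)\b")

PCI_REQUIREMENT = "11.1.b"  # the control this evidence supports

def parse_line(line):
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None

def detect_wireless_events(log_text):
    """Return normalized events for kernel lines showing a wireless stack/interface.
    Mass-storage and plain 'new USB device' lines are intentionally not flagged."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not rec["prog"].startswith("kernel"):
            continue
        hit = WIRELESS_RE.search(rec["msg"])
        if not hit:
            continue
        events.append({"timestamp": rec["ts"], "host": rec["host"],
                       "indicator": hit.group(1),
                       "pci_requirement": PCI_REQUIREMENT, "raw": line})
    return events

def summarize(events):
    """One row per host: how many wireless indicators were seen and which ones."""
    by_host = {}
    for ev in events:
        entry = by_host.setdefault(ev["host"], {"count": 0, "indicators": set()})
        entry["count"] += 1
        entry["indicators"].add(ev["indicator"])
    return by_host

if __name__ == "__main__":
    evs = detect_wireless_events(SAMPLE_LOG)
    print(f"{len(evs)} wireless events out of {len(SAMPLE_LOG.splitlines())} lines")
    for ev in evs:
        print(ev["timestamp"], ev["host"], ev["indicator"], ev["pci_requirement"])
```

On the sample, seven kernel lines collapse to two wireless events for pos-srv01, which is the kind of reduction that lets a per-host report stand on its own in front of an auditor.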