danielpwilson

PCI with Splunk - Wireless

Updated: Feb 8, 2019

So this is the first post of many on solving PCI with Splunk. A couple of years ago I was asked to solve the following requirement:


11.1.b Verify that the methodology is adequate to detect and identify any unauthorized wireless access points, including at least the following:

- WLAN cards inserted into system components

- Portable or mobile devices attached to system components to create a wireless access point (for example, by USB, etc.)

Basically you need to be able to PROVE that someone didn't walk up, install a wireless NIC on your server and do a quick ad-hoc dump of files.

The Assumption

For the most part, Windows and Linux event logs solved the problem for us in previous years. We created alerting/Notables on those events and we were set.

- We had to hand-hold the auditors through the logs.

- But it made for poor reporting and wasn't really "aligned" to PCI; it was more of an afterthought. The data lacked the PCI metadata.

- We also had the problem of spam from the alert, since USB usage was commonplace. Both our auditor and I were more concerned with network activity.

Response -

In response to this request I wrote this TA. I set out to solve the host wireless problem as quickly and as simply as possible.

Benefit -

- Reduction in log spam

- Cleaner, easier-to-read logs

- Improved reporting and better self service in Splunk for our PCI team and auditors.

- Dedicated sourcetypes and inputs
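As an added illustration (not the author's TA, whose internals the post does not show), here is a hypothetical Splunk scripted input in Python that reports wireless adapters present on a Linux host as key=value events tagged with the PCI requirement, and emits only changes since the last run so the log-spam problem described above does not recur. It assumes 802.11 adapters appear under /sys/class/net/<iface>/ with a `wireless` directory or a `phy80211` link, and that the state file path is writable by the Splunk user.

```python
# Hypothetical Splunk scripted input (not the original TA): report wireless NICs on a Linux
# host as key=value events with PCI metadata; assumes 802.11 adapters expose
# `wireless`/`phy80211` under /sys/class/net/<iface>/ (assumption, not from the post).
import json
import os
import socket
import time

PCI_REQUIREMENT = "11.1.b"  # the control this input provides evidence for

def find_wireless_interfaces(sysfs_net="/sys/class/net"):
    """Sorted names of interfaces that carry 802.11 attributes in sysfs."""
    if not os.path.isdir(sysfs_net):
        return []
    return sorted(
        iface for iface in os.listdir(sysfs_net)
        if os.path.isdir(os.path.join(sysfs_net, iface, "wireless"))
        or os.path.exists(os.path.join(sysfs_net, iface, "phy80211"))
    )

def load_state(path):
    """Adapter names reported on the previous run; empty if there is no state file yet."""
    try:
        with open(path) as f:
            return set(json.load(f))
    except (OSError, ValueError):
        return set()

def diff_adapters(previous, current):
    """(added, removed) since the last run; emitting only changes keeps alert volume down."""
    previous, current = set(previous), set(current)
    return sorted(current - previous), sorted(previous - current)

def format_event(iface, action, host="pci-host", ts=0):
    """One key=value line that a dedicated sourcetype can field-extract."""
    stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(ts))
    return (f'{stamp} host="{host}" action="{action}" interface="{iface}" '
            f'pci_requirement="{PCI_REQUIREMENT}" category="wireless_adapter"')

def run(sysfs_net="/sys/class/net", state_path="/var/tmp/wireless_adapters.json"):
    """Collect, diff against saved state, print new events to stdout, persist state."""
    current = find_wireless_interfaces(sysfs_net)
    added, removed = diff_adapters(load_state(state_path), current)
    for iface, action in [(i, "added") for i in added] + [(i, "removed") for i in removed]:
        print(format_event(iface, action, socket.gethostname(), time.time()))
    with open(state_path, "w") as f:
        json.dump(current, f)
    return added, removed

if __name__ == "__main__":
    run()
```

Scheduled from inputs.conf with its own sourcetype, a steady-state host produces no events at all, and a newly inserted adapter produces exactly one `action="added"` line carrying the requirement number that reports and notables can pivot on.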
