A correlation search scans multiple data sources for defined patterns. When the search finds a pattern, it performs an adaptive response action such as creating a notable event.

Correlation searches can search many types of data sources, including events from any security domain (access, identity, endpoint, network), asset lists, identity lists, threat intelligence, and other data in the Splunk platform. The searches then aggregate the results of an initial search with functions in SPL, and take action in response to events that match the search conditions with an adaptive response action.

Enable correlation searches to start running adaptive response actions and receiving notable events. Configure correlation searches to update the settings associated with how they run.

The PCI Compliance app installs with all correlation searches disabled so that you can choose the searches that are most relevant to your use cases. To enable a correlation search:

1. Filter on a type of Correlation Search.
2. Locate the name of the correlation search you want to enable.
3. In the Actions column, click Enable for each search that you want to enable.
4. After you enable correlation searches, click "Back to PCI Compliance" in the menu bar.

The following correlation searches are used in PCI:

Access - Brute Force Access Behavior Detected - Rule
Access - Cleartext Password At Rest - Rule
Access - Completely Inactive Account - Rule
Access - Insecure Or Cleartext Authentication - Rule
Asset - Asset Ownership Unspecified - Rule
Audit - Anomalous Audit Trail Activity Detected - Rule
Audit - Expected Host Not Reporting - Rule
Audit - Personally Identifiable Information Detection - Rule
Endpoint - Anomalous New Processes - Rule
Endpoint - High Number of Hosts Not Updating Malware Signatures - Rule
Endpoint - Multiple Primary Functions Detected - Rule
Endpoint - Prohibited Process Detection - Rule
Endpoint - Prohibited Service Detection - Rule
Endpoint - Recurring Malware Infection - Rule
Endpoint - Should Timesync Host Not Syncing - Rule
Identity - Activity from Expired User Identity - Rule
Network - Policy Or Configuration Change - Rule
Network - Substantial Increase in an Event - Rule
Network - Substantial Increase in Port Activity (By Destination) - Rule
Network - Vulnerability Scanner Detection (by event) - Rule
Network - Vulnerability Scanner Detection (by targets) - Rule
PCI - 1.2.3 - Unauthorized Wireless Device Detected - Rule

Configure alerts using configuration files

You can use Splunk Web to configure most alerts. If you have Splunk Enterprise, you can also configure alerts by editing nf. For reference, see nf in the Splunk Enterprise Admin Manual.

Splunk Cloud Platform: Use the Splunk Web steps to configure alerts. You can't configure alerts using the configuration files.

Splunk Enterprise: To configure alerts using the configuration files, follow these steps.

- Only users with file system access, such as system administrators, can configure alerts using configuration files.
- Review the steps in "How to edit a configuration file" in the Splunk Enterprise Admin Manual.
- You can have configuration files with the same name in your default, local, and app directories. Read "Where you can place (or find) your modified configuration files" in the Splunk Enterprise Admin Manual.
- Never change or copy the configuration files in the default directory. The files in the default directory must remain intact and in their original location. Make changes to the files in the local directory.

1. Open or create a nf file in the proper directory.
   - Open or create a local nf file at $SPLUNK_HOME/etc/system/local.
   - For apps, open or create the nf file in the application directory: $SPLUNK_HOME/etc/apps//local
2. Create or edit the stanza for the saved search.

Example nf stanza

Alerts use a saved search to look for events. nf contains a stanza for each saved search. The following example shows the stanza for a saved search with its alert action settings. In this case, the alert sends an email notification when it triggers.
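The example stanza the page refers to did not survive extraction, so the one below is an added example of mine, not text from Splunk's documentation or a rule shipped with the PCI Compliance app. It assumes that the file the page calls nf is savedsearches.conf, and it serves both parts of the page at once: the search body is a small brute-force-style correlation search (a tstats aggregation over the Authentication data model, then a threshold), and the surrounding keys turn it into a scheduled alert that emails the SOC when it triggers. The stanza name, the 20-failures-in-5-minutes threshold, the recipient soc@example.com and the 30-minute throttle are illustrative choices, not values from the page.

```ini
# Added example stanza for savedsearches.conf (assumed to be the file the
# page refers to as nf). Place it in a local directory, never in default:
#   $SPLUNK_HOME/etc/system/local/savedsearches.conf
#   $SPLUNK_HOME/etc/apps/<app>/local/savedsearches.conf
# Stanza name, threshold, recipient and throttle are illustrative.

[SOC - Brute Force Access Behavior - Rule]
# Correlation-style search: aggregate authentication failures per source
# with tstats, then keep only sources above the threshold.
search = | tstats count AS failures from datamodel=Authentication where Authentication.action="failure" by Authentication.src | where failures > 20

# Scheduling: run every 5 minutes over the last 5 minutes of data.
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m
dispatch.latest_time = now

# Trigger condition: fire when the search returns at least one row
# (the threshold itself lives in the SPL above, where it is easy to tune).
counttype = number of events
relation = greater than
quantity = 0
alert.severity = 4
alert.track = 1

# Throttle: at most one alert per offending source every 30 minutes.
alert.suppress = 1
alert.suppress.period = 30m
alert.suppress.fields = Authentication.src

# Alert action: email notification when the alert triggers.
action.email = 1
action.email.to = soc@example.com
action.email.subject = Splunk Alert: $name$
action.email.include.results_link = 1
```

Two design points. Keeping the numeric threshold in the SPL rather than in the counttype/relation/quantity keys means the alert condition stays "any result row", so tuning the rule does not require touching the trigger settings. The alert.suppress.fields throttle is what keeps one noisy source from emailing the SOC every five minutes for as long as the behaviour lasts. Enterprise Security correlation searches add their own adaptive-response settings (for example the action that creates a notable event) on top of a stanza like this; those keys are not shown here.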