To meet PCI-DSS v4.0.1 requirement 10.2.1.1, which mandates that audit logs capture all individual user access to cardholder data, you can use the following Splunk queries. These queries are tailored separately for Windows and Linux servers. They only report on events that are already being collected: the underlying audit policy (the Windows Advanced Audit Policy subcategories for Logon/Logoff and Object Access, and auditd rules on Linux) must be enabled and the logs forwarded to Splunk, or the searches return nothing.
For Windows Servers
index=your_index sourcetype=WinEventLog:Security
| search EventCode=4624 OR EventCode=4634 OR EventCode=4663
| bin _time span=1h
| stats count by user, host, _time
| rename user as "User", host as "Host", _time as "Time", count as "Access Count"
For Linux Servers
index=your_index sourcetype=linux_secure
| search sshd OR sudo OR su
| bin _time span=1h
| stats count by user, host, _time
| rename user as "User", host as "Host", _time as "Time", count as "Access Count"
Explanation of the Queries
Windows Servers Query:
index=your_index sourcetype=WinEventLog:Security: Searches the Windows Security Event Log. Replace your_index with the index your Windows forwarders write to.
search EventCode=4624 OR EventCode=4634 OR EventCode=4663: Filters on the EventCode field for logon (4624), logoff (4634), and object access (4663). The comparisons are deliberately unquoted: "EventCode=4624" in quotes is a literal phrase search rather than a field match, and the curly quotes that word processors insert are not valid SPL at all. Note that 4663 is only generated for objects that carry an audit SACL, so the files or directories holding cardholder data must have one configured.
bin _time span=1h | stats count by user, host, _time: Rounds each timestamp down to the hour, then counts events per user and host within that hour. Without the bin, every event keeps its own timestamp and almost every count is 1.
rename user as "User", host as "Host", _time as "Time", count as "Access Count": Renames the fields for readability. Renaming _time makes Splunk display it as an epoch number; for a readable timestamp, replace the _time rename with | eval Time=strftime(_time, "%Y-%m-%d %H:%M").
Linux Servers Query:
index=your_index sourcetype=linux_secure: Searches the secure log for Linux (/var/log/secure on RHEL-family systems, /var/log/auth.log on Debian-family systems).
search sshd OR sudo OR su: Keeps entries written by the sshd, sudo, and su programs.
bin _time span=1h | stats count by user, host, _time: Rounds each timestamp down to the hour, then counts entries per user and host within that hour.
rename user as "User", host as "Host", _time as "Time", count as "Access Count": Renames the fields for readability.
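The Windows query above does three things: filter on EventCode, round the timestamp to the hour, and count per user and host. The following Python script is an added example, not part of the original article, that performs the same steps over a few constructed WinEventLog:Security events written in the multi-line key=value layout the Splunk Universal Forwarder produces. The host names and account names are made up, and the way the user field is derived (the last "Account Name" in the event) is an assumption of this example rather than a statement of how the Splunk Add-on for Windows extracts it.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample events (not real log data), trimmed to the lines this
# example reads. Host and account names are invented.
SAMPLE_EVENTS = [
    "03/01/2024 10:15:02 AM\nLogName=Security\nEventCode=4624\n"
    "ComputerName=WIN-APP01.example.local\n"
    "Message=An account was successfully logged on.\n"
    "Subject:\n\tAccount Name:\t\t-\n"
    "New Logon:\n\tAccount Name:\t\tjdoe\n",
    "03/01/2024 10:40:33 AM\nLogName=Security\nEventCode=4663\n"
    "ComputerName=WIN-APP01.example.local\n"
    "Message=An attempt was made to access an object.\n"
    "Subject:\n\tAccount Name:\t\tjdoe\n"
    "Object:\n\tObject Name:\t\tD:\\cardholder\\batch.csv\n",
    "03/01/2024 10:55:10 AM\nLogName=Security\nEventCode=4688\n"
    "ComputerName=WIN-APP01.example.local\n"
    "Message=A new process has been created.\n"
    "Subject:\n\tAccount Name:\t\tjdoe\n",
    "03/01/2024 11:05:47 AM\nLogName=Security\nEventCode=4624\n"
    "ComputerName=WIN-DB01.example.local\n"
    "Message=An account was successfully logged on.\n"
    "Subject:\n\tAccount Name:\t\t-\n"
    "New Logon:\n\tAccount Name:\t\tasmith\n",
]

HEADER_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M)")
KV_RE = re.compile(r"^(\w+)=(.*)$", re.MULTILINE)
ACCOUNT_RE = re.compile(r"Account Name:\s*(\S+)")

# Event codes the 10.2.1.1 query keeps: logon, logoff, object access.
ACCESS_CODES = {4624, 4634, 4663}


def parse_event(raw):
    """Turn one raw WinEventLog:Security event into the fields the query uses."""
    ts = datetime.strptime(HEADER_RE.match(raw).group(1), "%m/%d/%Y %I:%M:%S %p")
    fields = dict(KV_RE.findall(raw))
    # 4624 names the logging-on account in the "New Logon" block, which follows
    # the "Subject" block; taking the last "Account Name" is this example's
    # assumption for populating the user field.
    names = ACCOUNT_RE.findall(raw)
    return {
        "_time": ts,
        "EventCode": int(fields["EventCode"]),
        "host": fields["ComputerName"],
        "user": names[-1] if names else "-",
    }


def access_counts(raw_events, codes=ACCESS_CODES, span_hours=1):
    """Equivalent of: search EventCode in codes | bin _time span=1h | stats count by user, host, _time."""
    counts = Counter()
    for raw in raw_events:
        ev = parse_event(raw)
        if ev["EventCode"] not in codes:
            continue  # the search stage drops everything else, e.g. 4688
        hour = (ev["_time"].hour // span_hours) * span_hours
        bucket = ev["_time"].replace(hour=hour, minute=0, second=0, microsecond=0)
        counts[(ev["user"], ev["host"], bucket)] += 1
    return counts


if __name__ == "__main__":
    rows = sorted(access_counts(SAMPLE_EVENTS).items(), key=lambda kv: kv[0][2])
    for (user, host, bucket), n in rows:
        print(f"{bucket:%Y-%m-%d %H:%M}  {user:<10} {host:<28} {n}")
```

Running it prints two rows: jdoe on WIN-APP01 with a count of 2 in the 10:00 bucket (the logon and the object access), and asmith on WIN-DB01 with a count of 1 at 11:00; the 4688 event is dropped by the filter just as the search stage drops it in Splunk.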
To meet PCI-DSS v4.0.1 requirement 10.2.1.2, which mandates that audit logs capture all actions taken by any individual with administrative access, including any interactive use of application or system accounts, you can use the following Splunk queries. These queries are tailored separately for Windows and Linux servers:
For Windows Servers
index=your_index sourcetype=WinEventLog:Security
| search EventCode=4624 OR EventCode=4634 OR EventCode=4672 OR EventCode=4688
| bin _time span=1h
| stats count by user, host, _time, EventCode
| rename user as "User", host as "Host", _time as "Time", EventCode as "Event Code", count as "Action Count"
For Linux Servers
index=your_index sourcetype=linux_secure
| search sshd OR sudo OR su
| bin _time span=1h
| stats count by user, host, _time, action
| rename user as "User", host as "Host", _time as "Time", action as "Action", count as "Action Count"
Explanation of the Queries
Windows Servers Query:
index=your_index sourcetype=WinEventLog:Security: Searches the Windows Security Event Log.
search EventCode=4624 OR EventCode=4634 OR EventCode=4672 OR EventCode=4688: Filters on the EventCode field for logon (4624), logoff (4634), special privileges assigned to a new logon (4672), and process creation (4688). 4688 is only written when the Audit Process Creation subcategory is enabled; to record the command line of each process as well, also enable the "Include command line in process creation events" policy.
bin _time span=1h | stats count by user, host, _time, EventCode: Rounds each timestamp down to the hour, then counts events per user, host, and event code within that hour.
rename user as "User", host as "Host", _time as "Time", EventCode as "Event Code", count as "Action Count": Renames the fields for readability.
Linux Servers Query:
index=your_index sourcetype=linux_secure: Searches the secure log for Linux.
search sshd OR sudo OR su: Keeps entries written by the sshd, sudo, and su programs; sudo's own entries record the invoking user and the command run, which is the interactive administrative use the requirement asks for.
bin _time span=1h | stats count by user, host, _time, action: Rounds each timestamp down to the hour, then counts entries per user, host, and action within that hour.
rename user as "User", host as "Host", _time as "Time", action as "Action", count as "Action Count": Renames the fields for readability.
To meet PCI-DSS v4.0.1 requirement 10.2.1.3, which mandates that audit logs capture all access to audit logs, you can use the following Splunk queries. These queries are tailored separately for Windows and Linux servers:
For Windows Servers
index=your_index sourcetype=WinEventLog:Security
| search EventCode=4663 OR EventCode=4660
| bin _time span=1h
| stats count by user, host, _time, EventCode
| rename user as "User", host as "Host", _time as "Time", EventCode as "Event Code", count as "Access Count"
For Linux Servers
index=your_index sourcetype=linux_secure
| search audit
| bin _time span=1h
| stats count by user, host, _time, action
| rename user as "User", host as "Host", _time as "Time", action as "Action", count as "Access Count"
Explanation of the Queries
Windows Servers Query:
index=your_index sourcetype=WinEventLog:Security: Searches the Windows Security Event Log.
search EventCode=4663 OR EventCode=4660: Filters for specific event codes related to access to audit logs and object deletion. Both events are only produced for objects that carry an audit SACL, so one must be set on the event log files themselves (under %SystemRoot%\System32\winevt\Logs) for this search to return anything; it will also match access to any other object with a SACL, so narrow it on the object name field if the result is noisy.
bin _time span=1h | stats count by user, host, _time, EventCode: Rounds each timestamp down to the hour, then counts events per user, host, and event code within that hour.
rename user as "User", host as "Host", _time as "Time", EventCode as "Event Code", count as "Access Count": Renames the fields for readability.
Linux Servers Query:
index=your_index sourcetype=linux_secure: Searches the secure log for Linux.
search audit: Filters for audit-related entries. Be aware that reads of the log files are not themselves written to the secure log; to capture access to the audit logs you need an auditd watch on the log directory (for example -w /var/log/audit/ -p rwa -k audit_log_access) and a search on sourcetype=linux_audit for that key.
bin _time span=1h | stats count by user, host, _time, action: Rounds each timestamp down to the hour, then counts entries per user, host, and action within that hour.
rename user as "User", host as "Host", _time as "Time", action as "Action", count as "Access Count": Renames the fields for readability.
To meet PCI-DSS v4.0.1 requirement 10.2.1.4, which mandates that audit logs capture all invalid logical access attempts, you can use the following Splunk queries. These queries are tailored separately for Windows and Linux servers:
For Windows Servers
index=your_index sourcetype=WinEventLog:Security
| search EventCode=4625 OR EventCode=4771
| bin _time span=1h
| stats count by user, host, _time, EventCode
| rename user as "User", host as "Host", _time as "Time", EventCode as "Event Code", count as "Invalid Access Count"
For Linux Servers
index=your_index sourcetype=linux_secure
| search "Failed password" OR "authentication failure"
| bin _time span=1h
| stats count by user, host, _time, action
| rename user as "User", host as "Host", _time as "Time", action as "Action", count as "Invalid Access Count"
Explanation of the Queries
Windows Servers Query:
index=your_index sourcetype=WinEventLog:Security: Searches the Windows Security Event Log.
search EventCode=4625 OR EventCode=4771: Filters for the event codes related to failed logon attempts: 4625 (an account failed to log on) on the server itself, and 4771 (Kerberos pre-authentication failed), which is only written on domain controllers.
bin _time span=1h | stats count by user, host, _time, EventCode: Rounds each timestamp down to the hour, then counts events per user, host, and event code within that hour.
rename user as "User", host as "Host", _time as "Time", EventCode as "Event Code", count as "Invalid Access Count": Renames the fields for readability.
Linux Servers Query:
index=your_index sourcetype=linux_secure: Searches the secure log for Linux.
search "Failed password" OR "authentication failure": Filters for sshd password failures and PAM authentication failures (from sudo, su, and other PAM-aware services). These are phrase searches, so the straight quotes are required here; Splunk term matching is case-insensitive.
bin _time span=1h | stats count by user, host, _time, action: Rounds each timestamp down to the hour, then counts entries per user, host, and action within that hour.
rename user as "User", host as "Host", _time as "Time", action as "Action", count as "Invalid Access Count": Renames the fields for readability.
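To show what the Linux query actually has to match, the following Python script, an added example that is not part of the original article, classifies a few constructed secure-log lines into sshd password failures and PAM authentication failures, counts them per user, host, and hour like the bin and stats stages, and then flags user/host pairs whose failures in one hour reach a threshold. Host names, account names, and addresses are invented; the threshold function and the action labels are this example's own choices.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed linux_secure sample lines (not real log data). The last line is
# a successful logon and must not be counted.
SAMPLE_LINES = [
    "Mar  1 10:15:02 app01 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 52114 ssh2",
    "Mar  1 10:15:09 app01 sshd[2213]: Failed password for jdoe from 203.0.113.5 port 52118 ssh2",
    "Mar  1 10:15:11 app01 sshd[2214]: Failed password for jdoe from 203.0.113.5 port 52120 ssh2",
    "Mar  1 10:16:40 app01 sudo: pam_unix(sudo:auth): authentication failure; logname=jdoe uid=1001 euid=0 tty=/dev/pts/0 ruser=jdoe rhost=  user=jdoe",
    "Mar  1 11:22:15 db01 su: pam_unix(su:auth): authentication failure; logname=asmith uid=1002 euid=0 tty=pts/1 ruser=asmith rhost=  user=root",
    "Mar  1 11:30:01 db01 sshd[2230]: Accepted publickey for asmith from 198.51.100.7 port 40100 ssh2",
]

# Syslog prefix: timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# sshd password failures; "invalid user" means the account does not exist.
FAILED_PW_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
# PAM failures from sudo/su; \buser= avoids matching the ruser= field.
PAM_FAIL_RE = re.compile(r"authentication failure;.*\buser=(?P<user>\S*)")


def classify(line):
    """Return (ts, host, user, action) for an invalid access attempt, else None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    pw = FAILED_PW_RE.search(msg)
    if pw:
        return m.group("ts"), m.group("host"), pw.group("user"), "failed_password"
    pam = PAM_FAIL_RE.search(msg)
    if pam:
        return m.group("ts"), m.group("host"), pam.group("user") or "-", f"{m.group('prog')}_auth_failure"
    return None


def hour_bucket(ts):
    """Round a syslog timestamp (which carries no year) down to the hour, like bin _time span=1h."""
    return datetime.strptime(ts, "%b %d %H:%M:%S").strftime("%b %d %H:00")


def invalid_access_counts(lines):
    """Equivalent of the Linux query: count failures per user, host, hour, and action."""
    counts = Counter()
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        ts, host, user, action = hit
        counts[(user, host, hour_bucket(ts), action)] += 1
    return counts


def over_threshold(counts, limit):
    """User/host pairs whose failures in one hour reach the limit (a starting point for an alert)."""
    per_hour = Counter()
    for (user, host, bucket, _action), n in counts.items():
        per_hour[(user, host, bucket)] += n
    return sorted(key for key, n in per_hour.items() if n >= limit)


if __name__ == "__main__":
    c = invalid_access_counts(SAMPLE_LINES)
    for key, n in sorted(c.items()):
        print(key, n)
    print("at or above 2 failures per hour:", over_threshold(c, 2))
```

Two details carry over to the SPL: the "invalid user" variant of the sshd message still yields a user name (the one that was tried), and for su the PAM user= field is the target account (root here), not the person typing, who appears as logname= and ruser=; decide which of the two you want to group by before trusting the User column.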
To meet PCI-DSS v4.0.1 requirement 10.2.1.5, which mandates that audit logs capture all changes to identification and authentication credentials, including the creation of new accounts, elevation of privileges, and changes to accounts with administrative access, you can use the following Splunk queries. These queries are tailored separately for Windows and Linux servers:
For Windows Servers
index=your_index sourcetype=WinEventLog:Security
| search EventCode IN (4720, 4722, 4723, 4724, 4725, 4726, 4738, 4756, 4757, 4758, 4767)
| bin _time span=1h
| stats count by user, host, _time, EventCode
| rename user as "User", host as "Host", _time as "Time", EventCode as "Event Code", count as "Change Count"
For Linux Servers
index=your_index sourcetype=linux_secure
| search useradd OR usermod OR userdel OR passwd
| bin _time span=1h
| stats count by user, host, _time, action
| rename user as "User", host as "Host", _time as "Time", action as "Action", count as "Change Count"
Explanation of the Queries
Windows Servers Query:
index=your_index sourcetype=WinEventLog:Security: Searches the Windows Security Event Log.
search EventCode IN (4720, 4722, 4723, 4724, 4725, 4726, 4738, 4756, 4757, 4758, 4767): Filters for specific event codes related to account creation, modification, deletion, and privilege changes. The IN list is equivalent to chaining the same comparisons with OR; it is just shorter to read when the list is this long.
bin _time span=1h | stats count by user, host, _time, EventCode: Rounds each timestamp down to the hour, then counts events per user, host, and event code within that hour.
rename user as "User", host as "Host", _time as "Time", EventCode as "Event Code", count as "Change Count": Renames the fields for readability.
Linux Servers Query:
index=your_index sourcetype=linux_secure: Searches the secure log for Linux.
search useradd OR usermod OR userdel OR passwd: Filters for commands related to user account creation, modification, deletion, and password changes. These tools log the affected account but not the administrator who ran them; that information is in the sudo entry written at the same time, so keep sudo in scope if you need the acting user.
bin _time span=1h | stats count by user, host, _time, action: Rounds each timestamp down to the hour, then counts entries per user, host, and action within that hour.
rename user as "User", host as "Host", _time as "Time", action as "Action", count as "Change Count": Renames the fields for readability.
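The Linux query above keys on the program names, but the messages those programs write differ in shape, and the one that matters most for this requirement (an account being added to an administrative group) is a usermod line. The following Python script is an added example, not from the original article, that parses constructed useradd, usermod, userdel, passwd, and sudo lines, counts changes per host and tool the way the stats stage does, and lists the privilege elevations separately. Host and account names are invented, and the set of groups treated as administrative is an assumption to adjust for your build.

```python
import re
from collections import defaultdict

# Constructed linux_secure sample lines (not real log data). The message
# formats follow what useradd, usermod, userdel, and passwd (via pam_unix)
# write to the secure log.
SAMPLE_LINES = [
    "Mar  1 09:02:11 app01 useradd[3101]: new user: name=svc_batch, UID=1003, GID=1003, home=/home/svc_batch, shell=/bin/bash",
    "Mar  1 09:02:40 app01 passwd[3108]: pam_unix(passwd:chauthtok): password changed for svc_batch",
    "Mar  1 09:05:03 app01 usermod[3120]: add 'svc_batch' to group 'wheel'",
    "Mar  1 09:05:03 app01 usermod[3120]: add 'svc_batch' to shadow group 'wheel'",
    "Mar  1 11:30:52 db01 userdel[4410]: delete user 'tmpuser'",
    "Mar  1 11:31:00 db01 sudo:    asmith : TTY=pts/0 ; PWD=/home/asmith ; USER=root ; COMMAND=/usr/sbin/userdel tmpuser",
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# One pattern per account-management message; each yields the affected account.
# The usermod pattern deliberately skips the duplicate "shadow group" line.
CHANGE_PATTERNS = {
    "useradd": re.compile(r"new user: name=(?P<target>[^,]+)"),
    "userdel": re.compile(r"delete user '(?P<target>[^']+)'"),
    "usermod": re.compile(r"add '(?P<target>[^']+)' to group '(?P<group>[^']+)'"),
    "passwd": re.compile(r"password changed for (?P<target>\S+)"),
}
# sudo's own line is the only place the acting administrator appears.
SUDO_RE = re.compile(r"^\s*(?P<actor>\S+) : .*COMMAND=(?P<command>.*)$")
# Groups whose membership grants administrative access (assumption; adjust to your build).
ADMIN_GROUPS = {"wheel", "sudo"}


def parse_changes(lines):
    """Extract account/credential changes and sudo invocations from secure-log lines."""
    records = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        prog, msg = m.group("prog"), m.group("msg")
        if prog in CHANGE_PATTERNS:
            hit = CHANGE_PATTERNS[prog].search(msg)
            if hit:
                group = hit.groupdict().get("group")
                records.append({"time": m.group("ts"), "host": m.group("host"), "tool": prog,
                                "target": hit.group("target"), "group": group,
                                "privileged": group in ADMIN_GROUPS})
        elif prog == "sudo":
            hit = SUDO_RE.match(msg)
            if hit:
                records.append({"time": m.group("ts"), "host": m.group("host"), "tool": "sudo",
                                "target": None, "group": None, "privileged": False,
                                "actor": hit.group("actor"), "command": hit.group("command")})
    return records


def change_counts(records):
    """stats count by host, tool: how many changes each tool made per host."""
    counts = defaultdict(int)
    for r in records:
        counts[(r["host"], r["tool"])] += 1
    return dict(counts)


def privilege_elevations(records):
    """Accounts added to an administrative group, which 10.2.1.5 singles out."""
    return [(r["host"], r["target"], r["group"]) for r in records if r["privileged"]]


if __name__ == "__main__":
    recs = parse_changes(SAMPLE_LINES)
    print(change_counts(recs))
    print("elevations:", privilege_elevations(recs))
    print("sudo:", [(r["actor"], r["command"]) for r in recs if r["tool"] == "sudo"])
```

The userdel line on db01 and the sudo line one second later describe the same action; the first tells you which account was removed, the second who removed it, which is why the explanation above suggests keeping sudo entries in scope.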
To meet PCI-DSS v4.0.1 requirement 10.2.1.6, which mandates that audit logs capture all initialization of new audit logs and all starting, stopping, or pausing of existing audit logs, you can use the following Splunk queries. These queries are tailored separately for Windows and Linux servers:
For Windows Servers
index=your_index sourcetype=WinEventLog:Security
| search EventCode=1100 OR EventCode=1102 OR EventCode=1104
| bin _time span=1h
| stats count by user, host, _time, EventCode
| rename user as "User", host as "Host", _time as "Time", EventCode as "Event Code", count as "Log Action Count"
For Linux Servers
index=your_index sourcetype=linux_audit
| search auditd OR auditctl
| bin _time span=1h
| stats count by user, host, _time, action
| rename user as "User", host as "Host", _time as "Time", action as "Action", count as "Log Action Count"
Explanation of the Queries
Windows Servers Query:
index=your_index sourcetype=WinEventLog:Security: Searches the Windows Security Event Log.
search EventCode=1100 OR EventCode=1102 OR EventCode=1104: Filters for specific event codes related to the initialization, clearing, and backup of audit logs. These events are written by the Windows event log service itself, so they appear in the Security log without any additional audit policy.
bin _time span=1h | stats count by user, host, _time, EventCode: Rounds each timestamp down to the hour, then counts events per user, host, and event code within that hour.
rename user as "User", host as "Host", _time as "Time", EventCode as "Event Code", count as "Log Action Count": Renames the fields for readability.
Linux Servers Query:
index=your_index sourcetype=linux_audit: Searches the audit log for Linux (/var/log/audit/audit.log).
search auditd OR auditctl: Filters for records related to the audit daemon and audit control. In auditd's own log, daemon start and stop appear as type=DAEMON_START and type=DAEMON_END records, and rule changes made with auditctl as type=CONFIG_CHANGE records; searching on those record types is more precise than the program names.
bin _time span=1h | stats count by user, host, _time, action: Rounds each timestamp down to the hour, then counts records per user, host, and action within that hour.
rename user as "User", host as "Host", _time as "Time", action as "Action", count as "Log Action Count": Renames the fields for readability.
To meet PCI-DSS v4.0.1 requirement 10.2.1.7, which mandates that audit logs capture all creation and deletion of system-level objects, you can use the following Splunk queries. These queries are tailored separately for Windows and Linux servers:
For Windows Servers
index=your_index sourcetype=WinEventLog:Security
| search EventCode=4660 OR EventCode=4663 OR EventCode=5140 OR EventCode=5141
| bin _time span=1h
| stats count by user, host, _time, EventCode
| rename user as "User", host as "Host", _time as "Time", EventCode as "Event Code", count as "Object Change Count"
For Linux Servers
index=your_index sourcetype=linux_audit
| search SYSCALL (creat OR unlink OR unlinkat OR rmdir)
| bin _time span=1h
| stats count by user, host, _time, action
| rename user as "User", host as "Host", _time as "Time", action as "Action", count as "Object Change Count"
Explanation of the Queries
Windows Servers Query:
index=your_index sourcetype=WinEventLog:Security: Searches the Windows Security Event Log.
search EventCode=4660 OR EventCode=4663 OR EventCode=5140 OR EventCode=5141: Filters for specific event codes related to object deletion, access, and file share creation/deletion. As with the other object-access searches, 4660 and 4663 require an audit SACL on the objects in question.
bin _time span=1h | stats count by user, host, _time, EventCode: Rounds each timestamp down to the hour, then counts events per user, host, and event code within that hour.
rename user as "User", host as "Host", _time as "Time", EventCode as "Event Code", count as "Object Change Count": Renames the fields for readability.
Linux Servers Query:
index=your_index sourcetype=linux_audit: Searches the audit log for Linux.
search SYSCALL (creat OR unlink OR unlinkat OR rmdir): Keeps SYSCALL records for the system calls that create and delete files and directories; the parentheses make the grouping explicit (SYSCALL and any one of the names). Note that the raw audit.log records the syscall as a number (for example syscall=87 for unlink on x86_64) rather than a name, so the names only match when auditd is configured with log_format = ENRICHED, which appends resolved fields such as SYSCALL=unlink to each record, or when you search on the numbers instead. The user you want for accountability is auid (the login UID), which survives sudo and su, rather than uid.
bin _time span=1h | stats count by user, host, _time, action: Rounds each timestamp down to the hour, then counts records per user, host, and action within that hour.
rename user as "User", host as "Host", _time as "Time", action as "Action", count as "Object Change Count": Renames the fields for readability.
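Because raw audit.log lines carry syscall numbers and only ENRICHED lines carry names, a search on names silently misses records from hosts that are not enriched. The following Python script is an added example, not part of the original article, that parses constructed audit.log records, resolves the syscall name from the ENRICHED suffix when present and from a small x86_64 number table otherwise, keys the count on auid rather than uid, and counts per user, syscall, and hour the way the bin and stats stages do. The sample records, their PIDs and UIDs are invented; the number table covers only the four calls this section watches on the x86_64 ABI.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed audit.log sample lines (not real log data). The last one uses
# auditd's ENRICHED log_format: the original record is followed by a 0x1d
# separator and resolved names such as SYSCALL=unlinkat and AUID="jdoe".
SAMPLE_LINES = [
    'type=SYSCALL msg=audit(1709287021.512:4412): arch=c000003e syscall=87 success=yes exit=0 '
    'a0=7ffd2c3e1a40 a1=0 a2=0 a3=0 items=2 ppid=2210 pid=2299 auid=1001 uid=1001 gid=1001 '
    'euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=3 '
    'comm="rm" exe="/usr/bin/rm" key="delete"',
    'type=PATH msg=audit(1709287021.512:4412): item=1 name="/srv/card/batch.csv" inode=1311 '
    'dev=08:01 mode=0100640 ouid=1001 ogid=1001 rdev=00:00 nametype=DELETE',
    'type=SYSCALL msg=audit(1709290835.004:4420): arch=c000003e syscall=85 success=yes exit=4 '
    'a0=7ffe1a2b3c40 a1=1a4 a2=0 a3=0 items=2 ppid=2210 pid=2310 auid=1002 uid=1002 gid=1002 '
    'euid=1002 suid=1002 fsuid=1002 egid=1002 sgid=1002 fsgid=1002 tty=pts1 ses=4 '
    'comm="touch" exe="/usr/bin/touch" key="create"',
    'type=SYSCALL msg=audit(1709290860.118:4421): arch=c000003e syscall=257 success=yes exit=3 '
    'a0=ffffff9c a1=7ffe1a2b3d00 a2=0 a3=0 items=1 ppid=2210 pid=2311 auid=1002 uid=1002 gid=1002 '
    'euid=1002 suid=1002 fsuid=1002 egid=1002 sgid=1002 fsgid=1002 tty=pts1 ses=4 '
    'comm="cat" exe="/usr/bin/cat" key="read"',
    'type=SYSCALL msg=audit(1709290900.120:4425): arch=c000003e syscall=263 success=yes exit=0 '
    'a0=ffffff9c a1=7ffd4c5d6e70 a2=0 a3=0 items=2 ppid=2210 pid=2350 auid=1001 uid=0 gid=0 '
    'euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 '
    'comm="rm" exe="/usr/bin/rm" key="delete"\x1dARCH=x86_64 SYSCALL=unlinkat AUID="jdoe" UID="root"',
]

# Syscall numbers for the x86_64 ABI only (arch=c000003e). Other architectures
# use different numbers, which is why the name-resolved ENRICHED format is preferable.
X86_64_SYSCALLS = {84: "rmdir", 85: "creat", 87: "unlink", 263: "unlinkat"}
WATCHED = {"creat", "unlink", "unlinkat", "rmdir"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
STAMP_RE = re.compile(r"audit\((\d+)\.\d+:(\d+)\)")


def parse_syscall_record(line):
    """Return the fields of a type=SYSCALL record with the syscall name resolved, or None."""
    raw, _, enriched = line.partition("\x1d")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(raw)}
    names = {k: v.strip('"') for k, v in KV_RE.findall(enriched)}
    if fields.get("type") != "SYSCALL":
        return None
    epoch, serial = STAMP_RE.search(fields["msg"]).groups()
    name = names.get("SYSCALL")  # only present with log_format = ENRICHED
    if name is None and fields.get("arch") == "c000003e":
        name = X86_64_SYSCALLS.get(int(fields["syscall"]), "unknown")
    return {
        "time": datetime.fromtimestamp(int(epoch), tz=timezone.utc),
        "serial": int(serial),
        # auid (login UID) survives sudo/su, so it names the person even when uid=0.
        "auid": fields.get("auid", "-"),
        "uid": fields.get("uid", "-"),
        "exe": fields.get("exe", "-"),
        "syscall": name or "unknown",
        "success": fields.get("success") == "yes",
    }


def object_change_counts(lines):
    """Equivalent of: search SYSCALL (creat OR unlink OR unlinkat OR rmdir) | bin _time span=1h | stats count by auid, syscall, _time."""
    counts = Counter()
    for line in lines:
        rec = parse_syscall_record(line)
        if rec is None or rec["syscall"] not in WATCHED:
            continue
        bucket = rec["time"].strftime("%Y-%m-%d %H:00")
        counts[(rec["auid"], rec["syscall"], bucket)] += 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(object_change_counts(SAMPLE_LINES).items()):
        print(key, n)
```

The last record shows why auid matters: the deletion ran as uid=0 through sudo, but auid=1001 (AUID="jdoe" in the enriched suffix) still identifies who did it, and the count lands under that login UID. The openat record (syscall 257) is parsed but excluded, exactly as the SPL filter would exclude it.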