To meet PCI-DSS v4.0.1 requirement 10.2.1.1, which mandates that audit logs capture all individual user access to cardholder data, you can use the following Splunk queries. These queries are tailored separately for Windows and Linux servers:

For Windows Servers

    index=your_index sourcetype=WinEventLog:Security
    | search "EventCode=4624" OR "EventCode=4634" OR "EventCode=4663"
    | stats count by user, host, _time…
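The three event codes in the Windows query are logon (4624), logoff (4634) and object access (4663); only 4663 records a touch on a file, so a per-user trail of cardholder-data access has to tie each 4663 back to its logon session. The Python below is an added example, not part of the original post and not Splunk code: it runs that correlation over constructed events, and the field names and the `D:\chd` path are assumptions.

```python
# Constructed sample events (not real logs). Field names are simplified
# stand-ins for Windows Security log fields; CHD_PREFIX is an assumed path.
CHD_PREFIX = r"D:\chd"
EVENTS = [
    {"time": "2025-01-10T09:00:00", "code": 4624, "host": "fs01",
     "user": "alice", "logon_id": "0x1a2b"},
    {"time": "2025-01-10T09:02:10", "code": 4663, "host": "fs01",
     "user": "alice", "logon_id": "0x1a2b",
     "object": r"D:\chd\pan_export.csv", "access": "ReadData"},
    {"time": "2025-01-10T09:03:00", "code": 4663, "host": "fs01",
     "user": "alice", "logon_id": "0x1a2b",
     "object": r"C:\Windows\Temp\x.tmp", "access": "WriteData"},
    {"time": "2025-01-10T09:05:00", "code": 4634, "host": "fs01",
     "user": "alice", "logon_id": "0x1a2b"},
    {"time": "2025-01-10T09:07:30", "code": 4663, "host": "fs01",
     "user": "bob", "logon_id": "0x9f00",
     "object": r"D:\chd\pan_export.csv", "access": "ReadData"},
]


def chd_access_trail(events, prefix=CHD_PREFIX):
    """One record per 4663 access under `prefix`, tied to its 4624 logon.

    logon_time is None when no open session matches the access, which
    points at a missing or filtered logon event in the audit trail.
    """
    wanted = prefix.lower() + "\\"
    sessions = {}  # (host, logon_id) -> time of the 4624 that opened it
    trail = []
    for ev in sorted(events, key=lambda e: e["time"]):  # ISO times sort as text
        key = (ev["host"], ev["logon_id"])
        if ev["code"] == 4624:
            sessions[key] = ev["time"]
        elif ev["code"] == 4634:
            sessions.pop(key, None)
        elif ev["code"] == 4663 and ev["object"].lower().startswith(wanted):
            rec = {k: ev[k] for k in ("time", "host", "user", "object", "access")}
            rec["logon_time"] = sessions.get(key)
            trail.append(rec)
    return trail


def unattributed(trail):
    """Accesses that could not be tied to a recorded logon session."""
    return [r for r in trail if r["logon_time"] is None]
```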