SIEM Use-Cases Pertaining To PCI DSS V3

This document outlines 22 use cases for a SIEM pertaining to PCI DSS compliance and maps them to specific PCI requirements. It provides details on detecting unauthorized network access, insecure services, traffic monitoring, anti-virus issues, identifying vulnerable systems, unauthorized access to data, user account monitoring and privileged user activity logging. Log sources like firewalls, antivirus and Active Directory are mapped to the relevant PCI requirements addressed by each use case.

Uploaded by

Moazzam Ch

SIEM USE-CASES PERTAINING TO PCI DSS V3

Each use case below lists the scenario, the threat it addresses, the use case statement, the detection rule, the log source(s) and the PCI DSS v3 requirement(s) it maps to.

1. Scenario: Unapproved network connections to/from your critical assets
   Threat: Unauthorized access
   Use case: Detect all the unapproved/unauthorized network connections to/from your critical IT assets and correlate with the rules documented in your change management process.
   Rule: Group all the connections by dst port and include your critical assets in the filter.
   Log source(s): Routers, switches and firewalls
   PCI Requirement #: 1.1.1, 1.2.1

2. Scenario: Usage of insecure protocols/services
   Threat: Unauthorized access, interception of traffic
   Use case: Detect all the insecure services, ports and protocols.
   Rule: Group by application/port.
   Log source(s): Routers, switches and firewalls
   PCI Requirement #: 1.1.6

3. Scenario: Limit inbound/outbound traffic to/from DMZ
   Threat: Harmful traffic
   Use case: Verify that a DMZ is implemented to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.
   Rule: Analyse flow data from your DMZ firewall and check for inbound/outbound traffic not destined for legitimate servers.
   Log source(s): Routers, switches and firewalls
   PCI Requirement #: 1.3.1, 1.3.2

4. Scenario: Limit unauthorized services
   Threat: Unauthorized services
   Use case: Look for the services that should not be present on the machines.
   Rule: Group by applications.
   Log source(s): Routers, switches and firewalls
   PCI Requirement #: 2.2.5

5. Scenario: Anti-virus protection disabled
   Threat: Spread of malware
   Use case: Detect when anti-virus protection is disabled on the machines.
   Rule: Include qid 'protection disabled'.
   Log source(s): Antivirus
   PCI Requirement #: 5.1, 5.3

6. Scenario: Anti-virus updates disabled
   Threat: Spread of malware
   Use case: Detect when agents are not receiving any updates.
   Rule: Search for qid that is related to old database or old signatures.
   Log source(s): Antivirus
   PCI Requirement #: 5.2

7. Scenario: Identify most vulnerable systems
   Threat: Exploitation of vulnerabilities
   Use case: Identify all the vulnerable systems running in the organization.
   Rule: Integrate VM with an existing SIEM solution.
   Log source(s): VM Solution
   PCI Requirement #: 6.1

8. Scenario: Detect all the default accounts
   Threat: Unauthorized access
   Use case: Identify all the systems using default accounts.
   Rule: Create a list of default accounts and check for authentication events related to those accounts.
   Log source(s): Any system
   PCI Requirement #: 6.3.1, 6.4.4

9. Scenario: Unauthorized access to confidential data
   Threat: Unauthorized access, disclosure of confidential data
   Use case: Detect unauthorized access to confidential data.
   Rule: Create a list of all the users who are authorized to use/access the confidential data. If a user is not listed in that list and has accessed the data, then the rule should trigger.
   Log source(s): Server storing confidential data, Databases
   PCI Requirement #: 7

10. Scenario: Detect addition, deletion, and modification of user IDs, credentials, and other identifier objects.
    Threat: Unauthorized access
    Use case: Detect addition, deletion, and modification of user IDs, credentials, and other identifier objects.
    Rule: Include qids that are related to addition, deletion and modification of users in the rule.
    Log source(s): Active Directory, Database, Network Devices
    PCI Requirement #: 8.1.2, 12.5.4, 10.2.5

11. Scenario: Revoke access for any terminated users.
    Threat: Unauthorized access
    Use case: Detect any authentication event made by or for terminated users.
    Rule: Create a list of terminated employees and look for authentication events related to/for those users.
    Log source(s): Active Directory, Applications, Databases
    PCI Requirement #: 8.1.3

12. Scenario: Detect rogue accounts
    Threat: Rogue accounts
    Use case: When not a single event is detected within 60 days from the same user.
    Rule: Define a time frame of 60 days and look for the authentication events for the same user.
    Log source(s): Active Directory
    PCI Requirement #: 8.1.4

13. Scenario: Monitored vendor access accounts
    Threat: N/A
    Use case: Vendor remote access accounts should be monitored while being used.
    Rule: Create a list of all the vendor accounts and look for the authentication and access events made by those users.
    Log source(s): VPN, Systems
    PCI Requirement #: 8.1.5

14. Scenario: Detect brute-force attack
    Threat: Unauthorized access
    Use case: Detect brute-force attacks.
    Rule: Create a rule to detect repeated login attempts made within a short time interval.
    Log source(s): Active Directory, Database
    PCI Requirement #: 8.1.6, 10.2.4

15. Scenario: Detect usage of shared accounts
    Threat: Unaccountability
    Use case: Alert when a privileged account is shared between two or more employees.
    Rule: Look for authentication events made for the same username from different IP addresses.
    Log source(s): Active Directory
    PCI Requirement #: 8.5

16. Scenario: Copying and moving of sensitive data
    Threat: Disclosure of information
    Use case: Alert when a user is trying to copy or move a sensitive document.
    Rule: Enable auditing on the files which are confidential and look for the events which are related to copy or move, or integrate a DLP solution with the SIEM.
    Log source(s): Server storing confidential data, DLP
    PCI Requirement #: 12.3.10

17. Scenario: Modification to critical files
    Threat: Modification
    Use case: Detect when a user is trying to modify any critical file.
    Rule: Enable auditing on the critical files and look for the events which are related to modification or copying, or integrate a FIM solution with the SIEM.
    Log source(s): Any system
    PCI Requirement #: 11.5

18. Scenario: Record individual access to sensitive data
    Threat: Disclosure of information
    Use case: Access to sensitive data should be recorded.
    Rule: Enable auditing on the sensitive file and look for access related events.
    Log source(s): Server storing confidential data
    PCI Requirement #: 10.2.1

19. Scenario: Actions taken by any individual with root or administrative privileges are logged.
    Threat: Misuse of privileges
    Use case: Detect all the actions taken by any individual with root or administrative privileges.
    Rule: Define the privileged users in the privileged users building block and look for the actions taken by those users.
    Log source(s): Active Directory, Applications, Databases
    PCI Requirement #: 10.2.2

20. Scenario: Creation and deletion of system level objects
    Threat: Unauthorized modifications
    Use case: Alert when system-level objects, such as database tables or stored procedures, are created or deleted.
    Rule: Enable auditing and search for the events related to creation and deletion of system-level objects and then include those events in the rule.
    Log source(s): Databases
    PCI Requirement #: 10.2.7

21. Scenario: Stopping or pausing of audit logs
    Threat: Unable to track
    Use case: Alert when audit services are stopped on a compliance host.
    Rule: Define the hosts in the compliance definition BBs and verify that the events for the audit service stopped for your host are in the Auditing Stopped building block.
    Log source(s): Systems, Databases, Applications
    PCI Requirement #: 10.2.6

22. Scenario: Access to audit/log files should be recorded.
    Threat: Modification
    Use case: Alert when someone is trying to access the audit/log file of any application/system.
    Rule: Enable auditing on the audit file and check for the access related events.
    Log source(s): Application Servers
    PCI Requirement #: 10.2.3
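The network rules of use cases 1 to 3 (group unapproved connections to critical assets by destination port, group insecure services by port, and flag DMZ traffic that is not destined for a legitimate server) are easiest to understand when run over a handful of flow records. The following is an added example, not code from the spreadsheet; the critical-asset list, the approved (asset, port) pairs standing in for the change-management record, the DMZ address range, the DMZ service lists and the insecure-port table are all constructed assumptions.

```python
"""Added example (not from the original spreadsheet): firewall/flow rules for
use cases 1-3 over constructed flow records. All lists below are assumptions."""
import ipaddress
from collections import Counter, defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    src: str
    dst: str
    dst_port: int
    proto: str


# Constructed: the two assets the rules protect (card-data DB and internal app server)
CRITICAL_ASSETS = {"10.10.1.10", "10.10.1.11"}
# Constructed stand-in for the change-management record: approved (dst asset, dst port) pairs
APPROVED = {("10.10.1.10", 5432), ("10.10.1.11", 443)}
# Constructed DMZ range (TEST-NET-1) and the only service it is allowed to expose
DMZ = ipaddress.ip_network("192.0.2.0/24")
DMZ_PUBLIC_SERVICES = {("192.0.2.10", 443)}
# Constructed: the only internal destination a DMZ host may open connections to
DMZ_ALLOWED_OUTBOUND = {("10.10.1.11", 443)}
# Plaintext/legacy services that PCI 1.1.6 expects to be justified or absent
INSECURE_PORTS = {21: "ftp", 23: "telnet", 110: "pop3", 143: "imap", 161: "snmp"}

# Constructed sample flows (src, dst, dst_port, proto)
FLOWS = [
    Flow("10.20.0.5", "10.10.1.10", 5432, "tcp"),     # approved DB access
    Flow("10.20.0.5", "10.10.1.10", 22, "tcp"),       # SSH to the DB host: not approved
    Flow("10.20.0.6", "10.10.1.10", 22, "tcp"),       # second source doing the same
    Flow("10.20.0.7", "10.10.1.11", 23, "tcp"),       # telnet to app server: unapproved and insecure
    Flow("198.51.100.4", "192.0.2.10", 443, "tcp"),   # legitimate public HTTPS into the DMZ
    Flow("198.51.100.4", "192.0.2.10", 22, "tcp"),    # inbound SSH to the DMZ web host
    Flow("198.51.100.9", "192.0.2.20", 443, "tcp"),   # inbound to a DMZ host that offers no public service
    Flow("192.0.2.10", "10.10.1.11", 443, "tcp"),     # DMZ host to app server: allowed outbound
    Flow("192.0.2.10", "10.10.1.10", 5432, "tcp"),    # DMZ host straight to the DB: not allowed
    Flow("10.20.0.8", "10.20.0.9", 21, "tcp"),        # FTP between workstations: insecure service only
]


def unapproved_by_port(flows):
    """Use case 1: connections to critical assets that the change record does not
    approve, grouped by destination port so one screen shows every offending port."""
    groups = defaultdict(list)
    for f in flows:
        if f.dst in CRITICAL_ASSETS and (f.dst, f.dst_port) not in APPROVED:
            groups[f.dst_port].append(f)
    return dict(groups)


def insecure_services(flows):
    """Use case 2: count of flows per insecure service, grouped by port/application."""
    return dict(Counter(INSECURE_PORTS[f.dst_port] for f in flows if f.dst_port in INSECURE_PORTS))


def dmz_violations(flows):
    """Use case 3: inbound DMZ traffic not aimed at a published service, and outbound
    DMZ traffic to internal destinations that are not on the allowed list."""
    findings = []
    for f in flows:
        src_in_dmz = ipaddress.ip_address(f.src) in DMZ
        dst_in_dmz = ipaddress.ip_address(f.dst) in DMZ
        if dst_in_dmz and not src_in_dmz and (f.dst, f.dst_port) not in DMZ_PUBLIC_SERVICES:
            findings.append(("inbound", f))
        elif src_in_dmz and not dst_in_dmz and (f.dst, f.dst_port) not in DMZ_ALLOWED_OUTBOUND:
            findings.append(("outbound", f))
    return findings


if __name__ == "__main__":
    for port, flows in unapproved_by_port(FLOWS).items():
        print(f"unapproved dst port {port}: {len(flows)} flow(s)")
    print("insecure services:", insecure_services(FLOWS))
    for direction, f in dmz_violations(FLOWS):
        print(f"DMZ {direction} violation: {f.src} -> {f.dst}:{f.dst_port}")
```

Grouping by destination port (rather than listing each flow) is what makes use case 1 reviewable against the change record: each port either has an approved change behind it or it does not. The DMZ rule deliberately checks both directions, because a DMZ host that can reach the cardholder database directly defeats the segmentation that requirements 1.3.1 and 1.3.2 are meant to establish.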
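Several rows of the table (8 default accounts, 11 terminated users, 12 dormant accounts after 60 days, 14 brute force, 15 shared accounts) are all rules over the same authentication event stream, so one added example covers them together. This is not code from the spreadsheet; the event format, the account lists, the five-failure threshold and the five- and ten-minute windows are constructed assumptions, and the 60-day figure is the one the table states.

```python
"""Added example (not from the original spreadsheet): authentication-centred
use cases 8, 11, 12, 14 and 15 over a constructed stream of auth events.
Event format, account lists, thresholds and windows are assumptions."""
from datetime import datetime, timedelta
from typing import NamedTuple


class AuthEvent(NamedTuple):
    ts: datetime
    user: str
    src_ip: str
    success: bool


NOW = datetime(2024, 1, 15, 12, 0, 0)           # constructed "current time" for the dormant check
DEFAULT_ACCOUNTS = {"admin", "sa", "root"}        # assumption: vendor default account names
TERMINATED_USERS = {"jdoe"}                        # assumption: HR-provided leaver list
KNOWN_USERS = {"alice", "bob", "carol", "dave"}    # assumption: accounts that should be active
BRUTE_FORCE_THRESHOLD = 5                          # assumption: failures needed inside the window
BRUTE_FORCE_WINDOW = timedelta(minutes=5)          # assumption
SHARED_ACCOUNT_WINDOW = timedelta(minutes=10)      # assumption
DORMANT_AFTER = timedelta(days=60)                 # the 60 days stated in use case 12


def _ev(offset_min, user, ip, success=True):
    return AuthEvent(NOW + timedelta(minutes=offset_min), user, ip, success)


# Constructed sample events (minutes relative to NOW, negative = earlier)
EVENTS = [
    _ev(-180, "alice", "10.0.0.5"),
    _ev(-178, "alice", "10.0.0.99"),             # same account from a second address 2 min later
    _ev(-90, "bob", "10.0.0.7", success=False),
    _ev(-89, "bob", "10.0.0.7", success=False),
    _ev(-88, "bob", "10.0.0.7", success=False),
    _ev(-87, "bob", "10.0.0.7", success=False),
    _ev(-86, "bob", "10.0.0.7", success=False),  # fifth failure inside 5 minutes
    _ev(-85, "bob", "10.0.0.7"),
    _ev(-60, "jdoe", "10.0.0.31"),                # account on the leaver list still authenticating
    _ev(-30, "sa", "10.0.0.20"),                  # vendor default account in use
    _ev(-100 * 24 * 60, "carol", "10.0.0.40"),    # last seen 100 days ago
]


def default_account_logins(events):
    """Use case 8: any authentication event for an account on the default-account list."""
    return [e for e in events if e.user in DEFAULT_ACCOUNTS]


def terminated_user_activity(events):
    """Use case 11: any authentication event (success or failure) for a terminated user."""
    return {e.user for e in events if e.user in TERMINATED_USERS}


def dormant_accounts(events, known_users=KNOWN_USERS, now=NOW):
    """Use case 12: known accounts with no authentication event in the last 60 days.
    Accounts with no events at all are dormant too, which a pure event search would miss."""
    last_seen = {}
    for e in events:
        if e.user in known_users:
            last_seen[e.user] = max(last_seen.get(e.user, e.ts), e.ts)
    return {u for u in known_users if u not in last_seen or now - last_seen[u] > DORMANT_AFTER}


def brute_force(events):
    """Use case 14: THRESHOLD or more failed logins for one user inside a sliding window."""
    failures = {}
    for e in sorted(events):
        if not e.success:
            failures.setdefault(e.user, []).append(e.ts)
    flagged = set()
    for user, stamps in failures.items():
        for i in range(len(stamps) - BRUTE_FORCE_THRESHOLD + 1):
            if stamps[i + BRUTE_FORCE_THRESHOLD - 1] - stamps[i] <= BRUTE_FORCE_WINDOW:
                flagged.add(user)
                break
    return flagged


def shared_accounts(events):
    """Use case 15: one username successfully authenticated from two or more source
    addresses inside the window."""
    by_user = {}
    for e in sorted(events):
        if e.success:
            by_user.setdefault(e.user, []).append(e)
    flagged = set()
    for user, evs in by_user.items():
        for i, first in enumerate(evs):
            ips = {first.src_ip}
            for later in evs[i + 1:]:
                if later.ts - first.ts > SHARED_ACCOUNT_WINDOW:
                    break
                ips.add(later.src_ip)
            if len(ips) >= 2:
                flagged.add(user)
                break
    return flagged


if __name__ == "__main__":
    print("default accounts used:", [e.user for e in default_account_logins(EVENTS)])
    print("terminated users active:", terminated_user_activity(EVENTS))
    print("dormant accounts:", dormant_accounts(EVENTS))
    print("brute force:", brute_force(EVENTS))
    print("shared accounts:", shared_accounts(EVENTS))
```

The windows are sliding rather than fixed clock buckets, so five failures that straddle a minute or hour boundary are still counted together; a fixed-bucket rule would miss them. The dormant check starts from the account list rather than from the events, because an account that never authenticates produces nothing to search for yet is exactly what requirement 8.1.4 wants removed.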
