dendin
Level 7
Message 1 of 8

siem event log pci compliance

Hi,

I'm a new SIEM user. I have a question, please.

We have ESM 9.4.0 and I need to generate an administrator activity report for PCI 10.2.2 compliance. Can someone please point me in the right direction?

Thank you for your attention.

Regards,

Terry

7 Replies

Re: siem event log pci compliance

might be better to post in

exbrit
Level 21
Message 3 of 8

Re: siem event log pci compliance

Moved to SIEM - Moderator

ddd671
Level 9
Message 4 of 8

Re: siem event log pci compliance

I'm not sure this is the answer as we are not required to follow PCI in my business, but there are a number of pre-built queries in the compliance section.  One of them may suit.  You can view them by selecting the view:

compliance-PCI-<pick-em>

dendin
Level 7
Message 5 of 8

Re: siem event log pci compliance

Hi,

Thank you for the response.

Here is what I did to get the PCI data in CSV format:

System Properties -> Reports

Add a new report with the following criteria:

    5. Choose a predefined query to include with this report
           PCI – Administrator Actions (Win)

    6. (Optional)
           Devices: PCI Servers

This will provide the Windows server administrator activities at the “top level”. It means you don’t actually get details of what action the administrator took. For example, one of the entries on the report indicated:

Special privileges assigned to new logon.

This is not telling me what privilege was assigned to whom. I checked many other predefined queries and none of them provide details or anywhere I can drill down to get additional information.

Any ideas?

Thanks,

Terry

McAfee Employee
Message 6 of 8

Re: siem event log pci compliance

The original event may not have that information included and may only contain the line "Special privileges assigned to new logon".

I don't see the Report Layout that you had mentioned, but are you able to find the original event in the dashboard? If you do find that event, you can click on the menu > Event Drilldown > Events

If you can find it there and view the list of events, you would be able to see all of the fields that are populated. It may be that a different field has the information you're looking for, or the other scenario might be that the only information you're getting is "Special privileges assigned to new logon".

If you do see that information in a separate field, we should be able to create a report around that.

ddd671
Level 9
Message 7 of 8

Re: siem event log pci compliance

Ahh...I think I understand.  I had a similar problem when setting up reporting for FISMA compliance.  I could see the event "A user was added to a security group" but not what user or what group. I came to the conclusion that the data I wanted wasn't parsed from the source log, and therefore the SIEM couldn't report on it.  In our business we ended up running this report from Microsoft SCOM and not the SIEM.

-Dave
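The two messages in this thread that the predefined reports flatten, Terry's "Special privileges assigned to new logon" and Dave's "A user was added to a security group", are Windows Security events 4672 and 4728/4732/4756, and the raw events do carry the detail (the privilege list, the acting account, the member and the group) in their EventData fields. The following Python is an added example, not code from the thread or from McAfee ESM. It assumes you can get the original events out as XML (for instance from `wevtutil qe Security /f:xml` on the server, or from a SIEM drilldown that exposes the raw event), parses those fields and emits the "who did what to whom" CSV that the canned PCI query does not. The sample events are constructed for the example; the well-known SIDs filtered out of the 4672 rows are SYSTEM, LOCAL SERVICE and NETWORK SERVICE, which otherwise swamp any admin-activity report.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Namespace used by every Windows Security-log XML export.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Event IDs behind the two messages discussed in the thread:
# 4672 = "Special privileges assigned to new logon";
# 4728/4732/4756 = member added to a security-enabled global/local/universal group.
PRIVILEGED_LOGON = 4672
GROUP_MEMBER_ADDED = {4728: "global", 4732: "local", 4756: "universal"}

# Well-known SIDs that raise a 4672 on every service start: noise for a human-admin report.
BUILTIN_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}  # SYSTEM, LOCAL SERVICE, NETWORK SERVICE

# Constructed sample export (not real log data). wevtutil emits bare <Event> elements,
# so they are wrapped in a root <Events> element before parsing.
SAMPLE_EVENTS = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4672</EventID><TimeCreated SystemTime="2015-03-02T14:05:11.123Z"/>
    <Computer>PCISRV01.example.local</Computer></System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1111-2222-3333-1105</Data>
    <Data Name="SubjectUserName">tadmin</Data><Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="SubjectLogonId">0x3e7a1</Data>
    <Data Name="PrivilegeList">SeSecurityPrivilege
            SeBackupPrivilege
            SeRestorePrivilege
            SeDebugPrivilege</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4672</EventID><TimeCreated SystemTime="2015-03-02T14:06:02.000Z"/>
    <Computer>PCISRV01.example.local</Computer></System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">SYSTEM</Data><Data Name="SubjectDomainName">NT AUTHORITY</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege SeTcbPrivilege</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4728</EventID><TimeCreated SystemTime="2015-03-02T14:09:40.000Z"/>
    <Computer>DC01.example.local</Computer></System>
  <EventData>
    <Data Name="MemberName">CN=Jane Doe,OU=Staff,DC=example,DC=local</Data>
    <Data Name="MemberSid">S-1-5-21-1111-2222-3333-1200</Data>
    <Data Name="TargetUserName">Domain Admins</Data><Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="TargetSid">S-1-5-21-1111-2222-3333-512</Data>
    <Data Name="SubjectUserSid">S-1-5-21-1111-2222-3333-1105</Data>
    <Data Name="SubjectUserName">tadmin</Data><Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="SubjectLogonId">0x3e7a1</Data><Data Name="PrivilegeList">-</Data>
  </EventData>
</Event>
</Events>
"""


def parse_events(xml_text):
    """Turn an <Events> export into dicts with the EventData fields keyed by their Name."""
    events = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        system = ev.find("e:System", NS)
        data = {d.get("Name"): (d.text or "").strip()
                for d in ev.findall("e:EventData/e:Data", NS)}
        events.append({
            "event_id": int(system.find("e:EventID", NS).text),
            "time": system.find("e:TimeCreated", NS).get("SystemTime"),
            "computer": system.find("e:Computer", NS).text,
            "data": data,
        })
    return events


def admin_action_rows(events):
    """Build 'who did what to whom' rows from parsed 4672 and 4728/4732/4756 events."""
    rows = []
    for ev in events:
        d = ev["data"]
        actor = f"{d.get('SubjectDomainName', '')}\\{d.get('SubjectUserName', '')}"
        row = {"time": ev["time"], "computer": ev["computer"], "actor": actor}
        if ev["event_id"] == PRIVILEGED_LOGON:
            # Drop service and machine accounts; they are not administrator activity.
            if d.get("SubjectUserSid") in BUILTIN_SIDS or d.get("SubjectUserName", "").endswith("$"):
                continue
            privileges = d.get("PrivilegeList", "").split()  # raw field is a multi-line list
            row.update(action="privileged logon", target=d.get("SubjectLogonId", ""),
                       detail=", ".join(privileges))
        elif ev["event_id"] in GROUP_MEMBER_ADDED:
            scope = GROUP_MEMBER_ADDED[ev["event_id"]]
            row.update(action=f"added member to {scope} security group",
                       target=d.get("MemberName", ""),
                       detail=f"{d.get('TargetDomainName', '')}\\{d.get('TargetUserName', '')}")
        else:
            continue
        rows.append(row)
    return rows


FIELDS = ["time", "computer", "actor", "action", "target", "detail"]


def to_csv(rows):
    """Render the rows as CSV text (the output format asked for in the thread)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(admin_action_rows(parse_events(SAMPLE_EVENTS))))
```

On the sample data this yields one row for tadmin's privileged logon listing SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege and SeDebugPrivilege, and one row for tadmin adding Jane Doe to EXAMPLE\Domain Admins; the SYSTEM logon is filtered out. If the SIEM parser does populate a separate field for PrivilegeList or MemberName, the same mapping can be built inside ESM instead, which is what the McAfee reply above suggests checking first.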

stew
Level 7
Message 8 of 8

Re: siem event log pci compliance

In order to report on "All Actions Taken by an Admin" you first need to identify what that looks like in your source systems.  I would think that some customization needs to be done to get this information in a meaningful way.

-Stewart