Re: What happens when a user is found that is not ...

jdunlea_splunk · ‎05-28-2014

In relation to Splunk for PCI Compliance, what happens when Splunk finds a user in the events which is not listed in identities.csv? Is this user auto-categorized as "unknown user" or something similar?

jcoates_splunk · ‎05-28-2014

that depends on context, since it's all search time. This might help:
http://docs.splunk.com/Documentation/PCI/latest/User/AssetandIdentityCorrelation
http://docs.splunk.com/Documentation/PCI/latest/User/IdentityManagement
http://docs.splunk.com/Documentation/PCI/latest/Install/Identities

jcoates_splunk · ‎05-29-2014

I'd definitely agree on the first part, the second part I'm not positive about. It's worth checking, and certainly worth a custom correlation search (something like | authentication user="*" user_bunit!="*")

jdunlea_splunk · ‎05-29-2014

I see what you mean. But as a basic rule, is it fair to say that any user which is "allowed" access to the PCI network, should be listed as such in the identities.csv? Any user which is found in the events that is NOT in this identities.csv file will be treated accordingly dependending on the DSS requirement and PCI report that the unidentified user was found in. Is that right?

What happens when a user is found that is not in identities.csv?

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)