Splunk for PCI Compliance App not creating notable event

marcoscala
Builder

Hi!
I'm implementing the Splunk App for PCI Compliance and I have a problem with notable events not being created for excessive failed logins on a custom sourcetype with a custom "app=sam".

The corresponding search (Access - Excessive Failed Logins - Rule) correctly recognizes the events, and the events are also placed in the "access_summary" index ("index=access_summary app=sam count>50" returns my excessive failed logins). But no notable event has been created in "index=notable" ("index=notable app=sam" doesn't return any event).

The original events produce the requested fields: host, action, app, src, src_user, dest, user.

Any ideas?

Thanks,
Marco Scala


israelgutierrez
Path Finder

Hello. What we found was that the search was in real time and limits.conf has a limit on the number of searches, so the new real-time search was outside that limit. The PCI app has several real-time searches, so it is very easy to reach the limit in limits.conf. When we modified that limit everything was fine; at least that solved our problem.

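As an added example (not from this thread or the PCI app itself), this is a limits.conf fragment raising the concurrent-search ceilings that the app's real-time correlation searches count against; the values are illustrative and assume the instance has CPU headroom, and the comment at the top gives a diagnostic search to confirm the rule is really being skipped before changing anything.

```ini
# $SPLUNK_HOME/etc/system/local/limits.conf  (added example; values are illustrative)
#
# Splunk computes the historical search ceiling as
#   max_searches_per_cpu * <number of CPUs> + base_max_searches
# and the real-time ceiling as max_rt_search_multiplier times that number.
# Every always-on real-time correlation search permanently occupies one slot,
# so a new rule can be refused without any error in the rule itself.
#
# Check first whether the rule is being skipped and why (scheduler log):
#   index=_internal sourcetype=scheduler status=skipped
#       savedsearch_name="Access - Excessive Failed Logins - Rule"
#   | stats count by reason
#
# Splunk .conf files only honour comments on their own lines, so keep
# explanations above the setting rather than after the value.

[search]
# default 1: each additional CPU adds this many concurrent historical searches
max_searches_per_cpu = 1
# default 6: raised so a handful of extra scheduled rules still fit
base_max_searches = 10
# default 1: 2 doubles the number of concurrent real-time searches allowed
max_rt_search_multiplier = 2
```

Restart splunkd after the change, then re-run the diagnostic search over the next scheduling window to confirm the skips stop.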

matthieu_araman
Communicator

Hello,

I don't know about the PCI app, but if it's like ES, I think you should verify that your logs are tagged following CIM (not just the fields), then wait a bit (like 30 minutes) until the PCI app finds them and is able to generate events, and retest?


marcoscala
Builder

Thanks Matthieu,
I also implemented ES and it was fine. I'm not working on that project any more, but I remember that the logs were tagged following CIM; otherwise the correlation rule doesn't recognize them or apply.

Marco


msmapper
Path Finder

Has anyone found an answer to this question? I am running into the same issue. The data appears to be there if I look at the events returned in Verbose mode but in the table view or in Smart mode, the results are zero.


israelgutierrez
Path Finder

Have you resolved this?

Sadly, I see very little activity on PCI Compliance App questions.
