All Apps and Add-ons

What happens when a user is found that is not in identities.csv?

jdunlea_splunk
Splunk Employee
Splunk Employee

In relation to Splunk for PCI Compliance, what happens when Splunk finds a user in the events which is not listed in identities.csv? Is this user auto-categorized as "unknown user" or something similar?

0 Karma

jcoates_splunk
Splunk Employee
Splunk Employee

I'd definitely agree on the first part, the second part I'm not positive about. It's worth checking, and certainly worth a custom correlation search (something like | authentication user="*" user_bunit!="*")

0 Karma

jdunlea_splunk
Splunk Employee
Splunk Employee

I see what you mean. But as a basic rule, is it fair to say that any user which is "allowed" access to the PCI network, should be listed as such in the identities.csv? Any user which is found in the events that is NOT in this identities.csv file will be treated accordingly dependending on the DSS requirement and PCI report that the unidentified user was found in. Is that right?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...