Axon PCI DSS Compliance User Guide

The following documented support for the PCI DSS content bundle uses the mapping and controls for PCI DSS version 4.0. Additional support and updates to content will be made while the bundle is available.

Overview

Support for PCI DSS compliance in Axon includes a combination of searches, lists, dashboards, and reports that allow users to monitor defined activities, produce reports, and provide evidence to assessors and auditors as needed. The basis for data gathering in Axon is saved searches. Saved searches allow a user to filter and surface specific activities that need to be monitored in dashboards or reported to management and assessors. This data is further refined through framework-specific LogRhythm System Lists. These lists are specific to customer environments and must be updated to include the systems and users that are in scope for the given compliance mandate. Dashboards allow analysts and/or management to monitor compliance-focused activity on a recurring basis, looking for anomalous behavior, system health, and environmental trends. Reports are PDF-formatted exports of search data that customers can schedule. Reports can be used by management and assessors to review activity, provide a population of data for testing, and provide evidence of management reviews as necessary. Where data would be best provided in spreadsheet format, CSV exports can be run directly from the Search page.

Getting Started

Update Compliance System Lists

System lists are published without any list items so that you can populate them with values that apply to your organization. Many of the searches included in this bundle are configured to use compliance-focused system lists to define the scope of your PCI environment and surface that data within dashboards and reports. For scoping guidance, refer to Guidance for PCI DSS Scoping and Network Segmentation in the PCI DSS document library.

Follow the Edit Lists workflow to populate the compliance system lists with values. List data should be reviewed and updated annually at a minimum.

Validate Dashboard Output and Search Data

Once system lists have been updated with appropriate users and log sources, data should be populated within the dashboard widgets and underlying searches. It is recommended to review dashboards and all related searches to ensure data is being returned as expected. Customers should refer to the “Tuning Guidance” section within the searches and dashboards tables when modifying search and widget parameters. If logs are not being surfaced by searches due to an unexpected common event assignment, custom log source policies can be built in the Policy Builder. If the log source policy is LogRhythm created, use the Resource Center to submit a parsing request for updates to existing log sources.

Schedule Reports

Now that searches and dashboards have been validated, reports can be scheduled from the saved searches. It is recommended that all searches within this bundle be scheduled to run on a recurring basis, but they can also be run ad hoc if desired. Review the Recommended Scheduling column in the Reports table below during setup and customize as needed.
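The three Getting Started steps depend on one another: a search whose required list is still empty returns nothing useful, an "Optional" search without a populated list runs over all log data, and a list that has not been reviewed in over a year should be refreshed before reports are scheduled. The following script is an added example, not LogRhythm code and not an Axon API call. It encodes the search-to-list dependencies from the Searches and LogRhythm System Lists tables in this guide and checks them against a snapshot of list contents; the snapshot, its hostnames, and the review dates are constructed placeholders (in practice you would export them from the Lists page).

```python
"""Readiness check for the Axon PCI DSS content bundle's system lists.

Added example: not LogRhythm code and not an Axon API. It encodes the
search -> list dependencies from this guide's Searches and LogRhythm System
Lists tables and checks them against a snapshot of list contents.
"""
from dataclasses import dataclass
from datetime import date

# Search name -> (lists the search filters on, list requirement from the guide).
# "Yes": the search is filtered by the list; "Optional": it runs unfiltered
# without one; "No": no list is used. Common Event Health is linked to three lists.
SEARCH_LIST_REQUIREMENTS = {
    "PCI - Anti-Malware Audit Activity": (("PCI - Network Security Systems",), "Yes"),
    "PCI - Authentication Failures": (("PCI - Cardholder Data Systems",), "Yes"),
    "PCI - Axon Audit Logs": ((), "No"),
    "PCI - Cardholder Data Environment Access": (("PCI - Cardholder Data Systems",), "Yes"),
    "PCI - Cardholder Data Environment Activity": (("PCI - Cardholder Data Systems",), "Yes"),
    "PCI - Common Event Health": (("PCI - Cardholder Data Systems",
                                   "PCI - Physical Security Systems",
                                   "PCI - Network Security Systems"), "Optional"),
    "PCI - Elevated Privileges": ((), "Optional"),
    "PCI - Firewall Activity": (("PCI - Network Security Systems",), "Yes"),
    "PCI - Firewall Configuration Changes": (("PCI - Network Security Systems",), "Yes"),
    "PCI - Malware Activity": ((), "Optional"),
    "PCI - Network Security Controls Access": (("PCI - Network Security Systems",), "Yes"),
    "PCI - New Accounts": ((), "Optional"),
    "PCI - Physical Security Activity": (("PCI - Physical Security Systems",), "Yes"),
    "PCI - Privileged Account Activity": (("PCI - Privileged Users",), "Yes"),
    "PCI - Privileged Account Modification": (("PCI - Privileged Users",), "Yes"),
    "PCI - Security Controls Monitoring": ((), "Optional"),
    "PCI - Shared Account Activity": (("PCI - Shared Accounts",), "Yes"),
    "PCI - System and Service Account Activity": (("PCI - System & Service Accounts",), "Yes"),
    "PCI - System-Level Object Activity": ((), "Optional"),
    "PCI - Third-Party Activity": (("PCI - Third-Party Users",), "Yes"),
}


@dataclass(frozen=True)
class SystemList:
    """Snapshot of one compliance system list: its items and last review date."""
    name: str
    items: frozenset
    last_reviewed: date


def check_search_readiness(lists, today, max_review_age_days=365):
    """Return {search: (status, affected_lists)} for every search in the bundle.

    status is one of:
      "blocked"     a required ("Yes") list is missing or empty; the search returns nothing useful
      "unfiltered"  an "Optional" search has no populated list and runs over all log data
      "review_due"  every list is populated but one was last reviewed over a year ago
      "ready"       lists are populated and reviewed within the window
    """
    report = {}
    for search, (list_names, requirement) in SEARCH_LIST_REQUIREMENTS.items():
        empty = [n for n in list_names if n not in lists or not lists[n].items]
        stale = [n for n in list_names if n in lists and lists[n].items
                 and (today - lists[n].last_reviewed).days > max_review_age_days]
        if not list_names:
            report[search] = ("unfiltered" if requirement == "Optional" else "ready", [])
        elif empty:
            report[search] = ("blocked" if requirement == "Yes" else "unfiltered", empty)
        elif stale:
            report[search] = ("review_due", stale)
        else:
            report[search] = ("ready", [])
    return report


def summarize(report):
    """Count searches per status, e.g. to gate the Schedule Reports step."""
    counts = {"ready": 0, "blocked": 0, "unfiltered": 0, "review_due": 0}
    for status, _ in report.values():
        counts[status] += 1
    return counts


# Constructed snapshot: hostnames and dates are placeholders, not real data.
TODAY = date(2024, 6, 1)
SAMPLE_LISTS = {lst.name: lst for lst in [
    SystemList("PCI - Cardholder Data Systems", frozenset({"pos-db-01", "pos-app-02"}), date(2024, 3, 15)),
    SystemList("PCI - Network Security Systems", frozenset({"fw-edge-01", "vpn-01"}), date(2023, 2, 1)),
    SystemList("PCI - Privileged Users", frozenset(), date(2024, 3, 15)),
]}

if __name__ == "__main__":
    result = check_search_readiness(SAMPLE_LISTS, TODAY)
    for search, (status, affected) in sorted(result.items()):
        suffix = f"  <- {', '.join(affected)}" if affected else ""
        print(f"{status:<11} {search}{suffix}")
    print(summarize(result))
```

Run against the constructed snapshot, the privileged-account searches come back "blocked" (empty list), the firewall searches "review_due" (list older than a year), and Common Event Health "unfiltered" because one of its three lists has not been populated; only once every search reports "ready" is it worth moving on to scheduling.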

Searches

The table below lists all the searches included in this content bundle, the object types each search supports, its list requirement, and optional tuning guidance.

| Search Name | Purpose of Search | Supporting Object Types | List Required * | Tuning Guidance |
|---|---|---|---|---|
| PCI - Anti-Malware Audit Activity | Data to show that audit log data for the anti-malware solution is captured and retained. | Report | Yes | If the data returned by the search includes more systems than desired, the search criteria can be narrowed to a single log source. |
| PCI - Authentication Failures | Data to verify that all attempted authentication requests to the CDE are captured and retained. | Report | Yes | N/A |
| PCI - Axon Audit Logs | Data to verify that access to all audit logs is captured. | Report, Dashboard | No | N/A |
| PCI - Cardholder Data Environment Access | Data to verify that all individual user access to cardholder data is logged. | Report | Yes | N/A |
| PCI - Cardholder Data Environment Activity | Data to verify that all activities taking place within system components and cardholder data are logged. | Report | Yes | N/A |
| PCI - Common Event Health | Data to help customers ensure that their audit data is complete and accurate. Searches are largely based on common events, so logs without an assigned event could be missing from searches. | Report, Dashboard | Optional | This search can be updated to exclude log sources that are known not to generate a common event or that are not in scope for PCI. |
| PCI - Elevated Privileges | Data to verify that all elevations of privileges are captured and retained. | Report, Dashboard | Optional | This search could be updated to exclude logged systems that are not in scope for PCI, or system and service accounts, by using a custom list. |
| PCI - Firewall Activity | Data to confirm that traffic and behavior match expected activity and to rule out anomalous activity. | Report, Dashboard | Yes | If the data returned by the search includes more systems than desired, the search criteria can be narrowed to a specific log source. |
| PCI - Firewall Configuration Changes | This search surfaces changes to firewall configurations, which can be used as evidence that changes to network security controls follow a documented procedure. | Report, Dashboard | Yes | If the data returned by the search includes more systems than desired, the search filter can be narrowed to a specific log source. |
| PCI - Malware Activity | Data related to potential malware, to evidence the effectiveness of anti-malware solutions. | Report, Dashboard | Optional | N/A |
| PCI - Network Security Controls Access | Data to confirm that systems or files containing network security controls and configurations are protected from unauthorized access. | Report, Dashboard | Yes | If the data returned by the search includes more systems than desired, the search filter can be narrowed to a specific log source. |
| PCI - New Accounts | Data to verify that all newly created accounts are captured and retained. | Report | Optional | N/A |
| PCI - Physical Security Activity | Data to verify that physical security logs are captured and retained. | Report, Dashboard | Yes | N/A |
| PCI - Privileged Account Activity | Data to verify that all privileged account activities are logged within system components, cardholder data, and systems in relation to PCI. | Report, Dashboard | Yes | The list ‘PCI - Privileged Users’ should be reviewed frequently to ensure all privileged account activity is captured by these searches. |
| PCI - Privileged Account Modification | Data to verify that all privileged account modifications are captured and retained. | Report | Yes | The list ‘PCI - Privileged Users’ should be reviewed frequently to ensure all privileged account activity is captured by these searches. |
| PCI - Security Controls Monitoring | Data to verify that security monitoring (intrusion detection and prevention techniques) and alerts are in place. | Report, Dashboard | Optional | If a subset of LogRhythm Threat Detection analytics is being used, a custom list could be used to exclude the other analytics. For tuning guidance related to analytics rules, refer to the MITRE ATT&CK Module. |
| PCI - Shared Account Activity | Data to show shared account authentication activity, to demonstrate to management/auditors that use of shared accounts is limited. | Report, Dashboard | Yes | The list ‘PCI - Shared Accounts’ should be reviewed frequently to ensure all privileged account activity is captured by these searches. |
| PCI - System and Service Account Activity | Data to verify that system and service account activity is logged and aligns with the principle of least privilege. | Report, Dashboard | Yes | The list ‘PCI - System and Service Accounts’ should be reviewed frequently to ensure all privileged account activity is captured by these searches. |
| PCI - System-Level Object Activity | Data to demonstrate that all system-level object creation and deletion is captured. | Report, Dashboard | Optional | This search could be updated to focus on specific systems and/or file locations by using a custom list. If a FIM solution is in place to monitor this activity, it is highly recommended that this search be updated either to use that log source specifically or to be tuned for the events it generates. |
| PCI - Third-Party Activity | Data to show all third-party access and activity during a period of time. | Report, Dashboard | Yes | The list ‘PCI - Third-Party Users’ should be reviewed frequently to ensure all privileged account activity is captured by these searches. |

* Searches can be modified to remove the list requirement, especially if all logged users and systems are in scope for a given framework. Note that the searches are based on common event activity and, without list filtering, could become noisy and/or include more data than is necessary.

LogRhythm System Lists

The table below lists all the system lists used by this content bundle. For each list it gives the purpose, the searches that use the list, and examples of the systems and users that should be included.

| List Name | Purpose of List | Examples | Linked Searches |
|---|---|---|---|
| PCI - Cardholder Data Systems | This list should be populated with the systems that contain cardholder data in your environment. | Any systems containing cardholder data, including databases. | PCI - Authentication Failures; PCI - Cardholder Data Environment Access; PCI - Cardholder Data Environment Activity; PCI - Common Event Health |
| PCI - Physical Security Systems | This list should be populated with physical security systems (badge/card readers and door access). | Any system used to authenticate access to physical locations. | PCI - Physical Security Activity; PCI - Common Event Health |
| PCI - Network Security Systems | This list should be populated with production network security systems. | Firewalls, intrusion detection/prevention, malware detection/prevention, network access control, remote access, virtual private network, and vulnerability scanning. | PCI - Firewall Configuration Changes; PCI - Firewall Activity; PCI - Anti-Malware Audit Activity; PCI - Network Security Controls Access; PCI - Common Event Health |
| PCI - Privileged Users | This list should be populated with all privileged accounts and updated based on periodic reviews. | Any user with privileged access to production systems. | PCI - Privileged Account Activity; PCI - Privileged Account Modification |
| PCI - Third-Party Users | This list should be populated with contractors, vendors, and other third-party members. | Any users that are considered contractors, vendors, or third parties to your organization. | PCI - Third-Party Activity |
| PCI - Shared Accounts | This list should be populated with any user accounts that have been identified as shared accounts. | Any account that multiple people have access to should be listed. | PCI - Shared Account Activity |
| PCI - System & Service Accounts | This list should be populated with default, service, and automation accounts. | Any accounts that are default to a system, service accounts, or automation accounts. | PCI - System and Service Account Activity |

Reports

The below table contains all the recommended Reports for this content bundle.

Customers must enable reporting in the Saved Search for these reports to be produced on a recurring basis.

| Search Name | PCI-DSS Controls | Use of Report | Recommended Audience | Recommended Scheduling * |
|---|---|---|---|---|
| PCI - Anti-Malware Audit Activity | 5.3.4, 10.2.2 | This report will contain log data from the anti-malware solution, which can be reviewed by management or provided to auditors as evidence of captured and retained log data. | Management & Auditors | Quarterly |
| PCI - Cardholder Data Environment Activity | 10.2.1, 10.2.2 | This report will capture data to verify that all activities taking place within system components and cardholder data are logged; it can be reviewed by management or provided to auditors as evidence of CDE log activity. | Management & Auditors | Quarterly |
| PCI - Cardholder Data Environment Access | 8.2.1, 10.2.1.1, 10.2.2 | This report will contain data to verify that all individual user access to cardholder data is logged. The report can be used by management for periodic reviews or provided to auditors as evidence of all access to the CDE. | Management & Auditors | Quarterly |
| PCI - Elevated Privileges | 10.2.1.5, 10.2.2 | This report will contain data to verify that all elevations of privileges are captured and retained. It can be used by analysts for reviewing and investigating anomalous usage of elevated privileges, by management for periodic reviews, and by auditors as proof of evidence and retention. | Management, Analysts, & Auditors | Quarterly |
| PCI - Authentication Failures | 10.2.1.4, 10.2.2 | This report will contain data to verify that all invalid authentication attempts are captured and retained. It can be used by analysts for reviewing and investigating anomalous authentication activity, by management for periodic reviews, and by auditors as evidence of logging and retention. | Management, Analysts, & Auditors | Quarterly |
| PCI - Firewall Activity | 1.2.5, 10.2.2 | This report will contain data to confirm that traffic and behavior match expected activity. It can be used by analysts for monitoring activity that is not approved, by management for periodic reviews, and by auditors as proof of logging and that the data aligns with system configurations. | Management, Analysts, & Auditors | Quarterly |
| PCI - Firewall Configuration Changes | 1.2.2, 10.2.2 | This report will contain changes to firewall configurations. It can be used by analysts for reviewing and investigating unusual configuration change activity, by management for periodic reviews, and by auditors as evidence that changes follow documented procedures and/or as a population of changes to verify via testing. | Management, Analysts, & Auditors | Quarterly |
| PCI - Common Event Health | 10.2.1.6, 10.2.2 | This report will contain data to help customers ensure that their audit data is complete and accurate. Searches are largely based on common events, so logs without an assigned event could be missing from searches. The report can be used by management for periodic reviews and by auditors to help support that report data is complete and accurate. | Management & Auditors | Monthly |
| PCI - Axon Audit Logs | 10.2.1.3, 10.2.2, 10.3.1 | This report will contain data to verify that access to all audit logs is captured. It can be used by management for periodic reviews of activity in the Axon environment and by auditors as proof of evidence and retention of audit log data. | Management & Auditors | Quarterly |
| PCI - Malware Activity | 5.2.2, 5.3.2, 10.2.2 | This report will contain data related to potential malware, to evidence the effectiveness of anti-malware solutions. It can be used by analysts for monitoring malware activity, by management for periodic reviews of malware activity and mitigation, and by auditors as evidence of logging. | Management, Analysts, & Auditors | Quarterly |
| PCI - Network Security Controls Access | 1.2.8, 10.2.2 | This report will contain data to confirm that network security files are protected from unauthorized access. It can be used by analysts for reviewing and investigating anomalous access to network security control environments and configuration files, by management for periodic reviews, and by auditors as evidence of logging. | Management, Analysts, & Auditors | Quarterly |
| PCI - New Accounts | 10.2.1.5, 10.2.2 | This report will contain data to verify that all newly created accounts are captured and retained. It can be used by management for periodic reviews and by auditors as proof of logging of new users. | Management & Auditors | Quarterly |
| PCI - Physical Security Activity | 9.2.1.1, 9.4.1.2, 10.2.2 | This report will contain data to verify that physical security logs are captured and retained. It can be used by analysts for reviewing physical access to sensitive areas within a Cardholder Data Environment, by management for periodic reviews, and by auditors as evidence of logging. | Management, Analysts, & Auditors | Monthly |
| PCI - Privileged Account Activity | 10.2.1.2, 10.2.2 | This report will contain data to verify that all privileged account activities are logged within system components, cardholder data, and systems in relation to PCI. It can be used by analysts for reviewing and investigating anomalous privileged activity, by management for periodic reviews, and by auditors as evidence of logging or to verify via testing. | Management, Analysts, & Auditors | Monthly |
| PCI - Privileged Account Modification | 10.2.1.5, 10.2.2 | This report will contain data to verify all privileged account modifications. It can be used by management for periodic reviews and by auditors as proof of logging. | Management & Auditors | Quarterly |
| PCI - Security Controls Monitoring | 10.2.2, 10.7.2, 11.5.1 | This report will contain data to verify that security monitoring (intrusion detection and prevention techniques) and alerts are in place. It can be used by analysts for reviewing and investigating anomalous usage of elevated privileges, by management for periodic reviews, and by auditors as evidence of logging or to verify via testing. | Management, Analysts, & Auditors | Quarterly |
| PCI - Shared Account Activity | 8.2.2, 10.2.2 | This report will contain data to show shared account activity, to demonstrate to management/auditors that use of shared accounts is limited. It can be used by analysts for reviewing and investigating anomalous usage of shared account privileges, by management for periodic reviews, and by auditors to demonstrate limited usage. | Management, Analysts, & Auditors | Quarterly |
| PCI - System and Service Account Activity | 7.2.5, 10.2.2 | This report will contain data to verify that system and service account activity is logged and aligns with the principle of least privilege. It can be used by analysts for reviewing activity that is anomalous for the related system and service account privileges, by management for periodic reviews, and by auditors as evidence that accounts are limited to their privileges. | Management, Analysts, & Auditors | Quarterly |
| PCI - System-Level Object Activity | 10.2.1.7, 10.2.2, 11.5.2 | This report will contain data to demonstrate that all system-level object creation and deletion is captured. It can be used by analysts for reviewing creation, deletion, and modification; unexpected changes to these files can compromise system security. It can also be used by management for periodic reviews and by auditors as evidence that no files were changed. | Management, Analysts, & Auditors | Quarterly |
| PCI - Third-Party Activity | 8.2.7, 10.2.2 | This report will contain data to show all third-party access and activity during a period of time. It can be used by analysts for reviewing and investigating anomalous third-party activity, by management for periodic reviews, and by auditors as evidence of captured third-party activity. | Management, Analysts, & Auditors | Quarterly |

* PCI DSS does not prescribe a specific review period for most controls. The frequency of periodic reviews should be determined by the entity as appropriate for the size and complexity of their environment. As such, these are recommendations based on an average review schedule.

Dashboards

The two dashboards contained in this bundle are targeted at different users of the Axon platform. The PCI DSS - Analyst dashboard is intended for power users of the Axon platform performing active monitoring, and surfaces the data they might need during the course of their work. The PCI DSS - Management dashboard is intended for users who might not be in Axon on a day-to-day basis but need an understanding of platform health and the activities being performed on the platform. Widgets and the underlying searches from either dashboard can be incorporated and used by any Axon user to fit their needs. The default time period for the management dashboard is the last 7 days' worth of log data; for the analyst dashboard it is the last 24 hours. It is recommended that analysts and management use the date and time picker to evaluate multiple time periods throughout monitoring.

The below tables contain details of the two dashboards. Each widget and the underlying search are listed with tuning guidance for customers to optimize their dashboard deployment.

PCI DSS - Analyst Dashboard Widgets

| Search Name | PCI-DSS Controls | Use of Widget | Widget Type | Tuning Guidance |
|---|---|---|---|---|
| PCI - Elevated Privileges | 10.2.1.5 | Audit logs for elevations of privileges are required to be captured and maintained. This widget should be monitored for anomalous usage of elevated privileges. | Bar Chart | Widget metrics are set to view origin account name and target host. Adjust the chart primary and sub metric depending on log source parsing and the desired field information. |
| PCI - Firewall Activity | 1.2.5 | Firewall services, protocols, and ports should have a defined and approved business need. Monitor this widget for activity that is not approved. | Tree Map | Widget metrics are set to view Network Protocol Name and target host IP port. Adjust the chart primary and sub metric depending on log source parsing and the desired field information. |
| PCI - Firewall Configuration Changes | 1.2.2 | Firewall configurations should be approved and managed through a change control process. Monitor this widget for unusual configuration change activity. | Trend Chart | The widget metric shows the trend in a linear curved graph to indicate trends in configuration changes to the firewall. If additional detail of activity is needed, change the widget style to bar chart and add metrics. |
| PCI - Malware Activity | 5.3.2 | Anti-malware solutions should periodically scan, detect, block, and remove known malware. Monitor this widget for malware activity. | Donut Chart | Widget metrics are set to view Threat Severity and Policy Name, to indicate the priority of the threat and the policy affected. Adjust the chart primary and sub metric depending on log source parsing and the desired field information. |
| PCI - Network Security Controls Access | 1.2.8 | Monitor this widget for users who should not have access to network control systems or network configuration files, and investigate unfamiliar users. | Bar Chart | Widget metrics are set to view origin account name and target host. Adjust the chart primary and sub metric depending on log source parsing and the desired field information. |
| PCI - Physical Security Activity | 9.2.1.1 | Physical access to sensitive areas within a Cardholder Data Environment is to be monitored. | Bar Chart | The widget metric is set to view origin account name. If the physical security log source contains entry and exit data, adjust the sub metric to include this field information. |
| PCI - Privileged Account Activity | 10.2.1.2 | Privileged account activity is required to be captured and retained. Monitor this widget for anomalous behavior. | Donut Chart | Widget metrics are set to view origin account name and common event. Adjust the chart primary and sub metric depending on log source parsing and the desired field information. |
| PCI - Security Controls Monitoring | 11.5.1 | Monitor this widget for activity that could indicate compromise. Visit LogRhythm Threat Detection Rules for more information on Threat Detection Analytics by LogRhythm. | Bar Chart | Widget metrics are set to view origin account name and target host. Adjust the chart primary and sub metric depending on log source parsing and the desired field information. |
| PCI - Shared Account Activity | 8.2.2 | Shared accounts should only be used when necessary, on an exception basis. This widget should be monitored for anomalous levels of shared account activity. | Trend Chart | The widget metric shows the trend in a linear curved graph to indicate trends in shared account activity. If additional detail of activity is needed, change the widget style to bar chart and add metrics. |
| PCI - System and Service Account Activity | 7.2.5 | System and service accounts should be limited to least privilege. This widget should be monitored for activity that is anomalous for the related system and service account privileges. | Bar Chart | Widget metrics are set to view origin account name and common event. Adjust the chart primary and sub metric depending on log source parsing and the desired field information. |
| PCI - System-Level Object Activity | 10.2.1.7 | Critical files and system-level objects should be monitored for creation, deletion, and modification. Unexpected changes to these files can compromise system security. | Bar Chart | Widget metrics are set to view Target Host Name and common event. Adjust the chart primary and sub metric depending on log source parsing and the desired field information. |
| PCI - Third-Party Activity | 8.2.7 | Third-party activity in PCI environments should be monitored for unexpected activity. | Bar Chart | Widget metrics are set to view origin account name and common event. Adjust the chart primary and sub metric depending on log source parsing and the desired field information. |

Management Dashboard Widgets

| Search Name | PCI-DSS Controls | Use of Widget | Widget Type | Tuning Guidance |
|---|---|---|---|---|
| PCI - Axon Audit Logs | 10.3.1 | Audit logs should capture all access to audit data, and read access to that data should be limited to those with a job-related need. Monitor these widgets for unexpected users and actions taken. | Bar Chart, Donut Chart | The donut chart widget is set to view origin account name and the action command statement, to show which users are taking actions and which actions are being taken. The bar chart widget is set to view action type and the action command statement, to show which types of Axon objects are having actions taken on them. Adjust the chart primary and sub metric for the desired field information within the audit logs. |
| PCI - Common Event Health | 10.2.1.6 | All compliance searches are based on the common event schema. Logs without event assignment could be excluded from widgets and/or reports. Monitor these widgets for logs and log sources without event assignment and correct as needed. | Trend Chart, Bar Chart | The trend chart widget shows the trend in a linear curved graph to indicate trends in logs without common event assignment. The bar chart widget is set to view log source type and log source, to show which types of log sources do not have event assignment and which specific log sources of that type do not have common event assignment. Adjust the chart primary and sub metric for the desired field information. |
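Because every compliance search in this bundle keys off the common event, a log source whose records arrive without an event assignment silently drops out of the evidence. The following script is an added example, not LogRhythm code and not an Axon query. It applies the Common Event Health idea (the search's tuning guidance and the two management widgets above) to a constructed batch of normalized log records: it finds records with no common event, applies an exclusion set of log sources known not to generate one, and summarizes the gaps by log source type and log source (the bar chart view) and per day (the trend chart view). The field names, hostnames, and log source types are constructed placeholders.

```python
"""Common event coverage check for PCI audit data.

Added example: not LogRhythm code and not an Axon query. It checks a batch of
normalized log records for missing common event assignments, the gap that the
PCI - Common Event Health search and management widgets are meant to surface.
"""
from collections import Counter, defaultdict

# Constructed records; field names, hostnames and log source types are placeholders.
SAMPLE_RECORDS = [
    {"ts": "2024-06-01T08:00:00Z", "log_source_type": "Palo Alto PAN-OS", "log_source": "fw-edge-01",   "common_event": "Network Allow"},
    {"ts": "2024-06-01T08:05:00Z", "log_source_type": "Palo Alto PAN-OS", "log_source": "fw-edge-01",   "common_event": ""},
    {"ts": "2024-06-01T09:10:00Z", "log_source_type": "Custom POS App",   "log_source": "pos-app-02",   "common_event": None},
    {"ts": "2024-06-02T01:00:00Z", "log_source_type": "Custom POS App",   "log_source": "pos-app-02",   "common_event": None},
    {"ts": "2024-06-02T02:00:00Z", "log_source_type": "Windows Security", "log_source": "dc-01",        "common_event": "Logon Success"},
    {"ts": "2024-06-02T03:00:00Z", "log_source_type": "Dev Syslog",       "log_source": "build-srv-09", "common_event": None},
]

# Tuning guidance: exclude log sources known not to generate a common event
# or that are out of PCI scope. Constructed value.
EXCLUDED_LOG_SOURCES = frozenset({"build-srv-09"})


def unassigned_records(records, excluded=frozenset()):
    """Records with no common event, ignoring excluded log sources.
    An empty string and None both count as unassigned."""
    return [r for r in records
            if not r.get("common_event") and r["log_source"] not in excluded]


def by_source_type(unassigned):
    """Bar chart view: {log source type: {log source: count}}.
    The top-level key tells you which log source policy to revisit in the
    Policy Builder (or to raise a parsing request for, if LogRhythm-created)."""
    out = defaultdict(Counter)
    for r in unassigned:
        out[r["log_source_type"]][r["log_source"]] += 1
    return {source_type: dict(counts) for source_type, counts in out.items()}


def daily_trend(unassigned):
    """Trend chart view: {YYYY-MM-DD: count of unassigned records}, sorted by day."""
    return dict(sorted(Counter(r["ts"][:10] for r in unassigned).items()))


def coverage(records, excluded=frozenset()):
    """Share of in-scope records that carry a common event (1.0 = full coverage)."""
    in_scope = [r for r in records if r["log_source"] not in excluded]
    if not in_scope:
        return 1.0
    assigned = sum(1 for r in in_scope if r.get("common_event"))
    return assigned / len(in_scope)


if __name__ == "__main__":
    gaps = unassigned_records(SAMPLE_RECORDS, EXCLUDED_LOG_SOURCES)
    print(f"common event coverage: {coverage(SAMPLE_RECORDS, EXCLUDED_LOG_SOURCES):.0%}")
    for source_type, sources in by_source_type(gaps).items():
        for source, n in sources.items():
            print(f"{source_type:<18} {source:<14} {n} record(s) without a common event")
    print(daily_trend(gaps))
```

On the constructed batch the excluded build server is ignored, the firewall and the custom POS application each show records without an event, and coverage comes out at 40%; the per-type grouping is what points you at the log source policy to fix, while the daily trend is what a management reviewer would watch for regressions after a parser or policy change.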

Additional Axon Support

The below sections contain additional product features and functionality that can help customers support their PCI DSS compliance.

Log Integrity, Availability, & Security

Users of Axon do not have the capability to delete log data from the application interface, ensuring the integrity of logs collected. Additionally, LogRhythm issues a SOC 2, Type 2 report for the Axon Platform that includes controls relevant to the Security, Availability, and Confidentiality of customer data. This inability to modify log data and SOC 2 attestation supports PCI DSS controls 10.3.2 and 10.3.3 related to Audit Log integrity, availability, and security. Customers interested in reviewing the Axon SOC 2 attestation can request access to a copy through their account representative.

Log Retention

LogRhythm Axon licensing options allow customers to fit their log retention needs. PCI DSS control 10.4.3 requires that businesses retain audit log history for at least 12 months, with at least three months of data immediately available for analysis. To ensure this PCI requirement is met, customers should confirm their licensing Time-to-Live (TTL) options with their account representative.

Scheduled Reporting to Automate Log Review

LogRhythm’s comprehensive reporting capabilities provide the flexibility of custom and pre-configured reports. The Scheduled Reporting feature allows you to regularly capture data from the Dashboard or from specific searches and deliver a report to selected recipients. Scheduled Reporting supports PCI DSS control 10.4.1.1 by automating the delivery of the reports in this bundle, which provide the normalized and filtered data needed to complete log reviews.

Case Management

The Axon Case Management feature is a collaborative forensic tool for creating cases to track and document suspicious logs that are believed to be related to the same threat. The ability to create, own, and update cases, as well as to collaborate on cases that are created and owned by others, is available to all Axon users by default. Case Management supports PCI DSS control 10.4.3 by facilitating the review process for exceptions and anomalies.
