
PCI DSS 4.0 User Guide – Investigations


Investigations can further assist in gathering vital information about security events, and provide basic information about an environment and the processes and activities within it. PCI DSS 4.0 investigations can be part of a change control process: they identify configuration changes and help you understand the nature of each change so you can determine whether it is appropriate, along with its implications for PCI DSS 4.0 compliance.

Investigations can also be run to leverage defined user lists and examine any suspicious or potentially malicious activities surrounding accounts within the environment. Custom investigations can be configured in addition to those included within this module.

Log Requirements

The CCF: Vulnerability Detail and other investigations related to potential malicious activity cover all log sources in your environment, but specifically require logs from network security systems such as anti-malware systems, security enforcing devices, and vulnerability detection systems. After they are configured correctly, investigations allow IT and security operations not only to deep dive into potential security events, but also to learn more about and continuously improve your overall compliance and cyber security program.

Further, with an emphasis on managing third-party access within your environment, vendor-related investigations are applied against all log sources across the environment that administer access to these accounts. The vendor account investigations look to deep dive into authentication and access activities within the environment to augment related PCI DSS 4.0 control objectives.

Sample Knowledge Base Content

| Investigation Name | Investigation ID |
| --- | --- |
| CCF: Compromises Detected Inv | 690 |
| CCF: Config/Policy Change Inv | 675 |
| CCF: Malware Detected Inv | 677 |
| CCF: Patch Activity Inv | 678 |
| CCF: Signature Activity Inv | 681 |
| CCF: Social Media Inv | 695 |
| CCF: Suspicious Users Inv | 685 |
| CCF: Use of Non-Encrypted Protocols Inv | 686 |
| CCF: Vulnerability Detected Inv | 684 |

Recommended Actions

Investigations are used to pull additional details from log sources related to events of interest. The PCI DSS Detail Investigations can be used to monitor potential malicious activity to assist in reducing the mean time to detection (MTTD) and learn about vulnerabilities or exposure points within the environment. IT Security Operations and Management should look to leverage these investigations as a learning mechanism and a means to gather vulnerability data in order to implement controls to reduce the risk exposure.

On the vendor account side, IT Security Operations and Management should use these investigations to deep dive into vendor account activity within the environment to better understand ‘normal’ third-party activities and identify when these accounts go beyond their scope of operations within your environment. These investigations can also be used in access management to validate access within the environment against periodic reviews of third-party accounts.
