10 – Track and Monitor Access to Cardholder Data
Select > > >> > Reports or Dashboards > .
PCI Requirement 10 focuses on tracking changes to user accounts and groups to detect and prevent data breaches within the cardholder data environment (CDE). Malicious users might create groups or accounts to grant themselves access to sensitive data, then delete their changes to hide their activity.
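The create-then-delete pattern described above, expressed as detection logic over constructed audit events. This is an added example, not part of the ArcSight Compliance Pack; the event field names, sample values, and the 24-hour window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample audit events; field names and values are assumptions.
EVENTS = [
    {"time": "2024-03-01T09:00:00", "action": "account_created", "object": "svc_tmp", "actor": "jdoe", "host": "cde-db01"},
    {"time": "2024-03-01T09:05:00", "action": "group_created", "object": "tmp_admins", "actor": "jdoe", "host": "cde-db01"},
    {"time": "2024-03-01T09:40:00", "action": "group_deleted", "object": "tmp_admins", "actor": "jdoe", "host": "cde-db01"},
    {"time": "2024-03-01T09:45:00", "action": "account_deleted", "object": "svc_tmp", "actor": "jdoe", "host": "cde-db01"},
    {"time": "2024-03-02T08:00:00", "action": "account_created", "object": "asmith", "actor": "hr_admin", "host": "cde-app02"},
    {"time": "2024-03-05T10:00:00", "action": "account_deleted", "object": "old_user", "actor": "hr_admin", "host": "cde-app02"},
    {"time": "2024-03-20T08:00:00", "action": "account_deleted", "object": "asmith", "actor": "hr_admin", "host": "cde-app02"},
]


def short_lived_objects(events, window=timedelta(hours=24)):
    """Find accounts or groups that were created and then deleted within `window`."""
    pending = {}   # (kind, name, host) -> (creation time, creator)
    findings = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        ts = datetime.fromisoformat(ev["time"])
        # "account_created" -> kind "account", verb "created"
        kind, _, verb = ev["action"].partition("_")
        key = (kind, ev["object"], ev["host"])
        if verb == "created":
            pending[key] = (ts, ev["actor"])
        elif verb == "deleted" and key in pending:
            created, creator = pending.pop(key)
            if ts - created <= window:
                findings.append({
                    "kind": kind,
                    "object": ev["object"],
                    "host": ev["host"],
                    "created_by": creator,
                    "deleted_by": ev["actor"],
                    "lifetime": ts - created,
                })
        # A deletion with no creation on record (old_user) is left to the
        # ordinary account-deletion report; it is not a short-lived object.
    return findings


if __name__ == "__main__":
    for finding in short_lived_objects(EVENTS):
        print(finding)
```
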
To assess your enterprise's compliance with this requirement, use the following dashboard and reports:
| Dashboards | Reports |
|---|---|
| Administrative Authorization Changes, Anonymous User Activity in CDE, Clock Synchronization Problems, File Creations Deletions Modifications, Successful Administrative Logins |
Reports all user accounts created. The table provides results by IP address or host name of the system, as well as the name of the new account.
Reports all user accounts that have been deleted. The table provides results by name of the account that made the change, IP address or host name of the system, and event name for the deleted account.
Reports all user accounts that have been modified. The table provides results by the type of modification, name of the changed account, the account that made the change, and the IP address or host name of the system.
Reports all actions, except logins, made by administrative users. The table provides results by the user name, device event class, number of events, and when the change occurred.
Administrative Authorization Changes
Reports all changes authorized by administrative users. The table provides results by the source and target user, the number of changes, and when the change occurred.
Anonymous User Activity in CDE
Reports all logins to the CDE by anonymous users. The table provides details about the user, the affected host, the number of attempted logins, and when the most recent event occurred.
By default, the report includes all users who log in to the CDE because the variable isUserNameAnonymous is set to yes. To make the report more specific, in the logical model, enter the list of anonymous users for the variable isUserNameAnonymous, as shown in the example. For more information, see the Solutions Guide for ArcSight Compliance Pack for PCI.
Reports the audit logs cleared by user. The table provides results by the user, the affected host, the number of events, and when the most recent event occurred.
Clock Synchronization Problems
Reports the number of assets with clock synchronization issues over time. In SSL, clocks are used for certificate validation. A malicious user could modify the server or client clock so that the dates in certificates are disregarded, and could then impersonate the server indefinitely, even after the certificate expires. The table provides details about the affected asset and when the most recent event occurred.
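Why clock drift matters for certificate validation, and one way to surface it from event data. This is an added example, not ArcSight's own logic; the asset names, field names, certificate dates and the five-minute tolerance are constructed, and it assumes the collector's receipt time is trustworthy and delivery latency is small.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Constructed sample: each event carries the time the device stamped on it
# and the time the collector received it. Names and fields are assumptions.
EVENTS = [
    {"asset": "pos-gw01", "device_time": datetime(2024, 1, 15, 12, 0, tzinfo=UTC),
     "receipt_time": datetime(2024, 3, 1, 12, 0, tzinfo=UTC)},
    {"asset": "cde-db01", "device_time": datetime(2024, 3, 1, 12, 0, 2, tzinfo=UTC),
     "receipt_time": datetime(2024, 3, 1, 12, 0, 0, tzinfo=UTC)},
    {"asset": "pos-gw01", "device_time": datetime(2024, 1, 15, 12, 1, tzinfo=UTC),
     "receipt_time": datetime(2024, 3, 1, 12, 1, tzinfo=UTC)},
]

# Constructed certificate validity window (expired on 31 January 2024).
NOT_BEFORE = datetime(2023, 1, 31, tzinfo=UTC)
NOT_AFTER = datetime(2024, 1, 31, tzinfo=UTC)


def date_check_passes(now, not_before=NOT_BEFORE, not_after=NOT_AFTER):
    """Date part of certificate validation: it trusts whatever `now` the host reports."""
    return not_before <= now <= not_after


def clock_skew_by_asset(events, tolerance=timedelta(minutes=5)):
    """Return {asset: largest skew} where device time deviates from receipt time beyond `tolerance`."""
    worst = {}
    for ev in events:
        skew = ev["device_time"] - ev["receipt_time"]
        if abs(skew) > tolerance and abs(skew) > abs(worst.get(ev["asset"], timedelta(0))):
            worst[ev["asset"]] = skew
    return worst


if __name__ == "__main__":
    true_now = datetime(2024, 3, 1, 12, 0, tzinfo=UTC)
    print("expired cert passes with correct clock:", date_check_passes(true_now))
    print("expired cert passes on pos-gw01 clock:", date_check_passes(EVENTS[0]["device_time"]))
    print("assets out of sync:", clock_skew_by_asset(EVENTS))
```
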
Reports events in which the source, such as user, address, device or hostname, cannot be identified. The table provides results by the anomaly's name, the number of events, and when the most recent event occurred.
Reports failed actions, except logins, by administrative users. The table provides results by the target user and host, device event class, the affected product, the number of failed attempts, and when the most recent event occurred.
Reports the number of failed logins by administrative users. The table provides results by the target host, administrative user, and the number of failed attempts.
Reports the number of failed logins by user. The table provides results by the target host, administrative user, and the number of failed attempts.
File Creations Deletions Modifications
Reports the file creations, deletions, and modifications by host. The table provides results by the asset, the type of activity, outcome of the activity, the number of events, and when the most recent event occurred.
Provides, in charts and a table, an overview of firewall events. You can view a trend of firewall events over time, the number of times a firewall rule has been hit, the firewalls by vendor, and products reporting the events.
Reports all events recorded by the IDSs in your enterprise. The table provides results by the IDS device, the type of event, the number of events, and when the most recent event occurred.
Reports all failures associated with information systems. The table provides results by the target asset, the type of failure, the device vendor, and the number of failure events.
Successful Administrative Logins
Reports all successful logins by administrative users. The table provides results by the target asset, the user, and the number of logins.
Reports all successful logins within the CDE. The table provides results by the target asset, the user, the number of logins, and when the most recent login occurred.
Reports all successful logins by user. The table provides results by the target asset, the user, the number of logins, and when the most recent login occurred.
Successful User Logins by Host
Reports all successful user logins by host. The table provides results by the target asset, the user, the number of logins, and when the most recent login occurred.
Reports all user groups created. The table provides results by the event, the new user group, and the user who created the account.
Reports all user groups deleted. The table provides results by the event, the user group deleted, and the user who deleted the account.