title: PCI-DSS 10.2 - Audit Trail Monitoring
id: GENERATE-NEW-UUID
status: stable
description: |
    Implements PCI-DSS requirement 10.2 automated audit trails for security events.
    Monitors critical security-relevant events required by PCI-DSS.
references:
    - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
author: Your Name
date: 2024/01/20
modified: 2024/01/20
tags:
    - pci-dss.10.2.1  # Access to cardholder data
    - pci-dss.10.2.2  # Administrative actions
    - pci-dss.10.2.4  # Invalid access attempts
    - pci-dss.10.2.5  # Authentication mechanism use
    - pci-dss.10.2.7  # System-level object creation/deletion
logsource:
    category: authentication  # Adjust based on specific requirement
    product: windows
detection:
    selection_failed_logon:
        EventID: 4625  # Failed logon (10.2.4)
    selection_admin_logon:
        EventID: 4624  # Successful logon
        TargetUserName|contains:  # Administrative accounts (10.2.2)
            - 'admin'
            - 'Administrator'
    selection_account_mgmt:
        EventID:  # Account management (10.2.5, 10.2.7)
            - 4720  # Account created
            - 4722  # Account enabled
            - 4724  # Password reset
            - 4726  # Account deleted
            - 4738  # Account changed
    condition: selection_failed_logon or selection_admin_logon or selection_account_mgmt
falsepositives:
    - Legitimate administrative activity must be logged per PCI-DSS
level: medium
fields:
    - ComputerName
    - TargetUserName
    - WorkstationName
    - IpAddress
    - Timestamp

# PCI-DSS 10.2 Requirements:
#
# 10.2.1 - All individual user accesses to cardholder data
# 10.2.2 - All actions taken by individuals with root or administrative privileges
# 10.2.3 - Access to all audit trails
# 10.2.4 - Invalid logical access attempts
# 10.2.5 - Use of identification and authentication mechanisms
# 10.2.6 - Initialization of audit logs
# 10.2.7 - Creation and deletion of system-level objects
#
# Additional PCI-DSS Detection Rules:
#
# File Access to Cardholder Data (10.2.1):
#   logsource:
#       category: file_event
#   detection:
#       selection:
#           TargetFilename|contains: '\cardholder-data\'
#
# Service Creation (10.2.7):
#   logsource:
#       category: process_creation
#   detection:
#       selection:
#           Image|endswith: '\sc.exe'
#           CommandLine|contains: 'create'
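# Added example, not part of the rule above or of the Sigma project: a simplified
# re-implementation of the rule's three selections and OR condition, run over
# constructed Windows Security events so the PCI-DSS 10.2 mapping can be checked
# offline. Assumes events are plain dicts keyed by the rule's field names and that,
# as in Sigma's default matching, string comparison is case-insensitive and
# `|contains` means substring match.

```python
ADMIN_LOGON_EVENT = 4624
FAILED_LOGON_EVENT = 4625
ACCOUNT_MGMT_EVENTS = {4720, 4722, 4724, 4726, 4738}  # created/enabled/pw reset/deleted/changed
ADMIN_NAME_PATTERNS = ("admin", "Administrator")      # TargetUserName|contains list


def _contains_any(value, patterns):
    """Sigma `|contains` with a list value: any pattern as a case-insensitive substring."""
    v = str(value).lower()
    return any(p.lower() in v for p in patterns)


def match_rule(event):
    """Return the first selection the event satisfies, or None.

    Mirrors `condition: selection_failed_logon or selection_admin_logon or
    selection_account_mgmt`; the name tells the analyst which 10.2 item applies.
    """
    eid = event.get("EventID")
    if eid == FAILED_LOGON_EVENT:
        return "selection_failed_logon"  # 10.2.4 invalid logical access attempt
    if eid == ADMIN_LOGON_EVENT and _contains_any(event.get("TargetUserName", ""), ADMIN_NAME_PATTERNS):
        return "selection_admin_logon"  # 10.2.2 administrative action
    if eid in ACCOUNT_MGMT_EVENTS:
        return "selection_account_mgmt"  # 10.2.5 / 10.2.7 account lifecycle
    return None


# Constructed sample events (not real log data); fields follow the rule's `fields:` list.
SAMPLE_EVENTS = [
    {"EventID": 4625, "TargetUserName": "jdoe", "IpAddress": "10.0.0.5", "ComputerName": "POS01"},
    {"EventID": 4624, "TargetUserName": "SQLAdmin", "IpAddress": "10.0.0.7", "ComputerName": "DB01"},
    {"EventID": 4624, "TargetUserName": "cashier3", "IpAddress": "10.0.0.9", "ComputerName": "POS02"},
    {"EventID": 4726, "TargetUserName": "tempvendor", "IpAddress": "-", "ComputerName": "DC01"},
    {"EventID": 4688, "TargetUserName": "cashier3", "IpAddress": "-", "ComputerName": "POS02"},
]


def evaluate(events):
    """Keep only matching events, tagged (ComputerName, EventID, selection)."""
    return [(e["ComputerName"], e["EventID"], sel) for e in events if (sel := match_rule(e))]


if __name__ == "__main__":
    for computer, eid, selection in evaluate(SAMPLE_EVENTS):
        print(f"{computer}: EventID {eid} -> {selection}")
```

# Note that "SQLAdmin" matches because `|contains` is a substring test, which is the
# kind of over-match the rule's falsepositives entry anticipates.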