
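# Sigma rule: PCI-DSS 10.2 audit-trail coverage on the Windows Security log.
# Indentation restored; the original paste had every line at column 0, which
# breaks the mapping/sequence structure Sigma backends expect.
title: PCI-DSS 10.2 - Audit Trail Monitoring
id: GENERATE-NEW-UUID  # placeholder, not a valid UUID — generate a UUIDv4 before the rule is imported
status: stable  # NOTE(review): placeholder id/author suggest this is still a template; `experimental` may be more honest
description: |
  Implements PCI-DSS requirement 10.2 automated audit trails for security events.
  Monitors critical security-relevant events required by PCI-DSS.
references:
  - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
author: Your Name  # placeholder — fill in before publishing
date: 2024/01/20
modified: 2024/01/20
tags:
  - pci-dss.10.2.1  # Access to cardholder data
  - pci-dss.10.2.2  # Administrative actions
  - pci-dss.10.2.4  # Invalid access attempts
  - pci-dss.10.2.5  # Authentication mechanism use
  - pci-dss.10.2.7  # System-level object creation/deletion
logsource:
  product: windows
  # Every EventID below (4624/4625/47xx) comes from the Windows Security log,
  # so the Sigma logsource is `service: security`; the original
  # `category: authentication` is not a Sigma taxonomy entry for these events.
  service: security
detection:
  selection_failed_logon:
    EventID: 4625  # An account failed to log on (10.2.4)
  selection_admin_logon:
    EventID: 4624  # An account was successfully logged on
    # Administrative accounts (10.2.2). Sigma string matching is
    # case-insensitive, so 'admin' already covers 'Administrator'; the second
    # entry is kept for readability only. No LogonType filter is applied, so
    # every successful logon of a matching account (interactive, network,
    # service, batch) is reported — expect volume, tune per environment.
    TargetUserName|contains:
      - 'admin'
      - 'Administrator'
  selection_account_mgmt:
    EventID:  # Account management (10.2.5, 10.2.7)
      - 4720  # A user account was created
      - 4722  # A user account was enabled
      - 4724  # An attempt was made to reset an account's password
      - 4726  # A user account was deleted
      - 4738  # A user account was changed
  # Any of the three selections is sufficient; they cover different 10.2 sub-requirements.
  condition: selection_failed_logon or selection_admin_logon or selection_account_mgmt
falsepositives:
  - Legitimate administrative activity must be logged per PCI-DSS
level: medium
fields:
  - ComputerName
  - TargetUserName
  - WorkstationName
  - IpAddress
  - Timestamp  # NOTE(review): not a native Security-event field name; map to the backend's timestamp field or drop

# PCI-DSS 10.2 Requirements:
#
# 10.2.1 - All individual user accesses to cardholder data
# 10.2.2 - All actions taken by individuals with root or administrative privileges
# 10.2.3 - Access to all audit trails
# 10.2.4 - Invalid logical access attempts
# 10.2.5 - Use of identification and authentication mechanisms
# 10.2.6 - Initialization of audit logs
# 10.2.7 - Creation and deletion of system-level objects
#
# Sub-requirements 10.2.3 and 10.2.6 (audit-trail access, audit-log
# initialization) are not covered by this rule.
#
# Additional PCI-DSS Detection Rules (sketches, one rule per file):
#
# File Access to Cardholder Data (10.2.1):
# logsource:
#   category: file_event
#   product: windows
# detection:
#   selection:
#     TargetFilename|contains: '\cardholder-data\'
#   condition: selection
#
# Service Creation (10.2.7):
# logsource:
#   category: process_creation
#   product: windows
# detection:
#   selection:
#     Image|endswith: '\sc.exe'
#     CommandLine|contains: 'create'
#   condition: selection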