Currently PCI 1.2 - Rule - Detect Communication Directly To Untrusted From Trusted is configured to send e-mail alerts and alert mode is set as always , and it is scheduled to run on cron schedule (6****)
But we noticed that we are receiving some false positive alert e-mail with no events
So I tried to modify the alert condition from always to number of events > 5 after saving it and when I reopen the saved search the alert mode goes back to always
Can any body help me on this
asked 18 Apr '12, 06:01
Tks for the reply.
Actually I need to set it to greater than 0 , because when I set the e-mail alert before I used to get the blank pdf (specially when there are no events)
I will try the configuration and let you know the outcome.
answered 23 Apr '12, 22:36
I tried the workaround but the results are same.
answered 29 Apr '12, 00:30
This sounds to me like a permissions problem that will need to be sorted in the local.meta configuration file. Searches in some apps are not allocated an owner which would happen if they were created in the UI. This prevents issues if the account doesn't exist when the app is installed but occasionally it gets confused when it has been modified a couple of times by other users.
I would look in your $SPLUNK_HOME/etc/apps/SplunkPCIComplianceSuite/metadata/local.meta file for a stanza
and add the following line below it replacing admin with a valid administrator account.
I think the underlying issue is more serious. You are masking a potential threat by changing this. There are three potential scenarios.
1) you have an ip address marked as trusted that shouldn't be.
2) you have an ip address marked as untrusted that should be trusted.
3) Someone or something is making connections that shouldn't be allowed.
The first two can easily be remedied by editing your lookup file
answered 23 Apr '12, 02:38