Splunk® App for PCI Compliance

User Manual

This documentation does not apply to the most recent version of Splunk® App for PCI Compliance. For documentation on the most recent version, go to the latest release.

Use default risk factors in Splunk App for PCI Compliance

Use the default risk factors, each designed for a specific condition, to dynamically adjust the risk scores of risk objects and isolate threats more effectively in Splunk App for PCI Compliance. The app provides seven risk factors by default, which you can customize for your environment. You can also treat these defaults as templates and create your own risk factors based on the conditions that matter in your environment.

All risk factors are listed in the left panel of the Risk Factor Editor, but the default risk factors ship disabled and must be enabled before they affect any risk score. The default factors match on fields such as user_category, user_priority, user_watchlist, dest_priority, and src_category, which are populated by asset and identity correlation; if those lookups are not maintained, an enabled factor never matches and risk scores are left unchanged.

The following risk factors are available in the app by default:

1. Admin User: Increases the risk score of a user who has a privileged or administrative identity. If the "user_category" field matches the regular expression "admin", the risk score is multiplied by 1.5.
2. Contractor User: Increases the risk score of a user who is a contractor. If the "user_category" field value is "contractor", 5 is added to the risk score.
3. Critical Priority Destination: Increases the risk score for critical destinations. If the "dest_priority" field value is "critical", the risk score is multiplied by 1.5.
4. High Priority User: Increases the risk score for high priority users. If the "user_priority" field value is "high", the risk score is multiplied by 1.25.
5. PCI Source: Increases the risk score for Payment Card Industry (PCI) sources. If the "src_category" field value is "pci", the risk score is multiplied by 1.5.
6. Watchlisted Priority User: Increases the risk score for users on a watch list whose priority is not low. If the "user_watchlist" field value is "true" and the "user_priority" field value is not "low", the risk score is multiplied by 1.5. For more information on watchlists, see the Splunk Blogs post Using watchlists to your advantage.
7. Watchlisted User: Increases the risk score for all users on a watch list. If the "user_watchlist" field value is "true", the risk score is multiplied by 1.5. For more information on watchlists, see the Splunk Blogs post Using watchlists to your advantage.

Note that a watchlisted user whose priority is not low satisfies both the Watchlisted Priority User and the Watchlisted User conditions, so both factors apply to that user.
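The following simulation shows how the seven default risk factors, as listed above, combine on a risk event: which factor conditions hold, and what the adjusted score is. It is an added example and not code from Splunk or the Splunk App for PCI Compliance. It assumes that Multiply factors are applied before Add factors, that a condition on a field absent from the event never matches (including "not equals"), and that the factors ship disabled; the sample risk events are constructed.

```python
"""Simulation of how the seven default risk factors adjust a risk score.

Added example, not code from Splunk or the Splunk App for PCI Compliance.
Assumptions: Multiply factors are applied before Add factors; a condition
on a field that is absent from the event never matches (including
"not_equals"); all sample events below are constructed.
"""
import re
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

RiskEvent = Dict[str, str]
Condition = Tuple[str, str, str]  # (field, operator, value)


@dataclass(frozen=True)
class RiskFactor:
    name: str
    conditions: Tuple[Condition, ...]  # every condition must hold (AND)
    operation: str                     # "multiply" or "add"
    amount: float
    enabled: bool = False              # the defaults ship disabled


# The seven default risk factors, as described in the list above.
DEFAULT_FACTORS: List[RiskFactor] = [
    RiskFactor("Admin User", (("user_category", "regex", "admin"),), "multiply", 1.5),
    RiskFactor("Contractor User", (("user_category", "equals", "contractor"),), "add", 5),
    RiskFactor("Critical Priority Destination", (("dest_priority", "equals", "critical"),), "multiply", 1.5),
    RiskFactor("High Priority User", (("user_priority", "equals", "high"),), "multiply", 1.25),
    RiskFactor("PCI Source", (("src_category", "equals", "pci"),), "multiply", 1.5),
    RiskFactor("Watchlisted Priority User",
               (("user_watchlist", "equals", "true"), ("user_priority", "not_equals", "low")),
               "multiply", 1.5),
    RiskFactor("Watchlisted User", (("user_watchlist", "equals", "true"),), "multiply", 1.5),
]


def enable_all(factors: List[RiskFactor]) -> List[RiskFactor]:
    """Return copies of the factors with enabled=True (what the editor does)."""
    return [replace(f, enabled=True) for f in factors]


def condition_holds(event: RiskEvent, cond: Condition) -> bool:
    fld, op, value = cond
    actual = event.get(fld)
    if actual is None:
        return False  # absent field: no match, even for not_equals (assumption)
    if op == "equals":
        return actual == value
    if op == "not_equals":
        return actual != value
    if op == "regex":
        return re.search(value, actual) is not None
    raise ValueError(f"unknown operator {op!r}")


def factor_applies(event: RiskEvent, factor: RiskFactor) -> bool:
    return factor.enabled and all(condition_holds(event, c) for c in factor.conditions)


def apply_risk_factors(event: RiskEvent, factors: List[RiskFactor]):
    """Return (adjusted_score, names_of_applied_factors) for one risk event."""
    score = float(event["risk_score"])
    applied = [f for f in factors if factor_applies(event, f)]
    # Assumption: all multiplicative factors first, then the additive ones.
    for f in applied:
        if f.operation == "multiply":
            score *= f.amount
    for f in applied:
        if f.operation == "add":
            score += f.amount
    return score, [f.name for f in applied]


# Constructed sample risk events (not real data).
SAMPLE_EVENTS: Dict[str, RiskEvent] = {
    "admin_on_watchlist": {"risk_score": "20", "user": "jdoe", "user_category": "privileged_admin",
                           "user_priority": "high", "user_watchlist": "true"},
    "contractor_pci_to_critical": {"risk_score": "10", "user": "ctr01", "user_category": "contractor",
                                   "src_category": "pci", "dest_priority": "critical"},
    "low_priority_watchlisted": {"risk_score": "10", "user": "temp", "user_watchlist": "true",
                                 "user_priority": "low"},
    "watchlisted_no_priority": {"risk_score": "10", "user": "svc", "user_watchlist": "true"},
}

if __name__ == "__main__":
    enabled = enable_all(DEFAULT_FACTORS)
    for label, ev in SAMPLE_EVENTS.items():
        score, names = apply_risk_factors(ev, enabled)
        print(f"{label}: {ev['risk_score']} -> {score} via {names}")
```

Running it with the factors as shipped (disabled) leaves every score unchanged, which is the first thing to check when a newly configured factor seems to have no effect. With all seven enabled, the watchlisted admin with high priority is multiplied by 1.5, 1.25, 1.5 and 1.5 (four factors stack), while the watchlisted user whose priority is "low" is only multiplied once.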

Create your own risk factors to adjust the risk scores of risk objects so that you can isolate threats more effectively in Splunk App for PCI Compliance by mapping out the risk in your environment. See Create risk factors in Splunk Enterprise Security and Manage risk factors in Splunk Enterprise Security in the Administer Splunk Enterprise Security manual.

Last modified on 03 September, 2021

This documentation applies to the following versions of Splunk® App for PCI Compliance: 4.4.0, 4.4.1, 4.5.0 Cloud only, 4.6.0, 4.6.2
