Splunk® App for PCI Compliance

Installation and Configuration Manual

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of Splunk® App for PCI Compliance. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Data management overview

The Splunk App for PCI Compliance works with Splunk software and supports all CIM-compliant data ingestion methods. After the app is installed and configured, solution administrators can start to add data to the Splunk deployment.

The Splunk App for PCI Compliance requires considerations when determining how to get data from the various sources. When you set up a data input for the Splunk App for PCI Compliance, make sure the data is correctly mapped using a technology add-on so that the data is normalized and assigned the correct source type.

Considerations for data inputs with PCI compliance

You can use each of the main approaches for Splunk data inputs (monitoring files, monitoring network ports, monitoring Windows and Unix data, and deploying custom scripted inputs) with the Splunk App for PCI Compliance. Some approaches work better than others because the input data must be assigned the correct source type.

  • Monitoring files: Deploy a forwarder on each system where you want to monitor files and source type the file inputs on the forwarder. If there is a large number of forwarders with identical configurations, use the deployment server to set up and manage the logging sources across your forwarders.
  • Monitoring network ports: You can send data to a forwarder or directly to an indexer on any TCP or UDP port. Be careful when sending data from multiple sources over the same port. See the Get data from TCP and UDP ports section in Getting Data In.
  • Monitoring Windows data: To implement Windows eventlog monitoring, deploy a forwarder on each system. If there is a large number of forwarders with identical configurations, use the Splunk Enterprise deployment server to set up and manage the logging sources across your forwarders.

Source typing

Set the correct source type for data to be properly processed by Splunk platform and used by the Splunk App for PCI Compliance. The app works with all types of inputs. Technology add-ons provide search-time knowledge to map data.

For more information about automatic source typing, see Why source types matter in Getting Data In.

Identify assets

To get the most out of the Splunk App for PCI Compliance, you must provide information about the assets, which are the devices and systems in the environment. The asset list includes a number of fields used by the dashboards and correlation searches in the app. Splunk App for PCI Compliance still functions without an asset list, but the functionality for some dashboards and features is incomplete.

Some of the important fields in the asset list include:

  • ip, mac, nt_host, dns, owner - Asset information. These fields are used to provide details about current assets in the Splunk App for PCI Compliance.
  • priority - Assets by priority. This field is used to determine the urgency of the notable events associated with security incidents.
  • category - Asset category. This field is used to define systems in-scope for PCI and/or contain cardholder data. Categories are configurable and are defined in a separate category list. Used by many Splunk for PCI Compliance dashboards to filter the view. Common examples are compliance and security standards governing the asset, or functional categories (such as server, domain_controller, and so on). An asset can be included in multiple categories by assigning a bar-delimited list of categories in the asset list, For example, pci|cardholder|server. See Set up asset categories.
  • pci_domain - This field is used to specify the network zone the asset is found within. An asset can be included in multiple PCI domains by assigning a pipe-delimited list of domains in the asset list. The following values are supported by default:
    trust
    trust|wireless
    trust|cardholder
    trust|dmz
    untrust
  • bunit - Assets by business unit. Used by many Splunk for PCI Compliance dashboards to restrict the view. A free-form field that can be used to specify the business unit the asset is part of.

This can be done by using the asset list, a comma-separated values (CSV) lookup file with contextual information about your systems, information that cannot be gathered from events themselves. Augmenting events with additional asset information helps security analysts and incident investigators. Populate the asset list either by building an automated capture from an existing asset database or by populating the file manually. See Configure assets for more about how to add asset data to the asset list.

Identify system identities

The Splunk App for PCI Compliance needs to have information about the identities who use the system. Create an identity list, which is a list of account names, legal names, nicknames, alternate names, and phone numbers within your organization. The identity list provides information used to correlate identities (individuals) with both events and assets.

The identity list includes a number of fields that are used by the dashboards and correlation searches in PCI Compliance. Splunk App for PCI Compliance still functions without an identity list, but the functionality for some dashboards and features is incomplete. Some of the important fields in the identity list include:

  • Identities by Priority: Used to determine the urgency of the notable events associated with security incidents involving identities.
  • Identities by Business Unit: Used by many PCI Compliance dashboards to restrict the view to a particular business unit. A free-form field that can be used to specify to which the business unit the identity belongs.
  • Identities by Category: Used by many PCI Compliance dashboards to restrict the view. Categories are configurable and are defined in a separate category list. Common examples are compliance and security standards governing the identity, or functional categories (such as server, domain_controller, and so on.). You can include an identity in multiple categories by assigning a bar-delimited list of categories in the identity list (for example, "pci|cardholder|server")
  • Identities: Used to view details of the current identities in the system.

Identities are defined in CSV lookup table located under the Identity Management add-on in the $SPLUNK_HOME/etc/apps/SA-IdentityManagement/lookups/identities.csv directory. Populate this file with the identity information for your infrastructure. The CSV file can be constructed manually or populated by a script that pulls the information from an existing identity table or database. See Configure identities for more about how to add identity data to the identity list.

Last modified on 25 January, 2018
PREVIOUS
Deployment options
  NEXT
Using technology add-ons with the Splunk App for PCI Compliance

This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.4.0, 3.4.1, 3.4.2, 3.5.0, 3.6.0, 3.6.1, 3.7.0, 3.7.1, 3.7.2, 3.8.0, 3.8.1, 4.0.0, 4.0.1, 4.1.0, 4.1.1, 4.3.0, 4.4.0, 4.4.1, 4.5.0 Cloud only, 4.6.0, 4.6.2


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters