Splunk® App for PCI Compliance

Data Source Integration Manual

This documentation does not apply to the most recent version of Splunk® App for PCI Compliance. For documentation on the most recent version, go to the latest release.

Dashboard Requirements Matrix

To be displayed in the Splunk App for PCI Compliance dashboards, data must conform to the requirements listed in the tables below, which give the tags, fields, and source types required by each dashboard and panel. When certain fields are omitted, they are automatically replaced with default values (such as unknown); the data must still meet the source type and tag requirements of the dashboard, because a missing tag cannot be defaulted.

Note: By default, the tags in the "Tags" column are combined with AND unless an OR is shown explicitly.
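As an added example that is not part of this Splunk documentation, the following two searches check whether the events in your indexes actually meet a panel's requirements, using the Traffic Detail panel from R1 (tags network and communicate; fields action, src, dest, transport, dest_port) as the case. The first search reports, per source type, which of the required fields are missing; the second approximates what the panel sees once omitted fields have been defaulted to unknown (the fillnull step is my approximation of that behaviour, not the app's own search). The 24-hour window is an arbitrary choice.

```spl
tag=network tag=communicate earliest=-24h
| eval missing=""
| foreach action src dest transport dest_port
    [ eval missing=if(isnull('<<FIELD>>'), missing.",<<FIELD>>", missing) ]
| eval missing=if(missing=="", "none", ltrim(missing, ","))
| stats count BY sourcetype, missing
| sort sourcetype -count

tag=network tag=communicate earliest=-24h
| fillnull value=unknown action src dest transport dest_port
| stats count BY action src dest transport dest_port
| sort -count
```

Run the searches separately. A source type that does not appear in the first search's output at all is not tagged network and communicate; no fillnull default can repair that, because tags are assigned to event types in tags.conf rather than extracted from the events. A source type that appears with missing fields needs field extractions or aliases for the CIM names shown, otherwise every such event collapses into the unknown bucket of the second search and the panel loses its ability to distinguish sources and destinations.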

R1: Network Traffic

Firewall Rule Activity
  Activity by Month
    Fields: rule, dvc, vendor_product
    Tags: network, communicate

Network Traffic Activity
  Traffic by Source and Destination Domain
    Fields: action, src, dest, transport, dest_port
    Tags: network, communicate
  Recent Notable Events
    Depends on notable events created by correlation searches
  Traffic Detail
    Fields: action, src, dest, transport, dest_port
    Tags: network, communicate

Prohibited Services
  Notable Events by Status (Last 30 days)
    Depends on notable events created by correlation searches
  Recent Notable Events
    Depends on notable events created by correlation searches
  Service Details
    Note: This scorecard is based on the assets list and the interesting processes lookup; both lists must be populated for it to work.
    Fields: dest, app
    Tags/Sourcetype: sourcetype="*:LocalProcesses" OR sourcetype=ps

R2: Default Configurations

Default Account Access
  Default Account Access over Time
    Accounts appear here only if the identities lookup defines them as default accounts (category of default).
    Fields: action, app, src, src_user, dest, user
    Tags: authentication (excluding events with action=success and a user field ending in $)
  Recent Notable Events
    Depends on notable events created by correlation searches
  Default Account Access Details
    Accounts appear here only if the identities lookup defines them as default accounts (category of default).
    Fields: action, app, src, src_user, dest, user
    Tags: authentication (excluding events with action=success and a user field ending in $)

Insecure Authentication Attempts
  Insecure Authentication Attempts
    Fields: action, app, src, src_user, dest, user
    Tags: authentication (excluding events with action=success and a user field ending in $)

Primary Functions
  Primary Function Summary
    This panel is based on the primary functions and assets lookups; both must be populated to use this dashboard.
    Fields: function
    Tags/Sourcetype: (listening, port) OR (sourcetype="*:Service") OR (sourcetype="*:LocalProcesses" OR sourcetype=ps)
  Recent Notable Events
    Depends on notable events created by correlation searches
  Primary Function Details
    This panel is based on the primary functions and assets lookups; both must be populated to use this dashboard.
    Fields: ip, mac, nt_host, dns, owner, category, pci_domain, process, service, port, function
    Tags/Sourcetype: (listening, port) OR (sourcetype="*:Service") OR (sourcetype="*:LocalProcesses" OR sourcetype=ps)

Prohibited Services
  Notable Events by Status (Last 30 days)
    Depends on notable events created by correlation searches
  Recent Notable Events
    Depends on notable events created by correlation searches
  Service Details
    Uses information from the assets list and from the interesting services and interesting processes lookups.
    Fields: ip, mac, nt_host, dns, owner, category, pci_domain, process, service, port
    Tags/Sourcetype: (listening, port) OR (sourcetype="*:Service") OR (sourcetype="*:LocalProcesses" OR sourcetype=ps)

System Misconfigurations
  Systems With Misconfigurations (Last 90 days)
    Fields: dest
    Tags: misconfiguration AND ((ids attack) OR (network vulnerability report))
  Recent Notable Events
    Depends on notable events created by correlation searches
  System Misconfiguration Details
    Fields: dest, signature
    Tags: misconfiguration AND ((ids attack) OR (network vulnerability report))

Wireless Network Misconfigurations
  Wireless Misconfigurations Summary (Last 90 days)
    Fields: dest
    Tags: misconfiguration AND ((ids attack) OR (network vulnerability report))
  Recent Notable Events
    Depends on notable events created by correlation searches
  Wireless Misconfigurations Detail
    Fields: dest, signature
    Tags: misconfiguration AND ((ids attack) OR (network vulnerability report))
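The authentication rows in this section all carry the same exclusion. As an added example that is not from the Splunk documentation, this search applies that exclusion literally and tabulates the remaining authentication events by outcome, application, target host and account. It assumes the CIM action and user fields are populated on your authentication source types; the user="*$" term matches Windows computer accounts, whose names end in a dollar sign, so successful machine logons are dropped while failed ones are kept and still surface in the Insecure Authentication Attempts panel. The 24-hour window is arbitrary.

```spl
tag=authentication NOT (action=success user="*$") earliest=-24h
| fillnull value=unknown action app src src_user dest user
| stats count BY action app dest user
| sort -count
```

If identity enrichment populates a user_category field (the PCI app does this through its identity lookup; the field name is assumed here), appending | search user_category=default narrows the output to the default accounts that the Default Account Access panels display. When the exclusion is embedded in a Simple XML dashboard rather than typed ad hoc, the literal dollar sign must be written as $$, because a single $ delimits a dashboard token.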

R3: Protect Data at Rest

Credit Card Data Found
  Credit Card Transmission Event Summary (by source)
    Fields: src
    Tags: network, ids, attack, pii
  Recent Notable Events
    Depends on notable events created by correlation searches
  Credit Card Transmission Event Details
    Fields: dvc, signature, src, dest
    Tags: network, ids, attack, pii

R4: Protect Data in Motion

Credit Card Data Found
  Credit Card Transmission Event Summary (by source)
    Fields: src
    Tags: network, ids, attack, pii
  Recent Notable Events
    Depends on notable events created by correlation searches
  Credit Card Transmission Event Details
    Fields: dvc, signature, src, dest
    Tags: network, ids, attack, pii

R5: Anti-malware Protection

Endpoint Product Deployment
  Missing Antivirus
    This panel uses the contents of the asset lookup and shows hosts that have not reported activity indicating that they have malware protection (such as a signature update).
    Fields: ip, mac, nt_host, dns, owner, requires_av, category, pci_domain
    Tags: (endpoint application version) OR (endpoint application signature update)
  Disabled Antivirus
    This panel uses the contents of the asset lookup and shows systems that have not reported activity indicative of working anti-virus protection (such as signature updates).
    Fields: ip, mac, nt_host, dns, owner, requires_av, category, pci_domain
    Tags: (endpoint application version) OR (endpoint application signature update)

Endpoint Product Versions
  Summary
    Fields: dest, product_version, vendor_product
    Tags: (endpoint application version) OR (endpoint application signature update)
  Details
    Fields: vendor_product, product_version, dest, dest_category, dest_pci_domain
    Tags: (endpoint application version) OR (endpoint application signature update)

Malware Activity

Malware Signature Updates
  Anti-malware Signature Summary
    Fields: signature_version, dest, vendor_product
    Tags: (endpoint application version) OR (endpoint application signature update)
  Recent Notable Events
    Depends on notable events created by correlation searches
  Anti-malware Signature Details
    Relies on the contents of the assets lookup.
    Fields: dest, vendor_product, signature_version
    Tags: (endpoint application version) OR (endpoint application signature update)
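As an added example, and not the app's own search, the following reproduces the idea behind the Missing Antivirus panel: it lists assets that require anti-malware protection but have reported no endpoint version or signature-update activity in the last seven days. The lookup file name pci_assets.csv, the true/false encoding of requires_av and the seven-day window are assumptions about your deployment; the dest field in the endpoint events must match the asset's nt_host (or, failing that, its ip) for the correlation to work.

```spl
| inputlookup pci_assets.csv
| search requires_av=true
| eval dest=coalesce(nt_host, ip), last_seen=null()
| append
    [ search tag=endpoint tag=application (tag=version OR (tag=signature tag=update)) earliest=-7d
      | stats max(_time) AS last_seen BY dest ]
| stats values(owner) AS owner values(category) AS category values(pci_domain) AS pci_domain max(last_seen) AS last_seen BY dest
| where isnull(last_seen)
| table dest owner category pci_domain
```

Because the asset rows start with last_seen set to null and the event rows carry a real timestamp, max(last_seen) is null only for assets with no matching endpoint event, which is exactly the set the where clause keeps. The append subsearch is subject to the normal subsearch result and time limits, so on a large estate run the event half as a scheduled search that writes a summary lookup and join against that instead. The same structure, with the asset filter and the inner search swapped, gives a Hosts Not Reporting check for the Forwarder Audit dashboard.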

R6: Patch Update Protection

Anomalous System Uptime
  Anomalous System Uptime
    This panel uses the assets lookup.
    Fields: SystemUpTime
    Tags: uptime

Default Account Access
  Default Account Access over Time
    Accounts appear here only if the identities lookup defines them as default accounts (for example, has a category of default).
    Fields: action, app, src, src_user, dest, user
    Tags: authentication (excluding events with action=success and a user field ending in $)
  Recent Notable Events
    Depends on notable events created by correlation searches
  Default Account Access Details
    Accounts appear here only if the identities lookup defines them as default accounts (has a category of default).
    Fields: action, app, src, src_user, dest, user
    Tags: authentication (excluding events with action=success and a user field ending in $)

Patch Service Status
  Anomalous Update Service by System Count (Last 90 days)
    This panel uses the assets lookup: hosts must have is_required set to true and dest_should_update set to true. The interesting_services_lookup is also used to identify patch services.
    Fields: dest
    Tags/Sourcetype: sourcetype="*:Service" tag::app=update
  Recent Notable Events
    Depends on notable events created by correlation searches
  Service Details
    This panel uses the assets lookup and the interesting services lookup.
    Fields: StartMode, dest
    Tags/Sourcetype: sourcetype="*:Service" tag::app=update

System Patch Status
  System Patch Status
    This panel uses the assets lookup and the interesting services lookup.
    Fields: StartMode, dest
    Tags/Sourcetype: sourcetype="*:Service" tag::app=update

R7: Access Monitoring

PCI Resource Access
  Fields: user, action, app, src, src_user
  Tags: authentication (excluding events with action=success and a user field ending in $)

R8: Activity Accountability

Default Account Access
  Default Account Access over Time
    Accounts appear here only if the identities lookup defines them as default accounts (has a category of default).
    Fields: action, app, src, src_user, dest, user
    Tags: authentication (excluding events with action=success and a user field ending in $)
  Recent Notable Events
    Depends on notable events created by correlation searches
  Default Account Access Details
    Accounts appear here only if the identities lookup defines them as default accounts (has a category of default).
    Fields: action, app, src, src_user, dest, user
    Tags: authentication (excluding events with action=success and a user field ending in $)

PCI Resource Access
  Fields: user, action, app, src, src_user
  Tags: authentication (excluding events with action=success and a user field ending in $)

R10: Cardholder Data

Endpoint Changes
  Endpoint Changes
    Fields: action, status, object_category, object, object_path, dest, user
    Tags: endpoint, change

PCI Asset Logging
  PCI Resource Logging
    This panel works off the assets list.
    Fields: src
    Tags: None necessary

PCI Resource Access
  Fields: user, action, app, src, src_user
  Tags: authentication (excluding events with action=success and a user field ending in $)

Privileged User Activity
  Privileged User Activity
    Fields: event_id, host, sourcetype, src_user, user, eventtype
    Tags: privileged

System Time Synchronization
  System Time Synchronization Details
    This panel relies on the asset and identities lookups.
    Fields: dest
    Tags: time, synchronize

R11: Vulnerability Testing

Endpoint Changes
  Endpoint Changes
    Fields: action, status, object_category, object, object_path, dest, user
    Tags: endpoint, change

Rogue Wireless Access Point Detection
  Rogue Device History (Last 90 days)
    Fields: dest
    Tags: (ids attack rogue wireless) OR (network vulnerability report rogue wireless)
  Recent Notable Events
    Depends on notable events created by correlation searches
  Rogue Device Details
    Fields: signature, dest, vendor_product
    Tags: (ids attack rogue wireless) OR (network vulnerability report rogue wireless)

Vulnerability Report
  Fields: cvss, severity, signature, dest
  Tags: network, vulnerability

IDS/IPS Alert Activity
  IDS/IPS Alert Activity over Time
    Fields: severity
    Tags: ids, attack
  Recent Notable Events
    Depends on notable events created by correlation searches
  IDS/IPS Alert Activity Details
    Fields: ids_type, severity, signature, src, dest
    Tags: ids, attack

Audit

Incident Review Audit
  Review Activity by Reviewer over Time
    Tags: default OR privileged
  Notable Events by Status
    Tags: default OR privileged
  Top Reviewers
    Tags: default OR privileged
  Recent Review Activity
    Tags: default OR privileged

Suppression Audit
  Currently Suppressed Events (Last 24 hours)
  Suppressed Notable Event History
  Suppression Management Activity
  Expired Suppressions

Forwarder Audit
  Host Event Count over Time
    Fields: _time, app, view, user, host
  Hosts Not Reporting
    Fields: host, user
  Splunkd Resource Utilization
    Fields: _time, host
  Splunkd Anomalous StartMode
    Tags: anomalous, avail, check, default, os, privileged, process, report, should_timesync, should_update

Search Audit
  Search Activity by Type
    Tags: default OR privileged
  Search Activity by User
    Fields: user
  Search Activity by Expense
    Fields: user

View Audit
  Splunk App for Enterprise Security View Activity
  Expanded View Activity
    Tags: privileged OR default
  Expected View Scorecard
  Recent Web Service Errors

Data Protection

Data Protection
  Protecting Correlated Events with Event Hashing
    Tampered Correlated Events
  Protecting Event Data with IT Data Signing
    Verifying Data Integrity Using IT Data Signing
      Fields: id, date, _time, ip_address, host_name, MAC_address
  Protecting Splunk's Audit Data with Audit Signing
    Verifying Splunk's Audit Data
      Fields: gap, validity

Resources

Identity Center

The Identity Center contents are based upon the identity list lookup file.

  Identities by Priority
    Fields: priority
  Identities by Business Unit
    Fields: bunit
  Identities by Category
    Fields: category
  Identities

Asset Center

The Asset Center contents are based upon the asset list lookup file.

  Assets by Priority
    Fields: priority
  Assets by Business Unit
    Fields: bunit
  Assets by Category
    Fields: category
  Asset Information
Last modified on 06 August, 2015

This documentation applies to the following versions of Splunk® App for PCI Compliance: 2.1.1
