Out-of-the-box source types
This section provides a list of the data sources for which Splunk for PCI Compliance provides out-of-the-box support. It also provides a list of the source types that are used for the different data sources and technology add-ons.
Source types are important because PCI Compliance uses the source type as the basis for understanding all data coming in from a particular source. Source types need to be defined carefully so that they are not overloaded (one source type carrying events from unrelated products) or misused.
When a supported data type is imported, the correct source type must be assigned to the data to ensure that it is recognized and parsed correctly by PCI Compliance. For example, events from a Juniper firewall must be assigned the netscreen:firewall source type for TA-juniper to recognize and parse them correctly.
To learn more about the supported data types and source types, see the "List of pretrained source types" in the Splunk documentation. For more information on assigning source types to data inputs, see "About default fields" in the Splunk documentation.
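The following configuration, added here as an illustration and not taken from the Splunk App for PCI Compliance or from TA-juniper, shows how the netscreen:firewall assignment above is made in practice, and how a shared syslog listener can be kept from overloading the generic syslog source type by re-routing each vendor's events to its own source type at parsing time. The file paths, the pci index, the UDP port and the two regular expressions are assumptions; adjust them to the log formats actually seen in your environment.

```ini
# Added example, not part of the Splunk App for PCI Compliance documentation.
# Paths, the "pci" index, the port and the regexes are assumptions.

# --- inputs.conf (on the forwarder) ---
# A dedicated file input: set the exact source type at ingestion time so
# TA-juniper's props/transforms apply to these events.
[monitor:///var/log/juniper/firewall.log]
sourcetype = netscreen:firewall
index = pci

# A shared syslog listener receives several vendors on one port. A single
# static sourcetype here would overload "syslog" with mixed data, so leave
# it generic and let transforms.conf re-route events per vendor below.
[udp://514]
sourcetype = syslog
index = pci
connection_host = dns

# --- props.conf (on the indexer or heavy forwarder, where parsing happens) ---
# Apply the rewrite rules, in order, to everything that arrived as "syslog".
[syslog]
TRANSFORMS-route_pci_sourcetypes = set_netscreen_fw, set_snort

# --- transforms.conf ---
# Assumed pattern: NetScreen syslog lines carry "NetScreen device_id=..." in
# the message header.
[set_netscreen_fw]
REGEX = NetScreen\s+device_id=
FORMAT = sourcetype::netscreen:firewall
DEST_KEY = MetaData:Sourcetype

# Assumed pattern: syslog tags Snort alerts with "snort[<pid>]:".
[set_snort]
REGEX = \bsnort\[\d+\]:
FORMAT = sourcetype::snort
DEST_KEY = MetaData:Sourcetype
```

Two caveats a practitioner should keep in mind. Source type rewriting through props.conf and transforms.conf only happens at parse time, so these two files must live on the indexer or a heavy forwarder, not on a universal forwarder, and events already indexed keep whatever source type they were given. After a restart, confirm the routing with a search such as `index=pci | stats count by sourcetype`: anything still counted under `syslog` is data that none of the rules matched and that no add-on will parse.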
The following table lists the data sources with out-of-the-box support in the Splunk App for PCI Compliance, along with the associated source type and technology add-on name:
Wireless Devices
Data source | Source type(s) | Add-on | Description |
---|---|---|---|
Motorola AirDefense wireless IDS | airdefense | TA-airdefense | Parses AirDefense log data for use in CIM compliant Splunk apps |
Alcatel | alcatel | TA-alcatel | Parses Alcatel network switch log data for use in CIM compliant Splunk apps |
Proxies and Firewalls
Data source | Source type(s) | Add-on | Description |
---|---|---|---|
Blue Coat ProxySG | bluecoat | TA-bluecoat | Parses Bluecoat proxy data for use in CIM compliant Splunk apps |
Juniper NetScreen firewalls and IDP intrusion detection/prevention systems | juniper:idp, netscreen:firewall, juniper:nsm:idp, juniper:nsm | TA-juniper | Parses Juniper log data for use in CIM compliant Splunk apps |
Fortinet Unified Threat Management (UTM) systems | fortinet | TA-fortinet | Parses Fortinet log data for use in CIM compliant Splunk apps |
Palo Alto firewalls | pan, pan:config, pan:system, pan:threat, pan:traffic | TA-paloalto | Parses Palo Alto firewall log data for use in CIM compliant Splunk apps |
Websense firewalls | websense | TA-websense | Parses Websense log data for use in CIM compliant Splunk apps |
Intrusion Detection/Prevention Systems
Data source | Source type(s) | Add-on | Description |
---|---|---|---|
TippingPoint | tippingpoint | TA-tippingpoint | Parses Tipping Point log data for use in CIM compliant Splunk apps |
Juniper IDP | juniper:idp, netscreen:firewall, juniper:nsm:idp, juniper:nsm | TA-juniper | Parses Juniper log data for use in CIM compliant Splunk apps |
OSSEC host-based Intrusion Detection System (IDS) | ossec | TA-ossec | Parses OSSEC HIDS log data for use in CIM compliant Splunk apps |
Snort network intrusion prevention and detection system (IDS/IPS) | snort | TA-snort | Parses Snort IDS (open source) log data for use in CIM compliant Splunk apps |
McAfee firewall | mcafee:ids | TA-mcafee | Allows you to ingest McAfee EPO data for use in CIM compliant Splunk apps |
Norse IPViking | norse | Splunk_TA_norse | Allows you to download Norse Darklist threat intelligence data for use in Splunk. It also includes support for contextual lookups to Norse IPViking |
Windows Management Instrumentation (WMI) | WMI:LocalApplication, WMI:LocalSystem, WMI:LocalSecurity, WMI:CPUTime, WMI:FreeDiskSpace, WMI:LocalPhysicalDisk, WMI:Memory, WMI:LocalNetwork, WMI:LocalProcesses, WMI:ScheduledJobs, WMI:Service, WMI:InstalledUpdates, WMI:Uptime, WMI:UserAccounts, WMI:UserAccountsSID, WMI:Version | Splunk_TA_windows | Includes predefined inputs to collect data from Windows systems and normalize the data for use in CIM compliant Splunk apps |
Networking Devices
Data source | Source type(s) | Add-on | Description |
---|---|---|---|
Bro IDS 2.1 | bro | TA-Bro | Allows you to ingest packet captures (pcap) in Splunk using Bro IDS 2.1 |
Common Event Format (CEF) | cef | TA-cef | Parses ArcSight CEF data to the field names for use in CIM compliant Splunk apps, and is a useful template to start from when building a new add-on |
flowd NetFlow collector | flowd | TA-flowd | Parses flowd NetFlow data for use in CIM compliant Splunk apps |
NetFlow | flowfix | Splunk_TA_flowfix | Allows you to ingest NetFlow versions 5 and 7, along with IPFIX without vendor extensions. |
FTP servers | vsftpd | TA-ftp | Parses vsftpd log data for use in CIM compliant Splunk apps |
Anti-virus / Endpoint Software
Data source | Source type(s) | Add-on | Description |
---|---|---|---|
Sophos | SEC server log or syslog (sophos:threats) | TA-sophos | Parses Sophos log data for use in CIM compliant Splunk apps |
FireEye | cef logs or XML output | TA-fireeye | Parses FireEye data for use in CIM compliant Splunk apps |
McAfee anti-virus | mcafee:epo, mcafee:ids | TA-mcafee | Allows you to ingest McAfee EPO data for use in CIM compliant Splunk apps |
Symantec AntiVirus version 10 and earlier | sav, winsav | TA-sav | Parses Symantec Anti-Virus log data for use in CIM compliant Splunk apps |
Symantec Endpoint Protection (SEP) and Symantec AntiVirus version 11 and later | sep, sep:scm_admin | TA-sep | Parses Symantec Endpoint Protection log data for use in CIM compliant Splunk apps |
Trend Micro Endpoint Protection | WinEventLog:Application:trendmicro | TA-trendmicro | Parses Trend Micro log data for use in CIM compliant Splunk apps |
Vulnerability Management Systems
Data source | Source type(s) | Add-on | Description |
---|---|---|---|
nCircle IP360 vulnerability management system | ncircle:ip360 | TA-ncircle | Allows you to ingest nCircle log data for use in CIM compliant Splunk apps |
Nessus vulnerability scanner | nessus | TA-nessus | Allows you to ingest Tenable Nessus log data for use in CIM compliant Splunk apps |
Nmap security scanner | nmap | TA-nmap | Parses Network Mapper log data for use in CIM compliant Splunk apps |
Operating Systems
Data source | Source type(s) | Add-on | Description |
---|---|---|---|
Snare | snare | Splunk_TA_windows | Includes predefined inputs to collect data from Windows systems and normalize the data for use in CIM compliant Splunk apps |
NTSyslog | ntsyslog | Splunk_TA_windows | Includes predefined inputs to collect data from Windows systems and normalize the data for use in CIM compliant Splunk apps |
Monitorware | monitorware | Splunk_TA_windows | Includes predefined inputs to collect data from Windows systems and normalize the data for use in CIM compliant Splunk apps |
Platform-specific Unix authentication (security) logs | dhcpd, linux_secure, aix_secure, osx_secure, syslog | Splunk_TA_nix | Includes predefined inputs to collect data from *nix systems and normalize the data for use in CIM compliant Splunk apps |
Windows event, DHCP, and system update logs | DhcpSrvLog, WindowsUpdateLog, WinRegistry, WinEventLog:Security, WinEventLog:Application, WinEventLog:System, fs_notification, scripts:InstalledApps, scripts:ListeningPorts | Splunk_TA_windows | Includes predefined inputs to collect data from Windows systems and normalize the data for use in CIM compliant Splunk apps |
Windows Perfmon | PERFMON:CPUTime, PERFMON:FreeDiskSpace, PERFMON:Memory, PERFMON:LocalNetwork | Splunk_TA_windows | Includes predefined inputs to collect data from Windows systems and normalize the data for use in CIM compliant Splunk apps |
Other
Data source | Source type(s) | Add-on | Description |
---|---|---|---|
IP2Location geolocation software | (not applicable) | TA-ip2location | Provides the ability to correlate IP addresses to locations using the Python IP2Location library |
Oracle database | oracle | TA-oracle | Parses Oracle database server log data for use in CIM compliant Splunk apps |
RSA ACE (SecurID) | WinEventLog:Application:rsa | TA-rsa | Parses RSA ACE log data for use in CIM compliant Splunk apps |
Splunk Enterprise access and authentication logs | audittrail | TA-splunk | Parses Splunk audit log data for use in CIM compliant Splunk apps |
Note about Cisco Add-ons
The TA-Cisco add-on has been removed from the Splunk App for PCI Compliance package. The various Cisco apps and add-ons (Cisco IPS, Cisco Firewalls, Cisco CSA, Cisco ESA, Cisco WSA, Cisco MARS) provide the necessary knowledge layers, without needing the general purpose one from the Splunk App for PCI Compliance. This makes it possible to download only the technology apps and add-ons needed in your environment.
These apps have been tested with Splunk for PCI Compliance:
- Splunk for Cisco IPS
- Splunk for Cisco Firewalls
- Splunk for Cisco IronPort Email Security Appliance
- Splunk for Cisco IronPort Web Security Appliance
These apps can be installed on the search head alongside Splunk for PCI Compliance and then partially disabled so that their scheduled searches and dashboards do not add load:
- To disable the Cisco searches, go to Manager > Searches and Reports, select the app name and disable all searches.
- To disable their dashboards, go to Manager > User Interface > Views, select the app name and disable all views.
This documentation applies to the following versions of Splunk® App for PCI Compliance: 2.1.1