Splunk® App for PCI Compliance

Data Source Integration Manual

This documentation does not apply to the most recent version of Splunk® App for PCI Compliance. For documentation on the most recent version, go to the latest release.

Out-of-the-box source types

This section provides a list of the data sources for which Splunk for PCI Compliance provides out-of-the-box support. It also provides a list of the source types that are used for the different data sources and technology add-ons.

Source types are important because PCI Compliance uses the source type as the basis for interpreting all data coming in from a particular source. Source types need to be carefully defined so that they are not overloaded (one source type carrying unrelated data) or misused (data tagged with a source type whose format it does not match).

When a supported data type is imported, the correct source type needs to be assigned to the data to ensure that data is recognized and parsed correctly by PCI Compliance. For example, events from a Juniper firewall must be assigned a netscreen:firewall source type for TA-juniper to recognize and parse them correctly.

To learn more about the supported data types and source types, see the "List of pretrained source types" in the Splunk documentation. For more information on assigning source types to data inputs, see "About default fields" in the Splunk documentation.
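The following stanzas are an added example, not part of the Splunk documentation, showing how NetScreen events that arrive on a shared UDP syslog input can be assigned the netscreen:firewall source type at index time so that TA-juniper recognizes them instead of leaving them under the generic syslog source type. The input name (udp:514), the stanza names and the match pattern for NetScreen syslog lines are assumptions; the settings belong on the indexer or heavy forwarder that parses the data.

```ini
# props.conf -- assumed shared syslog input; index-time transform applied to every event from it
[source::udp:514]
TRANSFORMS-set_juniper_sourcetype = juniper_netscreen_sourcetype

# transforms.conf -- overrides the default "syslog" source type for matching events only
[juniper_netscreen_sourcetype]
# Assumed marker found in NetScreen syslog lines, e.g.
# "ns5gt: NetScreen device_id=ns5gt [Root]system-notification-00257(traffic): ..."
REGEX = NetScreen\s+device_id=
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::netscreen:firewall
```

After a restart, confirm the routing with a search on sourcetype=netscreen:firewall and check that the same hosts no longer appear under sourcetype=syslog, since events already indexed keep their original source type.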

The following table lists the data sources with out-of-the-box support in the Splunk App for PCI Compliance, along with the associated source type and technology add-on name:

Wireless Devices

| Data source | Source type(s) | Add-on | Description |
| --- | --- | --- | --- |
| Motorola AirDefense wireless IDS | airdefense | TA-airdefense | Parses AirDefense log data for use in CIM-compliant Splunk apps |
| Alcatel | alcatel | TA-alcatel | Parses Alcatel network switch log data for use in CIM-compliant Splunk apps |

Proxies

| Data source | Source type(s) | Add-on | Description |
| --- | --- | --- | --- |
| Blue Coat ProxySG | bluecoat | TA-bluecoat | Parses Blue Coat proxy data for use in CIM-compliant Splunk apps |
| Juniper NetScreen firewalls and IDP intrusion detection/prevention systems | juniper:idp, netscreen:firewall, juniper:nsm:idp, juniper:nsm | TA-juniper | Parses Juniper log data for use in CIM-compliant Splunk apps |
| Fortinet Unified Threat Management (UTM) systems | fortinet | TA-fortinet | Parses Fortinet log data for use in CIM-compliant Splunk apps |
| Palo Alto firewalls | pan, pan:config, pan:system, pan:threat, pan:traffic | TA-paloalto | Parses Palo Alto firewall log data for use in CIM-compliant Splunk apps |
| Websense firewalls | websense | TA-websense | Parses Websense log data for use in CIM-compliant Splunk apps |

Intrusion Detection/Prevention Systems

| Data source | Source type(s) | Add-on | Description |
| --- | --- | --- | --- |
| TippingPoint | tippingpoint | TA-tippingpoint | Parses TippingPoint log data for use in CIM-compliant Splunk apps |
| Juniper IDP | juniper:idp, netscreen:firewall, juniper:nsm:idp, juniper:nsm | TA-juniper | Parses Juniper log data for use in CIM-compliant Splunk apps |
| OSSEC host-based Intrusion Detection System (IDS) | ossec | TA-ossec | Parses OSSEC HIDS log data for use in CIM-compliant Splunk apps |
| Snort network intrusion prevention and detection system (IDS/IPS) | snort | TA-snort | Parses Snort IDS (open source) log data for use in CIM-compliant Splunk apps |
| McAfee firewall | mcafee:ids | TA-mcafee | Allows you to ingest McAfee ePO data for use in CIM-compliant Splunk apps |
| Norse IPViking | norse | Splunk_TA_norse | Allows you to download Norse Darklist threat intelligence data for use in Splunk. It also includes support for contextual lookups to Norse IPViking |
| Windows Management Instrumentation (WMI) | WMI:LocalApplication, WMI:LocalSystem, WMI:LocalSecurity, WMI:CPUTime, WMI:FreeDiskSpace, WMI:LocalPhysicalDisk, WMI:Memory, WMI:LocalNetwork, WMI:LocalProcesses, WMI:ScheduledJobs, WMI:Service, WMI:InstalledUpdates, WMI:Uptime, WMI:UserAccounts, WMI:UserAccountsSID, WMI:Version | Splunk_TA_windows | Includes predefined inputs to collect data from Windows systems and normalize the data for use in CIM-compliant Splunk apps |

Networking Devices

| Data source | Source type(s) | Add-on | Description |
| --- | --- | --- | --- |
| Bro IDS 2.1 | bro | TA-Bro | Allows you to ingest packet captures (pcap) in Splunk using Bro IDS 2.1 |
| Common Event Format (CEF) | cef | TA-cef | Parses ArcSight CEF data into the field names used by CIM-compliant Splunk apps, and is a useful template to start from when building a new add-on |
| flowd NetFlow collector | flowd | TA-flowd | Parses flowd NetFlow data for use in CIM-compliant Splunk apps |
| NetFlow | flowfix | Splunk_TA_flowfix | Allows you to ingest NetFlow versions 5 and 7, along with IPFIX without vendor extensions |
| FTP servers | vsftpd | TA-ftp | Parses vsftpd log data for use in CIM-compliant Splunk apps |

Anti-virus / Endpoint Software

| Data source | Source type(s) | Add-on | Description |
| --- | --- | --- | --- |
| Sophos | SEC server log or syslog (sophos:threats) | TA-sophos | Parses Sophos log data for use in CIM-compliant Splunk apps |
| FireEye | CEF logs or XML output | TA-fireeye | Parses FireEye data for use in CIM-compliant Splunk apps |
| McAfee anti-virus | mcafee:epo, mcafee:ids | TA-mcafee | Allows you to ingest McAfee ePO data for use in CIM-compliant Splunk apps |
| Symantec AntiVirus, version 10 and earlier | sav, winsav | TA-sav | Parses Symantec AntiVirus log data for use in CIM-compliant Splunk apps |
| Symantec Endpoint Protection (SEP) and Symantec AntiVirus, version 11 and later | sep, sep:scm_admin | TA-sep | Parses Symantec Endpoint Protection log data for use in CIM-compliant Splunk apps |
| Trend Micro Endpoint Protection | WinEventLog:Application:trendmicro | TA-trendmicro | Parses Trend Micro log data for use in CIM-compliant Splunk apps |

Vulnerability Management Systems

| Data source | Source type(s) | Add-on | Description |
| --- | --- | --- | --- |
| nCircle IP360 vulnerability management system | ncircle:ip360 | TA-ncircle | Allows you to ingest nCircle log data for use in CIM-compliant Splunk apps |
| Nessus vulnerability scanner | nessus | TA-nessus | Allows you to ingest Tenable Nessus log data for use in CIM-compliant Splunk apps |
| Nmap security scanner | nmap | TA-nmap | Parses Network Mapper (Nmap) log data for use in CIM-compliant Splunk apps |

Operating Systems

| Data source | Source type(s) | Add-on | Description |
| --- | --- | --- | --- |
| Snare | snare | Splunk_TA_windows | Includes predefined inputs to collect data from Windows systems and normalize the data for use in CIM-compliant Splunk apps |
| NTSyslog | ntsyslog | Splunk_TA_windows | Includes predefined inputs to collect data from Windows systems and normalize the data for use in CIM-compliant Splunk apps |
| Monitorware | monitorware | Splunk_TA_windows | Includes predefined inputs to collect data from Windows systems and normalize the data for use in CIM-compliant Splunk apps |
| Platform-specific Unix authentication (security) logs | dhcpd, linux_secure, aix_secure, osx_secure, syslog | Splunk_TA_nix | Includes predefined inputs to collect data from *nix systems and normalize the data for use in CIM-compliant Splunk apps |
| Windows event, DHCP, and system update logs | DhcpSrvLog, WindowsUpdateLog, WinRegistry, WinEventLog:Security, WinEventLog:Application, WinEventLog:System, fs_notification, scripts:InstalledApps, scripts:ListeningPorts | Splunk_TA_windows | Includes predefined inputs to collect data from Windows systems and normalize the data for use in CIM-compliant Splunk apps |
| Windows Perfmon | PERFMON:CPUTime, PERFMON:FreeDiskSpace, PERFMON:Memory, PERFMON:LocalNetwork | Splunk_TA_windows | Includes predefined inputs to collect data from Windows systems and normalize the data for use in CIM-compliant Splunk apps |

Other

| Data source | Source type(s) | Add-on | Description |
| --- | --- | --- | --- |
| IP2Location geolocation software | (not applicable) | TA-ip2location | Provides the ability to correlate IP addresses to locations using the Python IP2Location library |
| Oracle database | oracle | TA-oracle | Parses Oracle database server log data for use in CIM-compliant Splunk apps |
| RSA ACE (SecurID) | WinEventLog:Application:rsa | TA-rsa | Parses RSA ACE log data for use in CIM-compliant Splunk apps |
| Splunk Enterprise access and authentication logs | audittrail | TA-splunk | Parses Splunk audit log data for use in CIM-compliant Splunk apps |

Note about Cisco Add-ons

The TA-Cisco add-on has been removed from the Splunk App for PCI Compliance package. The individual Cisco apps and add-ons (Cisco IPS, Cisco Firewalls, Cisco CSA, Cisco ESA, Cisco WSA, Cisco MARS) provide the necessary knowledge layers on their own, without the general-purpose add-on formerly shipped with the Splunk App for PCI Compliance. This makes it possible to download only the technology apps and add-ons needed in your environment.

These apps have been tested with Splunk for PCI Compliance:

These apps can be installed on the search head alongside Splunk for PCI Compliance and then partially disabled to reduce load:

  • To disable the Cisco searches, go to Manager > Searches and Reports, select the app name and disable all searches.
  • To disable their dashboards, go to Manager > User Interface > Views, select the app name and disable all views.
Last modified on 23 March, 2015

This documentation applies to the following versions of Splunk® App for PCI Compliance: 2.1.1
