Splunk® App for PCI Compliance

Data Source Integration Manual

Acrobat logo Download manual as PDF

This documentation does not apply to the most recent version of PCI. Click here for the latest version.
Acrobat logo Download topic as PDF


The Payment Card Industry Data Security Standard or PCI DSS, is an industry standard for all organizations that handle cardholder data. This data can include credit cards, debit cards, ATM cards, and point of sale (POS) cards. The Data Security Standard is made up of twelve (12) requirements that businesses are expected to comply with. The Splunk App for PCI Compliance gives the PCI compliance manager visibility into PCI compliance-relevant data captured and indexed within Splunk.

The Splunk App for PCI Compliance's scorecards, reports, and correlation searches are designed to present a unified view of PCI compliance across heterogeneous vendor data formats. Traditional approaches do so based on normalizing the data into a common schema at time of data collection. Splunk provides this unified view based on search-time mappings to a common set of field names and tags that can be defined at any time after the data is already captured, indexed, and available for ad hoc search.

These search-time mappings mean that you don't need to write parsers up front before you can start collecting and searching the data. However, you do need to define the field extractions and tags for each data format before the PCI compliance scorecards, reports, and correlation searches will work on that data. These tags and field extractions for data formats are defined in technology add-ons. The Splunk App for PCI Compliance ships with an initial set of these add-ons. This manual explains how to create your own.

Technology add-ons contain the Splunk "knowledge" - field extractions, tags, and source types - necessary to extract and normalize detailed information from the data sources at search time and make the resulting information available for reporting. By creating your own technology add-ons, you can easily add new or custom types of data and fully integrate them with the existing dashboards and reports within the Splunk App for PCI Compliance.

Once you have created a technology add-on, you can add it to your Splunk App for PCI Compliance deployment or post it to Splunkbase to share with others.

What is a technology add-on?

A technology add-on is a Splunk app that extracts knowledge from IT data so that it can be processed by Splunk for PCI Compliance, as well as other apps that leverage the Common Information Model (CIM). The technology add-on may pull data into Splunk or simply map data that is already coming in. Technology add-ons may conflict with or duplicate other Splunk apps that are already pulling in the same sort of data if they disagree on the source type. The difference between a technology add-on and another Splunk app is compliance with the Common Information Model.

Note: The technology add-on will not require a user interface because reporting will be handled by existing Centers and Searches in the Splunk App for PCI Compliance.

Define a source type for the data

By default Splunk automatically sets a source type for a given data input. Each technology add-on should have at least one source type defined for the data that is captured and indexed within Splunk. This will require an override of the automatic source type that Splunk will attempt to assign to the data source, because the primary source type must be set in the technology add-on in order to apply the right field extractions used by Splunk for PCI Compliance. A technology add-on can extrapolate key data within the raw text of logs to extract "fields," that are fully compliant with the Common Information Model in the Knowledge Manager Manual.

Specifically, a technology add-on performs the following functions:

  • Capture and index the data: If necessary, the technology add-on can import and source type the data into Splunk. This is not required if the data is already in Splunk and source-typed properly.
  • Identify the relevant events that should be visible for security purposes (such as a successful login to a server).
  • Extract fields and aliases that match the CIM so that Notable Events can be generated and dashboards will function properly.
  • Create tags to categorize the data (for example, tagging all data indicating network communication with the tags "network" and "communicate").
  • Create any additional required fields that are not in the original data source (such as fields that describe the vendor or product).
  • Normalize field values to a common standard (such as changing "Accepted public key" or "Success Audit" into "action=success").

Each technology add-on is designed for a specific data format, such as a particular vendor's firewall or router. Once the technology add-on is created, data sources simply need to be assigned the corresponding source type for the technology add-on to begin processing the data.

Things you need to know to build a technology add-on

See the Common Information Model in the Knowledge Manager Manual, part of the core Splunk product documentation, for more information about these tasks:

See the "Out-of-the-box Source Types" in this document for a list of tags and source types that are already available with the Splunk App for PCI Compliance.

Available technology add-ons

Each Splunk App for PCI Compliance technology add-on is specific to a single technology, or portion of a technology that provides all the Splunk knowledge necessary to incorporate that technology into the Splunk App for PCI Compliance. You can use pre-packaged add-ons when available:

  • Technology add-ons for a number of common source types are bundled with the Splunk App for PCI Compliance. Some of these add-ons may need to be configured for your environment. Each add-on contains a README file that details the required configurations.
Last modified on 23 March, 2015
Create a technology add-on

This documentation applies to the following versions of Splunk® App for PCI Compliance: 2.1.1

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters