Splunk® App for PCI Compliance

Installation and Configuration Manual



This documentation does not apply to the most recent version of Splunk® App for PCI Compliance. For documentation on the most recent version, go to the latest release.

Add custom correlation searches

The Splunk App for PCI Compliance includes correlation searches that are used to identify threats to systems within the PCI cardholder data environment. These correlation searches have been mapped to the relevant sections of PCI DSS.

You can create custom correlation searches from within the app and map them to the relevant PCI DSS sections for use with the app.

Create a custom correlation search

Create a custom correlation search using the Correlation Search editor within the Configuration dashboard of the app. For this example, create a correlation search for PCI Requirement 9.

1. Go to Configure > Correlation Searches and click New. The "Correlation Search" editor opens.

2. In the "Correlation Search" editor, give your search a name and assign it to a domain based on what you are monitoring.

3. Set the "Application Context" as "DA-PCI-Requirement9".

4. Fill out the rest of the editor as appropriate.

5. Click Save.

The editor creates a correlationsearches.conf file in the local directory of the app selected as the "Application Context". In the example above, the file is placed in the /Applications/splunk/etc/apps/DA-PCI-Requirement9/local directory.

The contents of correlationsearches.conf look like this:

[Network - PCI Requirement 9  - Rule]
rule_name = PCI Requirement 9
security_domain = network
severity = critical

Map the PCI DSS controls

After the correlation search is created, you can map the correlation search to the relevant PCI DSS controls. This step requires file system access on the server.

In the same directory where the correlationsearches.conf was created:

1. Create a governance.conf file.
Example: /Applications/splunk/etc/apps/DA-PCI-Requirement9/local/governance.conf

2. Copy the stanza for the correlation search created by the editor in the correlationsearches.conf file and paste it into the governance.conf file.
Example:

[Network - PCI Requirement 9  - Rule]

3. Add a compliance control mapping by adding a governance and control line under the correlation search stanza.
Example:

[Network - PCI Requirement 9  - Rule]
compliance.0.governance = pci
compliance.0.control = 9.1

4. Add additional compliance control mappings in pairs. The first line indicates the compliance or governance standard (for example, pci). The second line indicates the control mapping for the standard (for example, 9.1).
Example:

[Network - PCI Requirement 9  - Rule]
compliance.0.governance = pci
compliance.0.control = 9.1
compliance.1.governance = pci
compliance.1.control = 9.2

5. Save the file. The results take effect the next time the correlation search fires to create a notable event.
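Because step 5 gives no feedback until the search next fires, it helps to check a hand-written governance.conf before saving it. The following script is an added example, not tooling from this manual or the app: it parses constructed copies of the two files shown in this topic and reports stanzas that do not match correlationsearches.conf, half-written governance/control pairs, gaps in the compliance index sequence, and control values that are not control numbers.

```python
import configparser
import re
from io import StringIO

# Constructed copies of the two files described in this topic (not read from
# a deployment). The stanza name contains a double space and must match exactly.
CORRELATION_CONF = """\
[Network - PCI Requirement 9  - Rule]
rule_name = PCI Requirement 9
security_domain = network
severity = critical
"""
GOVERNANCE_CONF = """\
[Network - PCI Requirement 9  - Rule]
compliance.0.governance = pci
compliance.0.control = 9.1
compliance.1.governance = pci
compliance.1.control = 9.2
"""
KEY_RE = re.compile(r"^compliance\.(\d+)\.(governance|control)$")
CONTROL_RE = re.compile(r"^\d+(\.\d+)*$")  # e.g. 9, 9.1, 10.2.4

def load_conf(text):
    """Parse Splunk-style .conf text; keys are kept case-sensitive."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str
    parser.read_file(StringIO(text))
    return parser

def parse_mappings(gov, stanza):
    """Group the compliance.N.governance / compliance.N.control keys of one stanza by N."""
    pairs = {}
    for key, value in gov.items(stanza):
        m = KEY_RE.match(key)
        if m:
            pairs.setdefault(int(m.group(1)), {})[m.group(2)] = value
    return pairs

def check_governance(corr_text, gov_text):
    """Return a list of problems; an empty list means governance.conf is consistent."""
    corr, gov = load_conf(corr_text), load_conf(gov_text)
    problems = []
    for stanza in gov.sections():
        if not corr.has_section(stanza):  # stanza names must match character for character
            problems.append(f"{stanza}: no matching stanza in correlationsearches.conf")
            continue
        pairs = parse_mappings(gov, stanza)
        if sorted(pairs) != list(range(len(pairs))):  # indices must run 0, 1, 2, ...
            problems.append(f"{stanza}: compliance indices must be contiguous from 0")
        for i, pair in sorted(pairs.items()):
            if set(pair) != {"governance", "control"}:  # mappings are added in pairs
                problems.append(f"{stanza}: compliance.{i} needs both a governance and a control line")
            elif not CONTROL_RE.match(pair["control"]):
                problems.append(f"{stanza}: compliance.{i}.control {pair['control']!r} is not a control number")
    return problems
```

Run it against the real local/governance.conf and local/correlationsearches.conf contents once they exist; the checks cover only the format this topic describes, not whether the control number is the right one for the search.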

See "Create new correlation searches" in this manual for additional information.

Last modified on 26 October, 2015

This documentation applies to the following versions of Splunk® App for PCI Compliance: 2.1.1
