Add custom correlation searches
The Splunk App for PCI Compliance includes correlation searches that are used to identify threats to systems within the PCI cardholder data environment. These correlation searches have been mapped to the relevant sections of PCI DSS.
You can create custom correlation searches from within the app and map them to the relevant PCI DSS sections for use with the app.
Create a custom correlation search
Create a custom correlation search using the Correlation Search editor within the Configuration dashboard of the app. For this example, create a correlation search for PCI Requirement 9.
1. Go to Configure > Correlation Searches and click New. The "Correlation Search" editor opens.
2. In the "Correlation Search" editor, give your search a name and assign it to a domain based on what you are monitoring.
3. Set the "Application Context" as "DA-PCI-Requirement9".
4. Fill out the rest of the editor as appropriate.
5. Click Save.
The editor creates a correlationsearches.conf file in the local directory of the app selected as the "Application Context". In the example above, the file is placed in the
The contents of correlationsearches.conf look like this:
[Network - PCI Requirement 9 - Rule]
rule_name = PCI Requirement 9
security_domain = network
severity = critical
Map the PCI DSS controls
After the correlation search is created, you can map the correlation search to the relevant PCI DSS controls. This step requires file system access on the server.
In the same directory where the correlationsearches.conf was created:
1. Create a
2. Copy the stanza for the correlation search created by the editor in the correlationsearches.conf file and paste it into the
[Network - PCI Requirement 9 - Rule]
3. Add a compliance control mapping by adding a governance and control line under the correlation search stanza.
[Network - PCI Requirement 9 - Rule]
compliance.0.governance = pci
compliance.0.control = 9.1
4. Add additional compliance control mappings in pairs. The first line indicates the compliance or governance standard (for example, pci). The second line indicates the control mapping for the standard (for example, 9.1).
[Network - PCI Requirement 9 - Rule]
compliance.0.governance = pci
compliance.0.control = 9.1
compliance.1.governance = pci
compliance.1.control = 9.2
5. Save the file. The results take effect the next time the correlation search fires to create a notable event.
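Because the mapping is hand-edited on the server and only takes effect the next time the search fires, a mistake in the pairing (a governance line without its control line, or an index that skips a number) is easy to miss until a notable event shows up without its PCI control. The following script is an added example, not part of the Splunk App for PCI Compliance or this manual: it reads a stanza in the format shown above, extracts the compliance.N.governance / compliance.N.control pairs, and reports any pair that is incomplete, any control value that is not in dotted-number form, and any index sequence that is not contiguous from 0. The stanza text is constructed inline to mirror the documented example; the stanza name, rule settings and the two sample files are assumptions for illustration.

```python
import configparser
import re
from typing import Dict, List, Tuple

# Constructed sample mirroring the stanza documented above (not the app's shipped file).
SAMPLE_CONF = """
[Network - PCI Requirement 9 - Rule]
compliance.0.governance = pci
compliance.0.control = 9.1
compliance.1.governance = pci
compliance.1.control = 9.2
"""

# Constructed sample with a skipped index (1) and a governance line with no control line.
BROKEN_CONF = """
[Network - PCI Requirement 9 - Rule]
compliance.0.governance = pci
compliance.0.control = 9.1
compliance.2.governance = pci
"""

STANZA = "Network - PCI Requirement 9 - Rule"  # assumed stanza name from the example above

# compliance.<index>.governance / compliance.<index>.control, as used in the mapping file
KEY_RE = re.compile(r"^compliance\.(\d+)\.(governance|control)$")
# PCI DSS control identifiers are dotted numbers such as 9.1 or 9.2
CONTROL_RE = re.compile(r"^\d+(\.\d+)*$")


def load_stanzas(text: str) -> configparser.ConfigParser:
    """Parse Splunk-style .conf text (INI stanzas); keep key case and disable interpolation."""
    cp = configparser.ConfigParser(interpolation=None, strict=True)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def compliance_mappings(text: str, stanza: str) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Return ([(governance, control), ...], [problem, ...]) for one stanza.

    Only complete, well-formed pairs are returned as mappings; every defect
    found is described in the problems list so an operator can fix the file
    before the next notable event is created.
    """
    cp = load_stanzas(text)
    if not cp.has_section(stanza):
        return [], [f"stanza [{stanza}] not found"]

    by_index: Dict[int, Dict[str, str]] = {}
    for key, value in cp.items(stanza):
        m = KEY_RE.match(key)
        if not m:
            continue  # rule_name, severity, etc. are not compliance lines
        by_index.setdefault(int(m.group(1)), {})[m.group(2)] = value.strip()

    mappings: List[Tuple[str, str]] = []
    problems: List[str] = []
    for idx in sorted(by_index):
        pair = by_index[idx]
        if "governance" not in pair or "control" not in pair:
            problems.append(f"compliance.{idx}: governance and control must be set as a pair")
            continue
        if not CONTROL_RE.match(pair["control"]):
            problems.append(f"compliance.{idx}.control: {pair['control']!r} is not a dotted control number")
            continue
        mappings.append((pair["governance"], pair["control"]))

    indices = sorted(by_index)
    if indices != list(range(len(indices))):
        problems.append(f"compliance indices are not contiguous from 0: {indices}")
    return mappings, problems


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_CONF), ("broken", BROKEN_CONF)):
        found, issues = compliance_mappings(text, STANZA)
        print(f"{label}: mappings={found}")
        for issue in issues:
            print(f"  problem: {issue}")
```

Run it against the real file with `open(path).read()` in place of the constructed strings; a clean result is an empty problems list and one (governance, control) tuple per pair you intended to add.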
See "Create new correlation searches" in this manual for additional information.
This documentation applies to the following versions of Splunk® App for PCI Compliance: 2.1.1