Splunk® App for PCI Compliance

Installation and Configuration Manual


This documentation does not apply to the most recent version of PCI. Click here for the latest version.

Add a custom report

The Splunk App for PCI Compliance provides reports for different aspects of your PCI compliance. Each report (or dashboard) in the Splunk App for PCI Compliance has an XML file (for instance pci_malware_activity.xml) that describes the information used in the report, which notable events provide the data, and how that data is displayed. These reports are included as part of the app.

To add a custom report to your deployment, first create the XML file for your report. See "About the Dashboard Editor" in the Dashboards and Visualizations manual.

Add the report to the navigation (menu bar)

To add your custom report (your_report.xml) to the app, reference it in the app's navigation XML file, $SPLUNK_HOME/etc/apps/SplunkPCIComplianceSuite/local/data/ui/nav/default.xml. Every menu item in the app is defined in this file, and each app has only one navigation file. For the new report to appear in the correct place in the app navigation (the correct location in the menu bar), the reference must be placed in the correct domain section of the navigation file; in other words, you must associate the new report with a domain.

1. To add your custom report to the navigation file, go to Manager > User interface > Navigation menus.

2. Select default next to SplunkPCIComplianceSuite. An editor displays the navigation file for the Splunk App for PCI Compliance.

3. Choose the domain for the new report. This is the location in the default.xml file where you reference your custom report file (your_report.xml).

A report is associated with, or categorized under, a domain within the app. In the Splunk App for PCI Compliance these categories appear in the Reports tab. The categories are:

  • Network Security
  • Endpoint Security
  • Cardholder Data
  • Access Control
  • Monitor & Test

Within the navigation file (default.xml), the categories look like this:

<nav>
    ...
    ...
    <collection label="Reports">

        <collection label="Network Security">
            <a href='/app/SplunkPCIComplianceSuite/pci_communication_rule_activity?category=pci'>Firewall Rule Activity</a>
            ...
            <!--ADD HERE-->
            ...
        </collection>

        <collection label="Endpoint Security">
            <a href='/app/SplunkPCIComplianceSuite/pci_malware_activity?category=pci'>Malware Activity</a>
            ...
            <!--ADD HERE-->
            ...
        </collection>

        <collection label="Cardholder Data">
            ...
            <!--ADD HERE-->
            ...
        </collection>

        <collection label="Access Control">
            <a href='/app/SplunkPCIComplianceSuite/pci_insecure_authentication_attempts?category=pci'>Insecure Authentication Attempts</a>
            ...
            <!--ADD HERE-->
            ...
        </collection>

        <!-- A bare "&" in an attribute is not well-formed XML, so the label is written as &amp; -->
        <collection label="Monitor &amp; Test">
            <a href='/app/SplunkPCIComplianceSuite/pci_asset_logging?category=pci'>PCI Asset Logging</a>
            ...
            <!--ADD HERE-->
            ...
        </collection>

    </collection>
</nav>

You can add a report to any of the places in the file indicated with <!--ADD HERE-->.

4. Add the custom report to the default.xml file and Save the file.

For example, to add your report to Monitor & Test, add a link to your report (the view name your_report, that is, the file name without its .xml extension, in the same form as the app's other links) and its display name to default.xml, as shown in the following snippet:

<collection label="Monitor &amp; Test">
    <a href='/app/SplunkPCIComplianceSuite/pci_asset_logging?category=pci'>PCI Asset Logging</a>
    ...
    <a href='/app/SplunkPCIComplianceSuite/your_report?category=pci'>Your custom report</a>
    ...
</collection>

Click Save.

Note: When you open default.xml, you are looking at the default copy of the file. When you save, your changes are saved to a local version of the file.

5. Restart Splunk Enterprise.

Your new custom report shows up in the Monitor & Test menu in the Splunk App for PCI Compliance. You can also view the new report by going to Configure > Domains / Dashboards.

If you disable the custom report in the Domains / Dashboards navigation editor, you need to manually re-add it to the $SPLUNK_HOME/etc/apps/SplunkPCIComplianceSuite/local/data/ui/nav/default.xml file.

See "Dashboards and Forms" in the Dashboards and Visualizations manual.
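As an added example (not code from the Splunk documentation or from the app itself), the following Python script performs the navigation edit described above programmatically and checks that every report link under Reports points at an installed view, which catches a link that wrongly keeps the .xml suffix. The nav XML and the set of installed view names are constructed for the demonstration.

```python
# Added example, not from the Splunk documentation: add a report link to a
# PCI app navigation file and check that every link under "Reports" points at
# a view that exists. The nav XML and the set of installed views are constructed.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

APP = "SplunkPCIComplianceSuite"
PREFIX = f"/app/{APP}/"

# Constructed minimal default.xml. The ampersand in a label attribute has to be
# written as &amp;: a bare "&" is not well-formed XML and the nav file will not load.
NAV_XML = """<nav>
  <collection label="Reports">
    <collection label="Network Security">
      <a href='/app/SplunkPCIComplianceSuite/pci_communication_rule_activity?category=pci'>Firewall Rule Activity</a>
    </collection>
    <collection label="Monitor &amp; Test">
      <a href='/app/SplunkPCIComplianceSuite/pci_asset_logging?category=pci'>PCI Asset Logging</a>
    </collection>
  </collection>
</nav>"""

# Constructed: view names installed in the app (file names without the .xml suffix).
INSTALLED_VIEWS = {"pci_communication_rule_activity", "pci_asset_logging", "your_report"}

def add_report(nav_xml, domain, view, label):
    """Append <a href='/app/APP/<view>?category=pci'>label</a> to the domain
    collection inside "Reports"; the parser has already unescaped &amp; in labels."""
    root = ET.fromstring(nav_xml)
    reports = next(c for c in root.iter("collection") if c.get("label") == "Reports")
    for coll in reports.findall("collection"):
        if coll.get("label") == domain:
            link = ET.SubElement(coll, "a")
            link.set("href", f"{PREFIX}{view}?category=pci")
            link.text = label
            return ET.tostring(root, encoding="unicode")
    raise ValueError(f"no domain collection labelled {domain!r} under Reports")

def broken_links(nav_xml, installed=INSTALLED_VIEWS):
    """Return hrefs whose target is not an installed view, which catches a link
    that wrongly keeps the .xml suffix or a mistyped view name."""
    bad = []
    for a in ET.fromstring(nav_xml).iter("a"):
        href = a.get("href", "")
        path = urlparse(href).path
        view = path[len(PREFIX):] if path.startswith(PREFIX) else ""
        if view not in installed:
            bad.append(href)
    return bad
```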

Email a report

The Splunk App for PCI Compliance can be configured to email a report, either attaching it as an HTML file or including it inline in the email body. Using the "action.email.html.cssfile" parameter in savedsearches.conf you can apply styling to the HTML document. Sample CSS files for portrait and landscape mode, with simple pagination, are included in $SPLUNK_HOME/etc/apps/SplunkPCIComplianceSuite/appserver/static/stylesheets.

To enable styled HTML email output of a report:

1. Place a CSS file in $SPLUNK_HOME/etc/apps/<namespace>/appserver/static/stylesheets, where <namespace> is the name of the application in which the search is run.

2. Set the "action.email.html.cssfile" parameter in savedsearches.conf to the file name of the CSS file.

For example:

[emailtest]
action.email = 1
action.email.html.cssfile = portrait.css
action.email.inline = 0
action.email.format = html
action.email.sendresults = 1
action.email.to = user@splunk.com
alert.digest_mode = True
alert.suppress = 0
alert.track = 1
cron_schedule = * * * * *
description = test2
dispatch.earliest_time = -1d
enableSched = 1
search = `communicate` | head 100 | table src src_port dest dest_port _time | convert ctime(_time)

Note: Make all changes to the savedsearches.conf file in $SPLUNK_HOME/etc/system/local. To change a setting, copy the section (stanza) you want to change from $SPLUNK_HOME/etc/system/default into $SPLUNK_HOME/etc/system/local and edit it there.

3. Set the "action.email.inline" parameter in savedsearches.conf, which controls whether the HTML is sent as an attachment (0) or inline (1).

4. Refresh the saved search. Because the savedsearches.conf file has been edited directly, one final step is required before Splunk picks up the change. Do one of the following:

  • Issue a request to the following URL using curl, wget, or the browser of your choice:

https://<your.server.ip.here>:8000/en-US/debug/refresh?entity=admin/savedsearch

  • Restart Splunk Enterprise:

$SPLUNK_HOME/bin/splunk restart

Note: It is not possible to configure this feature using the Splunk Web UI. You must edit the savedsearches.conf file directly.
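As an added example (not from the Splunk documentation), this Python check validates the email-related settings of a savedsearches.conf stanza against the requirements listed above before you refresh or restart Splunk. The stanza text (modelled on the one above, with a placeholder recipient) and the list of stylesheets present in appserver/static/stylesheets are constructed for the demonstration.

```python
# Added example, not from the Splunk documentation: sanity-check a
# savedsearches.conf stanza for the styled-HTML email settings before
# restarting Splunk. The stanza text and the set of stylesheet file names
# found in appserver/static/stylesheets are constructed for this demo.
import configparser

STANZA = """[emailtest]
action.email = 1
action.email.html.cssfile = portrait.css
action.email.inline = 0
action.email.format = html
action.email.sendresults = 1
action.email.to = user@example.com
enableSched = 1
cron_schedule = * * * * *
search = `communicate` | head 100 | table src src_port dest dest_port _time
"""
# Constructed: files present in $SPLUNK_HOME/etc/apps/<namespace>/appserver/static/stylesheets
STYLESHEETS = {"portrait.css", "landscape.css"}

def check_email_stanza(conf_text, name, stylesheets=STYLESHEETS):
    """Return a list of problems; an empty list means the stanza meets the
    requirements for styled HTML email output."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case as written (enableSched, not enablesched)
    cp.read_string(conf_text)
    if name not in cp:
        return [f"stanza [{name}] not found"]
    s = cp[name]
    problems = []
    if s.get("action.email") != "1":
        problems.append("action.email must be 1 for the email action to run")
    if s.get("action.email.format") != "html":
        problems.append("action.email.format must be html for the CSS to apply")
    css = s.get("action.email.html.cssfile")
    if not css:
        problems.append("action.email.html.cssfile is not set")
    elif css not in stylesheets:
        problems.append(f"{css} not found in appserver/static/stylesheets")
    if s.get("action.email.inline") not in ("0", "1"):
        problems.append("action.email.inline must be 0 (attachment) or 1 (inline)")
    if s.get("action.email.sendresults") != "1":
        problems.append("action.email.sendresults must be 1 to include the results")
    if not s.get("action.email.to"):
        problems.append("action.email.to has no recipient")
    return problems
```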


This documentation applies to the following versions of Splunk® App for PCI Compliance: 2.1.1
