Splunk® App for PCI Compliance

Installation and Configuration Manual

This documentation does not apply to the most recent version of PCI.

FAQ

Question: Correlation searches are working and notable events are created, but the scorecards are not active.

Answer: Two possibilities exist if notable events are created but do not show up on scorecards within the Splunk App for PCI Compliance.

1. Notable events are being suppressed by a suppression rule.
To troubleshoot this possibility, go to the Suppression Manager and/or the Suppression Audit view to determine if suppressions are actively suppressing notable events. You can also run these searches to determine if notable events are being suppressed.

  `notable`

versus

  `notable` | search NOT `suppression`

Validate that your suppression rules are accurate and properly enabled/disabled. This might be the way that you want your suppression rules set up.

2. Notable events are not linked to a governance and control value in governance.conf (this would only affect custom PCI correlation searches).
To troubleshoot this possibility, perform these searches to determine if notable events are being filtered due to lack of governance linkage:

  `notable`

versus

  `notable` | search (`get_governance(pci)`)

To fix this issue, add governance.conf links to notable events per governance.conf.spec or see "Configure correlation searches" in this manual.
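
As an added illustration (not taken from this manual or from the app's shipped configuration), a governance.conf stanza that links a custom correlation search to a PCI control could look like the following. The stanza name and the control number are hypothetical, and the `compliance.<n>.*` key names are an assumption to be checked against the governance.conf.spec shipped with your version.

```ini
# Added example, not from the manual.
# Stanza name = name of the custom correlation search (hypothetical here).
[PCI - Custom Cardholder Database Access - Rule]
# Governance framework that the scorecards filter on through `get_governance(pci)`.
compliance.0.governance = pci
# PCI DSS requirement that the notable event counts against (hypothetical value).
compliance.0.control = 10.2
```

After adding the stanza, rerun the two searches above: new notable events from the custom search should appear in both result sets.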

Cisco add-ons

You can install the Cisco add-ons listed below on the search head alongside the Splunk App for PCI Compliance and partially disable them so that they do not add load.

  • To disable the Cisco searches, go to Manager > Searches and Reports, select the app name and disable all searches.
  • To disable their dashboards, go to Manager > User Interface > Views, select the app name and disable all views.

This applies to these Cisco add-ons:

   Splunk for Cisco IPS
   http://splunk-base.splunk.com/apps/Splunk+for+Cisco+IPS
   Splunk for Cisco Firewalls
   http://splunk-base.splunk.com/apps/Splunk+for+Cisco+Firewalls
   Splunk for Cisco Client Security Agent
   http://splunk-base.splunk.com/apps/Splunk+for+Cisco+Client+Security+Agent
   Splunk for Cisco IronPort Email Security Appliance
   http://splunk-base.splunk.com/apps/Splunk+for+Cisco+IronPort+Email+Security+Appliance
   Splunk for Cisco IronPort Web Security Appliance
   http://splunk-base.splunk.com/apps/Splunk+for+Cisco+IronPort+Web+Security+Appliance
   Splunk for Cisco MARS
   http://splunk-base.splunk.com/apps/Splunk+for+Cisco+MARS

This documentation applies to the following versions of Splunk® App for PCI Compliance: 2.1.1

