FAQ
Question: Correlation searches are working and notable events are created, but the scorecards are not active.
Answer: Two possibilities exist if notable events are created but do not show up on scorecards within the Splunk App for PCI Compliance.
1. Notable events are being suppressed by a suppression rule.
To troubleshoot this possibility, go to the Suppression Manager and/or the Suppression Audit view to determine if suppressions are actively suppressing notable events. You can also run these searches to determine if notable events are being suppressed.
`notable`
versus
`notable` | search NOT `suppression`
Validate that your suppression rules are accurate and correctly enabled or disabled. The suppression may be intentional: this might be exactly how you want your suppression rules set up.
2. Notable events are not linked to a governance and control value in governance.conf (this only affects custom PCI correlation searches).
To troubleshoot this possibility, run these searches to determine if notable events are being filtered out for lack of a governance linkage:
`notable`
versus
`notable` | search (`get_governance(pci)`)
To fix this issue, add governance.conf links for the notable events as described in governance.conf.spec, or see "Configure correlation searches" in this manual.
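As an added example (not from the Splunk documentation), the following search folds the two comparisons above into one table: it counts all notable events, those that survive suppression, and those linked to PCI governance, then derives how many are dropped by each cause. It assumes the `notable`, `suppression` and `get_governance(pci)` macros behave exactly as used in the searches above and that the time range is set with the time picker.

```spl
`notable`
| stats count AS total_notables
| appendcols
    [ `notable`
      | search NOT `suppression`
      | stats count AS not_suppressed ]
| appendcols
    [ `notable`
      | search (`get_governance(pci)`)
      | stats count AS governance_linked ]
| eval suppressed = total_notables - not_suppressed,
       unlinked   = total_notables - governance_linked
| table total_notables suppressed not_suppressed governance_linked unlinked
```

A non-zero `suppressed` column points at case 1 (check the Suppression Manager); a non-zero `unlinked` column points at case 2 (add the governance.conf links).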
Cisco add-ons
You can install these Cisco add-ons on the search head alongside the Splunk App for PCI Compliance and partially disable them to reduce load.
- To disable the Cisco searches, go to Manager > Searches and Reports, select the app name and disable all searches.
- To disable their dashboards, go to Manager > User Interface > Views, select the app name and disable all views.
This applies to these Cisco add-ons:
- Splunk for Cisco IPS: http://splunk-base.splunk.com/apps/Splunk+for+Cisco+IPS
- Splunk for Cisco Firewalls: http://splunk-base.splunk.com/apps/Splunk+for+Cisco+Firewalls
- Splunk for Cisco Client Security Agent: http://splunk-base.splunk.com/apps/Splunk+for+Cisco+Client+Security+Agent
- Splunk for Cisco IronPort Email Security Appliance: http://splunk-base.splunk.com/apps/Splunk+for+Cisco+IronPort+Email+Security+Appliance
- Splunk for Cisco IronPort Web Security Appliance: http://splunk-base.splunk.com/apps/Splunk+for+Cisco+IronPort+Web+Security+Appliance
- Splunk for Cisco MARS: http://splunk-base.splunk.com/apps/Splunk+for+Cisco+MARS
This documentation applies to the following versions of Splunk® App for PCI Compliance: 2.1.1