Identify data feeds
Before you install, configure, and deploy the Splunk App for PCI Compliance, identify the data feeds (sources of data) to be monitored in your cardholder data environment (CDE).
The following table shows the main data feeds to gather information about before deploying the app.
|Source||Example data||How data is used||Why it is important|
|Data sources.||Firewall data from Nessus.||Used in the dashboard.||Information about access attempts.|
|Asset information - lookup files, scripts.||List of servers in deployment.||Used by correlation searches.||Identify assets to monitor and report on.|
|Identity information - lookup files, scripts.||For example, verified users.||Used by correlation searches, notable events, reports.||Monitor expected users.|
The collection of data from these sources and the search-time knowledge maps applied to the data to normalize it for use in the app, create a real-time view into the state of PCI compliance in your cardholder data environment.
Data collected might include the following data:
- information from enterprise devices, systems, and applications in the cardholder data environment
- access attempts to PCI assets
- traffic between PCI domains
- vulnerabilities identified on PCI assets
- notification of malware found on PCI assets
- notification of compliance issues
The app uses this information to populate the dashboards, views, and reports that are available in the Splunk App for PCI Compliance. The app also provides trended views of areas over time, a breakdown of issues by PCI requirement, and visibility in the incident status. Any of this information can be presented in the form of a report.
Identify all of the data sources in your PCI cardholder data environment.
|Data source||Type of data collected|
|operating system logs||log files|
|network device logs||log files|
|security logs (anti-malware solutions)||log files|
|vulnerability management solutions||Common Vulnerabilities and Exposures (CVE) information|
|application logs||application specific notification (for Windows, for Unix)|
For each data source, identify the mapping (technology add-ons) needed to normalize the data for use with the Splunk App for PCI Compliance. For more information about integrating data sources for your deployment, see the Data Source Integration Manual.
The PCI DSS requires that all systems within the PCI cardholder data environment be monitored and reported on. The asset correlation capability within the app helps keep an accurate inventory of your assets.
Identify your assets. Collect the information about your assets and put them into the form of a CSV file. You can gather the information in a spreadsheet and convert it to a CSV file.
Note: Create the identities file following the format of the identities file in the app. The app expects the same columns as those in the file.
This file can be named
assets.csv and can be placed into
Note: The CSV file must use UNIX line endings. The
dos2unix utility can be used to correct line endings in a file produced on Windows or OS-X.
assets.csv file is installed with the app. You can make additions or modifications to this file using Splunk Web. Go to Configure > Assets > Edit'. Make your changes and Save the file.
The editor does not validate input.
The Splunk App for PCI Compliance relies on identity information to help identify privileged users, contractors, terminated users, and other information relevant for reports, searches, and alerts.
This information can be supplied by lookup files (
identities.csv), scripts, and so on. To identify those users, collect the information about your users and put them into the form of a CSV file. The information can be gathered in a spreadsheet and outputted as a CSV file.
identities.csv file is installed with the app. Additions or modifications to this file can be made using Splunk Web. Go to Configure > Assets > Edit. Make your changes and Save the file.
The editor does not validate input.
Note: The CSV file must use UNIX line endings. Use the
dos2unix utility to correct line endings in a file produced on Windows or OS-X.
Understand the Solution
Platform and hardware requirements
This documentation applies to the following versions of Splunk® App for PCI Compliance: 2.1.1