Splunk® App for PCI Compliance

Installation and Configuration Manual

Download manual as PDF

This documentation does not apply to the most recent version of PCI. Click here for the latest version.
Download topic as PDF

Configure Incident Workflow

Notable event statuses are used to manage the workflow of notable events in the Splunk App for PCI Compliance. Most users do not need to change these settings from the default. The workflow status of a notable event enables you to manage PCI compliance workflow and events.

The default incident workflow is for a new event to be changed from Unassigned to Assigned and the status changed from New to In Progress. From there, the PCI compliance analyst can troubleshoot the issue. If there is some action that needs to be taken, the status might be changed to Pending, or it might go straight to Resolved. To move from Resolved to Closed the event must then be verified by another party (admin).

Pci app config incidentWorkflow panel.png

Notable event options

By default, a notable event in the Incident Review dashboard is assigned a status of New and owner Unassigned. The initial urgency is determined when the notable event is generated, and is based on the severity of the event and the priority of the asset corresponding to the event. The correlation searches define the event's severity. The asset table defines an asset's priority.

For more information, see "Correlation searches and severity" in the Splunk App for PCI Compliance User Manual.

Notable event options

Notable Event Status Description
Unassigned An error is preventing the issue from having a valid status assignment.
New (default) The event has not yet been reviewed.
In Progress Investigation or response is in progress.
Pending Event closure is pending some action.
Resolved Issue is resolved and awaits verification.
Closed Event or issue is resolved and verified.
Urgency level (a computed value) Description
Informational Event is informational only.
Low Event has low urgency.
Medium Event has medium urgency.
High Event has high urgency.
Critical Event has critical urgency.
Owner Description
unassigned Event is unassigned.
admin Event is assigned to admin.
pcianalyst Event is assigned to pci analyst.
pciadmin Event is assigned to pci admin.

Modify notable event workflow fields and values

An individual notable event can be modified from the Incident Review dashboard.

To modify a notable event:

  1. Click Finalize (RoundCheckMark.png) to finalize any real-time searches that might be running.
  2. Select an event and check the box next to it.
  3. Click Edit selected events to open the Edit Event panel.

From here you can change status of the event, assign it to a PCI compliance administrator (pciadmin), and add a comment.

Pci-edit event panel.png

When you are done, click Update.

Modify log review settings

The Comment field can be set so that a comment must be entered when an event is edited. PCI compliance analysts might be required to enter comments when reviewing notable events to improve the quality of records. In most PCI compliance configurations, comments are mandatory for changing the characteristics of an event. This saves tracking down the person to understand why they did what they did, and creates a more complete audit record.

Mandatory commenting is an optional feature. By default, it is turned off. To enable mandatory commenting, go to Configure > Log Review Settings. Select "Comment Required" and specify a minimum comment length.

Es-log review settings comment.png

Note: The option to "Allow Overriding of Urgency" can be disabled from this same panel by deselecting it (Configure > Log Review Settings).

If the modified event is not displayed when the Incident Review dashboard refreshes, check to see that the filters at the top of the dashboard are not removing the modified events (for example, search for "New" when the event is changed to "In Progress").

Edit notable event status

The default notable event statuses can be edited or a new status can be added. Before editing or adding any status, plan out the status workflow to be used in the enterprise.

The workflow can be implemented using the Notable Event Statuses editor to manage notable event statuses, status transitions, default status, and user authorization.

To implement this new workflow, use the Notable Event Status panel. Go to Configure > Notable Event Statuses.

Pci-configure NE status.png

Change the details of a notable event by clicking on a label. Individual events can be enabled or disabled.

Pci-notable events edit status.png

The Edit Notable Event Status panel shows the label, the description, the status, and the status transitions for a particular event.

  • Click the Default status check box to assign this status to any new notable event. Only one notable event status can have "Default status" checked. Whenever a new notable event is noted, it is assigned this status if the "Default status" checkbox is checked.
  • Click End status to configure this status so that it cannot be transitioned to another status. This particular event status becomes terminal.
  • Click Enabled to enable this status for notable events.

Click Save after making your edits to implement the changes.

Status transitions

The Splunk App for PCI Compliance provides a default set of workflow status transitions.

Status transitions include:

  • New - transitions to In Progress when event is being investigated or reviewed
  • In Progress - transitions to Pending when closure is pending some action
  • Pending - transitions to Resolved when event is resolved but not verified
  • Resolved - transitions to Closed after verification
  • Closed - the issue has been resolved and verified

Some of these statuses can be disabled from the Edit Notable Event Status panel. Go to Configure > Notable Event Statuses. To disable a status, click Disable.

User authorization

Authorization for each status transition can be assigned to specific user roles. For example, a pciadmin can close an issue, while a pcianalyst can assign an event and change its status from New to In Progress.

See "Configure user roles" in this document for more information about user roles and their permissions.

Notable event suppression

Click Configure on the menu bar to open the Configuration panel.

Pci-configure.png

Click on Notable Event Suppressions on the Configuration panel to review the status of events on the Notable Event Suppression panel.

Es incident workflow partial.png

Suppressing notable events

When a notable event is suppressed, it suppresses events that are already in the notable index that you do not want to appear on the dashboards.

Use Notable Event Suppressions to view, modify, or delete notable event suppressions.

Go to Configure > Notable Event Suppressions.

Es-notable event suppression list.png

Create notable event suppressions

1. Go to Configure > Notable Event Suppressions

2. Click New to create a new notable event suppression.

Es-notableEvent suppression edit.png

3. Add information to the fields and click Save.

See "How to suppress notable event filters" in this manual for information about how to create a notable event suppression.

Edit or disable notable events suppressions

1. Go to Configure > Notable Event Suppressions.

2. Click the name of the event to edit.

3. In the editor, make the desired changes.

4. Click Save.

To disable (or enable) an individual notable event suppression:

1. Click on the label next to the event name to enable or disable individual notable event suppressions.

2. Click Save.

Audit suppression activity

The Notable Event suppression activity is shown in the Suppression Audit dashboard.

To audit suppression activity go to Audit > Suppression Audit.

Throttling

Throttling occurs before events are added to the notable event index. This means that throttled events are not added to the notable index.

Throttling prevents the duplication of related events.

Suppress.png

Suppression

Suppression is applied to events that are already in the notable index. Suppression is used for events on which you cannot currently act and do not want to appear in dashboards.

Suppression hides alerts that you do not want to see.

PREVIOUS
Notable events
  NEXT
Plan the upgrade

This documentation applies to the following versions of Splunk® App for PCI Compliance: 2.1.1


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters