Understand the Solution
Splunk platform technologies work together to monitor the data from diverse applications, devices, and systems within your PCI cardholder data environment (CDE).
Data from the PCI CDE is monitored and tagged using Splunk Forwarders and sent to Splunk Indexers. After the data arrives at the indexers, custom categorization and field extractions are performed as required for the PCI app, and the data is stored. The PCI app searches the indexed data and returns results to populate key dashboards and provide administrators with a picture into the CDE.
The Splunk App for PCI Compliance 3.0.0 consists of a main app, domain add-ons (DA-*), supporting add-ons (SA-*), and technology add-ons (TA-*). Together, they provide a single interface to monitor the data from diverse applications, devices, and systems within the PCI CDE.
- Domain add-ons provide the dashboards and views for each domain within the app.
- Supporting add-ons provide the underlying support modules and tools leveraged by domain add-ons (saved searches, macros, and so on).
- Technology add-ons provide the feeds to get data from different sources, and search-time knowledge maps to normalize the data for use within the app.
The add-ons that make up the Splunk App for PCI Compliance 3.0.0 appear in the following table.
|Type of Add-on||Description|
|Main app||Allows the domain add-ons, supporting add-ons, and technology add-ons to work together on the Splunk search head to provide the Splunk App for PCI Compliance. It is found in the app installation directory and is called “SplunkPCIComplianceSuite." It includes the general app configuration settings and navigation used within the app interface.|
|Domain Add-on||Domain add-ons are specialized add-ons that are included to provide domain specific reports and correlation searches for each of the PCI DSS major requirements. They are found on in the app installation directory and can be identified with “DA-*” in the names (for example, DA-PCI-Requirement1). Each major requirement within PCI has a specific domain add-on dedicated to it.|
|Supporting Add-ons||Supporting add-ons are specialized add-ons that provide shared framework for use within the Splunk App for PCI Compliance and other apps such as the Splunk App for Enterprise Security. These add-ons include the notable event framework, shared saved searches, and other app components that are not specific to PCI or to the Splunk App for PCI Compliance but are used. Splunk App for Enterprise Secuirty shares these add-ons.|
|Technology Add-ons||Technology add-ons are specialized add-ons that help to map and normalize data feeds from specific sources in your Splunk environment for use within the Splunk App for PCI Compliance. The add-ons can include a feed to help gather data from a source, and a map that normalizes the data to the Splunk Common Information Model. Splunk App for Enterprise Secuirty shares these add-ons.|
Within the domain add-ons and supporting add-ons, there are a number of important files that need to be called out. These files are necessary to understand how to configure the Splunk App for PCI Compliance. Most of these files can be modified from within the Splunk App for PCI Compliance configuration interface.
|PCI Views||SplunkPCIComplianceSuite/lookups/pci_views.csv||List of reports and mapping to main PCI DSS requirement.|
|Editable Lookups||SplunkPCIComplianceSuite/lookups/editable_lookups.csv||Editable lookup file for audit, network protection, identity management, and threat intelligence.|
|Expected Views||SA-AuditAndDataProtection/lookups/expected_views.csv||Views that are audited.|
|Prohibited Traffic||SA-NetworkProtection/lookups/prohibited_traffic.csv||Traffic that generates notable events when detected.|
|Identities||SA-IdentityManagement/lookups/identities.csv||List of identities associated with Identity Correlation.|
|Assets||SA-IdentityManagement/lookups/assets.csv||List of assets associated with Asset Correlation.|
|Categories List||SA-IdentityManagement/lookups/categories.csv||Categories that apply to assets and identities.|
|PCI Domains List||SA-IdentityManagement/lookups/pci_domains.csv||List of PCI domain labels.|
|Urgency Matrix||SA-ThreatIntelligence/lookups/urgency.csv||List of defined urgency levels.|
Get support and find information about Splunk software
Identify data feeds
This documentation applies to the following versions of Splunk® App for PCI Compliance: 2.1.1