Splunk® App for PCI Compliance

Installation and Configuration Manual

This documentation does not apply to the most recent version of the Splunk App for PCI Compliance.

Understand the Solution

Splunk platform technologies work together to monitor the data from diverse applications, devices, and systems within your PCI cardholder data environment (CDE).

Data from the PCI CDE is collected and tagged by Splunk forwarders and sent to Splunk indexers. After the data arrives at the indexers, the custom categorization and field extractions that the PCI app requires are applied, and the data is stored. The PCI app searches the indexed data and uses the results to populate its key dashboards, giving administrators a view into the CDE.

The Splunk App for PCI Compliance 3.0.0 consists of a main app, domain add-ons (DA-*), supporting add-ons (SA-*), and technology add-ons (TA-*). Together, they provide a single interface to monitor the data from diverse applications, devices, and systems within the PCI CDE.

  • Domain add-ons provide the dashboards and views for each domain within the app.
  • Supporting add-ons provide the underlying support modules and tools leveraged by domain add-ons (saved searches, macros, and so on).
  • Technology add-ons provide the feeds to get data from different sources, and search-time knowledge maps to normalize the data for use within the app.

The add-ons that make up the Splunk App for PCI Compliance 3.0.0 appear in the following table.

| Type of add-on | Description |
| --- | --- |
| Main app | Allows the domain add-ons, supporting add-ons, and technology add-ons to work together on the Splunk search head to provide the Splunk App for PCI Compliance. It is found in the app installation directory and is called "SplunkPCIComplianceSuite". It includes the general app configuration settings and the navigation used within the app interface. |
| Domain add-ons | Specialized add-ons that provide domain-specific reports and correlation searches for each of the PCI DSS major requirements. They are found in the app installation directory and can be identified by "DA-*" in their names (for example, DA-PCI-Requirement1). Each major requirement within PCI DSS has a dedicated domain add-on. |
| Supporting add-ons | Specialized add-ons that provide a shared framework for use within the Splunk App for PCI Compliance and other apps such as the Splunk App for Enterprise Security. These add-ons include the notable event framework, shared saved searches, and other app components that are not specific to PCI or to the Splunk App for PCI Compliance but are used by it. The Splunk App for Enterprise Security shares these add-ons. |
| Technology add-ons | Specialized add-ons that map and normalize data feeds from specific sources in your Splunk environment for use within the Splunk App for PCI Compliance. An add-on can include a feed that gathers data from a source and a map that normalizes the data to the Splunk Common Information Model. The Splunk App for Enterprise Security shares these add-ons. |

Within the domain add-ons and supporting add-ons, a number of important files need to be called out. Understanding these files is necessary to configure the Splunk App for PCI Compliance. Most of them can be modified from within the Splunk App for PCI Compliance configuration interface.

| Name | File location | Description |
| --- | --- | --- |
| PCI Views | SplunkPCIComplianceSuite/lookups/pci_views.csv | List of reports and their mapping to the main PCI DSS requirements. |
| Editable Lookups | SplunkPCIComplianceSuite/lookups/editable_lookups.csv | Editable lookup file for audit, network protection, identity management, and threat intelligence. |
| Expected Views | SA-AuditAndDataProtection/lookups/expected_views.csv | Views that are audited. |
| Prohibited Traffic | SA-NetworkProtection/lookups/prohibited_traffic.csv | Traffic that generates notable events when detected. |
| Identities | SA-IdentityManagement/lookups/identities.csv | List of identities used by Identity Correlation. |
| Assets | SA-IdentityManagement/lookups/assets.csv | List of assets used by Asset Correlation. |
| Categories List | SA-IdentityManagement/lookups/categories.csv | Categories that apply to assets and identities. |
| PCI Domains List | SA-IdentityManagement/lookups/pci_domains.csv | List of PCI domain labels. |
| Urgency Matrix | SA-ThreatIntelligence/lookups/urgency.csv | List of defined urgency levels. |
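Because these lookups drive what the app treats as prohibited traffic, known assets and identities, and urgency, it is worth checking them after every manual edit and tracking changes to them. The following script is an added example, not part of the Splunk app: it walks the lookup files listed in the table (assuming they live under $SPLUNK_HOME/etc/apps), reports which are missing, counts data rows, flags repeated rows, and records a SHA-256 per file so a later run can show which lookups changed. The sample directory it builds is constructed for the demonstration and its column names are invented.

```python
import csv
import hashlib
import os
import tempfile

# Lookup files named in the table above, relative to $SPLUNK_HOME/etc/apps (assumed layout).
PCI_LOOKUPS = [
    "SplunkPCIComplianceSuite/lookups/pci_views.csv",
    "SplunkPCIComplianceSuite/lookups/editable_lookups.csv",
    "SA-AuditAndDataProtection/lookups/expected_views.csv",
    "SA-NetworkProtection/lookups/prohibited_traffic.csv",
    "SA-IdentityManagement/lookups/identities.csv",
    "SA-IdentityManagement/lookups/assets.csv",
    "SA-IdentityManagement/lookups/categories.csv",
    "SA-IdentityManagement/lookups/pci_domains.csv",
    "SA-ThreatIntelligence/lookups/urgency.csv",
]

def inspect_lookup(path):
    """Presence, data-row count, repeated data rows (a sign of a botched edit) and SHA-256."""
    if not os.path.isfile(path):
        return {"exists": False, "rows": 0, "duplicates": 0, "sha256": None}
    with open(path, "rb") as fh:
        sha256 = hashlib.sha256(fh.read()).hexdigest()
    seen, rows, dupes = set(), 0, 0
    with open(path, newline="") as fh:
        reader = csv.reader(fh)
        next(reader, None)  # the header row carries no data
        for row in reader:
            rows += 1
            dupes += tuple(row) in seen  # True counts as 1
            seen.add(tuple(row))
    return {"exists": True, "rows": rows, "duplicates": dupes, "sha256": sha256}

def audit_lookups(apps_dir):
    """Run inspect_lookup over every listed file; returns {relative_path: result}."""
    return {rel: inspect_lookup(os.path.join(apps_dir, rel)) for rel in PCI_LOOKUPS}

def build_sample_apps_dir():
    """Constructed sample apps directory; the column names are made up, not the app's real schema."""
    root = tempfile.mkdtemp()
    samples = {
        "SA-NetworkProtection/lookups/prohibited_traffic.csv": "dest_port,transport\n23,tcp\n21,tcp\n23,tcp\n",
        "SA-ThreatIntelligence/lookups/urgency.csv": "priority,severity,urgency\nhigh,critical,critical\n",
    }
    for rel, text in samples.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(text)
    return root
```

Store the returned hashes alongside your change records; a differing hash on the next run identifies which lookup was edited without a ticket.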
Last modified on 24 October, 2015

This documentation applies to the following versions of Splunk® App for PCI Compliance: 2.1.1
