Splunk® App for PCI Compliance

User Manual

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of PCI. Click here for the latest version.
Acrobat logo Download topic as PDF

Audit dashboards

Audit dashboards in the Splunk App for PCI Compliance provide the ability to audit different areas and activities in your PCI compliance environment.

Incident Review Audit dashboard

This dashboard provides visibility into the incident change activity performed in the Incident Review dashboard. Use this dashboard to see all changes made to the notable events discovered within the PCI compliance environment.

This dashboard displays:

  • Review Activity by Reviewer over Time - Tracks reviewer activity over time.
  • Notable Events by Status - Tracks new, open, and closed issues over the last 6 monhts.
  • Top Reviewers - List of reviewers over the last 6 months
  • Recent Review Activity - Tracks review activity over the last 6 months

Suppression Audit dashboard

Use this dashboard to audit suppression activity and ensure that it is being used appropriately. This dashboard provides an overview of notable event suppression activity. It shows how many events are being suppressed and by whom.

This dashboard displays:

  • Currently Suppressed Notable Events - Events suppressed in the last 24 hours. The events can be sorted by time, by correlation search, by suppression, or by urgency
  • Suppressed Notable Event History - You can select the time range for suppressed notable event to display in this panel. The results can be sorted by time, by correlation search, by suppression, or by urgency
  • Suppression Management Activity - You can select the time range for suppression management activity to display. Click "View full results" to see the event details.
  • Expired Suppressions - You can select the time range for expired suppression activity to display. Click "View full results" to see the event details.

View full results

At the bottom of either the Suppression Management Activity or the Expired Suppressions panels, click "View full results" to open the results from this panel in the timeline view. In the timeline view you can work with the search results in the same way you can work with any search; customize the search or save the search to view the same results at a later time.

Forwarder Audit dashboard

Use this dashboard to identify any change in the volume of data from each system in the cardholder data environment, and other issues that could prevent the data from getting to Splunk.

Splunk monitors the ingress data and provides compliance managers with visibility into the volume of data collected from each system. Review this dashboard at least once per day or more frequently as desired.

Filter options are available to narrow searches (Host, Business Unit, Category) Click "Expected hosts only" to view only those hosts expected to be reporting.

This dashboard displays:

  • Host Event Count over Time - Select the time range to view the number of event by host over time.
  • Hosts Not Responding - Select a time range to inspect hosts that have not reported. Click "View full results" to see the event details.
  • Splunkd Resource Utilization - Select the time range to view the usage of the Splunkd resource. Click "View full results" to see the event details.
  • Splunkd Anomalous Start Mode - Select the time range to view those hosts that do not automatically start Splunk. Click "View full results" to see the event details.

Search Audit dashboard

Use this dashboard to monitor information about the searches being executed in Splunk. This dashboard is useful for identifying who is running searches in Splunk, identifying longer-running searches, and tracking search activity over time and by user. Internal searches used by PCI Compliance are set to "user=splunk-system-user".

Splunk generates an audit message for every search that is executed against the data that is collected from security devices and systems within the cardholder data environment.

Filter options for ad hoc searches and selecting the time range are available.

This dashboard displays:

  • Search Activity by Type - Tracks the types of searches in the form of a bar chart over time.
  • Search Activity by User - A pie chart displays search activity by users. Click the chart for details about each user.
  • Search Activity by Expense - Shows the search type and length, plus additional details for the searches logged by the app. Click "View full results" to see the event details.

View Audit dashboard

Use this dashboard to identify views that have not been reviewed each day.

Compliance managers are required to perform daily log review. Splunk generates an audit event each time a user looks at a report or dashboard within Splunk. This dashboard provides information about who has viewed the reports and dashboards within the Splunk App for PCI Compliance.

This dashboard displays:

  • Splunk App for PCI Compliance View Activity - Select a time range to view the loads on the various views in the app.
  • Expected View Activity - Select a view to track how many times it has been reviewed in the past week.
  • Expected View Scorecard - Overall scorecard for reviews of expected views
  • Recent Web Service Errors - Details of web service error events over the past 24 hours. Click "View full results" to see the event details.
Last modified on 26 October, 2015
PREVIOUS
Reports
  NEXT
Define a primary service

This documentation applies to the following versions of Splunk® App for PCI Compliance: 2.1.1


Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters