Splunk® App for PCI Compliance

User Manual

This documentation does not apply to the most recent version of Splunk® App for PCI Compliance. For documentation on the most recent version, go to the latest release.

Define a primary service

As part of the Splunk App for PCI Compliance, primary functions are defined as one or more of the following items:

  • Running Process (process name)
  • Installed Service (service name)
  • Listening Port (transport/port combination)

Primary functions are defined in a Splunk lookup table (SA-EndpointProtection/lookups/primary_functions.csv). This lookup table contains three separate primary keys (one for service, process, and transport/port respectively). The remainder of the header determines whether or not the function is primary and what that function is. This results in the following CSV header:

process,service,transport,port,is_primary,function

Function names are arbitrary, but we recommend the following:

    Application (name, for instance "Tomcat")
    Authentication
    Database
    Domain Name Service (DNS)
    Mail
    Proxy
    Network Time Protocol (NTP)
    Web

The SA-EndpointProtection/lookups/primary_functions.csv file contains examples that come with the Splunk App for PCI Compliance.

Lookups

Primary functions running on a system are determined by comparing the defined primary functions with the running processes, installed services, and listening ports found on a system.

  • Running processes are found in the "localprocesses_tracker"
  • Services are found in the "services_tracker"
  • Listening ports are found in the "listeningports_tracker"

For example, the following search examines the "localprocesses_tracker for primary functions":

| inputlookup append=T localprocesses_tracker | `get_primary_function(process)` | rename app as process

Compliance Managers may want to use multiple services and/or processes to determine the primary function of a system. This is easily done as long as the function name is consistent among applications in the stack.

To do this, you will need to define a primary service. You can have several service names that represent an application stack but a single function. In the SA-EndpointProtection/lookups/primary_functions.csv file identify all of the services and/or processes associated with the primary function with the same function name.

For example:

process service transport port is_primary function
apple true improve health
banana true improve health
carrot true improve health

The following search simulates a system running these services to show how they result in a single function:

| head 1 | stats count | eval service="apple|banana|carrot" | `makemv(service)` | rename service as app | mvexpand app | `get_primary_function(service)` | stats dc(function)

This search will result in a dc(function) == 1

Last modified on 26 October, 2015
Audit dashboards   PCI Security Standards

This documentation applies to the following versions of Splunk® App for PCI Compliance: 2.1.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters