Splunk® App for PCI Compliance

Installation and Configuration Manual

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of Splunk® App for PCI Compliance. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Add custom correlation searches

The Splunk App for PCI Compliance includes correlation searches that are used to identify threats to systems within the PCI cardholder data environment. These correlation searches have been mapped to the relevant sections of PCI DSS.

You can create custom correlation searches from within the app and map them to the relevant PCI DSS sections for use with the app.

Create a custom correlation search

Create a custom correlation search using the Content Management page. For this example, create a correlation search for Splunk_DA-ESS_PCICompliance.

  1. Go to Configure >Content Management > Create new content > Correlation Search.
  2. Type a search name. Include a domain in the search name if you want.
  3. Set the Application Context as PCI Compliance.
  4. Create a search with the guided search wizard.
  5. Fill out the rest of the fields on the page.
  6. Click Save.

For assistance creating correlation searches, see Create a correlation search in Splunk Enterprise Security Tutorials.

Correlation searches are saved in a configuration file

The Splunk App for PCI Compliance saves the search to the correlationsearches.conf file in the local directory of the app defined in the application context for the search. In the steps above, the correlationsearches.conf file is placed in the /Applications/splunk/etc/apps/Splunk_DA-ESS_PCICompliance/local directory.

The contents of correlationsearches.conf look like this: 

[PCI - 1.3.3 - Unauthorized or Insecure Communication Permitted - Rule]
rule_name = Unauthorized or Insecure Communication Permitted 
security_domain = network
severity = high

Map the PCI DSS controls

After you create a correlation search, map the correlation search to the relevant PCI DSS controls. This step requires file system access on the server. Splunk Cloud customers must work with Support to map the correlation search to the relevant PCI DSS controls.

Perform these steps in the same directory as the correlationsearches.conf file where the search exists. For example, /Applications/splunk/etc/apps/Splunk_DA-ESS_PCICompliance/local.

  1. Create a governance.conf file.
    /Applications/splunk/etc/apps/Splunk_DA-ESS_PCICompliance/local/governance.conf
  2. Copy the stanza for the custom correlation search from the correlationsearches.conf file and paste it into the governance.conf file.
    [PCI - 1.3.3 - Unauthorized or Insecure Communication Permitted – Rule]
  3. Add a compliance control mapping by adding a governance and control line under the correlation search stanza.
    [PCI - 1.3.3 - Unauthorized or Insecure Communication Permitted – Rule]
    compliance.0.governance = pci
    compliance.0.control = 1.3.3
  4. (Optional) Add additional compliance control mappings in pairs. The first line indicates the compliance or governance standard. The second line indicates the control mapping for the standard.
    [PCI - 1.3.3 - Unauthorized or Insecure Communication Permitted – Rule]
    compliance.0.governance = pci
    compliance.0.control = 1.3.3
    compliance.1.governance = pci
    compliance.1.control = 1.3.2
  5. Save the file. The results take effect the next time the correlation search matches and creates a notable event.

See Create new correlation searches in this manual for additional information.

Last modified on 27 October, 2016
PREVIOUS
Configure a custom report 		  NEXT
Reports in the Splunk App for PCI Compliance

This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1

Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters