Splunk® App for PCI Compliance

Installation and Configuration Manual

This documentation does not apply to the most recent version of PCI.

Add custom correlation searches

The Splunk App for PCI Compliance includes correlation searches that are used to identify threats to systems within the PCI cardholder data environment. These correlation searches have been mapped to the relevant sections of PCI DSS.

You can create custom correlation searches from within the app and map them to the relevant PCI DSS sections for use with the app.

Create a custom correlation search

Create a custom correlation search using the Content Management page. For this example, create a correlation search for Splunk_DA-ESS_PCICompliance.

  1. Go to Configure > Content Management > Create new content > Correlation Search.
  2. Type a search name. Include a domain in the search name if you want.
  3. Set the Application Context as PCI Compliance.
  4. Create a search with the guided search wizard.
  5. Fill out the rest of the fields on the page.
  6. Click Save.

For assistance creating correlation searches, see Create a correlation search in Splunk Enterprise Security Tutorials.

Correlation searches are saved in a configuration file

The Splunk App for PCI Compliance saves the search to the correlationsearches.conf file in the local directory of the app defined in the application context for the search. In the steps above, the correlationsearches.conf file is placed in the /Applications/splunk/etc/apps/Splunk_DA-ESS_PCICompliance/local directory.

The contents of correlationsearches.conf look like this:

[PCI - 1.3.3 - Unauthorized or Insecure Communication Permitted - Rule]
rule_name = Unauthorized or Insecure Communication Permitted
security_domain = network
severity = high

Map the PCI DSS controls

After you create a correlation search, map the correlation search to the relevant PCI DSS controls. This step requires file system access on the server. Splunk Cloud customers must work with Support to map the correlation search to the relevant PCI DSS controls.

Perform these steps in the same directory as the correlationsearches.conf file where the search exists. For example, /Applications/splunk/etc/apps/Splunk_DA-ESS_PCICompliance/local.

  1. Create a governance.conf file.
    /Applications/splunk/etc/apps/Splunk_DA-ESS_PCICompliance/local/governance.conf
  2. Copy the stanza header for the custom correlation search from the correlationsearches.conf file and paste it into the governance.conf file. The stanza name must match character for character (including the plain hyphens), or the mapping is applied to a stanza that does not exist.
    [PCI - 1.3.3 - Unauthorized or Insecure Communication Permitted - Rule]
  3. Add a compliance control mapping by adding a governance line and a control line under the correlation search stanza.
    [PCI - 1.3.3 - Unauthorized or Insecure Communication Permitted - Rule]
    compliance.0.governance = pci
    compliance.0.control = 1.3.3
  4. (Optional) Add additional compliance control mappings as numbered pairs (compliance.1, compliance.2, and so on). The first line of each pair names the compliance or governance standard. The second line names the control within that standard.
    [PCI - 1.3.3 - Unauthorized or Insecure Communication Permitted - Rule]
    compliance.0.governance = pci
    compliance.0.control = 1.3.3
    compliance.1.governance = pci
    compliance.1.control = 1.3.2
  5. Save the file. The mapping takes effect the next time the correlation search matches and creates a notable event.
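Because the stanza name is the only link between correlationsearches.conf and governance.conf, a typo or a substituted dash character silently produces a search with no control mapping. The script below is an added example, not Splunk code, that parses both files, renders a governance stanza in the pair-numbered form from steps 3 and 4, and reports mappings whose stanza is missing, whose governance/control pair is incomplete, or whose indexes have gaps. The two sample files are constructed here; the "Audit Log Source Missing" search is hypothetical, and the dotted-numeric control id format is an assumption. It checks a single local file and does not model how Splunk merges default and local directories.

```python
import re
from typing import Dict, List

# Constructed sample of the two files described in the steps above. The second search
# ("Audit Log Source Missing") is hypothetical, not a search shipped with the PCI app.
CORRELATIONSEARCHES_CONF = """\
[PCI - 1.3.3 - Unauthorized or Insecure Communication Permitted - Rule]
rule_name = Unauthorized or Insecure Communication Permitted
security_domain = network
severity = high

[PCI - 10.2 - Audit Log Source Missing - Rule]
rule_name = Audit Log Source Missing
security_domain = access
severity = medium
"""

# The second governance stanza carries two deliberate defects: its header uses an en dash
# before "Rule" instead of the ASCII hyphen, so it matches no search stanza, and each of
# its compliance.0 / compliance.1 mappings is missing half of the governance/control pair.
GOVERNANCE_CONF = """\
[PCI - 1.3.3 - Unauthorized or Insecure Communication Permitted - Rule]
compliance.0.governance = pci
compliance.0.control = 1.3.3
compliance.1.governance = pci
compliance.1.control = 1.3.2

[PCI - 10.2 - Audit Log Source Missing – Rule]
compliance.0.governance = pci
compliance.1.control = 10.2
"""

Conf = Dict[str, Dict[str, str]]


def parse_conf(text: str) -> Conf:
    """Parse Splunk-style .conf text into {stanza: {key: value}}.
    Blank lines and '#' comments are skipped, keys keep their case, and a key that
    appears twice in one stanza keeps its last value."""
    stanzas: Conf = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = line.split("=", 1)
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def governance_stanza(search_name: str, controls: List[str], governance: str = "pci") -> str:
    """Render a governance.conf stanza mapping one search to several controls,
    numbering the governance/control pairs 0, 1, ... as in step 4 above."""
    lines = [f"[{search_name}]"]
    for i, control in enumerate(controls):
        lines.append(f"compliance.{i}.governance = {governance}")
        lines.append(f"compliance.{i}.control = {control}")
    return "\n".join(lines) + "\n"


MAPPING_KEY = re.compile(r"^compliance\.(\d+)\.(governance|control)$")
CONTROL_ID = re.compile(r"^\d+(\.\d+)*$")  # dotted numeric id such as 1.3.3 (assumed format)


def check_governance(searches: Conf, governance: Conf) -> List[str]:
    """Return the problems found in the mapping; an empty list means it is consistent."""
    problems: List[str] = []
    for stanza, keys in governance.items():
        if stanza not in searches:
            hint = ""
            if stanza.replace("\u2013", "-").replace("\u2014", "-") in searches:
                hint = " (differs only by a dash character; use the ASCII hyphen)"
            problems.append(f"[{stanza}] has no matching correlation search stanza{hint}")
        pairs: Dict[int, Dict[str, str]] = {}
        for key, value in keys.items():
            m = MAPPING_KEY.match(key)
            if not m:
                problems.append(f"[{stanza}] unexpected key {key!r}")
                continue
            pairs.setdefault(int(m.group(1)), {})[m.group(2)] = value
        for idx in sorted(pairs):
            pair = pairs[idx]
            if "governance" not in pair or "control" not in pair:
                problems.append(f"[{stanza}] compliance.{idx} needs both a governance and a control line")
            elif not pair["governance"] or not CONTROL_ID.match(pair["control"]):
                problems.append(f"[{stanza}] compliance.{idx} has an empty governance or malformed control")
        if sorted(pairs) != list(range(len(pairs))):
            problems.append(f"[{stanza}] compliance indexes must run 0..N-1 without gaps")
    return problems


if __name__ == "__main__":
    found = check_governance(parse_conf(CORRELATIONSEARCHES_CONF), parse_conf(GOVERNANCE_CONF))
    print("\n".join(found) or "governance.conf is consistent")
```

Run against the two sample files, the script reports three problems for the second stanza (the dash mismatch and the two half-pairs) and none for the first. Pointing it at the real `local/correlationsearches.conf` and `local/governance.conf` of the app is a quick check to run before expecting a notable event to carry its control mapping.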

See Create new correlation searches in this manual for additional information.


This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1