Configure a custom report
The Splunk App for PCI Compliance provides reports for different aspects of your PCI compliance. Each report (or dashboard) in the Splunk App for PCI Compliance has an XML file, such as pci_malware_activity.xml, that describes the information used in the report, which notable events provide the data, and how that data is displayed. These reports are included as part of the app.
Choose the domain that the report applies to
A report is associated, or categorized, with a domain within the app. In the Splunk App for PCI Compliance, these categories are shown in the Reports tab. The categories are:
- R1: Network Traffic
- R2: Default Configuration
- R3: Protect Data at Rest
To have the new report show up in the correct place in the app navigation (or correct location in the menu bar), you must choose the category domain that the report applies to.
The custom report must be referenced in the correct domain section of the navigation XML file. Within the navigation file (default.xml), the categories look like this:

    <nav>
      ...
      ...
      <collection label="Reports">
        <collection label="R1: Network Traffic">
          <view name="pci_communication_rule_activity"/>
          <view name="pci_traffic_activity"/>
          <view name="pci_prohibited_services"/>
        </collection>
        <collection label="R2: Default Configurations">
          <view name="pci_default_account_access"/>
          <view name="pci_insecure_authentication_attempts"/>
          <view name="pci_system_inventory"/>
          <view name="pci_primary_functions"/>
          <view name="pci_prohibited_services"/>
          <view name="pci_system_misconfiguration"/>
          <view name="pci_weak_encrypted_communication"/>
          <view name="pci_wireless_misconfiguration"/>
        </collection>
        <!-- ADD HERE -->
    </nav>
To add your custom report (your_report.xml) to the app, you need to add it to the navigation XML file, which references the menu items in the app. Each app has only one navigation file ($SPLUNK_HOME/etc/apps/Splunk_DA-ESS_PCICompliance/local/data/ui/views/nav/default.xml). You must associate the new report with a domain.
- Select Settings > User interface > Navigation menus.
- Click default next to Splunk_DA-ESS_PCICompliance. An editor displays the navigation file for the Splunk App for PCI Compliance.
- Choose the category domain for the new report. This is the location in the default.xml file where you reference your custom report file (
- Add the custom report to the default.xml file and Save the file.
- Restart the Splunk platform for the changes to take effect.
Note: When you open default.xml, you are looking at the default copy of the file. When you save, your changes are saved to a local version of the file.
For example, to add your report to Monitor & Test, add the path to the your_report.xml file and the display name in default.xml as shown in the following code snippet. Inside the XML, the ampersand in the label is written as &amp;.

    <collection label="Monitor &amp; Test">
      <a href='/app/SplunkPCIComplianceSuite/pci_asset_logging?category=pci'>PCI Asset Logging</a>
      ...
      <a href='/app/SplunkPCIComplianceSuite/your_report.xml?category=pci'>Your custom report</a>
      ...
    </collection>
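The navigation edit described above can be checked offline before it is saved. The following is an added example, not part of the Splunk documentation or the app: it inserts a `<view>` reference into exactly one domain collection and rejects navigation XML that is not well-formed, such as a label with an unescaped `&`. The function name `add_report`, the sample XML and the view name `your_report` (the report file name without its extension) are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the navigation snippet above (not a real file).
SAMPLE_NAV = """<nav>
  <collection label="Reports">
    <collection label="R1: Network Traffic">
      <view name="pci_communication_rule_activity"/>
      <view name="pci_traffic_activity"/>
    </collection>
    <collection label="R2: Default Configurations">
      <view name="pci_default_account_access"/>
    </collection>
    <!-- ADD HERE -->
  </collection>
</nav>"""


def add_report(nav_xml, domain_label, view_name):
    """Return nav_xml with <view name=view_name/> appended to the collection
    labelled domain_label. Raises ValueError instead of writing a broken file."""
    # Keep XML comments; the default parser would silently drop them.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    try:
        root = ET.fromstring(nav_xml, parser=parser)
    except ET.ParseError as exc:
        raise ValueError(f"navigation XML is not well-formed: {exc}") from exc

    # The label must identify exactly one collection, or the report could
    # land in the wrong domain (or in none).
    matches = [c for c in root.iter("collection")
               if c.get("label") == domain_label]
    if len(matches) != 1:
        raise ValueError(
            f"expected one collection labelled {domain_label!r}, "
            f"found {len(matches)}")
    target = matches[0]

    # Idempotent: a report that is already referenced is not added twice.
    if any(v.get("name") == view_name for v in target.findall("view")):
        return nav_xml

    ET.SubElement(target, "view", {"name": view_name})
    if hasattr(ET, "indent"):  # Python 3.9+
        ET.indent(root, space="  ")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(add_report(SAMPLE_NAV, "R1: Network Traffic", "your_report"))
```

Write the returned text to the local copy of default.xml only after the function returns without raising.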
Email a report
You can configure the Splunk App for PCI Compliance to email a report by attaching the report to the email as an HTML file or by including it inline in the email body. See Define actions for your scheduled report with the Edit Schedule dialog in the Reporting Manual.
This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.4.0, 3.4.1, 3.4.2