Splunk® App for PCI Compliance

Installation and Configuration Manual

Download manual as PDF

This documentation does not apply to the most recent version of PCI. Click here for the latest version.
Download topic as PDF

Identify data feeds

Before you install, configure, and deploy the Splunk App for PCI Compliance, identify the data feeds (sources of data) to be monitored in your cardholder data environment (CDE).

The following table shows the main data feeds to gather information about before deploying the app.

Source Example data How data is used Why it is important
Data sources. Firewall data from Nessus. Used in the dashboard. Information about access attempts.
Asset information - lookup files, scripts. List of servers in deployment. Used by correlation searches. Identify assets to monitor and report on.
Identity information - lookup files, scripts. For example, verified users. Used by correlation searches, notable events, reports. Monitor expected users.

The collection of data from these sources and the search-time knowledge maps applied to the data to normalize it for use in the app, create a real-time view into the state of PCI compliance in your cardholder data environment.

Data collected might include the following data:

  • information from enterprise devices, systems, and applications in the cardholder data environment
  • access attempts to PCI assets
  • traffic between PCI domains
  • vulnerabilities identified on PCI assets
  • notification of malware found on PCI assets
  • notification of compliance issues

The app uses this information to populate the dashboards, views, and reports that are available in the Splunk App for PCI Compliance. The app also provides trended views of areas over time, a breakdown of issues by PCI requirement, and visibility in the incident status. Any of this information can be presented in the form of a report.

Data sources

Identify all of the data sources in your PCI cardholder data environment.

Data source Type of data collected
operating system logs log files
network device logs log files
security logs (anti-malware solutions) log files
vulnerability management solutions Common Vulnerabilities and Exposures (CVE) information
application logs application specific notification (for Windows, for Unix)

For each data source, identify the mapping (technology add-ons) needed to normalize the data for use with the Splunk App for PCI Compliance.


Asset information

See Configure assets in this manual for details about how to add asset information.

Identity Information

See Configure identities in this manual for details about how to add identity information.

PREVIOUS
Components of the Splunk App for PCI Compliance
  NEXT
Platform and hardware requirements

This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters