Configure identities
These identities (or user roles) are included as part of the Splunk App for PCI Compliance:
- admin
- pciadmin
- pcianalyst
- pciuser
Identities list
The identities list provides information about the users in your cardholder data environment, such as the user name, first and last name, and email address. Some of these fields, such as priority, watchlist, and endDate are used for dashboard charts and to calculate the urgency of notable events associated with identities. Other fields, such as "business unit" and "category", are used by the filters at the top of the dashboards. You can search on any of these fields from the identity list and use them while investigating events.
When an event contains a field that the Splunk App for PCI Compliance identifies as belonging to a specific identity, the app looks up the identity in the identities list and generates new fields that contain the information from the identities list. The identity information provides the app with contextual information about the identities involved in an event or related to a notable event that can allow a PCI compliance analyst or incident investigator to identify additional identity information such as priority, categories, business unit, watchlist, and other information. Administrators are encouraged to populate the identities list by either building an automated capture from an existing identity database or to simply populate the file manually.
There are several ways to modify the identities list for the Splunk App for PCI Compliance.
To modify the list from within the app, click Configure > Data Enrichment > Identity Management > Lists and Lookups.
Identities list location
The identities list is located in the add-on for identities:
$SPLUNK_HOME/etc/apps/SA-IdentityManagement/lookups/identities.csv
You can modify the list by navigating to Configure > Data Enrichment > Identity Management and using the lookup editor. For more information, see Modify your identity list.
Identity fields
The first line of the identities.csv
file lists all the identities fields:
identity,prefix,nick,first,last,suffix,email,phone,phone2,managedBy,priority,bunit,category,watchlist,startDate,endDate
Identity lookups are performed on the src_user
and user
fields at search time.
The table describes the identity fields.
Field | Description | Examples |
---|---|---|
identity (key) | Pipe-delimited list of usernames representing the identity. | Mr. Tim, manager | admin |
prefix | Prefix of the identity name. | Mr., Mrs., Ms., Dr. |
nick | Nickname of the identity. | Bobby, Spud, Dr. Z |
first | First name of the identity. | Gordon |
last | Last name of the identity. | Tristler |
suffix | Suffix of the identity name. | Jr., Esq., M.D. |
Email address of the identity. | accounting@acmetech.com, gntrisler@acmetech.com | |
phone | Phone number for the identity. | +1 (800)555-8924 |
phone2 | Secondary phone number for the identity. | +1 (800)555-8924 |
managedBy | Username representing manager of the identity. | lietzow.tim, a.koski |
priority | Priority of the identity. | Value can be "low," "medium," "high," or "critical". For example, CEO would be "critical" |
bunit | Business unit associated with identity | emea, americas. |
category | Category of the identity. Can be a pipe-delimited list | intern, officer, pip, pci | ES, BD | PS |
watchlist | Is the identity on a watch list? | Value can be "true" or "false |
startDate | Start/Hire date of the identity. | 3/29/88 5:15 |
endDate | End/Termination date of the identity. | 7/12/08 19:49 |
Integrating third party identity data
To integrate identity data from third party sources you can:
- Modify Identity lists
- Modify Lists and Lookups
- Create a custom scripted input
Using any of these options maps the identity data and use it as part of the Splunk App for PCI Compliance solution.
Create your identity list
- To create or modify your identity list from within the app, click Configure > Data Enrichment > Identity Management > Lists and Lookups.
- Click Source for static_identities.
- Click Edit to edit the
identities.csv
file. Use the editor to manually make changes or additions to the identities file. One way to add content is to copy data from a spreadsheet (in CSV format) and paste it into the editor. The editor does not validate input. Make sure your changes are correct. - Click Save. The changes are saved to
identities.csv
. You must place this file on each search head in a distributed deployment.
You can also edit the $SPLUNK_HOME/etc/apps/SA-IdentityManagement/lookups/identities.csv
file to make your changes or additions.
Update the list periodically to ensure that the Splunk App for PCI Compliance has reasonably up-to-date identity information. Update at least every quarter.
Modify your identity list
- To modify your identity list from within the app, click Configure > Data Enrichment > Identity Management > Lists and Lookups.
- Click Identities to edit the
identities.csv
file and make your changes or additions. - Click Save. This file must be placed on each search head in a distributed deployment.
Scripted inputs
Note: Splunk platform loads the identities list at search time. You do not need to restart Splunk platform after changes.
You can view Identities at any time by going to Resources > Identity Center in the Splunk App for PCI Compliance.
Identity categories
The category list specifies a list of categories that you can use for the category field in the identities list. The category list can be any set of categories you choose. Common examples are compliance and security standards (such as PCI) governing the identities, or functional categories (such as officer
, pci-analyst
, and so on).
These user categories are available in the Splunk App for PCI Compliance.
Category | Description |
---|---|
cardholder | cardholder user |
contractor | contractor user |
default | default user |
intern | temporary intern user |
officer | user who is an officer of the company |
pci | PCI analyst or PCI compliance manager |
privileged | user with additional privileges |
sox | Sarbanes–Oxley user |
You can edit this list by navigating to Configure > Data Enrichment > Lists and Lookups > Categories. For more information, see "Modify your identity list".
Identities and PCI compliance
In the Identity Center, the Category field displays these identity categories, available for use as filters.
This filter restricts the view to events related to privileged access. You can use the dashboard filters to show only privileged access, or any other identity category.
Privileged accounts: Any account that is known to have administrator or super-user access is considered "privileged" (such as root or administrator accounts).
To edit this list of categories, navigate to Configure > Data Enrichment > Lists and Lookups > Categories. For more information, see Modify your identity list.
Configure user roles
Splunk platform includes a built-in user management system and also provides facilities for integration with external authentication systems such as LDAP or SSO systems. Splunk authentication allows you to add users, assign them to roles, and give those roles custom capabilities as needed for your organization. The Splunk App for PCI Compliance manages access and authentication with permissions and roles. Additional roles are created for the various types of users who work with Splunk App for PCI Compliance.
- Use Settings > Access controls > Users to add users and assign roles.
- Use Settings > Access controls > Roles to set the capabilities that a role has.
See About user authentication in Securing Splunk Enterprise for information about setting up user authentication.
In Splunk platform, the admin
role has (almost) complete administrative access, and that role inherits all capabilities of the other roles. All Splunk platform roles describe additive powers which are potentially inherited by other roles. This design avoids potential conflicts between the capabilities of two or more roles.
Splunk platform has three predefined user roles: admin
, power
, user
. The Splunk App for PCI Compliance adds three additional predefined user roles: pci_admin
, pci_analyst
, pci_user
. Assign all Splunk App for PCI Compliance users appropriate roles in order to perform their duties.
There are three conceptual categories of PCI compliance users used by the Splunk App for PCI Compliance:
- PCI Compliance Manager: Reviews PCI Compliance Posture, Protection Centers, and Audit dashboards in order to understand current PCI Compliance Posture of the organization. PCI Compliance Managers generally do not configure the product or manage incidents.
- PCI Compliance Analyst: Uses PCI Compliance Posture and Incident Review dashboards to manage and investigate PCI compliance incidents. PCI Compliance Analyst are also responsible for reviewing Protection Centers and providing direction on what constitutes a PCI compliance incident. Generally, they define the thresholds used by correlation searches and dashboards. A PCI Compliance Analyst needs to be able to edit correlation searches and create suppressions.
- PCI Compliance Administrator: Installs and maintains Splunk Enterprise and Splunk Apps. This user is responsible for configuring workflow, new data sources, tuning of rules, and troubleshooting the application.
Each user type requires different levels of access to perform its assigned functions. The following table outlines the various capabilities required by the different functions.
Role | PCI Compliance Manager | PCI Compliance Analyst | PCI Compliance Administrator |
---|---|---|---|
pci_user capabilities | yes | yes | yes |
pci_analyst capabilities | yes | yes | |
admin capabilities | yes |
In the following table, each row inherits the role of the rows above it, and the capabilities of that role.
Splunk role | Inheritance | Notes |
---|---|---|
user | Inherits no other roles by default and cannot perform real-time searches. | View PCI compliance dashboards and search notable event indexes. |
pci_user | Inherits the user role.
|
Have all the capabilities of a user , plus the ability to perform real-time searches. This role is assigned by a pci_admin .
|
power | Inherits the user role but does not inherit the pci_user role.
|
Have all the capabilities of a user , in addition to the ability to perform real-time searches.The capabilities of pci_user and power are the same. However, you should use the pci_user role for PCI compliance users to facilitate upgrades with future capabilities.
|
pci_analyst | Inherits the power and user roles' capabilities.
|
Can own notable events and perform workflow status transitions. This role is assigned by a pci_admin .
|
pci_admin | Provides a grouping of capabilities necessary to administer the product. It inherits pci_analyst , pci_user , power , and user roles.
|
Can perform all capabilities of a pci_analyst and pci_user .Can edit correlation searches, edit review statuses, own notable events, and perform all workflow transitions. The pci_admin can also create and assign custom PCI compliance roles. The pci_admin role is a "container" for capabilities required to administer PCI compliance only.
|
admin | The admin role inherits pci_admin , pci_analyst , pci_user , power , and user role capabilities.
|
Can administer the Splunk App for PCI Compliance with no additional capabilities. All Splunk Enterprise administrators are assumed to be PCI compliance administrators. |
Role inheritance
Understanding role inheritance in Splunk platform is critical to managing PCI compliance roles. To delete capabilities (or permissions) from roles, Splunk platform iterates through inheritance relationships. Removing an inherited role has collateral effects.
Editing pci_admin
and removing pci_analyst
from "Inherited Roles" removes any capabilities that were inherited by pci_analyst
, unless they were explicitly granted to pci_admin
.
For example, pci_admin
inherits the pci_analyst
capabilities, and therefore has the can_own_notable_events
capability. Removing can_own_notable_events
from pci_analyst
impacts pci_admin
as well. If an administrator edits the pci_admin
role and explicitly enables the can_own_notable_events
capability, then pci_admin
retains the can_own_notable_events
capability even after removing the inherited pci_analyst
capability of can_own_notable_events
.
Note: The pci_admin
role does not explicitly grant the edit_log_review_settings
capability needed to edit log review settings. This is a known limitation. The admin
role inherits this capability by default.
See Add and edit roles with Splunk Web in Securing Splunk Enterprise.
Set up concurrent searches
By default, Splunk Enterprise only allows three searches to be run concurrently for 'user' and 'power' roles. When you install the Splunk App for PCI Compliance, it increases these values to ten by default because dashboards generally execute more than three searches. You might want to change the number of concurrent searches.
To change the number of concurrent searches, change the default search quota by editing the authorize.conf
file:
Edit the file at $SPLUNK_HOME/etc/system/local/authorize.conf
and set srchJobsQuota
for each role.
See the following example:
[role_user] srchJobsQuota = 15 [role_power] srchJobsQuota = 15
Edit notable event suppression for a new user or role
Allow a new user or role to edit notable event suppressions.
To enable non-admins to have the ability to create notable event suppressions in Splunk Web, do the following:
- Log in as
admin
. - Select Configure > All Configurations > Permissions.
- Select Edit Notable Event Suppression row.
- Select the role (for example, pci_analyst) and select a check box to grant the permission.
- Cilck Save.
The suppression of notable events is an event type. Add the modified role to a list of roles allowed to modify event types.
The second step is make changes to the local.meta
file to add this role to the list:
- Edit the
$SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/metadata/local.meta
file. - Make this addition for the
pci_admin
role:
##access = read : [ * ], write : [ admin,role2,role3 ] [eventtypes] access = read : [ * ], write : [ admin,pci_analyst ]
- Save the file.
- Restart Splunk platform to enable the changes.
Configure assets | Configure Primary Functions list |
This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1
Feedback submitted, thanks!