Splunk® App for PCI Compliance

Installation and Configuration Manual

This documentation does not apply to the most recent version of PCI.

Components of the Splunk App for PCI Compliance

The Splunk App for PCI Compliance lets you monitor and search the data indexed from your PCI cardholder data environment (CDE).

Data from your PCI CDE is monitored and tagged by Splunk forwarders and sent to Splunk indexers. The indexers perform custom categorization and field extractions for the Splunk App for PCI Compliance. From Splunk Web and the Splunk App for PCI Compliance, you can search the indexed data directly, and review key dashboards and reports.

  • The Splunk App for PCI Compliance (for Splunk Enterprise Security) is a single domain add-on, called DA-ESS-PCICompliance, that includes the PCI-specific content.
  • The Splunk App for PCI Compliance (for Splunk Enterprise) includes that domain add-on in addition to supporting add-ons and technology add-ons from the Splunk Enterprise Security framework.

| Type of Add-on | Description |
| --- | --- |
| Domain Add-on | Domain add-ons are specialized add-ons that are included to provide domain-specific reports and correlation searches. DA-ESS-PCICompliance provides the reports and correlation searches specific to PCI compliance. |
| Supporting Add-ons | Supporting add-ons are specialized add-ons that make up the Splunk Enterprise Security framework. These add-ons include the notable event framework, shared saved searches, and other app components that are not specific to PCI Compliance but are used to provide functionality such as incident review and investigation. |
| Technology Add-ons | Technology add-ons are specialized add-ons that help to map and normalize data feeds from specific sources in your Splunk environment for use within the Splunk App for PCI Compliance. The add-ons can include a feed to help gather data from a source, and a map that normalizes the data to the Splunk Common Information Model. These add-ons are shared with Splunk Enterprise Security. |

Several files within the domain add-ons and supporting add-ons are important for understanding how to configure the Splunk App for PCI Compliance. You can modify all of these files from within the Splunk App for PCI Compliance configuration interface.

| Name | File Location | Description |
| --- | --- | --- |
| PCI Views | Splunk_DA-ESS_PCICompliance/lookups/pci_views.csv | List of reports and mapping to main PCI DSS requirement. |
| Expected Views | SA-AuditAndDataProtection/lookups/expected_views.csv | Views that are audited. |
| Prohibited Traffic | SA-NetworkProtection/lookups/prohibited_traffic.csv | Traffic that generates notable events when detected. |
| Identities | SA-IdentityManagement/lookups/identities.csv | List of identities associated with Identity Correlation. |
| Assets | SA-IdentityManagement/lookups/assets.csv | List of assets associated with Asset Correlation. |
| Categories List | SA-IdentityManagement/lookups/categories.csv | Categories that apply to assets and identities. |
| PCI Domains List | SA-IdentityManagement/lookups/pci_domains.csv | List of PCI domain labels. |
| Urgency Matrix | SA-ThreatIntelligence/lookups/urgency.csv | List of defined urgency levels. |

This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1, 3.3.0, 3.3.1, 3.3.2, 3.3.3

