The asset list provides external information about the devices on your system, such as the asset priority, owner, and business unit. It also provides the geographic location of the asset and the asset's DNS and Windows machine name. You can search on any of these fields from the asset list and use them while you are investigating events.
When an event contains a field that PCI Compliance identifies as belonging to a host or device, Splunk App for PCI Compliance looks up the device in the asset list and generates new fields that contain the information from the asset list. The asset information provides PCI Compliance with contextual information about the systems involved in an event or related to a notable event that can allow a security analyst or incident investigator to identify additional asset information such as asset priority, categories, business unit, owner, and other information.
Asset list location
The asset list is located under the Identity Management supporting add-on:
The first line of the
assets.csv file lists the asset fields used by the Splunk App for PCI Compliance:
This table describes the necessary fields for an asset list.
|ip||IP address (can be a range).||Example: 22.214.171.124/8, 126.96.36.199, 192.168.15.9-188.8.131.52|
|mac||The MAC address of the host (can be a range).||Example: 00:25:bc:42:f4:60, 00:25:bc:42:f4:60-00:25:bc:42:f4:6F|
|nt_host||The Windows machine name of the host.||Example: ACMEapp|
|dns||The DNS name of the host.||Example: corp1.acmetech.com|
|owner||The name of the user who owns or uses the host.||Example: john.doe|
|priority||The priority of the host. Must be either unknown, informational, low, medium, high, or critical.||Example: Must be one of unknown, informational, low, medium, high, or critical|
|lat||The latitude of the asset.||Example: 41.040855|
|long||The longitude of the asset.||Example: 28.986183|
|city||The city in which the asset is located.||Example: Chicago|
|country||The country in which the asset is located.||Example: USA|
|bunit||The business unit of the asset.||Example: EMEA|
|category||One or more categories for the asset. To specify multiple categories for an asset, use a vertical bar. To use this field, set up the category list.||Example: pci, cardholder, pci/cardholder|
|pci_domain||The domain of the host as it pertains to PCI. The domain is used to identify instances where cardholder data may pass to Internet-facing devices (reference PCI requirement 1.3.3).||wireless, trust|cardholder, trust|dmz, untrust|
Untrust is not a required specification; it is inferred if pci_domain is left empty.
|is_expected||Indicates whether events from this asset should always be expected. If set to true, an alert is triggered when this asset quits reporting events.||Example: true (leave blank to indicate "false")|
|should_timesync||Indicates whether this asset must be monitored for time-syncing events. If true, an alert is triggered if the host has not performed a time-sync event (such as a NTP request).||Example: true (leave blank to indicate "false")|
|should_update||Indicates whether this asset must be monitored for system update events. If true, an alert is triggered if the host does not seem to be performing system updates.||Example: true (leave blank to indicate "false")|
|requires_av||Indicates whether the asset requires anti-virus software to be installed.||Example: true or false|
The category list specifies a list of categories that can be used for the category field in the asset list. The category list can be any set of categories. Common examples are compliance and security standards (such as PCI) governing the asset, or functional categories (such as
Create your asset list
To set up the asset list, populate a comma-separated values (CSV) file containing the asset information. Do this by exporting data into CSV format from a existing source.
- To view, create, or modify the current asset list, click Configure > Data Enrichment > Identity Management.
- Click Source for static_assets
- Edit the Asset list. The editor does not check for typographical errors or validate input.
- Click Save.
Note: The CSV file must use UNIX line endings. The
dos2unix utility can be used to correct line endings in a file produced on Windows or OS X.
Alternatively, the file can be installed to the following path:
Update the list periodically to ensure that the Splunk App for PCI Compliance has the most current information.
You can view Assets in the Asset Center dashboard in the Splunk App for PCI Compliance (Resources > Asset Center).
It is possible to configure a scripted input or use another Splunk app to populate the list if the details are available from an external data source, such as a a database. You can configure automatic updates using a combination of scripted inputs and custom search commands (written in Python). The implementation details depend on the technology that stores the information and are beyond the scope of this document.
Note: Splunk platform loads the identities list at search time. Splunk platform does not need to be restarted after changes.
Steps to configure the Splunk App for PCI Compliance
This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1