Data management overview
The Splunk App for PCI Compliance works with Splunk software and supports all CIM-compliant data ingestion methods. After the app is installed and configured, solution administrators can start to add data to the Splunk deployment.
Getting data into the Splunk App for PCI Compliance takes some planning about how to collect it from each source. When you set up a data input for the app, make sure the data is mapped by a technology add-on so that it is normalized to the Common Information Model and assigned the correct source type; data that arrives with the wrong source type is not picked up by the app's searches and dashboards.
Considerations for data inputs with PCI compliance
You can use each of the main approaches for Splunk data inputs (monitoring files, monitoring network ports, monitoring Windows and Unix data, and deploying custom scripted inputs) with the Splunk App for PCI Compliance. Some approaches work better than others because the input data must be assigned the correct source type.
- Monitoring files: Deploy a forwarder on each system where you want to monitor files and source type the file inputs on the forwarder. If there is a large number of forwarders with identical configurations, use the deployment server to set up and manage the logging sources across your forwarders.
- Monitoring network ports: You can send data to a forwarder or directly to an indexer on any TCP or UDP port. Be careful when sending data from multiple sources over the same port: everything that arrives on a port receives the source type configured for that input, so mixing device types on one port leaves some of the data mistyped unless you separate the sources by port or override the source type per sending host. See the Get data from TCP and UDP ports section in Getting Data In.
- Monitoring Windows data: To implement Windows eventlog monitoring, deploy a forwarder on each system. If there is a large number of forwarders with identical configurations, use the Splunk Enterprise deployment server to set up and manage the logging sources across your forwarders.
- Scripted inputs: A scripted input is a flexible input type that collects data from APIs and remote data interfaces. See Get data from APIs and other remote data interfaces through scripted inputs in Getting Data In.
Source typing
Set the correct source type so that data is properly processed by the Splunk platform and usable by the Splunk App for PCI Compliance. The app works with all types of inputs. Technology add-ons provide the search-time knowledge that maps each source type's fields to the normalized fields the app expects.
For more information about automatic source typing, see Why source types matter in Getting Data In.
Identify assets
To get the most out of the Splunk App for PCI Compliance, you must provide information about the assets, which are the devices and systems in the environment. This can be done by using the asset list, a comma-separated values (CSV) lookup file with contextual information about your systems, information that cannot be gathered from events themselves. Augmenting events with additional asset information helps security analysts and incident investigators. Populate the asset list either by building an automated capture from an existing asset database or by populating the file manually.
The asset list includes a number of fields used by the dashboards and correlation searches in the app. Splunk App for PCI Compliance still functions without an asset list, but the functionality for some dashboards and features is incomplete. Some of the important fields in the asset list include:
ip, mac, nt_host, dns, owner
- Asset information. These fields identify the asset and its owner, and are used to provide details about current assets in the Splunk App for PCI Compliance.
priority
- Assets by priority. This field is used to determine the urgency of the notable events associated with security incidents involving the asset.
category
- Asset category. This field is used to define systems that are in scope for PCI and/or contain cardholder data. Categories are configurable and are defined in a separate category list. Used by many Splunk App for PCI Compliance dashboards to filter the view. Common examples are compliance and security standards governing the asset, or functional categories (such as server, domain_controller, and so on). An asset can be included in multiple categories by assigning a pipe-delimited list of categories in the asset list (for example, pci|cardholder|server).
pci_domain
- PCI domain. This field is used to specify the network zone the asset is found within. An asset can be included in multiple PCI domains by assigning a pipe-delimited list of domains in the asset list. The following values are supported by default: trust, trust|wireless, trust|cardholder, trust|dmz, and untrust.
bunit
- Assets by business unit. A free-form field that specifies the business unit the asset is part of. Used by many Splunk App for PCI Compliance dashboards to restrict the view.
Assets are defined in a CSV lookup file that ships with the Identity Management supporting add-on: $SPLUNK_HOME/etc/apps/SA-IdentityManagement/lookups/assets.csv. Populate this file with the correct asset information for your infrastructure. The CSV file can be constructed manually or populated by a script that pulls the information from an existing asset table or database. Keep the header row as shipped, because the lookup definition resolves columns by those field names. See Configure assets in this manual.
Identify system identities
The Splunk App for PCI Compliance needs to have information about the identities who use the system. Create an identity list, which is a list of account names, legal names, nicknames, alternate names, and phone numbers within your organization. The identity list provides information used to correlate identities (individuals) with both events and assets.
Identities are defined in a CSV lookup file that ships with the Identity Management supporting add-on: $SPLUNK_HOME/etc/apps/SA-IdentityManagement/lookups/identities.csv. Populate this file with the identity information for your infrastructure. The CSV file can be constructed manually or populated by a script that pulls the information from an existing identity table or database. As with the asset list, keep the header row as shipped.
The identity list includes a number of fields that are used by the dashboards and correlation searches in PCI Compliance. Splunk App for PCI Compliance still functions without an identity list, but the functionality for some dashboards and features is incomplete. Some of the important fields in the identity list include:
- Identities by Priority: Used to determine the urgency of the notable events associated with security incidents involving identities.
- Identities by Business Unit: Used by many PCI Compliance dashboards to restrict the view to a particular business unit. A free-form field that specifies the business unit the identity belongs to.
- Identities by Category: Used by many PCI Compliance dashboards to restrict the view. Categories are configurable and are defined in a separate category list. Common examples are compliance and security standards governing the identity, or functional categories (such as server, domain_controller, and so on). You can include an identity in multiple categories by assigning a pipe-delimited list of categories in the identity list (for example, pci|cardholder|server).
- Identities: Used to view details of the current identities in the system.
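The asset and identity sections above both describe populating a CSV lookup, by hand or from a script that reads an existing inventory, with pipe-delimited multi-valued fields such as category and pci_domain. The following script is an added example, not code from Splunk or from the app, showing how such a script can build and validate rows for both lookups from one inventory export. The asset field names (ip, mac, nt_host, dns, owner, priority, category, pci_domain, bunit) and the default pci_domain values come from this page; the priority vocabulary, the identity column names, and the sample inventory records are assumptions, so match them against the headers of the assets.csv and identities.csv files shipped in SA-IdentityManagement before loading anything.

```python
# Added example, not Splunk's code: build assets.csv and identities.csv rows
# from an inventory export. Asset field names come from the documentation; the
# priority vocabulary, identity column names and sample records are assumptions.
import csv
import io
import ipaddress
import re

# Default pci_domain values from the documentation; a field may hold several
# domains pipe-delimited, so validation checks each token.
SUPPORTED_PCI_DOMAINS = ("trust", "trust|wireless", "trust|cardholder",
                         "trust|dmz", "untrust")
PCI_DOMAIN_TOKENS = {t for v in SUPPORTED_PCI_DOMAINS for t in v.split("|")}
PRIORITIES = {"unknown", "low", "medium", "high", "critical"}  # assumed
ASSET_FIELDS = ["ip", "mac", "nt_host", "dns", "owner", "priority",
                "bunit", "category", "pci_domain"]
IDENTITY_FIELDS = ["identity", "nick", "first", "last", "phone",
                   "priority", "bunit", "category"]  # assumed column names

def normalize_mac(mac):
    """Return a MAC as lowercase colon-separated hex; raise on junk."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("invalid MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def join_multi(values):
    """Pipe-join a multi-valued field, dropping blanks and duplicates in order."""
    kept = []
    for v in values:
        v = (v or "").strip()
        if v and v not in kept:
            kept.append(v)
    return "|".join(kept)

def check_priority(value):
    priority = (value or "unknown").lower()
    if priority not in PRIORITIES:
        raise ValueError("unknown priority: %r" % value)
    return priority

def asset_row(rec):
    """Map one inventory record (a dict) to a validated assets.csv row."""
    domains = join_multi(rec.get("pci_domain", []))
    bad = [t for t in domains.split("|") if t and t not in PCI_DOMAIN_TOKENS]
    if bad:
        raise ValueError("unsupported pci_domain token(s): %s" % ", ".join(bad))
    return {
        "ip": str(ipaddress.ip_address(rec["ip"])),  # ValueError if not an IP
        "mac": normalize_mac(rec["mac"]) if rec.get("mac") else "",
        "nt_host": rec.get("nt_host", ""),
        "dns": rec.get("dns", "").lower(),
        "owner": rec.get("owner", ""),
        "priority": check_priority(rec.get("priority")),
        "bunit": rec.get("bunit", ""),
        "category": join_multi(rec.get("category", [])),
        "pci_domain": domains,
    }

def identity_row(rec):
    """Map one directory record to an identities.csv row; account names are pipe-joined."""
    return {
        "identity": join_multi(rec.get("identity", [])),
        "nick": rec.get("nick", ""),
        "first": rec.get("first", ""),
        "last": rec.get("last", ""),
        "phone": rec.get("phone", ""),
        "priority": check_priority(rec.get("priority")),
        "bunit": rec.get("bunit", ""),
        "category": join_multi(rec.get("category", [])),
    }

def render_csv(rows, fieldnames):
    """Render rows as CSV text whose header matches the lookup definition."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

# Constructed sample inventory; hosts, addresses and people are not real.
SAMPLE_ASSETS = [
    {"ip": "10.20.30.40", "mac": "00-1A-2B-3C-4D-5E", "nt_host": "PAY-DB-01",
     "dns": "PAY-DB-01.example.internal", "owner": "dba-team",
     "priority": "critical", "bunit": "payments",
     "category": ["pci", "cardholder", "server"],
     "pci_domain": ["trust", "cardholder"]},
    {"ip": "192.0.2.10", "dns": "vpn-gw.example.net", "owner": "netops",
     "priority": "high", "bunit": "infra", "category": ["pci", "dmz"],
     "pci_domain": ["trust", "dmz"]},
]
SAMPLE_IDENTITIES = [
    {"identity": ["jdoe", "jdoe@example.internal", "jdoe"], "nick": "JD",
     "first": "Jane", "last": "Doe", "phone": "+1-555-0100", "priority": "high",
     "bunit": "payments", "category": ["pci", "cardholder"]},
]

def build_asset_csv(records=SAMPLE_ASSETS):
    return render_csv([asset_row(r) for r in records], ASSET_FIELDS)

def build_identity_csv(records=SAMPLE_IDENTITIES):
    return render_csv([identity_row(r) for r in records], IDENTITY_FIELDS)
```

Rejecting a record with an unsupported pci_domain token, a malformed IP or an unknown priority at build time is deliberate: a silently mistyped row would not error in Splunk, it would just leave the asset unmatched or outside the PCI scope filters on the dashboards. Calling build_asset_csv() or build_identity_csv() returns the CSV text; write it over the shipped lookup only after confirming the header row matches.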
This documentation applies to the following versions of Splunk® App for PCI Compliance: 2.1.1, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1