Splunk® App for PCI Compliance

Installation and Configuration Manual

This documentation does not apply to the most recent version of Splunk® App for PCI Compliance. For documentation on the most recent version, go to the latest release.

Configure assets

Asset list

The asset list provides external information about the devices on your system, such as the asset priority, owner, and business unit. It also provides the geographic location of the asset and the asset's DNS and Windows machine name. You can search on any of these fields from the asset list and use them while you are investigating events.

When an event contains a field that PCI Compliance identifies as belonging to a host or device, Splunk App for PCI Compliance looks up the device in the asset list and generates new fields that contain the information from the asset list. The asset information provides PCI Compliance with contextual information about the systems involved in an event or related to a notable event that can allow a security analyst or incident investigator to identify additional asset information such as asset priority, categories, business unit, owner, and other information.

To learn more about how the assets list is used by the Splunk App for PCI Compliance, see "Asset Management" in the Splunk App for PCI Compliance User Manual.

Asset list location

The asset list is located under the Identity Management supporting add-on:

   $SPLUNK_HOME/etc/apps/SA-IdentityManagement/lookups/assets.csv

Asset fields

The first line of the assets.csv file lists the asset fields used by the Splunk App for PCI Compliance:

    ip,mac,nt_host,dns,owner,priority,lat,long,city,country,bunit,category,
    pci_domain,is_expected,should_timesync,should_update,requires_av

This table describes the necessary fields for an asset list.

Field Description Example
ip IP address (can be a range). Example: 2.0.0.0/8, 1.2.3.4, 192.168.15.9-192.169.15.27
mac The MAC address of the host (can be a range). Example: 00:25:bc:42:f4:60, 00:25:bc:42:f4:60-00:25:bc:42:f4:6F
nt_host The Windows machine name of the host. Example: ACMEapp
dns The DNS name of the host. Example: corp1.acmetech.com
owner The name of the user who owns or uses the host. Example: john.doe
priority The priority of the host. Must be either unknown, informational, low, medium, high, or critical. Example: Must be one of unknown, informational, low, medium, high, or critical
lat The latitude of the asset. Example: 41.040855
long The longitude of the asset. Example: 28.986183
city The city in which the asset is located. Example: Chicago
country The country in which the asset is located. Example: USA
bunit The business unit of the asset. Example: EMEA
category One or more categories for the asset. To specify multiple categories for an asset, use a vertical bar. To use this field, set up the category list. Example: pci, cardholder, pci/cardholder
pci_domain The domain of the host as it pertains to PCI. The domain is used to identify instances where cardholder data may pass to Internet-facing devices (reference PCI requirement 1.3.3). wireless, trust|cardholder, trust|dmz, untrust

Untrust is not a required specification; it is inferred if pci_domain is left empty.

is_expected Indicates whether events from this asset should always be expected. If set to true, an alert is triggered when this asset quits reporting events. Example: true (leave blank to indicate "false")
should_timesync Indicates whether this asset must be monitored for time-syncing events. If true, an alert is triggered if the host has not performed a time-sync event (such as a NTP request). Example: true (leave blank to indicate "false")
should_update Indicates whether this asset must be monitored for system update events. If true, an alert is triggered if the host does not seem to be performing system updates. Example: true (leave blank to indicate "false")
requires_av Indicates whether the asset requires anti-virus software to be installed. Example: true or false

Learn more about asset management in the Splunk App for PCI Compliance User Manual.

Category list

The category list specifies a list of categories that can be used for the category field in the asset list. The category list can be any set of categories. Common examples are compliance and security standards (such as PCI) governing the asset, or functional categories (such as pci, cardholder, and pci|cardholder.).

Create your asset list

To set up the asset list, populate a comma-separated values (CSV) file containing the asset information. Do this by exporting data into CSV format from a existing source.

  1. To view, create, or modify the current asset list, click Configure > Data Enrichment > Identity Management.
  2. Click Source for static_assets
  3. Edit the Asset list. The editor does not check for typographical errors or validate input.
  4. Click Save.

Note: The CSV file must use UNIX line endings. The dos2unix utility can be used to correct line endings in a file produced on Windows or OS X.

Alternatively, the file can be installed to the following path: $SPLUNK_HOME/etc/apps/SA-IdentityManagement/lookups/assets.csv.

Update the list periodically to ensure that the Splunk App for PCI Compliance has the most current information.

You can view Assets in the Asset Center dashboard in the Splunk App for PCI Compliance (Resources > Asset Center).

It is possible to configure a scripted input or use another Splunk app to populate the list if the details are available from an external data source, such as a a database. You can configure automatic updates using a combination of scripted inputs and custom search commands (written in Python). The implementation details depend on the technology that stores the information and are beyond the scope of this document.

Note: Splunk platform loads the identities list at search time. Splunk platform does not need to be restarted after changes.

Last modified on 27 October, 2016
Steps to configure the Splunk App for PCI Compliance   Configure identities

This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters