Splunk® App for PCI Compliance

User Manual

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of Splunk® App for PCI Compliance. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Search macros

The Splunk App for PCI Compliance includes a variety of search macros that can be used to create custom searches and notable events. Search macros can be found in the /default directory of the Domain Add-ons (DA) and Supporting Add-ons (SA) listed here.

Some of these search macros provide data. For example:

`authentication`
`malware`
`ids_attack`
`communicate`
`get_summary`
`get_category`

Some search macros bring in lookup table data. For example:

`assets`
`identities`
`categories`

Other search macros perform lookups. For example:

`get_asset`
`get_identities4events`
`get_correlationsearches`

There are also utility search macros. For example:

`ctime(<timestamp>)`
`get_vendor_product`
`uitime`
`uptime2string`

The back ticks ` denote the start and the end of a search macro definition when used in the Splunk search language. The values (<timestamp>) following the search macro name denote the type and number of arguments used with the macro. Overloaded macros are macros with the same name, but a different number of required arguments.

To learn more about the syntax used in macros see Define search macros in Settings and macros.conf in the Splunk Enterprise documentation.

Access Protection

These search macros are part of SA-AccessProtection.

Search macro Intended purpose Expected data types
`authentication` used to report on access events system access logs, such as ssh, Windows, or database audit
`authentication(<action>)` used to validate success or failure of authentication access system access logs, such as ssh, Windows, or database audit
`account_management` used to report on account management events, such as Create, Update, or Delete actions system audit logs, such as Active Directory or OpenLDAP
`default_local_accounts` used to report usage of default local accounts Special user accounts table and system access logs

Audit and Data Protection

These search macros are part of SA-AuditAndDataProtection.

Search macro intended purpose expected data types
`splunkd_utilization` reports resource utilization of the Splunk data engine process Splunk internal logs
`splunkd_startmode` reports start mode of the Splunk data engine process Splunk internal logs
`index_thruput(<data_source>)` reports throughput of data by index, source, sourcetype, or host Splunk internal logs (metrics.log)
`license_info` reports license utilization level Splunk internal logs (license_audit.log)
`view_activity` reports usage of Splunk apps Splunk internal logs (_internal index, sourcetype splunk_web_access

Endpoint Protection

These search macros are part of SA-EndpointProtection.

Search macro intended purpose expected data types
`cputime` report all processor usage level records performance monitoring data, such as data from Windows or Unix endpoints
`cputime(<machine_name>)` report all processor usage level records for a single machine (cputime(ACME-001)) performance monitoring data, such as data from Windows or Unix endpoints
`cputime(<machine_name>, <top_N_processor_usage_records>)` report the top N processor usage level records for a single machine (cputime(ACME-001,10)) performance monitoring data, such as data from Windows or UNIX endpoints
`disk` report all disk space usage level records performance monitoring data, such as data from Windows or Unix endpoints
`disk(<machine_name>)` report all disk space usage level records for a single machine (disk(ACME-001)) performance monitoring data, such as data from Windows or Unix endpoints
`disk(<machine_name>, <disk_space_usage_level>)` report the top N disk space usage level records for a single machine (disk(ACME-001,10)) performance monitoring data, such as data from Windows or Unix endpoints
`endpoint_change` report system change events endpoint audit logs, such as data from Windows or Unix endpoints
`listeningports` report all records of listening network ports on endpoints performance monitoring data, such as data from Windows or Unix endpoints
`listeningports(<machine_name>)` report all records of listening network ports on a single machine (listeningports(ACME-001)) performance monitoring data, such as data from Windows or Unix endpoints
`listeningports(<machine_name>, <top_N_listening_network_ports>)` report the top N records of listening network ports on a single machine (listeningports(ACME-001,10)) performance monitoring data, such as data from Windows or Unix endpoints
`malware` report malware discovery and cleanup events endpoint protection data, such as from McAfee or Symantec
`memory` report all RAM usage level records performance monitoring data, such as data from Windows or Unix endpoints
`memory(<machine_name>)` report all RAM usage level records for a single machine (disk(ACME-001)) performance monitoring data, such as data from Windows or Unix endpoints
`memory(<machine_name>, <ram_usage_level>)` report the top N RAM usage level records for a single machine (disk(ACME-001,10)) performance monitoring data, such as data from Windows or Unix endpoints
`localprocesses` report all records of running processes on endpoints performance monitoring data, such as data from Windows or Unix endpoints
`localprocesses(<machine_name>)` report all records of running processes on a single machine (localprocesses(ACME-001)) performance monitoring data, such as data from Windows or Unix endpoints
`localprocesses(<machine_name>, <top_N_running_processes>)` report the top N records of running processes on a single machine (localprocesses(ACME-001,10)) performance monitoring data, such as data from Windows or Unix endpoints
`selinuxconfig` report all SE Linux configuration status records for all machines system audit data from Linux endpoints
`selinuxconfig(<machine_name>)` report all SE Linux configuration status records for a single machine (selinuxconfig(ACME-001)) system audit data from Linux endpoints
`selinuxconfig(<machine_name>, <top_N_conf_status_records>)` report the top N SE Linux configuration status records for a single machine (selinuxconfig(ACME-001,10)) system audit data from Linux endpoints
`service` report all records of running services on endpoints (note that "service" is used generically to refer to Windows or UNIX system services) performance monitoring data, such as data from Windows or Unix endpoints
`service(<machine_name>)` report all records of running services on a single machine (service(ACME-001)) performance monitoring data, such as data from Windows or Unix endpoints
`service(<machine_name>, <top_N_running_services>)` report the top N records of running services on a single machine (service(ACME-001,10)) performance monitoring data, such as data from Windows or Unix endpoints
`sshdconfig` report all SSHD configuration status records for all machines system audit data from UNIX or Linux endpoints
`sshdconfig(<machine_name>)` report all SSHD configuration status records for a single machine (sshdconfig(ACME-001)) system audit data from UNIX or Linux endpoints
`sshdconfig(<machine_name>, <top_N_SSHD_config_status_records>)` report the top N SSHD configuration status records for a single machine (sshdconfig(ACME-001,10)) system audit data from UNIX or Linux endpoints
`time_sync` report all time synchronization status records from all endpoints system audit data, such as data from Windows or Unix endpoints
`time_sync(<action>)` report successful or failed time synchronization status record from all endpoints (time_sync(success)) system audit data, such as data from Windows or Unix endpoints
`index_time_delta` report time synchronization problems on endpoints by evaluating difference between reported time and actual time at indexing events Splunk internal logs
`ntp_startmode` report all time synchronization service start mode records from all endpoints (note that any service tagged "time" will be reported, not just ntpd) system audit data, such as from Windows or UNIX endpoints
`ntp_startmode(<endpoint_name>)` report all time synchronization service start mode records from a single endpoint. Note that any service tagged "time" will be reported, not just UNIX ntpd. (ntp_startmode(ACME-001)) system audit data, such as from Windows or UNIX endpoints
`system_update` report patching status on endpoints system audit data, such as from Windows or UNIX endpoints
`update_startmode` report patching service status records from all endpoints (note that any service tagged "update" will be reported) system audit data, such as from Windows or UNIX endpoints
`update_startmode(<endpoint_name>)` report all patching service status records from a single endpoint. Note that any service tagged "update" will be reported. (update_startmode(ACME-001)) system audit data, such as from Windows or UNIX endpoints
`uptime` report all OS uptime records from all endpoints system audit data, such as from Windows or UNIX endpoints
`uptime(<endpoint_name>)` report all OS uptime records from a single endpoint. (uptime(ACME-001)) system audit data, such as from Windows or UNIX endpoints
`uptime(<endpoint_name>, <top_N_OS_uptime_records>)` report the top N OS uptime records from a single endpoints. (uptime(ACME-001,10)) system audit data, such as from Windows or UNIX endpoints
`useraccounts` reports all user account status records, management events, and password information records gathered from all endpoints system audit data, such as from Windows or UNIX endpoints
`useraccounts(<endpoint_name>)` reports all user account status records, management events, and password information records gathered from a single endpoint. (useraccounts(ACME-001)) system audit data, such as from Windows or UNIX endpoints
`useraccounts(<endpoint_name>, <top_N_user_account_status_records>)` reports the top N user account status records, management events, and password information records gathered from a single endpoint. (useraccounts(ACME-001,10)) system audit data, such as from Windows or UNIX endpoints
`system_version` report all raw events that operating system names and versions have been discovered from vulnerability scanners such as Nessus or OSSEC, and/or system audit data, such as from Windows or UNIX endpoints

Identity Management

These search macros are part of SA-IdentityManagement.

Macro Intended purpose Expected data types
`get_bunit(<business_unit_name>)` search `get_bunit(EMEA)` Assets and Identities lookups must be populated with business unit information.
`get_category(<category_name>)` search `get_category(email_servers)` Assets and Identities lookups must be populated with category information.
`asset_search(<asset_name>)` Find all records associated with a single asset by searching the asset-related fields and leveraging unspecified asset correlation information. For instance, asset_search(ACME-001) can find records via the machine's IP or MAC address, using source or destination fields. The Assets lookup must be populated with enough information about the asset to identify non-directly related fields.
`get_events4identity(<name_compound>, <string_to_match>)` Return the events associated with a given identity using any field from the Identities table. For instance, get_events4identity(email,jdoe@acmetech.com) can find records associated with the identity that the email address is associated with. Stack the command for more precise usage, such as get_events4identity(first,John) get_events4identity(last,Doe) The Identities lookup must be populated with enough information about the identity to identify non-directly related fields.
`identity_search(<identity_field_name>)` Find all records associated with a single identity specified with any field by searching the identity-related fields and leveraging unspecified identity correlation information. For instance, identity_search(jdoe@acmetech.com) can find records via the person's email address, Active Directory login, SAP account name, or phone number, using applicable fields. The Identities lookup must be populated with enough information about the identity to identify non-directly related fields.
`identity_search(<first_name>, <last_name>)` Find all records associated with a single identity specified with first and last name by searching the identity-related fields and leveraging unspecified identity correlation information. For instance, identity_search(John,Doe) can find records via the person's email address, Active Directory login, SAP account name, or phone number, using applicable fields. The Identities lookup must be populated with enough information about the identity to identify non-directly related fields.
`sessions` Reports all discovered network sessions. Sessions are tracked for VPN and DHCP logs. VPN or DHCP logs.

Network Protection

These search macros are part of SA-NetworkProtection.

Macro Intended purpose Expected data types
`communicate` Display networking data. Firewall logs
`communicate(<action>)` Display networking data by action (allowed or blocked). Firewall logs
`network_change` Display records of network change events Operational logs from network infrastructure devices
`ids_attack` Display all detected intrusion event records Intrusion Detection System and Intrusion Prevention System logs, (including network-based, host-based, and other types).
`proxy` Display web proxy events Web proxy server logs
`vulnerability` Display discovered vulnerability data. Vulnerability scanners, such as Nessus.


Threat Intelligence

These search macros are part of SA-ThreatIntelligence.

Macro Intended purpose Expected data types
`notable` Displays Notable Events with proper rendering the app's _notable index
`suppression_audit` Reports suppression events from audit logs The Notable Event Suppression feature needs to be used for this to have effect.
`suppression_audit-expired` Reports suppression expirations The Notable Event Suppression feature needs to be used for this to have effect.
`suppressed_notables` Reports suppressed Notable Events The Notable Event Suppression feature needs to be used for this to have effect.
Last modified on 27 October, 2016
PREVIOUS
Search View Matrix
  NEXT
FAQ

This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.4.0, 3.4.1, 3.4.2, 3.5.0, 3.6.0, 3.6.1, 3.7.0, 3.7.1, 3.7.2, 3.8.0, 3.8.1, 4.0.0, 4.0.1, 4.1.0, 4.1.1, 4.3.0, 4.4.0, 4.4.1, 4.5.0 Cloud only, 4.6.0, 4.6.2


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters