Components of the Splunk App for PCI Compliance
The Splunk App for PCI Compliance lets you to monitor and search the data indexed from your PCI cardholder data environment (CDE).
Data from your PCI CDE is monitored and tagged by Splunk forwarders and sent to Splunk indexers. The indexers perform custom categorization and field extractions for the Splunk App for PCI Compliance. From Splunk Web and the Splunk App for PCI Compliance, you can search the indexed data directly, and review key dashboards and reports.
- The Splunk App for PCI Compliance (for Splunk Enterprise Security) is a single domain add-on that includes the PCI-specific content. called DA-ESS-PCICompliance.
- The Splunk App for PCI Compliance (for Splunk Enterprise) includes that domain add-on in addition to supporting add-ons and technology add-ons from the Splunk Enterprise Security framework.
Type of Add-on | Description |
---|---|
Domain Add-on | Domain add-ons are specialized add-ons that are included to provide domain-specific reports and correlation searches. DA-ESS-PCICompliance provides the reports and correlation searches specific to PCI compliance. |
Supporting Add-ons | Supporting add-ons are specialized add-ons that make up the Splunk Enterprise Security framework. These add-ons include the notable event framework, shared saved searches, and other app components that are not specific to PCI Compliance but are used to provide functionality such as incident review and investigation. |
Technology Add-ons | Technology add-ons are specialized add-ons that help to map and normalize data feeds from specific sources in your Splunk environment for use within the Splunk App for PCI Compliance. The add-ons can include a feed to help gather data from a source, and a map that normalizes the data to the Splunk Common Information Model. These add-ons are shared with Splunk Enterprise Security. |
Within the domain add-ons and supporting add-ons, there are a number of important files that need to be called out. These files are necessary to understand how to configure the Splunk App for PCI Compliance. All of these files can be modified from within the Splunk App for PCI Compliance configuration interface.
Name | File Location | Description |
---|---|---|
PCI Views | Splunk_DA-ESS_PCICompliance/lookups/pci_views.csv | List of reports and mapping to main PCI DSS requirement. |
Expected Views | SA-AuditAndDataProtection/lookups/expected_views.csv | Views that are audited. |
Prohibited Traffic | SA-NetworkProtection/lookups/prohibited_traffic.csv | Traffic that generates notable events when detected. |
Identities | SA-IdentityManagement/lookups/identities.csv | List of identities associated with Identity Correlation. |
Assets | SA-IdentityManagement/lookups/assets.csv | List of assets associated with Asset Correlation. |
Categories List | SA-IdentityManagement/lookups/categories.csv | Categories that apply to assets and identities. |
PCI Domains List | SA-IdentityManagement/lookups/pci_domains.csv | List of PCI domain labels. |
Urgency Matrix | SA-ThreatIntelligence/lookups/urgency.csv | List of defined urgency levels. |
Get support and find information about Splunk software | Identify data sources |
This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1, 3.3.0, 3.3.1, 3.3.2, 3.3.3
Feedback submitted, thanks!