Splunk® App for PCI Compliance

Installation and Configuration Manual


This documentation does not apply to the most recent version of PCI.

Configure a custom report

The Splunk App for PCI Compliance provides reports for different aspects of your PCI compliance. Each report (or dashboard) in the Splunk App for PCI Compliance has an XML file, such as pci_malware_activity.xml, that describes the information used in the report, which notable events provide the data, and how that data is displayed. These reports are included as part of the app.

To add a custom report to your deployment, first create the XML file for your report. See About the Dashboard Editor in the Dashboards and Visualizations manual.

Choose the domain that the report applies to

A report is associated, or categorized, with a domain within the app. In the Splunk App for PCI Compliance, these categories are shown in the Reports tab. The categories are:

  • R1: Network Traffic
  • R2: Default Configuration
  • R3: Protect Data at Rest

To have the new report show up in the correct place in the app navigation (or correct location in the menu bar), you must choose the category domain that the report applies to.

The custom report must be referenced in the correct domain section of the navigation XML file. Within the navigation file (default.xml), the categories look like this:

    <collection label="Reports">
        <collection label="R1: Network Traffic">
            <view name="pci_communication_rule_activity"/>
            <view name="pci_traffic_activity"/>
            <view name="pci_prohibited_services"/>
        </collection>
        <collection label="R2: Default Configurations">
            <view name="pci_default_account_access"/>
            <view name="pci_insecure_authentication_attempts"/>
            <view name="pci_system_inventory"/>
            <view name="pci_primary_functions"/>
            <view name="pci_prohibited_services"/>
            <view name="pci_system_misconfiguration"/>
            <view name="pci_weak_encrypted_communication"/>
            <view name="pci_wireless_misconfiguration"/>
            <!-- ADD HERE -->
        </collection>
        <!-- remaining categories not shown -->
    </collection>


Add the report to the navigation (menu bar)

To add your custom report (your_report.xml) to the app, add it to the navigation XML file, which defines the menu items in the app. Each app has only one navigation file ($SPLUNK_HOME/etc/apps/Splunk_DA-ESS_PCICompliance/local/data/ui/views/nav/default.xml). You must associate the new report with a domain.

  1. Select Settings > User interface > Navigation menus.
  2. Click default next to Splunk_DA-ESS_PCICompliance. An editor displays the navigation file for the Splunk App for PCI Compliance.
  3. Choose the category domain for the new report. This is the location in the default.xml file where you reference your custom report file (your_report.xml).
  4. Add the custom report to the default.xml file and save the file.
  5. Restart the Splunk platform for the changes to take effect.

Note: When you open default.xml, you are looking at the default copy of the file. When you save, your changes are saved to a local version of the file.

For example, to add your report to Monitor & Test, add the path to the your_report.xml file and the display name in default.xml as shown in the following code snippet.

    <collection label="Monitor &amp; Test">
        <a href='/app/SplunkPCIComplianceSuite/pci_asset_logging?category=pci'>PCI Asset Logging</a>
        <a href='/app/SplunkPCIComplianceSuite/your_report.xml?category=pci'>Your custom report</a>
    </collection>
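A hand-edited navigation file that is no longer well-formed XML (an unclosed collection, a bare & in a label) is the most likely way for this procedure to go wrong. The following Python sketch is an added example, not Splunk's own code: it adds a view reference to one category and rejects malformed input before anything is saved. The function names, the `<nav>` root element and the sample file are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a cut-down navigation file using labels and view names
# shown on this page. The <nav> root element is an assumption.
SAMPLE_NAV = """<nav>
  <collection label="Reports">
    <collection label="R1: Network Traffic">
      <view name="pci_traffic_activity"/>
    </collection>
    <collection label="R2: Default Configurations">
      <view name="pci_system_inventory"/>
    </collection>
  </collection>
  <collection label="Monitor &amp; Test"/>
</nav>"""


def add_view(nav_xml, category_label, view_name):
    """Return nav_xml with <view name=view_name/> appended to the collection
    labelled category_label. Raises ValueError on malformed XML or when the
    category is missing or ambiguous; re-adding an existing view is a no-op."""
    try:
        root = ET.fromstring(nav_xml)
    except ET.ParseError as exc:
        raise ValueError(f"navigation XML is not well-formed: {exc}") from exc
    matches = [c for c in root.iter("collection")
               if c.get("label") == category_label]
    if len(matches) != 1:
        raise ValueError(f"expected one collection labelled "
                         f"{category_label!r}, found {len(matches)}")
    target = matches[0]
    if not any(v.get("name") == view_name for v in target.findall("view")):
        ET.SubElement(target, "view", {"name": view_name})
    # Serializing through the parser re-escapes characters such as & in labels.
    return ET.tostring(root, encoding="unicode")


def views_in(nav_xml, category_label):
    """List the view names referenced directly under one category."""
    root = ET.fromstring(nav_xml)
    for coll in root.iter("collection"):
        if coll.get("label") == category_label:
            return [v.get("name") for v in coll.findall("view")]
    return []
```

Run it against a copy of the navigation file and paste the result into the editor, rather than writing to the app directory directly.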

Email a report

You can configure the Splunk App for PCI Compliance to email a report, either attached to the email as an HTML file or included inline in the email body. See Define actions for your scheduled report with the Edit Schedule dialog in the Reporting Manual.

Last modified on 13 February, 2018

This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.4.0, 3.4.1, 3.4.2
