Splunk® App for PCI Compliance

User Manual

This documentation does not apply to the most recent version of Splunk® App for PCI Compliance. For documentation on the most recent version, go to the latest release.

Audit dashboards

Audit dashboards in the Splunk App for PCI Compliance provide the ability to audit different areas and activities in your PCI compliance environment. Audit dashboards are shared with the Splunk Enterprise Security framework.

Use the audit dashboards to validate the security and integrity of the data in Splunk App for PCI Compliance. Ensure that forwarders are functioning, that data has not been tampered with and is secured in transmission, and that analysts are reviewing the notable events detected by correlation searches.

Incident Review Audit

The Incident Review Audit dashboard provides an overview of incident review activity. The panels display how many incidents are being reviewed and by which user, along with a list of the most recently reviewed events. The metrics on this dashboard allow security managers to review the activities of analysts.

Panel | Description
Review Activity by Reviewer | Displays the number of events reviewed by each user. This panel is useful for determining which user is performing the incident reviews and whether the total number of incidents reviewed is changing over time. The drilldown opens a search with all activity by the selected reviewer.
Top Reviewers | Displays the top users that have performed incident reviews. The panel includes details for each user, including the date they first performed an incident review, the date they last performed a review, and the total number of incidents reviewed. The drilldown opens a search with all activity by the selected reviewer.
Notable Events By Status - Last 48 Hours | Displays the status, count, and urgency for all notable events in the last 48 hours. This panel is useful for determining whether the incident review users are keeping up with incidents, or whether a backlog of unreviewed incidents is forming. The drilldown opens the Incident Review dashboard and searches on the selected urgency and status over the last 48 hours.
Notable Events By Owner - Last 48 Hours | Displays the owner, count, and urgency for all notable events in the last 48 hours. This panel is useful for determining how many events are assigned to a user and the urgency of those events. The drilldown opens the Incident Review dashboard and searches on the selected urgency over the last 48 hours.
Mean Time to Triage - Last 14 days | Displays the average time it took for a notable event to be triaged after it was created over the last 14 days, split by the name of the notable event. This panel is useful for determining how quickly analysts are triaging notable events, or whether certain types of events take longer to triage than others. The drilldown opens the Incident Review dashboard and searches on the matching notable event names over the last 14 days.
Mean Time to Closure - Last 60 days | Displays the average time it took for a notable event to be closed after it was created over the last 60 days, split by the name of the notable event. This panel is useful for determining how long it takes to close certain types of notable event investigations. The drilldown opens the Incident Review dashboard and searches on the matching notable event names that have a status of closed from the last 60 days.
Recent Review Activity | Displays the 10 most recent changes on the Incident Review dashboard, such as triage actions. The drilldown opens a search with the selected rule ID.

Data sources

The reports in the Incident Review Audit dashboard reference fields in the notable index and the incident review objects in a KV store collection.
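The Mean Time to Triage, Mean Time to Closure and Notable Events By Status metrics described above, computed over a constructed set of notable events as an added illustration (example code, not part of the Splunk documentation or the app's own searches; the record layout, rule names and status values are assumptions, not the notable index or KV store schema):

```python
from datetime import datetime, timedelta
from statistics import mean

# Reference "now" and a constructed sample of notable events. The record layout
# (rule_name, created, reviews as (time, status) pairs) is an assumption for
# this example, not the schema of the notable index or incident review KV store.
NOW = datetime(2018, 1, 26, 12, 0)
H = timedelta(hours=1)
NOTABLES = [
    {"rule_name": "Excessive Failed Logins", "created": NOW - 30 * H,
     "reviews": [(NOW - 29 * H, "in progress"), (NOW - 20 * H, "closed")]},
    {"rule_name": "Excessive Failed Logins", "created": NOW - 10 * H,
     "reviews": [(NOW - 7 * H, "in progress")]},
    {"rule_name": "Malware Detected", "created": NOW - 40 * H,
     "reviews": [(NOW - 38 * H, "in progress"), (NOW - 30 * H, "resolved"),
                 (NOW - 28 * H, "closed")]},
    {"rule_name": "Malware Detected", "created": NOW - 5 * H, "reviews": []},
    {"rule_name": "Malware Detected", "created": NOW - 100 * H,
     "reviews": [(NOW - 99 * H, "closed")]},
]

def mean_time_to(notables, reached, window, now=NOW):
    """Mean seconds from creation to the first review whose status satisfies
    reached(), for events created within window, split by rule name. Events that
    never reached that state are left out, not counted as zero."""
    per_rule = {}
    for n in notables:
        hits = [t for t, status in n["reviews"] if reached(status)]
        if hits and n["created"] >= now - window:
            secs = (min(hits) - n["created"]).total_seconds()
            per_rule.setdefault(n["rule_name"], []).append(secs)
    return {rule: mean(v) for rule, v in per_rule.items()}

def mean_time_to_triage(notables, window=timedelta(days=14)):
    # Triage is taken to be the first review action of any kind after creation.
    return mean_time_to(notables, lambda status: True, window)

def mean_time_to_closure(notables, window=timedelta(days=60)):
    return mean_time_to(notables, lambda status: status == "closed", window)

def notables_by_status(notables, window=timedelta(hours=48), now=NOW):
    """Count events created within window by latest status. Unreviewed events are
    reported as 'new': the backlog that the mean-time metrics above exclude."""
    counts = {}
    for n in notables:
        if n["created"] >= now - window:
            latest = max(n["reviews"], key=lambda r: r[0])[1] if n["reviews"] else "new"
            counts[latest] = counts.get(latest, 0) + 1
    return counts
```

Read the two views together: a low mean time to triage over few samples says nothing about events that were never triaged, which only the status breakdown shows.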

Suppression Audit

The Suppression Audit dashboard provides an overview of notable event suppression activity. This dashboard shows how many events are being suppressed, and by whom.

The metrics on this dashboard allow security managers to review the activities of analysts, which is useful for tuning correlation searches. You can identify correlation search rules that are generating more events than your analysts are capable of looking at, and tune them accordingly.

Panel | Description
Suppressed Events Over Time - Last 24 Hours | Displays notable events suppressed in the last 24 hours.
Suppression History Over Time - Last 30 Days | Displays the history of suppressed notable events.
Suppression Management Activity | Displays suppression management activity for the time period.
Expired Suppressions | Displays expired suppressions.

Data sources

The reports in the Suppression Audit dashboard reference events in the Notable index.

Per-Panel Filter Audit

The Per-Panel Filter Audit dashboard provides information about the filters currently in use in your deployment.

The following table describes the panels for this dashboard.

Panel | Description
Per-Panel By Reviewer | Displays the count of updates to per-panel filters by user.
Top Users | Shows users, a sparkline for trends, the number of views, and the first and last time viewed.
Recent Filter Activity | Displays filter activity by time, user, action, and filename.

ES Configuration Health

Use the ES Configuration Health dashboard to compare the latest installed version of the application to prior releases and identify configuration anomalies. The dashboard does not report changes to a TA or add-ons. Select the previous version of Enterprise Security installed in your environment using the Previous ES Version filter. You can use this dashboard with PCI by selecting the version of ES that has the same framework components. For example, the 3.4.x version of PCI contains framework components from the 4.7.x version of Enterprise Security.

Mode | Description
Unshipped | The Unshipped setting compares the latest installed version of Enterprise Security with the content in the ES installation package. Any item that was not provided as part of the Enterprise Security installation, such as files or scripts used for customization, is labeled as an Unshipped item. Review Unshipped items to evaluate their use, determine if they are still needed, and reconcile if necessary. The Unshipped setting ignores the Previous ES Version filter.
Removed Stanzas | The Removed Stanzas setting compares the latest installed version of Enterprise Security with the version that you select in the filter. Removed Stanzas are configuration stanzas that changed between versions, such as a deprecated threat list or input. Review Removed Stanzas to evaluate their use, determine if they are still needed, and reconcile if necessary.
Local Overrides | The Local Overrides setting compares the installed version of Enterprise Security with the version that you select in the filter. A setting that conflicts with or overrides the installed version of Enterprise Security is labeled as a Local Override. Review any Local Override settings to evaluate their use, determine if they are still needed, and reconcile if necessary.

Data Model Audit

The Data Model Audit dashboard displays information about the state of data model accelerations in your environment.

Panel | Description
Top Accelerations By Size | Displays the accelerated data models sorted in descending order by MB on disk.
Top Accelerations By Run Duration | Displays the accelerated data models sorted in descending order by the time spent on running acceleration tasks.
Accelerations Details | Displays a table of the accelerated data models with additional information.

Data sources

The reports in the Data Model Audit dashboard reference fields in the Splunk Audit data model. For a list of data model objects and constraints, see Splunk Audit Logs in the Common Information Model Add-on Manual.

Forwarder Audit

The Forwarder Audit dashboard reports on hosts forwarding data to Splunk Enterprise.

Use the search filters and time range selector to focus on groups of forwarders, or an individual forwarder.

Filter by | Description | Action
Show only expected hosts | An expected host is a host defined by the field is_expected in the Asset table. | Drop-down, select to filter by
Host | Filter by the host field in the Asset table. | Text field. Wildcard with an asterisk (*)
Business Unit | Filter by the business unit bunit field in the Asset table. | Text field. Wildcard with an asterisk (*)
Category | Filter by the category field in the Asset table. | Drop-down, select to filter by

Panel | Description
Event Count Over Time By Host | Displays the number of events reported over the time period selected in the filter. The events are split by host.
Hosts By Last Report Time | Displays a list of hosts, ordered by the last time they reported an event.
Splunkd Process Utilization | Displays the resource utilization of the forwarder's Splunk daemon splunkd.
Splunk Service Start Mode | Displays the host names that are forwarding events, but are not configured to have splunkd start on boot.

Data sources

Relevant data sources for the Forwarder Audit dashboard include data from all forwarders in your Splunk environment and the Application_State data model. See the Common Information Model Add-on Manual for more information. The Common Information Model fields bunit and category are derived by automatic identity lookup and do not need to be mapped directly.

Indexing Audit

The Indexing Audit dashboard is designed to help administrators estimate the volume of event data being indexed by Splunk Enterprise. The dashboard uses EPD (Events Per Day) as a metric to track the event volume per index and the rate of change in the total event counts per index over time. EPD applies only to event counts and is unrelated to the Volume Per Day metric used for licensing.

Panel | Description
Key Indicators | The key indicators on this dashboard are scoped to All Time, not the Last 24 hours.
Events Per Day Over Time | Displays a column chart representing the event counts per day.
Events Per Day | Displays a table representing event counts per day and the average EPS (events per second).
Events Per Index (Last Day) | Displays a table of event counts per index for the last day.

Data sources

The reports in the Indexing Audit dashboard reference data generated by the Audit - Events Per Day - Lookup Gen saved search and stored in a KV store collection.

Search Audit

The Search Audit dashboard provides information about the searches being executed in Splunk Enterprise. This dashboard is useful for identifying long running searches and tracking search activity by user.

Panel | Description
Searches Over Time by Type | Shows the number of searches executed over time by type, such as ad-hoc, scheduled, or real-time. Helps determine whether Splunk performance is being affected by excessive numbers of searches.
Searches Over Time by User | Shows the number of searches executed by each user. Helps determine when a particular user is executing an excessive number of searches. The splunk-system-user is the name of the account used to execute scheduled searches in Splunk Enterprise.
Top Searches by Run Time | Lists the most expensive searches in terms of duration. Helps to identify specific searches that may be adversely affecting Splunk performance.

Data sources

The reports in the Search Audit dashboard reference scheduled search auditing events from the audit index.

View Audit

The View Audit dashboard reports on the most active views in Enterprise Security. View Audit enables tracking of views that are being accessed on a daily basis and helps to identify any errors triggered when users review dashboard panels.

Panel | Description
View Activity Over Time | Displays the Enterprise Security views that have the greatest access counts over time. The drilldown opens a search view of all page activity for the time selected.
Expected View Activity | Lists the views set up in the Expected View list. Review these views on a daily basis for your deployment. Select a dashboard to see details in the Expected View Scorecard panel below.
Web Service Errors | Displays errors that occurred while loading the web interface. Helps identify custom views that contain errors or an underlying issue that needs to be escalated to Splunk.

Use Configure > Lists and Lookups > Expected Views to set up the Expected View list.

Data sources

The reports in the View Audit dashboard reference fields in the Splunk Audit data model. For a list of data model objects and constraints, see Splunk Audit Logs in the Common Information Model Add-on Manual.

Data Protection

The Data Protection dashboard reports on the status of the data integrity controls.

Panel | Description
Data Integrity Control By Index | Displays a view of all indexes with data protection enabled, sorted by search peer. For more information on configuring and validating data integrity, see Manage data integrity in the Securing Splunk Enterprise Manual.
Sensitive Data | Displays the count of events with sensitive data. This panel requires enabling the Personally Identifiable Information Detected correlation search.
Last modified on 26 January, 2018

This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.4.0, 3.4.1, 3.4.2, 3.5.0, 3.6.0, 3.6.1, 3.7.0, 3.7.1, 3.7.2, 3.8.0, 3.8.1, 4.0.0, 4.0.1, 4.1.0, 4.1.1, 4.3.0, 4.4.0, 4.4.1, 4.5.0 Cloud only, 4.6.0, 4.6.2
