Splunk® App for PCI Compliance

Installation and Configuration Manual

Download manual as PDF

Download topic as PDF

Configure assets

The asset list provides external information about the devices on your system, such as the asset priority, owner, and business unit. It also provides the geographic location of the asset and the DNS and Windows machine name of the asset. You can search on any of these fields from the asset list and use them while you are investigating events.

When an event contains a field that PCI Compliance identifies as belonging to a host or device, Splunk App for PCI Compliance looks up the device in the asset list and generates new fields that contain the information from the asset list. The asset information provides PCI Compliance with contextual information about the systems involved in an event or related to a notable event that can allow a security analyst or incident investigator to identify additional asset information such as asset priority, categories, business unit, owner, and other information.

Maintain the asset list to allow assets to be correlated with events. See Asset and Identity Correlation in the User Manual.

Add asset data to the asset list

  1. Collect data. See Example methods of adding asset and identity data to the Splunk App for PCI Compliance.
  2. Format asset data as a lookup.
  3. Configure a new asset list.
  4. Set up asset categories.
  5. Verify that your asset data was added to the Splunk App for PCI Compliance.

Format asset data as a lookup

Create a plain text, CSV-formatted file with Unix line endings. Use the correct headers for the CSV file. For an example asset list, review the demo_identities.csv file in SA-IdentityManagement/package/lookups. If you use a custom search to generate a lookup, make sure that the lookup produced by the search results contains fields that match the headers.

Asset fields

The first line of the assets.csv file lists the asset fields used by the Splunk App for PCI Compliance:

ip,mac,nt_host,dns,owner,priority,lat,long,city,country,bunit,category,pci_domain,is_expected,should_timesync,should_update,requires_av

This table describes the necessary fields for an asset list.

Field Description Example
ip IP address (can be a range). Example: 2.0.0.0/8, 1.2.3.4, 192.168.15.9-192.169.15.27
mac The MAC address of the host (can be a range). Example: 00:25:bc:42:f4:60, 00:25:bc:42:f4:60-00:25:bc:42:f4:6F
nt_host The Windows machine name of the host. Example: ACMEapp
dns The DNS name of the host. Example: corp1.acmetech.com
owner The name of the user who owns or uses the host. Example: john.doe
priority The priority of the host. Must be either unknown, informational, low, medium, high, or critical. Example: Must be one of unknown, informational, low, medium, high, or critical
lat The latitude of the asset. Example: 41.040855
long The longitude of the asset. Example: 28.986183
city The city in which the asset is located. Example: Chicago
country The country in which the asset is located. Example: USA
bunit The business unit of the asset. Example: EMEA
category One or more categories for the asset. To specify multiple categories for an asset, use a vertical bar. To use this field, set up the categories lookup. See Set up asset categories. Example: pci, cardholder, pci|cardholder
pci_domain The domain of the host as it pertains to PCI. The domain is used to identify instances where cardholder data may pass to Internet-facing devices, such as for PCI requirement 1.3.3. Example: Must be one of trust, trust|wireless, trust|cardholder, trust|dmz, untrust
If left blank, defaults to untrust.
is_expected Indicates whether events from this asset should always be expected. If set to true, an alert triggers when this asset quits reporting events. Example: true (leave blank to indicate "false")
should_timesync Indicates whether this asset must be monitored for time-syncing events. If true, an alert is triggered if the host has not performed a time-sync event (such as a NTP request). Example: true (leave blank to indicate "false")
should_update Indicates whether this asset must be monitored for system update events. If true, an alert is triggered if the host does not seem to be performing system updates. Example: true (leave blank to indicate "false")
requires_av Indicates whether the asset requires anti-virus software to be installed. Example: true or false

Configure a new asset list

Configure a new asset list as a lookup in the Splunk App for PCI Compliance. This process creates the lookup in the Splunk App for PCI Compliance and defines the lookup for the merge process. If you want, you can maintain a lookup file manually. See Manually add new asset or identity data.

Prerequisites The lookup file must be a plain text, CSV-format file with Unix line endings and include a .csv filename extension.

Add the new lookup table file.

  1. From the Splunk menu bar, select Settings > Lookups > Lookup table files.
  2. Click New.
  3. Select a Destination App of SA-IdentityManagement.
  4. Select the lookup file to upload.
  5. Type the Destination filename that the lookup table file should have on the search head. The name should include the file name extension.
    For example, network_assets_from_CMDB.csv
  6. Click Save to save the lookup table file and return to the list of lookup table files.

Set permissions on the lookup table file to share it with the Splunk App for PCI Compliance.

  1. From Lookup table files, locate the new lookup table file and select Permissions.
  2. Set Object should appear in to All apps.
  3. Set Read access for Everyone.
  4. Set Write access for admin or other roles.
  5. Click Save.

Add a new lookup definition.

  1. From the Splunk menu bar, select Settings > Lookups > Lookup definitions.
  2. Click New.
  3. Select a Destination App of SA-IdentityManagement.
  4. Type a name for the lookup source. This name must match the name defined later in the input stanza definition on the Identity Management dashboard.
    For example, network_assets_from_CMDB.
  5. Select a Type of File based.
  6. Select the lookup table file created.
    For example, select network_assets_from_CMDB.csv.
  7. Click Save.

Set permissions on the lookup definition to share it with the Splunk App for PCI Compliance.

  1. From Lookup definitions, locate the new lookup definition and select Permissions.
  2. Set Object should appear in to All apps.
  3. Set Read access for Everyone.
  4. Set Write access for admin or other roles.
  5. Click Save.

Add an input stanza for the lookup source.

  1. Return to the Splunk App for PCI Compliance.
  2. From the Splunk App for PCI Compliance menu bar, select Configure > Data Enrichment > Identity Management.
  3. Click New.
  4. Type the name of the lookup.
    For example, network_assets_from_CMDB.
  5. Type a Category to describe the new asset or identity list.
    For example, CMDB_network_assets.
  6. Type a Description of the contents of the list.
    For example, network assets from the CMDB.
  7. Type asset or identity to define the type of list.
    For example, asset.
  8. Type a Source that refers to the lookup definition name.
    For example, lookup://network_assets_from_CMDB.

Set up asset categories

The category list specifies a list of categories that can be used for the category field in the asset list. The relationship between the pci_domain field and the category field is the single most important factor in determining asset management and PCI compliance in a cardholder data environment. The PCI compliance analyst needs a list of all assets that reside in a trusted zone, to monitor and report on these assets as a group and tell them apart from any assets that are not in a trusted zone.

The asset table fields category and pci_domain can be used to determine your PCI compliance scoping for assets.

  • Use the category field to distinguish assets relevant for PCI compliance from other assets.
  • Use the pci_domain field to identify the PCI domain-relevant details about PCI compliance assets.
Asset table field Valid values Description
pci_domain wireless, trust, untrust, cardholder, dmz Separate valid values with a pipe if multiple values apply to a single asset. For example, trust|dmz. If left blank, defaults to untrust.
category cardholder, pci Separate valid values with a pipe if multiple values apply to a single asset. Use cardholder to define the cardholder data environment for PCI compliance. For example, people, processes, and technology that store, process, or transmit cardholder data or sensitive authentication data. Use pci to identify a network component, server, or application included in or connected to the cardholder data environment.

See Format asset data as a lookup on this page.

Verify that your asset data was added to the Splunk App for PCI Compliance

Check the Asset Center dashboard.

PREVIOUS
Steps to configure the Splunk App for PCI Compliance
  NEXT
Configure identities

This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.5.0, 3.6.0, 3.6.1, 3.7.0, 3.7.1, 3.7.2, 3.8.0


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters