Splunk® App for PCI Compliance

Installation and Configuration Manual

Download manual as PDF

This documentation does not apply to the most recent version of PCI. Click here for the latest version.
Download topic as PDF

Configure identities

Set up the identity list to enrich the data in the Splunk App for PCI Compliance. The identity list provides information about the users in your cardholder data environment, such as the user name, first and last name, and email address. Some of these fields, such as priority, watchlist, and endDate are used for dashboard charts and to calculate the urgency of notable events associated with identities. Other fields, such as "business unit" and "category", are used by the filters at the top of the dashboards. You can search on any of these fields from the identity list and use them while investigating events.

When an event contains a field that the Splunk App for PCI Compliance identifies as belonging to a specific identity, the app looks up the identity in the identities list and generates new fields that contain the information from the identities list. The identity information provides the app with contextual information about the identities involved in an event or related to a notable event that can allow a PCI compliance analyst or incident investigator to identify additional identity information such as priority, categories, business unit, watchlist, and other information.

Maintain the identity list to allow identities to be correlated with events. See Asset and Identity Correlation in the User Manual.

Add identity data to the identity list

  1. Collect data. See Example methods of adding asset and identity data to the Splunk App for PCI Compliance.
  2. Format identity data as a lookup.
  3. Configure a new identity list.
  4. Set up identity categories.
  5. Verify that your identity data was added to the Splunk App for PCI Compliance.

Format identity data as a lookup

Create a plain text, CSV-formatted file with Unix line endings. Use the correct headers for the CSV file. For an example identity list, review the demo_identities.csv file in SA-IdentityManagement/package/lookups. If you use a custom search to generate a lookup, make sure that the lookup produced by the search results contains fields that match the headers.

Identity fields

The first line of the identities.csv file lists all the identities fields:

identity,prefix,nick,first,last,suffix,email,phone,phone2,managedBy,priority,bunit,category,watchlist,startDate,endDate,work_city,work_country,work_lat,work_long  

The table describes the identity fields.

Field Description Examples
identity (key) Pipe-delimited list of usernames representing the identity. Mr. Tim, manager | admin
prefix Prefix of the identity name. Mr., Mrs., Ms., Dr.
nick Nickname of the identity. Bobby, Spud, Dr. Z
first First name of the identity. Gordon
last Last name of the identity. Tristler
suffix Suffix of the identity name. Jr., Esq., M.D.
email Email address of the identity. accounting@acmetech.com, gntrisler@acmetech.com
phone Phone number for the identity. +1 (800)555-8924
phone2 Secondary phone number for the identity. +1 (800)555-8924
managedBy Username representing manager of the identity. lietzow.tim, a.koski
priority Priority of the identity. Value can be "low," "medium," "high," or "critical".
For example, CEO would be "critical"
bunit Business unit associated with identity emea, americas.
category Category of the identity. Can be a pipe-delimited list intern, officer, pip, pci | ES, BD | PS
watchlist Is the identity on a watch list? Value can be "true" or "false
startDate Start/Hire date of the identity. 3/29/88 5:15
endDate End/Termination date of the identity. 7/12/08 19:49
work_city The primary work site city for an identity.
work_country The primary work site country for an identity.
work_lat The latitude of primary work site city in decimal degrees with compass direction. 37.78N
work_long The longitude of primary work site city in decimal degrees with compass direction. 122.41W

Configure a new identity list

Configure a new identity list as a lookup in the Splunk App for PCI Compliance. This process creates the lookup in the Splunk App for PCI Compliance and defines the lookup for the merge process. If you want, you can maintain a lookup file manually. See Manually add new asset or identity data.

Prerequisites The lookup file must be a plain text, CSV-format file with Unix line endings and include a .csv filename extension.

Add the new lookup table file.

  1. From the Splunk menu bar, select Settings > Lookups > Lookup table files.
  2. Click New.
  3. Select a Destination App of SA-IdentityManagement.
  4. Select the lookup file to upload.
  5. Type the Destination filename that the lookup table file should have on the search head. The name should include the filename extension.
    For example, identities_from_DB.csv
  6. Click Save to save the lookup table file and return to the list of lookup table files.

Set permissions on the lookup table file to share it with the Splunk App for PCI Compliance.

  1. From Lookup table files, locate the new lookup table file and select Permissions.
  2. Set Object should appear in to All apps.
  3. Set Read access for Everyone.
  4. Set Write access for admin or other roles.
  5. Click Save.

Add a new lookup definition.

  1. From the Splunk menu bar, select Settings > Lookups > Lookup definitions.
  2. Click New.
  3. Select a Destination App of SA-IdentityManagement.
  4. Type a name for the lookup source. This name must match the name defined later in the input stanza definition on the Identity Management dashboard.
    For example, identities_from_DB.
  5. Select a Type of File based.
  6. Select the lookup table file created.
    For example, select identities_from_DB.csv.
  7. Click Save.

Set permissions on the lookup definition to share it with the Splunk App for PCI Compliance.

  1. From Lookup definitions, locate the new lookup definition and select Permissions.
  2. Set Object should appear in to All apps.
  3. Set Read access for Everyone.
  4. Set Write access for admin or other roles.
  5. Click Save.

Add an input stanza for the lookup source.

  1. Return to the Splunk App for PCI Compliance.
  2. From the Splunk App for PCI Compliance menu bar, select Configure > Data Enrichment > Identity Management.
  3. Click New.
  4. Type the name of the lookup.
    For example, identities_from_DB.
  5. Type a Category to describe the new asset or identity list.
    For example, CMDB_network_assets.
  6. Type a Description of the contents of the list.
    For example, network assets from the CMDB.
  7. Type asset or identity to define the type of list.
    For example, asset.
  8. Type a Source that refers to the lookup definition name.
    For example, lookup://identities_from_DB.

Set up identity categories

The category list specifies a list of categories that you can use for the category field in the identities list. The category list can be any set of categories you choose. Common examples are compliance and security standards, such as PCI, governing the identities, or functional categories such as officer, pci-analyst, and others. Assign user categories to identities to further enrich your data.

These user categories are available in the Splunk App for PCI Compliance.

Category Description
cardholder cardholder user
contractor contractor user
default default user
intern temporary intern user
officer user who is an officer of the company
pci PCI analyst or PCI compliance manager
privileged user with additional privileges
sox Sarbanes–Oxley user

You can edit this list by navigating to Configure > Content Management and selecting the Categories lookup.

Verify that your identity data was added to the Splunk App for PCI Compliance

Check the Identity Center dashboard.

PREVIOUS
Configure assets
  NEXT
Modify asset and identity lookups in the Splunk App for PCI Compliance

This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.5.0, 3.6.0, 3.6.1, 3.7.0, 3.7.1, 3.7.2, 3.8.0, 3.8.1


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters