Using technology add-ons with the Splunk App for PCI Compliance
This topic provides instruction on using predefined technology add-on feeds to gather data from common compliance data sources.
Normalize data at search time
To derive information from the types of data monitored in your cardholder data environment, Splunk platform parses, indexes, and normalizes data so that it can be used by apps in searches, views, and reports. The data is normalized by tagging it.
For example, one firewall add-on might report an incident as a "failed attempt" while another one might report an incident as "unsuccessful". When the data is normalized, it is mapped to a field in the common information model, such as "failed". The "failed" field can be used as part of searches, filters, views, reports, and so on. Additional tagging and search-time information, such as correlating asset information with events, is provided by technology add-ons.
Technology add-ons and data inputs
The Splunk App for PCI Compliance data inputs are closely connected with technology add-ons, mapping data for use in the app. Manage apps to configure or add technology add-ons to your configuration.
- Select Apps > Manage Apps.
- Click Edit properties for the app you want to configure.
- Configure the app and click Save.
You can also select one of the other available options to find more apps or install an app from a file.
For each data source:
- Identify the technology add-on: Identify the technology and determine the corresponding technology add-on. If the Splunk App for PCI Compliance does not ship with default support for your type of data or data source, you might be able to find an add-on on Splunkbase. You can also create your own add-ons.
- Customize the technology add-on where necessary: Each technology add-on provided with the Splunk App for PCI Compliance comes with a README file, located in the root of the add-on folder in
$SPLUNK_HOME/etc/apps. The README details any changes you need to make to the add-on to configure it for your deployment. For example, you might need to specify the location or source of the data, choose whether the data is located in a file or in a database, and so on.
- Install the technology add-on: You must install the technology add-on on each search head that handles the data. You must also install technology add-ons that perform index-time processing on each indexer and forwarder. If technology add-ons exist as part of a Splunk Enterprise Security installation on the same search head, they are shared with the Splunk App for PCI Compliance.
- Configure the server, device, or technology where necessary: In some cases, you might need to enable logging or data collection for the device or application and/or configure the output for collection by Splunk software. Consult the documentation for that technology for details.
- Set up a Splunk data input and set the source type where necessary: The Splunk App for PCI Compliance supports all Splunk data input methods, including network inputs, file monitoring, and scripted inputs. The README file in the technology add-on directory describes which input types are supported for this particular technology. The README file also includes the source type associated with the data and tells you whether or not you need to explicitly specify the source type when you set up the data input.
Data management overview
This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.4.0, 3.4.1, 3.4.2, 3.5.0, 3.6.0, 3.6.1, 3.7.0, 3.7.1, 3.7.2, 3.8.0, 3.8.1, 4.0.0