Splunk® App for PCI Compliance

Installation and Configuration Manual


Example methods of adding asset and identity data to the Splunk App for PCI Compliance

These example methods cover some common ways to add asset and identity data to the Splunk App for PCI Compliance. You can work with Splunk Professional Services to find the best solution for your environment.

Collect and extract asset and identity data

Collect and extract your asset and identity data in order to add it to the Splunk App for PCI Compliance. In a Splunk Cloud deployment, work with Splunk Professional Services to design and implement an asset and identity collection solution.

Determine where the asset and identity data in your environment is stored, then collect and update that data automatically. Automated collection reduces the overhead and maintenance that manual updating requires and improves data integrity.

  • Use Splunk DB Connect or another Splunk platform add-on to connect to an external database or repository.
  • Use scripted inputs to import and format the lists.
  • Use events indexed in the Splunk platform with a search to collect, sort, and export the data to a list.

Suggested collection methods for assets and identities:

Technology                     Asset or Identity data   Collection methods
Active Directory               Both                     SA-ldapsearch and a custom search.
LDAP                           Both                     SA-ldapsearch and a custom search.
CMDB                           Asset                    DB Connect and a custom search.
ServiceNow                     Both                     Splunk Add-on for ServiceNow
Asset Discovery                Asset                    Asset Discovery App
Bit9                           Asset                    Splunk Add-on for Bit9 and a custom search.
Cisco ISE                      Both                     Splunk Add-on for Cisco ISE and a custom search.
Microsoft SCOM                 Asset                    Splunk Add-on for Microsoft SCOM and a custom search.
Okta                           Identity                 Splunk Add-on for Okta and a custom search.
Sophos                         Asset                    Splunk Add-on for Sophos and a custom search.
Symantec Endpoint Protection   Asset                    Splunk Add-on for Symantec Endpoint Protection and a custom search.

Add asset data from indexed events in Splunk platform

Identify hosts that appear in indexed events but are not yet associated with existing asset data, and add those hosts to your asset lookup.

Use this example search to compare the hosts sending data to the Splunk platform against the existing asset information and review the resulting table of unmatched hosts. You can then export the table as an asset list.

| `host_eventcount`
| search host_is_expected=false NOT host_asset_id=*
| fields - firstTime,recentTime,lastTime,_time,host_owner_*,host_asset_tag,host_asset_id
| sort -totalCount,dayDiff
| table host,ip,mac,nt_host,dns,owner,priority,lat,long,city,country,bunit,category,pci_domain,is_expected,should_timesync,should_update,requires_av
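The same comparison can be done outside of search, for example in a scripted input (see the collection methods above) that matches observed hosts against the existing asset lookup and emits any unmatched hosts in the asset-lookup column layout. The script below is an added example and is not part of the Splunk App for PCI Compliance; the sample lookup rows and observed hosts are constructed, and the default values chosen for priority and pci_domain are assumptions for an analyst to review.

```python
import csv
import io
import ipaddress
# Column layout of the asset lookup, taken from the table command on this page.
ASSET_FIELDS = ("ip,mac,nt_host,dns,owner,priority,lat,long,city,country,bunit,category,"
                "pci_domain,is_expected,should_timesync,should_update,requires_av").split(",")

# Constructed sample slice of an existing static_assets lookup (ip may be a CIDR).
EXISTING_ASSETS_CSV = ",".join(ASSET_FIELDS) + """
10.10.1.0/24,,,,netops,medium,,,,,,cardholder,cardholder,true,true,true,true
,,PAYGW01,paygw01.example.internal,payments,high,,,,,,pci,cardholder,true,true,true,true
"""

# Constructed sample of hosts seen in indexed events, with the identifying fields the events carried.
OBSERVED_HOSTS = [
    {"host": "paygw01", "ip": "10.10.2.17", "nt_host": "PAYGW01", "dns": "paygw01.example.internal"},
    {"host": "10.10.1.44", "ip": "10.10.1.44", "nt_host": "", "dns": ""},
    {"host": "build-agent-7", "ip": "10.20.5.9", "nt_host": "BUILD-AGENT-7", "dns": ""},
]

def matches_asset(observed, asset):
    """Match on nt_host or dns (case-insensitive), else on ip against a host address or CIDR."""
    for key in ("nt_host", "dns"):
        if observed.get(key) and asset.get(key) and observed[key].lower() == asset[key].lower():
            return True
    if observed.get("ip") and asset.get("ip"):
        try:
            return ipaddress.ip_address(observed["ip"]) in ipaddress.ip_network(asset["ip"], strict=False)
        except ValueError:  # malformed address on either side counts as no match
            return False
    return False

def unmatched_hosts(observed_hosts, assets_csv):
    """Return the observed hosts that no row of the asset lookup CSV accounts for."""
    assets = list(csv.DictReader(io.StringIO(assets_csv)))
    return [h for h in observed_hosts if not any(matches_asset(h, a) for a in assets)]

def to_asset_csv(hosts, pci_domain=""):
    """Render hosts as asset-lookup rows with conservative defaults (assumed) for analyst review."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=ASSET_FIELDS, lineterminator="\n")
    writer.writeheader()
    for h in hosts:
        row = dict.fromkeys(ASSET_FIELDS, "")
        row.update(ip=h.get("ip", ""), nt_host=h.get("nt_host", ""), dns=h.get("dns", ""),
                   priority="unknown", pci_domain=pci_domain, is_expected="false",
                   should_timesync="false", should_update="false", requires_av="false")
        writer.writerow(row)
    return buf.getvalue()
```

Only the build agent is emitted: the payment gateway matches on nt_host and the second host falls inside the 10.10.1.0/24 subnet row, so the output CSV can be reviewed and then merged into the lookup.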

Manually add new asset or identity data

Manually add new asset or identity data to the Splunk App for PCI Compliance by editing the static_assets and static_identities lists. For example, add internal subnets, IP addresses that should be whitelisted, and other static asset and identity data.

  1. From the Splunk App for PCI Compliance menu bar, select Configure > Content Management.
  2. Locate the Assets list or the Identities list and click to edit.
  3. Use the scroll bars to view the columns and rows in the table. Double-click in a cell to add, change, or remove content.
  4. Click Save.
Last modified on 23 September, 2019

This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.5.0, 3.6.0, 3.6.1, 3.7.0, 3.7.1, 3.7.2, 3.8.0, 3.8.1
