Configure assets
The asset list provides external information about the devices on your system, such as the asset priority, owner, and business unit. It also provides the geographic location of the asset and the DNS and Windows machine name of the asset. You can search on any of these fields from the asset list and use them while you are investigating events.
When an event contains a field that PCI Compliance identifies as belonging to a host or device, Splunk App for PCI Compliance looks up the device in the asset list and generates new fields that contain the information from the asset list. The asset information provides PCI Compliance with contextual information about the systems involved in an event or related to a notable event that can allow a security analyst or incident investigator to identify additional asset information such as asset priority, categories, business unit, owner, and other information.
Maintain the asset list to allow assets to be correlated with events. See Asset and Identity Correlation in the User Manual.
Add asset data to the asset list
- Collect data. See Example methods of adding asset and identity data to the Splunk App for PCI Compliance.
- Format asset data as a lookup.
- Configure a new asset list.
- Set up asset categories.
- Verify that your asset data was added to the Splunk App for PCI Compliance.
Format asset data as a lookup
Create a plain text, CSV-formatted file with Unix line endings. Use the correct headers for the CSV file. For an example asset list, review the demo_identities.csv file in SA-IdentityManagement/package/lookups. If you use a custom search to generate a lookup, make sure that the lookup produced by the search results contains fields that match the headers.
Asset fields
The first line of the assets.csv file lists the asset fields used by the Splunk App for PCI Compliance:
ip,mac,nt_host,dns,owner,priority,lat,long,city,country,bunit,category,pci_domain,is_expected,should_timesync,should_update,requires_av
This table describes the necessary fields for an asset list.
Field | Description | Example |
---|---|---|
ip | IP address (can be a range). | 2.0.0.0/8, 1.2.3.4, 192.168.15.9-192.169.15.27 |
mac | The MAC address of the host (can be a range). | 00:25:bc:42:f4:60, 00:25:bc:42:f4:60-00:25:bc:42:f4:6F |
nt_host | The Windows machine name of the host. | ACMEapp |
dns | The DNS name of the host. | corp1.acmetech.com |
owner | The name of the user who owns or uses the host. | john.doe |
priority | The priority of the host. Must be one of unknown, informational, low, medium, high, or critical. | One of unknown, informational, low, medium, high, or critical |
lat | The latitude of the asset. | 41.040855 |
long | The longitude of the asset. | 28.986183 |
city | The city in which the asset is located. | Chicago |
country | The country in which the asset is located. | USA |
bunit | The business unit of the asset. | EMEA |
category | One or more categories for the asset. To specify multiple categories for an asset, separate them with a vertical bar. To use this field, set up the categories lookup. See Set up asset categories. | pci, cardholder, pci\|cardholder |
pci_domain | The domain of the host as it pertains to PCI. The domain is used to identify instances where cardholder data may pass to Internet-facing devices, such as for PCI requirement 1.3.3. | Must be one of trust, trust\|wireless, trust\|cardholder, trust\|dmz, untrust. If left blank, defaults to untrust. |
is_expected | Indicates whether events from this asset should always be expected. If set to true, an alert triggers when this asset stops reporting events. | true (leave blank to indicate "false") |
should_timesync | Indicates whether this asset must be monitored for time-syncing events. If true, an alert is triggered if the host has not performed a time-sync event (such as an NTP request). | true (leave blank to indicate "false") |
should_update | Indicates whether this asset must be monitored for system update events. If true, an alert is triggered if the host does not seem to be performing system updates. | true (leave blank to indicate "false") |
requires_av | Indicates whether the asset requires anti-virus software to be installed. | true or false |
Configure a new asset list
Configure a new asset list as a lookup in the Splunk App for PCI Compliance. This process creates the lookup in the Splunk App for PCI Compliance and defines the lookup for the merge process. If you want, you can maintain a lookup file manually. See Manually add new asset or identity data.
Prerequisites
The lookup file must be a plain text, CSV-format file with Unix line endings and include a .csv filename extension.
Add the new lookup table file.
- From the Splunk menu bar, select Settings > Lookups > Lookup table files.
- Click New.
- Select a Destination App of SA-IdentityManagement.
- Select the lookup file to upload.
- Type the Destination filename that the lookup table file should have on the search head. The name should include the file name extension. For example, network_assets_from_CMDB.csv.
- Click Save to save the lookup table file and return to the list of lookup table files.
Set permissions on the lookup table file to share it with the Splunk App for PCI Compliance.
- From Lookup table files, locate the new lookup table file and select Permissions.
- Set Object should appear in to All apps.
- Set Read access for Everyone.
- Set Write access for admin or other roles.
- Click Save.
Add a new lookup definition.
- From the Splunk menu bar, select Settings > Lookups > Lookup definitions.
- Click New.
- Select a Destination App of SA-IdentityManagement.
- Type a name for the lookup source. This name must match the name defined later in the input stanza definition on the Identity Management dashboard. For example, network_assets_from_CMDB.
- Select a Type of File based.
- Select the lookup table file created. For example, select network_assets_from_CMDB.csv.
- Click Save.
Set permissions on the lookup definition to share it with the Splunk App for PCI Compliance.
- From Lookup definitions, locate the new lookup definition and select Permissions.
- Set Object should appear in to All apps.
- Set Read access for Everyone.
- Set Write access for admin or other roles.
- Click Save.
Add an input stanza for the lookup source.
- Return to the Splunk App for PCI Compliance.
- From the Splunk App for PCI Compliance menu bar, select Configure > Data Enrichment > Identity Management.
- Click New.
- Type the name of the lookup. For example, network_assets_from_CMDB.
- Type a Category to describe the new asset or identity list. For example, CMDB_network_assets.
- Type a Description of the contents of the list. For example, network assets from the CMDB.
- Type asset or identity to define the type of list. For example, asset.
- Type a Source that refers to the lookup definition name. For example, lookup://network_assets_from_CMDB.
Set up asset categories
The category list specifies a list of categories that can be used for the category field in the asset list. The relationship between the pci_domain field and the category field is the single most important factor in determining asset management and PCI compliance in a cardholder data environment. The PCI compliance analyst needs a list of all assets that reside in a trusted zone, to monitor and report on these assets as a group and tell them apart from any assets that are not in a trusted zone.
The asset table fields category and pci_domain can be used to determine your PCI compliance scoping for assets.
- Use the category field to distinguish assets relevant for PCI compliance from other assets.
- Use the pci_domain field to identify the PCI domain-relevant details about PCI compliance assets.
Asset table field | Valid values | Description |
---|---|---|
pci_domain | wireless, trust, untrust, cardholder, dmz | Separate valid values with a pipe if multiple values apply to a single asset. For example, trust\|dmz. If left blank, defaults to untrust. |
category | cardholder, pci | Separate valid values with a pipe if multiple values apply to a single asset. Use cardholder to define the cardholder data environment for PCI compliance: the people, processes, and technology that store, process, or transmit cardholder data or sensitive authentication data. Use pci to identify a network component, server, or application included in or connected to the cardholder data environment. |
See Format asset data as a lookup on this page.
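As an added example (not from the Splunk documentation or from the app itself), the Python checker below applies the rules from the asset fields table and the category/pci_domain table on this page to a constructed assets.csv before you upload it: it verifies the header line, IP and MAC ranges, the priority values, pipe-separated category and pci_domain values with the documented untrust default for a blank pci_domain, and the true/blank flags. The function and constant names, and the sample rows, are my own.

```python
import csv, io, ipaddress, re
# Header the page says must be the first line of assets.csv.
ASSET_FIELDS = ("ip,mac,nt_host,dns,owner,priority,lat,long,city,country,bunit,"
                "category,pci_domain,is_expected,should_timesync,should_update,requires_av").split(",")
PRIORITIES = {"unknown", "informational", "low", "medium", "high", "critical"}
PCI_DOMAINS = {"wireless", "trust", "untrust", "cardholder", "dmz"}
CATEGORIES = {"cardholder", "pci"}
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)
# Constructed sample lookup: line 2 is valid; line 3 has a bad priority and requires_av.
SAMPLE = "\n".join([
    ",".join(ASSET_FIELDS),
    "10.0.0.0/8,00:25:bc:42:f4:60,ACMEapp,corp1.acmetech.com,john.doe,high,41.040855,"
    "28.986183,Chicago,USA,EMEA,pci|cardholder,trust|cardholder,true,true,,true",
    "192.168.15.9-192.168.15.27,00:25:bc:42:f4:60-00:25:bc:42:f4:6F,,,,urgent,,,,,,pci,,,,,maybe",
])
def _ip_ok(value):
    # A single address, a CIDR block, or a start-end range of addresses.
    try:
        if "-" in value:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in value.split("-", 1))
            return lo <= hi
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False

def _pipe_ok(value, allowed):
    # Every pipe-separated token must be one of the documented values.
    return all(v.strip() in allowed for v in value.split("|"))
# (field, predicate) pairs from the two tables; blank is accepted where the page allows it.
CHECKS = [
    ("ip", lambda v: not v or _ip_ok(v)),
    ("mac", lambda v: not v or all(MAC_RE.match(m) for m in v.split("-"))),
    ("priority", lambda v: v in PRIORITIES),
    ("category", lambda v: not v or _pipe_ok(v, CATEGORIES)),
    ("pci_domain", lambda v: not v or _pipe_ok(v, PCI_DOMAINS)),
    ("requires_av", lambda v: v in ("true", "false")),
] + [(f, lambda v: v in ("", "true")) for f in ("is_expected", "should_timesync", "should_update")]

def validate_assets(text):
    """Return (normalized rows, error strings) for the text of an asset lookup CSV."""
    rows, errors = [], []
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames != ASSET_FIELDS:
        return rows, ["header does not match the expected asset fields"]
    for n, row in enumerate(reader, start=2):  # line 1 is the header
        r = {k: (v or "").strip() for k, v in row.items()}
        errors += [f"line {n}: bad {f} {r[f]!r}" for f, ok in CHECKS if not ok(r[f])]
        r["pci_domain"] = r["pci_domain"] or "untrust"  # documented default for a blank value
        rows.append(r)
    return rows, errors
```

Run validate_assets on the file contents before uploading it in Settings > Lookups; an empty error list means the header and every checked field follow the rules in the two tables above.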
Verify that your asset data was added to the Splunk App for PCI Compliance
Check the Asset Center dashboard.
This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.5.0, 3.6.0, 3.6.1, 3.7.0, 3.7.1, 3.7.2, 3.8.0, 3.8.1