Configure identities
Set up the identity list to enrich the data in the Splunk App for PCI Compliance. The identity list provides information about the users in your cardholder data environment, such as the user name, first and last name, and email address. Some of these fields, such as priority, watchlist, and endDate, are used in dashboard charts and to calculate the urgency of notable events associated with identities. Other fields, such as "business unit" and "category", are used by the filters at the top of the dashboards. You can search on any of the fields in the identity list and use them while investigating events.
When an event contains a field that the Splunk App for PCI Compliance recognizes as identifying a user, the app looks that value up in the identity list and adds new fields to the event that carry the matching identity information. This context lets a PCI compliance analyst or incident investigator see the priority, categories, business unit, watchlist status, and other attributes of the identities involved in an event or notable event without leaving the investigation.
Maintain the identity list to allow identities to be correlated with events. See Asset and Identity Correlation in the User Manual.
Add identity data to the identity list
- Collect data. See Example methods of adding asset and identity data to the Splunk App for PCI Compliance.
- Format identity data as a lookup.
- Configure a new identity list.
- Set up identity categories.
- Verify that your identity data was added to the Splunk App for PCI Compliance.
Format identity data as a lookup
Create a plain text, CSV-formatted file with Unix line endings. Use the correct headers for the CSV file. For an example identity list, review the demo_identities.csv file in SA-IdentityManagement/package/lookups. If you use a custom search to generate a lookup, make sure that the lookup the search produces contains fields that match these headers.
Identity fields
The first line of the identities.csv file lists all the identity fields:
identity,prefix,nick,first,last,suffix,email,phone,phone2,managedBy,priority,bunit,category,watchlist,startDate,endDate,work_city,work_country,work_lat,work_long
The table describes the identity fields.
Field | Description | Examples |
---|---|---|
identity (key) | Pipe-delimited list of usernames representing the identity. | Mr. Tim, manager \| admin |
prefix | Prefix of the identity name. | Mr., Mrs., Ms., Dr. |
nick | Nickname of the identity. | Bobby, Spud, Dr. Z |
first | First name of the identity. | Gordon |
last | Last name of the identity. | Tristler |
suffix | Suffix of the identity name. | Jr., Esq., M.D. |
email | Email address of the identity. | accounting@acmetech.com, gntrisler@acmetech.com |
phone | Phone number for the identity. | +1 (800)555-8924 |
phone2 | Secondary phone number for the identity. | +1 (800)555-8924 |
managedBy | Username representing the manager of the identity. | lietzow.tim, a.koski |
priority | Priority of the identity. | Value can be "low", "medium", "high", or "critical". For example, a CEO would be "critical". |
bunit | Business unit associated with the identity. | emea, americas |
category | Category of the identity. Can be a pipe-delimited list. | intern, officer, pip, pci \| ES, BD \| PS |
watchlist | Is the identity on a watch list? | Value can be "true" or "false". |
startDate | Start/hire date of the identity. | 3/29/88 5:15 |
endDate | End/termination date of the identity. | 7/12/08 19:49 |
work_city | The primary work site city for an identity. | |
work_country | The primary work site country for an identity. | |
work_lat | The latitude of the primary work site city in decimal degrees with compass direction. | 37.78N |
work_long | The longitude of the primary work site city in decimal degrees with compass direction. | 122.41W |
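The file format above and the correlation described at the top of this page, as an added example (this is not code from the Splunk App for PCI Compliance or SA-IdentityManagement): it writes identity records to a CSV with the exact header and Unix line endings, checks the constraints the table states (allowed priority and watchlist values, the date format of the examples, a non-empty pipe-delimited identity key) and then resolves a username taken from an event against the list, the way the app's correlation does. The sample records are constructed here, the assumption that they came from a directory or HR database export is this example's, lower-casing usernames is this example's choice, and the `<field>_priority`, `<field>_category` style output names are assumed rather than taken from the page; compare them with the fields you actually see on enriched events.

```python
"""Build, validate, and resolve an identity lookup for the Splunk App for PCI
Compliance. Added example, not code from the app; the field list and value
constraints come from the identity fields table on this page."""
import csv
import io
from datetime import datetime

# Header row of identities.csv, in the order the app expects.
IDENTITY_FIELDS = [
    "identity", "prefix", "nick", "first", "last", "suffix", "email", "phone",
    "phone2", "managedBy", "priority", "bunit", "category", "watchlist",
    "startDate", "endDate", "work_city", "work_country", "work_lat", "work_long",
]
PRIORITIES = {"low", "medium", "high", "critical"}
WATCHLIST_VALUES = {"true", "false"}
DATE_FORMAT = "%m/%d/%y %H:%M"  # matches the page's examples, e.g. 3/29/88 5:15

# Constructed sample records (not the app's demo_identities.csv). Keys omitted
# here become empty columns. Assumed to come from a directory or HR export.
SAMPLE_RECORDS = [
    {"identity": "gtristler|gordon.t", "prefix": "Mr.", "first": "Gordon",
     "last": "Tristler", "email": "gntrisler@acmetech.com",
     "phone": "+1 (800)555-8924", "managedBy": "lietzow.tim", "priority": "high",
     "bunit": "americas", "category": "pci|privileged", "watchlist": "false",
     "startDate": "3/29/88 5:15", "work_lat": "37.78N", "work_long": "122.41W"},
    {"identity": "svc_backup", "priority": "critical", "bunit": "emea",
     "category": "privileged", "watchlist": "true",
     "startDate": "7/12/08 19:49", "endDate": "7/12/08 19:49"},
]


def write_identity_csv(records):
    """Serialize records as CSV with the exact header and Unix line endings.
    A record carrying a column that is not an identity field raises ValueError
    (DictWriter's default extrasaction='raise'), which catches schema drift in
    the source export before the file reaches the search head."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=IDENTITY_FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(records)
    return buf.getvalue()


def validate_identity_lookup(text):
    """Return a list of problems; an empty list means the lookup is well formed."""
    problems = []
    if "\r" in text:
        problems.append("file uses CR/CRLF line endings; convert to Unix LF")
    rows = [r for r in csv.reader(io.StringIO(text)) if r]  # skip blank lines
    if not rows or rows[0] != IDENTITY_FIELDS:
        problems.append("header row does not match the identity fields")
        return problems
    for lineno, row in enumerate(rows[1:], start=2):
        if len(row) != len(IDENTITY_FIELDS):
            problems.append(f"line {lineno}: expected {len(IDENTITY_FIELDS)} columns, got {len(row)}")
            continue
        rec = dict(zip(IDENTITY_FIELDS, row))
        if not [u for u in rec["identity"].split("|") if u.strip()]:
            problems.append(f"line {lineno}: identity key has no usernames")
        if rec["priority"] and rec["priority"] not in PRIORITIES:
            problems.append(f"line {lineno}: bad priority {rec['priority']!r}")
        if rec["watchlist"] and rec["watchlist"] not in WATCHLIST_VALUES:
            problems.append(f"line {lineno}: bad watchlist {rec['watchlist']!r}")
        for field in ("startDate", "endDate"):
            if rec[field]:
                try:
                    datetime.strptime(rec[field], DATE_FORMAT)
                except ValueError:
                    problems.append(f"line {lineno}: bad {field} {rec[field]!r}")
    return problems


def build_index(text):
    """Map each username in the pipe-delimited identity key to its record.
    Lower-casing is this example's choice; confirm it matches the case
    handling your deployment uses for identity correlation."""
    index = {}
    for rec in csv.DictReader(io.StringIO(text)):
        for user in rec["identity"].split("|"):
            if user.strip():
                index[user.strip().lower()] = rec
    return index


def enrich(index, event, user_field="user"):
    """Simulate correlation for one event: look up event[user_field] and add
    <user_field>_<attribute> fields. That naming is an assumption of this
    example, and <user_field>_terminated (endDate in the past) is this
    example's own flag, not a field the app is documented to produce."""
    out = dict(event)
    rec = index.get(out.get(user_field, "").strip().lower())
    if rec is None:
        return out  # no identity known for this user: nothing to add
    out[f"{user_field}_priority"] = rec["priority"]
    out[f"{user_field}_bunit"] = rec["bunit"]
    out[f"{user_field}_category"] = [c for c in rec["category"].split("|") if c]
    out[f"{user_field}_watchlist"] = rec["watchlist"] == "true"
    end = rec["endDate"]
    out[f"{user_field}_terminated"] = bool(end) and datetime.strptime(end, DATE_FORMAT) < datetime.now()
    return out


SAMPLE_CSV = write_identity_csv(SAMPLE_RECORDS)

if __name__ == "__main__":
    print(validate_identity_lookup(SAMPLE_CSV))  # [] when the file is well formed
    idx = build_index(SAMPLE_CSV)
    print(enrich(idx, {"user": "GORDON.T", "action": "login"}))
    print(enrich(idx, {"src_user": "svc_backup"}, user_field="src_user"))
```

Run the validator against the file you intend to upload before the lookup table file step; a header that differs from the expected one, or CRLF endings from a Windows export, is the usual reason an uploaded list produces no enrichment.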
Configure a new identity list
Configure a new identity list as a lookup in the Splunk App for PCI Compliance. This process creates the lookup in the Splunk App for PCI Compliance and defines the lookup for the merge process. If you want, you can maintain a lookup file manually. See Manually add new asset or identity data.
Prerequisites
The lookup file must be a plain text, CSV-format file with Unix line endings and include a .csv filename extension.
Add the new lookup table file.
- From the Splunk menu bar, select Settings > Lookups > Lookup table files.
- Click New.
- Select a Destination App of SA-IdentityManagement.
- Select the lookup file to upload.
- Type the Destination filename that the lookup table file should have on the search head. The name should include the filename extension. For example, identities_from_DB.csv.
- Click Save to save the lookup table file and return to the list of lookup table files.
Set permissions on the lookup table file to share it with the Splunk App for PCI Compliance.
- From Lookup table files, locate the new lookup table file and select Permissions.
- Set Object should appear in to All apps.
- Set Read access for Everyone.
- Set Write access for admin or other roles. Limit write access to the roles that actually maintain the list: anyone who can write it can change the priority, watchlist, and category values that drive notable event urgency and dashboard filtering.
- Click Save.
Add a new lookup definition.
- From the Splunk menu bar, select Settings > Lookups > Lookup definitions.
- Click New.
- Select a Destination App of SA-IdentityManagement.
- Type a name for the lookup definition. This name must match the name used later in the input stanza on the Identity Management dashboard. For example, identities_from_DB.
- Select a Type of File based.
- Select the lookup table file you created. For example, select identities_from_DB.csv.
- Click Save.
Set permissions on the lookup definition to share it with the Splunk App for PCI Compliance.
- From Lookup definitions, locate the new lookup definition and select Permissions.
- Set Object should appear in to All apps.
- Set Read access for Everyone.
- Set Write access for admin or other roles.
- Click Save.
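The lookup table file, lookup definition, and permission steps above, expressed as the configuration the UI writes on the search head. This is an added example rather than text from the page: the stanza names follow the page's identities_from_DB example, and the file paths are the standard Splunk app locations, stated here as an assumption about where this deployment keeps SA-IdentityManagement and its local configuration.

```ini
# Uploaded CSV (from "Lookup table files") lands here; copy it in place
# yourself when you are not using the UI:
#   $SPLUNK_HOME/etc/apps/SA-IdentityManagement/lookups/identities_from_DB.csv

# $SPLUNK_HOME/etc/apps/SA-IdentityManagement/local/transforms.conf
# The file-based lookup definition named identities_from_DB.
[identities_from_DB]
filename = identities_from_DB.csv

# $SPLUNK_HOME/etc/apps/SA-IdentityManagement/metadata/local.meta
# "Object should appear in: All apps" is export = system;
# read for Everyone, write restricted to admin.
[lookups/identities_from_DB.csv]
export = system
access = read : [ * ], write : [ admin ]

[transforms/identities_from_DB]
export = system
access = read : [ * ], write : [ admin ]
```

Changes made this way are read when the search head restarts or reloads its configuration, whereas the UI steps apply immediately; keep the write list in local.meta as short as the roles that maintain the identity list, for the same reason given in the permission step above.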
Add an input stanza for the lookup source.
- Return to the Splunk App for PCI Compliance.
- From the Splunk App for PCI Compliance menu bar, select Configure > Data Enrichment > Identity Management.
- Click New.
- Type the name of the lookup. For example, identities_from_DB.
- Type a Category to describe the new list. For example, an asset list from a CMDB might use CMDB_network_assets; label an identity list for its source in the same way.
- Type a Description of the contents of the list. For example, identities from the DB.
- Type asset or identity to define the type of list. For the identity list configured on this page, type identity.
- Type a Source that refers to the lookup definition name. For example, lookup://identities_from_DB.
Set up identity categories
The category list specifies a list of categories that you can use for the category field in the identities list. The category list can be any set of categories you choose. Common examples are compliance and security standards, such as PCI, governing the identities, or functional categories such as officer, pci-analyst, and others. Assign user categories to identities to further enrich your data.
These user categories are available in the Splunk App for PCI Compliance.
Category | Description |
---|---|
cardholder | cardholder user |
contractor | contractor user |
default | default user |
intern | temporary intern user |
officer | user who is an officer of the company |
pci | PCI analyst or PCI compliance manager |
privileged | user with additional privileges |
sox | Sarbanes–Oxley user |
You can edit this list by navigating to Configure > Content Management and selecting the Categories lookup.
Verify that your identity data was added to the Splunk App for PCI Compliance
Check the Identity Center dashboard.
This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.5.0, 3.6.0, 3.6.1, 3.7.0, 3.7.1, 3.7.2, 3.8.0, 3.8.1