Splunk® App for PCI Compliance

Installation and Configuration Manual

This documentation does not apply to the most recent version of Splunk® App for PCI Compliance. For documentation on the most recent version, go to the latest release.

Configure assets

The asset list provides external information about the devices on your system, such as the asset priority, owner, and business unit. It also provides the geographic location of the asset and the DNS and Windows machine name of the asset. You can search on any of these fields from the asset list and use them while you are investigating events.

When an event contains a field that PCI Compliance identifies as belonging to a host or device, Splunk App for PCI Compliance looks up the device in the asset list and generates new fields that contain the information from the asset list. The asset information provides PCI Compliance with contextual information about the systems involved in an event or related to a notable event that can allow a security analyst or incident investigator to identify additional asset information such as asset priority, categories, business unit, owner, and other information.

Maintain the asset list to allow assets to be correlated with events. See Asset and Identity Correlation in the User Manual.

Register asset and identity data

You have choices for registering asset and identity data:

  • Manually register asset and identity data in Asset and Identity Manger
  • Use LDAP to register data in Asset and Identity Manger

See Add asset and identity data to Splunk Enterprise Security in the Splunk Enterprise Security Administer Splunk Enterprise Security guide.

Set up asset categories

After formatting an asset list as a lookup, the following identity categories are specific to PCI. See Format an asset or identity list as a lookup in Splunk Enterprise Security.

The category list specifies a list of categories that can be used for the category field in the asset list. The relationship between the pci_domain field and the category field is the single most important factor in determining asset management and PCI compliance in a cardholder data environment. The PCI compliance analyst needs a list of all assets that reside in a trusted zone, to monitor and report on these assets as a group and tell them apart from any assets that are not in a trusted zone.

The asset table fields category and pci_domain can be used to determine your PCI compliance scoping for assets.

  • Use the category field to distinguish assets relevant for PCI compliance from other assets.
  • Use the pci_domain field to identify the PCI domain-relevant details about PCI compliance assets.
Asset table field Valid values Description
pci_domain wireless, trust, untrust, cardholder, dmz Configure one or more domains for every asset related to PCI. The domains measure security compliance in accordance with "trust" or "untrust" fields. Separate valid values with a pipe if multiple values apply to a single asset. For example, trust|dmz. If left blank, defaults to untrust. Use trust for designating traffic from the internal network. Use untrust for designating traffic from the external network. Use wireless, dmz, cardholder depending on the purpose of your assets.
category cardholder, pci Separate valid values with a pipe if multiple values apply to a single asset. Use cardholder to define the cardholder data environment for PCI compliance. For example, people, processes, and technology that store, process, or transmit cardholder data or sensitive authentication data. Use pci to identify a network component, server, or application included in or connected to the cardholder data environment.

Verify that your asset data was added to the Splunk App for PCI Compliance

Check the Asset Center dashboard.

Last modified on 11 November, 2020
Steps to configure the Splunk App for PCI Compliance   Configure identities

This documentation applies to the following versions of Splunk® App for PCI Compliance: 4.0.0, 4.0.1, 4.1.0, 4.1.1, 4.3.0, 4.4.0, 4.4.1, 4.5.0 Cloud only, 4.6.0, 4.6.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters