Splunk® App for PCI Compliance

Installation and Configuration Manual

This documentation does not apply to the most recent version of Splunk® App for PCI Compliance. For documentation on the most recent version, go to the latest release.

Configure identities

Set up the identity list to enrich the data in the Splunk App for PCI Compliance. The identity list provides information about the users in your cardholder data environment, such as the user name, first and last name, and email address. Some of these fields, such as priority, watchlist, and endDate, are used for dashboard charts and to calculate the urgency of notable events associated with identities. Other fields, such as "business unit" and "category", are used by the filters at the top of the dashboards. You can search on any of these fields from the identity list and use them while investigating events.

When an event contains a field that the Splunk App for PCI Compliance identifies as belonging to a specific identity, the app looks up the identity in the identities list and generates new fields that contain the information from the identities list. This gives the app context about the identities involved in an event or related to a notable event, so that a PCI compliance analyst or incident investigator can see additional identity information such as priority, categories, business unit, watchlist, and other fields without leaving the event.

Maintain the identity list to allow identities to be correlated with events. See Asset and Identity Correlation in the User Manual.

Register asset and identity data

You have choices for registering asset and identity data:

  • Manually register asset and identity data in Asset and Identity Manager
  • Use LDAP to register data in Asset and Identity Manager

See Add asset and identity data to Splunk Enterprise Security in the Splunk Enterprise Security Administer Splunk Enterprise Security guide.

Set up identity categories

Once you have formatted an identity list as a lookup, you can assign its identities the PCI-specific categories listed below. See Format an asset or identity list as a lookup in Splunk Enterprise Security.

The category list specifies a list of categories that you can use for the category field in the identities list. The category list can be any set of categories you choose. Common examples are compliance and security standards, such as PCI, governing the identities, or functional categories such as officer, pci-analyst, and others. Assign user categories to identities to further enrich your data.

These user categories are available in the Splunk App for PCI Compliance.

Category     Description
cardholder   cardholder user
contractor   contractor user
default      default user
intern       temporary intern user
officer      user who is an officer of the company
pci          PCI analyst or PCI compliance manager
privileged   user with additional privileges
sox          Sarbanes–Oxley user

You can edit this list by navigating to Configure > Content Management and selecting the Categories lookup.
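The following added example (not code from Splunk or this manual) models the two behaviours described above: validating the category field of an identity lookup against the PCI category list, and generating identity_* fields on an event whose user matches an identity. The CSV rows and the column names are constructed assumptions modelled on the fields this page names (identity, first, last, email, priority, bunit, category, watchlist, endDate); a Splunk deployment does this enrichment with its own lookup configuration, not with this script.

```python
import csv
import io
from datetime import date

# Constructed sample identity lookup (not a real export). Column names are
# assumptions modelled on the fields this page names; category values are
# pipe-separated so one identity can carry several categories.
IDENTITY_CSV = """identity,first,last,email,priority,bunit,category,watchlist,endDate
jsmith,Jane,Smith,jsmith@example.com,high,payments,pci|privileged,true,
bjones,Bob,Jones,bjones@example.com,medium,payments,cardholder,false,2019-06-30
tintern,Tom,Intern,tintern@example.com,low,finance,intern,false,2030-01-01
"""

# The PCI identity categories from the table above.
PCI_CATEGORIES = {"cardholder", "contractor", "default", "intern",
                  "officer", "pci", "privileged", "sox"}


def load_identities(csv_text):
    """Parse the lookup, rejecting any row whose category is not in the list."""
    identities = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        cats = [c for c in row["category"].split("|") if c]
        unknown = set(cats) - PCI_CATEGORIES
        if unknown:
            raise ValueError(f"{row['identity']}: unknown category {sorted(unknown)}")
        row["category"] = cats
        identities[row["identity"].lower()] = row   # case-insensitive match
    return identities


def enrich(event, identities, today=None):
    """Add identity_* fields to an event whose 'user' field matches an identity."""
    today = date.fromisoformat(today) if today else date.today()
    ident = identities.get(event.get("user", "").lower())
    if ident is None:
        return dict(event, identity_known=False)
    out = dict(event, identity_known=True)
    for field in ("priority", "bunit", "category", "watchlist", "email"):
        out["identity_" + field] = ident[field]
    # An endDate in the past means activity from this identity is worth a look:
    # the account should no longer be in use.
    end = ident["endDate"]
    out["identity_expired"] = bool(end) and date.fromisoformat(end) < today
    return out
```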

Verify that your identity data was added to the Splunk App for PCI Compliance

Check the Identity Center dashboard.

Last modified on 23 September, 2019

This documentation applies to the following versions of Splunk® App for PCI Compliance: 4.0.0, 4.0.1, 4.1.0, 4.1.1, 4.3.0, 4.4.0, 4.4.1, 4.5.0 Cloud only, 4.6.0, 4.6.2

