Define a primary service
As part of the Splunk App for PCI Compliance, primary functions are defined as one or more of the following items:
- Running Process (process name)
- Installed Service (service name)
- Listening Port (transport/port combination)
Primary functions are defined in a Splunk lookup table (SA-EndpointProtection/lookups/primary_functions.csv). This lookup table contains three separate primary keys (one each for service, process, and transport/port). The remainder of the header determines whether or not the function is primary and what that function is. This results in the following CSV header:
Function names are arbitrary, but we recommend the following:
- Application (name, for instance "Tomcat")
- Authentication
- Database
- Domain Name Service (DNS)
- Mail
- Proxy
- Network Time Protocol (NTP)
- Web
The SA-EndpointProtection/lookups/primary_functions.csv file contains example entries that ship with the Splunk App for PCI Compliance.
Primary functions running on a system are determined by comparing the defined primary functions with the running processes, installed services, and listening ports found on a system.
- Running processes are found in the "
- Services are found in the "
- Listening ports are found in the "
For example, the following search examines the "localprocesses_tracker" for primary functions:
| inputlookup append=T localprocesses_tracker | `get_primary_function(process)` | rename app as process
Compliance Managers may want to use multiple services and/or processes to determine the primary function of a system. This is easily done as long as the function name is consistent among applications in the stack.
To do this, you will need to define a primary service. You can have several service names that represent an application stack but a single function. In the SA-EndpointProtection/lookups/primary_functions.csv file, identify all of the services and/or processes associated with the primary function and give each of them the same function name.
The following search simulates a system running these services to show how they result in a single function:
| head 1 | stats count | eval service="apple|banana|carrot" | `makemv(service)` | rename service as app | mvexpand app | `get_primary_function(service)` | stats dc(function)
This search will result in dc(function) == 1.
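The matching the page describes, as an added example that is not part of the app's own code: a small Python model of the lookup that indexes rows by each of the three keys, ignores non-primary rows, and returns the distinct functions for the observed services, processes and ports (the page's dc(function)). The column names in the constructed CSV are assumptions, since the page does not reproduce the real header.

```python
import csv
import io

# Constructed sample lookup. Column names are assumed; the real header of
# primary_functions.csv is not reproduced on the page.
PRIMARY_FUNCTIONS_CSV = """service,process,transport,port,is_primary,function
apple,,,,true,Web
banana,,,,true,Web
carrot,,,,true,Web
,httpd,,,true,Web
,named,,,true,Domain Name Service (DNS)
,,udp,53,true,Domain Name Service (DNS)
,,udp,123,true,Network Time Protocol (NTP)
,sshd,,,false,Remote Access
"""


def load_primary_functions(text):
    """Index primary rows by each of the three keys: service, process, transport/port."""
    index = {"service": {}, "process": {}, "port": {}}
    for row in csv.DictReader(io.StringIO(text)):
        if row["is_primary"].strip().lower() != "true":
            continue  # non-primary rows never contribute a primary function
        if row["service"]:
            index["service"][row["service"]] = row["function"]
        if row["process"]:
            index["process"][row["process"]] = row["function"]
        if row["transport"] and row["port"]:
            index["port"][(row["transport"].lower(), int(row["port"]))] = row["function"]
    return index


def get_primary_functions(index, services=(), processes=(), ports=()):
    """Return the set of distinct primary functions for the observed items (dc(function))."""
    found = set()
    found.update(index["service"][s] for s in services if s in index["service"])
    found.update(index["process"][p] for p in processes if p in index["process"])
    for transport, port in ports:
        key = (transport.lower(), int(port))
        if key in index["port"]:
            found.add(index["port"][key])
    return found


if __name__ == "__main__":
    idx = load_primary_functions(PRIMARY_FUNCTIONS_CSV)
    # Mirrors the page's "apple|banana|carrot" simulation: one stack, one function.
    print(get_primary_functions(idx, services=["apple", "banana", "carrot"]))
```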
This documentation applies to the following versions of Splunk® App for PCI Compliance: 5.0.1