The asset list provides external information about the devices in your environment, such as the asset priority, owner, and business unit. It also provides the geographic location of the asset and the DNS and Windows machine name of the asset. You can search on any of these fields from the asset list and use them while you are investigating events.
When an event contains a field that PCI Compliance identifies as belonging to a host or device, the Splunk App for PCI Compliance looks up the device in the asset list and generates new fields that carry the information from the asset list. This gives PCI Compliance context about the systems involved in an event or related to a notable event, so a security analyst or incident investigator can see the asset priority, categories, business unit, owner, and other asset information without leaving the investigation.
Maintain the asset list to allow assets to be correlated with events. See Asset and Identity Correlation in the User Manual.
Register asset and identity data
You have choices for registering asset and identity data:
- Manually register asset and identity data in Asset and Identity Manager
- Use LDAP to register data in Asset and Identity Manager
See Add asset and identity data to Splunk Enterprise Security in the Splunk Enterprise Security Administer Splunk Enterprise Security guide.
Set up asset categories
After formatting an asset list as a lookup, populate the following asset categories, which are specific to PCI. See Format an asset or identity list as a lookup in Splunk Enterprise Security.
The category list specifies the categories that can be used for the category field in the asset list. The relationship between the pci_domain field and the category field is the single most important factor in determining asset management and PCI compliance in a cardholder data environment. The PCI compliance analyst needs a list of all assets that reside in a trusted zone, to monitor and report on those assets as a group and tell them apart from any assets that are not in a trusted zone.
The asset table fields category and pci_domain determine your PCI compliance scoping for assets.
- Use the category field to distinguish assets relevant for PCI compliance from other assets.
- Use the pci_domain field to record which PCI network domains (zones) a PCI compliance asset belongs to.
| Asset table field | Valid values | Description |
|---|---|---|
| pci_domain | wireless, trust, untrust, cardholder, dmz | Configure one or more domains for every asset related to PCI. The domains place each asset in a trusted or untrusted zone, and compliance is monitored and reported per zone. Separate valid values with a pipe if multiple values apply to a single asset, for example trust\|dmz. If left blank, defaults to trust. Use trust for designating traffic from the internal network and untrust for designating traffic from the external network. Use wireless, dmz, and cardholder depending on the purpose of your assets. |
| category | pci, cardholder | Separate valid values with a pipe if multiple values apply to a single asset. Use cardholder to define the cardholder data environment for PCI compliance: the people, processes, and technology that store, process, or transmit cardholder data or sensitive authentication data. Use pci to identify a network component, server, or application included in or connected to the cardholder data environment. |
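Before loading an asset lookup, it is worth checking that every pipe-separated category and pci_domain value is one the table above allows, that the blank-pci_domain default to trust is applied the same way the app will apply it, and that the resulting scope (PCI assets, the cardholder data environment, trusted versus untrusted zones) is what the analyst expects. The script below is an added example, not part of the Splunk documentation or the app's own code. The sample lookup rows are constructed, and the column names (ip, nt_host, dns, owner, priority, bunit, category, pci_domain) are assumed to follow the Splunk Enterprise Security asset lookup layout; only category and pci_domain come from the table on this page.

```python
"""Validate a PCI asset lookup CSV and compute PCI scope from category/pci_domain.

Added example (not Splunk's code). Column names other than category and
pci_domain are assumed to match the ES asset lookup layout.
"""
import csv
import io

# Valid values from the pci_domain and category rows of the asset table.
VALID_PCI_DOMAIN = {"wireless", "trust", "untrust", "cardholder", "dmz"}
VALID_CATEGORY = {"pci", "cardholder"}
DEFAULT_PCI_DOMAIN = "trust"  # the table: blank pci_domain defaults to trust

# Constructed sample lookup (not real assets). Row 3 leaves pci_domain blank,
# row 4 carries an invalid pci_domain value ("guest"), row 5 is not PCI-relevant.
SAMPLE_LOOKUP = """ip,nt_host,dns,owner,priority,bunit,category,pci_domain
10.10.1.20,POS-DB01,pos-db01.corp.example,dba-team,critical,retail,pci|cardholder,trust|cardholder
10.10.2.5,WEB-DMZ01,web-dmz01.corp.example,web-team,high,retail,pci,dmz|untrust
10.10.1.30,APP-SRV01,app-srv01.corp.example,app-team,medium,retail,pci,
10.10.3.9,WIFI-AP07,wifi-ap07.corp.example,net-team,low,retail,pci,wireless|guest
10.20.0.44,HR-FILE01,hr-file01.corp.example,hr-team,low,hr,,
"""


def split_multivalue(raw):
    """Split a pipe-delimited lookup field into a set of non-empty values."""
    return {v.strip() for v in (raw or "").split("|") if v.strip()}


def load_assets(text):
    """Parse the lookup CSV, apply the blank-pci_domain default, and flag bad values.

    Returns (assets, errors): each asset dict has 'category' and 'pci_domain'
    converted to sets; errors is a list of (ip, field, sorted_bad_values).
    """
    assets, errors = [], []
    for row in csv.DictReader(io.StringIO(text)):
        cats = split_multivalue(row["category"])
        domains = split_multivalue(row["pci_domain"]) or {DEFAULT_PCI_DOMAIN}
        bad_cats = cats - VALID_CATEGORY
        bad_domains = domains - VALID_PCI_DOMAIN
        if bad_cats:
            errors.append((row["ip"], "category", sorted(bad_cats)))
        if bad_domains:
            errors.append((row["ip"], "pci_domain", sorted(bad_domains)))
        row["category"], row["pci_domain"] = cats, domains
        assets.append(row)
    return assets, errors


def pci_scope(assets):
    """Group assets the way the page describes the analyst needs them.

    in_scope: any asset whose category marks it PCI-relevant (pci or cardholder)
    cde:      in-scope assets tagged cardholder (the cardholder data environment)
    trusted:  in-scope assets whose pci_domain includes trust
    untrusted_zone: in-scope assets with no trust domain (dmz/untrust/wireless only)
    """
    in_scope = [a for a in assets if a["category"] & VALID_CATEGORY]
    names = lambda rows: sorted(a["nt_host"] for a in rows)
    return {
        "in_scope": names(in_scope),
        "cde": names(a for a in in_scope if "cardholder" in a["category"]),
        "trusted": names(a for a in in_scope if "trust" in a["pci_domain"]),
        "untrusted_zone": names(a for a in in_scope if "trust" not in a["pci_domain"]),
    }


if __name__ == "__main__":
    assets, errors = load_assets(SAMPLE_LOOKUP)
    for ip, field, bad in errors:
        print(f"invalid {field} value(s) for {ip}: {bad}")
    for group, hosts in pci_scope(assets).items():
        print(f"{group}: {hosts}")
```

Run it against your exported lookup instead of SAMPLE_LOOKUP; any row reported by the validator would otherwise be silently ignored or mis-scoped once the app correlates events against the asset list.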
Verify that your asset data was added to the Splunk App for PCI Compliance
Check the Asset Center dashboard and confirm that the assets appear with the category and pci_domain values you configured.
This documentation applies to the following versions of Splunk® App for PCI Compliance: 5.0.1, 5.0.2, 5.1.0, 5.1.1, 5.1.2, 5.2.0, 5.3.0