Splunk® App for PCI Compliance

Installation and Configuration Manual

Create new correlation searches

You can create your own correlation searches to create notable events that you want to have stored in the notable index and to appear on the Incident Review dashboard.

Create a custom correlation search using the Content Management page. For this example, create a correlation search for Splunk_DA-ESS_PCICompliance.

  1. Select Configure > Content Management.
  2. Select Create new content > Correlation Search.
  3. Type a search name. Include a domain in the search name if you want.
  4. Set the Application Context as PCI Compliance.
  5. Create a search with the guided search wizard.
  6. Fill out the rest of the fields on the page.
  7. Click Save.

For assistance creating correlation searches, see Create a correlation search in Splunk Enterprise Security Tutorials.

Configure thresholds for correlation searches

Correlation searches use thresholds to set the number of security events of a specified type that must occur to trigger a notable event. You can configure the thresholds for these searches based on the typical number of events in your environment.

For example, the Malware Outbreak Detected correlation search triggers when the number of new infections within the last 24 hours exceeds the threshold, alerting you when an organization-wide issue is developing. However, this correlation search might need to be adjusted to reflect the size and load of your environment. A large enterprise might consider ten new infections within a 24-hour period an outbreak, whereas a small company might consider only 3 new infections an outbreak. The threshold sets the number of infections that the correlation search considers noteworthy.

Threshold settings are best configured after developing a baseline of security events. Index two weeks of data before finalizing the baseline settings. Thresholds need to be adjusted over time as the network changes.

Add governance to a correlation search

Map new or existing correlation searches to the relevant PCI DSS controls by adding governance to the search.

This step requires file system access on the server. Splunk Cloud Platform customers must work with Splunk Support to map a new correlation search to the relevant PCI DSS controls.

Perform these steps in the same directory as the savedsearches.conf file where the search exists. For example, /Applications/splunk/etc/apps/Splunk_DA-ESS_PCICompliance/local.

  1. Create a governance.conf file.
    /Applications/splunk/etc/apps/Splunk_DA-ESS_PCICompliance/local/governance.conf
  2. Copy the stanza for the custom correlation search from the savedsearches.conf file and paste it into the governance.conf file.
    [PCI - 1.3.3 - Unauthorized or Insecure Communication Permitted – Rule]
  3. Add a compliance control mapping by adding a governance and control line under the correlation search stanza. For example, this correlation search applies to all systems in your environment.
    [PCI - 1.3.3 - Unauthorized or Insecure Communication Permitted – Rule]
    compliance.0.governance = pci
    compliance.0.control = 1.3.3
  4. (Optional) Add a tag value to specify a tag that must be present in the notable event in order for the governance and control mapping to be applied. For example, the results of this correlation search matter for PCI compliance only if the deleted account is related to PCI.
    [Access - Account Deleted - Rule]
    compliance.0.governance = pci
    compliance.0.control = 8.5
    compliance.0.tag = pci
  5. (Optional) Add additional compliance control mappings, incrementing the number to indicate an additional mapping. For example, the results of this search are relevant for both the 1.3.3 control and the 1.3.2 control.
    [PCI - 1.3.3 - Unauthorized or Insecure Communication Permitted – Rule]
    compliance.0.governance = pci
    compliance.0.control = 1.3.3
    compliance.1.governance = pci
    compliance.1.control = 1.3.2
  6. Save the file. The results take effect the next time the correlation search matches and creates a notable event.

Notable events must contain a tag value for governance to be applied based on the tag field. Notable events can contain a tag value if:

  • The correlation search results contain a tag field. For example, values(Authentication.tag) as tag is contained in the correlation search syntax.
  • The correlation search results contain a field that is correlated with the asset and identity lookups, and the lookup contains a category value for the asset or identity.
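Because governance.conf is edited by hand on the server, a stanza name that does not match savedsearches.conf exactly, or a mapping with a gap in its numbering, silently maps nothing. The following added example (not part of this manual or of the Splunk App for PCI Compliance) parses a governance.conf containing the stanzas shown in the steps above, checks those two points, and models the tag rule from the list above: a mapping that carries compliance.N.tag is applied only when that value is present in the notable event's tag field. The sample file contents and the set of savedsearches.conf stanza names are constructed for the example, and the way the app resolves mappings at notable-event time is an assumption written from the rules stated on this page, not the app's own code.

```python
import configparser
import re

# Constructed sample of a local/governance.conf holding the stanzas from the steps above.
# Stanza names must match the corresponding savedsearches.conf stanzas character for character.
GOVERNANCE_CONF = """
[PCI - 1.3.3 - Unauthorized or Insecure Communication Permitted - Rule]
compliance.0.governance = pci
compliance.0.control = 1.3.3
compliance.1.governance = pci
compliance.1.control = 1.3.2

[Access - Account Deleted - Rule]
compliance.0.governance = pci
compliance.0.control = 8.5
compliance.0.tag = pci
"""

# Constructed: stanza names present in the neighbouring savedsearches.conf.
SAVED_SEARCH_STANZAS = {
    "PCI - 1.3.3 - Unauthorized or Insecure Communication Permitted - Rule",
    "Access - Account Deleted - Rule",
}

# Only these keys are meaningful in a governance.conf stanza (per the steps above).
KEY_RE = re.compile(r"^compliance\.(\d+)\.(governance|control|tag)$")


def parse_governance(text):
    """Return {stanza: {index: {"governance": ..., "control": ..., "tag": ...}}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(text)
    out = {}
    for stanza in cp.sections():
        mappings = {}
        for key, value in cp.items(stanza):
            m = KEY_RE.match(key)
            if not m:
                raise ValueError(f"{stanza}: unexpected key {key!r}")
            mappings.setdefault(int(m.group(1)), {})[m.group(2)] = value.strip()
        out[stanza] = mappings
    return out


def validate(governance, saved_search_stanzas):
    """Return a list of problems; an empty list means the file is consistent."""
    problems = []
    for stanza, mappings in governance.items():
        if stanza not in saved_search_stanzas:
            problems.append(f"{stanza}: no matching stanza in savedsearches.conf")
        # compliance.N indices are expected to run 0, 1, 2, ... without gaps.
        if sorted(mappings) != list(range(len(mappings))):
            problems.append(f"{stanza}: indices {sorted(mappings)} are not contiguous from 0")
        for idx, m in sorted(mappings.items()):
            for required in ("governance", "control"):
                if required not in m:
                    problems.append(f"{stanza}: compliance.{idx}.{required} is missing")
    return problems


def applicable_controls(governance, search_name, notable_tags):
    """(governance, control) pairs that apply to a notable event from search_name.

    Assumption modelled from the page: a mapping with a tag value applies only
    when that tag is present in the notable event's (multivalued) tag field.
    """
    tags = set(notable_tags or [])
    result = []
    for _idx, m in sorted(governance.get(search_name, {}).items()):
        required_tag = m.get("tag")
        if required_tag and required_tag not in tags:
            continue
        result.append((m["governance"], m["control"]))
    return result


if __name__ == "__main__":
    gov = parse_governance(GOVERNANCE_CONF)
    for problem in validate(gov, SAVED_SEARCH_STANZAS):
        print("PROBLEM:", problem)
    # An account-deletion notable without the pci tag maps to no control at all.
    print(applicable_controls(gov, "Access - Account Deleted - Rule", ["privileged"]))
    print(applicable_controls(gov, "Access - Account Deleted - Rule", ["pci", "privileged"]))
```

Run the script after editing governance.conf on the search head and before waiting for the next notable event; the validator reports the stanza-name and numbering mistakes that otherwise only show up as notables that never receive a PCI control.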
Last modified on 14 February, 2022

This documentation applies to the following versions of Splunk® App for PCI Compliance: 5.0.1, 5.0.2, 5.1.0, 5.1.1, 5.1.2, 5.2.0, 5.3.0, 5.3.1, 5.3.2