Set up the identity list to enrich the data in the Splunk App for PCI Compliance. The identity list provides information about the users in your cardholder data environment, such as the user name, first and last name, and email address. Some of these fields, such as priority, watchlist, and endDate are used for dashboard charts and to calculate the urgency of notable events associated with identities. Other fields, such as "business unit" and "category", are used by the filters at the top of the dashboards. You can search on any of these fields from the identity list and use them while investigating events.
When an event contains a field that the Splunk App for PCI Compliance identifies as belonging to a specific identity, the app looks up the identity in the identities list and generates new fields that contain the information from the identities list. The identity information provides the app with contextual information about the identities involved in an event or related to a notable event that can allow a PCI compliance analyst or incident investigator to identify additional identity information such as priority, categories, business unit, watchlist, and other information.
Maintain the identity list to allow identities to be correlated with events. See Asset and Identity Correlation in the User Manual.
Register asset and identity data
You have choices for registering asset and identity data:
- Manually register asset and identity data in Asset and Identity Manger
- Use LDAP to register data in Asset and Identity Manger
See Add asset and identity data to Splunk Enterprise Security in the Splunk Enterprise Security Administer Splunk Enterprise Security guide.
Set up identity categories
After formatting an identity list as a lookup, the following identity categories are specific to PCI. See Format an asset or identity list as a lookup in Splunk Enterprise Security.
The category list specifies a list of categories that you can use for the category field in the identities list. The category list can be any set of categories you choose. Common examples are compliance and security standards, such as PCI, governing the identities, or functional categories such as
pci-analyst, and others. Assign user categories to identities to further enrich your data.
These user categories are available in the Splunk App for PCI Compliance.
|intern||temporary intern user|
|officer||user who is an officer of the company|
|pci||PCI analyst or PCI compliance manager|
|privileged||user with additional privileges|
You can edit this list by navigating to Configure > Content Management and selecting the Categories lookup.
Verify that your identity data was added to the Splunk App for PCI Compliance
Check the Identity Center dashboard.
Configure Primary Functions list
This documentation applies to the following versions of Splunk® App for PCI Compliance: 5.0.1, 5.0.2, 5.1.0