Define a primary service
As part of the Splunk App for PCI Compliance, primary functions are defined as one or more of the following items:
- Running Process (process name)
- Installed Service (service name)
- Listening Port (transport/port combination)
Primary functions are defined in a Splunk lookup table (SA-EndpointProtection/lookups/primary_functions.csv). This lookup table contains three separate primary keys (one each for service, process, and transport/port). The remainder of the header determines whether or not the function is primary and what that function is. This results in the following CSV header:
```
process,service,transport,port,is_primary,function
```
Function names are arbitrary, but we recommend the following:
- Application (name, for instance "Tomcat")
- Authentication
- Database
- Domain Name Service (DNS)
- Mail
- Proxy
- Network Time Protocol (NTP)
- Web
The SA-EndpointProtection/lookups/primary_functions.csv file contains examples that come with the Splunk App for PCI Compliance.
Lookups
Primary functions running on a system are determined by comparing the defined primary functions with the running processes, installed services, and listening ports found on a system.
- Running processes are found in the "localprocesses_tracker"
- Services are found in the "services_tracker"
- Listening ports are found in the "listeningports_tracker"
For example, the following search examines the "localprocesses_tracker" for primary functions:
```
| inputlookup append=T localprocesses_tracker | `get_primary_function(process)` | rename app as process
```
Compliance Managers may want to use multiple services and/or processes to determine the primary function of a system. This is easily done as long as the function name is consistent among applications in the stack.
To do this, you will need to define a primary service. You can have several service names that represent an application stack but a single function. In the SA-EndpointProtection/lookups/primary_functions.csv file, identify all of the services and/or processes associated with the primary function using the same function name.
For example:
| process | service | transport | port | is_primary | function |
|---|---|---|---|---|---|
| | apple | | | true | improve health |
| | banana | | | true | improve health |
| | carrot | | | true | improve health |
The following search simulates a system running these services to show how they result in a single function:
```
| head 1 | stats count | eval service="apple|banana|carrot" | `makemv(service)` | rename service as app | mvexpand app | `get_primary_function(service)` | stats dc(function)
```
This search results in dc(function) == 1, because all three services map to the same function name.
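The same lookup logic, as an added Python example that is not part of the Splunk App for PCI Compliance or its documentation: it reads rows in the primary_functions.csv header layout, keys them on the three primary-key columns (process, service, transport/port), and resolves a system's inventory to its distinct primary functions, so a stack such as apple/banana/carrot collapses to a single function just as the search above does. The CSV rows and the system inventories are constructed for the example; the app's own lookup file and the `get_primary_function` macro are not used.

```python
import csv
import io

# Constructed rows in the primary_functions.csv layout; not the app's shipped file.
PRIMARY_FUNCTIONS_CSV = """process,service,transport,port,is_primary,function
,apple,,,true,improve health
,banana,,,true,improve health
,carrot,,,true,improve health
httpd,,,,true,Web
,,tcp,443,true,Web
,,udp,53,true,Domain Name Service (DNS)
sshd,,,,false,
"""


def load_primary_functions(text):
    """Build one lookup map per primary-key column from the CSV text."""
    by_process, by_service, by_port = {}, {}, {}
    for row in csv.DictReader(io.StringIO(text)):
        entry = (row["is_primary"].strip().lower() == "true", row["function"].strip())
        if row["process"]:
            by_process[row["process"]] = entry
        if row["service"]:
            by_service[row["service"]] = entry
        if row["transport"] and row["port"]:
            # transport/port is a combined key, e.g. ("tcp", 443)
            by_port[(row["transport"].lower(), int(row["port"]))] = entry
    return by_process, by_service, by_port


def primary_functions(system, tables):
    """Return the set of primary function names for one system.

    system mirrors the three trackers: optional keys 'processes', 'services'
    and 'ports' (ports given as (transport, port) tuples).
    """
    by_process, by_service, by_port = tables
    found = set()
    for keys, table in ((system.get("processes", ()), by_process),
                        (system.get("services", ()), by_service),
                        (system.get("ports", ()), by_port)):
        for key in keys:
            is_primary, function = table.get(key, (False, ""))
            if is_primary and function:
                found.add(function)
    return found


if __name__ == "__main__":
    tables = load_primary_functions(PRIMARY_FUNCTIONS_CSV)
    print(primary_functions({"services": ["apple", "banana", "carrot"]}, tables))
```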
This documentation applies to the following versions of Splunk® App for PCI Compliance: 5.0.1, 5.0.2, 5.1.0, 5.1.1, 5.1.2, 5.2.0, 5.3.0, 5.3.1, 5.3.2