Splunk® App for PCI Compliance

Installation and Configuration Manual

Network Traffic Activity

This report provides a six month view of network traffic activity between PCI domains. This report looks at traffic data produced by firewalls, routers, switches, and any other device that produces network traffic data. You can modify and customize the report by using different filters.

Relevant data sources

Relevant data sources for this report include any device that creates network traffic activity, such as firewalls.

How to configure this report

  1. Index firewall activity data in Splunk platform.
  2. Map the data to the following Common Information Model fields. host,action,dvc,rule,transport,src,src_port,dest,dest_port,vendor_product. CIM-compliant add-ons for these data sources perform this step for you.
  3. Set the category column for each asset in the Asset table to pci or cardholder.
  4. Set the pci_domain column for each asset in the Asset table to {dmz|trust|untrust|cardholder|wireless}.
  5. Set the is_secure and is_prohibited columns of the prohibited traffic list to {true|false}.

Mapping examples:

  • The action field shows either allowed or blocked traffic.
  • The eventtypes for traffic-related data are tagged with communicate and network

Report description

The Network Traffic Activity report relies on the Network Traffic data model.

Useful searches for troubleshooting

Troubleshooting Task Search/Action Expected Result
Verify that you have data from your network devices. sourcetype=<your_sourcetype_for_your_data> Returns data from your network devices.
Verify that network activity data has been indexed in Splunk platform. tag=network tag=communicate

or `communicate`

Returns all network traffic data from your network devices.
Verify that the fields are normalized to the Common Information Model. `communicate` | fields sourcetype, action, dvc, rule, transport, src, dest Returns a list of events and the specific network traffic fields of data populated from your devices.
Last modified on 14 February, 2022
Firewall Rule Activity   Default Account Access

This documentation applies to the following versions of Splunk® App for PCI Compliance: 5.0.1, 5.0.2, 5.1.0, 5.1.1, 5.1.2, 5.2.0, 5.3.0, 5.3.1, 5.3.2

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters