Identify data sources
Before you install, configure, and deploy the Splunk App for PCI Compliance, identify the data sources to be monitored in your cardholder data environment.
The following table shows the main data sources to gather information from before deploying the app.
|Source||Example data||How data is used||Why it is important|
|Data sources||Firewall data from Nessus.||Used in the dashboard.||Information about access attempts.|
|Asset information||List of servers in deployment.||Used by correlation searches.||Identify assets to monitor and report on.|
|Identity information||For example, verified users.||Used by correlation searches, notable events, reports.||Monitor expected users.|
Data from these sources and the search-time knowledge applied to the data to normalize it for use in the app create a real-time view into the state of PCI compliance in your cardholder data environment.
Additional data to collect might include the following:
- information from enterprise devices, systems, and applications in the cardholder data environment
- access attempts to PCI assets
- traffic between PCI domains
- vulnerabilities identified on PCI assets
- notification of malware found on PCI assets
- notification of compliance issues
The app uses this information to populate the dashboards, views, and reports that are available in the Splunk App for PCI Compliance. The app also provides trended views of areas over time, a breakdown of issues by PCI requirement, and visibility in the incident status. Any of this information can be presented in the form of a report.
Identify all of the data sources in your PCI cardholder data environment.
|Data source||Type of data collected|
|operating system logs||log files|
|network device logs||log files|
|security logs (anti-malware solutions)||log files|
|vulnerability management solutions||Common Vulnerabilities and Exposures (CVE) information|
|application logs||application specific notification (for Windows, for Unix)|
For each data source, identify the mapping (technology add-ons) needed to normalize the data for use with the Splunk App for PCI Compliance.
See Identify assets in the Installation and Configuration Manual.
See Identify system identities in the Installation and Configuration Manual.
Understand the Splunk App for PCI Compliance
This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.4.0, 3.4.1, 3.4.2, 3.5.0, 3.6.0, 3.6.1, 3.7.0, 3.7.1, 3.7.2, 3.8.0, 3.8.1, 4.0.0, 4.0.1, 4.1.0, 4.1.1, 4.3.0, 4.4.0, 4.4.1, 4.5.0 Cloud only, 4.6.0