The Splunk App for PCI Compliance works with Splunk software and supports all CIM-compliant data ingestion methods. After the app is installed and configured, solution administrators can start to add data to the Splunk deployment. The Splunk App for PCI Compliance requires some consideration when determining how to get data from the various sources.

Considerations for data inputs with PCI compliance

When you set up a data input for the Splunk App for PCI Compliance, make sure the data is correctly mapped using a technology add-on so that the data is normalized and assigned the correct source type.

You can use each of the main approaches for Splunk data inputs (monitoring files, monitoring network ports, monitoring Windows and Unix data, and deploying custom scripted inputs) with the Splunk App for PCI Compliance. Some approaches work better than others because the input data must be assigned the correct source type.

Monitoring files: Deploy a forwarder on each system where you want to monitor files and source type the file inputs on the forwarder. If there is a large number of forwarders with identical configurations, use the deployment server to set up and manage the logging sources across your forwarders.

Monitoring network ports: You can send data to a forwarder or directly to an indexer on any TCP or UDP port. Be careful when sending data from multiple sources over the same port, because all of it arrives with the same source type unless it is separated. See the Get data from TCP and UDP ports section in Getting Data In.

Monitoring Windows data: To implement Windows event log monitoring, deploy a forwarder on each system. If there is a large number of forwarders with identical configurations, use the Splunk Enterprise deployment server to set up and manage the logging sources across your forwarders.

Scripted inputs: A scripted input is a flexible input type that collects data from APIs and remote data interfaces. See Get data from APIs and other remote data interfaces through scripted inputs in Getting Data In.

Set the correct source type so that data is properly processed by the Splunk platform and used by the Splunk App for PCI Compliance. For more information about automatic source typing, see Why source types matter in Getting Data In. Technology add-ons provide search-time knowledge to map data.

To get the most out of the Splunk App for PCI Compliance, you must provide information about the assets, which are the devices and systems in the environment. The asset list includes a number of fields used by the dashboards and correlation searches in the app. The Splunk App for PCI Compliance still functions without an asset list, but the functionality of some dashboards and features is incomplete.

Some of the important fields in the asset list include:

ip, mac, nt_host, dns, owner - Asset information. These fields are used to provide details about current assets in the Splunk App for PCI Compliance.

priority - This field is used to determine the urgency of the notable events associated with security incidents.

category - This field is used to define systems that are in scope for PCI and/or contain cardholder data. Categories are configurable and are defined in a separate category list. Used by many Splunk for PCI Compliance dashboards to filter the view. Common examples are compliance and security standards governing the asset, or functional categories (such as server, domain_controller, and so on). An asset can be included in multiple categories by assigning a pipe-delimited list of categories in the asset list, for example, pci|cardholder|server.

pci_domain - This field is used to specify the network zone the asset is found within. An asset can be included in multiple PCI domains by assigning a pipe-delimited list of domains in the asset list. The following values are supported by default: Used by many Splunk for PCI Compliance dashboards to restrict the view.

bunit - A free-form field that can be used to specify the business unit the asset is part of.

Augmenting events with additional asset information helps security analysts and incident investigators. This is done with the asset list, a comma-separated values (CSV) lookup file with contextual information about your systems, information that cannot be gathered from the events themselves. Populate the asset list either by building an automated capture from an existing asset database or by populating the file manually. See Configure assets for more about how to add asset data to the asset list.

The Splunk App for PCI Compliance also needs to have information about the identities who use the system.
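The following script is an added example, not code from Splunk or the app, of the "automated capture from an existing asset database" approach described above: it validates inventory records, renders them as an asset list CSV with the pipe-delimited multi-valued category and pci_domain fields the page describes, and then uses that CSV to augment an event with asset context the way a lookup would. The inventory rows are constructed sample data; the priority vocabulary, the src_-prefixed output field names, the rule that any asset in the pci or cardholder category is in scope, and the requirement that a record carry at least one identifying field are assumptions for the example, not documented behaviour of the app.

```python
"""Build and validate a Splunk-style asset list CSV, then use it to enrich an event."""
import csv
import io
import ipaddress
import re

# Field names from the page; column order is this example's own choice.
ASSET_FIELDS = ["ip", "mac", "nt_host", "dns", "owner",
                "priority", "category", "pci_domain", "bunit"]
MULTI_VALUE_FIELDS = {"category", "pci_domain"}          # pipe-delimited in the CSV
PRIORITY_VALUES = {"low", "medium", "high", "critical"}  # assumed vocabulary
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

# Constructed sample inventory, as an export from a CMDB might look.
INVENTORY = [
    {"ip": "10.1.20.15", "mac": "00:11:22:33:44:55", "nt_host": "PAY-DB01",
     "dns": "pay-db01.corp.example", "owner": "dba-team", "priority": "critical",
     "category": ["pci", "cardholder", "server"], "pci_domain": ["trust", "cardholder"],
     "bunit": "payments"},
    {"ip": "10.2.5.7", "mac": "AA:BB:CC:DD:EE:FF", "nt_host": "WEB-DMZ02",
     "dns": "web-dmz02.corp.example", "owner": "web-ops", "priority": "high",
     "category": ["pci", "server"], "pci_domain": ["dmz"], "bunit": "ecommerce"},
    # Deliberately bad record: malformed MAC and an unknown priority value.
    {"ip": "10.9.0.3", "mac": "not-a-mac", "nt_host": "LAB-01", "dns": "", "owner": "",
     "priority": "urgent", "category": ["lab"], "pci_domain": [], "bunit": "research"},
]


def validate_asset(rec):
    """Return a list of problems; an empty list means the record is usable."""
    problems = []
    if not any(rec.get(k) for k in ("ip", "mac", "nt_host", "dns")):
        problems.append("no identifying field (ip, mac, nt_host or dns)")
    if rec.get("ip"):
        try:
            ipaddress.ip_address(rec["ip"])
        except ValueError:
            problems.append(f"bad ip {rec['ip']!r}")
    if rec.get("mac") and not MAC_RE.match(rec["mac"]):
        problems.append(f"bad mac {rec['mac']!r}")
    if rec.get("priority") and rec["priority"] not in PRIORITY_VALUES:
        problems.append(f"unknown priority {rec['priority']!r}")
    for field in MULTI_VALUE_FIELDS:
        for value in rec.get(field, []):
            # A '|' inside a value would be read back as two values, so reject it.
            if "|" in value or not value.strip():
                problems.append(f"{field} value {value!r} is empty or contains '|'")
    return problems


def build_asset_csv(inventory):
    """Render valid records as CSV text; return (csv_text, rejected_by_host)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=ASSET_FIELDS, lineterminator="\n")
    writer.writeheader()
    rejected = {}
    for rec in inventory:
        key = rec.get("nt_host") or rec.get("ip")
        problems = validate_asset(rec)
        if problems:
            rejected[key] = problems
            continue
        row = {f: rec.get(f, "") for f in ASSET_FIELDS}
        for field in MULTI_VALUE_FIELDS:
            row[field] = "|".join(rec.get(field, []))   # pci|cardholder|server
        writer.writerow(row)
    return buf.getvalue(), rejected


def load_asset_lookup(csv_text):
    """Index the CSV by ip and nt_host, splitting multi-valued fields into lists."""
    index = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        for field in MULTI_VALUE_FIELDS:
            row[field] = row[field].split("|") if row[field] else []
        for key in (row["ip"], row["nt_host"]):
            if key:
                index[key] = row
    return index


def augment_event(event, lookup, field="src"):
    """Copy asset context for event[field] into '<field>_<asset field>' keys."""
    enriched = dict(event)
    asset = lookup.get(event.get(field, ""))
    if asset is None:
        return enriched           # unknown host: event passes through untouched
    for name in ("owner", "priority", "category", "pci_domain", "bunit"):
        enriched[f"{field}_{name}"] = asset[name]
    return enriched


def in_scope(asset):
    """Assumed scoping rule: pci or cardholder category means PCI in scope."""
    return bool({"pci", "cardholder"} & set(asset["category"]))


if __name__ == "__main__":
    text, bad = build_asset_csv(INVENTORY)
    print(text)
    for host, why in bad.items():
        print(f"rejected {host}: {'; '.join(why)}")
    lookup = load_asset_lookup(text)
    print(augment_event({"src": "10.1.20.15", "action": "failure"}, lookup))
```

Rejected records are reported rather than silently dropped, so a broken CMDB export shows up before an asset goes missing from the dashboards; the check on the pipe delimiter matters because a category containing a literal "|" would otherwise split into two categories when the lookup is read back.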