
How can I search based on PCI requirements without using the Splunk App for PCI Compliance?

New Member

If downloading the PCI App is not an option, what would be the best/fastest way to create an index, or to generate searches based on the PCI requirements?

0 Karma

Splunk Employee

Hey @frizzoS3, if @rich7177 solved your problem, please don't forget to accept an answer! You can upvote posts as well. (Karma points will be awarded for either action.) Happy Splunking!

0 Karma


There is an answer to this and while it's a really good answer that you'll learn a lot from, it's not an "easy" answer.

The short answer is that this is unlikely to be worth your time, at least if it's the sole way you are going about it. The PCI app has a lot of the intelligence you need to manage the controls required (when such things can even be DONE in Splunk - lots of things are simply procedures or documentation...), rebuilding it will take significant time and energy. And if you get them wrong, well, that's not the auditor's problem, it's your problem.

The second thing to know is that Splunk (indeed, nearly any product) can only do parts of this. A lot, as I mentioned, is procedures and documentation, making sure everyone knows their role, having responses ready for potential breaches, etc... For the parts you can use Splunk for, you should review expected implementation costs vs. if PCI app would supply it and how much that app costs.

Thirdly, though I give examples below - I have no idea what I'm doing. 🙂 Don't trust it, nor my opinion of what's right or wrong or what you need to do.

Fourthly, in addition to all the individual things I don't really cover (but hint at) below, there's a lot of work in segmentation, confirming segmentation, isolating things, monitoring the isolated stuff and so on. That's possibly Splunk stuff, but the PCI app sort of lays out some of that in a way that works better than home built things.

But, assuming we have some skills available and the answers to the questions above indicate you should read on, well, then, read on.

First you have to define what you mean by "based on PCI requirements". This means finding out exactly what it is you are searching for. This will require reading the PCI requirements and a lot of thinking about those requirements. For instance, let's pick one semi-randomly - PCI DSS 3.4 which talks about confirming PAN or account numbers not being in audit logs. If we assume account numbers are 16 digit numbers, the first stab at this might be...

index=* | rex field=_raw "(?<PotentialPAN>\d{16})" | search PotentialPAN=*

Right? Now, I'm not suggesting this is the right search, only that this is one way to accomplish the control in a very, very minimal fashion - looking for strings of 16 digits. This will surely false-alarm on a bazillion things, and I'm positive the auditors won't quite like it, but it's the start of something. A tweak could be - let's say you know the PAN will always start with the numbers 8181 or 4545, in which case ...

index=* | rex field=_raw "(?<PotentialPAN>(8181|4545)\d{12})" | search PotentialPAN=*

That takes the same previous "16 digits" and instead looks for "8181(12 more digits)" or "4545(12 more digits)". Again, not saying this is adequate, just trying to outline the work that might be involved.

Let's take another one:
12.1 Establish, publish, maintain, and disseminate a security policy.
Nope, not a thing Splunk's likely to help with. It's policies and making sure everyone who needs it knows it.

Another: 10.6.1 [basically it's "Examine all logs daily" ]
Well, this seems like a perfect thing to use Splunk for, and it won't even take much "searching". Even disregarding PCI needs, it is smart to build some dashboards that know how to pull the relevant important information out of the firewalls, IPSes, AV, file access monitoring, login monitoring and all that other information. Filter out the nonsense (which fills most logs) and display the pieces that need actual reviewing or attention.

So, each individual control will need to be reviewed, assessed for how it could be implemented, then implemented, tested and checked for proper behavior. Then audited regularly.

I'd like to point out a ... well, apparently I have a habit of vaguely answering nearly-unanswerable questions like this ... answer I wrote a while back on compliance in another realm - an answer that is indirectly applicable to this one because they're both similar in the way they'll need to be handled.

So, I hope this helps though I doubt it will.

0 Karma
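As an added example (not part of the answer above and not code from the Splunk PCI app), here is the same pair of searches expressed as plain Python detection logic run over constructed log lines. The bare 16-digit match mirrors the first rex, the prefix filter mirrors the second (8181|4545) rex, and a Luhn mod-10 check is an assumed refinement the post does not include, there to show one cheap way to cut the "bazillion" false alarms the answer warns about. The log lines, function names and the idea of masking candidates before reporting them are all assumptions for this illustration.

```python
import re

# Constructed sample log lines (not taken from the original post or any real system).
# Only the first two 16-digit values pass a Luhn check; the third has a watched
# prefix but fails Luhn; the fourth is a job id that the bare \d{16} regex would flag.
SAMPLE_LOGS = [
    "2023-01-05T10:01:02Z pay-api INFO order=42 card=4111111111111111 status=ok",
    "2023-01-05T10:01:03Z pay-api INFO order=43 card=8181123412341236 status=ok",
    "2023-01-05T10:01:04Z pay-api WARN order=44 card=4545000000000000 status=declined",
    "2023-01-05T10:01:05Z batch INFO job_id=1234567890123456 rows=18",
    "2023-01-05T10:01:06Z auth INFO user=alice session=abcdef",
]

# Equivalent of the post's rex "(?<PotentialPAN>\d{16})". The lookarounds are an added
# refinement so a 17+ digit run is not mis-reported as a 16-digit PAN.
ANY_16_DIGITS = re.compile(r"(?<!\d)(\d{16})(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check. Real card numbers satisfy it; most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_potential_pans(lines, prefixes=None, require_luhn=False):
    """Return (line_number, candidate) pairs.

    prefixes:     optional list such as ["8181", "4545"]; keeping only candidates that
                  start with one of them is equivalent to the post's second rex
                  "(8181|4545)\\d{12}".
    require_luhn: additionally drop candidates that fail the Luhn check (assumed
                  refinement, not in the post).
    """
    hits = []
    for n, line in enumerate(lines, start=1):
        for candidate in ANY_16_DIGITS.findall(line):
            if prefixes and not candidate.startswith(tuple(prefixes)):
                continue
            if require_luhn and not luhn_valid(candidate):
                continue
            hits.append((n, candidate))
    return hits


def mask(candidate: str) -> str:
    """Show only the first 6 and last 4 digits when reporting, so the report itself
    does not become another place where full PANs are stored."""
    return candidate[:6] + "*" * (len(candidate) - 10) + candidate[-4:]


if __name__ == "__main__":
    # The post's first search: every 16-digit run.
    print("bare 16-digit matches:")
    for n, c in find_potential_pans(SAMPLE_LOGS):
        print(f"  line {n}: {mask(c)}")
    # The post's second search plus the assumed Luhn filter.
    print("prefix 8181/4545 AND Luhn-valid:")
    for n, c in find_potential_pans(SAMPLE_LOGS, prefixes=["8181", "4545"], require_luhn=True):
        print(f"  line {n}: {mask(c)}")
```

Run stand-alone it prints the masked candidates for each variant; the point is that each narrowing step (prefix, Luhn) removes a class of false positive, while still leaving the judgement of whether a hit really is a PAN in the audit log to a human, exactly as the answer cautions.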