Splunk Enterprise Security

Config assets in SplunkES

hoandh
New Member

Hi all,

When I config assets in SplunkES, I have a problem which concern field pci_domain.
I have read the document but I don't understand clearly about this field : the purpose and effect of this field in SpunkES ?
Besides, if i have a asset which not belong pci scope, I need fill what in filed pci_dmain ?
I hope everyone will help my with this case.

Thanks everyone.

0 Karma
1 Solution

koshyk
Super Champion

An empty/null should be fine.
Please find a sample

ip,mac,nt_host,dns,owner,priority,lat,long,city,country,bunit,category,pci_domain,is_expected,should_timesync,should_update,requires_av,
10.31.111.130,,myhost-01,myhost-01.domain.com,,medium,,,London,United Kingdom,IT,CATEGORY1,cardholder,TRUE,TRUE,TRUE,TRUE,TRUE
10.31.111.131,,myhost-02,myhost-02.domain.com,,medium,,,London,United Kingdom,IT,NON_CAT,,TRUE,TRUE,TRUE,TRUE,TRUE

you can get some hint by Looking into lookups of the APP SA-IdentityManagement/lookups/pci*

View solution in original post

0 Karma

koshyk
Super Champion

An empty/null should be fine.
Please find a sample

ip,mac,nt_host,dns,owner,priority,lat,long,city,country,bunit,category,pci_domain,is_expected,should_timesync,should_update,requires_av,
10.31.111.130,,myhost-01,myhost-01.domain.com,,medium,,,London,United Kingdom,IT,CATEGORY1,cardholder,TRUE,TRUE,TRUE,TRUE,TRUE
10.31.111.131,,myhost-02,myhost-02.domain.com,,medium,,,London,United Kingdom,IT,NON_CAT,,TRUE,TRUE,TRUE,TRUE,TRUE

you can get some hint by Looking into lookups of the APP SA-IdentityManagement/lookups/pci*

0 Karma

hoandh
New Member

Thank you very much.
But actually I don't understand clearly about this field : the purpose and effect of this field in SpunkES ?
Can you explain detail for me ?

0 Karma

koshyk
Super Champion

please upvote/accept if these answers helped you

0 Karma

koshyk
Super Champion

pci_domain=> The domain of the host as it pertains to PCI. The domain is used to identify instances where cardholder data may pass to Internet-facing devices, such as for PCI requirement 1.3.3.An asset can be included in multiple PCI domains by assigning a pipe-delimited list of domains in the asset list.

This field is used for grouping of Identities by Priority and/or Business Unit and Category and used by SA-IdentityManagement add-on of the SPlunkES

So it is quite important for security posture of your organisation. Traditionally it used to be part of splunkES, but since there is an exclusive PCI app now, i'm not sure about the future of this field

0 Karma

hoandh
New Member

Thanks koshyk very much. I will upvote for this answer.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

If an asset does not have PCI scope then you can leave the pci_domain field empty. The field is used in the Asset Center dashboard.

---
If this reply helps you, Karma would be appreciated.
0 Karma

hoandh
New Member

Thank you very much.
But actually I don't understand clearly about this field : the purpose and effect of this field in SpunkES ?
Can you explain detail for me ?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...