Define a primary service
As part of the Splunk App for PCI Compliance, primary functions are defined as one or more of the following items:
- Running Process (process name)
- Installed Service (service name)
- Listening Port (transport/port combination)
Primary functions are defined in a Splunk lookup table (SA-EndpointProtection/lookups/primary_functions.csv). This lookup table contains three separate primary keys (one for service, process, and transport/port respectively). The remainder of the header determines whether or not the function is primary and what that function is. This results in the following CSV header:
process,service,transport,port,is_primary,functionFunction names are arbitrary, but we recommend the following:
Application (name, for instance "Tomcat")
Authentication
Database
Domain Name Service (DNS)
Mail
Proxy
Network Time Protocol (NTP)
WebThe SA-EndpointProtection/lookups/primary_functions.csv file contains examples that come with the Splunk App for PCI Compliance.
Lookups
Primary functions running on a system are determined by comparing the defined primary functions with the running processes, installed services, and listening ports found on a system.
- Running processes are found in the "
localprocesses_tracker" - Services are found in the "
services_tracker" - Listening ports are found in the "
listeningports_tracker"
For example, the following search examines the "localprocesses_tracker for primary functions":
| inputlookup append=T localprocesses_tracker | `get_primary_function(process)` | rename app as processCompliance Managers may want to use multiple services and/or processes to determine the primary function of a system. This is easily done as long as the function name is consistent among applications in the stack.
To do this, you will need to define a primary service. You can have several service names that represent an application stack but a single function. In the SA-EndpointProtection/lookups/primary_functions.csv file identify all of the services and/or processes associated with the primary function with the same function name.
For example:
| process | service | transport | port | is_primary | function |
|---|---|---|---|---|---|
| apple | true | improve health | |||
| banana | true | improve health | |||
| carrot | true | improve health |
The following search simulates a system running these services to show how they result in a single function:
| head 1 | stats count | eval service="apple|banana|carrot" | `makemv(service)` | rename service as app | mvexpand app | `get_primary_function(service)` | stats dc(function)This search will result in a dc(function) == 1