Community:DailyLogReviewForPCI
From Splunk Wiki
Daily log review for PCI
Daily log review for PCI is no different from any other daily log review process in Splunk. In the Splunk for PCI application, the two main event type tags are ok and not_ok.
- As an example, you can tag the firewall-teardown event type defined for Cisco PIX data as ok from a security perspective. This event has very little security significance and can safely be marked ok.
- There are two pre-defined searches that should be executed, and their results analyzed, on a daily basis: "PCI-Req10-Daily log review - New events" and "PCI-Req10-Daily log review - Not OK events".
- The events produced by "PCI-Req10-Daily log review - Not OK events" should be analyzed and, where relevant, appropriate action taken. These actions could range from patching a system, to opening a security trouble ticket for further investigation, to refining existing policies.
- When new events are produced by "PCI-Req10-Daily log review - New events", define new event types that appropriately describe them and tag each one as ok or not_ok. When defining a new event type, the security analyst should make sure its definition is not too loose, so that events other than the intended ones are not matched by it (and do not silently inherit its ok tag).
- To help mitigate the scenario described above, the security analyst should run a search for eventtypetag=ok on a regular basis and review the results for false positives. Where any exist, identify the event types responsible and tune their definitions to reduce the false positives.
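The review loop above, modelled end to end as an added example (not code from the Splunk wiki or the Splunk for PCI app): event types carry an ok or not_ok tag, an event that matches no event type is a "new event", and the eventtypetag=ok review catches an ok-tagged event type that is loose enough to also match not_ok traffic. The Cisco PIX log lines, event type names, regexes and the firewall-built definitions are constructed for the example; the app's real eventtypes.conf and tags.conf definitions and its saved-search logic are not reproduced.

```python
"""Toy model of the Splunk for PCI daily log review loop: event types carry an
ok / not_ok tag, events with no event type are 'new', and an ok-tagged event
type that also catches not_ok traffic is too loose.

Added example for this wiki page, not code from Splunk or the Splunk for PCI
app. The regexes, tags and log lines are constructed; the real app's
eventtypes.conf / tags.conf definitions are not reproduced.
"""
import re
from collections import defaultdict

# Constructed Cisco PIX syslog samples (not captured traffic; RFC 5737 addresses).
SAMPLE_EVENTS = [
    "%PIX-6-302014: Teardown TCP connection 12345 for outside:203.0.113.7/443 "
    "to inside:10.1.1.5/51234 duration 0:00:12 bytes 4096 TCP FINs",
    "%PIX-6-302013: Built inbound TCP connection 12346 for outside:203.0.113.7/51235 "
    "(203.0.113.7/51235) to inside:10.1.1.5/22 (10.1.1.5/22)",
    '%PIX-4-106023: Deny tcp src outside:198.51.100.9/4444 dst inside:10.1.1.5/445 '
    'by access-group "outside_access_in"',
    "%PIX-6-302014: Teardown TCP connection 12347 for outside:198.51.100.9/4444 "
    "to inside:10.1.1.5/445 duration 0:00:00 bytes 0 SYN Timeout",
    "%PIX-5-111008: User 'enable_15' executed the 'write memory' command.",
]

# Event type name -> (search regex, tag). Names and patterns are assumptions
# standing in for the app's own definitions.
BASE_EVENTTYPES = {
    "firewall-teardown": (re.compile(r"%PIX-6-302014"), "ok"),
    "firewall-deny": (re.compile(r"%PIX-4-106023"), "not_ok"),
    "pix-config-write": (re.compile(r"'write memory'"), "not_ok"),
}


def match_eventtypes(event, eventtypes):
    """Names of every event type whose pattern matches the event."""
    return {name for name, (rx, _tag) in eventtypes.items() if rx.search(event)}


def tags_for(event, eventtypes):
    """The ok / not_ok tags an event inherits from its matching event types."""
    return {eventtypes[name][1] for name in match_eventtypes(event, eventtypes)}


def daily_review(events, eventtypes):
    """Split a day's events into the two review searches ('new' = no event
    type at all, 'not_ok' = any not_ok tag) plus the remaining 'ok' traffic."""
    buckets = {"new": [], "not_ok": [], "ok": []}
    for event in events:
        tags = tags_for(event, eventtypes)
        if not tags:
            buckets["new"].append(event)      # analyst must define an event type
        elif "not_ok" in tags:
            buckets["not_ok"].append(event)   # needs action; not_ok outranks ok here
        else:
            buckets["ok"].append(event)
    return buckets


def ok_false_positive_check(events, eventtypes):
    """Model of the periodic 'eventtypetag=ok' review: for each ok-tagged
    event type, list the events it matches that another event type tags
    not_ok. Any hit means the ok definition is too loose and must be tuned."""
    suspects = defaultdict(list)
    for event in events:
        matched = match_eventtypes(event, eventtypes)
        tags = {eventtypes[name][1] for name in matched}
        if "ok" in tags and "not_ok" in tags:
            for name in sorted(matched):
                if eventtypes[name][1] == "ok":
                    suspects[name].append(event)
    return dict(suspects)


def with_loose_built(eventtypes):
    """Analyst defines an event type for the new 'Built' event, but too loosely:
    'outside:...inside:' also matches teardowns and, worse, the Deny line."""
    tuned = dict(eventtypes)
    tuned["firewall-built"] = (re.compile(r"outside:.*inside:"), "ok")
    return tuned


def with_tight_built(eventtypes):
    """The same event type keyed on the message text, matching only Built events."""
    tuned = dict(eventtypes)
    tuned["firewall-built"] = (re.compile(r"Built inbound TCP connection"), "ok")
    return tuned


if __name__ == "__main__":
    first = daily_review(SAMPLE_EVENTS, BASE_EVENTTYPES)
    print("New events:", first["new"])          # the Built line has no event type yet
    print("Not OK events:", first["not_ok"])    # the Deny line and the config write
    loose = with_loose_built(BASE_EVENTTYPES)
    print("Loose ok event types:", ok_false_positive_check(SAMPLE_EVENTS, loose))
    tight = with_tight_built(BASE_EVENTTYPES)
    print("After tuning:", ok_false_positive_check(SAMPLE_EVENTS, tight))
```

In this model a not_ok tag outranks ok, so the loosely defined firewall-built event type does not hide the Deny line from the Not OK bucket; the page does not say whether the app's own Not OK search behaves that way, which is exactly why it has you review eventtypetag=ok as a separate step rather than trusting the tags.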