From Splunk Wiki
(Redirected from Apps:DailyLogReviewForPCI)
Daily log review for PCI
Daily log review for PCI is no different from other Daily Log Review process with Splunk. In the case of the Splunk for PCI application, the two main event type tags are
- As an example, you can tag the
firewall-teardownevent type defined for Cisco Pix data as
okfrom a security perspective. This event has very little significance and can be safely marked as
- There are two pre-defined searches that should be executed and the results analyzed on a daily basis. These are
PCI-Req10-Daily log review - New eventsand
PCI-Req10-Daily log review - Not OK events.
- The events produced by
PCI-Req10-Daily log review - Not OK eventsshould be analyzed and where relevant, appropriate actions should be taken. These actions could extend from patching a system, to opening a security trouble ticket for further investigation, or refining existing policies.
- When new events are produced by
PCI-Req10-Daily log review - New events, define new event types for them that appropriately describe these events and tag them accordingly with
not_ok. When defining the new event types, the security analyst should take the appropriate measures to guarantee that these are not too loose (to avoid a situation where more than the required events are incorrectly matched by the new event type).
- To help mitigate the scenario described above, the security analyst should run a search for
eventtypetag=okon a regular basis and analyze the results for potential false positives. In cases where some exist, the event types should be clearly identified and the definitions should be tuned to reduce these false positives.