Thanks for the input.
Actually, we had attempted to blow the auditor away with our "automated investigation with Splunk": a user performs an action (e.g. accesses a customer's account); Splunk then looks up vacation data to see if that user is scheduled to work, then the access-control logs to see if they're in the building, or the VPN logs if they're not, then checks whether the computer they're logged in to with AD is the same as the one corresponding to the account access, then whether the user is allowed to access the account in question, and then alerts as appropriate if one or more items do not comply.
So the auditor asked, "What if an account is hijacked and someone deletes the logs from that account?", which basically throws our investigation abilities out the window. Any user with that option (currently only me) can just say their account was hijacked. It's a "who guards the guards" game.
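The correlation described in the post above, as an added stand-alone model (not the poster's Splunk searches and not Splunk code): one account-access event is checked against vacation data, badge/VPN logs, the AD logon host and an authorization list, and every check that fails becomes a finding. All lookup tables, hostnames, account IDs and the 12-hour presence window are constructed assumptions for the example.

```python
"""Added example, not from the original thread: a model of the
"automated investigation" correlation, run over constructed data."""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed sample data standing in for the Splunk lookups/indexes.
VACATION: Dict[str, List[Tuple[date, date]]] = {          # inclusive date ranges
    "bob": [(date(2024, 3, 4), date(2024, 3, 8))],
}
BADGE_IN: Dict[str, List[datetime]] = {                    # building access-control log
    "alice": [datetime(2024, 3, 5, 8, 2)],
}
VPN_LOGONS: Dict[str, List[datetime]] = {                  # VPN logon log
    "carol": [datetime(2024, 3, 5, 9, 15)],
}
AD_LOGONS: Dict[str, Set[str]] = {                         # hosts each user is logged on to
    "alice": {"WS-ALICE"}, "bob": {"WS-BOB"}, "carol": {"WS-CAROL"},
}
AUTHORIZED: Dict[str, Set[str]] = {                        # accounts each user may touch
    "alice": {"ACCT-1001", "ACCT-1002"}, "bob": {"ACCT-2001"}, "carol": {"ACCT-1001"},
}

PRESENCE_WINDOW = timedelta(hours=12)   # assumed: badge/VPN event must precede access by <= 12h


@dataclass
class AccountAccess:
    """One 'user accessed a customer account' event (the trigger)."""
    user: str
    host: str
    account: str
    ts: datetime


def on_vacation(user: str, day: date) -> bool:
    return any(start <= day <= end for start, end in VACATION.get(user, []))


def present(user: str, ts: datetime) -> bool:
    """True if a badge entry or VPN logon landed within PRESENCE_WINDOW before ts."""
    events = BADGE_IN.get(user, []) + VPN_LOGONS.get(user, [])
    return any(timedelta(0) <= ts - e <= PRESENCE_WINDOW for e in events)


def investigate(ev: AccountAccess) -> List[str]:
    """Return one finding per failed check; an empty list means 'complies'."""
    findings: List[str] = []
    if on_vacation(ev.user, ev.ts.date()):
        findings.append("user is scheduled off (vacation)")
    if not present(ev.user, ev.ts):
        findings.append("no badge entry or VPN logon before the access")
    if ev.host not in AD_LOGONS.get(ev.user, set()):
        findings.append(f"AD logon host mismatch: access came from {ev.host}")
    if ev.account not in AUTHORIZED.get(ev.user, set()):
        findings.append(f"user not authorized for {ev.account}")
    return findings


# Constructed trigger events: one clean, one on vacation, one from the wrong host.
EVENTS = [
    AccountAccess("alice", "WS-ALICE", "ACCT-1001", datetime(2024, 3, 5, 10, 0)),
    AccountAccess("bob", "WS-BOB", "ACCT-2001", datetime(2024, 3, 5, 10, 30)),
    AccountAccess("carol", "WS-ALICE", "ACCT-1002", datetime(2024, 3, 5, 9, 30)),
]


def run_all() -> Dict[str, List[str]]:
    """Investigate every trigger event; keys are users, values are their findings."""
    return {ev.user: investigate(ev) for ev in EVENTS}


if __name__ == "__main__":
    for user, findings in run_all().items():
        print(user, "OK" if not findings else findings)
```

Note how each check only fires on evidence that is present in the supporting logs; if the trigger event itself is deleted, `investigate` is never called at all, which is exactly the gap the auditor pointed at.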
Our PCI auditor has had a look at the logging capabilities in Splunk and is concerned about the "can_delete" user's capabilities. One thing that would get him to "like" Splunk would be if there were some way of logging this action AND the IP it came from.
SOS can log all of the user's search activities, however, it just shows a username, and does not tie that to an IP address. I can't find an IP in the raw logs either. Does anyone know an easy way to find this out and show it to our auditor?