STIGQter: STIG Summary: Splunk Enterprise 7.x for Windows Security Technical Implementation Guide, Version: 2, Release: 2, Benchmark Date: 23 Apr 2021

Splunk Enterprise must be configured to aggregate log records from organization-defined devices and hosts within its scope of coverage.

DISA Rule

SV-221621r508660_rule

Vulnerability Number

V-221621

Group Title

SRG-APP-000086-AU-000020

Rule Version

SPLK-CL-000250

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Configure Splunk Enterprise to aggregate log records from organization-defined devices and hosts within its scope of coverage, as defined in the site security plan.

Check Contents

Examine the site documentation that lists the scope of coverage for the instance being reviewed.

Select Settings >> Data Inputs. Verify that data inputs are configured to support the scope of coverage documented for the site.

If Splunk Enterprise is not configured to aggregate log records from organization-defined devices and hosts within its scope of coverage, this is a finding.

Documentable

False

Severity Override Guidance

Examine the site documentation that lists the scope of coverage for the instance being reviewed.

Select Settings >> Data Inputs. Verify that data inputs are configured to support the scope of coverage documented for the site.

If Splunk Enterprise is not configured to aggregate log records from organization-defined devices and hosts within its scope of coverage, this is a finding.

Check Content Reference

M

Target Key

4082

Comments