STIGQter: STIG Summary: Splunk Enterprise 7.x for Windows Security Technical Implementation Guide, Version: 2, Release: 2, Benchmark Date: 23 Apr 2021

Splunk Enterprise must notify the System Administrator (SA) or Information System Security Officer (ISSO) if communication with the host and devices within its scope of coverage is lost.

DISA Rule

SV-221627r508660_rule

Vulnerability Number

V-221627

Group Title

SRG-APP-000361-AU-000140

Rule Version

SPLK-CL-000310

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

If the Splunk instance is used for Tier 2 CSSP (formerly CND-SP) or JRSS analysis, this fix is N/A.

Configure Splunk Enterprise using the reporting and notification tools to create a report with notification to the SA and ISSO of any audit failure events, such as loss of communication or logs no longer being collected.
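
One way to build such a report is a scheduled alert in savedsearches.conf that lists hosts Splunk has stopped receiving data from and emails the result. This is an added example, not part of the STIG text; the stanza name, the 60-minute threshold, the schedule, the suppression period and the recipient addresses are assumptions to adapt locally.

```ini
# savedsearches.conf -- added example, not STIG text. Stanza name, thresholds
# and recipient addresses are assumptions; replace them with site values.
[Audit Failure - Hosts No Longer Sending Logs]
# The metadata command returns one row per host with recentTime, the index
# time of the newest event received from that host. Hosts whose newest event
# is older than 60 minutes are reported as lost.
search = | metadata type=hosts index=* \
| eval minutes_silent = round((now() - recentTime) / 60) \
| where minutes_silent > 60 \
| eval last_event_received = strftime(recentTime, "%Y-%m-%d %H:%M:%S") \
| table host last_event_received minutes_silent \
| sort - minutes_silent

# Run every 15 minutes. The 7-day window keeps a host in the results after it
# goes quiet; a host silent for longer than the window drops out of the report.
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -7d
dispatch.latest_time = now

# Trigger when at least one silent host is returned.
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1
alert.severity = 4

# Do not re-send the same notification on every run.
alert.suppress = 1
alert.suppress.period = 4h

# Notify the SA and ISSO by email with the host table inline.
action.email = 1
action.email.to = sa@example.com, isso@example.com
action.email.subject = Splunk audit failure: hosts no longer sending logs
action.email.inline = 1
action.email.format = table
action.email.sendresults = 1
```

Email delivery also depends on the mail server settings configured for the Splunk instance, and the ISSO's confirmation of receipt is still what the check verifies.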

Check Contents

If the Splunk instance is used for Tier 2 CSSP (formerly CND-SP) or JRSS analysis, this check is N/A.

Interview the SA to verify that a process exists to notify the SA and ISSO of any audit failure, such as loss of communication or logs no longer being collected.

Interview the ISSO to confirm receipt of this notification.

If a report does not exist to notify the SA and ISSO of audit failure events, or the ISSO does not confirm receipt of the report, this is a finding.

Documentable

False

Severity Override Guidance

If the Splunk instance is used for Tier 2 CSSP (formerly CND-SP) or JRSS analysis, this check is N/A.

Interview the SA to verify that a process exists to notify the SA and ISSO of any audit failure, such as loss of communication or logs no longer being collected.

Interview the ISSO to confirm receipt of this notification.

If a report does not exist to notify the SA and ISSO of audit failure events, or the ISSO does not confirm receipt of the report, this is a finding.

Check Content Reference

M

Target Key

4082
