STIGQter: STIG Summary: Splunk Enterprise 7.x for Windows Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021

Splunk Enterprise must be configured to notify the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, when an attack is detected on multiple devices and hosts within its scope of coverage.

DISA Rule

SV-221628r508660_rule

Vulnerability Number

V-221628

Group Title

SRG-APP-000516-AU-000350

Rule Version

SPLK-CL-000320

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure Splunk Enterprise, using the reporting and notification tools, to notify the SA and ISSO, at a minimum, when an attack is detected on multiple devices and hosts within its scope of coverage.
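As an added example (not text from the STIG, and not Splunk's own documentation) of one way to satisfy this fix with Splunk's built-in reporting and notification tools: a scheduled alert defined in savedsearches.conf that fires when the same intrusion signature is observed on more than one host within a 15-minute window and emails the SA and ISSO. The index name `security`, the sourcetype `ids:alert`, the field names `signature`, `severity` and `dest_host`, the 15-minute window and the recipient addresses are assumptions; substitute the data sources and distribution list actually in use at the site.

```ini
# Added example, not from the STIG or from Splunk. Goes in
# $SPLUNK_HOME/etc/apps/<app>/local/savedsearches.conf on the search head.
# index, sourcetype, field names, window and recipients are assumptions.
[SPLK-CL-000320 multi-host attack notification]
# Count distinct destination hosts per signature; keep only signatures
# seen on more than one host (the "multiple devices and hosts" condition).
search = index=security sourcetype=ids:alert severity=high \
  | stats dc(dest_host) AS hosts values(dest_host) AS host_list count BY signature \
  | where hosts > 1
dispatch.earliest_time = -15m
dispatch.latest_time = now
cron_schedule = */15 * * * *
enableSched = 1
# Trigger when the search returns at least one matching signature.
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
# Record each firing under Activity > Triggered Alerts (audit evidence).
alert.track = 1
alert.severity = 5
# Notify the SA and ISSO, at a minimum, per the fix recommendation.
action.email = 1
action.email.to = sa@example.mil, isso@example.mil
action.email.subject = Attack detected on multiple hosts: $result.signature$
action.email.message.alert = Signature $result.signature$ observed on $result.hosts$ hosts: $result.host_list$
action.email.sendresults = 1
action.email.inline = 1
```

Confirm the stanza was picked up with `splunk btool savedsearches list "SPLK-CL-000320 multi-host attack notification" --debug`; the outbound mail server must already be configured under Settings > Server settings > Email settings or no message will leave the search head. Because `alert.track = 1` is set, every firing is listed under Activity > Triggered Alerts, which, together with the ISSO's confirmation of receipt, is the evidence the check content below asks the reviewer to collect.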

Check Contents

Interview the SA to verify that a process exists to notify the SA and ISSO, at a minimum, when an attack is detected on multiple devices and hosts within its scope of coverage.

Interview the ISSO to confirm receipt of this notification.

If a report does not exist, or the ISSO does not confirm receipt of this report, this is a finding.

Documentable

False

Severity Override Guidance

Interview the SA to verify that a process exists to notify the SA and ISSO, at a minimum, when an attack is detected on multiple devices and hosts within its scope of coverage.

Interview the ISSO to confirm receipt of this notification.

If a report does not exist, or the ISSO does not confirm receipt of this report, this is a finding.

Check Content Reference

M

Target Key

4082

Comments