STIGQter: STIG Summary: Splunk Enterprise 7.x for Windows Security Technical Implementation Guide, Version 2, Release 2, Benchmark Date: 23 Apr 2021

Splunk Enterprise must notify the System Administrator (SA) and Information System Security Officer (ISSO) when account events are received (creation, deletion, modification, disabling).

DISA Rule

SV-221939r508660_rule

Vulnerability Number

V-221939

Group Title

SRG-APP-000291-AU-000200

Rule Version

SPLK-CL-000200

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

If the Splunk instance is used for Tier 2 CSSP (formerly CND-SP) or JRSS analysis, this fix is N/A.

Configure Splunk Enterprise, using the reporting and notification tools, to notify the SA and ISSO when account events are received for all devices and hosts within its scope of coverage.

Check Contents

If the Splunk instance is used for Tier 2 CSSP (formerly CND-SP) or JRSS analysis, this check is N/A.

Interview the SA to verify that a process exists to notify the SA and ISSO when account events are received for all devices and hosts within its scope of coverage.

Interview the ISSO to confirm receipt of this notification.

If Splunk Enterprise is not configured to notify the SA and ISSO when account events are received for all devices and hosts within its scope of coverage, this is a finding.

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4082