← Back to Splunk Enterprise 7.x for Windows Security Technical Implementation Guide

V-221940

CAT III (Low)

Splunk Enterprise must notify analysts of applicable events for Tier 2 CSSP and JRSS only.

Rule ID

SV-221940r1015828_rule

STIG

Splunk Enterprise 7.x for Windows Security Technical Implementation Guide

Version

V3R2

CCIs

CCI-000015 CCI-001683 CCI-001684 CCI-001685 CCI-001686

Discussion

Sending notifications or populating dashboards are ways to monitor and alert on applicable events and allow analysts to mitigate issues. Tier 2 CSSP and JRSS analysts perform higher-level analysis at larger network coverage and have specific guidelines to handle alerts and reports. This requirement allows these analysts to not be burdened by all of the lower-level alerts that can be considered "white noise" by isolating their alerting and reporting requirements from other requirements in this STIG. Satisfies: SRG-APP-000291-AU-000200, SRG-APP-000292-AU-000420, SRG-APP-000293-AU-000430, SRG-APP-000294-AU-000440

Check Content

This check applies to Tier 2 CSSP or JRSS instances only.

Verify that notifications and dashboards are configured in accordance with designated SSPs, SOPs, and/or TTPs.

The absence of notifications and dashboards is a finding.

Fix Text

This fix applies to Tier 2 CSSP or JRSS instances only.

Configure Splunk notifications and dashboards in accordance with designated SSPs, SOPs, and/or TTPs.