Rule ID
SV-214635r383131_rule
Version
V2R1
CCIs
CCI-001243
Without an alert, security personnel may be unaware of an impending failure of the audit capability, and the ability to perform forensic analysis and detect rate-based and other anomalies will be impeded. The IDPS generates an immediate (within seconds) alert which notifies designated personnel of the incident. Sending a message to an unattended log or console does not meet this requirement since that will not be seen immediately. These messages should include a severity level indicator or code as an indicator of the criticality of the incident.
Verify an alert is sent when malicious code is detected. [edit] show security idp policy View the rulebase options for the IDP policies. If the rulebase options for the IDP policies that detect malicious code do not contain the "alert" option, this is a finding.
This requirement can be met using an alert. Alerts must be enabled and configured and then added to the IDP policy rulebase command as an option. The following is an example of the command that can be added to the IDP policy. The policy is called Malicious-Activity and the rule is called R1 in this example. [edit] set security idp idp-policy Malicious-Activity rulebase-ips rule R1 then notification log-attacks alert