Rule ID
SV-270993r1058013_rule
Version
V1R6
CCIs
CCI-001683, CCI-001684, CCI-001685, CCI-001686
Once an attacker establishes access to an application, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply create a new account. Sending notification of account creation events to the system administrator and ISSO is one method for mitigating this risk.
Satisfies: SRG-APP-000291, SRG-APP-000292, SRG-APP-000293, SRG-APP-000294
While logged in to the Dragos Platform with a user account with administrative privileges, navigate to Admin >> User Management >> Users.
Create a new user account (does not require roles or authentication).
(Within 15 minutes)
1. Click the "Notifications" button.
Verify that a notification appears on the Dragos Platform notifications page.
If a notification does not occur, this is a finding.
2. Observe that the same notification appears in the aggregate server/syslog recipient.
(Note: Depending on the software application used, steps to view syslog third-party alerts may vary.)
If an alert is not being sent to third-party syslog, this is a finding.
3. Check Rules:
Navigate to Notification >> RULES Tab.
Verify a rule exists and has the following:
Action = "Send Syslog (third-party server)"
Criteria = "Detected By Equals Authentication to the Dragos Platform"
"Detected By Equals User Account Activity"
If a rule does not exist with the correct Action and Criteria, this is a finding.
4. Remove the test user just created.

Fix Text
1. If a notification does not appear, install KP-CW-24-001. This knowledge pack will add this and other notifications relevant to the STIG to the Dragos Platform.
Adding Knowledge Pack:
While logged in to the Dragos Platform with administrative privileges, navigate to Admin >> SiteStore Management >> Knowledge Packs.
Locate all "STIG-KP_Plus" Knowledge Pack(s).
Click the "Deploy" button next to the Knowledge Pack(s).
Fill in the form and click "DEPLOY".
2. If a notification appears but is not received by the aggregate/syslog server, ensure there is a rule to trigger a syslog export in the "Notifications" applet of the Dragos Platform. If not, create one.
To create a rule, navigate to Notification >> RULES Tab and create two Attributes:
Click "NEW RULE".
Fill in Name and Processing Order.
Click "ADD ATTRIBUTE" in the "If ANY of the following" block:
Type = "Detected By"
Select Operation = "Equals"
Select Value = "Authentication to the Dragos Platform"
Click "ADD ATTRIBUTE" in the "If ANY of the following" block:
Type = "Detected By"
Select Operation = "Equals"
Select Value = "User Account Activity"
In the "THEN perform the following actions" block:
Click "ADD ACTION"
Action = "Send Syslog (third-party server)"
Click "SAVE".
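Steps 2 and 3 of the check can be scripted on the syslog recipient side. The following is an added example, not Dragos code: it assumes a simple key=value syslog line layout and a dict shape for the rule (both constructed for this example, the product's real formats are not given on this page) and verifies that a "User Account Activity" event for the test user arrived within the 15-minute window and that the rule carries the required Action and Criteria.

```python
import re
from datetime import datetime, timedelta

# Notification categories and action the STIG-required rule must carry (from the check text).
REQUIRED_CRITERIA = {"Authentication to the Dragos Platform", "User Account Activity"}
REQUIRED_ACTION = "Send Syslog (third-party server)"
WINDOW = timedelta(minutes=15)  # the check allows 15 minutes for the notification to arrive

# Constructed sample of lines as received by the aggregate syslog server. The layout
# (ISO timestamp, host, then detected_by="..." user="...") is an assumption made for
# this example, not the Dragos Platform's documented syslog format.
SAMPLE_SYSLOG = """\
2024-05-01T10:02:11Z dragos-platform notification: detected_by="Authentication to the Dragos Platform" user="alice" msg="login"
2024-05-01T10:07:45Z dragos-platform notification: detected_by="User Account Activity" user="stig_test_user" msg="user created"
2024-05-01T10:09:00Z dragos-platform notification: detected_by="Asset Activity" user="" msg="new asset"
"""

LINE_RE = re.compile(r'^(\S+) \S+ notification: detected_by="([^"]*)" user="([^"]*)"')

def parse_syslog(text):
    """Turn received syslog lines into events; lines not matching the assumed layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append({"ts": ts, "detected_by": m.group(2), "user": m.group(3)})
    return events

def account_creation_forwarded(events, test_user, created_at_iso, window=WINDOW):
    """Check step 2: a 'User Account Activity' event for the test user reached syslog within the window."""
    created_at = datetime.strptime(created_at_iso, "%Y-%m-%dT%H:%M:%SZ")
    return any(
        e["detected_by"] == "User Account Activity"
        and e["user"] == test_user
        and created_at <= e["ts"] <= created_at + window
        for e in events
    )

def rule_satisfies_stig(rule):
    """Check step 3. `rule` is a dict {"criteria": [{"type","operation","value"}], "actions": [...]}
    (a shape assumed for this example, not a product export format)."""
    matched = {
        c["value"] for c in rule.get("criteria", [])
        if c.get("type") == "Detected By" and c.get("operation") == "Equals"
    }
    return REQUIRED_CRITERIA <= matched and REQUIRED_ACTION in rule.get("actions", [])
```

A creation time earlier than the window (or a user whose only event is an authentication) returns False, which is the "this is a finding" case.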