
STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.


Splunk Enterprise 7.x for Windows Security Technical Implementation Guide

Version

V3R2

Benchmark ID

Splunk_Enterprise_7-x_for_Windows_STIG

Total Checks

37

Tags

windows
CAT I: 7, CAT II: 12, CAT III: 18

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (37)

  • V-221600 (HIGH): Splunk Enterprise must be installed with FIPS mode enabled, to implement NIST FIPS 140-2 approved ciphers for all cryptographic functions.
  • V-221601 (HIGH): Splunk Enterprise must use organization level authentication to uniquely identify and authenticate users.
  • V-221602 (HIGH): Splunk Enterprise must have all local user accounts removed after implementing organizational level user management system, except for one emergency account of last resort.
  • V-221605 (MEDIUM): Splunk Enterprise must use an SSO proxy service, F5 device, or SAML implementation to accept the DOD common access card (CAC) or other smart card credential for identity management, personal authentication, and multifactor authentication.
  • V-221607 (MEDIUM): Splunk Enterprise must use HTTPS/SSL for access to the user interface.
  • V-221608 (HIGH): Splunk Enterprise must use SSL to protect the confidentiality and integrity of transmitted information.
  • V-221609 (HIGH): Splunk Enterprise must use LDAPS for the LDAP connection.
  • V-221612 (LOW): Splunk Enterprise must be configured to back up the log records repository at least every seven days onto a different system or system component other than the system or component being audited.
  • V-221613 (MEDIUM): Splunk Enterprise must be configured to protect the log data stored in the indexes from alteration.
  • V-221614 (MEDIUM): Splunk Enterprise must use TCP for data transmission.
  • V-221621 (LOW): Splunk Enterprise must be configured to aggregate log records from organization-defined devices and hosts within its scope of coverage.
  • V-221623 (LOW): Splunk Enterprise must allow only the information system security manager (ISSM) (or individuals or roles appointed by the ISSM) to be assigned to the Power User role.
  • V-221625 (LOW): Splunk Enterprise must be configured to send an immediate alert to the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated log record storage volume reaches 75 percent of the repository maximum log record storage capacity.
  • V-221626 (LOW): Splunk Enterprise must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) of all audit failure events, such as loss of communications with hosts and devices, or if log records are no longer being received.
  • V-221627 (LOW): Splunk Enterprise must notify the System Administrator (SA) or Information System Security Officer (ISSO) if communication with the host and devices within its scope of coverage is lost.
  • V-221628 (MEDIUM): Splunk Enterprise must be configured to notify the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, when an attack is detected on multiple devices and hosts within its scope of coverage.
  • V-221629 (LOW): Splunk Enterprise must enforce password complexity for the account of last resort by requiring that at least one uppercase character be used.
  • V-221630 (LOW): Splunk Enterprise must enforce password complexity for the account of last resort by requiring that at least one lowercase character be used.
  • V-221631 (LOW): Splunk Enterprise must enforce password complexity for the account of last resort by requiring that at least one numeric character be used.
  • V-221632 (MEDIUM): Splunk Enterprise must enforce a minimum 15-character password length for the account of last resort.
  • V-221633 (LOW): Splunk Enterprise must enforce password complexity for the account of last resort by requiring that at least one special character be used.
  • V-221634 (LOW): Splunk Enterprise must enforce a 60-day maximum password lifetime restriction for the account of last resort.
  • V-221635 (LOW): Splunk Enterprise must prohibit password reuse for a minimum of five generations for the account of last resort.
  • V-221931 (LOW): Splunk Enterprise must display the Standard Mandatory DOD Notice and Consent Banner and accept user acknowledgement before granting access to the application.
  • V-221932 (MEDIUM): Splunk Enterprise must only allow the use of DOD-approved certificate authorities for cryptographic functions.
  • V-221933 (HIGH): Splunk Enterprise must use TLS 1.2 and SHA-2 or higher cryptographic algorithms.
  • V-221934 (MEDIUM): When Splunk Enterprise is distributed over multiple servers, each server must be configured to disable non-essential capabilities.
  • V-221935 (MEDIUM): Splunk Enterprise installation directories must be secured.
  • V-221936 (LOW): Splunk Enterprise forwarders must be configured with Indexer Acknowledgement enabled.
  • V-221937 (LOW): Splunk Enterprise idle session timeout must be set to not exceed 15 minutes.
  • V-221938 (MEDIUM): Splunk Enterprise idle session timeout must be set to not exceed 15 minutes.
  • V-221939 (LOW): Splunk Enterprise must notify the system administrator (SA) and information system security officer (ISSO) when account events are received (creation, deletion, modification, disabling).
  • V-221940 (LOW): Splunk Enterprise must notify analysts of applicable events for Tier 2 CSSP and JRSS only.
  • V-221941 (MEDIUM): Splunk Enterprise must enforce the limit of 3 consecutive invalid logon attempts by a user during a 15 minute time period.
  • V-221942 (MEDIUM): Splunk Enterprise must be configured with a successful/unsuccessful logon attempts report.
  • V-246917 (LOW): The System Administrator (SA) and Information System Security Officer (ISSO) must configure the retention of the log records based on the defined security plan.
  • V-274464 (HIGH): Splunk Enterprise must use a version supported by the vendor.