SPLK-CL-000235 - Splunk Enterprise must notify analysts of applicable events for Tier 2 CSSP and JRSS only.

Information

Sending notifications or populating dashboards are ways to monitor and alert on applicable events and allow analysts to mitigate issues.

Tier 2 CSSP and JRSS analysts perform higher-level analysis at larger network coverage and have specific guidelines to handle alerts and reports. This requirement allows these analysts to not be burdened by all of the lower-level alerts that can be considered 'white noise' by isolating their alerting and reporting requirements from other requirements in this STIG.

Satisfies: SRG-APP-000291-AU-000200, SRG-APP-000292-AU-000420, SRG-APP-000293-AU-000430, SRG-APP-000294-AU-000440

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

This fix applies to Tier 2 CSSP or JRSS instances only.

Configure Splunk notifications and dashboards in accordance with designated SSPs, SOPs, and/or TTPs.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Splunk_Enterprise_7-x_for_Windows_V3R1_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2(1), CAT|III, CCI|CCI-000015, Rule-ID|SV-221940r992035_rule, STIG-ID|SPLK-CL-000235, STIG-Legacy|SV-111389, STIG-Legacy|V-102385, Vuln-ID|V-221940

Plugin: Splunk

Control ID: 0c6ee9d1275574064be5259cd977442255dc1045c65d65db1b4a181a07a9d4c2