Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-206515 | SRG-APP-000516-AU-000360 | SV-206515r401224_rule | Medium |
Description |
---|
In most Central Log Server products today, log review (threat detection), can be automated by creating correlation content matching the organizational-defined Events of Interest (e.g., account change actions, privilege command use, and other AU and AC family controls) to automatically notify or automatically create trouble tickets for threats as they are detected in real time. Auditors have repeatedly expressed a strong preference for automated ticketing. They are also more likely to follow up on the threat and action items needed to address the detected issues if the ticketing process is automated. This is a function provided by most enterprise-level SIEMs. If the Central Log Server does not provide this function, it must forward the log records to a log server that does. |
STIG | Date |
---|---|
Central Log Server Security Requirements Guide | 2021-06-24 |
Check Text ( C-6775r285786_chk ) |
---|
Note: This is not applicable (NA) if the Central Log Server (e.g., syslog) does not perform analysis. Examine the configuration. Verify the Central Log Server automatically creates trouble tickets for organization-defined threats and events of interest as they are detected in real time (within seconds). If the Central Log Server is not configured to automatically create trouble tickets for organization-defined threats and events of interest as they are detected in real time (within seconds), this is a finding. |
Fix Text (F-6775r285787_fix) |
---|
Configure the Central Log Server to automatically create trouble tickets for organization-defined threats and events of interest as they are detected in real time (within seconds). |