
The IDPS must capture and log organizationally defined additional information (identified by type, location, or subject) to the records for sensor events.


Overview

Finding ID: V-34598
Version: SRG-NET-999999-IDPS-00219
Rule ID: SV-45464r1_rule
IA Controls: none listed
Severity: Low
Description
Sensor event logs must be configured to capture all organizationally defined information deemed necessary for possible event investigation and traceability. This additional information may include timestamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. This capability is critical for accurate forensic analysis.
STIG: Intrusion Detection and Prevention Systems (IDPS) Security Requirements Guide
Date: 2012-11-19

Details

Check Text ( C-42814r1_chk )
Verify that the log view setting can be reorganized to view the log entries by type, location, or subject.
Verify that the sensor logs categorize each logged event by, at a minimum, event type, location, and a description of the event.

If sensor log entries do not include, at a minimum, the event type, location, and a description of the event for each event captured, this is a finding.
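The check above can be automated against a text export of the sensor log: parse each record, flag any entry that lacks the minimum fields, and regroup entries by type or location. This is an added example, not part of the SRG or any vendor's product; the key=value record format and the sample lines are constructed assumptions.

```python
import re

# Minimum fields the SRG check requires in every sensor event record.
REQUIRED_FIELDS = ("event_type", "location", "description")

# Constructed sample sensor log export (assumed key=value format, not from any real product).
# Lines 3 and 4 are deliberately incomplete to exercise the finding logic.
SAMPLE_LOG = """\
ts=2012-11-19T10:01:02Z event_type=signature_match location=sensor-dmz-01 description="HTTP method anomaly" src=203.0.113.5
ts=2012-11-19T10:01:05Z event_type=policy_violation location=sensor-core-02 description="Flow control rule 17 invoked" action=drop
ts=2012-11-19T10:01:09Z event_type=signature_match description="Port scan detected" src=198.51.100.7
ts=2012-11-19T10:01:11Z location=sensor-dmz-01 src=203.0.113.9 action=alert
"""

# Matches key=value or key="quoted value" tokens; quoted values may contain spaces.
_TOKEN = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

def parse_entry(line):
    """Parse one key=value log line into a dict of field name -> value."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in _TOKEN.finditer(line)}

def missing_fields(entry):
    """Return the required fields that are absent or empty in a parsed entry."""
    return [f for f in REQUIRED_FIELDS if not entry.get(f)]

def check_sensor_log(text):
    """Return (line_number, missing_fields) for every non-compliant record; empty list means no finding."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        gaps = missing_fields(parse_entry(line))
        if gaps:
            findings.append((n, gaps))
    return findings

def group_by(text, key):
    """Regroup entries by a category (event_type, location, ...) as the check text requires."""
    groups = {}
    for line in text.splitlines():
        if line.strip():
            entry = parse_entry(line)
            groups.setdefault(entry.get(key, "<missing>"), []).append(entry)
    return groups

if __name__ == "__main__":
    for n, gaps in check_sensor_log(SAMPLE_LOG):
        print(f"line {n}: finding, missing {', '.join(gaps)}")
    for location, entries in group_by(SAMPLE_LOG, "location").items():
        print(f"{location}: {len(entries)} event(s)")
```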
Fix Text (F-38861r1_fix)
Configure the sensors and central management server to categorize each alert. Alerts will include event type, location, and a description of the event.