Splunk Enterprise must be configured with a report to notify the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, when an attack is detected on multiple devices and hosts within its scope of coverage.

Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Splunk Enterprise must be configured with a report to notify the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, when an attack is detected on multiple devices and hosts within its scope of coverage.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-251676	SPLK-CL-000280	SV-251676r808264_rule		Medium

Description
Detecting when multiple systems are showing anomalies can often indicate an attack. Notifying appropriate personnel can initiate a proper response and mitigation of the attack.

STIG	Date
Splunk Enterprise 8.x for Linux Security Technical Implementation Guide	2021-11-30

Details

Check Text ( C-55114r808262_chk )
Interview the SA to verify that a report exists to notify the SA and ISSO, at a minimum, when an attack is detected on multiple devices and hosts within its scope of coverage. Interview the ISSO to confirm receipt of this report. If a report does not exist, or the ISSO does not confirm receipt of this report, this is a finding.

Fix Text (F-55068r808263_fix)
Configure Splunk Enterprise, using the Reporting and Alert tools, to notify the SA and ISSO, at a minimum, when an attack is detected on multiple devices and hosts within its scope of coverage.