Tanium must alert the ISSO, ISSM, and other individuals designated by the local organization when the following Indicators of Compromise (IOCs) or potential compromise are detected: real-time intrusion detection; threats identified by authoritative sources (e.g., CTOs); and Category I, II, IV, and VII incidents in accordance with CJCSM 6510.01B.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-253802	TANS-00-001600	SV-253802r850301_rule		Medium

Description
When a security event occurs, the application that has detected the event must immediately notify the appropriate support personnel so they can respond appropriately. Alerts may be generated from a variety of sources, including audit records or inputs from malicious code protection mechanisms, intrusion detection, or prevention mechanisms. Alerts may be transmitted, for example, telephonically, by electronic mail messages, or by text messaging. Individuals designated by the local organization to receive alerts may include, for example, system administrators, mission/business owners, or system owners. IOCs are forensic artifacts from intrusions that are identified on organizational information systems (at the host or network level). IOCs provide organizations with valuable information on objects or information systems that have been compromised. These indicators reflect the occurrence of a compromise or a potential compromise. This requirement applies to applications that provide monitoring capability for unusual/unauthorized activities including but are not limited to host-based intrusion detection, antivirus, and malware applications.

Description

When a security event occurs, the application that has detected the event must immediately notify the appropriate support personnel so they can respond appropriately. Alerts may be generated from a variety of sources, including audit records or inputs from malicious code protection mechanisms, intrusion detection, or prevention mechanisms. Alerts may be transmitted, for example, telephonically, by electronic mail messages, or by text messaging. Individuals designated by the local organization to receive alerts may include, for example, system administrators, mission/business owners, or system owners. IOCs are forensic artifacts from intrusions that are identified on organizational information systems (at the host or network level). IOCs provide organizations with valuable information on objects or information systems that have been compromised. These indicators reflect the occurrence of a compromise or a potential compromise. This requirement applies to applications that provide monitoring capability for unusual/unauthorized activities including but are not limited to host-based intrusion detection, antivirus, and malware applications.

STIG	Date
Tanium 7.x Security Technical Implementation Guide	2022-08-24

Details

Check Text ( C-57254r842432_chk )
Note: If THR is not licensed or used for detection, this is not applicable. 1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web user interface (UI) and log on with multifactor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Threat Response". 4. Expand the left menu. 5. Click "Alerts". 6. Filter on status "Unresolved". If any alerts are unresolved, this is a finding.

Check Text ( C-57254r842432_chk )

Note: If THR is not licensed or used for detection, this is not applicable.

1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web user interface (UI) and log on with multifactor authentication.

2. Click "Modules" on the top navigation banner.

3. Click "Threat Response".

4. Expand the left menu.

5. Click "Alerts".

6. Filter on status "Unresolved".

If any alerts are unresolved, this is a finding.

Fix Text (F-57205r842433_fix)
1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web UI and log on with multifactor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Threat Response". 4. Expand the left menu. 5. Click "Alerts". 6. Filter on status "Unresolved". 7. Resolve any open IOC-based alerts and change status to applicable status.

Fix Text (F-57205r842433_fix)

1. Using a web browser on a system that has connectivity to the Tanium application, access the Tanium application web UI and log on with multifactor authentication.

2. Click "Modules" on the top navigation banner.

3. Click "Threat Response".

4. Expand the left menu.

5. Click "Alerts".

6. Filter on status "Unresolved".

7. Resolve any open IOC-based alerts and change status to applicable status.