Tanium must alert the ISSO, ISSM, and other individuals designated by the local organization when the following Indicators of Compromise (IOCs) or potential compromise are detected: real time intrusion detection; threats identified by authoritative sources (e.g., CTOs); and Category I, II, IV, and VII incidents in accordance with CJCSM 6510.01B.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-254950	TANS-AP-001250	SV-254950r867750_rule		Medium

Description
When a security event occurs, the application that has detected the event must immediately notify the appropriate support personnel so they can respond appropriately. Alerts may be generated from a variety of sources, including, audit records or inputs from malicious code protection mechanisms, intrusion detection, or prevention mechanisms. Alerts may be transmitted, for example, telephonically, by electronic mail messages, or by text messaging. Individuals designated by the local organization to receive alerts may include, for example, system administrators, mission/business owners, or system owners. IOCs are forensic artifacts from intrusions identified on organizational information systems (at the host or network level). IOCs provide organizations with valuable information on objects or information systems that have been compromised. These indicators reflect the occurrence of a compromise or a potential compromise. This requirement applies to applications that provide monitoring capability for unusual/unauthorized activities including, but not limited to, host-based intrusion detection, antivirus, and malware applications.

Description

When a security event occurs, the application that has detected the event must immediately notify the appropriate support personnel so they can respond appropriately. Alerts may be generated from a variety of sources, including, audit records or inputs from malicious code protection mechanisms, intrusion detection, or prevention mechanisms. Alerts may be transmitted, for example, telephonically, by electronic mail messages, or by text messaging. Individuals designated by the local organization to receive alerts may include, for example, system administrators, mission/business owners, or system owners. IOCs are forensic artifacts from intrusions identified on organizational information systems (at the host or network level). IOCs provide organizations with valuable information on objects or information systems that have been compromised. These indicators reflect the occurrence of a compromise or a potential compromise. This requirement applies to applications that provide monitoring capability for unusual/unauthorized activities including, but not limited to, host-based intrusion detection, antivirus, and malware applications.

STIG	Date
Tanium 7.x Application on TanOS Security Technical Implementation Guide	2022-10-31

Details

Check Text ( C-58563r867748_chk )
Note: If THR is not licensed or used for detection then this is not applicable. 1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multi-factor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Threat Response". 4. Expand the left menu. 5. Click "Alerts". 6. Filter on status "Unresolved". If any alerts are unresolved, this is a finding.

Check Text ( C-58563r867748_chk )

Note: If THR is not licensed or used for detection then this is not applicable.

1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multi-factor authentication.

2. Click "Modules" on the top navigation banner.

3. Click "Threat Response".

4. Expand the left menu.

5. Click "Alerts".

6. Filter on status "Unresolved".

If any alerts are unresolved, this is a finding.

Fix Text (F-58507r867749_fix)
1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multi-factor authentication. 2. Click "Modules" on the top navigation banner. 3. Click "Threat Response". 4. Expand the left menu. 5. Click "Alerts". 6. Filter on status "Unresolved". 7. Resolve any open IOC-based alerts and change status to applicable status.

Fix Text (F-58507r867749_fix)

1. Using a web browser on a system that has connectivity to the Tanium Application, access the Tanium Application web user interface (UI) and log on with multi-factor authentication.

2. Click "Modules" on the top navigation banner.

3. Click "Threat Response".

4. Expand the left menu.

5. Click "Alerts".

6. Filter on status "Unresolved".

7. Resolve any open IOC-based alerts and change status to applicable status.