Splunk Enterprise must notify analysts of applicable events for Tier 2 CSSP and JRSS only.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
low	V-221940	SRG-APP-000291-AU-000200	SPLK-CL-000235	SV-221940r1015828_rule	2024-08-27	3

Description
Sending notifications or populating dashboards are ways to monitor and alert on applicable events and allow analysts to mitigate issues. Tier 2 CSSP and JRSS analysts perform higher-level analysis at larger network coverage and have specific guidelines to handle alerts and reports. This requirement allows these analysts to not be burdened by all of the lower-level alerts that can be considered "white noise" by isolating their alerting and reporting requirements from other requirements in this STIG. Satisfies: SRG-APP-000291-AU-000200, SRG-APP-000292-AU-000420, SRG-APP-000293-AU-000430, SRG-APP-000294-AU-000440

Description

Sending notifications or populating dashboards are ways to monitor and alert on applicable events and allow analysts to mitigate issues. Tier 2 CSSP and JRSS analysts perform higher-level analysis at larger network coverage and have specific guidelines to handle alerts and reports. This requirement allows these analysts to not be burdened by all of the lower-level alerts that can be considered "white noise" by isolating their alerting and reporting requirements from other requirements in this STIG. Satisfies: SRG-APP-000291-AU-000200, SRG-APP-000292-AU-000420, SRG-APP-000293-AU-000430, SRG-APP-000294-AU-000440

ℹ️ Check
This check applies to Tier 2 CSSP or JRSS instances only. Verify that notifications and dashboards are configured in accordance with designated SSPs, SOPs, and/or TTPs. The absence of notifications and dashboards is a finding.

✔️ Fix
This fix applies to Tier 2 CSSP or JRSS instances only. Configure Splunk notifications and dashboards in accordance with designated SSPs, SOPs, and/or TTPs.