Splunk Enterprise must be configured with a successful/unsuccessful logon attempts report.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-221942 | SRG-APP-000503-AU-000280 | SPLK-CL-000280 | SV-221942r961824_rule | 2024-08-27 | 3 |
| Description |
|---|
| The SIEM or Central Log Server is the mitigation method for most of the other STIGs applied to an organization. Robust alerting and reporting is a key feature in any incident response plan. The ability to report on logon attempts is the first step is creating a chain of events for a forensic analysis and incident response. |
| ℹ️ Check |
|---|
| If the Splunk instance is used for Tier 2 CSSP (formerly CND-SP) or JRSS analysis, this check is N/A. Interview the System Administrator (SA) to demonstrate that a logon attempts report exists. If a report does not exist, this is a finding. |
| ✔️ Fix |
|---|
| If the Splunk instance is used for Tier 2 CSSP (formerly CND-SP) or JRSS analysis, this fix is N/A. Configure Splunk Enterprise using the reporting and notification tools to create a report that audits the logon attempts. Make this report available to the ISSM and other required individuals. |