Splunk Enterprise must be configured with a report to notify the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, when an attack is detected on multiple devices and hosts within its scope of coverage.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-251676 | SRG-APP-000516-AU-000350 | SPLK-CL-000280 | SV-251676r961863_rule | 2025-03-05 | 2 |
| Description |
|---|
| Detecting when multiple systems are showing anomalies can often indicate an attack. Notifying appropriate personnel can initiate a proper response and mitigation of the attack. |
| ℹ️ Check |
|---|
| Interview the SA to verify that a report exists to notify the SA and ISSO, at a minimum, when an attack is detected on multiple devices and hosts within its scope of coverage. Interview the ISSO to confirm receipt of this report. If a report does not exist, or the ISSO does not confirm receipt of this report, this is a finding. |
| ✔️ Fix |
|---|
| Configure Splunk Enterprise, using the Reporting and Alert tools, to notify the SA and ISSO, at a minimum, when an attack is detected on multiple devices and hosts within its scope of coverage. |