Splunk Enterprise must be configured to notify the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, when an attack is detected on multiple devices and hosts within its scope of coverage.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-221628	SPLK-CL-000320	SV-221628r879887_rule		Medium

Description
Detecting when multiple systems are showing anomalies can often indicate an attack. Notifying appropriate personnel can initiate a proper response and mitigation of the attack. Splunk can aggregate events from multiple devices and create alerts when specific events occur. Detecting similar events on multiple devices simultaneously may indicate an attack. The ability to alert and report on this activity can aid in thwarting an attack.

Description

Detecting when multiple systems are showing anomalies can often indicate an attack. Notifying appropriate personnel can initiate a proper response and mitigation of the attack. Splunk can aggregate events from multiple devices and create alerts when specific events occur. Detecting similar events on multiple devices simultaneously may indicate an attack. The ability to alert and report on this activity can aid in thwarting an attack.

STIG	Date
Splunk Enterprise 7.x for Windows Security Technical Implementation Guide	2023-06-09

Details

Check Text ( C-23343r416341_chk )
Interview the SA to verify that a process exists to notify the SA and ISSO, at a minimum, when an attack is detected on multiple devices and hosts within its scope of coverage. Interview the ISSO to confirm receipt of this notification. If a report does not exist, or the ISSO does not confirm receipt of this report, this is a finding.

Fix Text (F-23332r416342_fix)
Configure Splunk Enterprise, using the reporting and notification tools, to notify the SA and ISSO, at a minimum, when an attack is detected on multiple devices and hosts within its scope of coverage.