Splunk Enterprise must notify analysts of applicable events for Tier 2 CSSP and JRSS only.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-221940	SPLK-CL-000235	SV-221940r879669_rule		Low

Description
Sending notifications or populating dashboards are ways to monitor and alert on applicable events and allow analysts to mitigate issues. Tier 2 CSSP and JRSS analysts perform higher-level analysis at larger network coverage and have specific guidelines to handle alerts and reports. This requirement allows these analysts to not be burdened by all of the lower-level alerts that can be considered "white noise" by isolating their alerting and reporting requirements from other requirements in this STIG. Satisfies: SRG-APP-000291-AU-000200, SRG-APP-000292-AU-000420, SRG-APP-000293-AU-000430, SRG-APP-000294-AU-000440

Description

Sending notifications or populating dashboards are ways to monitor and alert on applicable events and allow analysts to mitigate issues. Tier 2 CSSP and JRSS analysts perform higher-level analysis at larger network coverage and have specific guidelines to handle alerts and reports. This requirement allows these analysts to not be burdened by all of the lower-level alerts that can be considered "white noise" by isolating their alerting and reporting requirements from other requirements in this STIG. Satisfies: SRG-APP-000291-AU-000200, SRG-APP-000292-AU-000420, SRG-APP-000293-AU-000430, SRG-APP-000294-AU-000440

STIG	Date
Splunk Enterprise 7.x for Windows Security Technical Implementation Guide	2023-06-09

Details

Check Text ( C-23654r420288_chk )
This check applies to Tier 2 CSSP or JRSS instances only. Verify that notifications and dashboards are configured in accordance with designated SSPs, SOPs, and/or TTPs. The absence of notifications and dashboards is a finding.

Fix Text (F-23643r420289_fix)
This fix applies to Tier 2 CSSP or JRSS instances only. Configure Splunk notifications and dashboards in accordance with designated SSPs, SOPs, and/or TTPs.