Splunk Enterprise must be configured with a successful/unsuccessful logon attempts report.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-221942 | SPLK-CL-000280 | SV-221942r879874_rule | Medium |
| Description |
|---|
| The SIEM or Central Log Server is the mitigation method for most of the other STIGs applied to an organization. Robust alerting and reporting is a key feature in any incident response plan. The ability to report on logon attempts is the first step is creating a chain of events for a forensic analysis and incident response. |
| STIG | Date |
|---|---|
| Splunk Enterprise 7.x for Windows Security Technical Implementation Guide | 2023-06-09 |
Details
| Check Text ( C-23656r420294_chk ) |
|---|
| If the Splunk instance is used for Tier 2 CSSP (formerly CND-SP) or JRSS analysis, this check is N/A. Interview the System Administrator (SA) to demonstrate that a logon attempts report exists. If a report does not exist, this is a finding. |
| Fix Text (F-23645r420295_fix) |
|---|
| If the Splunk instance is used for Tier 2 CSSP (formerly CND-SP) or JRSS analysis, this fix is N/A. Configure Splunk Enterprise using the reporting and notification tools to create a report that audits the logon attempts. Make this report available to the ISSM and other required individuals. |