The Dragos Platform must notify system administrators and information system security officer (ISSO) of local account activity.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-270993 | DRAG-OT-001190 | SV-270993r1058013_rule | CCI-001683 | medium |

Description: Once an attacker establishes access to an application, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply create a new account. Sending notification of account creation events to the system administrator and ISSO is one method for mitigating this risk. Satisfies: SRG-APP-000291, SRG-APP-000292, SRG-APP-000293, SRG-APP-000294

| STIG | Date |
|---|---|
| Dragos Platform 2.x Security Technical Implementation Guide | 2025-05-15 |
Details
Check Text (C-270993r1058013_chk)
While logged in to the Dragos Platform with a user account with administrative privileges, navigate to Admin >> User Management >> Users.
Create a new user account (roles and authentication do not need to be assigned).
Within 15 minutes of creating the account:
1. Click the "Notifications" button.
Verify a notification appears within Dragos Platform notifications page.
If a notification does not occur, this is a finding.
2. Observe that the same notification appears on the aggregate server/syslog recipient (the third-party syslog server).
(Note: The steps to view forwarded alerts vary with the syslog software in use.)
If the alert is not sent to the third-party syslog server, this is a finding.
3. Check Rules:
Navigate to Notification >> RULES Tab.
Verify a rule exists with the following:
Action = "Send Syslog (third-party server)"
Criteria (in the "If ANY of the following" block) =
"Detected By Equals Authentication to the Dragos Platform"
"Detected By Equals User Account Activity"
If no rule exists with the correct Action and Criteria, this is a finding.
4. Remove the test user just created.
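The syslog-side check in step 2 can be automated against a capture taken from the aggregate server. The following Python script is an added example, not part of the STIG or of Dragos's own tooling: it assumes RFC 5424 framing and a "Key: value; Key: value" message body (the real Dragos export format should be substituted in SYSLOG_RE and parse_fields), and the sample log lines, the test user name and the creation timestamp are constructed for illustration.

```python
"""Added example: scan a syslog capture for the account-creation notification
that this check expects within 15 minutes of creating the test account.

Assumptions (not from the STIG or the Dragos Platform): the export uses
RFC 5424 framing and a message body of "Key: value; Key: value" fields.
Adjust SYSLOG_RE and parse_fields() to the real export format.
"""
import re
from datetime import datetime, timedelta, timezone

# RFC 5424 header: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>1\s+(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<app>\S+)\s+"
    r"\S+\s+\S+\s+(?P<msg>.*)$"
)

# The check gives the platform 15 minutes to raise the notification.
WINDOW = timedelta(minutes=15)

# Constructed sample capture: one login event, a non-syslog line, the
# test-account creation at 10:02, and a creation that lands outside the window.
SAMPLE_LOG = [
    "<134>1 2025-05-15T09:30:00Z sitestore01 dragos-platform - - "
    "Detected By: Authentication to the Dragos Platform; Event: Login success; User: admin",
    "this line is not syslog at all",
    "<134>1 2025-05-15T10:02:11Z sitestore01 dragos-platform - - "
    "Detected By: User Account Activity; Event: User account created; User: stig-test-user; By: admin",
    "<134>1 2025-05-15T10:40:00Z sitestore01 dragos-platform - - "
    "Detected By: User Account Activity; Event: User account created; User: late-user; By: admin",
]
TEST_USER = "stig-test-user"                                    # constructed
TEST_CREATED_AT = datetime(2025, 5, 15, 10, 0, tzinfo=timezone.utc)  # constructed


def parse_fields(msg):
    """Split an assumed 'Key: value; Key: value' body into a dict."""
    fields = {}
    for part in msg.split(";"):
        if ":" in part:
            key, value = part.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def parse_line(line):
    """Parse one syslog line; return None for lines that do not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
    return {"ts": ts, "host": m.group("host"), "app": m.group("app"),
            "fields": parse_fields(m.group("msg"))}


def find_account_notification(lines, username, created_at, window=WINDOW):
    """Return the first User Account Activity event for `username` received
    between created_at and created_at + window, or None if none arrived."""
    deadline = created_at + window
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        f = ev["fields"]
        if (f.get("Detected By") == "User Account Activity"
                and f.get("User") == username
                and created_at <= ev["ts"] <= deadline):
            return ev
    return None


def is_finding(lines, username, created_at):
    """True when no qualifying notification reached the syslog recipient."""
    return find_account_notification(lines, username, created_at) is None


if __name__ == "__main__":
    ev = find_account_notification(SAMPLE_LOG, TEST_USER, TEST_CREATED_AT)
    if ev:
        print(f"notification from {ev['host']} at {ev['ts'].isoformat()}: not a finding")
    else:
        print("no notification within 15 minutes: finding")
```

Run it against an export pulled from the aggregate server right after step 2; the late-user line in the sample shows why the timestamp window matters, since a notification that arrives after the 15-minute limit still counts as a finding.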
Fix Text (F-74937r1058012_fix)
1. If a notification does not appear, install KP-CW-24-001. This knowledge pack will add this and other notifications relevant to the STIG to the Dragos Platform.
Adding Knowledge Pack:
While logged in to the Dragos Platform with administrative privileges, navigate to Admin >> SiteStore Management >> Knowledge Packs.
Locate all "STIG-KP_Plus" Knowledge Pack(s).
Click "Deploy" button next to the Knowledge Pack(s).
Fill in the form and click "DEPLOY".
2. If a notification appears but is not received by the aggregate/syslog server, ensure there is a rule to trigger a syslog export in the "Notifications" applet of the Dragos Platform. If not, create one.
To create the rule, navigate to Notification >> RULES Tab.
Click "NEW RULE".
Fill in Name and Processing Order.
Add two attributes in the "If ANY of the following" block so that either event type triggers the rule:
Click "ADD ATTRIBUTE".
Type = "Detected By"
Select Operation = "Equals"
Select Value = "Authentication to the Dragos Platform"
Click "ADD ATTRIBUTE" again.
Type = "Detected By"
Select Operation = "Equals"
Select Value = "User Account Activity"
In the "THEN perform the following actions" block:
Click "ADD ACTION".
Action = Send Syslog (third-party server)
Click "SAVE".