Check: CYLN-OP-000180
Arctic Wolf CylanceON-PREM STIG: CYLN-OP-000180 (version v1 r1)
Title
CylanceON-PREM must be configured to support integration with a third-party Security Information and Event Management (SIEM) to support notifications. (Cat II impact)
Discussion
Integrating a Central Log Server for managing audit records enhances security monitoring, incident response, and compliance efforts. By providing centralized logging, real-time analysis, and automated alerting, a Central Log Server allows CylanceON-PREM to maintain a robust security posture and effectively respond to potential threats, ultimately contributing to the organization's overall security strategy.
Satisfies: SRG-APP-000108, SRG-APP-000115, SRG-APP-000125, SRG-APP-000126, SRG-APP-000181, SRG-APP-000291, SRG-APP-000292, SRG-APP-000293, SRG-APP-000294, SRG-APP-000320, SRG-APP-000358, SRG-APP-000360, SRG-APP-000474, SRG-APP-000515, SRG-APP-000745, SRG-APP-000795
Check Content
Verify SIEM. Administrator privileges are required.
1. Log in to the admin console.
2. Navigate to CONFIGURATION >> Settings.
3. Find Syslog/SIEM.
If Syslog/SIEM is not enabled or the settings are not configured correctly, this is a finding.
Fix Text
Configure SIEM. Administrator privileges are required.
1. Log in to the admin console.
2. Navigate to CONFIGURATION >> Settings.
3. Find Syslog/SIEM.
4. Click on the edit button beside Syslog/SIEM.
5. Slide the button to enable.
6. Populate the Syslog/SIEM configuration.
7. Click the green check to save.
Additional Identifiers
Rule ID: SV-272632r1113445_rule
Vulnerability ID: V-272632
Group Title: SRG-APP-000108
CCIs
Number | Definition
---|---
CCI-000139 | Alert organization-defined personnel or roles within an organization-defined time period in the event of an audit logging process failure.
CCI-000158 | Provide the capability to process, sort, and search audit records for events of interest based on organization-defined audit fields within audit records.
CCI-001348 | Store audit records on an organization-defined frequency in a repository that is part of a physically different system or system component than the system or component being audited.
CCI-001350 | Implement cryptographic mechanisms to protect the integrity of audit information.
CCI-001683 | The information system notifies organization-defined personnel or roles for account creation actions.
CCI-001684 | The information system notifies organization-defined personnel or roles for account modification actions.
CCI-001685 | The information system notifies organization-defined personnel or roles for account disabling actions.
CCI-001686 | The information system notifies organization-defined personnel or roles for account removal actions.
CCI-001851 | Transfer audit logs per organization-defined frequency to a different system, system component, or media than the system or system component conducting the logging.
CCI-001858 | Provide an alert in an organization-defined real-time-period to organization-defined personnel, roles, and/or locations when organization-defined audit failure events requiring real-time alerts occur.
CCI-001876 | Provide an audit reduction capability that supports on-demand reporting requirements.
CCI-002132 | The information system notifies organization-defined personnel or roles for account enabling actions.
CCI-002702 | Shut the system down, restart the system, and/or initiate organization-defined alternative action(s) when anomalies in the operation of the organization-defined security functions are discovered.
CCI-003821 | Implement the capability to centrally review and analyze audit records from multiple components within the system.
CCI-003831 | Alert organization-defined personnel or roles upon detection of unauthorized access, modification, or deletion of audit information.
Controls
Number | Title
---|---
AC-2(4) | Automated Audit Actions
AU-4(1) | Transfer to Alternate Storage
AU-5 | Response to Audit Processing Failures
AU-5(2) | Real-time Alerts
AU-7 | Audit Reduction and Report Generation
AU-7(1) | Automatic Processing
AU-9(2) | Audit Backup On Separate Physical Systems / Components
AU-9(3) | Cryptographic Protection
SI-6 | Security Function Verification