Check: SRG-NET-000091-IDPS-00193
Intrusion Detection and Prevention Systems (IDPS) SRG:
SRG-NET-000091-IDPS-00193
(in versions v2 r6 through v2 r2)
Title
The IDPS must provide log information in a format that can be extracted and used by centralized analysis tools. (Cat II impact)
Discussion
Centralized review and analysis of log records from multiple IDPS components gives the organization the capability to better detect distributed attacks and provides increased data points for behavior analysis techniques. These techniques are invaluable in monitoring for indicators of complex attack patterns. To support the centralized analysis capability, the IDPS components must be able to provide the information in a format (e.g., Syslog) that can be extracted and used, allowing the application to effectively review and analyze the log records.
Check Content
Verify the IDPS provides log information in a format that can be extracted and used by centralized analysis tools. If the IDPS does not provide log information in a format that can be extracted and used by centralized analysis tools, this is a finding.
Fix Text
Configure the IDPS to provide log information in a format that can be extracted and used by centralized analysis tools.
Additional Identifiers
Rule ID: SV-69581r1_rule
Vulnerability ID: V-55335
Group Title: SRG-NET-000091-IDPS-00193
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000154 |
The information system provides the capability to centrally review and analyze audit records from multiple components within the system. |
Controls
| Number | Title |
|---|---|
| AU-6 (4) |
Central Review And Analysis |