An error occurred:

Check: ENS-CO-000109

Trellix ENS 10.x STIG: ENS-CO-000109 (in version v3 r2)

Title

(U) The Trellix ENS Common Options must be configured to log Critical and Alert Threat Prevention events. (Cat II impact)

Discussion

(U) Logging is imperative to forensic analysis and must be configured to capture the most severe events, at a minimum. Events with a severity of Critical and Alert are the two highest events and should be analyzed for risk to the managed system as well as the site and enterprise.

Check Content

(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Common". From the "Category" list, select "Options". Select each configured Options policy. Click the "Show Advanced" button. Verify Client Logging >> Event Logging >> Threat Prevention events to log >> Access Protection is configured for "Critical and Alert" events. Verify Client Logging >> Event Logging >> Threat Prevention events to log >> On-Access Scan is configured for "Critical and Alert" events. Verify Client Logging >> Event Logging >> Threat Prevention events to log >> On-Demand Scan is configured for "Critical and Alert" events. If Client Logging >> Event Logging >> Threat Prevention events to log is not configured for "Critical and Alert" events for "Access Protection", "On-Access Scan", and "On-Demand Scan", this is a finding. If Client Logging >> Event Logging >> Threat Prevention events to log is configured for "All Except Informational" or "All" events for "Access Protection", "On-Access Scan", and "On-Demand Scan", this is not a finding.

Fix Text

(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog From the "Product" list, select "Endpoint Security Common". From the "Category" list, select "Options". Select each configured Options policy. Click the "Show Advanced" button. Configure Client Logging >> Event Logging >> Threat Prevention events to log >> Access Protection for "Critical and Alert" events. Configure Client Logging >> Event Logging >> Threat Prevention events to log >> On-Access Scan for "Critical and Alert" events. Configure Client Logging >> Event Logging >> Threat Prevention events to log >> On-Demand Scan for "Critical and Alert" events. Click "Save".

Additional Identifiers

Rule ID: SV-228232r1022704_rule

Vulnerability ID: V-228232

Group Title: SRG-APP-000358

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-001851

Transfer audit logs per organization-defined frequency to a different system, system component, or media than the system or system component conducting the logging.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AU-4(1)

Transfer to Alternate Storage