Check: ENS-CO-000109
Trellix ENS 10.x STIG:
ENS-CO-000109
(in versions v3 r1 through v2 r5)
Title
(U) The Trellix ENS Common Options must be configured to log Critical and Alert Threat Prevention events. (Cat II impact)
Discussion
(U) Logging is imperative to forensic analysis and must be configured to capture the most severe events, at a minimum. Events with a severity of Critical and Alert are the two highest events and should be analyzed for risk to the managed system as well as the site and enterprise.
Check Content
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog From the "Product" list, select "Endpoint Security Common". From the "Category" list, select "Options". Select each configured Options policy. Click the "Show Advanced" button. Verify Client Logging >> Event Logging >> Threat Prevention events to log >> Access Protection is configured for "Critical and Alert" events. Verify Client Logging >> Event Logging >> Threat Prevention events to log >> On-Access Scan is configured for "Critical and Alert" events. Verify Client Logging >> Event Logging >> Threat Prevention events to log >> On-Demand Scan is configured for "Critical and Alert" events. If Client Logging >> Event Logging >> Threat Prevention events to log is not configured for "Critical and Alert" events for "Access Protection", "On-Access Scan", and "On-Demand Scan", this is a finding.
Fix Text
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog From the "Product" list, select "Endpoint Security Common". From the "Category" list, select "Options". Select each configured Options policy. Click the "Show Advanced" button. Configure Client Logging >> Event Logging >> Threat Prevention events to log >> Access Protection for "Critical and Alert" events. Configure Client Logging >> Event Logging >> Threat Prevention events to log >> On-Access Scan for "Critical and Alert" events. Configure Client Logging >> Event Logging >> Threat Prevention events to log >> On-Demand Scan for "Critical and Alert" events. Click "Save".
Additional Identifiers
Rule ID: SV-228232r961395_rule
Vulnerability ID: V-228232
Group Title: SRG-APP-000358
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001851 |
Transfer audit logs per organization-defined frequency to a different system, system component, or media than the system or system component conducting the logging. |
Controls
Number | Title |
---|---|
AU-4(1) |
Transfer to Alternate Storage |