Check: ENS-CO-000109
Trellix ENS 10.x STIG:
ENS-CO-000109
(in versions v2 r5 through v2 r14)
Title
(U) The Trellix ENS Common Options must be configured to log Critical and Alert Threat Prevention events. (Cat II impact)
Discussion
(U) Logging is essential to forensic analysis and must, at a minimum, be configured to capture the most severe events. Critical and Alert are the two highest severity levels; events at these levels should be analyzed for risk to the managed system as well as to the site and the enterprise.
Check Content
(U) Access the ePO server console.
Select Menu >> Policy >> Policy Catalog.
From the "Product" list, select "Endpoint Security Common".
From the "Category" list, select "Options".
Select each configured Options policy.
Click the "Show Advanced" button.
Verify Client Logging >> Event Logging >> Threat Prevention events to log >> Access Protection is configured for "Critical and Alert" events.
Verify Client Logging >> Event Logging >> Threat Prevention events to log >> On-Access Scan is configured for "Critical and Alert" events.
Verify Client Logging >> Event Logging >> Threat Prevention events to log >> On-Demand Scan is configured for "Critical and Alert" events.
If Client Logging >> Event Logging >> Threat Prevention events to log is not configured for "Critical and Alert" events for any of "Access Protection", "On-Access Scan", or "On-Demand Scan" in any configured Options policy, this is a finding.
Fix Text
(U) Access the ePO server console.
Select Menu >> Policy >> Policy Catalog.
From the "Product" list, select "Endpoint Security Common".
From the "Category" list, select "Options".
Select each configured Options policy.
Click the "Show Advanced" button.
Configure Client Logging >> Event Logging >> Threat Prevention events to log >> Access Protection for "Critical and Alert" events.
Configure Client Logging >> Event Logging >> Threat Prevention events to log >> On-Access Scan for "Critical and Alert" events.
Configure Client Logging >> Event Logging >> Threat Prevention events to log >> On-Demand Scan for "Critical and Alert" events.
Click "Save".
Repeat for every configured Options policy.
Additional Identifiers
Rule ID: SV-228232r944448_rule
Vulnerability ID: V-228232
Group Title: SRG-APP-000358
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001851 | The information system off-loads audit records per organization-defined frequency onto a different system or media than the system being audited. |
Controls
Number | Title |
---|---|
AU-4 (1) | Transfer To Alternate Storage |