Check: ENS-CO-000108
Trellix ENS 10.x STIG:
ENS-CO-000108
(in versions v3 r2 through v2 r5)
Title
(U) The Trellix ENS Common Options must be configured to log events to the Windows Application Event Log. (Cat II impact)
Discussion
(U) Logging is imperative to forensic analysis. Logging directly to the local Windows or syslogs of managed clients allows for system-specific analysis. By using the Windows Application Event Log to capture log events, the logs are easily accessible to auditors for forensics and troubleshooting.
Check Content
(U) NOTE: This requirement allows for logging to an external syslog instead of the Windows Application Log, but Windows events must still be logged.
Access the ePO server console.
Select Menu >> Policy >> Policy Catalog.
From the "Product" list, select "Endpoint Security Common".
From the "Category" list, select "Options".
Select each configured Options policy.
Click the "Show Advanced" button.
Verify Client Logging >> Event Logging >> "Log events to Windows Application Event Log" is selected.
If Client Logging >> Event Logging >> "Log events to Windows Application Event Log" is not selected, this is a finding.
Fix Text
(U) Access the ePO server console.
Select Menu >> Policy >> Policy Catalog.
From the "Product" list, select "Endpoint Security Common".
From the "Category" list, select "Options".
Select each configured Options policy.
Click the "Show Advanced" button.
Select the Client Logging >> Event Logging >> "Log events to Windows Application Event Log" option.
Click "Save".
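The ePO policy setting above is the authoritative control, but an auditor will usually also want evidence on a managed endpoint that ENS events are actually reaching the Windows Application Event Log. The following PowerShell check is an added example, not part of the STIG or of Trellix's own tooling; the event source name in $ProviderName is a placeholder assumption and must be replaced with the source ENS registers on your endpoints.

```powershell
# Added example (not from the STIG): confirm on a managed client that ENS
# events have been written to the Windows Application Event Log recently.
# $ProviderName is an assumed placeholder; look up the real source name in
# Event Viewer (Windows Logs > Application) before running this check.
function Test-EnsApplicationLogging {
    param(
        [string]$ProviderName = 'PLACEHOLDER-ENS-EVENT-SOURCE',  # assumption, not from the STIG
        [int]$LookbackHours = 24
    )
    $since = (Get-Date).AddHours(-$LookbackHours)
    try {
        # Get-WinEvent throws (with -ErrorAction Stop) when nothing matches,
        # so an empty result is handled in the catch block below.
        $events = Get-WinEvent -FilterHashtable @{
            LogName      = 'Application'
            ProviderName = $ProviderName
            StartTime    = $since
        } -ErrorAction Stop
    } catch {
        $events = @()
    }
    $count = @($events).Count
    [pscustomobject]@{
        Provider   = $ProviderName
        Since      = $since
        EventCount = $count
        # Events present in the window is the evidence the check is looking for
        Compliant  = ($count -gt 0)
    }
}

$result = Test-EnsApplicationLogging
$result | Format-List
if (-not $result.Compliant) {
    Write-Warning "No events from '$($result.Provider)' in the Application log since $($result.Since); review ENS-CO-000108 policy settings."
}
```

An absence of events within the window is not by itself a finding (a quiet endpoint may legitimately have none); it is a prompt to confirm the ePO policy setting described in the Check Content.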
Additional Identifiers
Rule ID: SV-228231r961395_rule
Vulnerability ID: V-228231
Group Title: SRG-APP-000358
Expert Comments
CCIs
Number | Definition
---|---
CCI-001851 | Transfer audit logs per organization-defined frequency to a different system, system component, or media than the system or system component conducting the logging.
Controls
Number | Title
---|---
AU-4(1) | Transfer to Alternate Storage