Check: ENS-CO-000107
Trellix ENS 10.x STIG:
ENS-CO-000107
(in versions v3 r2 through v2 r13)
Title
(U) The Trellix ENS Common Options must be configured to send events to Trellix ePO. (Cat II impact)
Discussion
(U) Logging is imperative to forensic analysis. Logging directly to the local Windows event logs or syslogs of managed clients allows for system-specific analysis. To conduct forensic analysis from a site or enterprise perspective, however, the events must also be sent to the ePO server for consolidation with events from other managed systems.
Check Content
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Common". From the "Category" list, select "Options". Select each configured Options policy. Click the "Show Advanced" button. Verify that Client Logging >> Event Logging >> "Send events to Trellix ePO" is selected. If Client Logging >> Event Logging >> "Send events to Trellix ePO" is not selected in any configured Options policy, this is a finding.
Fix Text
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Common". From the "Category" list, select "Options". Select each configured Options policy. Click the "Show Advanced" button. Select the Client Logging >> Event Logging >> "Send events to Trellix ePO" option. Click "Save".
Additional Identifiers
Rule ID: SV-228230r961395_rule
Vulnerability ID: V-228230
Group Title: SRG-APP-000358
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-001851 | Transfer audit logs per organization-defined frequency to a different system, system component, or media than the system or system component conducting the logging. |
Controls
| Number | Title |
|---|---|
| AU-4(1) | Transfer to Alternate Storage |