Check: SRG-APP-000358-UEM-100013
Unified Endpoint Management Agent SRG:
SRG-APP-000358-UEM-100013
(in version v1 r1)
Title
The UEM Agent must be configured to enable the following function: transfer managed endpoint device audit logs read by the UEM Agent to an UEM server or third-party audit management server. (Cat II impact)
Discussion
Audit logs and alerts enable monitoring of security-relevant events and subsequent forensics when breaches occur. They help identify when the security posture of the device is not as expected. This enables the UEM administrator to take an appropriate remedial action. MD audit logs must be transferred to an audit management service so they can be analyzed and acted on.
Satisfies: FMT_SMF_EXT.4.1
Reference: PP-UEM-401006
Check Content
Verify the UEM Agent has enabled the following function: transfer managed endpoint device audit logs read by the UEM Agent to an UEM server or third-party audit management server. If the UEM Agent has not enabled the following function: transfer managed endpoint device audit logs read by the UEM Agent to an UEM server or third-party audit management server, this is a finding.
Fix Text
Configure the UEM Agent to enable the following function: transfer managed endpoint device audit logs read by the UEM Agent to an UEM server or third-party audit management server.
Additional Identifiers
Rule ID: SV-234242r617354_rule
Vulnerability ID: V-234242
Group Title: SRG-APP-000358
CCIs
Number | Definition |
---|---|
CCI-001851 | Transfer audit logs per organization-defined frequency to a different system, system component, or media than the system or system component conducting the logging. |
Controls
Number | Title |
---|---|
AU-4(1) | Transfer to Alternate Storage |