Splunk Enterprise 7.x for Windows Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
SRG-APP-000068-AU-000035
Group -
Splunk Enterprise must display the Standard Mandatory DOD Notice and Consent Banner and accept user acknowledgement before granting access to the application.
Display of the DOD-approved use notification before granting access to the application ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive ...Rule Low Severity -
SRG-APP-000427-AU-000040
Group -
Splunk Enterprise must only allow the use of DOD-approved certificate authorities for cryptographic functions.
Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DOD systems or by organizations with insufficient secur...Rule Medium Severity -
SRG-APP-000610-AU-000050
Group -
SRG-APP-000291-AU-000200
Group -
SRG-APP-000141-AU-000090
Group -
When Splunk Enterprise is distributed over multiple servers, each server must be configured to disable non-essential capabilities.
Applications are capable of providing a wide variety of functions and services. Some of the functions and services may not be necessary to support the configuration. This becomes more of an issue i...Rule Medium Severity -
SRG-APP-000118-AU-000100
Group -
Splunk Enterprise installation directories must be secured.
If audit data were to become compromised, competent forensic analysis and discovery of the true source of potentially malicious system activity would be difficult if not impossible to achieve. In a...Rule Medium Severity -
SRG-APP-000516-AU-000340
Group -
Splunk Enterprise forwarders must be configured with Indexer Acknowledgement enabled.
To prevent the loss of data during transmission, a handshake acknowledgement between the sender and the recipient may need configured.Rule Low Severity -
SRG-APP-000389-AU-000180
Group -
Splunk Enterprise idle session timeout must be set to not exceed 15 minutes.
Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When applications provide the capability to change security roles or escalate the fu...Rule Low Severity -
SRG-APP-000295-AU-000190
Group -
SRG-APP-000291-AU-000200
Group -
Splunk Enterprise must notify analysts of applicable events for Tier 2 CSSP and JRSS only.
Sending notifications or populating dashboards are ways to monitor and alert on applicable events and allow analysts to mitigate issues. Tier 2 CSSP and JRSS analysts perform higher-level analysis...Rule Low Severity -
SRG-APP-000065-AU-000240
Group -
Splunk Enterprise must enforce the limit of 3 consecutive invalid logon attempts by a user during a 15 minute time period.
By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the a...Rule Medium Severity -
SRG-APP-000503-AU-000280
Group -
Splunk Enterprise must be configured with a successful/unsuccessful logon attempts report.
The SIEM or Central Log Server is the mitigation method for most of the other STIGs applied to an organization. Robust alerting and reporting is a key feature in any incident response plan. The ab...Rule Medium Severity -
SRG-APP-000095-AU-000050
Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.