The Cisco ISE must provide an alert to, at a minimum, the SA and ISSO of all audit failure events where the detection and/or prevention function is unable to write events to either local storage or the centralized server. This is required for compliance with C2C Step 1.

An XCCDF Rule

Description

<VulnDiscussion>Without an alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. Alerts provide organizations with urgent messages. Alerts provide these messages immediately (i.e., the time from event detection to alert occurs in seconds or less). This does not apply to audit logs generated on behalf of the device itself (management).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-242595r855856_rule
Severity: Medium
References: CCI-001858
Updated: 17 days ago

Configure Cisco ISE to notify one or more individuals when there is a Log Collection Error.

From the Web Admin portal:
1. Choose Administration >> System >> Settings >> Alarm Settings.
2. Select "Log Collector Error" from the list of default alarms and click "Edit".
3. Select "Enable".4. Select "Enter Multiple Emails Separated with Comma".
5. Configure email addresses of individuals and organizational accounts to be notified.
6. Click "Submit".

The Cisco ISE must provide an alert to, at a minimum, the SA and ISSO of all audit failure events where the detection and/or prevention function is unable to write events to either local storage or the centralized server. This is required for compliance with C2C Step 1.

Description

Remediation - Manual Procedure