The Dragos Platform must be configured to send backup audit records.

An XCCDF Rule

Description

<VulnDiscussion>Configuring the Dragos Platform to send out backup audit records is a critical best practice for ensuring the security, integrity, and availability of audit data. It supports disaster recovery, regulatory compliance, forensic investigations, and overall operational resilience, thereby strengthening the organization's cybersecurity posture. Storing backup audit records in a separate location ensures that even if the primary system is compromised or experiences a failure, the audit records remain intact and secure. This separation enhances the overall integrity and security of the audit data. In the event of a catastrophic event such as a cyberattack, hardware failure, or natural disaster, having backup audit records stored offsite allows for recovery of critical audit data. This capability is essential for restoring operations and conducting post-incident analyses. In the aftermath of a security incident, forensic investigators rely on audit records to reconstruct events and understand the nature and impact of the incident. Backup audit records provide a reliable source of information for these investigations, even if the primary records are tampered with or deleted. Regularly backing up audit records ensures operational continuity by safeguarding critical data. In case of an unexpected event, the Dragos Platform can quickly access the backup records to continue monitoring and analyzing security events without significant disruption. Regular backups of audit records help ensure accountability by providing a reliable and tamper-evident log of activities. This accountability is essential for maintaining trust and transparency within the organization and with external stakeholders. Satisfies: SRG-APP-000125, SRG-APP-000515, SRG-APP-000358</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-265657r1018447_rule
Severity: Medium
References: CCI-001348 CCI-001851 CCI-001851
Updated: 17 days ago

Create Syslog server and Rule.

1. Create a Syslog server on a third-party device. The steps may vary depending on the chosen Syslog server software.

2. Create a syslog server output in the Dragos UI.
Navigate to Admin >> Integrations.

Click "LAUNCH" in the Syslog section.

Click "ADD NEW SERVER".

Enter third-party server information and click "NEXT".

Input Message Template.

Click "SAVE".

3. Create a rule.
Navigate to Notification >> RULES Tab.

Click "NEW RULE".

Fill in Name and Processing Order.

Select For Rule Criteria:
If ANY of the following - "Notification Type" "Equals" "System"
Action = Send Syslog (third-party server)

Click "SAVE".

The Dragos Platform must be configured to send backup audit records.

Description

Remediation - Manual Procedure