The Dragos Platform must alert the information system security officer (ISSO), information system security manager (ISSM), and other individuals designated by the local organization when events are detected that indicate a compromise or potential for compromise.

An XCCDF Rule

Description

When a security event occurs, Dragos Platform must immediately notify the appropriate support personnel so they can respond appropriately. Alerts may be generated from a variety of sources, including audit records or inputs from malicious code protection mechanisms, intrusion detection mechanisms, or prevention mechanisms. IOCs are forensic artifacts from intrusions that are identified on organizational information systems (at the host or network level). IOCs provide organizations with valuable information on objects or information systems that have been compromised. These indicators reflect the occurrence of a compromise or a potential compromise.

ID: SV-271070r1058032_rule
Version: DRAG-OT-002120
Severity: Medium
References: CCI-002664
Updated: 6 days ago

Remediation Templates

1. Configure Servers.
If using Syslog Server:
Create a Syslog server on a third-party device.
The steps may vary depending on the chosen Syslog server software. Refer to 2.3.x Dragos Platform Syslog Integration Guide in the Customer Portal for additional help.

Create a syslog server output in the Dragos UI.Navigate to Admin >> Integrations.
Click "LAUNCH" in the Syslog section.
Click "ADD NEW SERVER".
Enter third-party server information and click "NEXT".
Input Message Template.
Click "SAVE".

If using Email Server:
In the UI, navigate to Admin >> Integrations.
Click "LAUNCH" on the email block.

Configure the Email Server and Recipients:
Refer to 2.3.x Dragos Platform Email Integration Guide in the Customer Portal for additional help.

2. Creating System Rules:
Navigate to Notification >> RULES Tab.
Click "NEW RULE".
Fill in Name and Processing Order.

Create two Attributes.
Click "ADD ATTRIBUTE" in the "If ANY of the following" block:
Type = "Notification Type"
Select Operation = "Equals"
Select Value = "System"

Click "ADD ATTRIBUTE" in the "If ANY of the following" block:
Type = "Notification Type"
Select Operation = "Equals"
Select Value = "System failure"

In the "THEN perform the following actions block:
Click "ADD ACTION".
Action = "Send (<your syslog server or email server>)"

Click "SAVE".

The Dragos Platform must alert the information system security officer (ISSO), information system security manager (ISSM), and other individuals designated by the local organization when events are detected that indicate a compromise or potential for compromise.

Description

Remediation Templates

A Manual Procedure