
V-251676

CAT II (Medium)

Splunk Enterprise must be configured with a report to notify the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, when an attack is detected on multiple devices and hosts within its scope of coverage.

Rule ID

SV-251676r961863_rule

STIG

Splunk Enterprise 8.x for Linux Security Technical Implementation Guide

Version

V2R3

CCIs

CCI-000366

Discussion

Anomalies appearing on multiple systems at the same time often indicate an attack. Detecting that pattern and notifying appropriate personnel can initiate a proper response and mitigation of the attack.

Check Content

Interview the SA to verify that a report exists to notify the SA and ISSO, at a minimum, when an attack is detected on multiple devices and hosts within its scope of coverage.

Interview the ISSO to confirm receipt of this report.

If a report does not exist, or the ISSO does not confirm receipt of this report, this is a finding.

Fix Text

Configure Splunk Enterprise, using the Reporting and Alert tools, to notify the SA and ISSO, at a minimum, when an attack is detected on multiple devices and hosts within its scope of coverage.
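One way to satisfy this fix is a scheduled alert defined in savedsearches.conf that fires when the same attack indicator is seen on several distinct hosts and emails the SA and ISSO. The stanza below is an added example, not text from the STIG or a DISA-provided configuration; the index, sourcetype, field names (host, signature, severity), the threshold of three hosts, and the recipient addresses are all assumptions that must be replaced with the values in your environment.

```ini
# Added example (not part of the STIG). Assumed location:
# $SPLUNK_HOME/etc/apps/<your_app>/local/savedsearches.conf
[Attack detected on multiple hosts - notify SA and ISSO]
description = Fires when the same IDS signature is seen on three or more distinct hosts within the last 15 minutes

# Assumed data: IDS/IPS alerts indexed with fields host, signature and severity.
# dc(host) counts distinct hosts per signature; the threshold (3) is an assumption.
search = index=security sourcetype=ids_alert severity=high | stats dc(host) AS affected_hosts values(host) AS hosts BY signature | where affected_hosts >= 3

# Run every 15 minutes over the previous 15-minute window
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = now

# Trigger whenever the search returns at least one row
counttype = number of events
relation = greater than
quantity = 0
alert.severity = 5
alert.track = 1

# Do not re-notify for the same signature more than once per hour
alert.suppress = 1
alert.suppress.fields = signature
alert.suppress.period = 1h

# Email action. Recipient addresses are placeholders; SMTP must already be
# configured under Settings > Server settings > Email settings.
action.email = 1
action.email.to = sa@example.mil, isso@example.mil
action.email.subject = [Splunk] Attack detected on $result.affected_hosts$ hosts: $result.signature$
action.email.sendresults = 1
action.email.inline = 1
action.email.include.trigger_time = 1

disabled = 0
```

After deploying the app, `splunk btool savedsearches list --debug` shows the effective stanza and which file each setting came from, which is useful evidence for the check. Because the check also requires the ISSO to confirm receipt, retain a triggered-alert record (alert.track keeps it under Activity > Triggered Alerts) and the ISSO's acknowledgement of a test notification.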