SPA Objectives - SIEM Tool

From Cooey Wiki

When is a SIEM an SPA?

A SIEM is an SPA (Security Protection Asset) when it ingests/aggregates logs from one or more CUI assets.

Assessment Objectives to Assess

AU.L2-3.3.1 - SYSTEM AUDITING [c,d,f]

  • A SIEM will show that audit records are created, contain the defined content, and are retained as defined.

AU.L2-3.3.2 - USER ACCOUNTABILITY [b]

  • The SIEM will show that audit records contain the defined content necessary to trace users to their actions.

AU.L2-3.3.4 - AUDIT FAILURE ALERTING [c]

  • A SIEM may be able to show that identified personnel/roles are alerted in an audit logging process failure.

AU.L2-3.3.5 - AUDIT CORRELATION [b]

  • A SIEM can help show that audit record review, analysis, and reporting processes are correlated.

AU.L2-3.3.6 - REDUCTION & REPORTING [a,b]

  • A SIEM can be used to show on-demand analysis and reporting of audit logs.

AU.L2-3.3.8 - AUDIT PROTECTION [a-f]

  • The SIEM will show how audit information and tools are protected from unauthorized access, modification, and deletion.

AU.L2-3.3.9 - AUDIT MANAGEMENT [b]

  • The SIEM would need to be shown to demonstrate that a subset of users has access to manage the SIEM.

IR.L2-3.6.1 - INCIDENT HANDLING [c,d]

  • A SIEM will likely help support detection and analysis during an incident.

SI.L2-3.14.6 - MONITOR COMMUNICATIONS FOR ATTACKS [a,b,c]

  • A SIEM can show that the system, inbound traffic, and outbound traffic are monitored to detect attacks.

SI.L2-3.14.7 - IDENTIFY UNAUTHORIZED USE [b]

  • A SIEM will likely show that unauthorized use is identified.

Assessment Objectives that won't likely be Assessed

AU.L2-3.3.3 - EVENT REVIEW

  • A SIEM will likely not contain evidence that event types to be logged are reviewed and updated.

AU.L2-3.3.7 - AUTHORITATIVE TIME SOURCE

  • No AOs require a SIEM to demonstrate that an authoritative time source is selected and used.