aj-stein-nist/semi-automated-log-review.xml

## semi-automated-log-review.xml
<?xml version="1.0" encoding="UTF-8"?>
<component-definition xmlns="http://csrc.nist.gov/ns/oscal/1.0"
    uuid="4d091abe-7489-4cb7-bb94-1a4d1c532c80"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://raw.githubusercontent.com/usnistgov/OSCAL/master/xml/schema/oscal_component_schema.xsd">
  <metadata>
    <title>NIST OISM Enterprise Cloud Security Overlay</title>
    <last-modified/>
    <version>20211215</version>
    <oscal-version>1.1.0-alpha</oscal-version>
  </metadata>
  <role id="nist-cloud-aws-system-administrator"/>
  <party/>
    <rule uuid="823ca7d8-0eaf-4485-9526-d63baf8324d8"
     name="NIST Common Controls Audit Record Review, Analysis, and Reporting">
      <title>Ensure Audit Record Review, Analysis, and Reporting</title>
      <condition>review logs at specific intervals for specific anomalies in the SIEM system</condition>
      <description>
        <p>NIST OISM requires DevOps engineers or system administrators to properly configure
        infastructure, network, system, and application logs for defined anomalies and forward
        them to proper Splunk indices. It is required they are retrievable using known log
        identifiers with predetermined queries, potentially triggered by alerts. With or
        without alerts, DevOps engineers or system administrators are expected to review the logs
        for these alerts and record a review log, whether or not confirmed anomaly events are in
        the logs.</p>
      </description>
      <condition-evaluator uuid="6db8ee2a-2ca8-4c1e-b4fc-5050051ece26"
        name="nist-oism-audit-review-splunk"
        type="semi-automated-review">
          <title>Log into Splunk and Review Predetermined Queries</title>
          <description>
            <p>Using the provided checklist, NIST OISM will provide you
            step by step instructions about how to log into the Splunk SIEM
            service, which indices to search, and which queries to execute.</p>
          </description>
          <prop ns="https://www.open-scap.org" type="argument" name="siem-server" value="https://siem-search-head.nist.gov:9876/en-US/account/login?return_to=%2Fen-US%2F"/>
          <prop ns="https://www.open-scap.org" type="argument" name="index" value="aws_logins"/>
          <prop ns="https://www.open-scap.org" type="argument" name="query"
            value="sourcetype='aws:cloudtrail' | spath | search errorCode=AccessDenied"/>
          <link rel="dependency" href="#151a06ba-0083-4d96-b7d7-c00ba99d1a77"/>
          <link rel="dependency" href="#2f78e608-d10d-4986-a3ae-a5cf02741a4d"/>
      </condition-evaluator>
      <condition-target ref-id="nist-cloud-aws-system-administrator">
          <description/>
      </condition-target>
      <prop name="supports" value="#5fee2acd-dbec-4d09-bc91-53c9e20e0ebf"/>
  </rule>
  <component uuid="6b9b34ad-ac13-43b6-a14c-e276ab4eaa73">
    <title/>
    <description/>
    <purpose/>
    <responsible-role/>
    <control-implementation
      uuid="559f76db-060f-44d0-bbc8-fdce1798e4ee"
      source="https://github.com/usnistgov/oscal-content/blob/master/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_MODERATE-baseline_profile.xml">
      <description/>
      <implemented-requirement uuid="5a82db6f-3bef-408b-b7f7-8c54b6136580">
        <description/>
        <set-parameter/>
        <statement
          statement-id="au-6_smt.a"
          uuid="5fee2acd-dbec-4d09-bc91-53c9e20e0ebf">
          <description>
            <p>This component provides NIST organizational policy for audit logging.
            The policy and materials will sufficiently prepare DevOPs engineers or
            system administrators of an information system to perform the necessary
            procedures and comply with NIST risk management requirements.</p>
          </description>
        </statement>
      </implemented-requirement>
    </control-implementation>
  </component>
  <back-matter>
    <resource uuid="2f78e608-d10d-4986-a3ae-a5cf02741a4d">
      <title>NIST OISM SSP for Common Controls - Audit Logging Policies and Procedures</title>
      <rlink media-type="application/pdf"
        href="https://intranet.nist.gov/oism/common-controls/au.pdf">
    </resource>
    <resource uuid="151a06ba-0083-4d96-b7d7-c00ba99d1a77">
      <title>Self-Assessment Report &amp; Checklist for NIST OISM Event Log Reviews in Splunk</title>
      <rlink media-type="text/html"
        href="https://nistgov.sharepoint.com/:w:/s/OISMSecurityPrivacy/MTY5MDhhYTktODI1MS00NjhhLWIyZDktZTI3OTZhZmFlMjBk"/>
    </resource>
  </back-matter>
</component-definition>
	<?xml version="1.0" encoding="UTF-8"?>
	<component-definition xmlns="http://csrc.nist.gov/ns/oscal/1.0"
	uuid="4d091abe-7489-4cb7-bb94-1a4d1c532c80"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://raw.githubusercontent.com/usnistgov/OSCAL/master/xml/schema/oscal_component_schema.xsd">
	<metadata>
	<title>NIST OISM Enterprise Cloud Security Overlay</title>
	<last-modified/>
	<version>20211215</version>
	<oscal-version>1.1.0-alpha</oscal-version>
	</metadata>
	<role id="nist-cloud-aws-system-administrator"/>
	<party/>
	<rule uuid="823ca7d8-0eaf-4485-9526-d63baf8324d8"
	name="NIST Common Controls Audit Record Review, Analysis, and Reporting">
	<title>Ensure Audit Record Review, Analysis, and Reporting</title>
	<condition>review logs at specific intervals for specific anomalies in the SIEM system</condition>
	<description>
	<p>NIST OISM requires DevOps engineers or system administrators to properly configure
	infastructure, network, system, and application logs for defined anomalies and forward
	them to proper Splunk indices. It is required they are retrievable using known log
	identifiers with predetermined queries, potentially triggered by alerts. With or
	without alerts, DevOps engineers or system administrators are expected to review the logs
	for these alerts and record a review log, whether or not confirmed anomaly events are in
	the logs.</p>
	</description>
	<condition-evaluator uuid="6db8ee2a-2ca8-4c1e-b4fc-5050051ece26"
	name="nist-oism-audit-review-splunk"
	type="semi-automated-review">
	<title>Log into Splunk and Review Predetermined Queries</title>
	<description>
	<p>Using the provided checklist, NIST OISM will provide you
	step by step instructions about how to log into the Splunk SIEM
	service, which indices to search, and which queries to execute.</p>
	</description>
	<prop ns="https://www.open-scap.org" type="argument" name="siem-server" value="https://siem-search-head.nist.gov:9876/en-US/account/login?return_to=%2Fen-US%2F"/>
	<prop ns="https://www.open-scap.org" type="argument" name="index" value="aws_logins"/>
	<prop ns="https://www.open-scap.org" type="argument" name="query"
	value="sourcetype='aws:cloudtrail' \| spath \| search errorCode=AccessDenied"/>
	<link rel="dependency" href="#151a06ba-0083-4d96-b7d7-c00ba99d1a77"/>
	<link rel="dependency" href="#2f78e608-d10d-4986-a3ae-a5cf02741a4d"/>
	</condition-evaluator>
	<condition-target ref-id="nist-cloud-aws-system-administrator">
	<description/>
	</condition-target>
	<prop name="supports" value="#5fee2acd-dbec-4d09-bc91-53c9e20e0ebf"/>
	</rule>
	<component uuid="6b9b34ad-ac13-43b6-a14c-e276ab4eaa73">
	<title/>
	<description/>
	<purpose/>
	<responsible-role/>
	<control-implementation
	uuid="559f76db-060f-44d0-bbc8-fdce1798e4ee"
	source="https://github.com/usnistgov/oscal-content/blob/master/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_MODERATE-baseline_profile.xml">
	<description/>
	<implemented-requirement uuid="5a82db6f-3bef-408b-b7f7-8c54b6136580">
	<description/>
	<set-parameter/>
	<statement
	statement-id="au-6_smt.a"
	uuid="5fee2acd-dbec-4d09-bc91-53c9e20e0ebf">
	<description>
	<p>This component provides NIST organizational policy for audit logging.
	The policy and materials will sufficiently prepare DevOPs engineers or
	system administrators of an information system to perform the necessary
	procedures and comply with NIST risk management requirements.</p>
	</description>
	</statement>
	</implemented-requirement>
	</control-implementation>
	</component>
	<back-matter>
	<resource uuid="2f78e608-d10d-4986-a3ae-a5cf02741a4d">
	<title>NIST OISM SSP for Common Controls - Audit Logging Policies and Procedures</title>
	<rlink media-type="application/pdf"
	href="https://intranet.nist.gov/oism/common-controls/au.pdf">
	</resource>
	<resource uuid="151a06ba-0083-4d96-b7d7-c00ba99d1a77">
	<title>Self-Assessment Report & Checklist for NIST OISM Event Log Reviews in Splunk</title>
	<rlink media-type="text/html"
	href="https://nistgov.sharepoint.com/:w:/s/OISMSecurityPrivacy/MTY5MDhhYTktODI1MS00NjhhLWIyZDktZTI3OTZhZmFlMjBk"/>
	</resource>
	</back-matter>
	</component-definition>