cisagov / ScubaGoggles

SCuBA Secure Configuration Baselines and assessment tool for Google Workspace
https://www.cisa.gov/resources-tools/services/secure-cloud-business-applications-scuba-project
Creative Commons Zero v1.0 Universal

GWS.COMMONCONTROLS.14.1v0.1 implementation steps incomplete #240

Closed adhilto closed 1 month ago

adhilto commented 6 months ago

The baseline requirement: image

What the implementation steps say to do: image

This will send logs to GCP. But the requirement is to send the logs to "the agency's centralized SIEM," which seems like it would require an additional step, depending on what the agency is using as their SIEM.

jkaufman-mitre commented 6 months ago

Will assess with the team and make needed changes.

jkaufman-mitre commented 5 months ago

Will discuss with @tmcomeau to determine what action should be taken.

jkaufman-mitre commented 5 months ago

After discussing this issue with @tmcomeau, @lrsmitre, @prodjom, and @mdueltgen we believe changes need to be made. We propose the following options:

Option 1: Leave the policy as is and add an implementation step saying to follow the steps in the GCP link I found for sending logs to a SIEM.

Option 2: Change the policy to make the requirement to have the logs sent to GCP and in the note say that the policy is to facilitate the sending of logs to a SIEM.

@adhilto and @buidav Which option do you think would be the best as we cannot include specific implementation on how to connect to a SIEM as it could be different for each agency.

buidav commented 5 months ago

> @adhilto and @buidav Which option do you think would be the best as we cannot include specific implementation on how to connect to a SIEM as it could be different for each agency.

There was a similar discussion for M365 AAD 4.1 with Ted and the M365 team. Instead of having instructions of how to send the logs to any one place, the instructions were left to be generic with a note on the policy pointing to CLAW. Note that this policy we still have some back and forth with, as it is the least prescriptive policy in AAD. Rope in Ted if you want to hear his thoughts on it.

Instructions: Follow the configuration instructions unique to the products and integration patterns at your organization to send the security logs to the security operations center for monitoring.

Note: Agencies can benefit from security detection capabilities offered by the CISA Cloud Log Aggregation Warehouse (CLAW) system. Agencies are urged to send the logs to CLAW. Contact CISA at [cyberliason@cisa.dhs.gov](mailto:cyberliason@cisa.dhs.gov) to request integration instructions.

jkaufman-mitre commented 5 months ago

@buidav Ok, thank you! I will use the instructions you provided.

jkaufman-mitre commented 5 months ago

Pull request has been created.