Closed adhilto closed 1 month ago
Will assess with the team and make needed changes.
Will discuss with @tmcomeau to determine what action should be taken.
After discussing this issue with @tmcomeau, @lrsmitre, @prodjom, and @mdueltgen we believe changes need to be made. We propose the following options:
Option 1: Leave the policy as is and add an implementation step saying to follow the steps in the GCP link I found for sending logs to a SIEM.
Option 2: Change the policy to make the requirement to have the logs sent to GCP, and in the note say that the policy is to facilitate the sending of logs to a SIEM.
@adhilto and @buidav Which option do you think would be the best, as we cannot include specific implementation steps on how to connect to a SIEM since it could be different for each agency?
There was a similar discussion for M365 AAD 4.1 with Ted and the M365 team. Instead of having instructions on how to send the logs to any one place, the instructions were left generic, with a note on the policy pointing to CLAW. Note that we still have some back and forth on this policy, as it is the least prescriptive policy in AAD. Rope in Ted if you want to hear his thoughts on it.
Instructions:
Follow the configuration instructions unique to the products and integration patterns at your organization to send the security logs to the security operations center for monitoring.
Note: Agencies can benefit from security detection capabilities offered by the CISA Cloud Log Aggregation Warehouse (CLAW) system. Agencies are urged to send the logs to CLAW. Contact CISA at [cyberliason@cisa.dhs.gov](mailto:cyberliason@cisa.dhs.gov) to request integration instructions.
@buidav Ok, thank you! I will use the instructions you provided.
Pull request has been created.
The baseline requirement:
What the implementation steps say to do:
This will send logs to GCP. But the requirement is to send the logs to "the agency's centralized SIEM," which seems like it would require an additional step, depending on what the agency is using as their SIEM.