Ensure that alert and event publication settings cannot be changed to suppress security-relevant notifications without authorization.
Validate Alert and Event Publication Configuration
CCC.Core.CN15 · Observability
Related Capabilities
| ID | Title | Description |
|---|---|---|
| CCC.Core.CP07 | Event Publication | The service automatically publishes a structured state-change record upon creation, deletion, or modification of data, configuration, components, or child resources. |
| CCC.Core.CP17 | Alerting | The service may be configured to emit a notification based on a user-defined condition related to the data published by a child or networked resource. |
| CCC.Core.CP10 | Log Publication | The service automatically publishes structured, verbose records of activities, operations, or events that occur within the service. |
| CCC.Core.CP09 | Metrics Publication | The service automatically publishes structured, numeric, time-series data points related to the performance, availability, and health of the service or its child resources. |
Related Threats
| ID | Title | Description |
|---|---|---|
| CCC.Core.TH11 | Publications are Incorrectly Triggered | Incorrectly triggered publications may disseminate inaccurate or misleading information, creating a data integrity risk. Such misinformation can cause unintended operations to be initiated, conceal legitimate issues, and disrupt the availability or reliability of systems and their data. |
| CCC.Core.TH16 | Publications are Disabled | Publication of events, metrics, and runtime logs may be disabled, leading to a lack of expected security and operational information being shared. This can impact system availability by delaying the detection of incidents while also impacting system design decisions and enforcement of operational thresholds, such as autoscaling or cost management. |
Assessment Requirements
| ID | Text | Applicability |
|---|---|---|
| CCC.Core.CN15.AR01 | When an attempt is made to disable security-relevant alerts or event publication for the service or a child resource, the service MUST require authorization from a privileged administrative principal. | tlp-clear, tlp-green, tlp-amber, tlp-red |
| CCC.Core.CN15.AR02 | When alert thresholds are modified on the service or a child resource, the service MUST log the client identity, time, and nature of the change. | tlp-amber, tlp-red |
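
One way to assess exported audit records against CCC.Core.CN15.AR01 and CCC.Core.CN15.AR02, honoring the applicability column above. This is an added example, not part of the control catalog; the record fields, action names and the `privileged-admin` role label are hypothetical and must be mapped to the audit schema of the service under assessment.

```python
from datetime import datetime

# Applicability per requirement, copied from the Assessment Requirements table.
APPLICABILITY = {
    "CCC.Core.CN15.AR01": {"tlp-clear", "tlp-green", "tlp-amber", "tlp-red"},
    "CCC.Core.CN15.AR02": {"tlp-amber", "tlp-red"},
}
# Hypothetical action names and role label (assumptions, not a real provider schema).
DISABLE_ACTIONS = {"alert.disable", "event_publication.disable"}
THRESHOLD_ACTION = "alert.threshold.update"
PRIVILEGED_ROLE = "privileged-admin"


def _valid_time(value):
    try:
        datetime.fromisoformat(value)
        return True
    except (TypeError, ValueError):
        return False


def assess(records, tlp):
    """Return a sorted list of (record id, requirement id) findings."""
    findings = []
    for r in records:
        action = r.get("action")
        if action in DISABLE_ACTIONS and tlp in APPLICABILITY["CCC.Core.CN15.AR01"]:
            # AR01: a disable attempt may only succeed for a privileged principal.
            if r.get("outcome") == "allowed" and PRIVILEGED_ROLE not in r.get("roles", []):
                findings.append((r["id"], "CCC.Core.CN15.AR01"))
        elif action == THRESHOLD_ACTION and tlp in APPLICABILITY["CCC.Core.CN15.AR02"]:
            # AR02: the record must carry client identity, time and nature of the change.
            change = r.get("change") or {}
            complete = (r.get("principal") and _valid_time(r.get("time"))
                        and "old" in change and "new" in change)
            if not complete:
                findings.append((r["id"], "CCC.Core.CN15.AR02"))
    return sorted(findings)


# Constructed sample audit records (not from any real service).
SAMPLE = [
    {"id": "e1", "action": "alert.disable", "principal": "alice", "roles": ["privileged-admin"], "outcome": "allowed"},
    {"id": "e2", "action": "event_publication.disable", "principal": "bob", "roles": ["developer"], "outcome": "allowed"},
    {"id": "e3", "action": "alert.disable", "principal": "bob", "roles": ["developer"], "outcome": "denied"},
    {"id": "e4", "action": "alert.threshold.update", "principal": "carol", "time": "2024-05-01T10:00:00+00:00", "change": {"old": 80, "new": 95}},
    {"id": "e5", "action": "alert.threshold.update", "principal": None, "time": "2024-05-01T11:00:00+00:00", "change": {"new": 99}},
]
```

The check only evaluates records that exist; a threshold change that produced no record at all has to be caught by comparing the current alert configuration with the last reviewed baseline.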