Audit Log Management
Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.
Why Is This Control Critical?
Log collection and analysis is critical for an enterprise's ability to detect malicious activity quickly. Sometimes audit records are the only evidence of a successful attack. Attackers know that many enterprises keep audit logs for compliance purposes but rarely analyze them. Attackers use this knowledge to hide their location, malicious software, and activities on victim machines. Due to poor or nonexistent log analysis processes, attackers sometimes control victim machines for months or years without anyone in the target enterprise knowing.
Safeguards (12)
| ID | Title | Function | IG | Checklist Items | Evidence |
|---|---|---|---|---|---|
| 8.1 | Establish and Maintain an Audit Log Management Process | Protect | IG1, IG2, IG3 | 7 | 5 |
| 8.2 | Collect Audit Logs | Detect | IG1, IG2, IG3 | 8 | 5 |
| 8.3 | Ensure Adequate Audit Log Storage | Protect | IG1, IG2, IG3 | 7 | 5 |
| 8.4 | Standardize Time Synchronization | Protect | IG2, IG3 | 5 | 3 |
| 8.5 | Collect Detailed Audit Logs | Detect | IG2, IG3 | 8 | 5 |
| 8.6 | Collect DNS Query Audit Logs | Detect | IG2, IG3 | 9 | 6 |
| 8.7 | Collect URL Request Audit Logs | Detect | IG2, IG3 | 8 | 5 |
| 8.8 | Collect Command-Line Audit Logs | Detect | IG2, IG3 | 8 | 5 |
| 8.9 | Centralize Audit Logs | Detect | IG2, IG3 | 8 | 5 |
| 8.10 | Retain Audit Logs | Protect | IG2, IG3 | 7 | 5 |
| 8.11 | Conduct Audit Log Reviews | Detect | IG2, IG3 | 8 | 5 |
| 8.12 | Collect Service Provider Logs | Detect | IG3 | 12 | 7 |
Audit Verification Details
8.1 Establish and Maintain an Audit Log Management Process
Establish and maintain an audit log management process that defines the enterprise's logging requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Required protection controls are deployed and configured per the approved baseline. | Configuration exports, screenshots, or compliance scan results |
| Control effectiveness has been validated through testing. | Test results, validation reports, or scan output |
| Audit logging is enabled on all in-scope systems and forwarded to a centralized SIEM. | SIEM source status dashboard, log forwarding configuration |
| Changes to protection controls follow the change management process. | Change tickets, approval records |
| Logs are retained per the defined retention period and reviewed on schedule. | Retention policy config, log review records |

| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Technical | SIEM dashboard showing log sources and collection status | Captured monthly |
| Record | Log review records and findings | Per review cycle |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
8.2 Collect Audit Logs
Collect audit logs. Ensure that logging, per the enterprise's audit log management process, has been enabled across enterprise assets.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Detection tools are deployed and actively collecting data. | Dashboard screenshots showing agent/sensor status and data flow |
| Alerting is configured with defined thresholds and notification channels. | Alert rule configuration exports, notification channel setup |
| Audit logging is enabled on all in-scope systems and forwarded to a centralized SIEM. | SIEM source status dashboard, log forwarding configuration |
| Alerts are reviewed and triaged within the defined SLA. | Alert response logs, triage records with timestamps |
| Detection coverage has been tested with simulated events. | Detection test results, purple team exercise reports |
| Logs are retained per the defined retention period and reviewed on schedule. | Retention policy config, log review records |

| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Detection tool deployment evidence (dashboard screenshots, agent status) | Captured monthly |
| Technical | Sample alert/detection output demonstrating capability | Captured quarterly |
| Technical | SIEM dashboard showing log sources and collection status | Captured monthly |
| Record | Log review records and findings | Per review cycle |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
8.3 Ensure Adequate Audit Log Storage
Ensure that logging destinations maintain adequate storage to comply with the enterprise's audit log management process.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Required protection controls are deployed and configured per the approved baseline. | Configuration exports, screenshots, or compliance scan results |
| Control effectiveness has been validated through testing. | Test results, validation reports, or scan output |
| Audit logging is enabled on all in-scope systems and forwarded to a centralized SIEM. | SIEM source status dashboard, log forwarding configuration |
| Changes to protection controls follow the change management process. | Change tickets, approval records |
| Logs are retained per the defined retention period and reviewed on schedule. | Retention policy config, log review records |

| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Technical | SIEM dashboard showing log sources and collection status | Captured monthly |
| Record | Log review records and findings | Per review cycle |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
8.4 Standardize Time Synchronization
Standardize time synchronization. Configure at least two synchronized time sources across enterprise assets, where supported.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Required protection controls are deployed and configured per the approved baseline. | Configuration exports, screenshots, or compliance scan results |
| Control effectiveness has been validated through testing. | Test results, validation reports, or scan output |
| Changes to protection controls follow the change management process. | Change tickets, approval records |

| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
8.5 Collect Detailed Audit Logs
Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Detection tools are deployed and actively collecting data. | Dashboard screenshots showing agent/sensor status and data flow |
| Alerting is configured with defined thresholds and notification channels. | Alert rule configuration exports, notification channel setup |
| Audit logging is enabled on all in-scope systems and forwarded to a centralized SIEM. | SIEM source status dashboard, log forwarding configuration |
| Alerts are reviewed and triaged within the defined SLA. | Alert response logs, triage records with timestamps |
| Detection coverage has been tested with simulated events. | Detection test results, purple team exercise reports |
| Logs are retained per the defined retention period and reviewed on schedule. | Retention policy config, log review records |

| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Detection tool deployment evidence (dashboard screenshots, agent status) | Captured monthly |
| Technical | Sample alert/detection output demonstrating capability | Captured quarterly |
| Technical | SIEM dashboard showing log sources and collection status | Captured monthly |
| Record | Log review records and findings | Per review cycle |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
8.6 Collect DNS Query Audit Logs
Collect DNS query audit logs on enterprise assets, where appropriate and supported.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Detection tools are deployed and actively collecting data. | Dashboard screenshots showing agent/sensor status and data flow |
| Alerting is configured with defined thresholds and notification channels. | Alert rule configuration exports, notification channel setup |
| Audit logging is enabled on all in-scope systems and forwarded to a centralized SIEM. | SIEM source status dashboard, log forwarding configuration |
| DNS filtering is active and blocking known malicious domains. | DNS filter configuration, block statistics |
| Alerts are reviewed and triaged within the defined SLA. | Alert response logs, triage records with timestamps |
| Detection coverage has been tested with simulated events. | Detection test results, purple team exercise reports |
| Logs are retained per the defined retention period and reviewed on schedule. | Retention policy config, log review records |

| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Detection tool deployment evidence (dashboard screenshots, agent status) | Captured monthly |
| Technical | Sample alert/detection output demonstrating capability | Captured quarterly |
| Technical | SIEM dashboard showing log sources and collection status | Captured monthly |
| Record | Log review records and findings | Per review cycle |
| Technical | DNS filtering configuration and block statistics | Captured monthly |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
8.7 Collect URL Request Audit Logs
Collect URL request audit logs on enterprise assets, where appropriate and supported.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Detection tools are deployed and actively collecting data. | Dashboard screenshots showing agent/sensor status and data flow |
| Alerting is configured with defined thresholds and notification channels. | Alert rule configuration exports, notification channel setup |
| Audit logging is enabled on all in-scope systems and forwarded to a centralized SIEM. | SIEM source status dashboard, log forwarding configuration |
| Alerts are reviewed and triaged within the defined SLA. | Alert response logs, triage records with timestamps |
| Detection coverage has been tested with simulated events. | Detection test results, purple team exercise reports |
| Logs are retained per the defined retention period and reviewed on schedule. | Retention policy config, log review records |

| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Detection tool deployment evidence (dashboard screenshots, agent status) | Captured monthly |
| Technical | Sample alert/detection output demonstrating capability | Captured quarterly |
| Technical | SIEM dashboard showing log sources and collection status | Captured monthly |
| Record | Log review records and findings | Per review cycle |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
8.8 Collect Command-Line Audit Logs
Collect command-line audit logs. Example implementations include collecting audit logs from PowerShell®, BASH™, and remote administrative terminals.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Detection tools are deployed and actively collecting data. | Dashboard screenshots showing agent/sensor status and data flow |
| Alerting is configured with defined thresholds and notification channels. | Alert rule configuration exports, notification channel setup |
| Audit logging is enabled on all in-scope systems and forwarded to a centralized SIEM. | SIEM source status dashboard, log forwarding configuration |
| Alerts are reviewed and triaged within the defined SLA. | Alert response logs, triage records with timestamps |
| Detection coverage has been tested with simulated events. | Detection test results, purple team exercise reports |
| Logs are retained per the defined retention period and reviewed on schedule. | Retention policy config, log review records |

| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Detection tool deployment evidence (dashboard screenshots, agent status) | Captured monthly |
| Technical | Sample alert/detection output demonstrating capability | Captured quarterly |
| Technical | SIEM dashboard showing log sources and collection status | Captured monthly |
| Record | Log review records and findings | Per review cycle |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
8.9 Centralize Audit Logs
Centralize, to the extent possible, audit log collection and retention across enterprise assets.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Detection tools are deployed and actively collecting data. | Dashboard screenshots showing agent/sensor status and data flow |
| Alerting is configured with defined thresholds and notification channels. | Alert rule configuration exports, notification channel setup |
| Audit logging is enabled on all in-scope systems and forwarded to a centralized SIEM. | SIEM source status dashboard, log forwarding configuration |
| Alerts are reviewed and triaged within the defined SLA. | Alert response logs, triage records with timestamps |
| Detection coverage has been tested with simulated events. | Detection test results, purple team exercise reports |
| Logs are retained per the defined retention period and reviewed on schedule. | Retention policy config, log review records |

| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Detection tool deployment evidence (dashboard screenshots, agent status) | Captured monthly |
| Technical | Sample alert/detection output demonstrating capability | Captured quarterly |
| Technical | SIEM dashboard showing log sources and collection status | Captured monthly |
| Record | Log review records and findings | Per review cycle |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
8.10 Retain Audit Logs
Retain audit logs across enterprise assets for a minimum of 90 days.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Required protection controls are deployed and configured per the approved baseline. | Configuration exports, screenshots, or compliance scan results |
| Control effectiveness has been validated through testing. | Test results, validation reports, or scan output |
| Audit logging is enabled on all in-scope systems and forwarded to a centralized SIEM. | SIEM source status dashboard, log forwarding configuration |
| Changes to protection controls follow the change management process. | Change tickets, approval records |
| Logs are retained per the defined retention period and reviewed on schedule. | Retention policy config, log review records |

| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Technical | SIEM dashboard showing log sources and collection status | Captured monthly |
| Record | Log review records and findings | Per review cycle |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
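The two measurable requirements above, the forensic elements Safeguard 8.5 lists and the 90-day floor of Safeguard 8.10, can be checked mechanically against a log export. The script below is an added example, not CIS material or a vendor tool; the JSON key names, the `REQUIRED_FIELDS` mapping and the sample records are constructed for a hypothetical pipeline and would be adapted to your own schema.

```python
"""Check detailed audit-log records for the elements Safeguard 8.5 lists and
measure coverage against the 90-day retention floor of Safeguard 8.10.
Added example, not CIS text; key names and sample records are constructed."""
import json
from datetime import datetime, timezone

# Safeguard 8.5 element -> key in our hypothetical pipeline's JSON schema.
REQUIRED_FIELDS = {
    "event source": "source",
    "date/timestamp": "timestamp",
    "username": "user",
    "source address": "src_ip",
    "destination address": "dst_ip",
}
RETENTION_DAYS = 90  # Safeguard 8.10 minimum


def parse_records(lines):
    """Parse newline-delimited JSON, reporting malformed lines by number
    instead of dropping them silently (a silent drop hides collection gaps)."""
    records, malformed = [], []
    for n, line in enumerate(lines, 1):
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            malformed.append(n)
    return records, malformed


def missing_elements(record):
    """8.5 elements absent from one record; empty strings and nulls count
    as missing because they carry no forensic value."""
    return [name for name, key in REQUIRED_FIELDS.items() if not record.get(key)]


def retention_shortfall_days(records, now, required_days=RETENTION_DAYS):
    """Days by which the oldest timestamped record fails to reach the
    retention floor; 0 means the full window is covered."""
    stamps = [datetime.fromisoformat(r["timestamp"])
              for r in records if r.get("timestamp")]
    if not stamps:
        return required_days
    return max(0, required_days - (now - min(stamps)).days)


def audit_report(lines, now):
    """Summarise one log export: parse failures, per-record 8.5 gaps, retention."""
    records, malformed = parse_records(lines)
    gaps = {i: m for i, r in enumerate(records, 1) if (m := missing_elements(r))}
    return {
        "records": len(records),
        "malformed_lines": malformed,
        "incomplete_records": gaps,
        "retention_shortfall_days": retention_shortfall_days(records, now),
    }

# Constructed sample export: one complete record, one missing the user and
# destination address, one unparsable line. Oldest record is 40 days before NOW.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_LINES = [
    '{"source": "sshd", "timestamp": "2024-04-22T08:15:00+00:00", "user": "alice",'
    ' "src_ip": "10.0.0.5", "dst_ip": "10.0.0.20", "action": "login"}',
    '{"source": "fileserver", "timestamp": "2024-05-30T17:02:11+00:00", "user": "",'
    ' "src_ip": "10.0.0.7", "action": "read"}',
    "not json at all",
]

if __name__ == "__main__":
    print(json.dumps(audit_report(SAMPLE_LINES, NOW), indent=2))
```

The report's `incomplete_records` and `malformed_lines` are the kind of output that belongs in the log review records evidenced above, since a record that parses but lacks a username or destination is a collection gap, not a clean log.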
8.11 Conduct Audit Log Reviews
Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Detection tools are deployed and actively collecting data. | Dashboard screenshots showing agent/sensor status and data flow |
| Alerting is configured with defined thresholds and notification channels. | Alert rule configuration exports, notification channel setup |
| Audit logging is enabled on all in-scope systems and forwarded to a centralized SIEM. | SIEM source status dashboard, log forwarding configuration |
| Alerts are reviewed and triaged within the defined SLA. | Alert response logs, triage records with timestamps |
| Detection coverage has been tested with simulated events. | Detection test results, purple team exercise reports |
| Logs are retained per the defined retention period and reviewed on schedule. | Retention policy config, log review records |

| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Detection tool deployment evidence (dashboard screenshots, agent status) | Captured monthly |
| Technical | Sample alert/detection output demonstrating capability | Captured quarterly |
| Technical | SIEM dashboard showing log sources and collection status | Captured monthly |
| Record | Log review records and findings | Per review cycle |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
8.12 Collect Service Provider Logs
Collect service provider logs, where supported. Example implementations include collecting authentication and authorization events, data creation and disposal events, and user management events.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Contracts with third parties include security requirements. | Contract excerpts showing security clauses |
| Detection tools are deployed and actively collecting data. | Dashboard screenshots showing agent/sensor status and data flow |
| Alerting is configured with defined thresholds and notification channels. | Alert rule configuration exports, notification channel setup |
| Audit logging is enabled on all in-scope systems and forwarded to a centralized SIEM. | SIEM source status dashboard, log forwarding configuration |
| Multi-factor authentication is enforced on all in-scope systems and accounts. | MFA enrollment status reports, conditional access policy config |
| Alerts are reviewed and triaged within the defined SLA. | Alert response logs, triage records with timestamps |
| Detection coverage has been tested with simulated events. | Detection test results, purple team exercise reports |
| Logs are retained per the defined retention period and reviewed on schedule. | Retention policy config, log review records |
| MFA exceptions are documented and approved, and compensating controls are in place. | Exception records with compensating control documentation |
| Third-party service providers are inventoried and risk-assessed. | Vendor inventory, risk assessment reports, security scorecards |

| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Detection tool deployment evidence (dashboard screenshots, agent status) | Captured monthly |
| Technical | Sample alert/detection output demonstrating capability | Captured quarterly |
| Technical | SIEM dashboard showing log sources and collection status | Captured monthly |
| Record | Log review records and findings | Per review cycle |
| Record | Third-party risk assessment reports and scorecards | Annually per vendor |
| Document | Vendor contracts with security requirements | Per contract cycle |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |