8 Audit Log Management
Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.
Why Is This Control Critical?
Log collection and analysis is critical for an enterprise's ability to detect malicious activity quickly. Sometimes audit records are the only evidence of a successful attack. Attackers know that many enterprises keep audit logs for compliance purposes but rarely analyze them. Attackers use this knowledge to hide their location, malicious software, and activities on victim machines. Due to poor or nonexistent log analysis processes, attackers sometimes control victim machines for months or years without anyone in the target enterprise knowing.
Safeguards (12)
| ID | Title | Asset Type | Function | Implementation Groups |
|---|---|---|---|---|
| 8.1 | Establish and Maintain an Audit Log Management Process | Network | Protect | IG1, IG2, IG3 |
| 8.2 | Collect Audit Logs | Network | Detect | IG1, IG2, IG3 |
| 8.3 | Ensure Adequate Audit Log Storage | Network | Protect | IG1, IG2, IG3 |
| 8.4 | Standardize Time Synchronization | Network | Protect | IG2, IG3 |
| 8.5 | Collect Detailed Audit Logs | Network | Detect | IG2, IG3 |
| 8.6 | Collect DNS Query Audit Logs | Network | Detect | IG2, IG3 |
| 8.7 | Collect URL Request Audit Logs | Network | Detect | IG2, IG3 |
| 8.8 | Collect Command-Line Audit Logs | Devices | Detect | IG2, IG3 |
| 8.9 | Centralize Audit Logs | Network | Detect | IG2, IG3 |
| 8.10 | Retain Audit Logs | Network | Protect | IG2, IG3 |
| 8.11 | Conduct Audit Log Reviews | Network | Detect | IG2, IG3 |
| 8.12 | Collect Service Provider Logs | Data | Detect | IG3 |