Safeguard 8.10 (IG2, IG3)

Retain Audit Logs

Control Group: 8. Audit Log Management
Asset Type: Network
Security Function: Protect

Description

Retain audit logs across enterprise assets for a minimum of 90 days.

Implementation Checklist

1. Assess the retention controls currently in place (rotation settings, SIEM retention tiers, storage quotas).
2. Configure and deploy the required retention controls.
3. Test control effectiveness in a non-production environment.
4. Deploy to production and verify functionality.
5. Document the configuration and operational procedures.
6. Enable logging on all in-scope systems.
7. Configure log forwarding to a centralized SIEM.
8. Define log retention periods per policy, with 90 days as the floor for every log source.
9. Establish a log review schedule and procedures.

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Historical Attack Evidence Destroyed by Premature Log Deletion

Integrity

Logs are retained for less than 90 days. When a breach is discovered months after the initial compromise and requires forensic investigation, the evidence from the initial intrusion and lateral-movement phases has already been purged, so the entry point, scope and timeline of the attack cannot be reconstructed.

Compliance Violation from Insufficient Log Retention

Availability

Regulatory requirements mandate specific log retention periods (often 1-7 years), and insufficient retention results in compliance failures, audit findings, and potential penalties during regulatory examinations.

Vulnerabilities (When Safeguard Absent)

Log Retention Below 90-Day Minimum

Audit logs are retained for fewer than 90 days because of storage constraints or misconfigured rotation policies, destroying the forensic evidence that incident investigations depend on. Industry breach-cost studies have repeatedly put the mean time to identify a breach at roughly 200 days, so the 90-day floor is a minimum, not a target.

No Log Retention Policy Enforcement Mechanism

Even where a retention policy exists on paper, no technical control (rotation settings checked against the policy, capacity alerting, retention locks on the log store, a periodic check of the oldest event still held per source) enforces the minimum, so storage pressure or a misconfiguration can silently purge logs before the required period expires.
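The enforcement gap just described, and checklist step 8 above, are what a technical check closes. The following Python script is an added example written for this page; it is not part of the CIS safeguard text or of any CIS tooling. It does two things: it parses a logrotate-style configuration and estimates the retention each stanza guarantees (rotate count times rotation interval, capped by maxage, with size-driven rotation reported as not time-bounded because logrotate then ignores the interval), and it compares the oldest event a central log store still holds for each source against the 90-day floor, which catches a purge caused by storage pressure that the configuration alone would never reveal. The logrotate snippet and the per-source inventory are constructed sample data; the interval lengths (monthly taken as 30 days) and the rotate-times-interval estimate are simplifying assumptions, and store_findings expects tz-aware UTC datetimes from whatever SIEM query produced the inventory.

```python
import re
from datetime import datetime, timedelta, timezone

MINIMUM_RETENTION_DAYS = 90
# Assumed calendar length of each logrotate scheduling keyword.
INTERVAL_DAYS = {"daily": 1, "weekly": 7, "monthly": 30, "yearly": 365}
# One logrotate stanza, "path(s) { directives }"; paths must sit on one line.
_STANZA_RE = re.compile(r"^(?P<paths>[^{}\n]+?)\s*\{(?P<body>[^}]*)\}", re.M)

def _directives(text):
    """Map directive name -> argument ('' for bare keywords), comments stripped."""
    result = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if parts:
            result[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return result

def _interval(directives):
    return next((INTERVAL_DAYS[k] for k in INTERVAL_DAYS if k in directives), None)

def logrotate_retention_days(config_text):
    """Return {path: estimated days retained} (None = not time-bounded); top-level lines are defaults."""
    first = _STANZA_RE.search(config_text)
    defaults = _directives(config_text[: first.start()]) if first else {}
    retention = {}
    for m in _STANZA_RE.finditer(config_text):
        body = _directives(m.group("body"))
        merged = {**defaults, **body}
        interval = _interval(body) or _interval(defaults)
        days = None
        # `size` makes logrotate ignore the interval, so age cannot be bounded.
        if "size" not in merged and interval is not None:
            days = int(merged.get("rotate", 0)) * interval
            if "maxage" in merged:  # maxage deletes rotated files early
                days = min(days, int(merged["maxage"]))
        for path in m.group("paths").split():
            retention[path] = days
    return retention

def config_findings(config_text, minimum_days=MINIMUM_RETENTION_DAYS):
    """Paths whose rotation settings cannot guarantee minimum_days of history."""
    findings = []
    for path, days in logrotate_retention_days(config_text).items():
        if days is None:
            findings.append((path, "rotation not time-bounded (size-based or no interval)"))
        elif days < minimum_days:
            findings.append((path, f"config keeps ~{days} days, minimum is {minimum_days}"))
    return findings

def store_findings(sources, as_of, minimum_days=MINIMUM_RETENTION_DAYS):
    """Oldest/newest held event per source vs. the floor; too-new sources are skipped, dead feeds reported."""
    floor = timedelta(days=minimum_days)
    findings = []
    for s in sources:
        if as_of - s["newest"] > timedelta(days=1):
            findings.append((s["source"], f"feed stale since {s['newest'].date()}"))
        if as_of - s["onboarded"] >= floor and as_of - s["oldest"] < floor:
            held = (as_of - s["oldest"]).days
            findings.append((s["source"], f"only {held} days held, minimum is {minimum_days}"))
    return findings

# Constructed sample config: one compliant stanza, three that fall short.
SAMPLE_LOGROTATE = """\
rotate 4
weekly
/var/log/auth.log {
    rotate 13
    weekly
}
/var/log/audit/audit.log {
    daily
    rotate 90
    maxage 60      # quietly caps retention far below the rotate count
}
/var/log/nginx/access.log {
    size 100M
    rotate 10
}
/var/log/syslog {
}
"""

def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

AS_OF = _utc(2024, 6, 30)
# Constructed inventory shaped like a SIEM "oldest/newest event per source" report.
SAMPLE_SOURCES = [
    {"source": "dc01-security", "onboarded": _utc(2023, 1, 1), "oldest": _utc(2024, 3, 20), "newest": AS_OF},
    {"source": "fw-edge", "onboarded": _utc(2023, 1, 1), "oldest": _utc(2024, 5, 15), "newest": AS_OF},
    {"source": "vpn-gw", "onboarded": _utc(2024, 6, 1), "oldest": _utc(2024, 6, 1), "newest": AS_OF},
    {"source": "web-prod", "onboarded": _utc(2023, 1, 1), "oldest": _utc(2024, 3, 1), "newest": _utc(2024, 6, 10)},
]

if __name__ == "__main__":
    print(*config_findings(SAMPLE_LOGROTATE), sep="\n")
    print(*store_findings(SAMPLE_SOURCES, AS_OF), sep="\n")
```

On the sample data the static check flags audit.log (maxage 60 overrides rotate 90), nginx access.log (size-based, so no time guarantee) and syslog (inherits the global rotate 4 weekly, about 28 days), while auth.log at 13 weekly rotations passes. The store check flags fw-edge, where only 46 days survive despite an old onboarding date, and web-prod, whose feed stopped three weeks ago; vpn-gw is skipped because it has not been collecting for 90 days yet. Running both checks on a schedule, and treating any finding as an incident in its own right, is the enforcement mechanism the paper policy lacks.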

Evidence Requirements

Type      | Evidence Item                                                                               | Collection Frequency
Technical | Configuration exports or screenshots showing retention settings enabled on in-scope systems | Captured quarterly
Document  | Procedure documentation for the retention controls                                          | Reviewed annually
Technical | SIEM dashboard showing log sources and collection status                                    | Captured monthly
Record    | Log review records and findings                                                             | Per review cycle
Document  | Governing policy document (current, approved, communicated)                                 | Reviewed annually