8.11 Conduct Audit Log Reviews

Implementation Groups: IG2, IG3

Control Group: 8. Audit Log Management
Asset Type: Network
Security Function: Detect

Description

Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis.

Implementation Checklist

1. Deploy detection tools or enable detection capabilities
2. Configure alerting thresholds and notification channels
3. Establish monitoring schedule and review process
4. Test detection capabilities with simulated events
5. Document detection procedures and escalation paths
6. Enable logging on all in-scope systems
7. Configure log forwarding to centralized SIEM
8. Define log retention periods per policy
9. Establish log review schedule and procedures

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Prolonged Attacker Dwell Time from Unreviewed Logs

Confidentiality

Audit logs capture indicators of compromise including failed authentication attempts, privilege escalation events, and unusual data access patterns, but without regular review these warnings go unnoticed while attackers operate freely for months.

Missed Insider Threat Indicators in Stale Log Data

Confidentiality

Audit logs contain patterns indicating insider threats such as after-hours data access, bulk downloads, or privilege abuse, but without weekly log reviews these behavioral anomalies are never flagged or investigated.

Brute Force Attacks Succeeding Without Alert Escalation

Confidentiality

Brute force and password spraying attacks generate obvious log patterns across authentication systems, but without scheduled log reviews and anomaly detection these attacks succeed before anyone notices the authentication anomalies.

Vulnerabilities (When Safeguard Absent)

No Scheduled Log Review Process or Cadence

The organization collects audit logs but has no process for regularly reviewing them, treating log collection as a compliance checkbox rather than an active threat detection capability.

No Defined Anomaly Detection Criteria for Log Reviews

Even when logs are reviewed, analysts lack defined criteria for what constitutes an anomaly or abnormal event, resulting in subjective and inconsistent review quality that misses subtle indicators of compromise.
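The brute force and password spraying scenario above and this vulnerability both come down to the same gap: review criteria that are written down and applied the same way every cycle. The script below is an added example, not part of the CIS safeguard text or any CIS tooling. It encodes a small set of explicit review criteria (repeated failures against one account from one source, failures spread across many accounts from one source, successful logins outside business hours, and bulk file downloads by one user) and runs them over a constructed batch of audit lines in a simple `timestamp key=value` format. The thresholds, the log format, the user names and the addresses are all assumptions chosen for illustration.

```python
"""Scripted, repeatable review criteria applied to a batch of audit log lines.

Added example: the log format, thresholds and sample data are constructed for
illustration and do not come from the CIS safeguard or any specific product.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Thresholds are assumptions; the point is that they are written down so that
# two analysts reviewing the same week of logs reach the same findings.
FAILED_AUTH_THRESHOLD = 10      # failures from one source against one account
SPRAY_ACCOUNT_THRESHOLD = 5     # distinct accounts with failures from one source
BULK_DOWNLOAD_THRESHOLD = 50    # file downloads by one user in the review window
BUSINESS_HOURS = range(8, 19)   # 08:00-18:59 UTC counts as in-hours


def parse_line(line):
    """Parse one constructed '<ISO timestamp> key=value ...' line into a dict."""
    ts, _, rest = line.partition(" ")
    event = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00"))}
    for field in rest.split():
        key, _, value = field.partition("=")
        event[key] = value
    return event


def review(lines):
    """Apply the review criteria; return a list of (criterion, detail) findings."""
    events = [parse_line(line) for line in lines if line.strip()]
    failures = Counter()            # (src, user) -> failed login count
    sprayed = defaultdict(set)      # src -> accounts that saw failures from it
    downloads = Counter()           # user -> file download count
    findings = []

    for e in events:
        if e.get("event") == "auth" and e.get("result") == "fail":
            failures[(e["src"], e["user"])] += 1
            sprayed[e["src"]].add(e["user"])
        elif e.get("event") == "auth" and e.get("result") == "success":
            # Criterion: successful authentication outside business hours.
            if e["ts"].hour not in BUSINESS_HOURS:
                findings.append(("after_hours_login",
                                 f"{e['user']} from {e['src']} at {e['ts'].isoformat()}"))
        elif e.get("event") == "file_download":
            downloads[e["user"]] += 1

    # Criterion: many failures against one account from one source (brute force).
    for (src, user), n in failures.items():
        if n >= FAILED_AUTH_THRESHOLD:
            findings.append(("brute_force", f"{n} failures for {user} from {src}"))
    # Criterion: failures spread across many accounts from one source (spraying).
    for src, users in sprayed.items():
        if len(users) >= SPRAY_ACCOUNT_THRESHOLD:
            findings.append(("password_spray", f"{len(users)} accounts targeted from {src}"))
    # Criterion: one user pulling an unusual volume of files (bulk download).
    for user, n in downloads.items():
        if n >= BULK_DOWNLOAD_THRESHOLD:
            findings.append(("bulk_download", f"{user} downloaded {n} files"))
    return findings


def sample_log():
    """Constructed sample batch: one brute-forcing source, one spraying source,
    one after-hours login and one bulk downloader. Not real data."""
    lines = []
    for i in range(12):
        lines.append(f"2024-05-06T10:{i:02d}:00Z event=auth result=fail user=alice src=203.0.113.10")
    for i, user in enumerate(["bob", "carol", "dave", "erin", "frank", "grace"]):
        lines.append(f"2024-05-06T11:{i:02d}:00Z event=auth result=fail user={user} src=203.0.113.20")
    lines.append("2024-05-06T02:30:00Z event=auth result=success user=mallory src=203.0.113.30")
    lines.append("2024-05-06T14:00:00Z event=auth result=success user=alice src=198.51.100.5")
    for i in range(60):
        lines.append(f"2024-05-06T15:{i:02d}:00Z event=file_download user=mallory file=report_{i}.pdf")
    return lines


if __name__ == "__main__":
    for criterion, detail in review(sample_log()):
        print(f"{criterion:18} {detail}")
```

Each finding names the criterion that produced it, which is what the review record for the cycle should capture alongside the thresholds in force; changing a threshold then becomes a documented change to the procedure rather than one analyst's judgement call.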

Evidence Requirements

Type      | Evidence Item                                                             | Collection Frequency
----------|---------------------------------------------------------------------------|---------------------
Technical | Detection tool deployment evidence (dashboard screenshots, agent status)  | Captured monthly
Technical | Sample alert/detection output demonstrating capability                    | Captured quarterly
Technical | SIEM dashboard showing log sources and collection status                  | Captured monthly
Record    | Log review records and findings                                           | Per review cycle
Document  | Governing policy document (current, approved, communicated)               | Reviewed annually