Collect Service Provider Logs
Description
Collect service provider logs, where supported. Example implementations include collecting authentication and authorization events, data creation and disposal events, and user management events.
Implementation Checklist
Tool Recommendations
SIEM platform with log management, threat detection, investigation, and compliance reporting across enterprise data sources
Cisco (Splunk) · Ingest-based or workload-based
Cloud-native SIEM and SOAR with AI-driven analytics, automated threat response, and native Azure/M365 integration
Microsoft · Pay-as-you-go (per GB ingested)
High-performance log management and observability platform designed for petabyte-scale data with real-time search
CrowdStrike · Per-GB subscription
Threats & Vulnerabilities (CIS RAM)
Threat Scenarios
SaaS Account Compromise Without Audit Visibility
Confidentiality: Attackers compromise credentials for cloud service provider platforms (Microsoft 365, AWS, Salesforce) and the organization has no visibility into authentication events, privilege changes, or data access because service provider logs are not collected.
Cloud Data Exfiltration via Unmonitored Provider APIs
Confidentiality: Sensitive data stored in cloud platforms is accessed or exported through provider APIs and sharing mechanisms, but without collecting service provider logs the organization cannot detect unauthorized data access or exfiltration from these platforms.
Shadow Administrator Activity in Cloud Services
Integrity: Unauthorized privilege escalation or admin account creation in cloud service providers goes undetected because user management events from these platforms are not collected or monitored by the enterprise security team.
Vulnerabilities (When Safeguard Absent)
No Integration with Cloud Service Provider Log APIs
The organization has not configured log collection from cloud service providers (AWS CloudTrail, Azure Activity Logs, Google Cloud Audit Logs, Microsoft 365 Unified Audit Log), leaving all cloud-based activity unmonitored.
SaaS Application Logs Not Forwarded to Central SIEM
Business-critical SaaS applications have audit logging capabilities, but their logs are not forwarded to the enterprise SIEM, creating visibility gaps for applications that process sensitive data outside the on-premises infrastructure.
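As an added example that is not part of the CIS safeguard text or of any product listed above, the following Python script shows the kind of processing a collection pipeline applies once provider logs are actually flowing: it normalizes a constructed AWS CloudTrail record and a constructed Microsoft 365 Unified Audit Log record onto one common schema, flags the user-management events the threat scenarios describe (policy attachment, directory role assignment), and reports any expected provider feed that has gone silent, which is the vulnerability the two items above describe. Field names follow the public CloudTrail and Unified Audit Log formats as far as I know them; the sample values, the event-name lists and the 24-hour staleness threshold are assumptions chosen for illustration.

```python
"""Normalize service provider audit records and flag user-management events.

Added example, not part of the CIS safeguard page. The two records below are
constructed for illustration; their field names follow the public AWS
CloudTrail and Microsoft 365 Unified Audit Log schemas, but treat the exact
values, the event lists and the staleness threshold as assumptions.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample records (real exports carry many more fields).
SAMPLE_CLOUDTRAIL = json.dumps({
    "eventTime": "2024-05-01T10:15:00Z",
    "eventSource": "iam.amazonaws.com",
    "eventName": "AttachUserPolicy",
    "userIdentity": {"type": "IAMUser", "userName": "alice"},
    "requestParameters": {"userName": "bob",
                          "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
    "sourceIPAddress": "203.0.113.10",
})
SAMPLE_M365 = json.dumps({
    "CreationTime": "2024-05-01T10:20:00",
    "Workload": "AzureActiveDirectory",
    "Operation": "Add member to role.",
    "UserId": "alice@example.com",
    "ObjectId": "bob@example.com",
    "ModifiedProperties": [{"Name": "Role.DisplayName", "NewValue": "Global Administrator"}],
})

# Provider operations that change who holds privileges (the safeguard's
# "user management events"). Illustrative lists, not exhaustive ones.
PRIV_EVENTS = {
    "cloudtrail": {"AttachUserPolicy", "CreateUser", "CreateAccessKey",
                   "PutUserPolicy", "AddUserToGroup"},
    "m365": {"Add member to role.", "Add user.", "Update user.", "Reset user password."},
}


def normalize(source: str, raw: str) -> dict:
    """Map one provider-specific JSON record onto a common event schema."""
    rec = json.loads(raw)
    if source == "cloudtrail":
        params = rec.get("requestParameters", {})
        return {
            "source": source,
            "time": datetime.fromisoformat(rec["eventTime"].replace("Z", "+00:00")),
            "actor": rec.get("userIdentity", {}).get("userName", "unknown"),
            "action": rec["eventName"],
            "target": params.get("userName", ""),
            "detail": params.get("policyArn", ""),
        }
    if source == "m365":
        props = {p["Name"]: p.get("NewValue", "") for p in rec.get("ModifiedProperties", [])}
        return {
            "source": source,
            # Unified Audit Log timestamps are UTC without an offset.
            "time": datetime.fromisoformat(rec["CreationTime"]).replace(tzinfo=timezone.utc),
            "actor": rec.get("UserId", "unknown"),
            "action": rec["Operation"],
            "target": rec.get("ObjectId", ""),
            "detail": props.get("Role.DisplayName", ""),
        }
    raise ValueError(f"unknown source {source}")


def is_user_management_event(event: dict) -> bool:
    return event["action"] in PRIV_EVENTS.get(event["source"], set())


def collection_gaps(last_seen: dict, now: datetime, max_age: timedelta) -> list:
    """Sources whose newest record is older than max_age, or missing entirely.
    A silent feed is itself a finding: the safeguard is met only while logs arrive."""
    return sorted(s for s, t in last_seen.items() if t is None or now - t > max_age)


def run_pipeline(records, expected_sources, now):
    """Normalize every record, flag user-management events, report stale feeds."""
    last_seen = {s: None for s in expected_sources}
    flagged = []
    for source, raw in records:
        ev = normalize(source, raw)
        if last_seen.get(source) is None or ev["time"] > last_seen[source]:
            last_seen[source] = ev["time"]
        if is_user_management_event(ev):
            flagged.append(ev)
    return flagged, collection_gaps(last_seen, now, timedelta(hours=24))


def demo():
    """Run the pipeline over the constructed samples at a fixed point in time."""
    now = datetime(2024, 5, 2, 9, 0, tzinfo=timezone.utc)
    return run_pipeline([("cloudtrail", SAMPLE_CLOUDTRAIL), ("m365", SAMPLE_M365)],
                        ["cloudtrail", "m365", "gcp_audit"], now)


if __name__ == "__main__":
    flagged, gaps = demo()
    for ev in flagged:
        print(f"{ev['time'].isoformat()} {ev['source']}: {ev['actor']} -> "
              f"{ev['action']} {ev['target']} {ev['detail']}")
    print("expected sources with no recent records:", gaps)
```

Both constructed records are flagged (an IAM user receiving AdministratorAccess, and a directory account added to Global Administrator), and the hypothetical "gcp_audit" feed is reported as a gap because no record for it ever arrived. In a real deployment the normalized events would be written to the SIEM and the gap list would feed the "log sources and collection status" dashboard named in the evidence table.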
Evidence Requirements
| Type | Evidence Item | Collection Frequency |
|---|---|---|
| Technical | Detection tool deployment evidence (dashboard screenshots, agent status) | Captured monthly |
| Technical | Sample alert/detection output demonstrating capability | Captured quarterly |
| Technical | SIEM dashboard showing log sources and collection status | Captured monthly |
| Record | Log review records and findings | Per review cycle |
| Record | Third-party risk assessment reports and scorecards | Annually per vendor |
| Document | Vendor contracts with security requirements | Per contract cycle |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |