8.2 Collect Audit Logs
Implementation Groups: IG1, IG2, IG3

Control Group: 8. Audit Log Management
Asset Type: Network
Security Function: Detect

Description

Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enabled across enterprise assets.

Implementation Checklist

1. Deploy detection tools or enable detection capabilities
2. Configure alerting thresholds and notification channels
3. Establish monitoring schedule and review process
4. Test detection capabilities with simulated events
5. Document detection procedures and escalation paths
6. Enable logging on all in-scope systems
7. Configure log forwarding to centralized SIEM
8. Define log retention periods per policy
9. Establish log review schedule and procedures
10. Draft policy/procedure document
11. Obtain stakeholder review and approval
12. Communicate to affected personnel
13. Schedule periodic review and updates

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Blind Spots Enabling Undetected Compromise (Confidentiality)

Attackers specifically target assets where audit logging is disabled or not collected, knowing their activities will leave no forensic trail, enabling prolonged dwell times and undetected data exfiltration.

Tampering Without Evidence on Unlogged Systems (Integrity)

Malicious insiders or external attackers modify critical data, configurations, or access controls on systems where audit logs are not collected, making it impossible to detect or attribute unauthorized changes.

Anti-Forensics Exploitation of Logging Gaps (Confidentiality)

Sophisticated attackers route their activities through assets without log collection, using these blind spots to stage lateral movement and to collect data ahead of exfiltration while remaining invisible to security monitoring.

Vulnerabilities (When Safeguard Absent)

Audit Logging Disabled on Critical Enterprise Assets

Key servers, databases, network devices, and cloud services have audit logging disabled by default or intentionally turned off to conserve resources, creating forensic blind spots across the infrastructure.

Inconsistent Log Collection Across Asset Types

Logging is enabled on some asset categories (e.g., domain controllers) but not others (e.g., Linux servers, network appliances, SaaS applications), leaving significant portions of the environment without audit trails.
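The check that checklist steps 6 and 7 ("enable logging on all in-scope systems", "forward to a centralized SIEM") and the "Inconsistent Log Collection Across Asset Types" vulnerability call for is a reconciliation of the asset inventory against what the SIEM is actually receiving. The script below is an added example and is not part of the CIS safeguard text; the inventory, the SIEM export shape (hostname mapped to the UTC timestamp of the last event received) and the 24-hour silence threshold are assumptions made for the example. It reports assets the SIEM has never heard from, sources that were once reporting but have gone silent (how an agent "turned off to conserve resources" shows up), and the coverage percentage per asset class.

```python
"""
Audit-log coverage check for CIS Safeguard 8.2 (added example, constructed data).

Reconciles the enterprise asset inventory against the SIEM's log-source table to find
in-scope assets with no audit trail: never registered as a source, or registered but
silent for longer than the allowed threshold.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed asset inventory. Scope for 8.2 is every asset class, not only domain
# controllers, so each entry carries its type for per-class coverage reporting.
INVENTORY = [
    {"hostname": "dc01.corp.example", "type": "domain_controller"},
    {"hostname": "dc02.corp.example", "type": "domain_controller"},
    {"hostname": "web01.corp.example", "type": "linux_server"},
    {"hostname": "db01.corp.example", "type": "linux_server"},
    {"hostname": "fw-edge-1", "type": "network_appliance"},
    {"hostname": "sw-core-1", "type": "network_appliance"},
    {"hostname": "crm.saas.example", "type": "saas_application"},
]

# Constructed SIEM log-source export: hostname -> UTC timestamp of the last event received.
# Assets absent from this table have never delivered a log to the SIEM.
SIEM_SOURCES = {
    "dc01.corp.example": "2024-05-01T11:58:00Z",
    "dc02.corp.example": "2024-05-01T11:59:30Z",
    "web01.corp.example": "2024-05-01T11:57:10Z",
    "db01.corp.example": "2024-04-28T03:12:00Z",  # last seen more than three days ago
    "fw-edge-1": "2024-05-01T11:50:00Z",
}

# Fixed reference time so the example is reproducible offline (assumed "now").
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)


@dataclass
class CoverageReport:
    never_logging: list = field(default_factory=list)     # in inventory, unknown to the SIEM
    silent: list = field(default_factory=list)            # (hostname, hours since last event)
    coverage_by_type: dict = field(default_factory=dict)  # asset type -> percent actively logging

    def gaps(self):
        """Every in-scope hostname that currently has no usable audit trail in the SIEM."""
        return sorted(self.never_logging + [host for host, _ in self.silent])


def parse_ts(value):
    """Parse the SIEM export's ISO-8601 UTC timestamp into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_coverage(inventory, siem_sources, now, max_silence=timedelta(hours=24)):
    """Classify each inventory asset as actively logging, silent, or never logging."""
    report = CoverageReport()
    per_type = {}  # asset type -> [actively logging, total]
    for asset in inventory:
        host, atype = asset["hostname"], asset["type"]
        counts = per_type.setdefault(atype, [0, 0])
        counts[1] += 1
        last_seen = siem_sources.get(host)
        if last_seen is None:
            report.never_logging.append(host)
            continue
        age = now - parse_ts(last_seen)
        if age > max_silence:
            # A source that stopped sending is as much a blind spot as one never enabled.
            report.silent.append((host, round(age.total_seconds() / 3600, 1)))
            continue
        counts[0] += 1
    report.coverage_by_type = {
        atype: round(100.0 * active / total, 1) for atype, (active, total) in per_type.items()
    }
    return report


def print_report(report):
    print("Never logging :", ", ".join(report.never_logging) or "none")
    for host, hours in report.silent:
        print(f"Silent source : {host} (last event {hours}h ago)")
    for atype, pct in sorted(report.coverage_by_type.items()):
        print(f"Coverage      : {atype:<20} {pct:5.1f}%")


if __name__ == "__main__":
    print_report(check_coverage(INVENTORY, SIEM_SOURCES, NOW))
```

Run against a real inventory and SIEM source export, the output doubles as the "SIEM dashboard showing log sources and collection status" evidence item. The silence threshold should be set per source type: a firewall or domain controller that sends nothing for 24 hours indicates a broken pipeline, whereas some SaaS audit feeds are legitimately quiet for longer.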

Evidence Requirements

Type       | Evidence Item                                                            | Collection Frequency
-----------|--------------------------------------------------------------------------|---------------------
Technical  | Detection tool deployment evidence (dashboard screenshots, agent status) | Captured monthly
Technical  | Sample alert/detection output demonstrating capability                   | Captured quarterly
Technical  | SIEM dashboard showing log sources and collection status                 | Captured monthly
Record     | Log review records and findings                                          | Per review cycle
Document   | Governing policy document (current, approved, communicated)              | Reviewed annually