Safeguard: 8.5
Implementation Groups: IG2, IG3

Collect Detailed Audit Logs

Control Group: 8. Audit Log Management
Asset Type: Network
Security Function: Detect

Description

Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.

Implementation Checklist

1. Deploy detection tools or enable detection capabilities
2. Configure alerting thresholds and notification channels
3. Establish monitoring schedule and review process
4. Test detection capabilities with simulated events
5. Document detection procedures and escalation paths
6. Enable logging on all in-scope systems
7. Configure log forwarding to centralized SIEM
8. Define log retention periods per policy
9. Establish log review schedule and procedures
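An added Python check (not part of the CIS page) that tests whether JSON audit records arriving at the SIEM carry the fields the description lists, grouped by event source so that assets still at default logging levels stand out. The JSON key names and the sample events are constructed assumptions, not a real product's schema.

```python
import json
from collections import defaultdict

# Fields the safeguard description names as needed for forensic investigation.
# The JSON key names are an assumption for this example; map them to what
# your log pipeline actually emits.
REQUIRED_FIELDS = {
    "event_source": "event source",
    "timestamp": "date/timestamp",
    "username": "username",
    "src_addr": "source address",
    "dst_addr": "destination address",
}

# Constructed sample events (not real data): two complete records and two that
# show the "default logging level" gap described under Vulnerabilities.
SAMPLE_EVENTS = [
    '{"event_source":"db01","timestamp":"2024-05-01T10:00:00Z","username":"alice",'
    '"src_addr":"10.0.0.5","dst_addr":"10.0.1.20","action":"SELECT customers"}',
    '{"event_source":"fileserver","timestamp":"2024-05-01T10:01:00Z","username":"bob",'
    '"src_addr":"10.0.0.9","dst_addr":"10.0.1.30","action":"READ /hr/payroll.xlsx"}',
    '{"event_source":"db01","timestamp":"2024-05-01T10:02:00Z","action":"SELECT customers"}',
    '{"event_source":"legacy-app","timestamp":"2024-05-01T10:03:00Z","username":"svc_report","action":"export"}',
]

def missing_fields(record: dict) -> list[str]:
    """Names of required fields that are absent or empty in one record."""
    return [label for key, label in REQUIRED_FIELDS.items()
            if record.get(key) in (None, "")]

def audit_coverage(lines: list[str]) -> dict[str, dict]:
    """Per event source: record count, count lacking detail, and which fields were missing."""
    report = defaultdict(lambda: {"total": 0, "deficient": 0, "missing": set()})
    for line in lines:
        try:
            rec = json.loads(line)
            if not isinstance(rec, dict):
                raise ValueError("record is not a JSON object")
        except ValueError:  # json.JSONDecodeError is a subclass of ValueError
            # A broken emitter is a logging gap too; surface it instead of dropping it.
            report["<unparseable>"]["total"] += 1
            report["<unparseable>"]["deficient"] += 1
            continue
        entry = report[rec.get("event_source", "<unknown>")]
        entry["total"] += 1
        gaps = missing_fields(rec)
        if gaps:
            entry["deficient"] += 1
            entry["missing"].update(gaps)
    return {src: {**v, "missing": sorted(v["missing"])} for src, v in report.items()}
```

Run it against a sample exported from each in-scope log source; any source with a non-zero deficient count is a candidate for the "No Logging Standards" finding below.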

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Insufficient Forensic Detail to Identify Attack Origin

Confidentiality

Basic audit logs capture only that an event occurred but lack source addresses, destination addresses, usernames, and other contextual details needed to determine who initiated the activity, from where, and what was affected.

Sensitive Data Breach with No Attribution Trail

Confidentiality

An attacker accesses sensitive data stores, but the logs lack sufficient detail (user identity, source IP, accessed records) to identify the compromised account, determine the scope of data exposure, or satisfy breach notification requirements.

Vulnerabilities (When Safeguard Absent)

Default Logging Levels Without Detailed Event Fields

Assets containing sensitive data use default logging configurations that capture minimal event details, omitting critical fields like source/destination addresses, user identities, and object-level access details needed for forensic analysis.

No Logging Standards for Sensitive Data Assets

The organization has not defined which detailed fields must be captured in audit logs for assets processing sensitive data, resulting in inconsistent and insufficient logging detail across databases, file servers, and applications.

Evidence Requirements

Type      | Evidence Item                                                            | Collection Frequency
----------|--------------------------------------------------------------------------|---------------------
Technical | Detection tool deployment evidence (dashboard screenshots, agent status) | Captured monthly
Technical | Sample alert/detection output demonstrating capability                   | Captured quarterly
Technical | SIEM dashboard showing log sources and collection status                 | Captured monthly
Record    | Log review records and findings                                          | Per review cycle
Document  | Governing policy document (current, approved, communicated)              | Reviewed annually