8.7 Collect URL Request Audit Logs
Implementation Groups: IG2, IG3

Control Group: 8. Audit Log Management
Asset Type: Network
Security Function: Detect

Description

Collect URL request audit logs on enterprise assets, where appropriate and supported.

Implementation Checklist

1. Deploy detection tools or enable detection capabilities
2. Configure alerting thresholds and notification channels
3. Establish monitoring schedule and review process
4. Test detection capabilities with simulated events
5. Document detection procedures and escalation paths
6. Enable logging on all in-scope systems
7. Configure log forwarding to centralized SIEM
8. Define log retention periods per policy
9. Establish log review schedule and procedures

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Malicious URL Access Without Detection or Blocking

Confidentiality

Users access phishing URLs, malware download sites, or attacker-controlled web applications, but without URL request logging the security team cannot identify compromised users or detect ongoing web-based attacks.

Drive-By Download Attacks Without Forensic Trail

Integrity

Enterprise assets visit compromised legitimate websites that deliver exploit kits, but without URL request logs there is no record of which assets visited the compromised site or when the infection occurred.

Vulnerabilities (When Safeguard Absent)

No Web Proxy or URL Request Logging

The organization does not log HTTP/HTTPS URL requests from enterprise assets, providing no visibility into web browsing patterns, malicious URL access, or web-based attack delivery vectors.

HTTPS Traffic Inspection Gap in URL Logging

URL logging captures only HTTP requests while HTTPS traffic passes uninspected, so the majority of modern web traffic, including malicious communications, is not recorded in audit logs. Without TLS inspection the proxy typically records only the destination host of a CONNECT tunnel, not the full URL path or query.
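As an added example (not part of the CIS safeguard text), the Python script below parses a constructed, Squid-style proxy access log, measures how much of the logged traffic carries a full URL versus only a CONNECT tunnel endpoint (the HTTPS inspection gap described above), and lists which client assets reached blocklisted hosts and when (the forensic trail the threat scenarios call for). The log format, client addresses, host names and blocklist are all constructed for illustration.

```python
"""Proxy URL-log coverage and blocklist matching (added example, not CIS text)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed sample of a Squid-style access log; not real traffic.
# Fields: <epoch seconds> <client ip> <method> <url or host:port> <status>
SAMPLE_LOG = """\
1700000000.101 10.0.1.15 GET http://example-legit.invalid/index.html 200
1700000001.220 10.0.1.15 CONNECT updates.example-legit.invalid:443 200
1700000002.330 10.0.1.22 GET http://bad-downloads.invalid/payload.exe 200
1700000003.440 10.0.1.22 CONNECT phish-login.invalid:443 200
1700000004.550 10.0.1.31 GET https://phish-login.invalid/account/verify 200
"""

# Constructed blocklist of destination hosts (hypothetical names).
BLOCKLIST: Set[str] = {"bad-downloads.invalid", "phish-login.invalid"}


@dataclass(frozen=True)
class Request:
    ts: datetime
    client: str
    method: str
    host: str
    path: Optional[str]  # None when only the tunnel endpoint was logged

    @property
    def visibility(self) -> str:
        # "host-only": HTTPS passed through a CONNECT tunnel without inspection.
        return "full-url" if self.path is not None else "host-only"


def parse_line(line: str) -> Request:
    """Parse one access-log line into a Request record."""
    epoch, client, method, target, _status = line.split()
    ts = datetime.fromtimestamp(float(epoch), tz=timezone.utc)
    if method == "CONNECT":
        # Uninspected TLS: the proxy sees only host:port, never the URL.
        host = target.rsplit(":", 1)[0]
        return Request(ts, client, method, host, None)
    parts = urlsplit(target)
    return Request(ts, client, method, parts.hostname or "", parts.path or "/")


def parse_log(text: str) -> List[Request]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def coverage_report(records: List[Request]) -> Dict[str, float]:
    """How much of the log carries a full URL versus only a tunnel host."""
    total = len(records)
    host_only = sum(1 for r in records if r.path is None)
    return {
        "total": total,
        "full_url": total - host_only,
        "host_only": host_only,
        "host_only_ratio": host_only / total if total else 0.0,
    }


def blocklist_hits(records: List[Request], blocklist: Set[str]) -> List[Tuple[str, str, str, str]]:
    """Which client reached which blocklisted host, with what visibility, and when."""
    return [
        (r.client, r.host, r.visibility, r.ts.isoformat())
        for r in records
        if r.host in blocklist
    ]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("coverage:", coverage_report(recs))
    for hit in blocklist_hits(recs, BLOCKLIST):
        print("blocklist hit:", hit)
```

The report makes the gap measurable: a high host-only ratio means most web activity is recorded at domain granularity at best. Even so, the CONNECT entries still attribute a visit to a blocklisted host to a specific asset and time, which is why collecting proxy logs is worthwhile before TLS inspection is in place.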

Evidence Requirements

Type      | Evidence Item                                                              | Collection Frequency
Technical | Detection tool deployment evidence (dashboard screenshots, agent status)   | Captured monthly
Technical | Sample alert/detection output demonstrating capability                     | Captured quarterly
Technical | SIEM dashboard showing log sources and collection status                   | Captured monthly
Record    | Log review records and findings                                            | Per review cycle
Document  | Governing policy document (current, approved, communicated)                | Reviewed annually