
AU.2.044

Content

Control Acronym

AU

Family

Audit And Accountability

CMMC Level

2

800-171 Control #

N/A

CMMC Description

Review audit logs.

CMMC Clarification

You should ensure that your organization reviews its audit logs. Logs should be checked regularly; organizations with small environments may be able to do this manually. The process of reviewing audit logs varies by organization. The intent of this practice is to become familiar with the logs being automatically created on the systems present in your organization and to identify key events in the logs that might indicate malicious activity. Larger organizations may need automation to complete this task successfully.

Example

You are the administrator for a company with a small IT environment. You know the importance of reviewing audit logs. Every week you log on to the Windows server as an admin user, open the Event Viewer and check for signs that the log files have been altered: Windows event ID 104 (Event Log was Cleared), event ID 1102 (Audit Log was Cleared) and event ID 4719 (System audit policy was changed). You also look for logon and new-user-created events: Windows event IDs 4624 (failure) and 4625 (success), and event IDs 4728, 4732 and 4756 (User added to Privileged Group).
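A PowerShell script that performs the weekly check described above, added here as an example and not part of the CMMC text. It assumes it runs in an elevated session on the Windows server being reviewed (the Security log needs administrator rights); the seven-day window is an assumption, and the event names are the standard Windows descriptions for those IDs.

```powershell
# Added example: weekly review of the event IDs named in the AU.2.044 clarification.
# Assumptions: run elevated on the server being reviewed (reading the Security log
# requires administrator rights); the 7-day window matches a weekly review cadence.
param([int]$Days = 7)
$since = (Get-Date).AddDays(-$Days)

# Event ID -> standard Windows event name. 104 is written to the System log by the
# Eventlog service; the remaining IDs are Security log events.
$systemIds   = @{ 104 = 'The System log file was cleared' }
$securityIds = @{
    1102 = 'The audit log was cleared'
    4719 = 'System audit policy was changed'
    4624 = 'An account was successfully logged on'
    4625 = 'An account failed to log on'
    4728 = 'A member was added to a security-enabled global group'
    4732 = 'A member was added to a security-enabled local group'
    4756 = 'A member was added to a security-enabled universal group'
}

function Get-ReviewEvents {
    param([string]$LogName, [hashtable]$IdMap, [datetime]$StartTime)
    $filter = @{ LogName = $LogName; Id = @($IdMap.Keys); StartTime = $StartTime }
    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = $xml.Event.EventData.Data   # $null for 104, which uses UserData instead
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Meaning = $IdMap[$_.Id]
            # TargetUserName is the logged-on account (4624/4625) or the account that
            # was added to the group (4728/4732/4756); SubjectUserName is who did it.
            Account = ($data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
            Subject = ($data | Where-Object { $_.Name -eq 'SubjectUserName' }).'#text'
        }
    }
}

$events  = @(Get-ReviewEvents -LogName 'System'   -IdMap $systemIds   -StartTime $since)
$events += @(Get-ReviewEvents -LogName 'Security' -IdMap $securityIds -StartTime $since)

# Log tampering and privileged-group changes are rare; list every occurrence.
"`n== Log-tampering and privileged-group events since $since =="
$events | Where-Object { $_.Id -in 104, 1102, 4719, 4728, 4732, 4756 } |
    Sort-Object Time | Format-Table Time, Id, Meaning, Account, Subject -AutoSize

# Logon events are high-volume; summarise per account so failure bursts stand out.
"`n== Logon activity per account (top 20) =="
$events | Where-Object { $_.Id -in 4624, 4625 } |
    Group-Object Id, Account | Sort-Object Count -Descending | Select-Object -First 20 Count, Name
```

Any 104, 1102 or 4719 entry outside a planned maintenance window, and any group-membership change you did not make yourself, warrants follow-up before the next weekly review.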

800-171 Description

800-171 Discussion

N/A

Other Source Discussion

Reviewing audit logs is a common control in information security. Organizations have the flexibility to determine which logs and specific events to review. The level of audit log review should be determined based on a risk assessment or similar activity.

CIS Control References

CIS Controls v7.1 6.7

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 AU-6

CMMC Derived

CMMC

NIST CSF Control References

NIST 800-171 References

Applicable FAR Clause

NIST CSF Control Reference

NIST CSF v1.1 PR.PT-1

CERT RMM Reference

CERT RMM v1.2 COMP:SG3.SP1

Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSC Cyber Reference

AS ACSC Reference

Sub-Criteria

Assessment Sub-Criteria 1

AU.2.044.[a] the organization defines one or more policies and/or procedures for the event types to look for when information system audit records are reviewed and analyzed;

Assessment Sub-Criteria 2

AU.2.044.[b] the organization defines one or more policies and/or procedures for the frequency to review and analyze information system audit records for indications of organizationally defined events; and

Assessment Sub-Criteria 3

AU.2.044.[c] the organization reviews and analyzes information system audit records for indications of organizationally defined events with the organization-defined frequency.
