Audit And Accountability
Identify assets not reporting audit logs and assure appropriate organizationally defined systems are logging.
Robust audit logging is critical in defending against cyber attacks and preventing future attacks since logs are a common starting point for incident response and a core element in post-attack cyber forensics. A cyber attacker may try to disrupt logging at the start of an attack, making the absence of audit logging an initial indicator of a potential attack. Even if the audit logging failure occurred from benign causes, restoring the logging is needed to maintain a secure posture. Identifying assets that are reporting logs and comparing against the inventory of assets expected to provide audit logs provides the set of assets for which audit remediation is needed. It is important that the logging requirements for each asset, which may include many logs to be collected, are documented and compared to the set of received logs. Any discrepancies will start an investigation and remediation process. Example You are working your shift in the security operations center (SOC) when one of your hourly scanning scripts indicates that a data server is not providing logs to the central log collection server. The data server is on the list of assets for which a log is required. You send a notification to the administrator for the server to investigate and turn logging on, and copy the company threat hunting team as well.
Practice AU.2.042 required the creation and retention of audit logs. Audit logs are essential to cybersecurity awareness and incident response. This practice requires organizations to proactively determine if any assets that should be creating audit logs are not generating the required logs.
CIS Controls v7.1 6.2
NIST SP 800-53 Rev 4 AU-12