Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.
[csf.tools Note: For more information on the Critical Security Controls, visit the Center for Internet Security.]
Establish and maintain an audit log management process that defines the enterprise's logging requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
Collect audit logs. Ensure that logging, per the enterprise's audit log management process, has been enabled across enterprise assets.
Ensure that logging destinations maintain adequate storage to comply with the enterprise's audit log management process.
Standardize time synchronization. Configure at least two synchronized time sources across enterprise assets, where supported.
Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.
Collect DNS query audit logs on enterprise assets, where appropriate and supported.
Collect URL request audit logs on enterprise assets, where appropriate and supported.
Collect command-line audit logs. Example implementations include collecting audit logs from PowerShell®, BASH™, and remote administrative terminals.
Centralize, to the extent possible, audit log collection and retention across enterprise assets.
Retain audit logs across enterprise assets for a minimum of 90 days.
Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis.
Collect service provider logs, where supported. Example implementations include collecting authentication and authorization events, data creation and disposal events, and user management events.