AU-6: Audit Record Review, Analysis, and Reporting
Control Family:
Threats Addressed:
Previous Version:
- NIST Special Publication 800-53 Revision 4: AU-6: Audit Review, Analysis, and Reporting
Incorporates the following control from the previous version: AU-6(10): Audit Level Adjustment.
Control Statement
- Review and analyze system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity] and the potential impact of the inappropriate or unusual activity;
- Report findings to [Assignment: organization-defined personnel or roles]; and
- Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.
Supplemental Guidance
Audit record review, analysis, and reporting covers information security- and privacy-related logging performed by organizations, including logging that results from the monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and non-local maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at system interfaces, and use of mobile code or Voice over Internet Protocol (VoIP). Findings can be reported to organizational entities that include the incident response team, help desk, and security or privacy offices. If organizations are prohibited from reviewing and analyzing audit records or unable to conduct such activities, the review or analysis may be carried out by other organizations granted such authority. The frequency, scope, and/or depth of the audit record review, analysis, and reporting may be adjusted to meet organizational needs based on new information received.
Control Enhancements
AU-6(1): Automated Process Integration
Baseline(s):
- Moderate
- High
Integrate audit record review, analysis, and reporting processes using [Assignment: organization-defined automated mechanisms].
AU-6(3): Correlate Audit Record Repositories
Baseline(s):
- Moderate
- High
Analyze and correlate audit records across different repositories to gain organization-wide situational awareness.
AU-6(4): Central Review and Analysis
Baseline(s):
Provide and implement the capability to centrally review and analyze audit records from multiple components within the system.
AU-6(5): Integrated Analysis of Audit Records
Baseline(s):
- High
Integrate analysis of audit records with analysis of [Assignment (one or more): vulnerability scanning information, performance data, system monitoring information, [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity.
AU-6(6): Correlation with Physical Monitoring
Baseline(s):
- High
Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.
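AU-6(3) and AU-6(6) both call for correlating records that live in separate repositories, which is where single-source log review tends to miss credential misuse. The script below is an added illustration, not part of NIST SP 800-53 or any vendor tool: it joins three constructed audit sources (host logon records, remote-access gateway sessions, and badge-reader events) and raises a finding when a user is logged on at an on-site workstation while the gateway shows a live remote session for the same account (cross-repository, AU-6(3)), or when an on-site logon has no preceding badge entry at that site (physical correlation, AU-6(6)). The record layouts, user names, site names, and the 12-hour badge window are all assumptions made for the example.

```python
"""Cross-repository (AU-6(3)) and physical-access (AU-6(6)) audit correlation.
Added example with constructed records; field names and values are assumptions."""
from datetime import datetime, timedelta

# Constructed sample records, one list per repository.
HOST_LOGINS = [  # host audit log: interactive logons on on-site workstations
    {"ts": "2024-03-04T08:05:00", "user": "alice", "host": "ws-101", "site": "HQ"},
    {"ts": "2024-03-04T09:30:00", "user": "bob", "host": "ws-202", "site": "HQ"},
    {"ts": "2024-03-04T13:10:00", "user": "carol", "host": "ws-303", "site": "HQ"},
]
VPN_SESSIONS = [  # remote-access gateway log: one entry per session
    {"user": "bob", "start": "2024-03-04T09:00:00", "end": "2024-03-04T11:00:00"},
    {"user": "carol", "start": "2024-03-04T06:00:00", "end": "2024-03-04T07:00:00"},
]
BADGE_EVENTS = [  # physical access control log: badge-in at a building entrance
    {"ts": "2024-03-04T07:50:00", "user": "alice", "site": "HQ"},
    {"ts": "2024-03-04T12:55:00", "user": "carol", "site": "HQ"},
]

RULE_CONCURRENT = "AU-6(3): on-site logon while a remote VPN session is active"
RULE_NO_BADGE = "AU-6(6): on-site logon with no badge entry at that site"


def _t(s):
    """Parse the ISO 8601 timestamps used in the constructed records."""
    return datetime.fromisoformat(s)


def find_concurrent_remote_and_onsite(host_logins, vpn_sessions):
    """Cross-repository rule: a user should not be logged on at an on-site
    workstation during a live session on the remote-access gateway."""
    findings = []
    for login in host_logins:
        when = _t(login["ts"])
        for sess in vpn_sessions:
            if sess["user"] != login["user"]:
                continue
            if _t(sess["start"]) <= when <= _t(sess["end"]):
                findings.append({
                    "rule": RULE_CONCURRENT,
                    "user": login["user"],
                    "ts": login["ts"],
                    "detail": f'logon on {login["host"]} during VPN session '
                              f'{sess["start"]}..{sess["end"]}',
                })
    return findings


def find_onsite_logins_without_badge(host_logins, badge_events,
                                     window=timedelta(hours=12)):
    """Physical-correlation rule: an on-site logon should be preceded by a
    badge entry for the same user at the same site within `window`."""
    findings = []
    for login in host_logins:
        when = _t(login["ts"])
        badged = any(
            ev["user"] == login["user"] and ev["site"] == login["site"]
            and timedelta(0) <= when - _t(ev["ts"]) <= window
            for ev in badge_events
        )
        if not badged:
            findings.append({
                "rule": RULE_NO_BADGE,
                "user": login["user"],
                "ts": login["ts"],
                "detail": f'logon on {login["host"]} at site {login["site"]} '
                          f'with no badge entry in the preceding {window}',
            })
    return findings


def review(host_logins, vpn_sessions, badge_events):
    """Run both correlation rules and return findings ordered by time."""
    findings = find_concurrent_remote_and_onsite(host_logins, vpn_sessions)
    findings += find_onsite_logins_without_badge(host_logins, badge_events)
    return sorted(findings, key=lambda f: (f["ts"], f["rule"]))


def report(findings):
    """Render findings as one line each for the designated recipients (AU-6b)."""
    return [f'{f["ts"]} {f["user"]:<8} {f["rule"]} :: {f["detail"]}'
            for f in findings]


if __name__ == "__main__":
    for line in report(review(HOST_LOGINS, VPN_SESSIONS, BADGE_EVENTS)):
        print(line)
```

On the constructed data only `bob` is flagged, by both rules: his 09:30 workstation logon falls inside his 09:00 to 11:00 VPN session, and no badge entry for him exists at HQ. Neither repository shows anything suspicious on its own, which is the point of correlating them. In a real deployment the three lists would be replaced by queries against the respective log stores, and the badge window would be set from the organization's own working patterns.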
AU-6(7): Permitted Actions
Baseline(s):
Specify the permitted actions for each [Assignment (one or more): system process, role, user] associated with the review, analysis, and reporting of audit record information.
AU-6(8): Full Text Analysis of Privileged Commands
Baseline(s):
Perform a full text analysis of logged privileged commands in a physically distinct component or subsystem of the system, or other system that is dedicated to that analysis.
AU-6(9): Correlation with Information from Nontechnical Sources
Baseline(s):
Correlate information from nontechnical sources with audit record information to enhance organization-wide situational awareness.