Eliminate false positives in event logs and audit logs.


CONTROL ID
07047
CONTROL TYPE
Log Management
CLASSIFICATION
Corrective

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Review and update event logs and audit logs, as necessary. (CC ID: 00596)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Initial analysis of suspected intrusions should include confirming whether an attack is actually occurring (e.g., by eliminating false positives). (CF.10.06.09a, The Standard of Good Practice for Information Security)
  • Initial analysis of suspected intrusions should include confirming whether an attack is actually occurring (e.g., by eliminating false positives). (CF.10.06.09a, The Standard of Good Practice for Information Security, 2013)
  • Identification and disposition of false positives and adjustment of logging parameters to minimize the volume of false positives in future log review. (App A Objective 15:7a, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Provide timely detection, identification, and alerting of possible attacks/intrusions, anomalous activities, and misuse activities and distinguish these incidents and events from benign activities. (T0258, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Provide timely detection, identification, and alerting of possible attacks/intrusions, anomalous activities, and misuse activities and distinguish these incidents and events from benign activities. (T0258, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization uses the traffic/event profiles in tuning system-monitoring devices to reduce the number of false positives and the number of false negatives. (SI-4(13)(c), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4, Deprecated)
  • Uses the traffic/event profiles in tuning system-monitoring devices to reduce the number of false positives and the number of false negatives. (SI-4(13)(c), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Use the traffic and event profiles in tuning system-monitoring devices. (SI-4(13)(c), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Use the traffic and event profiles in tuning system-monitoring devices. (SI-4(13)(c), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
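The FFIEC and SI-4(13)(c) citations above describe the same working loop: disposition recurring alerts, build an event profile from a baseline window, and use that profile to adjust monitoring so confirmed-benign recurrences stop paging analysts, without hiding the same rule firing from a new source. The following is an added example, not part of this control catalog or of any cited authority document, showing that loop over constructed alert lines. The log format, rule names, hosts, user names and the disposition table are all invented for illustration; the design points it enforces are that a suppression needs both recurrence in the profile and an explicit analyst disposition, that it is keyed narrowly (rule, source and user, not rule alone), and that it expires so the tuning gets reviewed.

```python
"""Profile-driven alert tuning (added example; constructed data throughout)."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed baseline alerts, one per line: ts|rule|src|dst|user
BASELINE_ALERTS = """\
2024-05-01T02:00:11|PORT_SCAN|10.0.9.5|10.0.1.20|-
2024-05-01T02:00:12|PORT_SCAN|10.0.9.5|10.0.1.21|-
2024-05-02T02:00:10|PORT_SCAN|10.0.9.5|10.0.1.20|-
2024-05-02T02:00:14|PORT_SCAN|10.0.9.5|10.0.1.22|-
2024-05-03T02:00:09|PORT_SCAN|10.0.9.5|10.0.1.20|-
2024-05-01T03:15:00|AUTH_FAILURE|10.0.3.7|10.0.1.5|svc_backup
2024-05-02T03:15:01|AUTH_FAILURE|10.0.3.7|10.0.1.5|svc_backup
2024-05-03T03:15:02|AUTH_FAILURE|10.0.3.7|10.0.1.5|svc_backup
2024-05-02T14:41:52|PORT_SCAN|192.0.2.44|10.0.1.20|-
"""

# Constructed alerts arriving after tuning.
NEW_ALERTS = """\
2024-05-10T02:00:10|PORT_SCAN|10.0.9.5|10.0.1.20|-
2024-05-10T02:00:30|PORT_SCAN|198.51.100.9|10.0.1.20|-
2024-05-10T03:15:00|AUTH_FAILURE|10.0.3.7|10.0.1.5|svc_backup
2024-05-10T03:16:00|AUTH_FAILURE|10.0.3.7|10.0.1.5|jsmith
"""

# Analyst dispositions (constructed). Only pairs an analyst reviewed and
# recorded as benign are eligible for suppression; the text is kept so the
# reason travels with every suppressed alert.
DISPOSITIONS = {
    ("PORT_SCAN", "10.0.9.5", "-"): "benign: authorized vulnerability scanner",
    ("AUTH_FAILURE", "10.0.3.7", "svc_backup"): "benign: backup job, credential rotation ticketed",
}


@dataclass(frozen=True)
class Alert:
    ts: datetime
    rule: str
    src: str
    dst: str
    user: str

    def key(self):
        # Narrow tuning key: rule, source and user, never the rule alone.
        return (self.rule, self.src, self.user)


@dataclass(frozen=True)
class Suppression:
    key: tuple
    reason: str
    expires: datetime


def parse_alerts(text):
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, rule, src, dst, user = line.split("|")
        alerts.append(Alert(datetime.fromisoformat(ts), rule, src, dst, user))
    return alerts


def build_profile(alerts):
    """Event profile: how often each (rule, src, user) fired in the baseline window."""
    return Counter(a.key() for a in alerts)


def derive_suppressions(profile, dispositions, min_count, now, ttl_days=30):
    """Suppress only keys that are both recurrent AND dispositioned benign.

    Recurrence alone is not enough: a persistent attacker is also recurrent,
    which is why the analyst disposition is required. The expiry forces a
    re-review instead of letting old tuning live forever.
    """
    return [
        Suppression(key, dispositions[key], now + timedelta(days=ttl_days))
        for key, count in profile.items()
        if count >= min_count and key in dispositions
    ]


def triage(alerts, suppressions, now):
    """Split alerts into (escalated, suppressed); suppressed keeps its reason."""
    active = {s.key: s for s in suppressions if s.expires > now}
    escalated, suppressed = [], []
    for a in alerts:
        s = active.get(a.key())
        if s is None:
            escalated.append(a)
        else:
            suppressed.append((a, s.reason))
    return escalated, suppressed


if __name__ == "__main__":
    now = datetime(2024, 5, 10)
    sups = derive_suppressions(build_profile(parse_alerts(BASELINE_ALERTS)), DISPOSITIONS, 3, now)
    esc, sup = triage(parse_alerts(NEW_ALERTS), sups, now)
    for a in esc:
        print("ESCALATE ", a.rule, a.src, a.user)
    for a, why in sup:
        print("SUPPRESS ", a.rule, a.src, a.user, "->", why)
```

Run as-is, the scanner's nightly PORT_SCAN and the backup account's AUTH_FAILURE are suppressed with their recorded reasons, while the same PORT_SCAN rule from an unprofiled source and an AUTH_FAILURE for a different user from the same host are escalated. Re-running triage after the 30-day expiry escalates everything again, which is the prompt to re-disposition rather than silently extend the tuning.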