Identify cybersecurity events in event logs and audit logs.
CONTROL ID
13206
CONTROL TYPE
Technical Security
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Review and update event logs and audit logs, as necessary. (CC ID: 00596)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • A sample of security-relevant events relating to data transfer policies are taken at least every three months and assessed against security policies for CDSs to identify any operational failures. (Control: ISM-1523; Revision: 1, Australian Government Information Security Manual, June 2023)
  • A sample of security-relevant events relating to data transfer policies are taken at least every three months and assessed against security policies for CDSs to identify any operational failures. (Control: ISM-1523; Revision: 1, Australian Government Information Security Manual, September 2023)
  • The data sources that you include in your monitoring allow for timely identification of security events which might affect the operation of your essential function. (C1.a ¶ 1, NCSC CAF guidance, 3.1)
  • Identify and monitor security-related events within applications and the underlying infrastructure. Define and implement a system to generate alerts to responsible stakeholders based on such events and corresponding metrics. (LOG-03, Cloud Controls Matrix, v4.0)
  • Collect, manage, and analyze audit logs of events that could help detect, understand, or recover from an attack. (CIS Control 6: Maintenance, Monitoring and Analysis of Audit Logs, CIS Controls, 7.1)
  • Collect, manage, and analyze audit logs of events that could help detect, understand, or recover from an attack. (CIS Control 6: Maintenance, Monitoring and Analysis of Audit Logs, CIS Controls, V7)
  • Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack. (CIS Control 8: Audit Log Management, CIS Controls, V8)
  • The organization's audit trails are designed to detect cybersecurity events that may materially harm normal operations of the organization. (PR.PT-1.1, CRI Profile, v1.2)
  • The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures. (Security Continuous Monitoring (DE.CM), CRI Profile, v1.2)
  • The organization's audit trails are designed to detect cybersecurity events that may materially harm normal operations of the organization. (PR.PT-1.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The information system and assets are monitored to identify cybersecurity events and verify the effectiveness of protective measures. (DE.CM Security Continuous Monitoring, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures. (DE.CM Security Continuous Monitoring, Framework for Improving Critical Infrastructure Cybersecurity, v1.1 (Draft))
  • Perform cyber defense trend analysis and reporting. (T0333, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Reconstruct a malicious attack or activity based off network traffic. (T0298, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Reconstruct a malicious attack or activity based off network traffic. (T0298, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)