Requirement text: AU.2.044: Review audit logs.
DISCUSSION FROM SOURCE: CMMC
Reviewing audit logs is a common control in information security. Organizations have the
flexibility to determine which logs and specific events to review. The level of audit log review
should be determined based on a risk assessment or similar activity.
CMMC CLARIFICATION
You should ensure that your organization reviews its audit logs. Logs should be checked
regularly, organizations with small environments may be able to do this manually. The
process of reviewing audit logs varies by organization. The intent of this practice is to
become familiar with the logs being automatically created on the systems present in your
organization and identify key events in the logs that might indicate malicious activity. Larger
organizations may need automation to complete this task with success.
Example
You are the administrator for a company with a small IT environment. You know the
importance of reviewing audit logs. Every week you log on to the Windows server as an
admin user, open the Event Viewer and check for signs that the log files have been altered:
Windows event ID 104 – Event Log was Cleared, event ID 1102 – Audit Log was Cleared),
event ID 4719 – System audit policy was changed. Look for login and new user created
events: Windows event IDs 4624 (failure) and 4625 (success)) and event IDs 4728, 4732 and
4756 – User added to Privileged Group.
References
• CMMC
• CIS Controls v7.1 6.7
• NIST CSF v1.1 PR.PT-1
• CERT RMM v1.2 COMP:SG3.SP1
• NIST SP 800-53 Rev 4 AU-6