What to Provide
(1) The documented policy/procedure that defines your organization's process for using a log management tool.
(2) A screenshot of the security log management dashboard or dashboards used to monitor all in-scope production systems for security-related events.
(3) A screenshot of an example security event notification or example alert notification message created by your security log management tools.
Evidence Format
(1) Word/PDF document
(2) Screenshots or exported images in a common image file type, such as .jpg, .png, or .pdf.
(3) Screenshots or exported images in a common image file type, such as .jpg, .png, or .pdf.
Additional Guidance
For each tool that monitors events, the evidence should demonstrate:
What security events are being monitored
Which events will trigger a notification
Who receives a notification and how
Your log management may be split across multiple tools, or a single log management tool (such as AWS CloudTrail, AWS GuardDuty, Azure Defender, or Google Security Command Center) may monitor several production systems by itself.
The following systems are common event monitoring tools:
Intrusion detection systems
Endpoint management tools
Antivirus
Log management tools for production systems and infrastructure
Your log management tools monitor your in-scope production systems for events such as:
Actions taken by privileged or root users
Users accessing sensitive or customer data
Invalid login attempts
Malicious activity, such as DDoS attacks, brute-force logins, etc.
Example Evidence
AWS GuardDuty (Dashboard)
AWS GuardDuty (Alert Notification Configurations)
Google Security Command Center (Dashboard)
Google Security Command Center (Alert Notification Configurations)
Azure Defender (Dashboard)
Azure Defender (Alert Notification Configurations)
Associated Unified Control ID | Associated Framework Control
CTRL-833 | LCL-48