During an active incident, do you have logging + EDR data centralised somewhere accessible (separate from the affected systems)?
Description
What this control does
This control ensures that security logs, endpoint detection and response (EDR) telemetry, and event data are replicated to a centralized logging infrastructure that remains operationally independent from production and endpoint systems. During an active incident, attackers frequently target logging systems to erase evidence of compromise, disable detection mechanisms, or obfuscate their activities. By maintaining logs in a separate, hardened environment (such as a SIEM, dedicated log aggregation platform, or cloud-based security data lake), organizations preserve forensic evidence and maintain visibility even when compromised systems are isolated, encrypted by ransomware, or taken offline.
Control objective
What auditing this proves
Demonstrate that security logs and EDR telemetry are continuously replicated to a centralized repository that is architecturally isolated from endpoint and production systems, and remains accessible during incident response activities.
Associated risks
Risks this control addresses
- Attackers delete or tamper with local logs on compromised systems to eliminate evidence of initial access, lateral movement, or data exfiltration
- Ransomware encryption renders logs stored on affected endpoints or file servers inaccessible, preventing timely incident scoping and containment
- Compromised administrator credentials are used to disable or purge logging services on primary systems, creating forensic blind spots
- Incident responders cannot establish accurate timelines or identify scope of compromise when logs are only available on affected infrastructure
- EDR agents are disabled or tampered with locally, and without centralized telemetry replication, detection gaps go unnoticed until significant damage occurs
- Distributed denial-of-service or resource exhaustion attacks targeting logging infrastructure disrupt forensic data collection across the environment
- Regulatory or legal hold requirements cannot be satisfied when event data is lost due to lack of independent log retention
Testing procedure
How an auditor verifies this control
- Obtain and review the organization's logging architecture diagram identifying all systems generating security logs, EDR telemetry sources, and the centralized log repository or SIEM platform
- Verify the network architecture documentation to confirm that the centralized logging infrastructure is segmented or logically separated from production systems, with restricted management access controls
- Select a representative sample of 8-12 critical systems (domain controllers, application servers, database servers, network devices) and confirm their log forwarding configurations point to the centralized repository
- Examine EDR agent deployment records and configuration files to verify that telemetry is being forwarded in real-time or near-real-time to a centralized EDR console or data lake independent of endpoint storage
- Query the centralized logging repository for recent log entries from sampled systems to confirm active ingestion and verify timestamp accuracy and completeness of forwarded events
- Review access control policies for the centralized logging platform to confirm that write access is limited to automated forwarders and read access during incidents is restricted to authorized security personnel
- Test accessibility by simulating an endpoint isolation scenario: disconnect a test system from the network and verify that historical logs for that system remain queryable in the centralized repository
- Review incident response runbooks to confirm documented procedures reference the centralized logging platform as the authoritative source for forensic investigation and log analysis
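The "query the centralized repository for recent entries from sampled systems" step above can be scripted so the evidence is reproducible. The following is an added example, not part of this control page or any product: it takes a constructed line-delimited JSON export (hypothetical schema with host, forwarder sequence number, source-clock event_ts and repository-clock ingest_ts) and reports, per sampled host, missing ingestion, stale forwarding, timestamp skew and sequence gaps.

```python
from datetime import datetime, timedelta, timezone
import json
# Constructed sample export from the central repository (hypothetical schema):
# host, forwarder sequence number, source-clock event_ts, repository-clock ingest_ts.
SAMPLE_EXPORT = """
{"host":"dc01","seq":101,"event_ts":"2024-05-01T10:00:00Z","ingest_ts":"2024-05-01T10:00:02Z"}
{"host":"dc01","seq":102,"event_ts":"2024-05-01T10:04:00Z","ingest_ts":"2024-05-01T10:04:01Z"}
{"host":"db01","seq":7,"event_ts":"2024-05-01T09:00:00Z","ingest_ts":"2024-05-01T09:00:01Z"}
{"host":"db01","seq":9,"event_ts":"2024-05-01T10:03:00Z","ingest_ts":"2024-05-01T10:03:01Z"}
{"host":"app01","seq":1,"event_ts":"2024-05-01T10:01:00Z","ingest_ts":"2024-05-01T10:20:00Z"}
"""
# Sampled systems in audit scope; fw01 has no records at all (constructed).
SAMPLED_HOSTS = ["dc01", "db01", "app01", "fw01"]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def audit_ingestion(export_text, hosts, now,
                    max_age=timedelta(minutes=10), max_skew=timedelta(minutes=5)):
    """Return {host: [findings]}; an empty list means the host passed."""
    by_host = {}
    for line in export_text.strip().splitlines():
        rec = json.loads(line)
        by_host.setdefault(rec["host"], []).append(rec)
    findings = {}
    for host in hosts:
        recs = sorted(by_host.get(host, []), key=lambda r: r["seq"])
        if not recs:
            findings[host] = ["no events in repository: forwarder missing or blocked"]
            continue
        issues = []
        # Freshness: is forwarding from this host still active right now?
        newest = max(parse_ts(r["event_ts"]) for r in recs)
        if now - newest > max_age:
            issues.append(f"stale: newest event is {now - newest} old")
        # Timestamp accuracy: a large event-to-ingest delta means clock skew or buffering.
        for r in recs:
            if parse_ts(r["ingest_ts"]) - parse_ts(r["event_ts"]) > max_skew:
                issues.append(f"seq {r['seq']}: ingest lag or clock skew over {max_skew}")
        # Completeness: gaps in the forwarder sequence mean dropped or deleted events.
        seqs = [r["seq"] for r in recs]
        missing = sorted(set(range(seqs[0], seqs[-1] + 1)) - set(seqs))
        if missing:
            issues.append(f"sequence gaps: {missing}")
        findings[host] = issues
    return findings

if __name__ == "__main__":
    for host, issues in audit_ingestion(SAMPLE_EXPORT, SAMPLED_HOSTS, parse_ts("2024-05-01T10:05:00Z")).items():
        print(host, "PASS" if not issues else "; ".join(issues))
```

Each non-empty finding list is an audit exception to raise against the sampled host's forwarding configuration.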