Framework mapping: DE.AE-3 / DE.CM-1 / DE.CM-7 / AU-6 / SI-4 (NIST CSF v1.1)

Are logs centralised in a SIEM with detection rules tuned to your environment?

Description

What this control does

This control establishes whether security event logs from across the enterprise (endpoints, servers, network devices, cloud services, applications) are aggregated into a Security Information and Event Management (SIEM) platform with detection rules customized to reflect the organization's technology stack, threat landscape, and operational behaviors. Effective centralization enables correlation of events across disparate sources, while environment-specific tuning reduces false positives and increases detection of relevant threats. Without centralized logging and tuned detection, attacks may proceed undetected across multiple systems, and security analysts waste time investigating noise rather than genuine incidents.

Control objective

What auditing this proves

Demonstrate that all critical security logs are ingested into a SIEM platform, that detection rules are actively configured and tuned to the organization's specific environment, and that alerts generated are actionable and relevant to the threat profile.

Associated risks

Risks this control addresses

  • Attackers move laterally across systems undetected because logs remain siloed and no correlation occurs across attack stages
  • Delayed detection of security incidents due to insufficient log visibility, resulting in extended dwell time and greater damage
  • Security analysts overwhelmed by high false-positive rates from generic detection rules, causing alert fatigue and missed true positives
  • Insider threats or privilege abuse go unnoticed due to lack of aggregated user activity visibility across systems
  • Compliance violations and audit failures due to inability to produce centralized evidence of security events and response activities
  • Compromised systems excluded from SIEM coverage remain blind spots where adversaries establish persistence without triggering alerts
  • Inability to meet incident response timelines and breach notification requirements due to fragmented log data and manual investigation overhead

Testing procedure

How an auditor verifies this control

  1. Obtain and review the organization's SIEM architecture documentation, including the inventory of all log sources configured to send data to the SIEM platform.
  2. Request and examine the complete list of systems, applications, network devices, and cloud services that generate security-relevant logs, then cross-reference against the SIEM log source inventory to identify coverage gaps.
  3. Select a representative sample of 10-15 critical assets (domain controllers, firewalls, cloud identity providers, endpoints) and verify that logs from each asset are actively flowing into the SIEM by querying recent log entries.
  4. Review the SIEM detection rule library and identify which rules are default/vendor-provided versus custom-developed or tuned for the organization's specific environment.
  5. Interview SIEM administrators and SOC analysts to document the tuning process, including how baseline behaviors are established, how thresholds are adjusted, and how frequently rules are updated based on threat intelligence or environmental changes.
  6. Examine a sample of 10-20 recent SIEM alerts and trace each back to the underlying detection rule, assessing whether the rule logic reflects organization-specific context such as business hours, approved administrative tools, or known benign behaviors.
  7. Test detection effectiveness by requesting evidence of recent rule tuning activities (e.g., change tickets, rule modification logs) and reviewing metrics such as alert volume trends, false positive rates, and mean time to triage over the past quarter.
  8. Validate that SIEM data retention policies meet regulatory and incident investigation requirements, and verify that log integrity controls (time synchronization, log forwarding encryption, tamper detection) are in place.
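Steps 2, 3 and the pass criterion below can be checked mechanically once the asset inventory, the SIEM's per-source last-event timestamps and a rule-library export are in hand. The following is an added example, not part of this control page or any SIEM vendor's tooling; all inventory entries, timestamps and rule names are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data, not taken from any real environment.
NOW = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)   # time of the audit query

# Asset inventory: every system expected to produce security-relevant logs.
ASSET_INVENTORY = {"dc01": "domain controller", "dc02": "domain controller",
                   "fw-edge": "firewall", "idp-cloud": "cloud identity provider",
                   "web01": "web server"}

# Per configured SIEM log source: timestamp of the most recent event received.
SIEM_SOURCES = {"dc01": datetime(2024, 5, 1, 9, 30, tzinfo=timezone.utc),
                "fw-edge": datetime(2024, 5, 1, 9, 58, tzinfo=timezone.utc),
                "idp-cloud": datetime(2024, 4, 20, 12, 0, tzinfo=timezone.utc),  # silent for days
                "vpn-old": datetime(2024, 5, 1, 8, 0, tzinfo=timezone.utc)}     # not in inventory

# Detection rule library export: vendor defaults vs. rules tuned for this environment.
RULES = [{"name": "vendor-bruteforce", "active": True, "custom": False, "last_tuned": None},
         {"name": "admin-tool-offhours", "active": True, "custom": True,
          "last_tuned": datetime(2024, 2, 1, tzinfo=timezone.utc)},
         {"name": "legacy-tuned", "active": True, "custom": True,
          "last_tuned": datetime(2022, 6, 1, tzinfo=timezone.utc)},
         {"name": "retired-rule", "active": False, "custom": True,
          "last_tuned": datetime(2024, 3, 1, tzinfo=timezone.utc)}]

def coverage_report(inventory, siem_sources, now, max_silence=timedelta(hours=24)):
    """Cross-reference the asset inventory against SIEM log sources (steps 2-3).
    missing:  assets with no SIEM source at all (blind spots)
    stale:    sources configured but silent for longer than max_silence
    unknown:  SIEM sources absent from the inventory (inventory drift)
    coverage: fraction of inventory assets with a live feed"""
    missing = sorted(a for a in inventory if a not in siem_sources)
    stale = sorted(a for a, last in siem_sources.items()
                   if a in inventory and now - last > max_silence)
    unknown = sorted(s for s in siem_sources if s not in inventory)
    live = len(inventory) - len(missing) - len(stale)
    return {"missing": missing, "stale": stale, "unknown": unknown,
            "coverage": live / len(inventory) if inventory else 0.0}

def tuned_rule_ratio(rules, now, window=timedelta(days=365)):
    """Share of active rules with environment-specific tuning inside the window
    (the pass criterion on this page asks for at least 30% within 12 months)."""
    active = [r for r in rules if r["active"]]
    tuned = [r for r in active if r["custom"] and r["last_tuned"] is not None
             and now - r["last_tuned"] <= window]
    return len(tuned) / len(active) if active else 0.0

if __name__ == "__main__":
    print(coverage_report(ASSET_INVENTORY, SIEM_SOURCES, NOW))
    print(f"tuned rules: {tuned_rule_ratio(RULES, NOW):.0%}")
```

Feeding real exports into the two dictionaries gives the auditor the blind-spot list for step 2, the stale-feed list for step 3, and the tuned-rule percentage the pass criteria require.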

Evidence required

  • SIEM architecture diagrams and log source inventory listing all integrated systems
  • Configuration exports showing active log forwarding agents and parsers
  • Screenshots or query results demonstrating recent log ingestion from sampled critical assets
  • Detection rule library with metadata indicating custom/tuned rules versus defaults
  • Change management records documenting recent rule modifications and tuning rationale
  • Sample alert reports with analyst disposition notes
  • SOC metrics dashboard showing alert volume, false positive rates, and triage times
  • Data retention policy documentation and log integrity control configurations

Pass criteria

All critical systems and high-value assets are confirmed as active SIEM log sources with recent ingestion verified; at least 30% of active detection rules show evidence of environment-specific tuning or customization within the past 12 months; documented tuning processes exist; and SOC metrics demonstrate manageable alert volumes with declining false positive trends.