Are logs from endpoints, servers, identity provider and firewalls centralised in a SIEM or log platform?
Description
What this control does
This control ensures that security-relevant log data from all critical infrastructure components, including endpoint devices, servers, identity providers (such as Active Directory, Okta, or Azure AD), and network firewalls, is forwarded to and retained in a centralized Security Information and Event Management (SIEM) or dedicated log aggregation platform. Centralization enables correlation of events across disparate systems, reduces mean time to detect (MTTD) for security incidents, and supports forensic investigations by maintaining a tamper-resistant audit trail. Without centralized logging, security teams operate with siloed visibility, which significantly degrades detection and response capabilities.
Control objective
What auditing this proves
Demonstrate that logs from all in-scope endpoints, servers, identity providers, and firewalls are actively forwarded to, ingested by, and retained within a centralized SIEM or log management platform with sufficient coverage and retention.
Associated risks
Risks this control addresses
- Delayed detection of lateral movement or multi-stage attacks due to inability to correlate events across endpoints, servers, and network boundaries
- Insufficient forensic evidence following a security incident because logs are scattered across disconnected systems or overwritten before collection
- Failure to detect credential compromise or privilege escalation when identity provider authentication logs are not analyzed alongside endpoint or server activity
- Blind spots in threat hunting and anomaly detection where firewall traffic logs cannot be correlated with endpoint behavior or authentication events
- Regulatory non-compliance due to inadequate log retention or inability to produce complete audit trails during investigations
- Increased attacker dwell time as security operations center (SOC) analysts lack unified visibility to triage alerts and prioritize response
- Loss of critical security telemetry when local logs are deleted, tampered with, or unavailable due to system failures or ransomware encryption
Testing procedure
How an auditor verifies this control
- Obtain and review the organization's inventory of endpoints, servers, identity providers, and firewalls that are in-scope for centralized logging.
- Request and examine the SIEM or log platform's architecture documentation, including data source configuration, log forwarding agents deployed, and supported log types.
- Verify configuration exports or screenshots from the SIEM platform showing active data sources, including endpoint agents, syslog receivers, API integrations for identity providers, and firewall log forwarders.
- Select a representative sample of endpoints, servers, identity providers, and firewalls from the inventory and confirm each asset appears as an active data source in the SIEM platform.
- Review recent log ingestion metrics or dashboards within the SIEM to validate that logs from sampled sources are being received continuously and in near real-time.
- Generate test events on sampled systems—such as a failed authentication attempt on the identity provider, a file creation on an endpoint, or a deny rule trigger on a firewall—and verify these events appear in the SIEM within the expected timeframe.
- Examine log retention policies configured in the SIEM to confirm they meet organizational requirements and applicable regulatory standards (e.g., 90 days, one year).
- Cross-reference the SIEM data source inventory against the organization's asset inventory to identify any critical systems not forwarding logs and assess whether gaps are documented and risk-accepted.
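The freshness check and the inventory cross-reference from the steps above, written as a script an auditor or SOC engineer could run against two exports. This is an added example, not part of the original control text; the host names, timestamps, and per-class maximum lag thresholds are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample inputs (hypothetical hosts, not from any real environment).
ASSET_INVENTORY = [
    {"host": "wks-001", "type": "endpoint"},
    {"host": "wks-002", "type": "endpoint"},
    {"host": "srv-db-01", "type": "server"},
    {"host": "idp-okta", "type": "identity_provider"},
    {"host": "fw-edge-01", "type": "firewall"},
]
# Constructed SIEM data-source export: last event time seen per source, UTC.
SIEM_SOURCES = {
    "wks-001": "2024-05-01T11:58:00Z",
    "srv-db-01": "2024-05-01T09:10:00Z",   # hours old: forwarder likely broken
    "idp-okta": "2024-05-01T11:59:30Z",
    "fw-edge-01": "2024-05-01T11:57:00Z",
    "srv-legacy": "2024-05-01T11:50:00Z",  # sends logs but is not in the inventory
}
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)

# Acceptable silence per asset class (assumed): laptops go offline, firewalls never should.
MAX_LAG = {
    "endpoint": timedelta(hours=24),
    "server": timedelta(minutes=15),
    "identity_provider": timedelta(minutes=15),
    "firewall": timedelta(minutes=5),
}

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def coverage_report(inventory, siem_sources, now=NOW, max_lag=MAX_LAG):
    """Classify each inventoried asset as healthy, stale, or missing from the SIEM,
    and list SIEM sources that no inventory entry accounts for (undocumented assets)."""
    report = {"healthy": [], "stale": [], "missing": [], "unknown_sources": []}
    inventoried = {a["host"] for a in inventory}
    for asset in inventory:
        host = asset["host"]
        if host not in siem_sources:
            report["missing"].append(host)       # coverage gap: no data source at all
            continue
        lag = now - parse_ts(siem_sources[host])
        bucket = "stale" if lag > max_lag[asset["type"]] else "healthy"
        report[bucket].append(host)
    report["unknown_sources"] = sorted(set(siem_sources) - inventoried)
    return report

if __name__ == "__main__":
    print(coverage_report(ASSET_INVENTORY, SIEM_SOURCES))
```

Every host in `missing` or `stale` should map to a documented, risk-accepted gap or a ticket; `unknown_sources` points at assets the inventory itself is missing.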