AU-2 / AU-3 / AU-6 / AU-9 / SI-4 / A.8.15 / A.8.16 / CIS-8.2 / CIS-8.5 / CIS-8.11 NIST SP 800-53 Rev 5

Logging and alerting

Demonstrate that the organization captures security-relevant events in centralized logs, generates alerts for defined threat scenarios, retains logs according to policy, and protects log integrity throughout the lifecycle.

Description

What this control does

Logging and alerting is the systematic collection, retention, and real-time monitoring of security-relevant events across systems, applications, networks, and security controls to detect and respond to incidents. This control requires configuring centralized log aggregation, defining alert thresholds for suspicious activity, establishing retention policies aligned with compliance requirements, and ensuring logs are tamper-resistant and time-synchronized. Effective implementation enables timely incident detection, supports forensic investigations, satisfies regulatory obligations, and provides an audit trail for accountability.

Associated risks

Risks this control addresses

  • Attackers perform malicious activities undetected due to insufficient logging coverage of critical systems and applications
  • Security incidents go unnoticed for extended periods because alert rules do not trigger on anomalous behaviors or known attack patterns
  • Forensic investigations fail due to inadequate log retention, missing timestamps, or premature deletion of evidence
  • Log tampering by adversaries conceals their actions and prevents accurate incident reconstruction
  • Compliance violations occur when audit logs required by regulations are not collected or retained for mandated periods
  • Operational outages are prolonged because system errors and performance degradation are not detected through monitoring alerts
  • Insider threats exploit blind spots in logging to exfiltrate data or abuse privileges without triggering detection mechanisms

Testing procedure

How an auditor verifies this control

  1. Obtain the organization's logging and monitoring policy, including defined event types, retention schedules, and alerting procedures
  2. Inventory all logging sources including servers, network devices, cloud services, applications, security tools, and databases to assess coverage
  3. Review centralized log management system configuration to verify all critical assets forward logs and validate time synchronization settings
  4. Select a sample of 10-15 critical systems across on-premises and cloud environments and confirm logs are actively being collected and indexed
  5. Examine alert rule definitions and verify that rules exist for common attack scenarios such as failed authentication attempts, privilege escalation, malware detection, and data exfiltration
  6. Request evidence of recent alert generation and review alert triage records to confirm alerts reach the appropriate security personnel and trigger investigation workflows
  7. Validate log integrity controls by reviewing access controls to the log management system, write-once storage configurations, and cryptographic hash implementations where applicable
  8. Test log retention by querying logs from the oldest retention period specified in policy and confirming availability and completeness of archived data
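
As an added example that is not part of the control catalog, the following Python snippet shows the two checks behind steps 5 and 7 in working form: a hash-chained log whose integrity is verified entry by entry, and a failed-authentication alert rule evaluated over constructed sshd-style log lines. The sample lines, the chain seed and the threshold and window values are assumptions made for the example.

```python
import hashlib
import re
from collections import deque
from datetime import datetime, timedelta
# Constructed sample (not real data): sshd-style events with naive ISO timestamps in UTC.
SAMPLE = [
    "2024-05-01T10:00:00 sshd[4101]: Failed password for root from 203.0.113.7 port 50122 ssh2",
    "2024-05-01T10:00:12 sshd[4102]: Failed password for invalid user admin from 203.0.113.7 port 50123 ssh2",
    "2024-05-01T10:01:05 sshd[4104]: Failed password for root from 203.0.113.7 port 50124 ssh2",
    "2024-05-01T10:01:40 sshd[4105]: Failed password for root from 203.0.113.7 port 50125 ssh2",
    "2024-05-01T10:02:00 sshd[4106]: Failed password for root from 203.0.113.7 port 50126 ssh2",
    "2024-05-01T10:20:00 sshd[4107]: Failed password for bob from 198.51.100.4 port 41000 ssh2",
]
FAILED_RE = re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<ip>\S+)")

def chain_digest(prev_hex, payload):
    # Entry i carries SHA-256(digest_{i-1} || payload_i); the first entry chains from a fixed seed.
    return hashlib.sha256((prev_hex + "\n" + payload).encode()).hexdigest()

def build_chained_log(payloads, seed="GENESIS"):
    # Forwarder side: stamp every payload with its chain digest before shipping it.
    entries, prev = [], seed
    for p in payloads:
        prev = chain_digest(prev, p)
        entries.append((p, prev))
    return entries

def verify_chain(entries, seed="GENESIS"):
    # Auditor side: index of the first entry that does not chain from its predecessor, or None.
    # Seed and latest digest must be anchored on write-once storage the log writer cannot modify.
    prev = seed
    for i, (payload, digest) in enumerate(entries):
        if digest != chain_digest(prev, payload):
            return i
        prev = digest
    return None

def failed_auth_alerts(payloads, threshold=5, window=timedelta(minutes=5)):
    # Sliding-window rule: alert when one source IP reaches `threshold` failed logins inside `window`.
    # Depends on synchronized clocks; skewed timestamps silently stretch or shrink the window.
    seen, alerts = {}, []
    for line in payloads:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts, q = datetime.fromisoformat(m["ts"]), seen.setdefault(m["ip"], deque())
        q.append(ts)
        while ts - q[0] > window: q.popleft()
        if len(q) == threshold:
            alerts.append((m["ip"], ts.isoformat()))
    return alerts
```

Altering any shipped entry (for instance rewriting its source address) makes `verify_chain` report that entry's index, and the alert rule fires once per source when the count first reaches the threshold.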

Evidence required

Auditors collect the logging and monitoring policy document, configuration exports from the centralized SIEM or log aggregation platform showing enabled data sources and retention settings, screenshots of alert rule configurations with triggering conditions and notification targets, sample log entries with timestamps demonstrating collection from critical systems, access control lists for the log management infrastructure, and tickets or case records showing alert response activities. Additional evidence includes network diagrams annotated with logging architecture, compliance mapping documents linking log types to regulatory requirements, and validation queries demonstrating retrieval of historical logs.

Pass criteria

All critical systems forward logs to a centralized platform with accurate time synchronization, alert rules exist for defined threat scenarios and generate notifications to security personnel, logs are retained per policy minimums and protected by integrity controls, and historical logs are retrievable for the full retention period.