8.11: Conduct Audit Log Reviews
Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis..
Asset Type |
Security Function |
Implementation Groups |
---|---|---|
Network |
Detect |
2, 3 |
Dependencies
None
Inputs
Timestamp for two consecutive log reviews
Assumptions
Log reviews are conducted at regular and consistent intervals
Operations
Compare each timestamp to determine timeframe between log reviews in days (M1)
Measures
M1 = Timeframe between log reviews
Metrics
If M1 is greater than seven, this safeguard is measured at a 0 and receives a failing score.