Correlating audit record review, analysis, and reporting processes helps ensure that they operate collectively rather than independently. For the assessment of a given organizational system, the requirement is agnostic as to whether this correlation is applied at the system level or at the organization level across all systems.

Priority: High   

Category: Situational Awareness

Services Associated with AWS:  

  • AWS CloudTrail, AWS Identity and Access Management (IAM), AWS Security Hub

Objective Evidence:   

  • Administrative: documented policies, standards, and procedures
  • Administrative: supporting documentation that role-based security training has been performed
  • Administrative: supporting documentation of the professional competence of the individual(s) performing log reviews
  • Administrative: supporting documentation that log reviews are being performed
  • Technical: screenshot of logs from the SIEM

Possible Technology Considerations:

  • Centralized Log Management
  • Security Information & Event Management (SIEM) 

What needs to be answered:

Are mechanisms in place to integrate audit record review, analysis, and reporting with the processes for investigating and responding to suspicious activity?

  • Implement Correlation of Audit Record Review, Analysis, and Reporting Processes
    Description: This check verifies that organizations have implemented processes to correlate the review, analysis, and reporting of audit records for effective investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity. Correlation involves combining information from multiple audit records and sources to identify patterns, anomalies, and potential security incidents. The correlated data aids in understanding the context and scope of security events, enabling timely and appropriate actions to be taken.
  • Establish Incident Response Procedures for Correlated Audit Events
    Description: This check ensures that organizations have established incident response procedures that include specific steps for addressing correlated audit events. Incident response procedures define the actions, roles, responsibilities, and communication channels required to investigate and respond to security incidents identified through the correlation of audit records. These procedures facilitate a coordinated and timely response to mitigate the impact of security events and restore normal operations.
  • Document and Maintain Correlation Processes and Procedures
    Description: This check ensures that organizations document and maintain the processes and procedures for correlating audit record review, analysis, and reporting. The documentation includes the methodology, tools, and techniques used for correlation, as well as the roles and responsibilities of individuals involved in the process. By maintaining up-to-date documentation, organizations can ensure consistency and effectiveness in their efforts to identify and respond to security incidents through correlated audit records.

More Details:   

Monitoring systems, such as a SIEM fed by centralized log collection, that support audit record review, analysis, and reporting.