Audit record reduction is a process that manipulates collected audit information and organizes such information in a summary format that is more meaningful to analysts. Audit record reduction and report generation capabilities do not always emanate from the same system or organizational entities conducting auditing activities. Audit record reduction capability can include, for example, modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the system can help generate customizable reports. Time ordering of audit records can be a significant issue if the granularity of the time stamp in the record is insufficient. 

Priority: Medium

Category: Situational Awareness

Services Associated with AWS:

  • AWS CloudTrail, AWS Identity and Access Management (IAM), AWS Security Hub

Objective Evidence:  

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
  • Technical: screenshot of a SIEM report showing audit records filtered and summarized by the selected criteria (user, event type, source IP address, time window)

Possible Technology Considerations:

  • Centralized Log Management
  • Security Information & Event Management (SIEM)

What needs to be answered:

Is there a capability to select and process audit records for events of interest based on selectable criteria, such as user identity, event type, location, times, dates, system resources, source IP address, or information object accessed? Can this be done on demand, and does it leave the original records and their time ordering unaltered?

  • Implement Audit Record Reduction Capability
    Description: This check confirms that the organization can reduce collected audit records: filter them by selectable criteria (user identity, event type, source IP address, time window, resource accessed) and summarize the result in a form that is meaningful for analysis and reporting. Data-mining and filtering techniques applied to the reduced set help surface anomalous behavior and potential security incidents. Reduction produces a derived view; it must not alter the content or time ordering of the original records, which keep their evidentiary value.
  • Enable Customizable Report Generation
    Description: This check verifies that reports can be generated from the reduced records both on demand and on a schedule, with the analyst choosing the data elements, filters, grouping and layout. Customizable reports let the same audit data answer different questions (who did what, from where, when, and which calls failed) without re-collecting it.
  • Address Time Ordering Challenges in Audit Records
    Description: This check confirms that timestamps carry enough granularity and accuracy for events to be sequenced reliably, with all sources synchronized to a common reference such as UTC via NTP. Where the resolution is coarse, events cannot be ordered from the timestamp alone: CloudTrail records eventTime at one-second resolution, so two API calls in the same second tie, and the analysis tooling must make that ambiguity visible rather than silently pick an order. Chronological analysis of an incident depends on getting this right.
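The three checks above, as an added example (this is illustrative code, not from the page, NIST or AWS): a small Python reducer over CloudTrail-shaped records that filters by the criteria the question lists, builds a summary report, sorts by time without touching the source records, and reports every pair of records whose one-second eventTime ties. The four records are constructed inline for the example, and the function names are this example's own; only the record field names (eventTime, eventName, eventSource, sourceIPAddress, awsRegion, userIdentity, errorCode, eventID) follow the CloudTrail record layout.

```python
"""Audit record reduction and report generation over CloudTrail-shaped records.

Added example, not from the page or AWS. The records are constructed and the
function names are this example's own; only the record fields follow CloudTrail.
"""
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample in the CloudTrail {"Records": [...]} layout, deliberately out of
# chronological order and with two records (a1, a2) sharing the same second.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventID": "a2", "eventTime": "2024-03-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventID": "b1", "eventTime": "2024-03-01T10:05:30Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "errorCode": "AccessDenied"},
    {"eventID": "a1", "eventTime": "2024-03-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventID": "a0", "eventTime": "2024-03-01T09:58:12Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]})


def load_records(raw_json):
    return json.loads(raw_json)["Records"]


def parse_event_time(ts):
    """CloudTrail eventTime is ISO 8601 UTC with one-second granularity."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def reduce_records(records, user=None, event_name=None, event_source=None,
                   source_ip=None, region=None, start=None, end=None, errors_only=False):
    """Keep records matching every supplied criterion and return them in time order.

    start/end are inclusive, timezone-aware datetimes. The source list is never
    modified; the sort key (eventTime, eventID) makes output deterministic on ties.
    """
    kept = []
    for r in records:
        t = parse_event_time(r["eventTime"])
        if user is not None and r.get("userIdentity", {}).get("userName") != user:
            continue
        if event_name is not None and r.get("eventName") != event_name:
            continue
        if event_source is not None and r.get("eventSource") != event_source:
            continue
        if source_ip is not None and r.get("sourceIPAddress") != source_ip:
            continue
        if region is not None and r.get("awsRegion") != region:
            continue
        if start is not None and t < start:
            continue
        if end is not None and t > end:
            continue
        if errors_only and "errorCode" not in r:
            continue
        kept.append(r)
    kept.sort(key=lambda r: (parse_event_time(r["eventTime"]), r["eventID"]))
    return kept


def ambiguous_orderings(sorted_records):
    """Consecutive records with identical eventTime: the one-second stamp cannot say
    which happened first, so an analyst must not infer sequence from it alone."""
    pairs = []
    for prev, cur in zip(sorted_records, sorted_records[1:]):
        if prev["eventTime"] == cur["eventTime"]:
            pairs.append((prev["eventID"], cur["eventID"]))
    return pairs


def summarize(records):
    """Summary report: counts by user, API call and source IP, failures, time span."""
    return {
        "total": len(records),
        "by_user": dict(Counter(r.get("userIdentity", {}).get("userName", "<unknown>") for r in records)),
        "by_event": dict(Counter(r["eventName"] for r in records)),
        "by_source_ip": dict(Counter(r["sourceIPAddress"] for r in records)),
        "failed": sum(1 for r in records if "errorCode" in r),
        "first": records[0]["eventTime"] if records else None,
        "last": records[-1]["eventTime"] if records else None,
    }


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    alice = reduce_records(recs, user="alice")  # on-demand reduction by user identity
    print(json.dumps(summarize(alice), indent=2))
    print("ambiguous order:", ambiguous_orderings(alice))  # [('a1', 'a2')]
```

Run against the sample, the user filter returns alice's three records in order a0, a1, a2 and flags a1/a2 as unorderable from the timestamp; the same reducer answers the other question criteria (errors_only, source_ip, a start/end window) without any change to the underlying records. In production the same shape applies to CloudTrail Lake or Athena queries over the trail bucket; the point to carry over is the explicit tie report, since a query that simply sorts by eventTime hides the ambiguity.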

More Details:   

Monitoring software capable of on-demand and scheduled report generation over system activity, producing reports from the collected audit records without altering the records themselves.