This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system provides the capability to process audit records for events of interest based on [Assignment: organization-defined audit fields within audit records].
NIST 800-53 (r4) Supplemental Guidance:
Events of interest can be identified by the content of specific audit record fields including, for example, identities of individuals, event types, event locations, event times, event dates, system resources involved, IP addresses involved, or information objects accessed. Organizations may define audit event criteria to any degree of granularity required, for example, locations selectable by general networking location (e.g., by network or subnetwork) or selectable by specific information system component. Related controls: AU-2, AU-12.
NIST 800-53 (r5) Discussion:
Events of interest can be identified by the content of audit records, including system resources involved, information objects accessed, identities of individuals, event types, event locations, event dates and times, Internet Protocol addresses involved, or event success or failure. Organizations may define event criteria to any degree of granularity required, such as locations selectable by a general networking location or by specific system component.
38North Guidance:
Meets Minimum Requirement:
The Cloud Service Offering (CSO) provides the capability to process CSO audit records for events of interest based on the organization-defined audit fields [defined within the audit and accountability policy and procedures] within the audit records. This is typically implemented by the Cloud Service Provider (CSP) with the use of a Security Information and Event Management (SIEM) tool.
Best Practice:
The SIEM tool should be able to generate reports on events of interest selected by criteria applied to specific fields within the audit logs, such as event type, user ID, date and time, source IP address or network, and originating system component.
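As an added illustration of the field-based processing this control asks for (this is example code written for this page, not a 38North or SIEM vendor artifact), the script below applies organization-defined criteria to a small set of constructed audit records: it selects events by event type, user, outcome, date/time window and source network or subnetwork, then summarizes the matches by a chosen field. The record layout, field names and the sample records are assumptions chosen for the example.

```python
import ipaddress
from collections import Counter
from datetime import datetime, timezone

# Constructed sample audit records (not taken from any real system).
# Each record carries the audit fields the control and discussion name:
# timestamp, identity, event type, source address, component and outcome.
SAMPLE_RECORDS = [
    {"ts": "2024-03-01T08:15:00Z", "user": "alice", "event": "LOGIN",
     "src_ip": "10.1.2.3", "component": "bastion", "outcome": "SUCCESS"},
    {"ts": "2024-03-01T08:16:30Z", "user": "bob", "event": "LOGIN",
     "src_ip": "10.1.2.50", "component": "bastion", "outcome": "FAILURE"},
    {"ts": "2024-03-01T08:17:05Z", "user": "bob", "event": "LOGIN",
     "src_ip": "10.1.2.50", "component": "bastion", "outcome": "FAILURE"},
    {"ts": "2024-03-01T09:00:00Z", "user": "alice", "event": "FILE_READ",
     "src_ip": "10.1.2.3", "component": "fileserver", "outcome": "SUCCESS"},
    {"ts": "2024-03-01T22:45:00Z", "user": "carol", "event": "PRIV_ESC",
     "src_ip": "192.168.9.7", "component": "db01", "outcome": "SUCCESS"},
    {"ts": "2024-03-02T01:10:00Z", "user": "bob", "event": "LOGIN",
     "src_ip": "203.0.113.8", "component": "vpn", "outcome": "FAILURE"},
]


def parse_ts(value):
    """Parse the assumed ISO-8601 UTC timestamp format used in the records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def record_matches(rec, crit):
    """Return True if the record satisfies every criterion present in `crit`.

    Supported (hypothetical) criteria keys:
      users, events, outcomes, components : sets of accepted values
      start, end                          : inclusive ISO-8601 UTC bounds
      networks                            : list of CIDR strings; the source
                                            address must fall in one of them
    Absent keys impose no restriction, so {} matches every record.
    """
    for field in ("users", "events", "outcomes", "components"):
        # Criterion name is the plural of the record field name.
        if field in crit and rec[field[:-1]] not in crit[field]:
            return False
    ts = parse_ts(rec["ts"])
    if "start" in crit and ts < parse_ts(crit["start"]):
        return False
    if "end" in crit and ts > parse_ts(crit["end"]):
        return False
    if "networks" in crit:
        ip = ipaddress.ip_address(rec["src_ip"])
        nets = [ipaddress.ip_network(n, strict=False) for n in crit["networks"]]
        if not any(ip in net for net in nets):
            return False
    return True


def find_events_of_interest(records, crit):
    """Select the records that match the organization-defined criteria."""
    return [rec for rec in records if record_matches(rec, crit)]


def summarize(records, field):
    """Count matching records by one audit field (e.g. user or component)."""
    return dict(Counter(rec[field] for rec in records))


if __name__ == "__main__":
    # Events of interest: failed logins from the internal 10.1.0.0/16 range
    # during a single day, reported per user.
    criteria = {
        "events": {"LOGIN"},
        "outcomes": {"FAILURE"},
        "networks": ["10.1.0.0/16"],
        "start": "2024-03-01T00:00:00Z",
        "end": "2024-03-01T23:59:59Z",
    }
    hits = find_events_of_interest(SAMPLE_RECORDS, criteria)
    for rec in hits:
        print(rec["ts"], rec["user"], rec["src_ip"], rec["component"])
    print("failed logins by user:", summarize(hits, "user"))
```

The criteria dictionary plays the role of the organization-defined audit fields from the audit and accountability policy; a SIEM search for the same report would express the same field tests in that tool's query language, and the printed output corresponds to the search-result exports listed under Assessment Evidence.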
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Screenshots or Excel exports of SIEM tool search results based on specific criteria, such as event type, user ID, or events during a certain date and time range from specific system components.
Screenshots of the list of offenses or the dashboards within the SIEM tool that show possible incidents or anomalies requiring further analysis by Security Operations Center (SOC) personnel or the security team that analyzes audit logs.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD