Navigate

AU-7

AU-7: Audit Record Reduction and Report Generation

Provide and implement an audit record reduction and report generation capability that:

a: Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and

b: Does not alter the original content or time ordering of audit records.

Supplemental

Audit record reduction is a process that manipulates collected audit log information and organizes it into a summary format that is more meaningful to analysts. Audit record reduction and report generation capabilities do not always emanate from the same system or from the same organizational entities that conduct audit logging activities. The audit record reduction capability includes modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the system can generate customizable reports. Time ordering of audit records can be an issue if the granularity of the timestamp in the record is insufficient.

CIA Levels
Confidentiality	moderate
Integrity	moderate
Availability	unknown

Overlays
CMMC, DAF Baseline, Int-A, Int-B, Int-C, Privacy (accountability), Privacy (high), Privacy (low), Privacy (moderate)

CSF Categories
PR.PT-1, RS.AN-3

Related Controls

The controls below (if any) were marked by NIST as being related to AU-7.

Control	Description
AC-2	a: Define and document the types of accounts allowed and specifically prohibited for use within the system; b: Assign account managers; c: Require [prerequisites and criteria for group and role membership are defined;] for group and role membership; d: Specify: 1: Authorized users of the system; 2: Group and role membership; and 3: Access authorizations (i.e., privileges) and [attributes (as required) for each account are defined;] for each account; e: Require approvals by [personnel or roles required to approve requests to create accounts is/are defined;] for requests to create accounts; f: Create, enable, modify, disable, and remove accounts in accordance with [policy, procedures, prerequisites, and criteria for account creation, enabling, modification, disabling, and removal are defined;]; g: Monitor the use of accounts; h: Notify account managers and [personnel or roles to be notified is/are defined;] within: 1: [time period within which to notify account managers when accounts are no longer required is defined;] when accounts are no longer required; 2: [time period within which to notify account managers when users are terminated or transferred is defined; ] when users are terminated or transferred; and 3: [time period within which to notify account managers when system usage or the need to know changes for an individual is defined;] when system usage or need-to-know changes for an individual; i: Authorize access to the system based on: 1: A valid access authorization; 2: Intended system usage; and 3: [attributes needed to authorize system access (as required) are defined;]; j: Review accounts for compliance with account management requirements [the frequency of account review is defined;]; k: Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and l: Align account management processes with personnel termination and transfer processes.
AU-2	a: Identify the types of events that the system is capable of logging in support of the audit function: [the event types that the system is capable of logging in support of the audit function are defined;]; b: Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; c: Specify the following event types for logging within the system: [one of ]; d: Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and e: Review and update the event types selected for logging [the frequency of event types selected for logging are reviewed and updated;].
AU-3	Ensure that audit records contain information that establishes the following: a: What type of event occurred; b: When the event occurred; c: Where the event occurred; d: Source of the event; e: Outcome of the event; and f: Identity of any individuals, subjects, or objects/entities associated with the event.
AU-4	Allocate audit log storage capacity to accommodate [audit log retention requirements are defined;].
AU-5	a: Alert [personnel or roles receiving audit logging process failure alerts are defined;] within [time period for personnel or roles receiving audit logging process failure alerts is defined;] in the event of an audit logging process failure; and b: Take the following additional actions: [additional actions to be taken in the event of an audit logging process failure are defined;].
AU-6	a: Review and analyze system audit records [frequency at which system audit records are reviewed and analyzed is defined;] for indications of [inappropriate or unusual activity is defined;] and the potential impact of the inappropriate or unusual activity; b: Report findings to [personnel or roles to receive findings from reviews and analyses of system records is/are defined;] ; and c: Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.
AU-12	a: Provide audit record generation capability for the event types the system is capable of auditing as defined in [AU-2a](#au-2_smt.a) on [system components that provide an audit record generation capability for the events types (defined in AU-02_ODP[02]) are defined;]; b: Allow [personnel or roles allowed to select the event types that are to be logged by specific components of the system is/are defined;] to select the event types that are to be logged by specific components of the system; and c: Generate audit records for the event types defined in [AU-2c](#au-2_smt.c) that include the audit record content defined in [AU-3](#au-3).
AU-16	Employ [methods for coordinating audit information among external organizations when audit information is transmitted across organizational boundaries are defined;] for coordinating [audit information to be coordinated among external organizations when audit information is transmitted across organizational boundaries is defined;] among external organizations when audit information is transmitted across organizational boundaries.
CM-5	Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system.
IA-5	Manage system authenticators by: a: Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator; b: Establishing initial authenticator content for any authenticators issued by the organization; c: Ensuring that authenticators have sufficient strength of mechanism for their intended use; d: Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators; e: Changing default authenticators prior to first use; f: Changing or refreshing authenticators [a time period for changing or refreshing authenticators by authenticator type is defined;] or when [events that trigger the change or refreshment of authenticators are defined;] occur; g: Protecting authenticator content from unauthorized disclosure and modification; h: Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and i: Changing authenticators for group or role accounts when membership to those accounts changes.
IR-4	a: Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery; b: Coordinate incident handling activities with contingency planning activities; c: Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and d: Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization.
PM-12	Implement an insider threat program that includes a cross-discipline insider threat incident handling team.
SI-4	a: Monitor the system to detect: 1: Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [monitoring objectives to detect attacks and indicators of potential attacks on the system are defined;] ; and 2: Unauthorized local, network, and remote connections; b: Identify unauthorized use of the system through the following techniques and methods: [techniques and methods used to identify unauthorized use of the system are defined;]; c: Invoke internal monitoring capabilities or deploy monitoring devices: 1: Strategically within the system to collect organization-determined essential information; and 2: At ad hoc locations within the system to track specific types of transactions of interest to the organization; d: Analyze detected events and anomalies; e: Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation; f: Obtain legal opinion regarding system monitoring activities; and g: Provide [system monitoring information to be provided to personnel or roles is defined;] to [personnel or roles to whom system monitoring information is to be provided is/are defined;] [one or more of "as needed"/"{{ insert: param, si-04_odp.06 }} "].

Enhancements

The controls below (if any) add on to the requirements of AU-7.

Control	Description
AU-7(1)	Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: [fields within audit records that can be processed, sorted, or searched are defined;].
AU-7(2)

Related CCIs

The CCIs below are tied to AU-7.

CCI	Definition
CCI-001875	Provide an audit reduction capability that supports on-demand audit review and analysis.
CCI-001876	Provide an audit reduction capability that supports on-demand reporting requirements.
CCI-001877	Provide an audit reduction capability that supports after-the-fact investigations of incidents.
CCI-001878	Provide a report generation capability that supports on-demand audit review and analysis.
CCI-001879	Provide a report generation capability that supports on-demand reporting requirements.
CCI-001880	Provide a report generation capability that supports after-the-fact investigations of security incidents.
CCI-001881	Provide an audit reduction capability that does not alter original content or time ordering of audit records.
CCI-001882	Provide a report generation capability that does not alter original content or time ordering of audit records.
CCI-003822	Implement an audit reduction capability that supports on-demand audit review and analysis.
CCI-003823	Implement an audit reduction capability that supports on-demand reporting requirements.
CCI-003824	Implement an audit reduction capability that supports after-the-fact investigations of incidents.
CCI-003825	Implement a report generation capability that supports on-demand audit review and analysis.
CCI-003826	Implement a report generation capability that supports on-demand reporting requirements.
CCI-003827	Implement a report generation capability that supports after-the-fact investigations of incidents.
CCI-003828	Implement an audit reduction capability that does not alter original content or time ordering of audit records.
CCI-003829	Implement a report generation capability that does not alter original content or time ordering of audit records.