Navigate

RA-5(8)

RA-5(8): Review Historic Audit Logs

Review historic audit logs to determine if a vulnerability identified in a [a system whose historic audit logs are to be reviewed is defined;] has been previously exploited within an [a time period for a potential previous exploit of a system is defined;].

Supplemental

Reviewing historic audit logs to determine if a recently detected vulnerability in a system has been previously exploited by an adversary can provide important information for forensic analyses. Such analyses can help identify, for example, the extent of a previous intrusion, the trade craft employed during the attack, organizational information exfiltrated or modified, mission or business capabilities affected, and the duration of the attack.

CIA Levels
Confidentiality	unknown
Integrity	unknown
Availability	unknown

Overlays
DAF Baseline

CSF Categories
None

Related Controls

The controls below (if any) were marked by NIST as being related to RA-5(8).

Control	Description
AU-6	a: Review and analyze system audit records [frequency at which system audit records are reviewed and analyzed is defined;] for indications of [inappropriate or unusual activity is defined;] and the potential impact of the inappropriate or unusual activity; b: Report findings to [personnel or roles to receive findings from reviews and analyses of system records is/are defined;] ; and c: Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.
AU-11	Retain audit records for [a time period to retain audit records that is consistent with the records retention policy is defined;] to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.

Control

Description

AU-6

a: Review and analyze system audit records [frequency at which system audit records are reviewed and analyzed is defined;] for indications of [inappropriate or unusual activity is defined;] and the potential impact of the inappropriate or unusual activity;

b: Report findings to [personnel or roles to receive findings from reviews and analyses of system records is/are defined;] ; and

c: Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.

AU-11

Retain audit records for [a time period to retain audit records that is consistent with the records retention policy is defined;] to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.

Enhancements

The controls below (if any) add on to the requirements of RA-5(8).

Control	Description
No controls

Related CCIs

The CCIs below are tied to RA-5(8).

CCI	Definition
CCI-001071	Review historic audit logs to determine if a vulnerability identified in the organization-defined system has been previously exploited within an organization-defined time period.
CCI-004638	Defines the system in which will be identified for determining if a vulnerability has been exploited.
CCI-004639	Defines the time period for reviewing historic audit logs to determine if a vulnerability identified has been exploited.