
CCC.Logging.C07: Detect and Alert on Log Service Tampering

Control ID: CCC.Logging.C07
Title: Detect and Alert on Log Service Tampering
Objective: Alert when any component of the critical logging infrastructure is disabled, modified, or deleted, indicating a defense evasion attempt.
Control Family: Logging and Monitoring

Related Threats

ID: CCC.Core.TH16
Title: Publications are Disabled
Description: Publication of events, metrics, and runtime logs may be disabled, leading to a lack of expected security and operational information being shared. This can impact system availability by delaying the detection of incidents while also impacting system design decisions and enforcement of operational thresholds, such as autoscaling or cost management.
External Mappings: 1
Capability Mappings: 1
Control Mappings: 0

Related Capabilities

ID: CCC.Core.F10
Title: Log Publication
Description: The service automatically publishes structured, verbose records of activities, operations, or events that occur within the service.

Guideline Mappings

Reference ID | Entry ID | Strength | Remarks
NIST-CSF | DE.CM-03 | 0 | -
NIST-CSF | DE.CM-09 | 0 | -
NIST_800_53 | SI-4 | 0 | -
NIST_800_53 | CA-7 | 0 | -
NIST_800_53 | AU-6 | 0 | -

Assessment Requirements

ID: CCC.Logging.C07.TR01
Description: When an audit log event is recorded that corresponds to a modification of the logging service configuration such as disabling a log trail, deleting a log sink, or altering a log forwarding rule, an alert MUST be generated.
Applicability: tlp-clear, tlp-green, tlp-amber, tlp-red
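
One way to evaluate CCC.Logging.C07.TR01 against an audit stream, as an added example that is not part of the control catalog. It assumes AWS CloudTrail and Google Cloud audit-log record shapes; the event names are real ones from those providers, chosen here for illustration since the control itself is provider-neutral, and the sample records, account ID and principals are constructed.

```python
import json

# (service, action) pairs that change logging configuration. Assumption of this
# example: the control names no provider events, so these were picked here.
TAMPER_ACTIONS = {
    ("cloudtrail.amazonaws.com", "StopLogging"): "log trail disabled",
    ("cloudtrail.amazonaws.com", "DeleteTrail"): "log trail deleted",
    ("cloudtrail.amazonaws.com", "UpdateTrail"): "log trail modified",
    ("logging.googleapis.com", "google.logging.v2.ConfigServiceV2.DeleteSink"): "log sink deleted",
    ("logging.googleapis.com", "google.logging.v2.ConfigServiceV2.UpdateSink"): "log forwarding rule altered",
}

def normalize(event):
    """Map a CloudTrail or GCP audit record to (service, action, actor, failed)."""
    if "eventName" in event:  # CloudTrail record shape
        actor = event.get("userIdentity", {}).get("arn", "unknown")
        return event.get("eventSource"), event["eventName"], actor, "errorCode" in event
    p = event.get("protoPayload", {})  # GCP audit-log record shape
    actor = p.get("authenticationInfo", {}).get("principalEmail", "unknown")
    failed = p.get("status", {}).get("code", 0) != 0
    return p.get("serviceName"), p.get("methodName"), actor, failed

def alerts_for(lines):
    """Return one alert per audit record that touches logging configuration."""
    alerts = []
    for n, line in enumerate(lines, 1):
        try:
            service, action, actor, failed = normalize(json.loads(line))
        except (json.JSONDecodeError, AttributeError, TypeError):
            # Design choice of this example: an unreadable record is surfaced, not dropped.
            alerts.append({"line": n, "reason": "unparseable audit record",
                           "actor": "unknown", "attempt_failed": False})
            continue
        reason = TAMPER_ACTIONS.get((service, action))
        if reason:
            # Denied attempts alert too; the flag lets responders triage them.
            alerts.append({"line": n, "reason": reason, "actor": actor, "attempt_failed": failed})
    return alerts

# Constructed sample records (not real log data).
SAMPLE_LINES = [
    '{"eventSource":"cloudtrail.amazonaws.com","eventName":"StopLogging","userIdentity":{"arn":"arn:aws:iam::111122223333:user/example-admin"}}',
    '{"eventSource":"s3.amazonaws.com","eventName":"GetObject","userIdentity":{"arn":"arn:aws:iam::111122223333:user/example-app"}}',
    '{"protoPayload":{"serviceName":"logging.googleapis.com","methodName":"google.logging.v2.ConfigServiceV2.DeleteSink","authenticationInfo":{"principalEmail":"ops@example.com"}}}',
    '{"eventSource":"cloudtrail.amazonaws.com","eventName":"DeleteTrail","errorCode":"AccessDenied","userIdentity":{"arn":"arn:aws:iam::111122223333:user/example-app"}}',
    'truncated{',
]

if __name__ == "__main__":
    for alert in alerts_for(SAMPLE_LINES):
        print(alert)
```

The action table is the part to maintain per provider: any configuration-changing call on the logging service that is missing from it passes without an alert.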