Alert On Audit Log Changes And Access

CCC.AuditLog.C03: Alert On Audit Log Changes And Access

Control ID:CCC.AuditLog.C03

Title:Alert On Audit Log Changes And Access

Objective:Ensure that specific alerts have been configured to detect changes in audit log configuration such as disabling exporting of logs. Alerts MUST also be created to detect changes in retention/object lock policies for exported data log sources/buckets.

Control Family:

Integrity

Related Threats

ID	Title	Description	External Mappings	Capability Mappings	Control Mappings
CCC.Core.TH07	Logs are Tampered With or Deleted	Tampering or deletion of service logs will reduce the system's ability to maintain an accurate record of events. Any actions that compromise the integrity of logs could disrupt system availability by disrupting monitoring, hindering forensic investigations, and reducing the accuracy of audit trails.	1	1	0

Related Capabilities

ID	Title	Description
CCC.Core.F03	Access Log Publication	The service automatically publishes structured, verbose records of activities performed within the scope of the service by external actors.
CCC.Core.F10	Log Publication	The service automatically publishes structured, verbose records of activities, operations, or events that occur within the service.

Guideline Mappings

Reference ID	Entry ID	Remarks
NIST-CSF	DE.CM-1	-
NIST_800_53	AU-5	-
NIST_800_53	AU-6	-

Assessment Requirements

ID	Description	Applicability
CCC.AuditLog.C03.TR01	When an attempt is made to disable a log source, then an alert MUST be generated.	tlp-red tlp-amber
CCC.AuditLog.C03.TR02	When an attempt is made to alter the retention or object lock status of an external data log source or bucket, then an alert MUST be generated.	tlp-red tlp-amber