800-53|AU-7(1)

Title

AUTOMATIC PROCESSING

Description

The information system provides the capability to process audit records for events of interest based on [Assignment: organization-defined audit fields within audit records].

Supplemental

Events of interest can be identified by the content of specific audit record fields including, for example, identities of individuals, event types, event locations, event times, event dates, system resources involved, IP addresses involved, or information objects accessed. Organizations may define audit event criteria to any degree of granularity required, for example, locations selectable by general networking location (e.g., by network or subnetwork) or selectable by specific information system component.

Reference Item Details

Reference: NIST 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations

Related: AU-12,AU-2

Category: AUDIT AND ACCOUNTABILITY

Parent Title: AUDIT REDUCTION AND REPORT GENERATION

Family: AUDIT AND ACCOUNTABILITY

Baseline Impact: MODERATE,HIGH

Audit Items

View all Reference Audit Items

Name	Plugin	Audit Name
2.1 Ensure monitoring and alerting exist for ACCOUNTADMIN and SECURITYADMIN role grants	Snowflake	CIS Snowflake Foundations v1.0.0 L1
2.1 Ensure That Cloud Audit Logging Is Configured Properly	GCP	CIS Google Cloud Platform v3.0.0 L1
2.1.11 Ensure the spoofed domains report is reviewed weekly	microsoft_azure	CIS Microsoft 365 Foundations E5 L1 v3.1.0
2.1.12 Ensure the 'Restricted entities' report is reviewed weekly	microsoft_azure	CIS Microsoft 365 Foundations E3 L1 v3.1.0
2.1.13 Ensure malware trends are reviewed at least weekly	microsoft_azure	CIS Microsoft 365 Foundations E3 L1 v3.1.0
2.2 Ensure monitoring and alerting exist for MANAGE GRANTS privilege grants	Snowflake	CIS Snowflake Foundations v1.0.0 L1
2.3 Ensure monitoring and alerting exist for password sign-ins of SSO users	Snowflake	CIS Snowflake Foundations v1.0.0 L1
2.3.1 Ensure the Account Provisioning Activity report is reviewed at least weekly	microsoft_azure	CIS Microsoft 365 Foundations E3 L1 v3.1.0
2.3.2 Ensure non-global administrator role group assignments are reviewed at least weekly	microsoft_azure	CIS Microsoft 365 Foundations E3 L1 v3.1.0
2.4 Ensure monitoring and alerting exist for password sign-in without MFA	Snowflake	CIS Snowflake Foundations v1.0.0 L1
2.5 Ensure monitoring and alerting exist for creation, update and deletion of security integrations	Snowflake	CIS Snowflake Foundations v1.0.0 L1
2.6 Ensure monitoring and alerting exist for changes to network policies and associated objects	Snowflake	CIS Snowflake Foundations v1.0.0 L1
2.7 Ensure monitoring and alerting exist for SCIM token creation	Snowflake	CIS Snowflake Foundations v1.0.0 L1
2.8 Ensure monitoring and alerting exists for new share exposures	Snowflake	CIS Snowflake Foundations v1.0.0 L1
2.9 Ensure monitoring and alerting exists for sessions from unsupported Snowflake Connector for Python and JDBC and ODBC drivers	Snowflake	CIS Snowflake Foundations v1.0.0 L2
2.12 Ensure That Cloud DNS Logging Is Enabled for All VPC Networks	GCP	CIS Google Cloud Platform v3.0.0 L1
3.1.2 Ensure user role group changes are reviewed at least weekly	microsoft_azure	CIS Microsoft 365 Foundations E3 L1 v3.1.0
3.2 Ensure CloudTrail log file validation is enabled	amazon_aws	CIS Amazon Web Services Foundations v5.0.0 L2
3.7 Ensure proxies pass source IP information - X-Real-IP	Unix	CIS NGINX Benchmark v2.1.0 L1 Loadbalancer
3.7 Ensure proxies pass source IP information - X-Real-IP	Unix	CIS NGINX Benchmark v2.1.0 L1 Proxy
4.1 Ensure unauthorized API calls are monitored	amazon_aws	CIS Amazon Web Services Foundations v5.0.0 L2
4.2 Ensure management console sign-in without MFA is monitored	amazon_aws	CIS Amazon Web Services Foundations v5.0.0 L1
4.3 Ensure usage of the 'root' account is monitored	amazon_aws	CIS Amazon Web Services Foundations v5.0.0 L1
4.4 Ensure IAM policy changes are monitored	amazon_aws	CIS Amazon Web Services Foundations v5.0.0 L1
4.5 Ensure CloudTrail configuration changes are monitored	amazon_aws	CIS Amazon Web Services Foundations v5.0.0 L1
4.6 Ensure AWS Management Console authentication failures are monitored	amazon_aws	CIS Amazon Web Services Foundations v5.0.0 L2
4.7 Ensure disabling or scheduled deletion of customer created CMKs is monitored	amazon_aws	CIS Amazon Web Services Foundations v5.0.0 L2
4.8 Ensure S3 bucket policy changes are monitored	amazon_aws	CIS Amazon Web Services Foundations v5.0.0 L1
4.9 Ensure AWS Config configuration changes are monitored	amazon_aws	CIS Amazon Web Services Foundations v5.0.0 L2
4.10 Ensure security group changes are monitored	amazon_aws	CIS Amazon Web Services Foundations v5.0.0 L2
4.11 Ensure Network Access Control List (NACL) changes are monitored	amazon_aws	CIS Amazon Web Services Foundations v5.0.0 L2
4.12 Ensure changes to network gateways are monitored	amazon_aws	CIS Amazon Web Services Foundations v5.0.0 L1
4.13 Ensure route table changes are monitored	amazon_aws	CIS Amazon Web Services Foundations v5.0.0 L1
4.14 Ensure VPC changes are monitored	amazon_aws	CIS Amazon Web Services Foundations v5.0.0 L1
4.15 Ensure AWS Organizations changes are monitored	amazon_aws	CIS Amazon Web Services Foundations v5.0.0 L1
5.1.5.1 Ensure the Application Usage report is reviewed at least weekly	microsoft_azure	CIS Microsoft 365 Foundations E3 L1 v3.1.0
5.2.4.2 Ensure the self-service password reset activity report is reviewed at least weekly	microsoft_azure	CIS Microsoft 365 Foundations E3 L1 v3.1.0
5.2.6.1 Ensure the Azure AD 'Risky sign-ins' report is reviewed at least weekly	microsoft_azure	CIS Microsoft 365 Foundations E5 L1 v3.1.0
6.4.1 Ensure mail forwarding rules are reviewed at least weekly	microsoft_azure	CIS Microsoft 365 Foundations E3 L1 v3.1.0
ALMA-09-047100 - The audit package must be installed on AlmaLinux OS 9.	Unix	DISA CloudLinux AlmaLinux OS 9 STIG v1r2
ALMA-09-054910 - The auditd service must be enabled on AlmaLinux OS 9.	Unix	DISA CloudLinux AlmaLinux OS 9 STIG v1r2
AOSX-13-000240 - The macOS system must enable System Integrity Protection.	Unix	DISA STIG Apple Mac OSX 10.13 v2r5
AOSX-14-005001 - The macOS system must enable System Integrity Protection.	Unix	DISA STIG Apple Mac OSX 10.14 v2r6
AOSX-15-005001 - The macOS system must enable System Integrity Protection.	Unix	DISA STIG Apple Mac OSX 10.15 v1r10
APPL-11-005001 - The macOS system must enable System Integrity Protection.	Unix	DISA STIG Apple macOS 11 v1r8
APPL-11-005001 - The macOS system must enable System Integrity Protection.	Unix	DISA STIG Apple macOS 11 v1r5
APPL-12-005001 - The macOS system must enable System Integrity Protection.	Unix	DISA STIG Apple macOS 12 v1r9
APPL-13-005001 - The macOS system must enable System Integrity Protection.	Unix	DISA STIG Apple macOS 13 v1r5
APPL-14-005001 The macOS system must ensure System Integrity Protection is enabled.	Unix	DISA Apple macOS 14 (Sonoma) STIG v2r3
APPL-15-005001 - The macOS system must ensure System Integrity Protection is enabled.	Unix	DISA Apple macOS 15 (Sequoia) STIG v1r3

Detections

Analytics