AU.L2-3.3.1
AU.L2-3.3.1: System Auditing
Create and retain system audit logs and records to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
AU.L2-3.3.2
AU.L2-3.3.2: User Accountability
Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
AU.L2-3.3.3
AU.L2-3.3.3: Audit Review, Analysis, and Reporting
Regularly review and analyze audit logs to identify security events, then report findings to management.
AU.L2-3.3.4
Alerting When Audit Logging Fails: AU.L2-3.3.4 Guide
Alert system administrators and security personnel immediately when audit logging or analysis failures occur.
AU.L2-3.3.5
Log Correlation Across Systems: AU.L2-3.3.5 Guide
Correlate audit data from multiple sources to identify patterns and complex attack sequences that individual logs cannot detect.
AU.L2-3.3.6
Audit Log Filtering and Reporting: AU.L2-3.3.6 Guide
Create tools and processes to filter audit logs and generate reports that focus on security-relevant events rather than routine system activity.
AU.L2-3.3.7
AU.L2-3.3.7: Authoritative Time Source
Synchronize all system clocks to a reliable, authoritative time source so audit logs are trustworthy and events can be correlated accurately.
AU.L2-3.3.8
Protecting Audit Logs from Tampering: AU.L2-3.3.8 Guide
Protect audit logs from unauthorized access, modification, and deletion to preserve their integrity as evidence.
AU.L2-3.3.9
AU.L2-3.3.9: Audit Management
Limit audit log management functions (configuration, deletion, archival) to authorized individuals to prevent tampering.