MON-001 Audit Log Scope and Generation
Description
Security-relevant events are defined and logged across all production systems, applications, and cloud services. Log events include: authentication successes and failures, privilege use, administrative actions, data access and export, configuration changes, and system errors. Log scope is documented and reviewed at defined intervals.
Rationale
Logs are the primary evidence source for incident investigation, compliance audits, and forensic analysis. Undefined scope leads to gaps that cannot be reconstructed after the fact.
Framework Mappings (9)
| Framework Control | Title | Coverage |
| --- | --- | --- |
| LOG-07 | Logging Scope | full |
| LOG-09 | Log Records | full |
| LOG-12 | Transaction/Activity Logging | partial |
| LOG-13 | Access Control Logs | partial |
| EU-AI-Art.12.1 | Logging and Record-Keeping — Automatic Event Logging Capability | partial |
| 8.15 | Logging | full |
| AU-12 | Audit Record Generation | full |
| AU-2 | Event Logging | full |
| AU-3 | Content of Audit Records | full |
Evidence (2)
Logging configuration for production systems, applications, and cloud services showing that security-relevant event categories are enabled, including authentication, privilege use, administrative actions, data access, configuration changes, and errors.
Example: AWS CloudTrail configuration showing management events and data events enabled for all production accounts; application logging configuration (e.g., log level and category settings in application config); GCP Audit Logs configuration export
Test: Review logging configuration for cloud platform and application services. Verify: (1) authentication successes and failures are logged; (2) privilege use and administrative actions are logged; (3) data access and export events are logged; (4) configuration changes generate log events; (5) cross-check against a live log stream in the SIEM and confirm events of each type are appearing.
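The SIEM cross-check in test step (5) can be automated as a coverage check over an exported slice of the log stream: classify each record into the required event categories and report any category that never appears. The script below is an added example, not part of the control catalogue or of any vendor tooling. The field names (eventName, eventType, outcome, level) and the classification rules are assumptions loosely modelled on CloudTrail-style and application records and must be adapted to the real schema; the log lines are constructed sample data in which data access events are deliberately absent so the gap shows up in the report.

```python
"""Audit-log category coverage check (added example, not catalogue code).

Reads JSON-lines log records, maps each record to the MON-001 event
categories, and reports which required categories never appeared.
"""
import json
import re
from collections import defaultdict

# Required categories taken from the MON-001 description.
REQUIRED_CATEGORIES = {
    "auth_success", "auth_failure", "privilege_use", "admin_action",
    "data_access", "config_change", "system_error",
}

# Constructed sample stream (assumed field names, not real records).
# Note: no data access event (GetObject/Export...) is present on purpose.
SAMPLE_LOG = """\
{"eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin", "outcome": "success", "actor": "alice"}
{"eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin", "outcome": "failure", "actor": "bob"}
{"eventName": "AssumeRole", "actor": "alice", "target": "role/ProdAdmin"}
{"eventName": "CreateUser", "actor": "alice", "target": "svc-reporting"}
{"eventName": "UpdateFunctionConfiguration", "actor": "ci-bot", "target": "billing-worker"}
{"level": "ERROR", "service": "billing-api", "message": "db connection timeout"}
{"eventName": "ListBuckets", "actor": "alice"}
not-a-json-line
"""

# Name patterns for the two categories that cover many API names (assumed).
ADMIN_RE = re.compile(r"^(Create|Delete|Attach|Put)(User|Role|Policy|Group)")
CONFIG_RE = re.compile(r"^(Update|Modify|Put)\w*(Configuration|Config|Settings)$")
DATA_ACCESS_NAMES = {"GetObject", "ExportReport", "DownloadCsv"}
PRIVILEGE_NAMES = {"AssumeRole", "SwitchRole", "sudo"}


def parse_log(text):
    """Parse JSON-lines text; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def classify(event):
    """Return the set of MON-001 categories a single record evidences."""
    cats = set()
    name = event.get("eventName", "")
    if event.get("eventType") == "AwsConsoleSignIn" or name in ("Login", "ConsoleLogin"):
        cats.add("auth_success" if event.get("outcome") == "success" else "auth_failure")
    if name in PRIVILEGE_NAMES:
        cats.add("privilege_use")
    if ADMIN_RE.match(name):
        cats.add("admin_action")
    if name in DATA_ACCESS_NAMES:
        cats.add("data_access")
    if CONFIG_RE.match(name):
        cats.add("config_change")
    if event.get("level") in ("ERROR", "CRITICAL"):
        cats.add("system_error")
    return cats


def coverage_report(events):
    """Count records per category and list required categories never seen."""
    counts = defaultdict(int)
    unclassified = 0
    for ev in events:
        cats = classify(ev)
        if not cats:
            unclassified += 1  # worth reviewing: either noise or a missing rule
        for c in cats:
            counts[c] += 1
    missing = sorted(REQUIRED_CATEGORIES - set(counts))
    return {"counts": dict(counts), "missing": missing, "unclassified": unclassified}


if __name__ == "__main__":
    report = coverage_report(parse_log(SAMPLE_LOG))
    print(json.dumps(report, indent=2))
    # On the constructed sample this reports missing: ["data_access"]
```

Run it against a real export covering the review window rather than a few minutes of traffic: a category that is genuinely enabled but rare (for example configuration changes) can be absent from a short sample, so a reported gap is a prompt to check the source configuration, not on its own a finding. The unclassified count is equally useful, since a high value usually means the classification rules lag behind the schema.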
Audit logging scope policy or standard defining which event categories are required to be logged, where logs must be sent, and the review schedule for scope coverage.
Example: Audit Logging Policy or Security Monitoring Standard (version-controlled, approved within last 12 months) with an enumerated list of required event categories
Test: Request the audit logging policy. Verify: (1) required event categories are explicitly listed; (2) the document references all system types in scope (cloud platform, application, network, endpoint); (3) log forwarding requirements are specified; (4) the review schedule is defined and the last review was completed within the required interval.
Questions (2)
Are security-relevant events defined and logged across all production systems, applications, and cloud services, including authentication, privilege use, administrative actions, data access, configuration changes, and system errors?
Log scope should be documented in a formal policy or standard. Gaps in event categories (e.g., no data access logging) are a common audit finding.
Which event categories are captured in your production audit logs?
All seven categories are expected for a complete audit logging posture. Missing data access logging and missing configuration change logging are the most common gaps in enterprise SaaS environments.