800-53|AU-6(1)

Title

PROCESS INTEGRATION

Description

The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.

Supplemental

Organizational processes benefiting from integrated audit review, analysis, and reporting include, for example, incident response, continuous monitoring, contingency planning, and Inspector General audits.

Reference Item Details

Related: AU-12,PM-7

Category: AUDIT AND ACCOUNTABILITY

Parent Title: AUDIT REVIEW, ANALYSIS, AND REPORTING

Family: AUDIT AND ACCOUNTABILITY

Baseline Impact: MODERATE,HIGH

Audit Items

Name | Plugin | Audit Name
1.4.4 Set IP address for 'logging host' | Cisco | CIS Cisco IOS XR 7.x v1.0.0 L1
1.6.3 Configure Netflow on Strategic Ports | Cisco | CIS Cisco NX-OS L2 v1.1.0
2.1 Ensure monitoring and alerting exist for ACCOUNTADMIN and SECURITYADMIN role grants | Snowflake | CIS Snowflake Foundations v1.0.0 L1
2.1 Ensure That Cloud Audit Logging Is Configured Properly | GCP | CIS Google Cloud Platform v3.0.0 L1
2.1.1 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 13.0 Ventura Cloud-tailored v1.0.0 L1
2.1.1 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 14.0 Sonoma Cloud-tailored v1.0.0 L1
2.1.11 Ensure the spoofed domains report is reviewed weekly | microsoft_azure | CIS Microsoft 365 Foundations E5 L1 v3.1.0
2.1.12 Ensure the 'Restricted entities' report is reviewed weekly | microsoft_azure | CIS Microsoft 365 Foundations E3 L1 v3.1.0
2.1.13 Ensure malware trends are reviewed at least weekly | microsoft_azure | CIS Microsoft 365 Foundations E3 L1 v3.1.0
2.2 Ensure monitoring and alerting exist for MANAGE GRANTS privilege grants | Snowflake | CIS Snowflake Foundations v1.0.0 L1
2.2.1 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 14.0 Sonoma v1.1.0 L1
2.2.1 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 13.0 Ventura v2.1.0 L1
2.2.4 Set IP address for 'logging host' | Cisco | CIS Cisco IOS XE 17.x v2.1.0 L1
2.2.4 Set IP address for 'logging host' | Cisco | CIS Cisco IOS XE 16.x v2.1.0 L1
2.3 Ensure monitoring and alerting exist for password sign-ins of SSO users | Snowflake | CIS Snowflake Foundations v1.0.0 L1
2.3.1 Ensure the Account Provisioning Activity report is reviewed at least weekly | microsoft_azure | CIS Microsoft 365 Foundations E3 L1 v3.1.0
2.3.2 Ensure non-global administrator role group assignments are reviewed at least weekly | microsoft_azure | CIS Microsoft 365 Foundations E3 L1 v3.1.0
2.4 Ensure monitoring and alerting exist for password sign-in without MFA | Snowflake | CIS Snowflake Foundations v1.0.0 L1
2.4.1.1 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 12.0 Monterey Cloud-tailored v1.0.0 L1
2.5 Ensure monitoring and alerting exist for creation, update and deletion of security integrations | Snowflake | CIS Snowflake Foundations v1.0.0 L1
2.5.2.1 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 12.0 Monterey v3.1.0 L1
2.5.2.1 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 10.15 Catalina v3.0.0 L1
2.5.2.1 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 11.0 Big Sur v4.0.0 L1
2.5.2.2 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 10.14 v2.0.0 L1
2.6 Ensure monitoring and alerting exist for changes to network policies and associated objects | Snowflake | CIS Snowflake Foundations v1.0.0 L1
2.7 Ensure monitoring and alerting exist for SCIM token creation | Snowflake | CIS Snowflake Foundations v1.0.0 L1
2.8 Ensure monitoring and alerting exists for new share exposures | Snowflake | CIS Snowflake Foundations v1.0.0 L1
2.9 Ensure monitoring and alerting exists for sessions from unsupported Snowflake Connector for Python and JDBC and ODBC drivers | Snowflake | CIS Snowflake Foundations v1.0.0 L2
2.12 Ensure That Cloud DNS Logging Is Enabled for All VPC Networks | GCP | CIS Google Cloud Platform v3.0.0 L1
2.12.8 - Miscellaneous Config - enable sar accounting - 'activity reports are generated every 20 minutes or less on weekday 8a-5p' | Unix | CIS AIX 5.3/6.1 L2 v1.1.0
2.12.8 - Miscellaneous Config - enable sar accounting - 'activity reports are generated hourly on weekday 6p-7a' | Unix | CIS AIX 5.3/6.1 L2 v1.1.0
2.12.8 - Miscellaneous Config - enable sar accounting - 'activity reports are generated hourly on weekends' | Unix | CIS AIX 5.3/6.1 L2 v1.1.0
2.12.8 - Miscellaneous Config - enable sar accounting - 'daily summaries are being prepared' | Unix | CIS AIX 5.3/6.1 L2 v1.1.0
3.1.2 Ensure user role group changes are reviewed at least weekly | microsoft_azure | CIS Microsoft 365 Foundations E3 L1 v3.1.0
3.2 Ensure CloudTrail log file validation is enabled | amazon_aws | CIS Amazon Web Services Foundations L2 3.0.0
3.3.2 Configure Storm Control | Cisco | CIS Cisco NX-OS L2 v1.1.0
3.7 Ensure proxies pass source IP information - X-Real-IP | Unix | CIS NGINX Benchmark v2.1.0 L1 Loadbalancer
3.7 Ensure proxies pass source IP information - X-Real-IP | Unix | CIS NGINX Benchmark v2.1.0 L1 Proxy
4.1 Ensure unauthorized API calls are monitored | amazon_aws | CIS Amazon Web Services Foundations L2 3.0.0
4.2 Ensure management console sign-in without MFA is monitored | amazon_aws | CIS Amazon Web Services Foundations L1 3.0.0
4.3 Ensure usage of 'root' account is monitored | amazon_aws | CIS Amazon Web Services Foundations L1 3.0.0
4.4 Ensure IAM policy changes are monitored | amazon_aws | CIS Amazon Web Services Foundations L1 3.0.0
4.5 Ensure CloudTrail configuration changes are monitored | amazon_aws | CIS Amazon Web Services Foundations L1 3.0.0
4.6 Ensure AWS Management Console authentication failures are monitored | amazon_aws | CIS Amazon Web Services Foundations L2 3.0.0
4.10 Ensure security group changes are monitored | amazon_aws | CIS Amazon Web Services Foundations L2 3.0.0
4.11 Ensure Network Access Control Lists (NACL) changes are monitored | amazon_aws | CIS Amazon Web Services Foundations L2 3.0.0
4.12 Ensure changes to network gateways are monitored | amazon_aws | CIS Amazon Web Services Foundations L1 3.0.0
4.13 Ensure route table changes are monitored | amazon_aws | CIS Amazon Web Services Foundations L1 3.0.0
4.14 Ensure VPC changes are monitored | amazon_aws | CIS Amazon Web Services Foundations L1 3.0.0
4.15 Ensure AWS Organizations changes are monitored | amazon_aws | CIS Amazon Web Services Foundations L1 3.0.0