Control AU-6

Audit Record Review, Analysis, and Reporting (AU-6)

Review and analyze system audit records [organization-defined] for indications of [organization-defined] and the potential impact of the inappropriate or unusual activity; Report findings to [organization-defined]; and Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.

Security Baselines

LOW, MODERATE, HIGH
Tags: audit, accountability, logging

Why These Connect

Baselined In (3)

This control is included in the linked security baseline (LOW, MODERATE, or HIGH).

Supports (49)

These related controls work together — a change to one may affect the others.

Mitigates (2)

This control helps defend against or reduce the risk of the linked threat technique.

Enhances (10)

These enhancements add specific capabilities or refinements to the base control.

Related Controls (39)

Baseline key: L = LOW, M = MODERATE, H = HIGH.

Unsuccessful Logon Attempts (AC-7) [L, M, H]
Event Logging (AU-2) [L, M, H]
Audit Log Storage Capacity (AU-4) [L, M, H]
Account Management (AC-2) [L, M, H]
Access Enforcement (AC-3) [L, M, H]
Separation of Duties (AC-5) [M, H]
Least Privilege (AC-6) [M, H]
Remote Access (AC-17) [L, M, H]
Audit Record Reduction and Report Generation (AU-7) [M, H]
Cross-organizational Audit Logging (AU-16)
Control Assessments (CA-2) [L, M, H]
Continuous Monitoring (CA-7) [L, M, H]
Baseline Configuration (CM-2) [L, M, H]
Access Restrictions for Change (CM-5) [L, M, H]
Configuration Settings (CM-6) [L, M, H]
Software Usage Restrictions (CM-10) [L, M, H]
User-installed Software (CM-11) [L, M, H]
Identification and Authentication (Organizational Users) (IA-2) [L, M, H]
Device Identification and Authentication (IA-3) [M, H]
Authenticator Management (IA-5) [L, M, H]
Identification and Authentication (Non-organizational Users) (IA-8) [L, M, H]
Incident Monitoring (IR-5) [L, M, H]
Nonlocal Maintenance (MA-4) [L, M, H]
Media Storage (MP-4) [M, H]
Physical Access Control (PE-3) [L, M, H]
Monitoring Physical Access (PE-6) [L, M, H]
Vulnerability Monitoring and Scanning (RA-5) [L, M, H]
Security and Privacy Engineering Principles (SA-8) [L, M, H]
Boundary Protection (SC-7) [L, M, H]
Malicious Code Protection (SI-3) [L, M, H]
System Monitoring (SI-4) [L, M, H]
Software, Firmware, and Information Integrity (SI-7) [M, H]
Protection of Audit Information (AU-9) [L, M, H]
Audit Record Retention (AU-11) [L, M, H]
Audit Record Generation (AU-12) [L, M, H]
Incident Handling (IR-4) [L, M, H]
Enterprise Architecture (PM-7)
Insider Threat Program (PM-12)
Continuous Monitoring Strategy (PM-31)

Threat Coverage (2 ATT&CK techniques)

Control Enhancements (10)