rr-4 High priority Response and Recovery / Response and Recovery

Security logs are collected centrally and retained for investigation

Logs are the primary evidence source for detecting, investigating, and reconstructing security incidents. Without centralized log collection, incidents are far more likely to go undetected, and forensic investigations hit dead ends because the relevant logs were never collected, were overwritten, or were deleted by the attacker on the compromised host. Retention matters as much as collection: attackers often go undetected for weeks or months, so logs that are only kept for seven days are useless for establishing when the intrusion began or how long the attacker had access.

Complete first: ds-1

Implementation steps

  1. Identify critical log sources and configure centralized collection

    Collect logs from, at minimum: authentication systems (identity provider, VPN, SSO), endpoint agents, firewalls and network devices, cloud infrastructure (CloudTrail, Azure Activity Log, GCP Audit Log), and web application access logs. Forward all of them to a central SIEM or log management platform. Avoid relying on per-system log storage, which is hard to search across and easy for an attacker who has compromised that system to tamper with or wipe.

    splunk microsoft-sentinel elastic-siem datadog aws-cloudtrail
  2. Set retention policies aligned to your investigation needs

    Retain security logs for at least 90 days in hot storage (immediately searchable) and at least 12 months in total, with older data moved to cold storage (archived, restorable on demand). Compliance frameworks such as PCI DSS require a minimum of 12 months of retention, with the most recent three months immediately available. For ransomware investigations, 90 days of hot logs is often needed to trace the initial intrusion back from the encryption event. Store logs in a tamper-evident location that an attacker who compromises production cannot modify or delete: a separate account or tenant, write-once or object-locked storage, and no delete permission for the credentials that write the logs.

    splunk aws-s3 elastic azure-log-analytics datadog
  3. Verify log completeness and integrity regularly

    Monitor log ingestion rates per source so you know when a source stops sending. An endpoint that goes silent in your SIEM may mean the agent was disabled by an attacker, not just that the machine was switched off. Set alerts for log source gaps, with thresholds tuned to each source's normal event rate. Periodically verify that logs cannot be deleted or edited by standard user accounts or by the service accounts that write them. Test log search and retrieval, including restores from cold storage, to confirm you can find specific events when an investigation needs them.

    splunk elastic datadog microsoft-sentinel pagerduty
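    The three steps above, worked through in code as an added example (this is not the page's own tooling or any vendor's code): a per-source silence detector for step 3, the retention policy from step 2 expressed as data so the hot/cold/expired tier of any event can be computed, and a SHA-256 hash chain over archived batches as one way to make an archive tamper-evident. The sample events, the per-source silence thresholds, the retention day counts and the log-type names are all constructed assumptions; a hash chain shows that tampering happened but does not prevent it, so it complements rather than replaces write-once storage.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample events (source, UTC timestamp), not real telemetry.
# endpoint-17 stops reporting after 10:02; the firewall never reports at all.
SAMPLE_EVENTS = [
    ("idp", "2024-03-01T10:00:00Z"),
    ("vpn", "2024-03-01T10:01:00Z"),
    ("endpoint-17", "2024-03-01T10:02:00Z"),
    ("cloudtrail", "2024-03-01T10:05:00Z"),
    ("idp", "2024-03-01T11:55:00Z"),
    ("vpn", "2024-03-01T11:58:00Z"),
    ("cloudtrail", "2024-03-01T11:59:00Z"),
]

# Assumed per-source silence thresholds in seconds. A chatty source such as the
# IdP should be heard from far more often than a batched CloudTrail delivery.
MAX_SILENCE = {"idp": 600, "vpn": 900, "endpoint-17": 1800,
               "cloudtrail": 3600, "firewall": 300}

# Retention policy as data: days kept hot (searchable) and days kept in total
# (hot plus cold archive). Values follow the 90-day / 12-month guidance above.
RETENTION_DAYS = {"auth": {"hot": 90, "total": 365},
                  "cloud": {"hot": 90, "total": 365},
                  "web-access": {"hot": 30, "total": 365}}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_silent_sources(events, now, max_silence=MAX_SILENCE):
    """Return {source: seconds_silent} for each expected source whose newest
    event is older than its threshold. A source with no events at all maps to
    None so the alert fires even though there is no last-seen time to report."""
    last_seen = {}
    for source, ts in events:
        t = parse_ts(ts)
        if source not in last_seen or t > last_seen[source]:
            last_seen[source] = t
    silent = {}
    for source, limit in max_silence.items():
        if source not in last_seen:
            silent[source] = None
            continue
        gap = int((now - last_seen[source]).total_seconds())
        if gap > limit:
            silent[source] = gap
    return silent


def retention_tier(log_type, event_time, now, policy=RETENTION_DAYS):
    """Classify an event as 'hot', 'cold' or 'expired' under the policy."""
    age_days = (now - event_time).days
    p = policy[log_type]
    if age_days <= p["hot"]:
        return "hot"
    if age_days <= p["total"]:
        return "cold"
    return "expired"


def _canon(batch):
    # Canonical JSON so the same records always hash to the same digest.
    return json.dumps(batch, sort_keys=True, separators=(",", ":"))


def chain_batches(batches):
    """Hash-chain archived batches so that editing, reordering or deleting any
    batch changes the digest of every batch after it. Returns one link per
    batch: {"prev": previous digest, "digest": this digest, "batch": records}."""
    chain, prev = [], "0" * 64
    for batch in batches:
        digest = hashlib.sha256((prev + _canon(batch)).encode()).hexdigest()
        chain.append({"prev": prev, "digest": digest, "batch": batch})
        prev = digest
    return chain


def verify_chain(chain):
    """Return (True, None) if every link is intact, else (False, first bad index)."""
    prev = "0" * 64
    for i, link in enumerate(chain):
        expected = hashlib.sha256((prev + _canon(link["batch"])).encode()).hexdigest()
        if link["prev"] != prev or link["digest"] != expected:
            return False, i
        prev = link["digest"]
    return True, None


if __name__ == "__main__":
    now = parse_ts("2024-03-01T12:00:00Z")
    print("silent sources:", find_silent_sources(SAMPLE_EVENTS, now))
    print("tier of a 100-day-old auth event:",
          retention_tier("auth", parse_ts("2023-11-22T00:00:00Z"), now))
    chain = chain_batches([[{"src": s, "ts": t}] for s, t in SAMPLE_EVENTS[:3]])
    print("archive intact:", verify_chain(chain))
```

    Run against the constructed events at 12:00 UTC, the detector flags endpoint-17 (silent for 7080 seconds against an 1800-second limit) and the firewall (never seen), while the sources still reporting within their thresholds are not reported. In a real deployment the thresholds should be derived from each source's observed event rate rather than fixed by hand, and the chain digests should be written to storage the production credentials cannot reach.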

Evidence required

Log collection configuration and retention policy

Evidence that logs from critical sources are being collected centrally and retained per defined policy.

  • SIEM or log platform showing active log sources and ingestion volumes
  • Written log retention policy specifying retention periods by log type
  • Alert configuration showing notification when a log source stops sending

Related controls