de-cm-1 (high) | Detect / Continuous Monitoring

Networks and network services are monitored to detect adverse events

Detection is what separates a contained incident from a breach you discover months later. Monitoring your network and systems for anomalous behavior gives you the visibility to catch attacks in progress, identify misconfigured services before they are exploited, and meet the logging requirements that auditors and regulators will ask about.

Estimated effort: 6h
Tags: logging, monitoring, detection, siem, alerts, retention

Implementation steps

  1. Enable centralized logging for all critical systems

    Route logs from your cloud infrastructure, identity provider, and production services into a single destination. You need authentication events, admin actions, network flow data, and application errors in one searchable place.

    Tools: aws-cloudtrail, datadog, splunk, elastic, grafana-loki
  2. Set up alerts for high-priority events

    Define alerts for: failed login spikes, successful logins from unexpected geographies, privilege escalation, new admin accounts, large data exports, and any change to security group or firewall rules.

    Tools: datadog, pagerduty, opsgenie, aws-guardduty
  3. Define log retention policy

    Logs must be retained long enough to support incident investigations. 90 days hot (searchable) and 12 months cold (archived) is a common baseline that satisfies most compliance frameworks.

    Tools: aws-s3, cloudflare-logpush
  4. Test that alerts fire

    Run a tabletop exercise or deliberate test: trigger a failed login spike in a staging environment and verify the alert reaches the right person. Untested alerts are not alerts.
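    As an added example (not part of this rubric or any vendor's product), the detection logic behind the "failed login spike" alert from step 2, run over constructed staging-style authentication events of the kind step 4 asks you to generate. The 5-minute window, the threshold of 10 failures per source IP and the event field names are assumptions; map them to whatever your log pipeline emits.

```python
"""Failed-login spike detector over constructed JSON-style auth events.

Added example: the sliding window (5 minutes), threshold (10 failures per
source IP) and event schema (ts, user, src_ip, outcome) are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=5)   # assumed sliding window
THRESHOLD = 10                  # assumed failures per source IP inside the window


def detect_failed_login_spikes(events, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per source IP, fired the first time it crosses the threshold.

    `events` must arrive in timestamp order, as a log pipeline normally delivers them.
    """
    recent = defaultdict(deque)   # src_ip -> timestamps of failures still in the window
    alerted = set()
    alerts = []
    for ev in events:
        if ev["outcome"] != "failure":
            continue
        ts = datetime.fromisoformat(ev["ts"])
        q = recent[ev["src_ip"]]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures that aged out of the window
            q.popleft()
        if len(q) >= threshold and ev["src_ip"] not in alerted:
            alerted.add(ev["src_ip"])
            alerts.append({"rule": "failed_login_spike", "src_ip": ev["src_ip"],
                           "count": len(q), "first_seen": q[0].isoformat(),
                           "last_seen": ts.isoformat()})
    return alerts


def synthetic_failures(n=12, spacing_s=10, src_ip="203.0.113.7", user="svc-staging"):
    """Constructed test data: n failed logins from one IP, one every spacing_s seconds."""
    base = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    return [{"ts": (base + timedelta(seconds=spacing_s * i)).isoformat(),
             "user": user, "src_ip": src_ip, "outcome": "failure"} for i in range(n)]


if __name__ == "__main__":
    # A burst (10-second spacing) must fire; the same count spread over an hour must not.
    print(detect_failed_login_spikes(synthetic_failures(12, spacing_s=10)))
    print(detect_failed_login_spikes(synthetic_failures(12, spacing_s=360)))
```

    Wiring the `alerts` list to your paging tool and confirming the page arrives is the part step 4 actually tests; the burst case here is the event you would replay in staging.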

Evidence required

Logging configuration

Screenshots or config exports showing centralized logging is enabled for critical systems.

  • AWS CloudTrail enabled across all regions
  • Datadog agent installed on production hosts
  • Okta system log forwarding configuration

Active alert rules

Export or screenshot of configured alert rules, showing at minimum the high-priority event types listed above.

  • Datadog monitor list
  • AWS GuardDuty findings configuration
  • PagerDuty escalation policy

Log retention policy document

Written statement of how long logs are retained and where they are stored.

  • Policy page in your documentation system
  • AWS S3 lifecycle rule screenshot showing archive after 90 days

Related controls