Logging
Description
Logs that record activities, exceptions, faults, and other relevant events shall be produced, stored, protected, and analysed.
⚠️ Risk Impact
Logs you don't collect can't be reviewed. Events you don't log are invisible during incident response.
🔍 How EchelonGraph Detects This
EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as high-severity findings with remediation guidance.
🔧 Remediation
Document a log policy that states which event categories are logged. Apply it consistently across cloud, application and infrastructure layers. Centralise logs in a SIEM. Retain them for 12+ months. Test event coverage by performing deliberate adversarial actions and confirming that each one appears in the logs.
💀 Real-World Attack Scenario
An attacker compromised an AWS IAM user and downloaded 47GB of customer data over 6 weeks. CloudTrail logged the API calls, but S3 server-access logging had been disabled 'to reduce log volume', so the investigation could not reconstruct the exfiltration in detail. The disabled logging directly contributed to the detection delay.
💰 Cost of Non-Compliance
Undocumented logging widens the detection gap: on average 65 days longer dwell time (Mandiant M-Trends 2024).
📋 Audit Questions
1. Is the event-logging policy documented?
2. Walk through an actual incident: were the right logs available?
3. Has log coverage been tested?
4. Are application-layer events logged?
🎯 MITRE ATT&CK Mapping
⚡ Common Pitfalls
- ⛔ Disabling logs to save cost without documenting the risk acceptance
- ⛔ Relying on default cloud logging, which misses data-plane events (such as the S3 object access in the scenario above)
- ⛔ Application events not logged
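As an added illustration of the data-plane gap that the attack scenario and the pitfalls above describe (this is example code, not EchelonGraph's scanner), the following Python check reads CloudTrail event selectors and S3 bucket logging settings in the shape that boto3's get_event_selectors() and get_bucket_logging() return them, using constructed inline data, and reports which buckets have no object-level read or write trail. It assumes basic event selectors only; advanced event selectors are not parsed.

```python
# Constructed sample shaped like CloudTrail get_event_selectors() output: one trail
# with management events only (the common default) and one whose data-event
# selector covers only writes to a single bucket.
TRAILS = [
    {"TrailARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/mgmt-only",
     "EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True,
                         "DataResources": []}]},
    {"TrailARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/s3-writes",
     "EventSelectors": [{"ReadWriteType": "WriteOnly", "IncludeManagementEvents": False,
                         "DataResources": [{"Type": "AWS::S3::Object",
                                            "Values": ["arn:aws:s3:::customer-exports/"]}]}]},
]

# Constructed sample shaped like S3 get_bucket_logging() output: a missing
# "LoggingEnabled" key means server access logging is off for that bucket.
BUCKETS = {
    "customer-exports": {"LoggingEnabled": {"TargetBucket": "central-logs"}},
    "customer-archive": {},
}


def s3_object_event_coverage(trails, bucket):
    """Return which object-level access kinds ("Read", "Write") CloudTrail data
    events record for `bucket`, across the basic event selectors of all trails."""
    bucket_prefix = f"arn:aws:s3:::{bucket}/"
    covered = set()
    for trail in trails:
        for selector in trail.get("EventSelectors", []):
            for res in selector.get("DataResources", []):
                if res.get("Type") != "AWS::S3::Object":
                    continue
                # Selector values are ARN prefixes; "arn:aws:s3" alone matches every bucket.
                if any(bucket_prefix.startswith(v) for v in res.get("Values", [])):
                    rw = selector.get("ReadWriteType", "All")
                    covered |= {"Read", "Write"} if rw == "All" else {rw.replace("Only", "")}
    return covered


def logging_gaps(trails, buckets):
    """Map each bucket name to its data-plane logging gaps (buckets with none are omitted)."""
    gaps = {}
    for name, logging_cfg in buckets.items():
        covered = s3_object_event_coverage(trails, name)
        missing = [f"no CloudTrail data events for S3 object {k.lower()}s"
                   for k in ("Read", "Write") if k not in covered]
        if "LoggingEnabled" not in logging_cfg:
            missing.append("S3 server access logging disabled")
        if missing:
            gaps[name] = missing
    return gaps
```

With the sample data, the bucket that the write-only trail covers still has no record of object reads, which is exactly the blind spot the exfiltration scenario relies on.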
📈 Business Value
Comprehensive event logging is the substrate every other security capability rests on.
⏱️ Effort Estimate
20-40 hours for log policy and verification
EchelonGraph evaluates log coverage and flags gaps.
🔗 Cross-Framework References
Automate ISO 27001 A.8.15 compliance
EchelonGraph continuously monitors this control across all your cloud accounts.