🏛️ NIST 800-53 AU-2 | Rule: NIST-AU-002 | Severity: high

Event Logging

Description

Identify the types of events that the system is capable of logging; specify the event types that the organization deems necessary to be logged.

⚠️ Risk Impact

Logs you don't collect can't be reviewed. Events you don't log are invisible during incident response. The first AU-2 question every forensic investigator asks: 'what events does this system log?'

🔍 How EchelonGraph Detects This

NIST-AU-002 (automated scanner rule)

EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as high-severity findings with remediation guidance.

🔧 Remediation

Document the log policy: which event categories (authentication, authorization, configuration, data access, privileged actions) are logged on which systems. Apply it consistently across the cloud, application, and infrastructure layers. Test event coverage by performing deliberate, authorized test actions and confirming they appear in the logs.

💀 Real-World Attack Scenario

An attacker compromised an AWS IAM user and granted themselves S3 read access. They downloaded 47GB of customer data over 6 weeks. Investigation later found CloudTrail was logging API calls — but the system administrator had disabled S3 server-access logging on the affected bucket 'to reduce log volume'. The data exfiltration would have been visible in S3 access logs that were never generated.

💰 Cost of Non-Compliance

Detection gap from undocumented logging: avg 65 days longer dwell time (Mandiant M-Trends 2024). FedRAMP AU-2 violations: ATO renewal blocked pending remediation.

📋 Audit Questions

  1. Show the event-logging policy. Which event types are logged on each system?
  2. Walk me through an actual incident — were the right logs available?
  3. How is log coverage tested?
  4. Are application-layer events (authentication, data access) logged in addition to infrastructure events?

🎯 MITRE ATT&CK Mapping

  • T1070 — Indicator Removal on Host
  • T1562.008 — Disable Cloud Logs

⚡ Common Pitfalls

  • Logging infrastructure events but not application events (or vice versa)
  • Disabling logs for 'cost reduction' without documenting risk acceptance
  • Default cloud logging that misses data-plane events (S3 object-level access, etc.)
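The remediation step above says to document which event categories are logged and to verify coverage, and the last pitfall names the most common gap on AWS: CloudTrail records management (control-plane) API calls by default but not S3 object-level (data-plane) reads, so a bulk download like the one in the attack scenario leaves no trace unless data events or server-access logging are enabled for the bucket. The following is an added example, not EchelonGraph's scanner code, that checks every bucket in an inventory for read-level coverage. The inputs are constructed dictionaries shaped like the AWS CloudTrail `GetEventSelectors` and S3 `GetBucketLogging` API responses; the bucket names, the `coverage_gaps` helper and the "covered if any prefix in the bucket is selected" simplification are assumptions of this example, and an operator would replace the sample data with real API results (for instance via boto3).

```python
"""Audit S3 buckets for data-plane read logging coverage.

Two sources can record object-level reads on a bucket:
  1. CloudTrail data events whose DataResources include the bucket
     (Type "AWS::S3::Object", Values "arn:aws:s3:::" for all buckets or
     "arn:aws:s3:::<bucket>/..." for one bucket or prefix), or
  2. S3 server-access logging on the bucket itself.
A bucket with neither is a detection gap for exfiltration by read.
"""
from dataclasses import dataclass

ALL_S3_OBJECTS = "arn:aws:s3:::"  # CloudTrail wildcard meaning "every bucket"

# Constructed sample: one trail logging management events plus data events
# for a single bucket (shape follows the GetEventSelectors response).
SAMPLE_EVENT_SELECTORS = [
    {
        "ReadWriteType": "All",
        "IncludeManagementEvents": True,
        "DataResources": [
            {"Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::finance-reports/"]},
        ],
    }
]

# Constructed sample: bucket name -> GetBucketLogging-style response
# (an empty dict means server-access logging is disabled on that bucket).
SAMPLE_BUCKET_LOGGING = {
    "finance-reports": {},
    "customer-exports": {},
    "static-assets": {
        "LoggingEnabled": {"TargetBucket": "access-logs", "TargetPrefix": "static-assets/"}
    },
}


@dataclass
class BucketCoverage:
    bucket: str
    cloudtrail_data_events: str  # "All", "ReadOnly", "WriteOnly" or "None"
    server_access_logging: bool

    @property
    def gap(self) -> bool:
        """True when object reads on this bucket are recorded nowhere."""
        reads_in_cloudtrail = self.cloudtrail_data_events in ("All", "ReadOnly")
        return not (reads_in_cloudtrail or self.server_access_logging)


def cloudtrail_s3_coverage(bucket: str, event_selectors: list) -> str:
    """Return the ReadWriteType of the first selector whose S3 data resources
    include this bucket (any prefix counts, a simplification), or "None"."""
    bucket_prefix = f"arn:aws:s3:::{bucket}/"
    for selector in event_selectors:
        for resource in selector.get("DataResources", []):
            if resource.get("Type") != "AWS::S3::Object":
                continue
            for value in resource.get("Values", []):
                if value == ALL_S3_OBJECTS or value.startswith(bucket_prefix):
                    return selector.get("ReadWriteType", "All")
    return "None"


def audit_buckets(bucket_logging: dict, event_selectors: list) -> list:
    """Combine both logging sources into one coverage record per bucket."""
    return [
        BucketCoverage(
            bucket=name,
            cloudtrail_data_events=cloudtrail_s3_coverage(name, event_selectors),
            server_access_logging="LoggingEnabled" in cfg,
        )
        for name, cfg in bucket_logging.items()
    ]


def coverage_gaps(bucket_logging: dict, event_selectors: list) -> list:
    """Names of buckets whose object reads would be invisible to an investigator."""
    return [r.bucket for r in audit_buckets(bucket_logging, event_selectors) if r.gap]


if __name__ == "__main__":
    for r in audit_buckets(SAMPLE_BUCKET_LOGGING, SAMPLE_EVENT_SELECTORS):
        status = "GAP" if r.gap else "ok "
        print(f"{status} {r.bucket}: CloudTrail data events={r.cloudtrail_data_events}, "
              f"server-access logging={r.server_access_logging}")
```

On the sample data only `customer-exports` is reported as a gap: `finance-reports` is covered by a CloudTrail data-event selector and `static-assets` by server-access logging. The output of a check like this is the evidence an auditor asking question 3 ("How is log coverage tested?") expects to see, and re-running it after any "cost reduction" change to logging turns the second pitfall into a tracked finding rather than a silent regression.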

📈 Business Value

Comprehensive event logging is the substrate every other security capability rests on. Without it, detection is impossible, forensics fails, and audits surface 'unable to determine' findings.

⏱️ Effort Estimate

Manual

20-40 hours for log policy + verification

With EchelonGraph

EchelonGraph evaluates log coverage across cloud accounts; flags gaps

🔗 Cross-Framework References

  • SOC2-CC7.1
  • ISO27001-A.8.15

Automate NIST 800-53 AU-2 compliance

EchelonGraph continuously monitors this control across all your cloud accounts.
