🏛️ NIST 800-53 AU-3 (Rule: NIST-AU-003, severity: medium)

Content of Audit Records

Description

Generate audit records containing information that establishes: what type of event occurred, when the event occurred, where the event occurred, source of the event, outcome of the event, and identity of involved subjects.

⚠️ Risk Impact

Logs without sufficient detail are useless during incident response. 'API call failed' tells you nothing; 'API call from IP X by user Y with payload Z at timestamp T returned HTTP 401' tells you everything you need.

🔍 How EchelonGraph Detects This

NIST-AU-003 (automated scanner rule)

EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as medium-severity findings with remediation guidance.

🔧 Remediation

Apply structured logging (JSON with a consistent schema). Include at minimum: timestamp, principal, source IP, user-agent, action, target, outcome, request-ID and trace-ID. Document the logging policy per system. Test log content through tabletop exercises that check whether a real investigation could be answered from the entries.
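The schema above, as an added example that is not EchelonGraph's code: a builder that emits one JSON audit record carrying every AU-3 element, and a checker that reports which required fields a log line lacks, so a free-text 'API call failed' line fails and a structured line passes. Field names, the sample principal, IP and ARN are this example's own constructed values.

```python
import json
from datetime import datetime, timezone

# Fields the remediation guidance calls for; the snake_case names are this example's choice.
REQUIRED_FIELDS = (
    "timestamp", "principal", "source_ip", "user_agent",
    "action", "target", "outcome", "request_id", "trace_id",
)


def make_audit_record(principal, source_ip, user_agent, action, target,
                      outcome, request_id, trace_id, timestamp=None):
    """Build one JSON audit record covering what/when/where/source/outcome/who."""
    ts = timestamp or datetime.now(timezone.utc)
    record = {
        "timestamp": ts.isoformat(),   # when the event occurred
        "principal": principal,        # identity of the involved subject
        "source_ip": source_ip,        # source of the event
        "user_agent": user_agent,
        "action": action,              # what type of event occurred
        "target": target,              # where the event occurred
        "outcome": outcome,            # outcome of the event
        "request_id": request_id,      # per-request correlation key
        "trace_id": trace_id,          # cross-system correlation key
    }
    return json.dumps(record, sort_keys=True)


def missing_au3_fields(line):
    """Return the required fields absent or empty in a log line.

    A line that is not a JSON object (the free-text 'API call failed' case)
    is reported as missing every field, since nothing in it can be correlated.
    """
    try:
        entry = json.loads(line)
    except ValueError:
        return list(REQUIRED_FIELDS)
    if not isinstance(entry, dict):
        return list(REQUIRED_FIELDS)
    return [f for f in REQUIRED_FIELDS if entry.get(f) in ("", None)]


# Constructed sample lines: one structured record, one free-text message.
GOOD_LINE = make_audit_record(
    principal="alice@example.com", source_ip="203.0.113.7",
    user_agent="curl/8.4.0", action="iam:CreateAccessKey",
    target="arn:aws:iam::123456789012:user/bob", outcome="HTTP 401",
    request_id="req-0001", trace_id="trace-abc",
    timestamp=datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc),
)
BAD_LINE = "2024-05-01T12:00:00Z API call failed"

if __name__ == "__main__":
    print(missing_au3_fields(GOOD_LINE))   # []
    print(missing_au3_fields(BAD_LINE))    # all nine required fields
```

Running the checker over a day of log output gives a per-system count of deficient entries, which is a direct answer to the "how is log schema enforced" audit question.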

💀 Real-World Attack Scenario

An attacker successfully brute-forced a privileged account. The logs recorded 'authentication event' but no source IP, no user-agent, no time-of-day pattern. Forensic team couldn't determine where the attack originated, what device was used, or whether other accounts were targeted. Investigation took 4× longer due to log content gaps.

💰 Cost of Non-Compliance

Insufficient log detail increases incident investigation cost 3-5× (Mandiant M-Trends 2024). FedRAMP AU-3 deficiencies block ATO renewal.

📋 Audit Questions

  1. Show a sample audit log entry. What fields does it contain?
  2. How do logs from different systems correlate (trace-ID, request-ID)?
  3. Walk me through an incident — were the logs sufficient for investigation?
  4. How is log schema enforced?

🎯 MITRE ATT&CK Mapping

T1070 — Indicator Removal on Host

⚡ Common Pitfalls

  • Logs without source IP / user-agent — can't correlate to network traffic
  • Free-text log messages instead of structured fields
  • Inconsistent schemas across systems — correlation impossible

📈 Business Value

Detailed audit records turn incident response from guesswork into forensics. They are material to SOC effectiveness and to post-incident root-cause analysis.

⏱️ Effort Estimate

Manual

20-40 hours for structured-logging migration + schema enforcement

With EchelonGraph

EchelonGraph correlates events across cloud + workload via trace-ID

🔗 Cross-Framework References

SOC2-CC7.1, ISO27001-A.8.15

Automate NIST 800-53 AU-3 compliance

EchelonGraph continuously monitors this control across all your cloud accounts.
