🏛️ NIST 800-53 AU-6 | Rule: NIST-AU-006 | Severity: high

Audit Record Review, Analysis, and Reporting

Description

Review and analyze audit records for indications of inappropriate or unusual activity; report findings to designated personnel.

⚠️ Risk Impact

Logs without review = compliance theatre. The breach that gets discovered 9 months later was almost certainly visible in logs nobody read. Active analysis is the only way logs produce security value.

🔍 How EchelonGraph Detects This

NIST-AU-006 (automated scanner rule)

EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as high-severity findings with remediation guidance.

🔧 Remediation

Deploy SIEM or log analytics: AWS Security Lake, GCP Security Command Center, Splunk, Sumo Logic, Elastic SIEM. Define detection rules. Triage alerts daily. Document review cadence + responsible parties.
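The remediation above has three moving parts: detection rules tuned to the environment, a triage cadence, and named owners. The following Python script is an added illustration of all three and is not EchelonGraph code or any vendor's rule set. It runs a small baseline-deviation detector over three constructed, simplified CloudTrail-style records, then reports which alerts have gone unreviewed past a documented 24-hour cadence and who owns them. The principal baseline, the owner map, and the sample events are all hypothetical.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed, simplified CloudTrail-style records (hypothetical sample data,
# not real logs). Only the fields the rules below read are included.
SAMPLE_LOG_LINES = [
    json.dumps({
        "eventTime": "2024-05-01T10:00:00Z", "eventName": "GetObject",
        "sourceIPAddress": "10.0.1.25",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/web-app-role/i-0abc"},
    }),
    json.dumps({
        "eventTime": "2024-05-01T10:05:00Z", "eventName": "ListBuckets",
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/web-app-role/i-0abc"},
    }),
    json.dumps({
        "eventTime": "2024-05-01T10:06:00Z", "eventName": "ListBuckets",
        "sourceIPAddress": "10.0.2.8",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111122223333:user/sec-auditor"},
    }),
]

# Hypothetical per-principal baseline: expected source networks and API calls.
# In practice this is derived from your own environment, not a vendor default.
BASELINE = {
    "web-app-role": {"networks": ("10.0.",), "apis": {"GetObject", "PutObject"}},
    "sec-auditor":  {"networks": ("10.0.",), "apis": {"ListBuckets", "GetBucketPolicy"}},
}

# Hypothetical responsible parties per rule (the documented "who reviews alerts").
RULE_OWNERS = {
    "unexpected-source-ip": "cloud-secops-oncall",
    "unexpected-api-for-principal": "cloud-secops-oncall",
    "unknown-principal": "iam-team",
}


def principal_name(record):
    """Return the role or user name from the ARN ('.../assumed-role/<role>/<session>' or '.../user/<name>')."""
    resource = record["userIdentity"]["arn"].split(":")[-1]
    return resource.split("/")[1]


def parse_events(lines):
    """Parse JSON log lines and attach a timezone-aware datetime as '_time'."""
    events = []
    for line in lines:
        rec = json.loads(line)
        rec["_time"] = datetime.fromisoformat(rec["eventTime"].replace("Z", "+00:00"))
        events.append(rec)
    return events


def detect(events, baseline):
    """Apply the baseline rules to each event; return a list of alert dicts."""
    alerts = []
    for ev in events:
        name = principal_name(ev)
        hits = []
        profile = baseline.get(name)
        if profile is None:
            hits.append("unknown-principal")
        else:
            if not ev["sourceIPAddress"].startswith(profile["networks"]):
                hits.append("unexpected-source-ip")
            if ev["eventName"] not in profile["apis"]:
                hits.append("unexpected-api-for-principal")
        for rule in hits:
            alerts.append({
                "id": f"{rule}:{name}:{ev['eventTime']}",
                "rule": rule,
                "principal": name,
                "event": ev["eventName"],
                "source_ip": ev["sourceIPAddress"],
                "created_at": ev["_time"],
                "owner": RULE_OWNERS[rule],
            })
    return alerts


def overdue_alerts(alerts, reviewed_ids, now, cadence=timedelta(hours=24)):
    """Alerts with no recorded review whose age exceeds the documented cadence."""
    return [a for a in alerts
            if a["id"] not in reviewed_ids and now - a["created_at"] > cadence]


def run_pipeline(now=None, reviewed_ids=frozenset()):
    """Parse, detect, and compute the overdue queue; 'now' defaults to a constructed clock."""
    if now is None:
        now = datetime(2024, 5, 3, tzinfo=timezone.utc)  # constructed "today" for the sample
    alerts = detect(parse_events(SAMPLE_LOG_LINES), BASELINE)
    return alerts, overdue_alerts(alerts, reviewed_ids, now)


if __name__ == "__main__":
    alerts, overdue = run_pipeline()
    for a in alerts:
        print(f"ALERT   {a['rule']:28s} {a['principal']:14s} {a['event']:12s} {a['source_ip']}")
    for a in overdue:
        print(f"OVERDUE (>24h, owner {a['owner']}): {a['id']}")
```

Two of the three sample events match the baseline and produce nothing; the second event fires two rules because the role is used from an address outside its expected network and calls an API it never calls in the baseline. The overdue list is the audit evidence for the cadence question: if it is non-empty at the documented review time, the control is not operating, regardless of how good the rules are.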

💀 Real-World Attack Scenario

Capital One 2019: the SSRF + AWS metadata exploitation that leaked 106M records was visible in CloudTrail logs for over 100 days before discovery. The breach was discovered only when the attacker posted screenshots to GitHub. The logs existed; nobody reviewed them. Total cost: $270M+ direct fines and remediation.

💰 Cost of Non-Compliance

Capital One breach: $190M class-action settlement + $80M OCC fine. Average dwell time without active log review: 277 days. With active review: 23 days. Cost differential: $2.7M per breach (IBM 2024).

📋 Audit Questions

  1. What SIEM or log analysis tool is in use?
  2. Who reviews alerts? On what cadence?
  3. Show last week's alert triage queue. What was the response?
  4. How are missed events detected post-hoc?

🎯 MITRE ATT&CK Mapping

  • T1078 — Valid Accounts
  • T1530 — Data from Cloud Storage

⚡ Common Pitfalls

  • SIEM deployed but no on-call rotation for alerts
  • Detection rules from vendor defaults — not tuned to your environment, produce noise
  • No documented post-incident loop back to detection rule improvement

📈 Business Value

Active log review is the bridge from 'we collect logs' to 'we have security'. The single biggest factor in dwell-time reduction.

⏱️ Effort Estimate

Manual

60-120 hours initial SIEM + detection rule development; ongoing tuning

With EchelonGraph

EchelonGraph correlates events across cloud + workload + identity layers; surfaces high-fidelity findings

🔗 Cross-Framework References

  • SOC2-CC7.2
  • ISO27001-A.8.16

Automate NIST 800-53 AU-6 compliance

EchelonGraph continuously monitors this control across all your cloud accounts.
