Log Retention
Description
Audit logs must be retained for at least 1 year, with 3 months immediately available for analysis.
⚠️ Risk Impact
Short log retention means losing the forensic record for the period most breaches go undetected. The average dwell time is 277 days; retention shorter than that fails forensics.
🔍 How EchelonGraph Detects This
EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as high-severity findings with remediation guidance.
🔧 Remediation
Use cloud-native long-term storage (S3 with Object Lock, GCS with retention policies, Azure Blob with retention locks), apply lifecycle policies that move logs through hot, cool and archive tiers, and keep the log store tamper-evident.
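As an added example (not from this page or from EchelonGraph), the check below evaluates an S3 bucket's lifecycle rules and Object Lock configuration against the requirement above: logs kept at least 365 days, immediately readable for the first 90, and locked in COMPLIANCE mode so they cannot be retroactively modified. The input dicts follow the shape of the S3 GetBucketLifecycleConfiguration and GetObjectLockConfiguration API responses; the sample values are constructed.

```python
"""Added example (not from the page): check an S3 bucket's lifecycle and
Object Lock settings against the requirement above: 12 months kept, 3 months
immediately available. Input dicts follow the shape returned by the S3
GetBucketLifecycleConfiguration / GetObjectLockConfiguration APIs; the
sample values are constructed."""

MIN_RETENTION_DAYS = 365   # audit logs must survive at least one year
MIN_HOT_DAYS = 90          # and stay immediately queryable for three months
# Classes that need a restore request before a read, i.e. not "immediately available"
ARCHIVE_CLASSES = {"GLACIER", "DEEP_ARCHIVE"}

def lock_retention(lock_cfg: dict) -> tuple[str, int]:
    """Return (mode, days) of the bucket's default Object Lock retention."""
    ret = (lock_cfg.get("ObjectLockConfiguration", {})
                   .get("Rule", {}).get("DefaultRetention", {}))
    return ret.get("Mode", ""), ret.get("Days", 0) + 365 * ret.get("Years", 0)

def check_retention(lifecycle: dict, lock_cfg: dict) -> list[str]:
    """Return findings; an empty list means the bucket meets the requirement."""
    findings = []
    for rule in lifecycle.get("Rules", []):
        if rule.get("Status") != "Enabled":
            continue
        rid = rule.get("ID", "<no id>")
        exp = rule.get("Expiration", {}).get("Days")
        if exp is not None and exp < MIN_RETENTION_DAYS:
            findings.append(f"{rid}: logs expire after {exp} days (< {MIN_RETENTION_DAYS})")
        for t in rule.get("Transitions", []):
            tdays = t.get("Days", 0)
            if t.get("StorageClass") in ARCHIVE_CLASSES and tdays < MIN_HOT_DAYS:
                findings.append(f"{rid}: archived to {t['StorageClass']} after {tdays} days (< {MIN_HOT_DAYS})")
    mode, days = lock_retention(lock_cfg)
    if mode != "COMPLIANCE":  # GOVERNANCE mode can be lifted by privileged principals
        findings.append(f"Object Lock mode is {mode or 'absent'}, not COMPLIANCE")
    elif days < MIN_RETENTION_DAYS:
        findings.append(f"Object Lock holds objects only {days} days (< {MIN_RETENTION_DAYS})")
    return findings

# Constructed sample: the 90-day setup from the breach scenario on this page, no lock
WEAK_LIFECYCLE = {"Rules": [{"ID": "audit", "Status": "Enabled", "Filter": {"Prefix": "audit/"},
    "Transitions": [{"Days": 30, "StorageClass": "GLACIER"}], "Expiration": {"Days": 90}}]}
WEAK_LOCK = {}
# Constructed sample: hot for 90 days, archived until day 400, locked for 400 days
GOOD_LIFECYCLE = {"Rules": [{"ID": "audit", "Status": "Enabled", "Filter": {"Prefix": "audit/"},
    "Transitions": [{"Days": 90, "StorageClass": "GLACIER"}], "Expiration": {"Days": 400}}]}
GOOD_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 400}}}}
```

Running `check_retention(WEAK_LIFECYCLE, WEAK_LOCK)` yields three findings (early expiry, early archival, no lock), while the GOOD pair yields none; the same function can be fed live `boto3` responses.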
💀 Real-World Attack Scenario
A merchant detected a breach 9 months after initial compromise. Investigation required logs from the compromise period; the company's log retention was 90 days. Pre-compromise logs were already aged out. Forensic reconstruction was impossible; the company couldn't determine scope or attribute the breach.
💰 Cost of Non-Compliance
Avg dwell time: 277 days (Mandiant M-Trends). Log retention <12 months fails most forensic investigations.
📋 Audit Questions
1. What is the log retention period?
2. What is immediately available versus archived?
3. Is the log storage tamper-evident?
4. Show evidence of a retrieval test.
🎯 MITRE ATT&CK Mapping
⚡ Common Pitfalls
- ⛔ Cost-driven retention reduction below 12 months
- ⛔ No tamper-evidence: logs could be retroactively modified
- ⛔ Archived logs that can't actually be retrieved (untested)
📈 Business Value
Log retention is foundational to forensic capability.
⏱️ Effort Estimate
Initial retention architecture + lifecycle policies
EchelonGraph monitors retention configuration + flags gaps
🔗 Cross-Framework References
Automate PCI DSS 10.5 compliance
EchelonGraph continuously monitors this control across all your cloud accounts.