Log Review and Anomaly Detection
Description
Audit logs must be reviewed at least daily for anomalies; mechanisms must detect log delivery failures.
⚠️ Risk Impact
Logs without active review = compliance theatre. Modern attackers anticipate log review and time their actions; daily review surfaces the patterns attackers expect to remain unseen.
🔍 How EchelonGraph Detects This
EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as high-severity findings with remediation guidance.
🔧 Remediation
Deploy a SIEM with daily triage. Alert on log-delivery failures. Document an on-call rotation for high-priority alerts. Trend alert volumes and tune detection rules.
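One way to implement the log-delivery-failure check described above, as an added example that is not EchelonGraph's own code: each expected log source gets a maximum tolerated silence, and any source that is silent longer than that, or has never been seen, is raised as a delivery failure. The source names, timestamps and thresholds are constructed for the example; in practice the records come from the SIEM's ingestion metadata.

```python
"""Detect log-delivery failures by checking when each expected source was last seen."""
from datetime import datetime, timedelta, timezone

# Constructed sample: (source, timestamp) of recently received records.
SAMPLE_RECORDS = [
    ("cloudtrail:prod", "2024-05-01T09:58:00Z"),
    ("cloudtrail:prod", "2024-05-01T10:02:00Z"),
    ("vpc-flow:prod", "2024-05-01T06:10:00Z"),   # went quiet hours ago
    ("waf:edge", "2024-05-01T09:59:30Z"),
]

# Maximum tolerated silence per expected source (constructed thresholds).
# A source listed here but absent from the records is also a failure.
EXPECTED_SOURCES = {
    "cloudtrail:prod": timedelta(minutes=15),
    "vpc-flow:prod": timedelta(minutes=30),
    "waf:edge": timedelta(minutes=15),
    "guardduty:prod": timedelta(hours=6),   # expected, never delivered
}


def parse_ts(ts):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def last_seen(records):
    """Return the most recent timestamp observed for each source."""
    seen = {}
    for source, ts in records:
        t = parse_ts(ts)
        if source not in seen or t > seen[source]:
            seen[source] = t
    return seen


def detect_delivery_failures(records, expected, now):
    """Return {source: reason} for every expected source that is missing or stale."""
    seen = last_seen(records)
    failures = {}
    for source, max_gap in expected.items():
        if source not in seen:
            failures[source] = "no records received"
            continue
        gap = now - seen[source]
        if gap > max_gap:
            failures[source] = f"silent for {gap}, limit {max_gap}"
    return failures


if __name__ == "__main__":
    check_time = parse_ts("2024-05-01T10:10:00Z")
    for src, why in detect_delivery_failures(SAMPLE_RECORDS, EXPECTED_SOURCES, check_time).items():
        print(f"ALERT log delivery failure: {src}: {why}")
```

Run on a schedule shorter than the smallest threshold so a stalled source is caught before the daily review, not during it.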
💀 Real-World Attack Scenario
Capital One 2019: logs visible in CloudTrail for 100+ days before discovery. Active log review would have surfaced the SSRF-IMDS pattern. The logs existed; review didn't. Total cost: $270M.
💰 Cost of Non-Compliance
Capital One: $270M. Dwell time without active review: 277 days vs 23 days with active review.
📋 Audit Questions
1. What SIEM is in use?
2. What is the daily triage cadence?
3. Is there an on-call rotation?
4. What was the response timeline for the last alert?
🎯 MITRE ATT&CK Mapping
⚡ Common Pitfalls
- ⛔ SIEM deployed but no on-call rotation
- ⛔ Detection rules left at vendor defaults, which produce noise
- ⛔ No feedback loop from triage back into detection rule improvement
📈 Business Value
Active log review is the bridge from 'we collect logs' to 'we have security'.
⏱️ Effort Estimate
SIEM + detection rules + on-call
EchelonGraph correlates events across cloud + workload + identity
🔗 Cross-Framework References
Automate PCI DSS 10.7 compliance
EchelonGraph continuously monitors this control across all your cloud accounts.