The Logging and Monitoring (LOG) domain aids CSPs and CSCs in collecting, storing, analyzing and reporting on the activities and events that occur in their cloud environment. This in turn helps to detect and respond to security incidents, operational issues and system anomalies, comply with regulatory requirements, audit and verify the effectiveness of their security controls, and improve their security posture and performance.
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| LOG-10 | Audit Records Protection | mitigates | T1070.009 | Clear Persistence | This control requires both CSP and CSC to independently protect audit logs by enforcing strict access controls, encryption, isolated log environments, continuous monitoring, vulnerability management, and similar measures, so that logs remain available for investigations or legal proceedings. |
| LOG-10 | Audit Records Protection | mitigates | T1070.007 | Clear Network Connection History and Configurations | This control requires both CSP and CSC to independently protect audit logs by enforcing strict access controls, encryption, isolated log environments, continuous monitoring, vulnerability management, and similar measures, so that logs remain available for investigations or legal proceedings. |
| LOG-10 | Audit Records Protection | mitigates | T1070 | Indicator Removal | This control requires both CSP and CSC to independently protect audit logs by enforcing strict access controls, encryption, isolated log environments, continuous monitoring, vulnerability management, and similar measures, so that logs remain available for investigations or legal proceedings. |
| LOG-10 | Audit Records Protection | mitigates | T1562 | Impair Defenses | This control requires both CSP and CSC to independently protect audit logs by enforcing strict access controls, encryption, isolated log environments, continuous monitoring, vulnerability management, and similar measures, so that logs remain available for investigations or legal proceedings. |
| LOG-10 | Audit Records Protection | mitigates | T1562.002 | Disable Windows Event Logging | This control requires both CSP and CSC to independently protect audit logs by enforcing strict access controls, encryption, isolated log environments, continuous monitoring, vulnerability management, and similar measures, so that logs remain available for investigations or legal proceedings. |
| LOG-10 | Audit Records Protection | mitigates | T1070.002 | Clear Linux or Mac System Logs | This control requires both CSP and CSC to independently protect audit logs by enforcing strict access controls, encryption, isolated log environments, continuous monitoring, vulnerability management, and similar measures, so that logs remain available for investigations or legal proceedings. |
| LOG-10 | Audit Records Protection | mitigates | T1070.001 | Clear Windows Event Logs | This control requires both CSP and CSC to independently protect audit logs by enforcing strict access controls, encryption, isolated log environments, continuous monitoring, vulnerability management, and similar measures, so that logs remain available for investigations or legal proceedings. |
| LOG-10 | Audit Records Protection | mitigates | T1562.012 | Disable or Modify Linux Audit System | This control requires both CSP and CSC to independently protect audit logs by enforcing strict access controls, encryption, isolated log environments, continuous monitoring, vulnerability management, and similar measures, so that logs remain available for investigations or legal proceedings. |
| LOG-10 | Audit Records Protection | mitigates | T1562.001 | Disable or Modify Tools | This control requires both CSP and CSC to independently protect audit logs by enforcing strict access controls, encryption, isolated log environments, continuous monitoring, vulnerability management, and similar measures, so that logs remain available for investigations or legal proceedings. |
| LOG-10 | Audit Records Protection | mitigates | T1562.007 | Disable or Modify Cloud Firewall | This control requires both CSP and CSC to independently protect audit logs by enforcing strict access controls, encryption, isolated log environments, continuous monitoring, vulnerability management, and similar measures, so that logs remain available for investigations or legal proceedings. |
| LOG-10 | Audit Records Protection | mitigates | T1562.008 | Disable or Modify Cloud Logs | This control requires both CSP and CSC to independently protect audit logs by enforcing strict access controls, encryption, isolated log environments, continuous monitoring, vulnerability management, and similar measures, so that logs remain available for investigations or legal proceedings. |
| LOG-08 | Audit Logs Sanitization | mitigates | T1528 | Steal Application Access Token | This control requires organizations to implement technical measures that automatically detect and remove sensitive data from logs to prevent unauthorized exposure. Log sanitization may help mitigate risks from Unsecured Credentials (T1552), where attackers target logs for sensitive information such as credentials or access tokens. |
| LOG-08 | Audit Logs Sanitization | mitigates | T1552 | Unsecured Credentials | This control requires organizations to implement technical measures that automatically detect and remove sensitive data from logs to prevent unauthorized exposure. Log sanitization may help mitigate risks from Unsecured Credentials (T1552), where attackers target logs for sensitive information such as credentials or access tokens. |
| LOG-08 | Audit Logs Sanitization | mitigates | T1213 | Data from Information Repositories | This control requires organizations to implement technical measures that automatically detect and remove sensitive data from logs to prevent unauthorized exposure. Data from Information Repositories (T1213) can occur if logs containing sensitive data are accessed or exfiltrated. |
| LOG-04 | Audit Logs Access and Accountability | mitigates | T1562.008 | Disable or Modify Cloud Logs | This control requires both CSP and CSC to restrict audit log access using RBAC, MFA, least privilege, and separation of duties, so that only authorized personnel can access sensitive logs and any access is traceable and secure. This set of controls ensures that proper user permissions are in place to prevent adversaries from disabling or interfering with security/logging services. |
| LOG-04 | Audit Logs Access and Accountability | mitigates | T1562.001 | Disable or Modify Tools | This control requires both CSP and CSC to restrict audit log access using RBAC, MFA, least privilege, and separation of duties, so that only authorized personnel can access sensitive logs and any access is traceable and secure. This set of controls ensures that proper user permissions are in place to prevent adversaries from disabling or interfering with security/logging services. |
| LOG-04 | Audit Logs Access and Accountability | mitigates | T1562.012 | Disable or Modify Linux Audit System | This control requires both CSP and CSC to restrict audit log access using RBAC, MFA, least privilege, and separation of duties, so that only authorized personnel can access sensitive logs and any access is traceable and secure. This set of controls ensures that proper user permissions are in place to prevent adversaries from disabling or interfering with security/logging services. |
| LOG-04 | Audit Logs Access and Accountability | mitigates | T1070.001 | Clear Windows Event Logs | This control requires both CSP and CSC to restrict audit log access using RBAC, MFA, least privilege, and separation of duties, so that only authorized personnel can access sensitive logs and any access is traceable and secure. This set of controls ensures that proper user permissions are in place to prevent adversaries from disabling or interfering with security/logging services. |
| LOG-04 | Audit Logs Access and Accountability | mitigates | T1070.002 | Clear Linux or Mac System Logs | This control requires both CSP and CSC to restrict audit log access using RBAC, MFA, least privilege, and separation of duties, so that only authorized personnel can access sensitive logs and any access is traceable and secure. This set of controls ensures that proper user permissions are in place to prevent adversaries from disabling or interfering with security/logging services. |
| LOG-04 | Audit Logs Access and Accountability | mitigates | T1562.002 | Disable Windows Event Logging | This control requires both CSP and CSC to restrict audit log access using RBAC, MFA, least privilege, and separation of duties, so that only authorized personnel can access sensitive logs and any access is traceable and secure. This set of controls ensures that proper user permissions are in place to prevent adversaries from disabling or interfering with security/logging services. |
| LOG-04 | Audit Logs Access and Accountability | mitigates | T1562 | Impair Defenses | This control requires both CSP and CSC to restrict audit log access using RBAC, MFA, least privilege, and separation of duties, so that only authorized personnel can access sensitive logs and any access is traceable and secure. This set of controls ensures that proper user permissions are in place to prevent adversaries from disabling or interfering with security/logging services. |
| LOG-04 | Audit Logs Access and Accountability | mitigates | T1070 | Indicator Removal | This control requires both CSP and CSC to restrict audit log access using RBAC, MFA, least privilege, and separation of duties, so that only authorized personnel can access sensitive logs and any access is traceable and secure. This set of controls ensures that proper user permissions are in place to prevent adversaries from disabling or interfering with security/logging services. |
| LOG-02 | Audit Logs Protection | mitigates | T1070.009 | Clear Persistence | This control requires both CSP and CSC to independently protect and retain audit logs by implementing controls such as centralized logging, secure and tamper-evident storage, access restrictions, and regular monitoring and review, ensuring logs remain available and trustworthy for investigations and protected against improper modification and tampering. |
| LOG-02 | Audit Logs Protection | mitigates | T1070.007 | Clear Network Connection History and Configurations | This control requires both CSP and CSC to independently protect and retain audit logs by implementing controls such as centralized logging, secure and tamper-evident storage, access restrictions, and regular monitoring and review, ensuring logs remain available and trustworthy for investigations and protected against improper modification and tampering. |
| LOG-02 | Audit Logs Protection | mitigates | T1562.007 | Disable or Modify Cloud Firewall | This control requires both CSP and CSC to independently protect and retain audit logs by implementing controls such as centralized logging, secure and tamper-evident storage, access restrictions, and regular monitoring and review, ensuring logs remain available and trustworthy for investigations and protected against improper modification and tampering. |
| LOG-02 | Audit Logs Protection | mitigates | T1562.008 | Disable or Modify Cloud Logs | This control requires both CSP and CSC to independently protect and retain audit logs by implementing controls such as centralized logging, secure and tamper-evident storage, access restrictions, and regular monitoring and review, ensuring logs remain available and trustworthy for investigations and protected against improper modification and tampering. |
| LOG-02 | Audit Logs Protection | mitigates | T1562.001 | Disable or Modify Tools | This control requires both CSP and CSC to independently protect and retain audit logs by implementing controls such as centralized logging, secure and tamper-evident storage, access restrictions, and regular monitoring and review, ensuring logs remain available and trustworthy for investigations and protected against improper modification and tampering. |
| LOG-02 | Audit Logs Protection | mitigates | T1562.012 | Disable or Modify Linux Audit System | This control requires both CSP and CSC to independently protect and retain audit logs by implementing controls such as centralized logging, secure and tamper-evident storage, access restrictions, and regular monitoring and review, ensuring logs remain available and trustworthy for investigations and protected against improper modification and tampering. |
| LOG-02 | Audit Logs Protection | mitigates | T1070.001 | Clear Windows Event Logs | This control requires both CSP and CSC to independently protect and retain audit logs by implementing controls such as centralized logging, secure and tamper-evident storage, access restrictions, and regular monitoring and review, ensuring logs remain available and trustworthy for investigations and protected against improper modification and tampering. |
| LOG-02 | Audit Logs Protection | mitigates | T1070.002 | Clear Linux or Mac System Logs | This control requires both CSP and CSC to independently protect and retain audit logs by implementing controls such as centralized logging, secure and tamper-evident storage, access restrictions, and regular monitoring and review, ensuring logs remain available and trustworthy for investigations and protected against improper modification and tampering. |
| LOG-02 | Audit Logs Protection | mitigates | T1562.002 | Disable Windows Event Logging | This control requires both CSP and CSC to independently protect and retain audit logs by implementing controls such as centralized logging, secure and tamper-evident storage, access restrictions, and regular monitoring and review, ensuring logs remain available and trustworthy for investigations and protected against improper modification and tampering. |
| LOG-02 | Audit Logs Protection | mitigates | T1562 | Impair Defenses | This control requires both CSP and CSC to independently protect and retain audit logs by implementing controls such as centralized logging, secure and tamper-evident storage, access restrictions, and regular monitoring and review, ensuring logs remain available and trustworthy for investigations and protected against improper modification and tampering. |
| LOG-02 | Audit Logs Protection | mitigates | T1070 | Indicator Removal | This control requires both CSP and CSC to independently protect and retain audit logs by implementing controls such as centralized logging, secure and tamper-evident storage, access restrictions, and regular monitoring and review, ensuring logs remain available and trustworthy for investigations and protected against improper modification and tampering. |
| Capability ID | Capability Name | Number of Mappings |
|---|---|---|
| LOG-08 | Audit Logs Sanitization | 3 |
| LOG-02 | Audit Logs Protection | 11 |
| LOG-04 | Audit Logs Access and Accountability | 8 |
| LOG-10 | Audit Records Protection | 11 |