MON-01.8: Security Event Monitoring
Mechanisms exist to review event logs on an ongoing basis and escalate incidents in accordance with established timelines and procedures.
Control Question: Does the organization review event logs on an ongoing basis and escalate incidents in accordance with established timelines and procedures?
General (45)
| Framework | Mapping Values |
|---|---|
| AICPA TSC 2017:2022 (used for SOC 2) (source) | CC7.2 CC7.2-POF4 |
| CIS CSC 8.1 | 8.1 |
| CIS CSC 8.1 IG1 | 8.1 |
| CIS CSC 8.1 IG2 | 8.1 |
| CIS CSC 8.1 IG3 | 8.1 |
| CSA CCM 4 | LOG-03 |
| CSA IoT SCF 2 | CLS-08 MON-04 |
| GovRAMP Low | AU-02 |
| GovRAMP Low+ | AU-02 |
| GovRAMP Moderate | AU-02 |
| GovRAMP High | AU-02 |
| IMO Maritime Cyber Risk Management | 3.5.4 |
| ISO 27002 2022 | 8.16 |
| NIST 800-53 R4 | AU-2(3) |
| NIST 800-53 R5 (source) | AU-2 |
| NIST 800-53B R5 (privacy) (source) | AU-2 |
| NIST 800-53B R5 (low) (source) | AU-2 |
| NIST 800-53B R5 (moderate) (source) | AU-2 |
| NIST 800-53B R5 (high) (source) | AU-2 |
| NIST 800-82 R3 LOW OT Overlay | AU-2 |
| NIST 800-82 R3 MODERATE OT Overlay | AU-2 |
| NIST 800-82 R3 HIGH OT Overlay | AU-2 |
| NIST 800-161 R1 | AU-2 |
| NIST 800-161 R1 C-SCRM Baseline | AU-2 |
| NIST 800-161 R1 Flow Down | AU-2 |
| NIST 800-161 R1 Level 1 | AU-2 |
| NIST 800-161 R1 Level 2 | AU-2 |
| NIST 800-161 R1 Level 3 | AU-2 |
| NIST 800-171 R2 (source) | 3.3.3 3.14.3 |
| NIST 800-171A (source) | 3.3.3[a] 3.3.3[b] 3.3.3[c] 3.14.3[a] 3.14.3[b] 3.14.3[c] |
| NIST 800-171 R3 (source) | 03.03.01.b 03.03.05.a |
| NIST 800-171A R3 (source) | A.03.03.01.ODP[02] A.03.03.01.b[01] A.03.03.05.ODP[01] A.03.03.05.a |
| NIST CSF 2.0 (source) | DE.AE DE.AE-06 DE.CM-01 |
| OWASP Top 10 2021 | A01:2021 A07:2021 A09:2021 |
| PCI DSS 4.0.1 (source) | 10.4 10.4.1 10.4.1.1 10.4.2 10.4.2.1 10.4.3 12.4.2 |
| PCI DSS 4.0.1 SAQ A-EP (source) | 10.4.1 10.4.1.1 10.4.2 10.4.2.1 10.4.3 |
| PCI DSS 4.0.1 SAQ C (source) | 10.4.1 10.4.1.1 10.4.2 10.4.2.1 10.4.3 |
| PCI DSS 4.0.1 SAQ D Merchant (source) | 10.4.1 10.4.1.1 10.4.2 10.4.2.1 10.4.3 |
| PCI DSS 4.0.1 SAQ D Service Provider (source) | 10.4.1 10.4.1.1 10.4.2 10.4.2.1 10.4.3 12.4.2 |
| Shared Assessments SIG 2025 | J.5 |
| SCF CORE Fundamentals | MON-01.8 |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | MON-01.8 |
| SCF CORE ESP Level 1 Foundational | MON-01.8 |
| SCF CORE ESP Level 2 Critical Infrastructure | MON-01.8 |
| SCF CORE ESP Level 3 Advanced Threats | MON-01.8 |
US (15)
| Framework | Mapping Values |
|---|---|
| US C2M2 2.1 | SITUATION-2.A.MIL1 SITUATION-2.B.MIL1 SITUATION-2.C.MIL2 |
| US CISA CPG 2022 | 2.T |
| US CMMC 2.0 Level 2 (source) | AU.L2-3.3.3 SI.L2-3.14.3 |
| US CMMC 2.0 Level 3 (source) | AU.L2-3.3.3 SI.L2-3.14.3 |
| US DHS ZTCF | APP-02 SEC-01 |
| US FedRAMP R4 | AU-2(3) |
| US FedRAMP R4 (moderate) | AU-2(3) |
| US FedRAMP R4 (high) | AU-2(3) |
| US HIPAA Administrative Simplification 2013 (source) | 164.308(a)(1)(ii)(D) 164.312(b) |
| US HIPAA Security Rule / NIST SP 800-66 R2 (source) | 164.308(a)(1)(ii)(D) 164.312(b) |
| US IRS 1075 | AU-2 |
| US SSA EIESR 8.0 | 5.6 5.7 |
| US TSA / DHS 1580/82-2022-01 | III.D.3.a |
| US - CA CCPA 2025 | 7123(c)(7) |
| US - NY SHIELD Act S5575B | 4(2)(b)(ii)(C)(2) |
EMEA (11)
| Framework | Mapping Values |
|---|---|
| EMEA EU EBA GL/2019/04 | 3.4.5(39) 3.4.5(40) |
| EMEA EU NIS2 Annex | 3.2.3 3.2.4 |
| EMEA Germany Banking Supervisory Requirements for IT (BAIT) | 5.5 |
| EMEA Israel CDMO 1.0 | 12.31 21.3 21.11 |
| EMEA Saudi Arabia CSCC-1 2019 | 2-11-1-2 |
| EMEA Saudi Arabia IoT CGIoT-1 2024 | 2-11-1 |
| EMEA Saudi Arabia ECC-1 2018 | 2-12-3-4 |
| EMEA Saudi Arabia SACS-002 | TPC-40 |
| EMEA UK CAF 4.0 | C1.a |
| EMEA UK CAP 1850 | C1 C2 |
| EMEA UK DEFSTAN 05-138 | 3101 3102 |
APAC (3)
| Framework | Mapping Values |
|---|---|
| APAC Australia ISM June 2024 | ISM-0109 |
| APAC India SEBI CSCRF | DE.CM.S3 |
| APAC Singapore MAS TRM 2021 | 12.2.2 |
Americas (3)
| Framework | Mapping Values |
|---|---|
| Americas Canada CSAG | 3.5 |
| Americas Canada OSFI B-13 | 3.3.1 |
| Americas Canada ITSP-10-171 | 03.03.01.B 03.03.05.A |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to review event logs on an ongoing basis and escalate incidents in accordance with established timelines and procedures.
Level 1 — Performed Informally
Continuous Monitoring (MON) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Generating event logs and the review of event logs is narrowly-focused to business-critical systems and/ or systems that store, processes and/ or transmit sensitive/regulated data.
- Secure baseline configurations generate logs that contain sufficient information to establish necessary details of activity and allow for forensics analysis.
Level 2 — Planned & Tracked
Continuous Monitoring (MON) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for situational awareness management. o Configure alerts for critical or sensitive data that is stored, transmitted and processed on assets. o Use a structured process to review and analyze logs.
- Situational awareness management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
- Secure baseline configurations generate logs that contain sufficient information to establish necessary details of activity and allow for forensics analysis.
- IT/cybersecurity personnel:
- A log aggregator, or similar automated tool, provides an event log report generation capability to aid in detecting and assessing anomalous activities on business-critical systems.
Level 3 — Well Defined
Continuous Monitoring (MON) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Governs asset management that ensures compliance with requirements for asset management. o Leverages a Configuration Management Database (CMDB), or similar tool, as the authoritative source of IT assets. o Centrally collects logs and is protected according to the manufacturer’s security guidelines to protect the integrity of the event logs with cryptographic mechanisms. o Monitors the organization for Indicators of Compromise (IoC) and provides 24x7x365 near real-time alerting capability. o Is configured to alert incident response personnel of detected suspicious events such that incident responders can look to terminate suspicious events.
- An IT Asset Management (ITAM) function, or similar function:
- A Security Incident Event Manager (SIEM), or similar automated tool:
- Both inbound and outbound network traffic is monitored for unauthorized activities to identify prohibited activities and assist incident handlers with identifying potentially compromised systems.
Level 4 — Quantitatively Controlled
See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to review event logs on an ongoing basis and escalate incidents in accordance with established timelines and procedures.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to review event logs on an ongoing basis and escalate incidents in accordance with established timelines and procedures.
Assessment Objectives
- MON-01.8_A01 the frequency at which system audit records are reviewed and analyzed is defined.
- MON-01.8_A02 system audit records are reviewed and analyzed per an organization-defined frequency for indications and the potential impact of inappropriate or unusual activity.
- MON-01.8_A03 response actions to system security alerts and advisories are identified.
- MON-01.8_A04 system security alerts and advisories are monitored.
- MON-01.8_A05 actions in response to system security alerts and advisories are taken.
- MON-01.8_A06 the frequency of event types selected for logging are reviewed and updated.
- MON-01.8_A07 event types being logged are updated based on the review.
- MON-01.8_A08 a process for determining when to review logged events is defined.
- MON-01.8_A09 the event types selected for logging are reviewed <A.03.03.01.ODP[02]: frequency>.
- MON-01.8_A10 system audit records are reviewed and analyzed <A.03.03.05.ODP[01]: frequency> for indications and the potential impact of inappropriate or unusual activity.
Evidence Requirements
- E-MON-01 Event Log Review & Analysis
-
Documented evidence of security event log review and analysis (e.g., system monitoring records).
Event Log Monitoring - E-MON-02 Malware Activity
-
Documented evidence of malware activity being logged and included as part of the centralized event log collection and review/analysis process.
Event Log Monitoring - E-MON-05 Centralized Event Log Collection
-
Documented evidence of security-relevant activities being logged and included as part of the centralized event log collection and review/analysis process.
Event Log Monitoring
Technology Recommendations
Micro/Small
- Managed Security Services Provider (MSSP)
Small
- Security Incident Event Manager (SIEM)
- Managed Security Services Provider (MSSP)
Medium
- Security Incident Event Manager (SIEM)
- Managed Security Services Provider (MSSP)
Large
- Security Incident Event Manager (SIEM)
- Managed Security Services Provider (MSSP)
Enterprise
- Security Incident Event Manager (SIEM)
- Managed Security Services Provider (MSSP)