Skip to main content

MON-03: Content of Event Logs

MON 10 — Critical Detect

Mechanisms exist to configure Technology Assets, Applications and/or Services (TAAS) to produce event logs that contain sufficient information to, at a minimum: (1) Establish what type of event occurred; (2) When (date and time) the event occurred; (3) Where the event occurred; (4) The source of the event; (5) The outcome (success or failure) of the event; and (6) The identity of any user/subject associated with the event.

Control Question: Does the organization configure Technology Assets, Applications and/or Services (TAAS) to produce event logs that contain sufficient information to, at a minimum: (1) Establish what type of event occurred; (2) When (date and time) the event occurred; (3) Where the event occurred; (4) The source of the event; (5) The outcome (success or failure) of the event; and (6) The identity of any user/subject associated with the event?

General (48)
Framework Mapping Values
AICPA TSC 2017:2022 (used for SOC 2) (source) PI1.4
CIS CSC 8.1 3.14 8.2 8.5
CIS CSC 8.1 IG1 8.2
CIS CSC 8.1 IG2 8.2
CIS CSC 8.1 IG3 3.14 8.2
CSA CCM 4 LOG-08
CSA IoT SCF 2 MON-03 MON-06
GovRAMP Low AU-03
GovRAMP Low+ AU-03
GovRAMP Moderate AU-03
GovRAMP High AU-03
IEC 62443-4-2 2019 CR 2.8 (6.10.1)
ISO 27002 2022 8.15
ISO 27017 2015 12.4.1
NAIC Insurance Data Security Model Law (MDL-668) 4.D(2)(i)
NIST 800-53 R4 AU-3 DM-2(1)
NIST 800-53 R4 (low) AU-3
NIST 800-53 R4 (moderate) AU-3
NIST 800-53 R4 (high) AU-3
NIST 800-53 R5 (source) AU-2 AU-3
NIST 800-53B R5 (low) (source) AU-3
NIST 800-53B R5 (moderate) (source) AU-3
NIST 800-53B R5 (high) (source) AU-3
NIST 800-82 R3 LOW OT Overlay AU-3
NIST 800-82 R3 MODERATE OT Overlay AU-3
NIST 800-82 R3 HIGH OT Overlay AU-3
NIST 800-161 R1 AU-3
NIST 800-161 R1 C-SCRM Baseline AU-3
NIST 800-161 R1 Flow Down AU-3
NIST 800-161 R1 Level 1 AU-3
NIST 800-161 R1 Level 2 AU-3
NIST 800-161 R1 Level 3 AU-3
NIST 800-171 R2 (source) 3.3.2
NIST 800-171A (source) 3.3.1[a] 3.3.1[b] 3.3.1[d] 3.3.2[a] 3.3.2[b]
NIST 800-171 R3 (source) 03.03.01.a 03.03.02.a 03.03.02.a.01 03.03.02.a.02 03.03.02.a.03 03.03.02.a.04 03.03.02.a.05 03.03.02.a.06 03.03.02.b
NIST 800-171A R3 (source) A.03.03.01.ODP[01] A.03.03.01.a A.03.03.01.b[02] A.03.03.02.a.02 A.03.03.02.a.03 A.03.03.02.a.04 A.03.03.02.a.05 A.03.03.02.a.06 A.03.03.02.b
NIST CSF 2.0 (source) PR.PS-04
OWASP Top 10 2021 A09:2021
PCI DSS 4.0.1 (source) 10.2 10.2.1 10.2.1.1 10.2.1.2 10.2.1.3 10.2.1.4 10.2.1.5 10.2.1.6 10.2.1.7 10.2.2 6.4.2
PCI DSS 4.0.1 SAQ A-EP (source) 6.4.2 10.2.1 10.2.1.1 10.2.1.2 10.2.1.3 10.2.1.4 10.2.1.5 10.2.1.6 10.2.1.7 10.2.2
PCI DSS 4.0.1 SAQ C (source) 10.2.1.2 10.2.1.4 10.2.1.5 10.2.2
PCI DSS 4.0.1 SAQ D Merchant (source) 6.4.2 10.2.1 10.2.1.1 10.2.1.2 10.2.1.3 10.2.1.4 10.2.1.5 10.2.1.6 10.2.1.7 10.2.2
PCI DSS 4.0.1 SAQ D Service Provider (source) 6.4.2 10.2.1 10.2.1.1 10.2.1.2 10.2.1.3 10.2.1.4 10.2.1.5 10.2.1.6 10.2.1.7 10.2.2
SCF CORE Fundamentals MON-03
SCF CORE Mergers, Acquisitions & Divestitures (MA&D) MON-03
SCF CORE ESP Level 1 Foundational MON-03
SCF CORE ESP Level 2 Critical Infrastructure MON-03
SCF CORE ESP Level 3 Advanced Threats MON-03
US (32)
Framework Mapping Values
US CERT RMM 1.2 COMP:SG1.SP3 COMP:SG3.SP1 TM:SG2.SP2
US CJIS Security Policy 5.9.3 (source) 5.4.1 5.4.1.1 5.4.1.1.1
US CMMC 2.0 Level 2 (source) AU.L2-3.3.2
US CMMC 2.0 Level 3 (source) AU.L2-3.3.2
US CMS MARS-E 2.0 AU-3
US DoD Zero Trust Execution Roadmap 7.1
US DHS CISA SSDAF 1.b
US DHS CISA TIC 3.0 3.UNI.AACCO
US EO 14028 4e(i)(B)
US FDA 21 CFR Part 11 11.10 11.10(b) 11.10(c) 11.10(e)
US FedRAMP R4 AU-3
US FedRAMP R4 (low) AU-3
US FedRAMP R4 (moderate) AU-3
US FedRAMP R4 (high) AU-3
US FedRAMP R4 (LI-SaaS) AU-3
US FedRAMP R5 (source) AU-3
US FedRAMP R5 (low) (source) AU-3
US FedRAMP R5 (moderate) (source) AU-3
US FedRAMP R5 (high) (source) AU-3
US FedRAMP R5 (LI-SaaS) (source) AU-3
US HIPAA Administrative Simplification 2013 (source) 164.312(b)
US HIPAA Security Rule / NIST SP 800-66 R2 (source) 164.312(b)
US IRS 1075 AU-3
US NERC CIP 2024 (source) CIP-007-6 4.1 CIP-007-6 4.1.1 CIP-007-6 4.1.2 CIP-007-6 4.1.3
US NISPOM 2020 8-602
US NNPI (unclass) 3.1 3.2 7.1
US TSA / DHS 1580/82-2022-01 III.D.3.a
US - CA CCPA 2025 7123(c)(7)
US - NY DFS 23 NYCRR500 2023 Amd 2 500.6(a)(1) 500.6(a)(2) 500.7(c)
US - TX DIR Control Standards 2.0 AU-3
US - TX TX-RAMP Level 1 AU-3
US - TX TX-RAMP Level 2 AU-3
EMEA (11)
Framework Mapping Values
EMEA EU EBA GL/2019/04 3.5(52)
EMEA EU NIS2 Annex 11.5.2(d) 3.2.3 3.2.3(c) 3.2.3(d) 3.2.3(e) 3.2.3(f) 3.2.3(g) 3.2.3(h) 3.2.3(j) 3.2.3(k) 3.2.3(l)
EMEA Germany Banking Supervisory Requirements for IT (BAIT) 6.3
EMEA Germany C5 2020 OPS-15
EMEA Israel CDMO 1.0 4.6 12.17 21.2 21.5 21.7 21.10
EMEA Saudi Arabia CSCC-1 2019 2-11-1-5
EMEA Spain BOE-A-2022-7191 24.1
EMEA Spain 311/2022 24.1
EMEA Spain CCN-STIC 825 7.3.8 [OP.EXP.8]
EMEA UK CAF 4.0 C1.a
EMEA UK DEFSTAN 05-138 3104
APAC (7)
Framework Mapping Values
APAC Australia Essential 8 ML2-P3 ML2-P5 ML3-P3 ML3-P5
APAC Australia ISM June 2024 ISM-0582 ISM-0585 ISM-1536 ISM-1537
APAC India SEBI CSCRF PR.AA.S9
APAC Japan ISMAP 12.4.1 12.4.1.15.PB
APAC New Zealand HISF 2022 HHSP70 HML70 HSUP61
APAC New Zealand HISF Suppliers 2023 HSUP61
APAC New Zealand NZISM 3.6 16.6.7.C.01 16.6.9.C.01 16.6.10.C.01 16.6.10.C.02
Americas (3)
Framework Mapping Values
Americas Bermuda BMACCC 6.21
Americas Canada OSFI B-13 3.2.7 3.3.1
Americas Canada ITSP-10-171 03.03.01.A 03.03.02.A 03.03.02.A.01 03.03.02.A.02 03.03.02.A.03 03.03.02.A.04 03.03.02.A.05 03.03.02.A.06 03.03.02.B

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to configure Technology Assets, Applications and/or Services (TAAS) to produce event logs that contain sufficient information to, at a minimum: (1) Establish what type of event occurred; (2) When (date and time) the event occurred; (3) Where the event occurred; (4) The source of the event; (5) The outcome (success or failure) of the event; and (6) The identity of any user/subject associated with the event.

Level 1 — Performed Informally

Continuous Monitoring (MON) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Generating event logs and the review of event logs is narrowly-focused to business-critical Technology Assets, Applications and/or Services (TAAS) and/ or Technology Assets, Applications and/or Services (TAAS) that store, processes and/ or transmit sensitive/regulated data.
  • Secure baseline configurations generate logs that contain sufficient information to establish necessary details of activity and allow for forensics analysis.
Level 2 — Planned & Tracked

Continuous Monitoring (MON) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for situational awareness management. o Configure alerts for critical or sensitive data that is stored, transmitted and processed on assets. o Use a structured process to review and analyze logs.

  • Situational awareness management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  • Secure baseline configurations generate logs that contain sufficient information to establish necessary details of activity and allow for forensics analysis.
  • IT/cybersecurity personnel:
  • A log aggregator, or similar automated tool, provides an event log report generation capability to aid in detecting and assessing anomalous activities on business-critical Technology Assets, Applications and/or Services (TAAS).
Level 3 — Well Defined

Continuous Monitoring (MON) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Governs asset management that ensures compliance with requirements for asset management. o Leverages a Configuration Management Database (CMDB), or similar tool, as the authoritative source of IT assets. o Centrally collects logs and is protected according to the manufacturer’s security guidelines to protect the integrity of the event logs with cryptographic mechanisms. o Monitors the organization for Indicators of Compromise (IoC) and provides 24x7x365 near real-time alerting capability. o Is configured to alert incident response personnel of detected suspicious events such that incident responders can look to terminate suspicious events.

  • An IT Asset Management (ITAM) function, or similar function:
  • A Security Incident Event Manager (SIEM), or similar automated tool:
  • Both inbound and outbound network traffic is monitored for unauthorized activities to identify prohibited activities and assist incident handlers with identifying potentially compromised Technology Assets, Applications and/or Services (TAAS).
Level 4 — Quantitatively Controlled

See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to configure Technology Assets, Applications and/or Services (TAAS) to produce event logs that contain sufficient information to, at a minimum: (1) Establish what type of event occurred; (2) When (date and time) the event occurred; (3) Where the event occurred; (4) The source of the event; (5) The outcome (success or failure) of the event; and (6) The identity of any user/subject associated with the event.

Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to configure Technology Assets, Applications and/or Services (TAAS) to produce event logs that contain sufficient information to, at a minimum: (1) Establish what type of event occurred; (2) When (date and time) the event occurred; (3) Where the event occurred; (4) The source of the event; (5) The outcome (success or failure) of the event; and (6) The identity of any user/subject associated with the event.

Assessment Objectives

  1. MON-03_A01 the content of audit records needed to support monitoring, analysis, investigation and reporting of unlawful or unauthorized system activity is defined.
  2. MON-03_A02 audit records contain information that establishes what type of event occurred.
  3. MON-03_A03 audit records contain information that establishes when the event occurred.
  4. MON-03_A04 audit records contain information that establishes where the event occurred.
  5. MON-03_A05 audit records contain information that establishes the source of the event.
  6. MON-03_A06 audit records contain information that establishes the outcome of the event.
  7. MON-03_A07 audit records contain information that establishes the identity of the individuals, subjects, objects, or entities associated with the event.
  8. MON-03_A08 event logs needed (e.g., event types to be logged) to enable the monitoring, analysis, investigation and reporting of unlawful or unauthorized system activity are specified.
  9. MON-03_A09 a rationale is provided for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents.
  10. MON-03_A10 audit records, once created, contain the defined content.
  11. MON-03_A11 the frequency of event types selected for logging are reviewed / updated.
  12. MON-03_A12 event types selected for logging within the system are defined.
  13. MON-03_A13 the following event types are specified for logging within the system: <A.03.03.01.ODP[01]: event types>.
  14. MON-03_A14 the event types selected for logging are updated <A.03.03.01.ODP[02]: frequency>.
  15. MON-03_A15 additional information for audit records is provided, as needed.

Evidence Requirements

E-AST-01 IT Asset Management (ITAM)

Documented evidence of an IT Asset Management (ITAM) program that addresses the due diligence and due care activities associated with maintaining both secure and compliant systems, applications and services.

Asset Management
E-CPL-01 Statutory, Regulatory & Contractual Obligations

Documented evidence of applicable statutory, regulatory and/or contractual obligations for cybersecurity & data privacy controls.

Compliance

Technology Recommendations

Micro/Small

  • Secure Baseline Configurations (SBC)

Small

  • Secure Baseline Configurations (SBC)

Medium

  • Secure Baseline Configurations (SBC)

Large

  • Secure Baseline Configurations (SBC)

Enterprise

  • Secure Baseline Configurations (SBC)

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.

Manage this control in SCF Connect

Track implementation status, collect evidence, and map controls to your compliance frameworks automatically.

Get Started Free