AU-6—Audit Record Review, Analysis, and Reporting
>Control Description
Review and analyze system audit records ⚙organization-defined frequency for indications of ⚙organization-defined inappropriate or unusual activity and the potential impact of the inappropriate or unusual activity;
Report findings to ⚙organization-defined personnel or roles; and
Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.
>DoD Impact Level Requirements
FedRAMP Parameter Values
AU-6 (a)-1 [at least weekly]
Additional Requirements and Guidance
AU-6 Requirement: Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. In multi-tenant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented.
>Discussion
Audit record review, analysis, and reporting covers information security- and privacy-related logging performed by organizations, including logging that results from the monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and non-local maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at system interfaces, and use of mobile code or Voice over Internet Protocol (VoIP). Findings can be reported to organizational entities that include the incident response team, help desk, and security or privacy offices. If organizations are prohibited from reviewing and analyzing audit records or unable to conduct such activities, the review or analysis may be carried out by other organizations granted such authority.
The frequency, scope, and/or depth of the audit record review, analysis, and reporting may be adjusted to meet organizational needs based on new information received.
>Programmatic Queries
Related Services
CLI Commands
aws logs start-query --log-group-name LOG_GROUP --query-string 'fields @timestamp, @message | filter @message like /ERROR/'aws securityhub get-findings --filters '{"SeverityLabel":[{"Value":"CRITICAL","Comparison":"EQUALS"}]}'aws guardduty list-findings --detector-id DETECTOR_ID>Related Controls
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- •What formal policies and procedures govern the implementation of AU-6 (Audit Record Review, Analysis, And Reporting)?
- •Who are the designated roles responsible for implementing, maintaining, and monitoring AU-6?
- •How frequently is the AU-6 policy reviewed and updated, and what triggers policy changes?
- •What training or awareness programs ensure personnel understand their responsibilities related to AU-6?
Technical Implementation:
- •Describe the specific technical mechanisms or controls used to enforce AU-6 requirements.
- •What automated tools, systems, or technologies are deployed to implement AU-6?
- •How is AU-6 integrated into your system architecture and overall security posture?
- •What configuration settings, parameters, or technical specifications enforce AU-6 requirements?
Evidence & Documentation:
- •What documentation demonstrates the complete implementation of AU-6?
- •What audit logs, records, reports, or monitoring data validate AU-6 compliance?
- •Can you provide evidence of periodic reviews, assessments, or testing of AU-6 effectiveness?
- •What artifacts would you present during a FedRAMP assessment to demonstrate AU-6 compliance?
Ask AI
Configure your API key to use AI features.