
KSI-MLA-OSM Operating SIEM Capability

LOW
MODERATE

Formerly KSI-MLA-01

>Control Description

Operate a Security Information and Event Management (SIEM) or similar system(s) for centralized, tamper-resistant logging of events, activities, and changes.

>NIST 800-53 Controls

>Trust Center Components (4)

Ways to express your implementation of this indicator — approaches vary by organization size, complexity, and data sensitivity.

From the field: Mature implementations express monitoring coverage through MITRE ATT&CK heat maps — detection rule counts by tactic, alert-to-incident conversion rates, and MTTD/MTTR trends as dashboard indicators. Detection engineering is a continuous process with rules tested against the ATT&CK matrix, showing systematic coverage rather than ad-hoc alerting.

Threat Detection Dashboard

Dashboards

Dashboard expressing detection posture — threat detection metrics, alert volumes, MTTD/MTTR trends, and ATT&CK technique coverage

Automated: SIEM APIs verify detection rules are active and alert pipelines are functioning

Security Monitoring Architecture

Architecture & Diagrams

Architecture expressing SIEM/SOAR design — detection rules, alert routing, and escalation pipelines

Detection Engineering Process

Processes & Procedures

How detection rules are created, tested, and tuned — aligned to MITRE ATT&CK with continuous coverage improvement

SOC Capabilities Overview

Documents & Reports

SOC capabilities, staffing model, and monitoring coverage

>Programmatic Queries


CLI Commands

Check SIEM health and indexing status
splunk search 'index=_internal source=*metrics.log group=pipeline | stats sum(cpu_seconds) as cpu by name | sort -cpu' -earliest_time -1h
List active correlation searches
splunk search '| rest /servicesNS/-/-/saved/searches | search is_scheduled=1 alert_type!="" | table title eai:acl.app cron_schedule disabled'
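The following Python script is an added example, not code from this page or from FedRAMP. It does over the Splunk REST API what the second CLI command does with `| rest`, and then applies the automated check named under the Threat Detection Dashboard component: every scheduled alert (correlation search) must be enabled and carry a cron schedule. The host URL and token in `fetch_saved_searches` are hypothetical placeholders, and `SAMPLE_RESPONSE` is a constructed, trimmed copy of the JSON shape Splunk returns so the script runs offline.

```python
"""Verify that scheduled alerts (correlation searches) are active via the Splunk REST API.

Added example, not from the page. Mirrors `| rest /servicesNS/-/-/saved/searches`:
pull saved searches, keep the scheduled alerts, and report any that are disabled
or have no cron schedule. SAMPLE_RESPONSE is a constructed, trimmed response.
"""
import json
import ssl
import urllib.request

# Constructed sample of /servicesNS/-/-/saved/searches?output_mode=json, reduced to the
# fields this check reads. Splunk encodes booleans as true/false or "0"/"1" depending on
# field and version, so _truthy() accepts both forms.
SAMPLE_RESPONSE = json.dumps({"entry": [
    {"name": "Brute Force Access Behavior Detected",
     "acl": {"app": "SplunkEnterpriseSecuritySuite"},
     "content": {"is_scheduled": True, "alert_type": "number of events",
                 "cron_schedule": "*/5 * * * *", "disabled": False}},
    {"name": "Suspicious Privilege Escalation",
     "acl": {"app": "search"},
     "content": {"is_scheduled": True, "alert_type": "always",
                 "cron_schedule": "0 * * * *", "disabled": "1"}},
    {"name": "Weekly Executive Report",      # scheduled report, not an alert
     "acl": {"app": "search"},
     "content": {"is_scheduled": True, "alert_type": "",
                 "cron_schedule": "0 6 * * 1", "disabled": False}},
    {"name": "Ad hoc investigation",         # never scheduled
     "acl": {"app": "search"},
     "content": {"is_scheduled": False, "alert_type": "",
                 "cron_schedule": "", "disabled": False}},
]})


def _truthy(value):
    """Normalise Splunk's mixed boolean encodings (True, 1, "1", "true")."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ("1", "true", "t", "yes")


def fetch_saved_searches(base_url, token, verify_tls=True):
    """GET all saved searches as JSON. base_url and token are hypothetical placeholders
    (e.g. https://splunk.example.internal:8089 and a Splunk authentication token)."""
    url = f"{base_url}/servicesNS/-/-/saved/searches?output_mode=json&count=0"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    ctx = ssl.create_default_context()
    if not verify_tls:  # lab-only escape hatch for self-signed management certs
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode("utf-8")


def audit_alerts(response_text):
    """Classify saved searches into healthy alerts and broken ones
    (disabled or missing a cron schedule). Non-alert searches are ignored."""
    healthy, broken = [], []
    for entry in json.loads(response_text).get("entry", []):
        content = entry.get("content", {})
        # Same filter as the page's SPL: is_scheduled=1 alert_type!=""
        if not (_truthy(content.get("is_scheduled")) and content.get("alert_type")):
            continue
        label = f"{entry['name']} [{entry.get('acl', {}).get('app', '?')}]"
        if _truthy(content.get("disabled")) or not content.get("cron_schedule"):
            broken.append(label)
        else:
            healthy.append(label)
    return {"healthy": healthy, "broken": broken}


if __name__ == "__main__":
    # Against a real host, replace SAMPLE_RESPONSE with fetch_saved_searches(BASE_URL, TOKEN).
    report = audit_alerts(SAMPLE_RESPONSE)
    print(f"{len(report['healthy'])} active alerts; {len(report['broken'])} need attention:")
    for name in report["broken"]:
        print("  -", name)
```

Run it on a schedule from a host outside the SIEM's own administrative boundary and alert when `broken` is non-empty or when the count of healthy alerts falls below the number of rules recorded in the detection inventory; that turns the "SIEM APIs verify detection rules are active" statement into continuous evidence rather than a point-in-time screenshot.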

>20x Assessment Focus Areas

Aligned with FedRAMP 20x Phase Two assessment methodology

Completeness & Coverage:

  • Does your SIEM or centralized logging ingest events from all in-scope information resources — cloud infrastructure, applications, identity providers, network devices, and third-party services?
  • Are there log sources that are not yet integrated with centralized logging, and what is the plan and timeline to close those gaps?
  • Does centralized logging cover events, activities, and changes across all environments (production, staging, development, DR)?
  • How do you ensure log ingestion keeps pace with environment growth — new services, accounts, and regions are automatically onboarded?

Automation & Validation:

  • What tamper-resistance mechanisms protect centralized log data (immutable storage, write-once-read-many, cryptographic integrity verification)?
  • How do you detect if centralized log ingestion is disrupted — a source stops sending logs, or the SIEM pipeline drops events?
  • What automated monitoring alerts when log volume from a source drops unexpectedly, indicating potential logging failure or tampering?
  • How do you validate that log integrity controls actually prevent modification — do you test by attempting to alter or delete log entries?
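Two of the questions above, cryptographic integrity verification of stored logs and detection of a source that stops sending, can be demonstrated concretely. The block below is an added example written for this page, not FedRAMP or vendor code. Part 1 keeps an HMAC hash-chained append-only log and shows what the verifier reports when a record is edited, deleted, or silently truncated; the chain alone cannot detect truncation, which is why the head hash has to be anchored somewhere the log writer cannot modify. Part 2 flags sources whose current hourly volume falls well below their recent median. The events, counts and the key name are all constructed for the example.

```python
"""Tamper-evident logging and ingestion-drop detection. Added example, not from the page.

Part 1: an HMAC-SHA256 hash-chained append-only log whose verifier catches edited,
deleted, reordered and (given an externally anchored head hash) truncated records.
Part 2: flag log sources whose latest hourly count falls far below their baseline.
All events, counts and the key are constructed sample data.
"""
import copy
import hashlib
import hmac
import json
import statistics

GENESIS = "0" * 64  # link value "before" the first record

# Constructed sample events; in practice these are the records shipped to the SIEM.
SAMPLE_EVENTS = [
    {"ts": "2026-02-04T10:00:00Z", "src": "okta", "user": "alice", "action": "login"},
    {"ts": "2026-02-04T10:00:05Z", "src": "aws", "user": "alice", "action": "AssumeRole"},
    {"ts": "2026-02-04T10:01:00Z", "src": "aws", "user": "alice", "action": "PutBucketPolicy"},
    {"ts": "2026-02-04T10:02:00Z", "src": "okta", "user": "bob", "action": "login"},
]


def _link_hash(prev_hash, record, key):
    """HMAC-SHA256 over the previous link plus the canonical JSON of this record."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_hash.encode() + canonical, hashlib.sha256).hexdigest()


def append(chain, record, key):
    """Append a record, linking it to the current head of the chain."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"seq": len(chain), "record": record, "hash": _link_hash(prev, record, key)})


def verify(chain, key, expected_head=None):
    """Recompute every link. Returns (True, None) if intact; (False, seq) for the first
    entry that fails; (False, len(chain)) when all entries verify but the head differs
    from expected_head, i.e. trailing records were removed. Without an anchored head,
    truncation is invisible, so publish the head to storage the writer cannot alter."""
    prev = GENESIS
    for position, entry in enumerate(chain):
        if entry.get("seq") != position:
            return False, position  # gap or reordering
        if not hmac.compare_digest(entry["hash"], _link_hash(prev, entry["record"], key)):
            return False, position  # record or link altered
        prev = entry["hash"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(chain)
    return True, None


def tamper_demo(key=b"constructed-forwarder-key"):
    """Build a chain and show the verifier's verdict for four tampering cases."""
    chain = []
    for event in SAMPLE_EVENTS:
        append(chain, event, key)
    head = chain[-1]["hash"]  # the value that would be anchored out-of-band
    edited = copy.deepcopy(chain)
    edited[2]["record"]["action"] = "GetObject"  # rewrite a sensitive action
    deleted = copy.deepcopy(chain)
    del deleted[1]                               # remove a middle record
    truncated = chain[:-1]                       # drop the newest record
    return {
        "intact": verify(chain, key, head),
        "edited": verify(edited, key, head),
        "deleted": verify(deleted, key, head),
        "truncated_no_anchor": verify(truncated, key),
        "truncated_with_anchor": verify(truncated, key, head),
    }


# Constructed hourly counts per source, oldest first; the last value is the current hour.
SAMPLE_COUNTS = {
    "aws:cloudtrail": [1200, 1180, 1250, 1210, 1190],
    "okta:system": [400, 410, 390, 405, 90],
    "pan:firewall": [8000, 8100, 7900, 8050, 0],
    "new-service": [50, 60],
}


def volume_drops(counts, threshold=0.5, min_history=3):
    """Flag sources whose current count is below threshold * median of prior counts.
    The median resists single spikes in the baseline; latest == 0 marks a silent
    source (agent down, credential expired, or logging deliberately disabled)."""
    findings = {}
    for source, series in counts.items():
        if len(series) < min_history + 1:
            continue  # not enough history to judge
        baseline = statistics.median(series[:-1])
        latest = series[-1]
        if baseline > 0 and latest < threshold * baseline:
            findings[source] = {"baseline": baseline, "latest": latest, "silent": latest == 0}
    return findings


if __name__ == "__main__":
    for case, verdict in tamper_demo().items():
        print(f"{case:>22}: {verdict}")
    for source, f in volume_drops(SAMPLE_COUNTS).items():
        print(f"{source}: {f['latest']} vs baseline {f['baseline']}{' (SILENT)' if f['silent'] else ''}")
```

The threat model matters here: the HMAC key must be held by the forwarder or a signing service, not by whoever administers the storage the chain lands in, otherwise an attacker with storage access can simply rebuild the chain. Pairing the chain with WORM storage and a periodically anchored head hash is what lets you answer the "do you test by attempting to alter or delete log entries?" question with a repeatable test rather than a policy statement.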

Inventory & Integration:

  • What SIEM platform or log management system provides centralized logging, and what is its capacity and scalability?
  • How does the SIEM integrate with your asset inventory to validate that every in-scope resource has a corresponding log source?
  • What log shipping mechanisms (agents, API collectors, cloud-native log forwarding) feed into the centralized system?
  • How does your centralized logging integrate with alerting, incident response, and compliance reporting workflows?

Continuous Evidence & Schedules:

  • How do you demonstrate that centralized logging has been operational and complete for the past 90 days with no gaps?
  • Is log ingestion health data (source count, event volume, latency, error rates) available via API or dashboard?
  • What evidence shows log retention meets required durations and that retention policies are enforced automatically?
  • How do you prove that tamper-resistance controls have been active and effective throughout the assessment period?

Update History

2026-02-04: Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes.
