KSI-MLA-RVL—Reviewing Logs
Formerly KSI-MLA-02
Trust Center Components
Ways to express your implementation of this indicator — approaches vary by organization size, complexity, and data sensitivity.
From the field: Mature implementations express log review through automated triage — SOAR platforms correlating and escalating events automatically, with log review completion metrics and mean time to review tracked as dashboard indicators. Security events are analyzed systematically through automation, not just collected in a SIEM waiting for manual review.
Automated Alert Triage
How automated alert triage and correlation works — SOAR platform capabilities that analyze events systematically
Log Review Compliance Metrics
Dashboard expressing log review posture — completion rates, automated triage coverage, and mean time to review
Log Review Procedures
How regular log reviews are conducted — frequency, scope, and escalation criteria for events requiring human review
Programmatic Queries
CLI Commands
splunk search 'index=main (sourcetype=syslog OR sourcetype=wineventlog) | stats count by sourcetype host | sort -count' -earliest_time -24h
splunk search 'index=main tag=authentication | stats count by action user src | sort -count | head 50' -earliest_time -24h
20x Assessment Focus Areas
Aligned with FedRAMP 20x Phase Two assessment methodology
Completeness & Coverage:
- Does log review and auditing cover all log types — security events, access logs, change logs, error logs, and administrative action logs?
- Are there log sources that are ingested but not subject to regular review or automated analysis, and how are those gaps tracked?
- How do you ensure log review depth is appropriate — are high-value logs (privileged access, security events) reviewed more thoroughly than routine operational logs?
- How do you ensure log review covers both automated detection (SIEM correlation rules, anomaly detection) and human analysis of events that automated tools may miss?
Automation & Validation:
- What automated detection rules (correlation rules, anomaly detection, ML-based analysis) identify concerning patterns in logs before human review?
- How do you validate that automated log analysis rules are effective — do you test with simulated attacks or known-bad patterns?
- What happens when automated analysis flags an anomaly — is it automatically escalated for investigation, and what is the response SLA?
- How do you detect when automated log analysis stops working — for example, when a correlation rule is disabled or a data source is misconfigured?
Inventory & Integration:
- What SIEM capabilities, log analysis tools, or SOC services support persistent log review?
- How do log review findings integrate with your incident response workflow to ensure anomalies become investigated incidents?
- Are log review and audit schedules defined per log type and sensitivity, with clear accountability for each?
- How do alert triage and investigation findings feed back into detection rule tuning and log analysis improvement?
Continuous Evidence & Schedules:
- How do you demonstrate that log reviews and audits occur persistently rather than only when triggered by incidents?
- Is log review activity data (reviews conducted, anomalies found, investigations opened) available via API or dashboard?
- What evidence shows that findings from log reviews led to security improvements or incident detection?
- How do you measure log review effectiveness — for example, tracking whether past incidents could have been detected earlier through log review?
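As an added example (not from this page, FedRAMP, or any Trust Center product), the Python below computes the dashboard indicators named under Log Review Compliance Metrics (completion rate, automated triage coverage, mean time to review, SLA breaches) and, for the focus-area question on detecting when automated analysis stops working, flags expected log sources that are absent from the output of the `stats count by sourcetype host` search. The alert records, the 60-minute SLA and the source inventory are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample (not from the page): alerts raised by automated analysis,
# when each was triaged ("reviewed": None = still open) and whether a SOAR
# playbook or a human analyst performed the triage.
ALERTS = [
    {"id": "a1", "raised": "2024-05-01T08:00:00", "reviewed": "2024-05-01T08:05:00", "by": "soar"},
    {"id": "a2", "raised": "2024-05-01T09:00:00", "reviewed": "2024-05-01T09:30:00", "by": "analyst"},
    {"id": "a3", "raised": "2024-05-01T10:00:00", "reviewed": "2024-05-01T10:10:00", "by": "soar"},
    {"id": "a4", "raised": "2024-05-01T11:00:00", "reviewed": None, "by": None},
    {"id": "a5", "raised": "2024-05-01T12:45:00", "reviewed": None, "by": None},
]
REVIEW_SLA = timedelta(minutes=60)  # assumed escalation SLA for unreviewed alerts

# Constructed rows shaped like the `stats count by sourcetype host` output,
# plus the inventory of (sourcetype, host) pairs expected to report every day.
OBSERVED = [("syslog", "web-1", 1200), ("wineventlog", "dc-1", 400)]
EXPECTED = {("syslog", "web-1"), ("syslog", "web-2"),
            ("wineventlog", "dc-1"), ("wineventlog", "dc-2")}


def review_metrics(alerts, now_iso):
    """Dashboard indicators: completion rate, automated triage coverage,
    mean time to review (minutes) and alert ids that have breached the SLA."""
    now = datetime.fromisoformat(now_iso)
    reviewed = [a for a in alerts if a["reviewed"]]
    automated = [a for a in reviewed if a["by"] == "soar"]
    waits = [(datetime.fromisoformat(a["reviewed"]) - datetime.fromisoformat(a["raised"]))
             .total_seconds() / 60 for a in reviewed]
    overdue = [a["id"] for a in alerts
               if not a["reviewed"] and now - datetime.fromisoformat(a["raised"]) > REVIEW_SLA]
    return {
        "completion_rate": len(reviewed) / len(alerts),
        "automated_triage_coverage": len(automated) / len(alerts),
        "mean_time_to_review_min": sum(waits) / len(waits) if waits else None,
        "overdue": overdue,
    }


def silent_sources(observed, expected):
    """Expected (sourcetype, host) pairs with no events in the window: a
    misconfigured forwarder or disabled input leaves correlation rules blind."""
    seen = {(st, host) for st, host, count in observed if count > 0}
    return sorted(expected - seen)


if __name__ == "__main__":
    print(review_metrics(ALERTS, "2024-05-01T13:00:00"))
    print(silent_sources(OBSERVED, EXPECTED))
```

In practice the `OBSERVED` rows come from the scheduled search and `EXPECTED` from the asset or forwarder inventory, so a non-empty `silent_sources` result is itself an alert to triage.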