What is an Audit Log

An audit record is the initial recording of an action or occurrence. It is the most primitive form of security data and is usually referred to as audit data. A raw event is the combination of:

  • The action being audited, and
  • The action's metadata, which describes how the record was collected and processed.

At the most basic level, an audited event contains:

  • Actor: The person, process or system that initiated the event.
  • Action: The operation performed by the Actor.
  • Target: The object the action was performed on. If no target is recorded, the target is the actor itself.
  • Result: Whether the action succeeded or failed.
  • Location: The process or system on which the action occurred.
  • Timestamp: Date and time of the event in UTC (GMT), so that records from different systems can be ordered against each other.

Metadata is information added to the record that lies outside what the auditing process itself can see, for instance GeoIP data, file-hash reputation, or the identity of the collecting system.
Audit data is not intended to be an alert. Raw audit data is often indistinguishable from debugging information. When audit data is designed with security in mind, its purpose is the ability to reconstruct events after the fact. That formal use is investigation, not detection.

DoD 5200.28-STD (Orange Book)
Audit, page 17:
The [Trusted Computing Base] TCB shall be able to create, maintain, and protect from modification or unauthorized access or destruction an audit trail of accesses to the objects it protects. The audit data shall be protected by the TCB so that read access to it is limited to those who are authorized for audit data. The TCB shall be able to record the following types of events: use of identification and authentication mechanisms, introduction of objects into a user's address space (e.g., file open, program initiation), deletion of objects, and actions taken by computer operators and system administrators and/or system security officers, and other security relevant events. For each recorded event, the audit record shall identify date and time of the event, user, type of event, and success or failure of the event. For identification/authentication events the origin of request (e.g., terminal ID) shall be included in the audit record. For events that introduce an object into a user's address space and for object deletion events the audit record shall include the name of the object. The ADP system administrator shall be able to selectively audit the actions of any one or more users based on individual identity.

Page 76:
An approved audit trail will permit review of classified system activity and will provide a detailed activity record to facilitate reconstruction of events to determine the magnitude of compromise (if any) should a security malfunction occur.
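The following is an added example, not code from the original page or from the Orange Book. It ties the two parts of the page together: it records the six fields listed above (actor, action, target, result, location, timestamp), keeps enrichment metadata separate from the raw event, chains each record to the previous one with SHA-256 so that modification or removal of an earlier record is detectable (one way of meeting the "protect from modification" requirement quoted above; the chaining scheme is this example's choice, not something the standard prescribes), and shows the investigative use of the trail by reconstructing one actor's activity. The hostnames, usernames, paths and IP addresses are constructed sample data.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # previous-hash value for the first record (assumption of this example)


def make_event(actor, action, result, location, target=None, timestamp=None):
    """Build a raw audit event with the six fields the page lists.

    A missing target defaults to the actor, as the page describes.
    Timestamps are ISO-8601 in UTC so records from different hosts can be ordered.
    """
    if timestamp is None:
        timestamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    return {
        "actor": actor,
        "action": action,
        "target": target if target is not None else actor,
        "result": result,
        "location": location,
        "timestamp": timestamp,
    }


def canonical(event):
    """Deterministic JSON encoding so the same event hashes identically everywhere."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def append(log, event, metadata=None):
    """Append an event to the chained log and return the record's hash.

    Metadata (GeoIP, hash reputation, collector name) is stored beside the event
    but excluded from the chained hash: enrichment is added outside the auditing
    process and may be re-run later without invalidating the raw record.
    """
    prev = log[-1]["hash"] if log else GENESIS
    digest = hashlib.sha256(prev.encode() + canonical(event)).hexdigest()
    log.append({"event": event, "metadata": metadata or {}, "prev": prev, "hash": digest})
    return digest


def verify(log):
    """Walk the chain; return (True, None) or (False, index_of_first_bad_record).

    Catches an edited event, a record whose link does not match its predecessor
    (reordering), and a record removed from the middle of the trail.
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        expected = hashlib.sha256(prev.encode() + canonical(rec["event"])).hexdigest()
        if rec["prev"] != prev or rec["hash"] != expected:
            return False, i
        prev = rec["hash"]
    return True, None


def reconstruct(log, actor):
    """Investigation use: the ordered sequence of (timestamp, action, target, result) for one actor."""
    return [
        (r["event"]["timestamp"], r["event"]["action"], r["event"]["target"], r["event"]["result"])
        for r in log
        if r["event"]["actor"] == actor
    ]


def demo():
    """Build a small constructed trail, then show that tampering and deletion are detected."""
    log = []
    append(log, make_event("alice", "login", "success", "host-a", timestamp="2024-01-01T10:00:00+00:00"),
           metadata={"src_ip": "203.0.113.7", "geoip": "XX", "collector": "syslog-01"})
    append(log, make_event("alice", "file_open", "success", "host-a",
                           target="/etc/shadow", timestamp="2024-01-01T10:00:05+00:00"))
    append(log, make_event("alice", "file_delete", "failure", "host-a",
                           target="/var/log/auth.log", timestamp="2024-01-01T10:00:09+00:00"))
    intact = verify(log)

    # Tampering: someone rewrites the failed deletion as a success after the fact.
    tampered = json.loads(json.dumps(log))
    tampered[2]["event"]["result"] = "success"

    # Destruction: the file_open record is removed from the middle of the trail.
    truncated = log[:1] + log[2:]

    return {
        "intact": intact,
        "tampered": verify(tampered),
        "truncated": verify(truncated),
        "alice": reconstruct(log, "alice"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The chain only covers the raw event, so the metadata column is not integrity-protected by this scheme; if enrichment must also be tamper-evident, fold it into the hashed bytes and accept that re-enrichment then requires a new record rather than an edit. Chaining alone also does not stop an attacker who can rewrite the entire trail from the compromised record onward; anchoring the latest hash somewhere the logging host cannot write (a remote collector, a signed checkpoint) is what turns detection of truncation into detection of rewriting.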