NIST 800-171 • LEVEL 2 • AUDIT AND ACCOUNTABILITY

3.3.6 Audit Record Reduction and Report Generation

Implement an audit record reduction and report generation capability that supports audit record review, analysis, reporting requirements, and after-the-fact investigations of incidents. Preserve the original content and time ordering of audit records.

CMMC Practice Mapping

NIST 800-53 Controls

Assessment Objectives

  • an audit record reduction and report generation capability that supports audit record review is implemented.
  • an audit record reduction and report generation capability that supports audit record analysis is implemented.
  • an audit record reduction and report generation capability that supports audit record reporting requirements is implemented.
  • an audit record reduction and report generation capability that supports after-the-fact investigations of incidents is implemented.
  • the original content of audit records is preserved.
  • the original time ordering of audit records is preserved.

Practitioner Notes

Once a system produces thousands or millions of audit records, you need the ability to filter, sort, correlate, and generate reports from them. You cannot meet this requirement by manually scrolling through raw text files; you need a tool that reduces the noise and surfaces what matters. Two constraints apply to whatever tool you pick: reduction and reporting must operate on copies, queries, or views of the data, never by editing or deleting the stored records, and the records' own event timestamps (not ingest or processing time) must remain available so their original sequence can always be reconstructed for an investigation.

Example 1: In Splunk, create saved searches and dashboards under Search & Reporting → Save As → Dashboard Panel (or Save As → Report) that filter audit data by category: authentication events, file access events, configuration changes, and privileged actions. Schedule these to run daily and deliver a summary PDF to your security team. The original raw events must remain untouched in the index; you are summarizing search results, not editing originals. Keep the retention and delete permissions on the audit indexes restricted so that nobody running reports can also alter or purge the source records, and sort reports on the event's own _time field so the summary reflects the original time ordering.

Example 2: In Microsoft Sentinel, use Hunting → Queries and build KQL queries that reduce large datasets to actionable summaries. For example:

    SecurityEvent | where EventID == 4625 | summarize FailedAttempts=count() by TargetAccount, bin(TimeGenerated, 1h) | where FailedAttempts > 10

This returns one row per account and hour with more than ten failed logons. The query produces a new result set; the underlying SecurityEvent table is not modified, which is what satisfies the preservation objectives. Save such queries as analytics rules so they run on a schedule and generate incidents when thresholds are exceeded, and keep the hunting query itself available so an investigator can re-run it over the retained raw events after the fact.