NIST 800-53 REV 5 • AUDIT AND ACCOUNTABILITY
AU-2(3) — Reviews and Updates
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Practitioner Notes
Periodically review your audit event selections and update them based on new threats, incidents, or changes to your environment. What you needed to log last year may not be enough this year.
Example 1: Include audit event selection in your annual security review. After any security incident, ask: "Did our logging capture enough to investigate this?" If not, add the missing event categories. Document the rationale for each change.
Example 2: Review CISA advisories and MITRE ATT&CK technique updates quarterly. If a new attack technique becomes prevalent (e.g., a new lateral movement method), verify your logging captures the relevant events. For example, if Kerberoasting is trending, ensure you are logging Event ID 4769 (Kerberos Service Ticket Operations).
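One way to carry out the Event ID 4769 check from Example 2 during a quarterly review, as an added example that is not part of the original page: it confirms on a domain controller that the audit subcategory is enabled and that events are actually reaching the Security log. It assumes an elevated session on an English-language OS; `$LookbackHours` and the output field names are illustrative.

```powershell
# Added example: review check for Kerberos service ticket auditing (Event ID 4769).
# Assumptions: run elevated on a domain controller; English subcategory names
# (auditpol localizes them); $LookbackHours is an illustrative review window.
$Subcategory   = 'Kerberos Service Ticket Operations'
$EventId       = 4769
$LookbackHours = 24

# 1. Is the subcategory configured? /r returns CSV with an "Inclusion Setting"
#    column whose value is Success, Failure, Success and Failure, or No Auditing.
$policy = auditpol /get /subcategory:"$Subcategory" /r |
    Where-Object { $_ } |          # drop blank lines before CSV parsing
    ConvertFrom-Csv
$setting  = $policy.'Inclusion Setting'
$policyOk = $setting -match 'Success'   # 4769 ticket requests need Success auditing

# 2. Is the event actually being written? A configured policy with an empty
#    log usually means the setting is overridden or the log is rolling over.
$since  = (Get-Date).AddHours(-$LookbackHours)
$latest = Get-WinEvent -FilterHashtable @{
              LogName   = 'Security'
              Id        = $EventId
              StartTime = $since
          } -MaxEvents 1 -ErrorAction SilentlyContinue

# 3. Emit one record that can be filed with the review documentation.
[pscustomobject]@{
    ReviewedOn       = Get-Date -Format 'yyyy-MM-dd'
    Computer         = $env:COMPUTERNAME
    Subcategory      = $Subcategory
    InclusionSetting = $setting
    PolicyEnabled    = [bool]$policyOk
    EventSeen        = [bool]$latest
    LatestEventTime  = if ($latest) { $latest.TimeCreated } else { $null }
    Gap              = -not ($policyOk -and $latest)
}
```

A `Gap` value of `True` is the finding to record, together with the rationale for whatever change follows.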