NIST 800-53 REV 5 • AUDIT AND ACCOUNTABILITY

AU-3(1) Additional Audit Information

Generate audit records containing the following additional information: {{ insert: param, au-03.01_odp }}.

CMMC Practice Mapping

NIST 800-171 Mapping

Related Controls

No related controls listed

Supplemental Guidance

The ability to add information generated in audit records is dependent on system functionality to configure the audit record content. Organizations may consider additional information in audit records including, but not limited to, access control or flow control rules invoked and individual identities of group account users. Organizations may also consider limiting additional audit record information to only information that is explicitly needed for audit requirements. This facilitates the use of audit trails and audit logs by not including information in audit records that could potentially be misleading, make it more difficult to locate information of interest, or increase the risk to individuals' privacy.

Practitioner Notes

Beyond the basics, capture additional information that helps with forensic analysis — things like the full command line, file paths, or process IDs.

Example 1: Enable command-line process auditing in Windows via GPO at Computer Configuration → Administrative Templates → System → Audit Process Creation → "Include command line in process creation events". This adds the full command line to Event ID 4688, which is invaluable for detecting fileless malware and PowerShell attacks.

Example 2: Enable PowerShell script block logging via GPO at Computer Configuration → Administrative Templates → Windows Components → Windows PowerShell → "Turn on Script Block Logging". This captures the actual content of PowerShell scripts that execute, even if they are obfuscated or encoded. Forward Event ID 4104 to your SIEM.
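The following is an added PowerShell script, not part of NIST 800-53 or this page, that applies the two settings from Examples 1 and 2 through their registry-backed policy values (the keys the GPO entries above write to; on a domain-joined host the GPO will overwrite them at the next refresh) and then checks that recent audit records actually carry the extra fields. It assumes an elevated session and that the Process Creation audit subcategory may still need to be enabled, since Event ID 4688 is not generated otherwise.

```powershell
# Added example (not from NIST or this page): enable command-line capture in 4688
# and script block logging (4104), then verify both show up in the event logs.
# Run in an elevated PowerShell session.

$cmdLinePolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
$sblPolicy     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'

function Enable-AdditionalAuditInfo {
    # Example 1: include the full command line in Event ID 4688
    New-Item -Path $cmdLinePolicy -Force | Out-Null
    Set-ItemProperty -Path $cmdLinePolicy -Name 'ProcessCreationIncludeCmdLine_Enabled' -Type DWord -Value 1
    # 4688 is only written when the Process Creation subcategory is audited
    auditpol.exe /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null

    # Example 2: capture script content as Event ID 4104
    New-Item -Path $sblPolicy -Force | Out-Null
    Set-ItemProperty -Path $sblPolicy -Name 'EnableScriptBlockLogging' -Type DWord -Value 1
}

function Test-AdditionalAuditInfo {
    # Inspect the newest 4688 records and count those with a populated CommandLine field
    $procEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } `
        -MaxEvents 20 -ErrorAction SilentlyContinue
    $withCmdLine = @($procEvents | Where-Object {
        ([xml]$_.ToXml()).Event.EventData.Data |
            Where-Object { $_.Name -eq 'CommandLine' -and -not [string]::IsNullOrWhiteSpace($_.'#text') }
    }).Count

    # Confirm script block records are being written to the PowerShell operational log
    $sblEvents = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
        -MaxEvents 5 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Recent4688            = @($procEvents).Count
        Recent4688WithCmdLine = $withCmdLine   # should be > 0 once the policy is active
        Recent4104            = @($sblEvents).Count
    }
}

Enable-AdditionalAuditInfo
# Spawn a harmless process so the check has a fresh 4688 record to inspect
Start-Process -FilePath 'cmd.exe' -ArgumentList '/c', 'whoami' -Wait -WindowStyle Hidden
Test-AdditionalAuditInfo | Format-List
```

Running this script itself produces 4104 records, so a non-zero Recent4104 right after enabling the policy is expected; forward both event IDs to the SIEM as the notes above describe.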