NIST 800-53 REV 5 • AUDIT AND ACCOUNTABILITY
AU-6 — Audit Record Review, Analysis, and Reporting
a. Review and analyze system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity] and the potential impact of the inappropriate or unusual activity;
b. Report findings to [Assignment: organization-defined personnel or roles]; and
c. Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.
Supplemental Guidance
Audit record review, analysis, and reporting covers information security- and privacy-related logging performed by organizations, including logging that results from the monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and non-local maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at system interfaces, and use of mobile code or Voice over Internet Protocol (VoIP). Findings can be reported to organizational entities that include the incident response team, help desk, and security or privacy offices. If organizations are prohibited from reviewing and analyzing audit records or unable to conduct such activities, the review or analysis may be carried out by other organizations granted such authority. The frequency, scope, and/or depth of the audit record review, analysis, and reporting may be adjusted to meet organizational needs based on new information received.
Practitioner Notes
Having logs is pointless if nobody looks at them. This control requires that audit records are reviewed and analyzed at a defined frequency, that findings are reported to defined personnel or roles, and that the depth and frequency of review increase when credible information (law enforcement, threat intelligence, a vendor advisory) raises the risk level. Someone must be reading the logs, acting on what they find, and leaving evidence that the review happened.
Example 1: Assign a security analyst to review SIEM dashboards and alerts daily. Use a fixed checklist: failed logon spikes against a known baseline, newly created accounts placed in administrative groups, privileged access outside business hours, and every SIEM alert raised in the past 24 hours. Record each review (date, reviewer name, findings, and "no findings" when that is the result) in a log review tracker; the tracker is the evidence an assessor will ask for.
Example 2: Generate a weekly audit summary report from the SIEM covering total events, top event types, failed logon trends by day, privileged account activity, and any alerts triggered. Roll the weekly reports up to the ISSO monthly and to leadership quarterly. Splunk dashboards or Sentinel workbooks can automate the report generation, but automation does not replace the review: a named person still reads the report and signs off on it.
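The daily checklist in Example 1 and the weekly summary in Example 2 are simple enough to script, which also makes the review criteria explicit and repeatable. The following is an added example, not part of the control text or of any vendor's tooling: it runs the three daily checks and builds the weekly summary fields over a constructed set of Windows-style security audit records. The event IDs are the standard Windows Security log IDs (4625 failed logon, 4672 special privileges assigned to a new logon, 4720 user account created, 4732 member added to a security-enabled local group); the business-hours window, the failed-logon threshold and the record layout are assumptions to be replaced with your own baseline and your SIEM's export format.

```python
"""Daily review checks (Example 1) and weekly summary (Example 2) over constructed
audit records. Added example; the records, thresholds and field names are assumed."""
from collections import Counter
from datetime import date, datetime, time, timedelta

# Constructed sample records, not real logs. Windows Security event IDs:
# 4625 failed logon, 4672 special privileges assigned, 4720 account created,
# 4732 member added to a security-enabled local group, 4624 successful logon.
SAMPLE_RECORDS = [
    {"ts": "2024-03-11T09:02:11", "event_id": 4672, "account": "admin-jdoe"},
    {"ts": "2024-03-11T23:41:09", "event_id": 4672, "account": "admin-jdoe"},  # after hours
    {"ts": "2024-03-12T10:15:00", "event_id": 4720, "account": "admin-jdoe", "target": "tmp-helpdesk"},
    {"ts": "2024-03-12T10:16:30", "event_id": 4732, "account": "admin-jdoe",
     "target": "tmp-helpdesk", "group": "Administrators"},
    {"ts": "2024-03-13T14:00:00", "event_id": 4624, "account": "alice", "src_ip": "10.0.1.5"},
    {"ts": "2024-03-14T11:30:00", "event_id": 4625, "account": "bob", "src_ip": "10.0.1.9"},  # one typo
] + [
    # 12 failures in 12 minutes from one service account: a spike
    {"ts": f"2024-03-13T03:{m:02d}:00", "event_id": 4625, "account": "svc-backup", "src_ip": "10.0.5.20"}
    for m in range(12)
]

BUSINESS_HOURS = (time(8, 0), time(18, 0))   # assumed local business hours
FAILED_LOGON_THRESHOLD = 10                  # assumed; derive from your own baseline
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins"}


def parse(records):
    """Convert ISO timestamps to datetime and sort chronologically."""
    out = [dict(r, ts=datetime.fromisoformat(r["ts"])) for r in records]
    return sorted(out, key=lambda r: r["ts"])


def daily_review(records, day):
    """Example 1 checklist for one day (ISO date string). Returns a list of findings;
    an empty list is itself a result worth recording in the review tracker."""
    day = date.fromisoformat(day)
    recs = [r for r in parse(records) if r["ts"].date() == day]
    findings = []
    # 1. Failed-logon spikes per account.
    failures = Counter(r["account"] for r in recs if r["event_id"] == 4625)
    for acct, n in failures.items():
        if n >= FAILED_LOGON_THRESHOLD:
            findings.append(f"failed-logon spike: {acct} had {n} failures "
                            f"(threshold {FAILED_LOGON_THRESHOLD})")
    # 2. New admin accounts: created today (4720) and added to a privileged group (4732).
    created = {r["target"] for r in recs if r["event_id"] == 4720}
    for r in recs:
        if r["event_id"] == 4732 and r.get("group") in PRIVILEGED_GROUPS and r["target"] in created:
            findings.append(f"new admin account: {r['target']} created and added to "
                            f"{r['group']} by {r['account']}")
    # 3. Privileged logons outside business hours or on weekends.
    for r in recs:
        if r["event_id"] == 4672:
            t = r["ts"].time()
            if r["ts"].weekday() >= 5 or not (BUSINESS_HOURS[0] <= t < BUSINESS_HOURS[1]):
                findings.append(f"after-hours privileged logon: {r['account']} at {r['ts'].isoformat()}")
    return findings


def weekly_summary(records, week_start):
    """Example 2 report fields for the seven days starting at week_start (ISO date)."""
    start = date.fromisoformat(week_start)
    end = start + timedelta(days=7)
    recs = [r for r in parse(records) if start <= r["ts"].date() < end]
    failed_by_day = Counter(r["ts"].date().isoformat() for r in recs if r["event_id"] == 4625)
    daily_findings = {}
    for i in range(7):
        d = (start + timedelta(days=i)).isoformat()
        f = daily_review(records, d)
        if f:
            daily_findings[d] = f
    return {
        "total_events": len(recs),
        "top_event_types": Counter(r["event_id"] for r in recs).most_common(3),
        "failed_logons_by_day": dict(sorted(failed_by_day.items())),
        "privileged_activity": dict(Counter(r["account"] for r in recs
                                            if r["event_id"] in (4672, 4720, 4732))),
        "daily_findings": daily_findings,
    }


if __name__ == "__main__":
    for k, v in weekly_summary(SAMPLE_RECORDS, "2024-03-11").items():
        print(f"{k}: {v}")
```

Two points the script makes that the prose does not: a spike is only meaningful relative to a threshold you have set from your own baseline (here a constant), and the "new admin account" check correlates two different event types rather than alerting on either alone, which is what keeps the daily checklist from drowning in routine account-creation noise.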