NIST 800-53 REV 5 • AUDIT AND ACCOUNTABILITY
AU-6(10) — Audit Level Adjustment
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Practitioner Notes
Adjust your audit logging level in response to changes in risk. When the threat level increases, log more. When an investigation is underway, increase logging on the relevant systems.
Example 1: Prepare a heightened logging GPO that enables additional audit categories (detailed file access tracking, registry auditing, process tracking). During an incident or elevated threat period, link this GPO to the affected OUs. Remove it once the situation normalizes. Keep the GPO ready to deploy at all times.
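One way to script the link and removal steps from Example 1, as an added example that is not part of the original page. The GPO name and OU distinguished names are hypothetical, and the GPO is assumed to already exist with its additional audit categories configured.

```powershell
#Requires -Modules GroupPolicy
# Added example. GPO name and OU distinguished names are hypothetical.
function Set-HeightenedAudit {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateSet('Enable', 'Disable')][string]$Mode,
        [Parameter(Mandatory)][string[]]$TargetOU,
        [string]$GpoName = 'Audit - Heightened Logging'   # assumed pre-staged GPO
    )

    # Stop immediately if the GPO was never staged; there is nothing to deploy.
    $gpo = Get-GPO -Name $GpoName -ErrorAction Stop

    foreach ($ou in $TargetOU) {
        # Look up any existing link so the function is safe to re-run.
        $link = (Get-GPInheritance -Target $ou -ErrorAction Stop).GpoLinks |
            Where-Object { $_.GpoId -eq $gpo.Id }
        $action = 'NoChange'

        if ($Mode -eq 'Enable' -and -not $link) {
            if ($PSCmdlet.ShouldProcess($ou, "Link '$GpoName'")) {
                New-GPLink -Guid $gpo.Id -Target $ou -LinkEnabled Yes | Out-Null
                $action = 'Linked'
            }
        }
        elseif ($Mode -eq 'Enable' -and -not $link.Enabled) {
            # Link exists but was left disabled; turn it back on.
            if ($PSCmdlet.ShouldProcess($ou, "Enable link '$GpoName'")) {
                Set-GPLink -Guid $gpo.Id -Target $ou -LinkEnabled Yes | Out-Null
                $action = 'LinkEnabled'
            }
        }
        elseif ($Mode -eq 'Disable' -and $link) {
            if ($PSCmdlet.ShouldProcess($ou, "Unlink '$GpoName'")) {
                Remove-GPLink -Guid $gpo.Id -Target $ou | Out-Null
                $action = 'Unlinked'
            }
        }

        # One record per OU, suitable for the incident timeline or change log.
        [pscustomobject]@{
            TimeUtc = (Get-Date).ToUniversalTime().ToString('o')
            OU      = $ou
            Gpo     = $GpoName
            Mode    = $Mode
            Action  = $action
        }
    }
}

# Dry run first, then apply (constructed OU path):
# Set-HeightenedAudit -Mode Enable -TargetOU 'OU=Finance,DC=example,DC=com' -WhatIf
```

Clients apply the change at their next Group Policy refresh. Keep the returned records so the start and end of the heightened logging period are documented.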
Example 2: In your SIEM, create a saved query set for incident investigation mode that collects more granular data from specific sources. For example, during an investigation, enable full packet capture on the affected network segment using your network TAP and Zeek/Suricata rather than relying solely on flow data.