Hi Amy,
If the auditors did not specify their requirements, then you can list all the rules, log sources and log source types to tell them what logs are being monitored.
1) First, tell them the number of log sources you are receiving or collecting logs from.
2) Then show the types of log sources you are collecting logs from, like IDS/IPS/firewall, etc.
3) Then tell them what you are monitoring in those logs, which means the rules.
Example:
1) You have a rule to monitor disabled accounts or admin accounts in Windows, or root accounts in Unix.
2) If you have a rule for failed login attempts.
3) If you have a rule for malicious files found on different endpoints.
You can provide details like this depending upon your environment, and this is only if the auditors do not have any specific requirement.
Otherwise, whatever they ask, we have to provide that.
Regards
Asif Siddiqui
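The three-step evidence outline above (source count, source types, rules and what they match) can be produced mechanically from exported events. The following is an added example, not code from the thread or from any SIEM product: it assumes a constructed `key=value` export format and illustrative rule logic mirroring the three example rules in the reply, and builds an audit summary from them.

```python
from collections import Counter

# Constructed sample events in a simplified key=value form (not real SIEM output).
SAMPLE_EVENTS = [
    "src=windows-dc01 type=windows event_id=4625 user=jsmith msg=failed_logon",
    "src=windows-dc01 type=windows event_id=4625 user=jsmith msg=failed_logon",
    "src=windows-dc01 type=windows event_id=4725 user=contractor7 msg=account_disabled",
    "src=linux-web02 type=unix event_id=sshd user=root msg=accepted_login",
    "src=fw-edge01 type=firewall event_id=deny src_ip=203.0.113.5 msg=blocked",
    "src=ids-core type=ids event_id=alert msg=signature_match",
    "src=epp-server type=endpoint event_id=malware user=bob file=invoice.exe msg=malicious_file",
]

def parse_event(line):
    """Split one constructed 'k=v k=v' line into a dict."""
    return dict(field.split("=", 1) for field in line.split())

# Illustrative rules corresponding to the three examples in the reply.
# Windows event 4625 = failed logon, 4725 = account disabled.
RULES = {
    "Failed login attempts": lambda e: e.get("event_id") == "4625" or e.get("msg") == "failed_logon",
    "Privileged/disabled account activity": lambda e: e.get("user") == "root" or e.get("event_id") == "4725",
    "Malicious file on endpoint": lambda e: e.get("msg") == "malicious_file",
}

def build_evidence(lines):
    """Return the three things an auditor is told: how many sources, of what types, and which rules fired on them."""
    events = [parse_event(l) for l in lines]
    sources = sorted({e["src"] for e in events})
    source_types = Counter(e["type"] for e in events)
    rule_hits = {}
    for name, cond in RULES.items():
        matched = [e for e in events if cond(e)]
        # Record both the hit count and which source types fed the rule.
        rule_hits[name] = {"hits": len(matched), "source_types": sorted({e["type"] for e in matched})}
    return {"source_count": len(sources), "sources": sources,
            "source_types": dict(source_types), "rule_hits": rule_hits}

def render_evidence(summary):
    """Plain-text report suitable for attaching to an audit response."""
    out = [f"Log sources monitored: {summary['source_count']} ({', '.join(summary['sources'])})"]
    out.append("Log source types: " + ", ".join(f"{t}={n}" for t, n in sorted(summary["source_types"].items())))
    for name, info in summary["rule_hits"].items():
        out.append(f"Rule '{name}': {info['hits']} hit(s) from {', '.join(info['source_types']) or 'none'}")
    return "\n".join(out)

if __name__ == "__main__":
    print(render_evidence(build_evidence(SAMPLE_EVENTS)))
```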
Original Message:
Sent: Mon December 02, 2019 12:07 PM
From: Amy Morgan
Subject: What evidence do you provide for "Review SIEM logs" to your auditors?
We have a compliance requirement to show that we are reviewing SIEM logs. There is no guidance from the auditors on what specifically they are looking for in regards to showing that SIEM logs are being reviewed. If you have this requirement as well, what screenshots or other sort of evidence do you provide? Thanks!
------------------------------
Amy Morgan
------------------------------