https://cooey.wiki/index.php?action=history&feed=atom&title=SPA_Objectives_-_SIEM_ToolSPA Objectives - SIEM Tool - Revision history2026-05-01T08:37:32ZRevision history for this page on the wikiMediaWiki 1.42.3https://cooey.wiki/index.php?title=SPA_Objectives_-_SIEM_Tool&diff=146&oldid=prevLiatris: Created page with "== When is a SIEM an SPA? == A SIEM is an SPA when it ingests/aggregates logs from one or more CUI assets. == Assessment Objectives to Assess == AU.L2-3.3.1 - SYSTEM AUDITING [c,d,f] * A SIEM will shows audit records are created, contain the defined content, and are retained as defined. AU.L2-3.3.2 - USER ACCOUNTABILITY [b] * The SIEM will show that audit records contain the defined content necessary to trace users to their actions. AU.L2-3.3.4 - AUDIT FAILURE ALERT..."2025-09-25T13:30:54Z<p>Created page with "== When is a SIEM an SPA? == A SIEM is an SPA when it ingests/aggregates logs from one or more CUI assets. == Assessment Objectives to Assess == AU.L2-3.3.1 - SYSTEM AUDITING [c,d,f] * A SIEM will shows audit records are created, contain the defined content, and are retained as defined. AU.L2-3.3.2 - USER ACCOUNTABILITY [b] * The SIEM will show that audit records contain the defined content necessary to trace users to their actions. AU.L2-3.3.4 - AUDIT FAILURE ALERT..."</p>
<p><b>New page</b></p><div>== When is a SIEM an SPA? ==<br />
A SIEM is an SPA when it ingests/aggregates logs from one or more CUI assets.<br />
<br />
== Assessment Objectives to Assess ==<br />
AU.L2-3.3.1 - SYSTEM AUDITING [c,d,f]<br />
<br />
* A SIEM will shows audit records are created, contain the defined content, and are retained as defined.<br />
<br />
AU.L2-3.3.2 - USER ACCOUNTABILITY [b]<br />
<br />
* The SIEM will show that audit records contain the defined content necessary to trace users to their actions.<br />
<br />
AU.L2-3.3.4 - AUDIT FAILURE ALERTING [c]<br />
<br />
* A SIEM may be able to show that identified personnel/roles are alerted in an audit logging process failure.<br />
<br />
AU.L2-3.3.5 - AUDIT CORRELATION [b]<br />
<br />
* A SIEM can help show review, analysis, and reporting processes are correlated.<br />
<br />
AU.L2-3.3.6 - REDUCTION & REPORTING [a,b]<br />
<br />
* A SIEM can be used to show on-demand analysis and reporting of audit logs<br />
<br />
AU.L2-3.3.8 - AUDIT PROTECTION [a-f]<br />
<br />
* The SIEM will show how audit information and tools are protected from unauthorized access, modification, and deletion.<br />
<br />
AU.L2-3.3.9 - AUDIT MANAGEMENT [b]<br />
<br />
* The SIEM would need to be shown to demonstrate that a subset of users have access to manage the SIEM.<br />
<br />
IR.L2-3.6.1 - INCIDENT HANDLING [c,d]<br />
<br />
* A SIEM will likely help support detection and analysis during an incident.<br />
<br />
SI.L2-3.14.6 - MONITOR COMMUNICATIONS FOR ATTACKS [a,b,c]<br />
<br />
* A SIEM can show that the system, inbound traffic, and outbound traffic are monitored to detect attacks.<br />
<br />
SI.L2-3.14.7 - IDENTIFY UNAUTHORIZED USE [b]<br />
<br />
* A SIEM will likely show that unauthorized use is identified.<br />
<br />
<br />
<br />
== Assessment Objectives that won't likely be Assessed ==<br />
AU.L2-3.3.3 - EVENT REVIEW<br />
<br />
* A SIEM will likely not contain evidence that event types to be logged are reviewed and updated.<br />
<br />
AU.L2-3.3.7 - AUTHORITATIVE TIME SOURCE<br />
<br />
* No AOs require a SIEM to demonstrate that an authoritative time source is selected and used.</div>Liatris