title: ISO 27001 A.12.4 - Event Logging and Monitoring
id: GENERATE-NEW-UUID
status: stable
description: |
  Implements ISO/IEC 27001:2013 Annex A.12.4 event logging requirements.
  Monitors user activities, exceptions, faults, and security events as required by A.12.4.1 (Event logging).
references:
  - https://www.iso.org/standard/54534.html
author: Your Name
date: 2024/01/20
modified: 2024/01/20
tags:
  - iso27001.a.12.4.1  # Event logging
  - iso27001.a.12.4.3  # Administrator and operator logs
  - iso27001.a.9.2.1   # User registration and de-registration
logsource:
  category: authentication
  product: windows
detection:
  selection_user_activity:
    EventID:
      - 4624  # User logons
      - 4625  # Failed logons
      - 4634  # Logoffs
  selection_admin_activity:
    EventID:
      - 4624  # Successful logon
    TargetUserName|contains:
      - 'admin'
      - 'Administrator'
      - 'root'
  selection_account_mgmt:
    EventID:
      - 4720  # User account created
      - 4726  # User account deleted
      - 4738  # User account changed
  condition: selection_user_activity or selection_admin_activity or selection_account_mgmt
falsepositives:
  - None - required logging per ISO 27001
level: informational
fields:
  - UserID
  - DateTime
  - EventType
  - SystemActivity
  - DeviceIdentity
  - Location
  - Outcome

# ISO 27001:2013 Annex A.12.4 - Logging and Monitoring
#
# A.12.4.1 Event logging
# Event logs shall record:
#   - User IDs
#   - System activities
#   - Dates, times and details of key events (e.g. log-on, log-off)
#   - Device identity or location if possible
#   - Records of successful and rejected system access attempts
#   - Records of successful and rejected data and other resource access attempts
#   - Changes to system configuration
#   - Use of privileges
#   - Use of system utilities and applications
#   - Files accessed and the kind of access
#   - Network addresses and protocols
#   - Alarms raised by the access control system
#   - Activation and de-activation of protection systems
#
# A.12.4.2 Protection of log information
# Detection for unauthorized log access/modification:
#   logsource:
#     category: file_event
#   detection:
#     selection:
#       TargetFilename|contains: '\Logs\'
#       EventType: 'Delete'
#   tags:
#     - iso27001.a.12.4.2
#
# A.12.4.3 Administrator and operator logs
# System administrator and operator activities shall be logged:
#   logsource:
#     category: process_creation
#   detection:
#     selection:
#       User|contains:
#         - 'admin'
#         - 'root'
#   tags:
#     - iso27001.a.12.4.3
#
# A.9.2.1 User registration and de-registration
#   logsource:
#     category: authentication
#   detection:
#     selection:
#       EventID:
#         - 4720  # Account created
#         - 4726  # Account deleted
#   tags:
#     - iso27001.a.9.2.1
#
# A.9.4.1 Information access restriction
#   logsource:
#     category: file_event
#   detection:
#     selection:
#       TargetFilename|contains: '\Confidential\'
#   tags:
#     - iso27001.a.9.4.1
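The following is an added example, not part of the Sigma rule above and not code from the Sigma project: a small Python evaluator for the rule's three selections and its OR condition, run over constructed Windows Security event records so that each event is reported with the selection(s) it hits. It assumes events are dictionaries keyed by the Sigma field names the rule uses (EventID, TargetUserName), and it implements the `|contains` modifier as a case-insensitive substring match, which is the Sigma specification's default for string matching; both of those are my assumptions, not statements from the rule.

```python
# Added example (not part of the Sigma rule above and not from the Sigma project):
# a small evaluator for the rule's three selections and its OR condition, run over
# constructed Windows Security event records to show which selection each event hits.
#
# Assumptions (mine, not the rule's): events are dicts keyed by the Sigma field
# names the rule uses (EventID, TargetUserName); Sigma's `contains` modifier is
# implemented as a case-insensitive substring match, the Sigma specification's
# default for string matching.
from typing import Any, Dict, Iterable, List, Tuple

# Selections transcribed from the rule's detection block.
USER_ACTIVITY_IDS = {4624, 4625, 4634}                      # logon, failed logon, logoff
ADMIN_LOGON_IDS = {4624}                                     # successful logon ...
ADMIN_NAME_FRAGMENTS = ("admin", "Administrator", "root")    # ... to an admin-like account
ACCOUNT_MGMT_IDS = {4720, 4726, 4738}                        # account created / deleted / changed


def _event_id(event: Dict[str, Any]):
    """Normalise EventID: some exports carry it as a string ('4624') rather than an int."""
    try:
        return int(event.get("EventID"))
    except (TypeError, ValueError):
        return None


def _contains_any(value: Any, fragments: Iterable[str]) -> bool:
    """Sigma `|contains` over a list: true if any fragment is a substring (case-insensitive)."""
    haystack = str(value).lower()
    return any(f.lower() in haystack for f in fragments)


def matched_selections(event: Dict[str, Any]) -> List[str]:
    """Names of the rule's selections that this event satisfies, in rule order."""
    eid = _event_id(event)
    if eid is None:
        return []
    hits: List[str] = []
    if eid in USER_ACTIVITY_IDS:
        hits.append("selection_user_activity")
    if eid in ADMIN_LOGON_IDS and _contains_any(event.get("TargetUserName", ""), ADMIN_NAME_FRAGMENTS):
        hits.append("selection_admin_activity")
    if eid in ACCOUNT_MGMT_IDS:
        hits.append("selection_account_mgmt")
    return hits


def rule_matches(event: Dict[str, Any]) -> bool:
    """The rule's condition: the three selections are OR'ed, so any hit fires the rule."""
    return bool(matched_selections(event))


def evaluate(events: Iterable[Dict[str, Any]]) -> List[Tuple[Dict[str, Any], List[str]]]:
    """Return (event, matched selections) for every event the rule fires on."""
    results: List[Tuple[Dict[str, Any], List[str]]] = []
    for event in events:
        hits = matched_selections(event)
        if hits:
            results.append((event, hits))
    return results


# Constructed sample records (not real logs); field names follow the Windows
# Security log fields the rule references.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "jdoe", "LogonType": 2},
    {"EventID": 4624, "TargetUserName": "SVC-ADMIN", "LogonType": 3},
    {"EventID": 4625, "TargetUserName": "jdoe", "Status": "0xC000006D"},
    {"EventID": 4720, "TargetUserName": "contractor01", "SubjectUserName": "helpdesk"},
    {"EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\cmd.exe"},  # outside this rule's logsource
    {"EventID": "4634", "TargetUserName": "jdoe"},                            # EventID exported as a string
]

if __name__ == "__main__":
    for event, hits in evaluate(SAMPLE_EVENTS):
        print(event["EventID"], event.get("TargetUserName", "-"), "->", ", ".join(hits))
```

Reporting per selection rather than a single true/false makes two properties of the rule visible: because 4624 appears in both selection_user_activity and selection_admin_activity and the condition ORs them, the admin selection never fires on an event the user-activity selection has not already matched, so anyone who needs administrator logons separated out (A.12.4.3) must tag or route on the selection name, not on the rule firing; and the 4688 process-creation record is not matched at all, since it belongs to a different logsource category, which is what the commented A.12.4.3 sketch above is for.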