title: NIST 800-53 AU-2/AU-12 - Audit Event Generation
id: GENERATE-NEW-UUID
status: stable
description: |
  Implements NIST SP 800-53 Rev. 5 audit event generation requirements.
  Monitors security-relevant events as defined in AU-2 (Audit Events) and
  AU-12 (Audit Generation) controls.
references:
  - https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
author: Your Name
date: 2024/01/20
modified: 2024/01/20
tags:
  - nist-800-53.au-2   # Audit Events
  - nist-800-53.au-3   # Content of Audit Records
  - nist-800-53.au-12  # Audit Generation
  - nist-800-53.ac-2   # Account Management
  - nist-800-53.ia-2   # Identification and Authentication
logsource:
  product: windows
  service: security  # Security event log; EventIDs 4624-4738 are written here, not to a generic "authentication" category
detection:
  selection_authentication:
    EventID:
      - 4624  # Successful logon
      - 4625  # Failed logon
      - 4634  # Logoff
      - 4648  # Logon using explicit credentials
  selection_account_mgmt:
    EventID:
      - 4720  # Account created
      - 4722  # Account enabled
      - 4723  # Password change attempted
      - 4724  # Password reset
      - 4725  # Account disabled
      - 4726  # Account deleted
      - 4738  # Account modified
  selection_privilege_use:
    EventID:
      - 4672  # Special privileges assigned
      - 4673  # Sensitive privilege use
      - 4674  # Privileged operation
  condition: selection_authentication or selection_account_mgmt or selection_privilege_use
falsepositives:
  - None - these are required audit events per NIST 800-53
level: low  # Informational logging
fields:
  - EventTime
  - EventType
  - Outcome
  - SubjectIdentity
  - ObjectIdentity
  - SourceAddress

# NIST 800-53 Rev. 5 Audit Requirements:
#
# AU-2: Audit Events
#   - Successful and unsuccessful account logon events
#   - Account management events
#   - Object access
#   - Policy change
#   - Privilege functions
#   - Process tracking
#   - System events
#
# AU-3: Content of Audit Records
#   Required fields in each audit record:
#   - Date and time of the event
#   - Component where the event occurred
#   - Type of event
#   - User/subject identity
#   - Outcome (success/failure)
#
# AU-12: Audit Generation
#   - Provide audit record generation for defined events
#   - Allow authorized users to select events to be audited
#   - Generate audit records for events with the required content
#
# Additional NIST 800-53 Detection Rules (fragments, to be split into
# separate rule files):
#
# SI-4: System Monitoring
#   logsource:
#     category: process_creation
#     product: windows
#   detection:
#     selection:
#       CommandLine|contains:
#         - 'mimikatz'
#         - 'credential dump'
#     condition: selection
#   tags:
#     - nist-800-53.si-4
#
# AC-6: Least Privilege
#   logsource:
#     product: windows
#     service: security
#   detection:
#     selection:
#       EventID: 4672  # Special privileges assigned
#       PrivilegeList|contains: 'SeDebugPrivilege'
#     condition: selection
#   tags:
#     - nist-800-53.ac-6
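The rule above is a static definition, so it is easy to lose sight of what its three selections and the `or` condition actually do to a stream of records, and whether the records that match carry the AU-3 content the `fields` list calls for. The following Python is an added example, not part of the rule file or of any Sigma tooling. It implements only the subset of Sigma semantics this rule and its commented AC-6 fragment use (equality against a scalar or a list of values, the `|contains` modifier, and an OR over named selections), runs it over a handful of constructed, already-normalised event records, and reports which selections fired and which matched records lack AU-3 content. The mapping of raw Windows Security event fields onto names such as `SubjectIdentity` is an assumption of the example; real events would need a normalisation step the rule does not define.

```python
"""Evaluate the rule's selections and condition against constructed events.

Added example, not part of the Sigma rule file. It implements only the subset
of Sigma semantics the rule and its commented AC-6 fragment use (equality
against a scalar or list of values, the '|contains' modifier, and an OR over
named selections), then checks each matched record for the AU-3 content the
rule's 'fields' list expects. The events are constructed, already-normalised
samples; the mapping of Windows Security event fields onto names such as
SubjectIdentity is assumed, not taken from the rule.
"""

# Selections copied from the rule's detection block.
RULE = {
    "selection_authentication": {"EventID": [4624, 4625, 4634, 4648]},
    "selection_account_mgmt": {"EventID": [4720, 4722, 4723, 4724, 4725, 4726, 4738]},
    "selection_privilege_use": {"EventID": [4672, 4673, 4674]},
}
# 'condition: a or b or c' -> any listed selection may fire.
CONDITION = list(RULE)

# The AC-6 (Least Privilege) fragment from the rule file's trailing comments.
AC6_SELECTION = {"EventID": 4672, "PrivilegeList|contains": "SeDebugPrivilege"}

# AU-3 content every matched record must carry. Assumption: ObjectIdentity and
# SourceAddress from the rule's 'fields' list are optional, since not every
# event type has an object or a network source.
AU3_REQUIRED = ("EventTime", "EventType", "Outcome", "SubjectIdentity")


def field_matches(event: dict, key: str, expected) -> bool:
    """Apply one Sigma field test: 'Field' (equals any) or 'Field|contains'."""
    name, _, modifier = key.partition("|")
    if name not in event:
        return False  # an absent field never satisfies a test
    value = event[name]
    alternatives = expected if isinstance(expected, list) else [expected]
    if modifier == "":
        return any(value == alt for alt in alternatives)
    if modifier == "contains":  # Sigma string matching is case-insensitive
        return any(str(alt).lower() in str(value).lower() for alt in alternatives)
    raise ValueError(f"unsupported Sigma modifier: {modifier}")


def selection_matches(event: dict, selection: dict) -> bool:
    """A Sigma map selection is an AND over its field tests."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def evaluate(events: list[dict]) -> list[dict]:
    """Per event: which rule selections fired, whether the AC-6 fragment
    fired, and which AU-3 fields a matched record lacks."""
    results = []
    for ev in events:
        fired = [n for n in CONDITION if selection_matches(ev, RULE[n])]
        results.append({
            "EventID": ev.get("EventID"),
            "selections": fired,
            "ac6": selection_matches(ev, AC6_SELECTION),
            "missing_au3": [f for f in AU3_REQUIRED if not ev.get(f)] if fired else [],
        })
    return results


def summarize(results: list[dict]) -> dict:
    """Counts a reviewer would report: matches, AC-6 hits, AU-3 content gaps."""
    return {
        "matched": sum(1 for r in results if r["selections"]),
        "ac6": sum(1 for r in results if r["ac6"]),
        "au3_gaps": sum(1 for r in results if r["missing_au3"]),
    }


# Constructed sample records (not real log data), normalised to the rule's
# field names. The 4688 record is outside the rule's EventID lists; the 4634
# record is missing SubjectIdentity and so fails the AU-3 content check.
SAMPLE_EVENTS = [
    {"EventID": 4624, "EventTime": "2024-01-20T08:00:00Z", "EventType": "Logon",
     "Outcome": "Success", "SubjectIdentity": "CORP\\alice", "SourceAddress": "10.0.0.5"},
    {"EventID": 4625, "EventTime": "2024-01-20T08:00:05Z", "EventType": "Logon",
     "Outcome": "Failure", "SubjectIdentity": "CORP\\alice", "SourceAddress": "10.0.0.5"},
    {"EventID": 4720, "EventTime": "2024-01-20T08:10:00Z", "EventType": "AccountManagement",
     "Outcome": "Success", "SubjectIdentity": "CORP\\admin", "ObjectIdentity": "CORP\\svc-backup"},
    {"EventID": 4672, "EventTime": "2024-01-20T08:11:00Z", "EventType": "PrivilegeUse",
     "Outcome": "Success", "SubjectIdentity": "CORP\\admin",
     "PrivilegeList": "SeDebugPrivilege\nSeTcbPrivilege"},
    {"EventID": 4688, "EventTime": "2024-01-20T08:12:00Z", "EventType": "ProcessCreation",
     "Outcome": "Success", "SubjectIdentity": "CORP\\alice"},
    {"EventID": 4634, "EventTime": "2024-01-20T09:00:00Z", "EventType": "Logoff",
     "Outcome": "Success"},
]

if __name__ == "__main__":
    for r in evaluate(SAMPLE_EVENTS):
        print(r)
    print(summarize(evaluate(SAMPLE_EVENTS)))
```

The `missing_au3` check is the part worth keeping around: AU-2/AU-12 say which events must be generated, but AU-3 says what each record must contain, and a collector that emits a 4634 with no subject identity satisfies the first and silently fails the second. Running a check like this over a sample of real, normalised records is a quick way to find such gaps before an audit does.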