Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.

If a security incident occurs on your systems you will need to investigate it. To effectively investigate a potential incident you will need to review audit logs. This can only be done if your systems are configured to keep important system and security logs. If you are unsure of what to capture you can use DISA STIGs as guidance.

You must ensure that all systems that store, process, or transmit CUI create and retain audit logs. The collected logs must contain enough information to identify and investigate potentially unauthorized activity. You must define the audit logs that your systems will collect. You must define an audit log retention period. You can use our information security policy template to meet this requirement. If you configure your systems in accordance with DISA security technical implementation guides then they will be set up to collect audit logs. For example, the STIG for Windows 10 lists many audit log settings that you can implement on Windows 10.