NIST 800-171 • LEVEL 2 • AUDIT AND ACCOUNTABILITY
3.3.2 — Audit Record Content
Include the following content in audit records:
- What type of event occurred
- When the event occurred
- Where the event occurred
- Source of the event
- Outcome of the event
- Identity of the individuals, subjects, objects, or entities associated with the event
Provide additional information for audit records as needed.
CMMC Practice Mapping
NIST 800-53 Controls
Assessment Objectives
- audit records contain information that establishes what type of event occurred.
- audit records contain information that establishes when the event occurred.
- audit records contain information that establishes where the event occurred.
- audit records contain information that establishes the source of the event.
- audit records contain information that establishes the outcome of the event.
- audit records contain information that establishes the identity of the individuals, subjects, objects, or entities associated with the event.
- additional information for audit records is provided, as needed.
Practitioner Notes
It's not enough to just log that something happened — each log entry needs to answer the questions: who did it, what did they do, when did they do it, where did it happen, and did it succeed or fail?
Example 1: In Windows Event Viewer, a properly configured audit log entry (e.g., Event ID 4624 for successful logon) already captures the user account name, the workstation, the timestamp, the logon type, and the source IP address. Verify this is working by running wevtutil qe Security /c:5 /rd:true /f:text on a domain workstation and confirming the log entries contain all required fields.
Example 2: If you use a SIEM like Splunk or Microsoft Sentinel, create a saved search or workbook that validates log completeness. In Sentinel, go to Workbooks → Create → Add Query and query: SecurityEvent | where TimeGenerated > ago(1h) | project TimeGenerated, Account, Computer, Activity, IpAddress, LogonType. If any field is blank, you have a logging configuration gap to fix.
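The field check from Example 1 can be automated. The script below is an added example, not part of the original page: it assumes the events were exported with /f:xml instead of /f:text, and the mapping of each 3.3.2 content element to a 4624 field, the treatment of "-" as blank, and the sample events are all constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
AUDIT_SUCCESS, AUDIT_FAILURE = 0x0020000000000000, 0x0010000000000000

def blank(value):
    # Windows writes "-" when a 4624 field has no value.
    return value is None or value.strip() in ("", "-")

def missing_elements(event):
    """Return the 3.3.2 content elements this event cannot establish."""
    system = event.find("e:System", NS)
    data = {d.get("Name"): d.text for d in event.iterfind("e:EventData/e:Data", NS)}
    created = system.find("e:TimeCreated", NS)
    keywords = int(system.findtext("e:Keywords", None, NS) or "0", 16)
    checks = {  # assumed mapping of control elements to 4624 fields
        "what": not blank(system.findtext("e:EventID", None, NS)),
        "when": created is not None and not blank(created.get("SystemTime")),
        "where": not blank(system.findtext("e:Computer", None, NS)),
        # Either the source address or the source workstation establishes the source.
        "source": not (blank(data.get("IpAddress")) and blank(data.get("WorkstationName"))),
        "outcome": bool(keywords & (AUDIT_SUCCESS | AUDIT_FAILURE)),
        "identity": not blank(data.get("TargetUserName")),
    }
    return [name for name, ok in checks.items() if not ok]

def audit(xml_text):
    """Map event index -> missing elements, for incomplete events only."""
    # wevtutil emits bare <Event> elements with no root, so wrap them first.
    root = ET.fromstring("<Events>" + xml_text + "</Events>")
    return {i: m for i, ev in enumerate(root.iterfind("e:Event", NS))
            if (m := missing_elements(ev))}

# Constructed sample events (not real log data).
_EVT = ("<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System>"
        "<EventID>4624</EventID><TimeCreated SystemTime='2024-05-01T12:00:00.000Z'/>"
        "<Keywords>0x8020000000000000</Keywords><Computer>WS01.example.test</Computer>"
        "</System><EventData><Data Name='TargetUserName'>{user}</Data>"
        "<Data Name='LogonType'>3</Data><Data Name='WorkstationName'>{ws}</Data>"
        "<Data Name='IpAddress'>{ip}</Data></EventData></Event>")
SAMPLE = (_EVT.format(user="jdoe", ws="WS02", ip="192.0.2.10")
          + _EVT.format(user="jdoe", ws="-", ip="-")
          + _EVT.format(user="", ws="WS02", ip="-"))

if __name__ == "__main__":
    print(audit(SAMPLE))
```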