NIST 800-53 REV 5 • RISK ASSESSMENT

RA-5(8) Review Historic Audit Logs

Review historic audit logs to determine if a vulnerability identified in a [Assignment: organization-defined system] has been previously exploited within an [Assignment: organization-defined time period].

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Reviewing historic audit logs to determine if a recently detected vulnerability in a system has been previously exploited by an adversary can provide important information for forensic analyses. Such analyses can help identify, for example, the extent of a previous intrusion, the trade craft employed during the attack, organizational information exfiltrated or modified, mission or business capabilities affected, and the duration of the attack.

Practitioner Notes

Reviewing historical audit logs as part of your vulnerability assessment helps you understand whether a vulnerability was exploited before it was discovered. The vulnerability might be patched now, but the damage may already be done.

Example 1: When a critical vulnerability is discovered on a system, review audit logs from the period between when the vulnerability was introduced (e.g., when the vulnerable software was installed) and when it was patched. Look for indicators of exploitation — unusual access patterns, unexpected processes, data exfiltration signs.

Example 2: In Microsoft Sentinel, use the Hunting feature to search historical logs for indicators associated with newly discovered CVEs. Microsoft often publishes hunting queries for major vulnerabilities that you can run against your retained log data to determine if you were affected.
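The review described in Example 1, as an added illustration that is not part of this control page: it restricts a set of audit records to the exposure window (from installation of the vulnerable version to the patch) and flags records that match simple exploitation indicators. The log format, the service name `acme-portal`, the window dates, the indicator rules and the 100 MiB transfer threshold are all constructed assumptions for the example.

```python
from datetime import datetime, timezone

# Constructed sample audit log lines (not real data). Format assumed here:
# "<ISO-8601 timestamp> <host> <event_type> key=value ...".
SAMPLE_LOGS = [
    "2024-01-03T09:12:00Z web01 pkg_install name=acme-portal version=2.1.0",
    "2024-01-10T02:14:07Z web01 proc_exec parent=acme-portal cmd=/bin/sh",
    "2024-01-10T02:15:30Z web01 net_out dst=203.0.113.9 bytes=734003200",
    "2024-01-11T14:05:00Z web01 login user=alice src=10.0.0.5",
    "2024-01-20T11:00:00Z web01 pkg_upgrade name=acme-portal version=2.1.1",
    "2024-02-02T03:00:00Z web01 proc_exec parent=acme-portal cmd=/bin/sh",
]

# Assumed exposure window: install of the vulnerable version until the patch.
VULN_INTRODUCED = datetime(2024, 1, 3, 9, 12, tzinfo=timezone.utc)
VULN_PATCHED = datetime(2024, 1, 20, 11, 0, tzinfo=timezone.utc)
EXFIL_BYTES_THRESHOLD = 100 * 1024 * 1024  # constructed threshold: 100 MiB


def parse_line(line):
    """Split one audit line into timestamp, host, event type and key=value fields."""
    ts, host, event, *rest = line.split()
    fields = dict(kv.split("=", 1) for kv in rest)
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return {"ts": when, "host": host, "event": event, **fields}


def indicators_for(rec, vulnerable_service):
    """Return the reasons this record looks like exploitation of the service."""
    reasons = []
    if (rec["event"] == "proc_exec" and rec.get("parent") == vulnerable_service
            and rec.get("cmd", "").endswith("sh")):
        reasons.append("shell spawned by vulnerable service")
    if rec["event"] == "net_out" and int(rec.get("bytes", 0)) >= EXFIL_BYTES_THRESHOLD:
        reasons.append("large outbound transfer")
    return reasons


def review_window(lines, start, end, vulnerable_service):
    """Scan only the exposure window and collect (timestamp, reason) findings."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if not (start <= rec["ts"] <= end):
            continue  # outside the period the control asks us to review
        for reason in indicators_for(rec, vulnerable_service):
            findings.append((rec["ts"].isoformat(), reason))
    return findings


if __name__ == "__main__":
    for when, reason in review_window(SAMPLE_LOGS, VULN_INTRODUCED, VULN_PATCHED, "acme-portal"):
        print(when, reason)
```

Note that the shell execution on 2024-02-02 falls after the patch and is therefore left out of the findings; widening or narrowing the window is how the organization-defined time period in the control shapes what gets reviewed.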