CIS Control 8 (CIS v8): Audit Log Management
AL, Founder at SQUR · last verified 2026-06-20
Regulation text
Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.
ATT&CK techniques this control helps detect · 15
| Technique | Why it maps | Confidence |
|---|---|---|
| T1190 Exploit Public-Facing Application | 1. Web server, WAF and application logs record exploitation attempts against internet-facing services: malformed requests, bursts of 4xx/5xx errors, payloads in parameters. 2. CIS Control 8 mandates collecting and reviewing logs for attack detection. | 90% |
| T1078 Valid Accounts | 1. Authentication logs (Windows 4624/4625/4648, Linux auth logs, IdP sign-in logs) expose misuse of legitimate accounts: logons at unusual hours, from new hosts, or with explicitly supplied credentials. 2. CIS Control 8 requires collecting and alerting on events for attack detection. | 90% |
| T1547.001 Registry Run Keys / Startup Folder | 1. Registry and file auditing (Windows 4657, Sysmon Event ID 13) reveal writes to Run keys and Startup folders by unexpected processes. 2. CIS Control 8 mandates reviewing logs to understand attacks. | 80% |
| T1068 Exploitation for Privilege Escalation | 1. Process-creation (4688) and special-privilege (4672) events, together with application crash and kernel logs, expose exploitation attempts and the sudden elevation that follows a success. 2. CIS Control 8 requires collecting and reviewing logs for attack detection. | 80% |
| T1070.001 Clear Windows Event Logs | 1. Windows writes Security event 1102 when the Security log is cleared and System event 104 for other logs; because logs are forwarded off-host, clearing the local copy leaves the evidence intact at the collector. 2. CIS Control 8 explicitly requires retaining logs and alerting on events. | 100% |
| T1003.001 LSASS Memory | 1. Process-access auditing (Sysmon Event ID 10, or Windows 4656 with a SACL on lsass.exe) records handles opened to LSASS with memory-read rights by processes that have no business doing so. 2. CIS Control 8 mandates collecting and reviewing logs for attack detection. | 90% |
| T1087.001 Local Account | 1. Command-line logging (4688 with command-line auditing enabled, Sysmon Event ID 1) records enumeration commands such as net user and Get-LocalUser. 2. CIS Control 8 requires reviewing logs to detect discovery attempts. | 80% |
| T1021.001 Remote Desktop Protocol | 1. Logon events with logon type 10 (4624) and TerminalServices-RemoteConnectionManager event 1149 identify RDP sessions from sources other than approved jump hosts. 2. CIS Control 8 mandates collecting and alerting on events for attack detection. | 80% |
| T1005 Data from Local System | 1. File-system auditing (Windows 4663 on objects carrying a SACL, auditd file watches on Linux) tracks reads of sensitive files by unusual users or processes. 2. CIS Control 8 requires collecting and reviewing logs to understand attacks. | 80% |
| T1071.001 Web Protocols | 1. Proxy and DNS logs reveal beaconing: periodic requests to rarely seen domains, unusual user agents, and long-lived sessions over HTTP(S). 2. CIS Control 8 mandates collecting and alerting on events for attack detection. | 80% |
| T1041 Exfiltration Over C2 Channel | 1. Egress flow and proxy logs expose outbound volumes out of proportion to a host's normal traffic, often to the same destination as its C2 beacons. 2. CIS Control 8 requires collecting and reviewing logs to detect exfiltration. | 80% |
| T1486 Data Encrypted for Impact | 1. File-system and security logs show bursts of file writes and renames across many directories, typically preceded by shadow copy deletion. 2. CIS Control 8 mandates collecting and alerting on events for attack detection and recovery. | 80% |
| T1053.005 Scheduled Task | 1. Security events 4698 (task created) and 4702 (task updated), plus the TaskScheduler operational log, reveal malicious tasks. 2. CIS Control 8 mandates reviewing logs to understand attacks. | 80% |
| T1049 System Network Connections Discovery | 1. Command-line logging records enumeration tools such as netstat and net session; where discovery reaches out to other hosts, firewall logs show the probes. 2. CIS Control 8 requires reviewing logs to detect discovery attempts. | 80% |
| T1490 Inhibit System Recovery | 1. Process-creation logs capture vssadmin delete shadows, wbadmin delete catalog and bcdedit changes to recovery settings; backup software logs show deleted jobs and catalogs. 2. CIS Control 8 mandates collecting and reviewing logs to recover from attacks. | 80% |
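Added, runnable illustration of what "alert" means for five rows of the table above (T1070.001, T1053.005, T1021.001, T1003.001, T1490). This is example code written for this page, not SQUR's tooling or anything from the original. The events are constructed sample records in the shape a SIEM holds after parsing forwarded Windows and Sysmon logs; the allowlists `JUMP_HOSTS` and `LSASS_READERS` are hypothetical values chosen for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Event:
    """One forwarded Windows event in the shape a SIEM holds after parsing."""
    host: str
    channel: str   # "Security", "System" or "Sysmon"
    event_id: int
    fields: dict

@dataclass(frozen=True)
class Alert:
    technique: str  # ATT&CK technique ID from the table above
    host: str
    reason: str

# Hypothetical allowlists for this example; a real deployment derives them
# from its own inventory of jump hosts and security products.
JUMP_HOSTS = {"10.0.10.5"}
LSASS_READERS = {r"C:\Program Files\Windows Defender\MsMpEng.exe"}
PROCESS_VM_READ = 0x0010  # access-right bit required to read LSASS memory
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wbadmin(\.exe)?\s+delete\s+catalog", re.I)

def rule_log_cleared(ev: Event) -> Optional[Alert]:
    """T1070.001: Security 1102 (Security log cleared) or System 104 (other log cleared)."""
    if (ev.channel, ev.event_id) in {("Security", 1102), ("System", 104)}:
        return Alert("T1070.001", ev.host,
                     f"event log cleared by {ev.fields.get('SubjectUserName', '?')}")
    return None

def rule_task_created(ev: Event) -> Optional[Alert]:
    """T1053.005: Security 4698, a scheduled task was created."""
    if ev.channel == "Security" and ev.event_id == 4698:
        return Alert("T1053.005", ev.host,
                     f"scheduled task created: {ev.fields.get('TaskName', '?')}")
    return None

def rule_rdp_logon(ev: Event) -> Optional[Alert]:
    """T1021.001: Security 4624 with logon type 10 from a source that is not a jump host."""
    if ev.channel == "Security" and ev.event_id == 4624 \
            and str(ev.fields.get("LogonType")) == "10":
        src = ev.fields.get("IpAddress", "?")
        if src not in JUMP_HOSTS:
            return Alert("T1021.001", ev.host,
                         f"RDP logon for {ev.fields.get('TargetUserName', '?')} from {src}")
    return None

def rule_lsass_access(ev: Event) -> Optional[Alert]:
    """T1003.001: Sysmon 10, a handle to lsass.exe with memory-read rights."""
    if ev.channel == "Sysmon" and ev.event_id == 10:
        target = ev.fields.get("TargetImage", "").lower()
        source = ev.fields.get("SourceImage", "")
        granted = int(ev.fields.get("GrantedAccess", "0x0"), 16)
        if target.endswith("\\lsass.exe") and source not in LSASS_READERS \
                and granted & PROCESS_VM_READ:
            return Alert("T1003.001", ev.host, f"{source} opened LSASS with access 0x{granted:x}")
    return None

def rule_recovery_inhibited(ev: Event) -> Optional[Alert]:
    """T1490: Security 4688 whose command line deletes shadow copies or the backup catalog."""
    if ev.channel == "Security" and ev.event_id == 4688:
        cmd = ev.fields.get("CommandLine", "")
        if SHADOW_DELETE.search(cmd):
            return Alert("T1490", ev.host, f"recovery inhibited: {cmd}")
    return None

RULES = [rule_log_cleared, rule_task_created, rule_rdp_logon,
         rule_lsass_access, rule_recovery_inhibited]

def evaluate(events: List[Event]) -> List[Alert]:
    """Run every rule over every event and return the alerts in arrival order."""
    alerts: List[Alert] = []
    for ev in events:
        for rule in RULES:
            alert = rule(ev)
            if alert is not None:
                alerts.append(alert)
    return alerts

# Constructed sample events (not real telemetry). Three are benign on purpose.
SAMPLE_EVENTS = [
    Event("WS01", "Security", 4624, {"LogonType": 10, "IpAddress": "10.0.10.5",
                                     "TargetUserName": "alice"}),        # approved jump host
    Event("WS01", "Security", 4624, {"LogonType": 10, "IpAddress": "203.0.113.7",
                                     "TargetUserName": "svc-backup"}),   # T1021.001
    Event("WS01", "Security", 4698, {"TaskName": r"\Updater",
                                     "SubjectUserName": "svc-backup"}),  # T1053.005
    Event("WS01", "Security", 4688, {"CommandLine": "vssadmin.exe delete shadows /all /quiet"}),  # T1490
    Event("DC01", "Sysmon", 10, {"SourceImage": r"C:\Windows\Temp\p.exe",
                                 "TargetImage": r"C:\Windows\System32\lsass.exe",
                                 "GrantedAccess": "0x1010"}),            # T1003.001
    Event("DC01", "Sysmon", 10, {"SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
                                 "TargetImage": r"C:\Windows\System32\lsass.exe",
                                 "GrantedAccess": "0x1010"}),            # allowlisted reader
    Event("DC01", "Security", 1102, {"SubjectUserName": "svc-backup"}),  # T1070.001
    Event("DC01", "Security", 4624, {"LogonType": 3, "IpAddress": "10.0.20.9",
                                     "TargetUserName": "alice"}),        # network logon, not RDP
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"{a.technique:10} {a.host:5} {a.reason}")
```

Matching event IDs is the easy part. The rules only have value if the audit policy actually emits 4688 with command lines and Sysmon is deployed, if the allowlists are maintained, and if events reach the collector before an attacker can clear them locally, which is why the 1102 row above carries the highest confidence.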
Defending mitigations · 6
| Mitigation | What it does | Confidence |
|---|---|---|
| M1047 Audit | 1. This mitigation directly implements CIS Control 8 by collecting, alerting, reviewing, and retaining audit logs. 2. The control text explicitly states 'Collect, alert, review, and retain audit logs'. | 100% |
| M1026 Privileged Account Management | 1. Auditing the creation, modification and use of privileged accounts produces the events (4672 special privileges assigned, 4728/4732 group membership changes) that reveal privilege escalation. 2. CIS Control 8 requires logs of events that could help detect attacks. | 90% |
| M1028 Operating System Configuration | 1. A secure operating system configuration includes an audit policy that enables the log categories the detections above depend on (logon, process creation, object access), supporting CIS Control 8. 2. The control mandates collecting logs of events. | 80% |
| M1035 Limit Access to Resource Over Network | 1. Logging access attempts to restricted resources helps detect violations of the access limits. 2. CIS Control 8 requires collecting and alerting on events for attack detection. | 80% |
| M1036 Account Use Policies | 1. Lockout thresholds and logon-hour restrictions generate account lockout (4740) and denied-logon events that logging surfaces for review. 2. CIS Control 8 mandates collecting and reviewing logs for attack detection. | 80% |
| M1030 Network Segmentation | 1. Logs from the firewalls between segments record traffic crossing segment boundaries, exposing unauthorized lateral movement. 2. CIS Control 8 requires collecting and reviewing logs to understand attacks. | 70% |
Underlying weaknesses · 6
| CWE | Why it persists | Confidence |
|---|---|---|
| CWE-778 Insufficient Logging | 1. When security-relevant events are not logged at all, attacks cannot be detected or reconstructed. 2. CIS Control 8 directly addresses this by requiring the collection of audit logs. | 100% |
| CWE-117 Improper Output Neutralization for Logs | 1. User input written to logs without neutralization lets an attacker inject line breaks and forge or obscure entries, hindering detection and corrupting the record. 2. CIS Control 8's requirement to retain logs implies protecting their integrity. | 90% |
| CWE-223 Omission of Security-relevant Information | 1. Entries that omit who, what, when and from where cannot support understanding the scope of an attack. 2. CIS Control 8 requires logs of events to 'understand' an attack. | 90% |
| CWE-222 Truncation of Security-relevant Information | 1. Truncated fields (a command line cut short, an address shortened) lose exactly the detail an investigation needs. 2. CIS Control 8 requires logs of events to 'understand' an attack. | 80% |
| CWE-221 Information Loss or Omission | 1. Rotation and retention failures discard historical records before an incident is noticed, leaving nothing to recover from. 2. CIS Control 8 mandates retaining audit logs for detection, understanding, and recovery. | 80% |
| CWE-779 Logging of Excessive Data | 1. Over-verbose logging exhausts storage, forces premature deletion, and buries relevant events in noise. 2. CIS Control 8 mandates retaining audit logs for detection, understanding, and recovery. | 80% |
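Added example (written for this page; not SQUR's code and not from the original) showing two of the weaknesses above in working code. `neutralize` escapes control characters before user-controlled strings enter a record, which is the fix for CWE-117, and `ChainedLog` writes each record with the SHA-256 of the previous one so that `verify` detects a record that was edited, deleted or reordered after retention. The `head` hash, and the advice to store it where the log host cannot reach it, are this example's own design choices rather than anything the page specifies; the events are constructed.

```python
import hashlib
import json
import re
from typing import List, Optional, Tuple

# Bytes that let an attacker end the current record and start a forged one.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
GENESIS = "0" * 64  # "previous hash" of the very first record

def neutralize(value: str) -> str:
    """Escape control characters so user-controlled text cannot break a record (CWE-117)."""
    return CONTROL_CHARS.sub(lambda m: "\\x%02x" % ord(m.group()), value)

def _digest(line: str) -> str:
    return hashlib.sha256(line.encode("utf-8")).hexdigest()

class ChainedLog:
    """Append-only log where each record carries the SHA-256 of the previous one."""

    def __init__(self) -> None:
        self.records: List[str] = []  # serialized JSON lines, in write order

    def append(self, event: dict) -> str:
        if "seq" in event or "prev" in event:
            raise ValueError("'seq' and 'prev' are reserved chain fields")
        prev = _digest(self.records[-1]) if self.records else GENESIS
        body = {k: neutralize(v) if isinstance(v, str) else v for k, v in event.items()}
        record = {"seq": len(self.records), "prev": prev, **body}
        line = json.dumps(record, sort_keys=True, separators=(",", ":"))
        self.records.append(line)
        return line

    def head(self) -> str:
        """Hash of the newest record; keep a copy somewhere the log host cannot write."""
        return _digest(self.records[-1]) if self.records else GENESIS

def verify(lines: List[str], expected_head: Optional[str] = None) -> Tuple[bool, int]:
    """Return (ok, index). On failure, index is the first record that does not fit.

    Editing, deleting or reordering a record breaks the chain at the record after it.
    Damage to the newest record, or truncation of the tail, is only caught when the
    independently stored expected_head is supplied.
    """
    prev = GENESIS
    for i, line in enumerate(lines):
        try:
            record = json.loads(line)
        except ValueError:
            return False, i
        if record.get("seq") != i or record.get("prev") != prev:
            return False, i
        prev = _digest(line)
    if expected_head is not None and prev != expected_head:
        return False, len(lines)
    return True, len(lines)

def demo() -> dict:
    """Build a three-record log from constructed events, then tamper with copies of it."""
    log = ChainedLog()
    log.append({"user": "alice", "action": "login"})
    # Username crafted so that, written raw, it would look like a second record.
    log.append({"user": 'bob\r\n{"seq":99,"user":"admin","action":"login"}', "action": "login"})
    log.append({"user": "carol", "action": "logout"})
    lines = list(log.records)
    head = log.head()

    deleted = [lines[0], lines[2]]                                   # middle record removed
    edited = [lines[0].replace("alice", "mallory")] + lines[1:]      # first record altered
    truncated = lines[:2]                                            # newest record dropped
    edited_tail = lines[:2] + [lines[2].replace("carol", "mallory")] # newest record altered
    return {
        "records": len(lines),
        "injection_escaped": "\n" not in lines[1],
        "intact": verify(lines, head),
        "deleted": verify(deleted),
        "edited": verify(edited),
        "truncated_no_head": verify(truncated),
        "truncated_with_head": verify(truncated, head),
        "edited_tail_no_head": verify(edited_tail),
        "edited_tail_with_head": verify(edited_tail, head),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24} {result}")
```

The two "no_head" results are the caveat worth remembering: a hash chain alone proves that what remains is internally consistent, not that nothing was removed from the end. Retention that can survive T1070.001 needs the latest hash (or the records themselves) copied to a collector the compromised host cannot write to.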
What SQUR Covers
Web application + API pentesting for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.
What SQUR Does Not Cover
Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.
Provenance
Mapped Q2.2026 using gemini-2.5-flash · €0.0180 compute · voice-rubric self-validated