AU.L2-3.3.3: Event Review & Logged Event Updates
Event review is a critical defense layer in CMMC Level 2 compliance. Your organization must establish and maintain processes to regularly review and update logged security events to detect anomalies, respond to incidents, and maintain audit integrity.
What this means
This control requires your team to systematically examine logged events from information systems at defined intervals. You must assess whether events are accurately captured, properly categorized, and contain sufficient detail for security analysis. The review process should identify suspicious patterns, failed access attempts, configuration changes, and other security-relevant activities—then update your event logs or respond accordingly.
How to comply
- 1.Establish a documented event review schedule (daily, weekly, or monthly depending on risk)
- 2.Define roles and responsibilities for who reviews logs and when
- 3.Create criteria for what constitutes a meaningful security event
- 4.Document procedures for updating, archiving, or acting on reviewed events
- 5.Implement tools or dashboards to centralize log visibility across systems
- 6.Train staff on recognizing suspicious patterns and escalation procedures
- 7.Maintain records of reviews performed and actions taken
- 8.Periodically test your review process to ensure effectiveness
Evidence auditors look for
- Log management system with automated alerting and search capabilities
- Event review schedule and log of reviews performed with dates and reviewer names
- Incident response tickets generated from log reviews
- SIEM or centralized logging solution with event categorization
- Security event baseline documentation
- Training records for staff responsible for event review
- Procedures manual describing event review methodology
- Screenshots of dashboard or tool showing reviewed events
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates event log collection and review workflows, alerting you to suspicious patterns in real time and maintaining an audit trail of all reviews—eliminating manual log hunting and reducing your event review cycle from days to minutes.
See how GRCWatch handles this control automatically
Start free trial