This post explains how to implement ECC – 2 : 2024 Control 2-12-4 by using a Security Information and Event Management (SIEM) system to automate periodic event log reviews, create auditable evidence, and maintain essential cybersecurity controls in a small-business environment.
What Control 2-12-4 requires (high level)
Control 2-12-4 of the Compliance Framework requires periodic review of event logs and the retention of those reviews as evidence that organizational monitoring and threat detection practices are occurring. The objective is to detect suspicious activity early, to demonstrate continuous monitoring to auditors, and to ensure that the logs used for detection are complete, secure, and reviewed regularly.
Practical SIEM implementation steps for Compliance Framework
1) Inventory log sources and map to the control
Start by documenting all log sources that are in scope for the Compliance Framework: Active Directory / domain controllers, firewall and VPNs, endpoint EDR, M365/Azure AD and cloud provider audit logs, DNS and DHCP, web/proxy logs, and critical server application logs (database, payment, ERP). For each source, record log formats, retention capabilities, volume (events/day), and log transport options (syslog, WEF, agent). Create a simple matrix that maps each source to the control language (e.g., evidence type, retention period, review frequency).
2) Collection, normalization and secure storage
Implement collection with agents or native connectors: Windows Event Forwarding (WEF) or NXLog for Windows, syslog-ng/rsyslog for *nix, cloud connectors for M365/Azure/GCP, and EDR forwarders. Normalize events so the SIEM can correlate fields (user, src_ip, dest_ip, event_id, outcome). Secure logs: use TLS for transport, encrypt at rest (AES-256), enable role-based access in the SIEM, and consider WORM or append-only storage for audit evidence. Set retention aligned to the Compliance Framework — common practice is 90 days of fast-search retention and 1 year (or more if required) in cold storage; document retention settings for audit evidence.
3) Build detection logic and correlation rules
Create a baseline rule set that covers high-value detections required by the Framework: repeated failed logins, RDP/VPN anomalies, privileged account usage outside business hours, new service installs, and large data transfers. Use correlation rules that combine multiple low-fidelity events into high-fidelity findings, for example: "more than 10 failed AD logon attempts across 5 different hostnames from the same source IP within 15 minutes" or "a privileged AD account authenticating from a country where the company has no business operations." Example pseudo-search for the first rule (Splunk-style syntax; a plain count by source IP alone would miss the host-spread and time-window conditions): index=winevent EventID=4625 LogonType=3 earliest=-15m | stats count, dc(hostname) as hosts by src_ip | where count > 10 AND hosts >= 5
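As an added example that is not part of the original post, the following Python implements the first correlation rule above over constructed sample events; the tuple layout, field names and thresholds are assumptions modelled on the pseudo-search.

```python
"""Correlation check for the rule quoted above (added example, not from the
original post): flag a source IP with more than 10 failed network logons
(EventID 4625, LogonType 3) spread over at least 5 hosts within 15 minutes."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event_id, logon_type, src_ip, hostname).
# One source fails against 12 different workstations in 12 minutes; the others
# are a single failure, a successful logon and a failure well outside the window.
SAMPLE_EVENTS = [
    (f"2024-05-06T09:{i:02d}:00", 4625, 3, "203.0.113.7", f"WS-{i:02d}") for i in range(12)
] + [
    ("2024-05-06T09:05:00", 4625, 3, "198.51.100.9", "WS-01"),
    ("2024-05-06T09:06:00", 4624, 3, "203.0.113.7", "WS-13"),
    ("2024-05-06T11:00:00", 4625, 3, "203.0.113.7", "WS-20"),
]

def detect_spray(events, threshold=10, min_hosts=5, window=timedelta(minutes=15)):
    """Return one finding per source IP whose failed logons exceed `threshold`
    and touch at least `min_hosts` distinct hosts inside any sliding `window`."""
    failed = defaultdict(list)
    for ts, event_id, logon_type, src_ip, host in events:
        if event_id == 4625 and logon_type == 3:        # failed network logon only
            failed[src_ip].append((datetime.fromisoformat(ts), host))
    findings = []
    for src_ip, rows in failed.items():
        rows.sort()
        for i, (start, _) in enumerate(rows):
            j = i                                       # first event past the window
            while j < len(rows) and rows[j][0] - start <= window:
                j += 1
            hosts = {h for _, h in rows[i:j]}
            if j - i > threshold and len(hosts) >= min_hosts:
                findings.append({"src_ip": src_ip, "window_start": start.isoformat(),
                                 "failures": j - i, "distinct_hosts": len(hosts)})
                break                                   # one finding per source
    return findings

if __name__ == "__main__":
    for finding in detect_spray(SAMPLE_EVENTS):
        print(finding)
```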
4) Automate periodic reviews and create review jobs
Set up scheduled SIEM searches that run at the review cadence defined by the Framework (commonly weekly for high-risk logs, monthly for lower-risk). Use the SIEM to produce a "Periodic Review Pack" containing: high-priority alerts from the period, summary counts by event type, top source IPs, and exception list updates. Automate the generation of these packs and delivery to stakeholders via secure email or ticketing integration. Implement a review workflow: assign each periodic pack to a reviewer, require triage notes for each alert (investigated, false positive, remediation action), and attach artifacts. Maintain an audit trail with reviewer identity, timestamps, and exported evidence (CSV or PDF) to meet Control 2-12-4 evidence requirements.
5) Reporting, evidence and auditor-ready artifacts
Design two report types: operational (detailed SIEM dashboards for SOC/IT) and compliance (summarized packs for auditors and management). Compliance reports should include the saved search IDs, query text, run timestamps, reviewer sign-off, and exported results (hash-summed files where possible). For evidence, export the original log subset or search result (CSV) and include metadata: time range, query used, and storage location. Keep an immutable record (or a signed digest) of exported evidence to prove integrity during audits.
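As an added example (not from the original post), this Python produces the evidence export and metadata manifest described above and verifies it later; the file names, the manifest fields and the use of an HMAC over the manifest as the "signed digest" are assumptions, and the key is a constructed placeholder.

```python
"""Auditor-ready evidence export for a periodic review (added example, not from
the original post): CSV export plus a manifest holding query, time range, run
timestamp, reviewer and a SHA-256 file digest, with an HMAC over the manifest."""
import csv, hashlib, hmac, json, tempfile
from datetime import datetime, timezone
from pathlib import Path

KEY = b"placeholder-review-signing-key"   # constructed placeholder, keep real keys in a vault

def _sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def build_evidence_pack(out_dir, rows, query, time_range, reviewer, key):
    """Export `rows` (list of dicts) to CSV and return the signed manifest."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    export = out / "review_export.csv"
    with export.open("w", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=list(rows[0]) if rows else ["no_results"])
        writer.writeheader()
        writer.writerows(rows)
    manifest = {"query": query, "time_range": time_range, "reviewer": reviewer,
                "run_timestamp": datetime.now(timezone.utc).isoformat(),
                "export_file": export.name, "export_sha256": _sha256(export)}
    body = json.dumps(manifest, sort_keys=True).encode()   # canonical form that is signed
    manifest["hmac_sha256"] = hmac.new(key, body, hashlib.sha256).hexdigest()
    (out / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest

def verify_evidence_pack(out_dir, key):
    """Recompute the manifest HMAC and the export digest; False on any change."""
    out = Path(out_dir)
    manifest = json.loads((out / "manifest.json").read_text())
    tag = manifest.pop("hmac_sha256", "")
    body = json.dumps(manifest, sort_keys=True).encode()
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).hexdigest()):
        return False
    return _sha256(out / manifest["export_file"]) == manifest["export_sha256"]

def demo():
    """Build a pack in a temporary directory, verify it, edit the export, verify again."""
    rows = [{"src_ip": "203.0.113.7", "failures": 12, "distinct_hosts": 12}]  # constructed
    with tempfile.TemporaryDirectory() as d:
        build_evidence_pack(d, rows, "index=winevent EventID=4625 | stats count by src_ip",
                            "2024-05-01T00:00Z/2024-05-08T00:00Z", "reviewer@example.com", KEY)
        intact = verify_evidence_pack(d, KEY)
        with (Path(d) / "review_export.csv").open("a") as fh:
            fh.write("198.51.100.9,1,1\n")          # simulate a post-export edit
        return intact, verify_evidence_pack(d, KEY)
```

Store the manifest and key material separately from the export so an edit to the CSV cannot be accompanied by a re-signed manifest.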
6) Small-business scenario and cost-effective options
For a 25–100 employee small business with limited staff, pick a managed SIEM/SOC or cloud-native SIEM (Azure Sentinel, Splunk Cloud, Elastic Cloud, Sumo Logic) to reduce operational overhead. Focus collection on the highest-value sources first: Active Directory, VPN/authentication, firewall, and endpoint EDR. Apply sampling for low-value logs (DNS, DHCP) or use ingest filters to reduce noise and cost. Implement runbooks for automatic triage of common events (unlock account, block IP) and integrate with a ticket system like Jira Service Management or a simple shared mailbox if a full ITSM is not available.
Compliance tips, best practices, and the risk of non-implementation
Tune detection rules to avoid alert fatigue — maintain a false-positive tracking list and adjust thresholds quarterly. Document RACI for periodic reviews (who reviews, who responds, who signs evidence). Automate proof of review: require a reviewer to check a box in the ticket system and attach the SIEM export. If you use an MSSP, ensure contract terms require delivery of periodic review packs and raw evidence on request. The risk of not implementing this control includes missed detection of active breaches, inability to provide audit evidence, regulatory fines, reputational damage, and longer incident dwell time that increases remediation cost.
Summary: Using a SIEM to automate periodic event log reviews transforms a manual compliance task into repeatable, auditable workflows. Inventory and prioritize log sources, secure collection and retention, build correlation rules and scheduled searches, automate review delivery and ticketing, and keep clear evidence and reviewer sign-offs. For small businesses, a phased approach focusing on AD, VPN, firewall and endpoint logs, combined with managed SIEM services and clearly documented runbooks, will meet ECC – 2 : 2024 Control 2-12-4 while controlling cost and operational overhead.