Identify and alert on anomalous data access patterns that may indicate an attempt to exfiltrate log data.
Management / Logging / Controls / DEV
Detect and Alert on Potential Log Exfiltration
CCC.Logging.CN06 · Observability
Related Capabilities
| ID | Title | Description |
|---|---|---|
| CCC.Core.CP06 | Access Control | The service automatically enforces user configurations to restrict or allow access to a specific component or a child resource based on factors such as user identities, roles, groups, or attributes. |
| CCC.Core.CP14 | API Access | The service exposes a port enabling external actors to interact programmatically with the service and its resources using HTTP protocol methods such as GET, POST, PUT, and DELETE. |
| CCC.Core.CP22 | Location Lock-In | The service may be configured to restrict the deployment of child resources to specific geographic locations. |
Related Threats
| ID | Title | Description |
|---|---|---|
| CCC.Logging.TH02 | Unauthorized Data Transfer Out of a Trusted Boundary | Sensitive log data, including PII, financial transaction details, or system vulnerabilities, is exfiltrated directly from the logging service's query or API interfaces by authorized but malicious insiders or compromised accounts exploiting legitimate access. |
Assessment Requirements
| ID | Text | Applicability |
|---|---|---|
| CCC.Logging.CN06.AR01 | When a single principal executes an anomalously high number of log queries, an alert MUST be generated. | tlp-green, tlp-amber, tlp-red |