Audit Trail
Definition
An audit trail is a chronological record of system activities that provides documentary evidence of the sequence of activities affecting operations, procedures, or data. Audit trails enable the reconstruction of events, support forensic investigation, and demonstrate compliance by showing who did what, when, and from where.
What Should Be Logged
Authentication events -- successful and failed login attempts, password changes, MFA events
Authorization events -- access grants, permission changes, privilege escalation
Data access -- reads, writes, modifications, and deletions of sensitive data
System changes -- configuration modifications, software installations, patch applications
Administrative actions -- user account creation, role assignments, policy changes
Security events -- firewall actions, intrusion detection alerts, malware detections
Application events -- business-critical transactions, error conditions, API calls
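As an added example, not taken from this page or from any of the frameworks discussed on it, the Python below writes audit records carrying the who / did what / to what / when / from where / outcome fields the list above calls for, chains them with SHA-256 so that any edited or deleted record is detectable, and redacts credential values so a failed-login event never captures the password that was tried. The field names, the SENSITIVE_KEYS list, the class and function names, and the sample events (with addresses from the RFC 5737 documentation ranges) are this example's own assumptions, not a standard schema.

```python
"""Tamper-evident audit trail: structured records joined by a SHA-256 hash chain."""
import hashlib
import json
from datetime import datetime, timezone

# Field names below are this example's own choice, modelled on the
# "who did what, when, and from where" requirement; not a standard schema.
GENESIS = "0" * 64                       # prev_hash of the very first record
SENSITIVE_KEYS = {"password", "secret", "token", "authorization"}  # assumed list


def _redact(details):
    """Keep credential values out of the trail, even on failure paths."""
    return {k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else v)
            for k, v in details.items()}


def _digest(record):
    """SHA-256 over the canonical JSON of every field except the hash itself."""
    body = {k: v for k, v in record.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class AuditTrail:
    def __init__(self):
        self.records = []

    def append(self, actor, action, target, source, outcome,
               details=None, timestamp=None):
        """Append one event; each record commits to the hash of its predecessor."""
        ts = timestamp or datetime.now(timezone.utc).isoformat(timespec="seconds")
        record = {
            "seq": len(self.records),
            "timestamp": ts,          # when
            "actor": actor,           # who
            "action": action,         # did what
            "target": target,         # to what
            "source": source,         # from where (client IP or hostname)
            "outcome": outcome,       # success / failure
            "details": _redact(details or {}),
            "prev_hash": self.records[-1]["hash"] if self.records else GENESIS,
        }
        record["hash"] = _digest(record)
        self.records.append(record)
        return record

    def head(self):
        """Hash of the newest record; anchor it somewhere the writer cannot modify."""
        return self.records[-1]["hash"] if self.records else GENESIS


def verify(records, expected_head=None):
    """Return (True, None) if the chain is intact, else (False, index) for the
    first record that fails. Dropping records from the tail leaves a valid
    chain, so that case is only caught when the caller passes the head hash
    it anchored elsewhere."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if (rec.get("seq") != i or rec.get("prev_hash") != prev
                or _digest(rec) != rec.get("hash")):
            return False, i
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(records)
    return True, None


def demo():
    """Build a trail from constructed sample events, then tamper with copies."""
    trail = AuditTrail()
    trail.append("alice", "login", "sso", "203.0.113.7", "success")
    trail.append("alice", "role_assign", "user:bob", "203.0.113.7", "success",
                 details={"role": "admin"})
    trail.append("bob", "read", "customers/4711", "198.51.100.23", "success")
    trail.append("bob", "login", "sso", "198.51.100.23", "failure",
                 details={"reason": "bad_password", "password": "hunter2"})
    head = trail.head()

    edited = json.loads(json.dumps(trail.records))   # deep copy via JSON
    edited[2]["actor"] = "alice"                      # rewrite who read the record
    shortened = json.loads(json.dumps(trail.records))
    del shortened[1]                                  # erase the privilege change
    truncated = trail.records[:-1]                    # drop the newest event

    return {
        "intact": verify(trail.records, head),        # (True, None)
        "edited": verify(edited, head),               # (False, 2)
        "deleted": verify(shortened, head),           # (False, 1)
        "truncated_no_anchor": verify(truncated),     # (True, None): undetected
        "truncated_with_anchor": verify(truncated, head),  # (False, 3)
        "redacted": trail.records[3]["details"]["password"],  # "[REDACTED]"
    }
```

Hash chaining makes the trail tamper-evident, not tamper-proof: an attacker who can rewrite every record can recompute the whole chain, and silently discarding the newest records leaves a chain that still verifies. Both only become detectable when the head hash, or the records themselves, are forwarded to a system the original writer cannot modify (a separate log host or a write-once store), which is the practical content of the log-protection requirements in the frameworks that follow.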
Framework Requirements
PCI-DSS
Requirement 10 mandates logging of all individual user access to cardholder data and of administrative actions, with automated audit trails, daily review of security-relevant logs, and retention of at least 12 months, the most recent three months immediately available for analysis.
HIPAA
The Security Rule's audit controls standard (45 CFR 164.312(b)) requires mechanisms that record and examine activity in information systems that contain or use ePHI. Reviewing those records is not optional: information system activity review (45 CFR 164.308(a)(1)(ii)(D)) is a required implementation specification, not an addressable one.
SOC 2
The Trust Services Criteria's common criteria, notably CC7.2 in the System Operations series, require monitoring system components for anomalies indicative of malicious acts and errors and analysing them to determine whether they are security events; audit logs are the evidence that monitoring and the auditor's testing rest on.
ISO 27001
Annex A control A.8.15 (Logging, in the 2022 edition, which merges the 2013 controls A.12.4.1 through A.12.4.3) requires that logs of activities, exceptions, faults and other relevant events be produced, stored, protected against tampering and unauthorized access, and analysed.