C.3  Security audit analysis (FAU_SAA)

This family defines requirements for automated means that analyse system activity and audit data looking for possible or real security violations. This analysis may work in support of intrusion detection, or automatic response to an imminent security violation.

The action to be performed by the TSF on detection of a possible imminent or potential violation is defined in FAU_ARP Security audit automatic response components.

Application Notes

For real-time analysis, audit data could be transformed into one format suited to automated treatment and into a different format suited to delivery to authorised users for review.