How to Collect SOC 2 Evidence Using Your SIEM
Turn recurring security control tests into saved queries and exports so SOC 2 Type II evidence is boring instead of last-minute.
Overview
SOC 2 is not a single document—it is a repeatable story told with samples. Your SIEM should be the place where most of that story is generated automatically.
Estimated time: 2–4 hours to set up initial queries; ongoing minutes per week
Required: Admin access to Xpernix and alignment with whoever owns your SOC 2 control matrix
Step 1: Map Controls to Log Sources
Start with the boring controls auditors always sample:
| Control theme | Typical log sources |
|---|---|
| Logical access | Okta / Entra ID, VPN, bastion |
| Infrastructure changes | CloudTrail, Terraform Cloud, CI audit |
| Detection & response | SIEM alert queue, ticket system |
| Data protection | DLP (if any), S3 / object storage audit |
If a control has no mapped log source, fix the architecture before you fix the spreadsheet.
Step 2: Create Saved Queries per Control
Examples (adjust field names to your normalized schema):
MFA on privileged users (report the exceptions: successful privileged logins that did not use MFA; an empty result is the evidence that the control held)
```sql
-- mfa_used is a normalized boolean derived from the identity provider's MFA events; rename to your schema
SELECT day, user, COUNT(*) AS logins_without_mfa
FROM okta_events
WHERE outcome = 'SUCCESS'
AND mfa_used = false
AND user IN (SELECT user FROM privileged_directory_group)
GROUP BY day, user
```
Production changes
```sql
-- event_source limits this to EC2; add iam, rds, s3 and so on as your production scope requires
-- if your schema carries CloudTrail's errorCode, also exclude failed calls: they changed nothing
SELECT event_time, user_identity, event_name, request_parameters
FROM cloudtrail_events
WHERE readonly = false
AND event_source = 'ec2.amazonaws.com'
AND event_time > now() - INTERVAL 90 DAY
```
Save each query in the portal with a control ID in the title so your future self does not play archaeology.
Step 3: Schedule Automated Exports
- In Reporting → Scheduled Exports, attach each saved query to a cadence (weekly for high-change environments, monthly for stable ones).
- Send outputs to your evidence bucket with object lock or WORM policy where possible.
- Store a checksum (for example SHA-256) alongside each PDF/CSV, and record the same digest in the review ticket, so a file that is later edited or swapped is obvious.
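As an added example (not code from the article and not Xpernix's own tooling), one way to produce the checksum sidecar this step asks for: the export is written as CSV, its SHA-256 digest goes into a `.sha256` sidecar in the two-column format `sha256sum -c` understands, and a verify function re-hashes the file so a silently edited export fails the check. The file-naming convention and the control ID used in the demo are assumptions; uploading both files to the object-locked bucket is left to whatever copies your exports today.

```python
"""Write an evidence export next to a SHA-256 sidecar and verify it later.
Example code added to this article; the naming convention is assumed."""
import csv
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream the file through SHA-256 (exports can be large)."""
    digest = hashlib.sha256()
    with Path(path).open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_evidence(dest_dir, control_id, period, header, rows):
    """Write <control_id>_<period>.csv plus a .sha256 sidecar that
    `sha256sum -c` can re-check, so an auditor needs no special tooling."""
    dest_dir = Path(dest_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    csv_path = dest_dir / f"{control_id}_{period}.csv"
    with csv_path.open("w", newline="") as fh:
        writer = csv.writer(fh)
        writer.writerow(header)
        writer.writerows(rows)
    sidecar = csv_path.with_name(csv_path.name + ".sha256")
    sidecar.write_text(f"{sha256_of(csv_path)}  {csv_path.name}\n")
    return csv_path, sidecar


def verify_evidence(sidecar):
    """True only if the file named in the sidecar still matches the recorded digest."""
    sidecar = Path(sidecar)
    expected, name = sidecar.read_text().split()
    target = sidecar.parent / name
    return target.exists() and sha256_of(target) == expected


def demo():
    """Package a constructed export, verify it, tamper with it, verify again.
    Returns (result before tampering, result after tampering)."""
    with tempfile.TemporaryDirectory() as tmp:
        rows = [("2024-05-22T09:00:00+00:00", "bob")]  # constructed sample row
        csv_path, sidecar = write_evidence(
            tmp, "CC6.1-mfa-exceptions", "2024-05", ["event_time", "user"], rows
        )
        clean = verify_evidence(sidecar)
        # Someone quietly removes the exception row from the export.
        csv_path.write_text("event_time,user\n")
        return clean, verify_evidence(sidecar)


if __name__ == "__main__":
    print("verify before/after tampering:", demo())
```

The sidecar proves integrity only if it is harder to alter than the export itself, which is why it belongs in the same object-locked bucket and why the reviewer in Step 4 should paste the digest into the ticket as a second copy.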
Step 4: Assign Reviewers
For each export, record:
- Reviewer name and role
- Date reviewed
- Pass/fail and link to any remediation ticket
This mirrors what auditors expect from a mature control operation—not perfect security, but visible ownership.
Step 5: Dry-Run an Evidence Request
Pick a random Tuesday and ask your team for:
- Last 90 days of failed privileged logins
- All security group changes touching 0.0.0.0/0
- All new IAM users or access keys
If you cannot produce these within 24 hours, your SIEM is decorative.
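As an added, runnable example (not part of the original article and not Xpernix's product code), the four dry-run requests above, plus the Step 2 MFA control, expressed as saved queries titled with a control ID and run against a handful of constructed Okta and CloudTrail rows in an in-memory SQLite database. The table and column names (`okta_events.mfa_used`, `cloudtrail_events.read_only`, `request_parameters` stored as compact JSON), the sample rows, and the CC6.x control IDs are assumptions; substitute your normalized schema and your own control matrix.

```python
"""Dry-run the Step 5 evidence requests (and the Step 2 MFA control) against
constructed sample events in SQLite. Example code added to this article; the
table and column names are an assumed normalized schema, not a vendor's."""
import sqlite3
from datetime import datetime, timedelta, timezone

# Fixed "today" so the 90-day window is deterministic in this example.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SINCE = (NOW - timedelta(days=90)).isoformat()  # 2024-03-03T00:00:00+00:00

# Constructed sample rows (not real tenant data). Timestamps are UTC ISO-8601,
# so plain string comparison orders them correctly.
OKTA_EVENTS = [  # (event_time, user, outcome, mfa_used)
    ("2024-05-20T09:00:00+00:00", "alice", "SUCCESS", 1),
    ("2024-05-21T09:00:00+00:00", "alice", "FAILURE", 0),
    ("2024-05-22T09:00:00+00:00", "bob", "SUCCESS", 0),    # privileged login without MFA
    ("2024-02-01T09:00:00+00:00", "bob", "FAILURE", 0),    # older than 90 days
    ("2024-05-23T09:00:00+00:00", "carol", "FAILURE", 0),  # carol is not privileged
]
PRIVILEGED_USERS = ["alice", "bob"]
CLOUDTRAIL_EVENTS = [  # (event_time, event_source, event_name, user_identity, read_only, request_parameters)
    ("2024-05-10T10:00:00+00:00", "ec2.amazonaws.com", "AuthorizeSecurityGroupIngress", "alice", 0,
     '{"groupId":"sg-0abc","ipPermissions":{"items":[{"ipRanges":{"items":[{"cidrIp":"0.0.0.0/0"}]}}]}}'),
    ("2024-05-11T10:00:00+00:00", "ec2.amazonaws.com", "AuthorizeSecurityGroupIngress", "alice", 0,
     '{"groupId":"sg-0def","ipPermissions":{"items":[{"ipRanges":{"items":[{"cidrIp":"10.0.0.0/8"}]}}]}}'),
    ("2024-05-12T10:00:00+00:00", "ec2.amazonaws.com", "DescribeSecurityGroups", "alice", 1, "{}"),
    ("2024-05-13T10:00:00+00:00", "iam.amazonaws.com", "CreateUser", "bob", 0, '{"userName":"svc-deploy"}'),
    ("2024-05-14T10:00:00+00:00", "iam.amazonaws.com", "CreateAccessKey", "bob", 0, '{"userName":"svc-deploy"}'),
    ("2024-01-14T10:00:00+00:00", "iam.amazonaws.com", "CreateAccessKey", "bob", 0, '{"userName":"old-svc"}'),
]

# Saved queries keyed by control ID + title, as Step 2 recommends. The CC
# references follow the 2017 Trust Services Criteria; map them to your matrix.
SAVED_QUERIES = {
    "CC6.1 privileged logins without MFA": """
        SELECT event_time, user FROM okta_events
        WHERE outcome = 'SUCCESS' AND mfa_used = 0
          AND user IN (SELECT user FROM privileged_directory_group)
          AND event_time >= :since ORDER BY event_time""",
    "CC6.1 failed privileged logins": """
        SELECT event_time, user FROM okta_events
        WHERE outcome = 'FAILURE'
          AND user IN (SELECT user FROM privileged_directory_group)
          AND event_time >= :since ORDER BY event_time""",
    # Match the JSON key as well as the CIDR so '10.0.0.0/0'-style substrings cannot false-positive.
    "CC6.6 security group rules open to the world": """
        SELECT event_time, user_identity, event_name FROM cloudtrail_events
        WHERE event_source = 'ec2.amazonaws.com' AND read_only = 0
          AND event_name LIKE '%SecurityGroup%'
          AND (request_parameters LIKE '%"cidrIp":"0.0.0.0/0"%'
               OR request_parameters LIKE '%"cidrIpv6":"::/0"%')
          AND event_time >= :since ORDER BY event_time""",
    "CC6.2 new IAM users and access keys": """
        SELECT event_time, user_identity, event_name, request_parameters FROM cloudtrail_events
        WHERE event_source = 'iam.amazonaws.com'
          AND event_name IN ('CreateUser', 'CreateAccessKey')
          AND event_time >= :since ORDER BY event_time""",
}


def load_sample_db():
    """Build the in-memory stand-in for the SIEM's normalized tables."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE okta_events(event_time TEXT, user TEXT, outcome TEXT, mfa_used INTEGER)")
    con.execute("CREATE TABLE privileged_directory_group(user TEXT)")
    con.execute("CREATE TABLE cloudtrail_events(event_time TEXT, event_source TEXT, event_name TEXT,"
                " user_identity TEXT, read_only INTEGER, request_parameters TEXT)")
    con.executemany("INSERT INTO okta_events VALUES (?,?,?,?)", OKTA_EVENTS)
    con.executemany("INSERT INTO privileged_directory_group VALUES (?)", [(u,) for u in PRIVILEGED_USERS])
    con.executemany("INSERT INTO cloudtrail_events VALUES (?,?,?,?,?,?)", CLOUDTRAIL_EVENTS)
    return con


def run_saved_query(con, title, since=SINCE):
    """Run one saved query over the audit window; returns the evidence rows."""
    return con.execute(SAVED_QUERIES[title], {"since": since}).fetchall()


def dry_run(con=None, since=SINCE):
    """Answer every evidence request at once: {control title: rows}."""
    con = con or load_sample_db()
    return {title: run_saved_query(con, title, since) for title in SAVED_QUERIES}


if __name__ == "__main__":
    for title, rows in dry_run().items():
        print(f"{title}: {len(rows)} row(s)")
        for row in rows:
            print("   ", row)
```

Each query takes the window start as a parameter rather than hard-coding 90 days, so the same saved query serves the weekly export and the auditor's sample period. Note which rows are deliberately outside the window or outside the privileged group; a dry run that never exercises those edges cannot tell you whether the filter is right.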
Need Help?
Xpernix can help you align CloudTrail, identity, and SaaS logs with the controls your auditor actually tests. Reach out in your dedicated channel or book a discovery call if you want a joint review of your evidence map.