CMMC AU.3.052 - Implement Audit Record Reduction

Requirement text: AU.3.052: Provide audit record reduction and report generation to support on-demand analysis and reporting.

DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
Audit record reduction is a process that manipulates collected audit information and
organizes such information in a summary format that is more meaningful to analysts. Audit
record reduction and report generation capabilities do not always emanate from the same
system or organizational entities conducting auditing activities. Audit record reduction
capability can include, for example, modern data mining techniques with advanced data
filters to identify anomalous behavior in audit records. The report generation capability
provided by the system can help generate customizable reports. Time ordering of audit
records can be a significant issue if the granularity of the time stamp in the record is
insufficient.

CMMC CLARIFICATION
Raw audit log data is difficult to review, analyze, and report because of the volume of data.
Audit record reduction is an automated process that interprets raw audit log data and
extracts meaningful and relevant information without altering the original logs. An example
of log reduction for files to be analyzed would be the removal of details associated with
nightly backups. Report generation on reduced log information allows you to create succinct
customized reports without the need to burden the reader with unimportant information.
In addition, the security relevant audit information must be made available to personnel on-demand for immediate review, analysis, reporting, and event investigation support.
Performing audit log reduction and providing on-demand reports may allow the analyst to
take mitigating action before the adversary completes their malicious actions.
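The clarification above describes reduction as an automated pass that strips routine noise (the nightly-backup example), pulls out security-relevant events and summarises them for an on-demand report, all without touching the original logs. The following script is an added illustration of that process; it is not part of the CMMC or NIST source text. The syslog-like record format, the sample log lines, the "backupd"/"cron" noise patterns and the event classifiers are all constructed assumptions for the demonstration and would be replaced by an organisation's own log sources and filter rules.

```python
"""Audit record reduction over constructed sample log lines (added example)."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample audit records in an assumed "ts host proc: msg" format.
SAMPLE_RECORDS = [
    "2023-03-01T02:00:01Z host1 backupd: nightly backup started",
    "2023-03-01T02:00:05Z host1 backupd: archived /var/lib/app (1.2 GB)",
    "2023-03-01T02:07:44Z host1 backupd: nightly backup completed ok",
    "2023-03-01T03:14:02Z host1 sshd: Failed password for alice from 203.0.113.7",
    "2023-03-01T03:14:05Z host1 sshd: Failed password for alice from 203.0.113.7",
    "2023-03-01T03:14:09Z host1 sshd: Accepted password for alice from 203.0.113.7",
    "2023-03-01T03:20:00Z host2 sudo: bob : COMMAND=/usr/bin/systemctl restart nginx",
    "2023-03-01T04:00:00Z host2 cron: CMD (/usr/local/bin/rotate-logs)",
    "2023-03-01T05:41:10Z host2 sshd: Failed password for root from 198.51.100.9",
]

RECORD_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")

# Noise filters (assumed): matching records are left out of the reduced view.
NOISE_PATTERNS = [
    re.compile(r"^backupd:"),   # nightly backup chatter
    re.compile(r"^cron: CMD"),  # routine scheduled jobs
]

# Security-relevant classifiers (assumed): (label, regex over "proc: msg").
SECURITY_PATTERNS = [
    ("auth_failure", re.compile(r"^sshd: Failed password for (?P<user>\S+) from (?P<src>\S+)")),
    ("auth_success", re.compile(r"^sshd: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")),
    ("privileged_cmd", re.compile(r"^sudo: (?P<user>\S+) : COMMAND=(?P<cmd>.*)")),
]


def parse_record(line):
    """Parse one record into a dict, or return None if it does not fit the format."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def reduce_records(lines, noise=NOISE_PATTERNS, classifiers=SECURITY_PATTERNS):
    """Build a reduced, summarised view; the input list itself is only read."""
    summary = {
        "total": len(lines),
        "unparseable": 0,       # counted, not silently discarded
        "noise_dropped": 0,
        "events": [],           # security-relevant events, time ordered
        "by_type": Counter(),
        "failures_by_user": Counter(),
        "failures_by_source": Counter(),
    }
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            summary["unparseable"] += 1
            continue
        key = f"{rec['proc']}: {rec['msg']}"
        if any(p.search(key) for p in noise):
            summary["noise_dropped"] += 1
            continue
        for label, pat in classifiers:
            m = pat.search(key)
            if m:
                ev = {"ts": rec["ts"], "host": rec["host"], "type": label, **m.groupdict()}
                summary["events"].append(ev)
                summary["by_type"][label] += 1
                if label == "auth_failure":
                    summary["failures_by_user"][ev["user"]] += 1
                    summary["failures_by_source"][ev["src"]] += 1
                break
    # Sort explicitly: collection order is not guaranteed to be time order.
    summary["events"].sort(key=lambda e: e["ts"])
    return summary


def render_report(summary):
    """Produce a short on-demand text report from the reduced view."""
    out = [
        f"Records examined: {summary['total']}",
        f"Routine noise removed: {summary['noise_dropped']}",
        f"Unparseable: {summary['unparseable']}",
        "Security-relevant events by type:",
    ]
    out += [f"  {label}: {n}" for label, n in sorted(summary["by_type"].items())]
    out.append("Failed logons by source:")
    out += [f"  {src}: {n}" for src, n in summary["failures_by_source"].most_common()]
    out.append("Timeline:")
    out += [f"  {e['ts'].isoformat()} {e['host']} {e['type']} {e.get('user', '')}"
            for e in summary["events"]]
    return "\n".join(out)


if __name__ == "__main__":
    print(render_report(reduce_records(SAMPLE_RECORDS)))
```

Two design points follow directly from the requirement text: the reduction never rewrites or deletes source records (unparseable lines are counted rather than dropped, so a format change in a log source shows up in the report instead of silently shrinking it), and the timeline is sorted on the parsed timestamp rather than trusting arrival order, which is where the source discussion's warning about timestamp granularity bites: two events within the same second keep their input order, so finer-grained timestamps are needed if that ordering matters to an investigation.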

Example
You are in charge of IT operations in your organization. You are responsible for providing
audit record reduction and report generation capability to effectively extract security
relevant information. You either purchase or develop a capability that will collect and
analyze data for signs of anomalies. The system then extracts security relevant data to
provide a reduced, concise, and comprehensive view for further analysis to identify
potentially malicious activity on your network. In addition to creating on-demand data sets
for analysis, you create customized reports explaining the contents of the data set.

References
• NIST SP 800-171 Rev 1 3.3.6
• NIST CSF v1.1 RS.AN-3
• CERT RMM v1.2 COMP:SG3.SP2
• NIST SP 800-53 Rev 4 AU-7

