Requirement text: AU.4.053: Automate analysis of audit logs to identify and act on critical indicators
(TTPs) and/or organizationally defined suspicious activity.
DISCUSSION FROM SOURCE: CMMC
Adversary activity typically leaves indications in audit logs. Patterns and signatures from
previously seen adversary activity or malicious software are shared and can be used in
automated analysis. Organizations can define thresholds for the level and definition of
suspicious activity on which to take an action. The automated activity can be distributed or
centralized.
CMMC CLARIFICATION
Speed of response can be critical in stopping a cyber attack and limiting exposure to the
attack. The speed of response is improved when log source platforms automatically and
immediately identify indicators for which immediate action is required and authorized to be
taken automatically. Some logging platforms will not support automated analysis and action.
In those cases, the immediate analysis occurs at the centralized log collection server (see
practice AU.3.048).
The analysis would look for specific log entry text or data element values in cases where
there is certainty that an action should and can occur immediately, as defined by the
organization. Actions may range from notifications to blocks. The actions must be automatic
but need not be comprehensive in stopping the threat.
Example
Upon seeing a specific text string in a log on the corporate CUI database server indicating
that a large query had been requested, an alert is generated to notify the security operations
center (SOC) of the log event. The SOC processes the alert automatically: a full report is
generated, and a window pops up for the SOC member responsible for the CUI database as
well as the overall SOC lead.
In a clearer and more critical case, where evidence of compromise is conclusive and decisive
and the response is already authorized by senior management, the action may be to cut off the
server from some connected systems or even to shut down the server to prevent further
exposure or data exfiltration. The clear evidence may have been provided by external shared
indicators of a cyber incident at a peer organization for which early warning signs have been
identified.
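The clarification and the two scenarios above describe the same mechanism: match organization-defined indicators against audit log entries, count hits against a threshold, and take an action whose severity is bounded by what senior management has pre-authorized. The following Python script is an added illustration of that mechanism, not code from CMMC or from any logging product. The key=value log format, the host names, the indicator names and thresholds, the row-count limit and the 203.0.113.45 address (a documentation-range address) are all constructed for this example.

```python
"""Automated audit-log analysis with organization-defined indicators and
tiered, pre-authorized responses (notify vs. block).

Every indicator, host, threshold and log line below is constructed for
this example; none of them is a value supplied by CMMC.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# A parsed audit record: the timestamp under "ts" plus key=value fields.
LogRecord = Dict[str, str]


@dataclass(frozen=True)
class Indicator:
    name: str
    matches: Callable[[LogRecord], bool]  # predicate over one parsed record
    threshold: int                        # hits required before acting
    action: str                           # requested action: "notify" or "block"
    auto_action_authorized: bool          # senior-management pre-approval


@dataclass(frozen=True)
class Action:
    indicator: str
    action: str            # action actually taken after the authorization check
    hits: int
    hosts: Tuple[str, ...]


FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> LogRecord:
    """Parse 'TIMESTAMP k1=v1 k2=v2 ...' into a dict; the timestamp is stored as 'ts'."""
    ts, _, rest = line.strip().partition(" ")
    record: LogRecord = {"ts": ts}
    record.update(FIELD_RE.findall(rest))
    return record


# Hypothetical indicator predicates. The limits are organization-defined.
def is_large_query(rec: LogRecord, limit: int = 100_000) -> bool:
    return rec.get("event") == "query" and int(rec.get("rows_returned", 0)) > limit


def is_shared_ioc_outbound(rec: LogRecord, bad_dst=frozenset({"203.0.113.45"})) -> bool:
    # Destination shared by a peer organization (constructed value).
    return rec.get("event") == "connect" and rec.get("dst") in bad_dst


def is_off_hours_admin_query(rec: LogRecord) -> bool:
    # Admin queries between 00:00 and 05:59 UTC (hour taken from the ISO timestamp).
    return rec.get("user") == "admin" and rec.get("event") == "query" and int(rec["ts"][11:13]) < 6


INDICATORS: List[Indicator] = [
    Indicator("large_cui_query", is_large_query, 1, "notify", True),
    Indicator("shared_ioc_outbound", is_shared_ioc_outbound, 3, "block", True),
    # Blocking requested, but not pre-authorized: the analysis must downgrade to notify.
    Indicator("off_hours_admin_query", is_off_hours_admin_query, 1, "block", False),
]


def analyze(lines: List[str], indicators: List[Indicator] = INDICATORS) -> List[Action]:
    """Evaluate every indicator over the log lines and return the actions to take."""
    records = [parse_line(line) for line in lines if line.strip()]
    actions: List[Action] = []
    for ind in indicators:
        hits = [r for r in records if ind.matches(r)]
        if len(hits) < ind.threshold:
            continue
        # Only pre-authorized actions run automatically; anything else becomes a notification.
        taken = ind.action if ind.auto_action_authorized else "notify"
        hosts = tuple(sorted({r.get("host", "?") for r in hits}))
        actions.append(Action(ind.name, taken, len(hits), hosts))
    return actions


# Constructed sample log from a hypothetical CUI database server.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z host=cui-db01 user=alice event=query rows_returned=120
2024-05-01T10:00:07Z host=cui-db01 user=bob event=query rows_returned=250000
2024-05-01T10:01:15Z host=cui-db01 user=svc-backup event=connect dst=203.0.113.45 port=443
2024-05-01T10:01:16Z host=cui-db01 user=svc-backup event=connect dst=203.0.113.45 port=443
2024-05-01T10:01:20Z host=cui-db01 user=svc-backup event=connect dst=203.0.113.45 port=443
2024-05-01T03:12:00Z host=cui-db02 user=admin event=query rows_returned=900
2024-05-01T10:02:00Z host=cui-db02 user=carol event=query rows_returned=5000
""".splitlines()

if __name__ == "__main__":
    for act in analyze(SAMPLE_LOG):
        print(f"{act.indicator}: {act.action} ({act.hits} hits on {', '.join(act.hosts)})")
```

Run as-is, the script reports a notification for the single large query, an automatic block for the three outbound connections to the shared indicator, and a notification (not a block) for the off-hours admin query because that block was never pre-authorized. The authorization flag is the point of the design: the matching logic can be as aggressive as the organization likes, but the action taken is capped at what management has approved, which is the constraint the clarification places on "actions ranging from notifications to blocks".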
References
• CMMC
• CIS Controls v7.1 6.6
• NIST CSF v1.1 DE.AE-3
• NIST SP 800-53 Rev 4 SI-4(2)